Red Hat Enterprise Linux 6

6.5 Technical Notes

Detailed notes on the changes implemented in Red Hat Enterprise Linux 6.5

Edition 5

Red Hat Engineering Content Services

Legal Notice

Copyright © 2013 Red Hat, Inc.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack Logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.

Abstract

The Red Hat Enterprise Linux 6.5 Technical Notes list and document the changes made to the Red Hat Enterprise Linux 6 operating system and its accompanying applications between Red Hat Enterprise Linux 6.4 and minor release Red Hat Enterprise Linux 6.5.
Preface
1. Red Hat Enterprise Linux 6.5 International Languages
2. Important Changes to External Kernel Parameters
3. Device Drivers
4. Technology Previews
4.1. Storage and File Systems
4.2. Networking
4.3. Clustering and High Availability
4.4. Authentication
4.5. Security
4.6. Devices
4.7. Kernel
5. Deprecated Functionality
6. Known Issues
6.1. Installation
6.2. Entitlement
6.3. Deployment
6.4. Virtualization
6.5. Storage and File Systems
6.6. Networking
6.7. Security
6.8. Clustering
6.9. Authentication
6.10. Devices
6.11. Kernel
6.12. Desktop
6.13. Tools
6.14. Documentation
7. New Packages
7.1. RHEA-2013:1625 — new packages: freerdp
7.2. RHBA-2013:1607 — new packages: gcc-libraries
7.3. RHEA-2013:1728 — new packages: openhpi32
7.4. RHEA-2013:1626 — new packages: p11-kit
7.5. RHEA-2013:1621 — new package: ps_mem
7.6. RHEA-2013:1642 — new packages: redhat-support-lib-python and redhat-support-tool
7.7. RHEA-2013:1686 — new package: sapconf
7.8. RHEA-2013:1731 — new packages: snappy
7.9. RHEA-2013:1622 — new packages: xorg-x11-glamor
8. Updated Packages
8.1. abrt
8.2. anaconda
8.3. arptables_jf
8.4. augeas
8.5. autofs
8.6. batik
8.7. bfa-firmware
8.8. bind-dyndb-ldap
8.9. biosdevname
8.10. boost
8.11. busybox
8.12. ca-certificates
8.13. cifs-utils
8.14. cjkuni-fonts
8.15. cluster and gfs2-utils
8.16. clustermon
8.17. compat-openmpi
8.18. conman
8.19. coolkey
8.20. coreutils
8.21. corosync
8.22. cpupowerutils
8.23. crash
8.24. crash-gcore-command
8.25. createrepo
8.26. cronie
8.27. cvs
8.28. device-mapper-multipath
8.29. device-mapper-persistent-data
8.30. dhcp
8.31. dovecot
8.32. dracut
8.33. e2fsprogs
8.34. efibootmgr
8.35. emacs
8.36. environment-modules
8.37. esc
8.38. evolution
8.39. fcoe-target-utils
8.40. fcoe-utils
8.41. febootstrap
8.42. fence-agents
8.43. fence-virt
8.44. firstboot
8.45. foomatic
8.46. fprintd
8.47. freeipmi
8.48. ftp
8.49. gcc
8.50. gdm
8.51. gegl
8.52. ghostscript
8.53. glib2
8.54. glibc
8.55. glusterfs
8.56. gnome-screensaver
8.57. gpxe
8.58. grep
8.59. grub
8.60. grubby
8.61. gtk2
8.62. haproxy
8.63. hdparm
8.64. hsqldb
8.65. hwdata
8.66. hypervkvpd
8.67. ibus-hangul
8.68. icedtea-web
8.69. initscripts
8.70. iotop
8.71. ipa
8.72. ipmitool
8.73. iproute
8.74. iptables
8.75. ipvsadm
8.76. irqbalance
8.77. iscsi-initiator-utils
8.78. iw
8.79. java-1.6.0-openjdk
8.80. java-1.7.0-openjdk
8.81. kde-settings
8.82. kernel
8.83. kexec-tools
8.84. ksh
8.85. ledmon
8.86. libXcursor
8.87. libcgroup
8.88. libdrm
8.89. libguestfs
8.90. libibverbs-rocee
8.91. libksba
8.92. libnl
8.93. libpcap
8.94. libqb
8.95. libreoffice
8.96. librtas
8.97. libtevent
8.98. libvirt
8.99. libvirt-cim
8.100. libvirt-snmp
8.101. libwacom
8.102. libxml2
8.103. linuxptp
8.104. lksctp-tools
8.105. logrotate
8.106. logwatch
8.107. luci
8.108. lvm2
8.109. mailx
8.110. man-pages-fr
8.111. man-pages-ja
8.112. man-pages-overrides
8.113. mcelog
8.114. mdadm
8.115. mesa
8.116. microcode_ctl
8.117. mobile-broadband-provider-info
8.118. mod_auth_kerb
8.119. ModemManager
8.120. mysql
8.121. net-snmp
8.122. netcf
8.123. NetworkManager
8.124. nfs-utils
8.125. nmap
8.126. nss and nspr
8.127. ntp
8.128. numactl
8.129. numad
8.130. opencryptoki
8.131. opencv
8.132. openhpi
8.133. openscap
8.134. openssh
8.135. openssl
8.136. openswan
8.137. pacemaker
8.138. pam
8.139. papi
8.140. parted
8.141. pcs
8.142. perl
8.143. perl-CGI-Session
8.144. perl-Config-General
8.145. perl-DateTime
8.146. perl-Makefile-Parser
8.147. perl-Net-DNS
8.148. perl-Socket6
8.149. perl-Test-Memory-Cycle
8.150. perl-Test-MockObject
8.151. perl-XML-Dumper
8.152. php
8.153. piranha
8.154. 389-ds-base
8.155. pki-core
8.156. policycoreutils
8.157. powertop
8.158. pykickstart
8.159. pyparted
8.160. python
8.161. python-beaker
8.162. python-ethtool
8.163. python-urlgrabber
8.164. python-urwid
8.165. python-virtinst
8.166. python-weberror
8.167. qemu-kvm
8.168. ql2400-firmware
8.169. ql2500-firmware
8.170. quota
8.171. rdesktop
8.172. RDMA stack
8.173. readahead
8.174. redhat-indexhtml
8.175. redhat-release
8.176. Red Hat Enterprise Linux 6.5 Release Notes
8.177. resource-agents
8.178. rgmanager
8.179. rhel-guest-image
8.180. rhn-client-tools
8.181. rhnlib
8.182. ricci
8.183. rp-pppoe
8.184. rpm
8.185. rpmlint
8.186. rsyslog
8.187. rubygems
8.188. s390utils
8.189. samba
8.190. samba4
8.191. sanlock
8.192. sblim-cmpi-fsvol
8.193. sblim-sfcc
8.194. sblim-wbemcli
8.195. scl-utils
8.196. scsi-target-utils
8.197. seabios
8.198. selinux-policy
8.199. setuptool
8.200. sg3_utils
8.201. slapi-nis
8.202. sos
8.203. spice-gtk
8.204. spice-protocol
8.205. spice-server
8.206. spice-vdagent
8.207. spice-xpi
8.208. sssd
8.209. subscription-manager
8.210. sudo
8.211. suitesparse
8.212. sysstat
8.213. system-config-date
8.214. system-config-keyboard
8.215. system-config-lvm
8.216. system-config-users-docs
8.217. systemtap
8.218. sysvinit
8.219. talk
8.220. tboot
8.221. tomcat6
8.222. tuned
8.223. udev
8.224. util-linux-ng
8.225. vhostmd
8.226. virt-manager
8.227. virt-p2v
8.228. virt-v2v
8.229. virt-viewer
8.230. virt-who
8.231. virtio-win
8.232. watchdog
8.233. webkitgtk
8.234. wireshark
8.235. xfsprogs
8.236. xmlrpc-c
8.237. xorg-x11-drv-ati
8.238. xorg-x11-drv-intel
8.239. xorg-x11-drv-mga
8.240. xorg-x11-drv-nouveau
8.241. xorg-x11-drv-qxl
8.242. xorg-x11-drv-synaptics
8.243. xorg-x11-drv-wacom
8.244. xorg-x11-server
8.245. xorg-x11-xinit
8.246. yaboot
8.247. yum-rhn-plugin
8.248. zsh
A. Revision History

Preface

The Red Hat Enterprise Linux 6.5 Technical Notes list and document the changes made to the Red Hat Enterprise Linux 6 operating system and its accompanying applications between minor release Red Hat Enterprise Linux 6.4 and minor release Red Hat Enterprise Linux 6.5.
For system administrators and others planning Red Hat Enterprise Linux 6.5 upgrades and deployments, the Technical Notes provide a single, organized record of the bugs fixed in, features added to, and Technology Previews included with this new release of Red Hat Enterprise Linux.
For auditors and compliance officers, the Red Hat Enterprise Linux 6.5 Technical Notes provide a single, organized source for change tracking and compliance testing.
For every user, the Red Hat Enterprise Linux 6.5 Technical Notes provide details of what has changed in this new release.

Note

The Package Manifest is available as a separate document.

Chapter 1. Red Hat Enterprise Linux 6.5 International Languages

Red Hat Enterprise Linux 6.5 supports installation of multiple languages and changing of languages based on your requirements.
The following languages are supported in Red Hat Enterprise Linux 6.5:
  • East Asian Languages - Japanese, Korean, Simplified Chinese, and Traditional Chinese
  • European Languages - English, German, Spanish, French, Portuguese Brazilian, and Russian
  • Indic Languages - Assamese, Bengali, Gujarati, Hindi, Kannada, Malayalam, Marathi, Oriya, Punjabi, Tamil, and Telugu
The table below summarizes the currently supported languages, their locales, the default fonts installed, and the packages required for some of the supported languages.

Table 1.1. Red Hat Enterprise Linux 6 International Languages

Territory | Language | Locale | Fonts | Package Names
China | Simplified Chinese | zh_CN.UTF-8 | AR PL (ShanHeiSun and Zenkai) Uni | fonts-chinese, scim-pinyin, scim-tables
Japan | Japanese | ja_JP.UTF-8 | Sazanami (Gothic and Mincho) | fonts-japanese, scim-anthy
Korea | Hangul | ko_KR.UTF-8 | Baekmuk (Batang, Dotum, Gulim, Headline) | fonts-korean, scim-hangul
Taiwan | Traditional Chinese | zh_TW.UTF-8 | AR PL (ShanHeiSun and Zenkai) Uni | fonts-chinese, scim-chewing, scim-tables
Brazil | Portuguese | pt_BR.UTF-8 | standard latin fonts |
France | French | fr_FR.UTF-8 | standard latin fonts |
Germany | German | de_DE.UTF-8 | standard latin fonts |
Italy | Italian | it_IT.UTF-8 | standard latin fonts |
Russia | Russian | ru_RU.UTF-8 | KOI8-R, fonts-KOI8-R-100dpi, fonts-KOI8-R-75dpi and xorg-x11-fonts-cyrillic | fonts-KOI8-R, fonts-KOI8-R-100dpi, fonts-KOI8-R-75dpi, xorg-x11-fonts-cyrillic
Spain | Spanish | es_ES.UTF-8 | standard latin fonts |
India | Assamese | as_IN.UTF-8 | Lohit Bengali | fonts-bengali, scim-m17n, m17n-db-assamese
India | Bengali | bn_IN.UTF-8 | Lohit Bengali | fonts-bengali, scim-m17n, m17n-db-bengali
India | Gujarati | gu_IN.UTF-8 | Lohit Gujarati | fonts-gujarati, scim-m17n, m17n-db-gujarati
India | Hindi | hi_IN.UTF-8 | Lohit Hindi | fonts-hindi, scim-m17n, m17n-db-hindi
India | Kannada | kn_IN.UTF-8 | Lohit Kannada | fonts-kannada, scim-m17n, m17n-db-kannada
India | Malayalam | ml_IN.UTF-8 | Lohit Malayalam | fonts-malayalam, scim-m17n, m17n-db-malayalam
India | Marathi | mr_IN.UTF-8 | Lohit Hindi | fonts-hindi, scim-m17n, m17n-db-marathi
India | Oriya | or_IN.UTF-8 | Lohit Oriya | fonts-oriya, scim-m17n, m17n-db-oriya
India | Punjabi | pa_IN.UTF-8 | Lohit Punjabi | fonts-punjabi, scim-m17n, m17n-db-punjabi
India | Tamil | ta_IN.UTF-8 | Lohit Tamil | fonts-tamil, scim-m17n, m17n-db-tamil
India | Telugu | te_IN.UTF-8 | Lohit Telugu | fonts-telugu, scim-m17n, m17n-db-telugu

Chapter 2. Important Changes to External Kernel Parameters

This chapter provides system administrators with a summary of significant changes in the kernel shipped with Red Hat Enterprise Linux 6.5. These changes include added or updated procfs entries, sysfs default values, boot parameters, kernel configuration options, or any noticeable behavior changes.
reserved_blocks
This read-write (RW) file contains the number of reserved blocks in the file system, which are used in specific situations to avoid unexpected No space left on device (ENOSPC) errors or possible data loss.
/proc/<pid>/comm and /proc/<pid>/task/<tid>/comm files
These files provide a method to access a task's comm value. They also allow a task to set its own or one of its thread siblings' comm values. The comm value is limited in size compared to the cmdline value, so writing anything longer than the kernel's TASK_COMM_LEN macro (currently 16 chars) will result in a truncated comm value.
efi_no_storage_paranoia
Using this parameter you can use more than half of your EFI variable storage.
int_pln_enable
This parameter allows users to enable power limit notification interrupts.
nfsd.nfs4_disable_idmapping
The default value of this parameter is 0. When set to 1, the NFSv4 server returns only numeric user IDs (UIDs) and group IDs (GIDs) to clients using AUTH_SYS mode, and will accept numeric UIDs and GIDs from such clients. This facilitates migration from NFS version 2 to NFS version 3.
PCI Subsystem Options
The following options for the pci kernel parameter can be used in Red Hat Enterprise Linux 6.5:
  • pcie_bus_tune_off—disables PCIe maximum payload size (MPS) tuning and uses the BIOS-configured MPS default values.
  • pcie_bus_safe—sets every device MPS to the largest value supported by all devices below the root complex.
  • pcie_bus_perf—sets the device MPS to the largest allowable MPS based on its parent bus.
  • pcie_bus_peer2peer—sets every device's MPS to 128B, which every device is guaranteed to support.
smbios_26_uuid
With this parameter, universally unique identifiers (UUIDs) are displayed in the System Management BIOS (SMBIOS) 2.6 format.
tsc_init_debug
With this parameter, additional information about the Time Stamp Counter (TSC) is displayed during system boot.
usbcore.usbfs_memory_mb
This option displays the memory limit in MB for buffers allocated by the USB device file system (usbfs).
tcp_limit_output_bytes
tcp_limit_output_bytes controls TCP Small Queue limit per TCP socket.
tcp_challenge_ack_limit
tcp_challenge_ack_limit limits the number of challenge acknowledgements sent per second, as recommended in RFC 5961 (Improving TCP's Robustness to Blind In-Window Attacks).
accept_ra
The accept_ra boolean allows for accepting router discovery messages (also known as router advertisements).
cookie_hmac_alg
cookie_hmac_alg is used to select the keyed-hash message authentication code (HMAC) algorithm used when generating the cookie value sent by a listening SCTP socket to a connecting client in the INIT-ACK chunk. Valid values are:
  • md5
  • sha1
  • none
nf_conntrack_acct
The nf_conntrack_acct boolean enables connection tracking flow accounting.
nf_conntrack_buckets
nf_conntrack_buckets determines the size of a hash table. If it is not specified as a parameter during module loading, the default size is calculated by dividing total memory by 16384 to determine the number of buckets, but the hash table will never have fewer than 32 nor more than 16384 buckets.
nf_conntrack_checksum
This parameter is used to verify the checksums of incoming packets. Packets with invalid checksums are in INVALID state. If this is enabled, such packets will not be considered for connection tracking.
nf_conntrack_events_retry_timeout
This option is only relevant when "reliable connection tracking events" are used. Normally, ctnetlink is "lossy", that is, events are normally dropped when userspace listeners cannot keep up. Userspace can request "reliable event mode". When this mode is active, the connection tracking will only be destroyed after the event was delivered. If event delivery fails, the kernel periodically re-tries to send the event to userspace. The default value 15 is the maximum interval the kernel should use when re-trying to deliver the destroy event. A higher number means there will be fewer delivery retries and it will take longer for a backlog to be processed.
merge_across_nodes
The merge_across_nodes parameter specifies if pages from different NUMA nodes can be merged. When set to 0, Kernel SamePage Merging (KSM) merges only pages which physically reside in the memory area of the same NUMA node. 1 is the default value and merging across nodes is performed as in earlier releases.
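
The /proc/<pid>/comm entry above notes that a task can set its own comm value and that the kernel truncates it to TASK_COMM_LEN. The following added example (not part of the Technical Notes or of any Red Hat tool) lists processes whose comm differs from the truncated base name of their /proc/<pid>/exe target; the function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare each task's comm value with its executable name.
# comm is writable by the task itself, so it must not be trusted on its own.

TASK_COMM_LEN=16   # kernel macro value quoted in the text (15 chars + NUL)

# expected_comm PATH: base name of PATH, truncated the way the kernel
# truncates comm when a program is executed.
expected_comm() {
    local base
    base=${1##*/}
    base=${base% (deleted)}   # suffix readlink shows for an unlinked binary
    printf "%.$((TASK_COMM_LEN - 1))s" "$base"
}

# audit_comm [PROC_ROOT]: print "pid<TAB>comm<TAB>exe" for every process
# whose comm does not match its executable. PROC_ROOT defaults to /proc.
audit_comm() {
    local root dir pid comm exe
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid=${dir##*/}
        # Kernel threads, and tasks we are not allowed to inspect,
        # have no readable exe link: skip them.
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        [ -n "$exe" ] || continue
        comm=$(cat "$dir/comm" 2>/dev/null) || continue
        if [ "$comm" != "$(expected_comm "$exe")" ]; then
            printf '%s\t%s\t%s\n' "$pid" "$comm" "$exe"
        fi
    done
    return 0
}

# make_sample_proc: build a small constructed /proc-like tree for the demo
# and print its path. All PIDs, names and paths below are made up.
make_sample_proc() {
    local root
    root=$(mktemp -d) || return 1
    mkdir "$root/101" "$root/202" "$root/303" "$root/404"
    echo sshd > "$root/101/comm"
    ln -s /usr/sbin/sshd "$root/101/exe"
    # 21-character binary name; the kernel keeps only the first 15.
    echo gnome-settings- > "$root/202/comm"
    ln -s /usr/libexec/gnome-settings-daemon "$root/202/exe"
    # comm rewritten by the task: no longer matches the executable.
    echo crond > "$root/303/comm"
    ln -s /home/user/bin/helper "$root/303/exe"
    # Kernel thread: comm only, no exe link.
    echo kthreadd > "$root/404/comm"
    printf '%s\n' "$root"
}

# With no argument, run on the constructed tree; otherwise audit the
# directory given (for example /proc, as root).
if [ -z "${1:-}" ]; then
    demo_root=$(make_sample_proc)
    audit_comm "$demo_root"
    rm -rf "$demo_root"
else
    audit_comm "$1"
fi
```

A mismatch is a lead, not a verdict: scripts started through a shebang line, binaries started through a symbolic link, and daemons that rename themselves also produce one.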

Chapter 3. Device Drivers

This chapter provides a comprehensive listing of all device drivers which were updated in Red Hat Enterprise Linux 6.5.

Storage Drivers

  • The Emulex be2iscsi driver has been upgraded to the latest upstream version.
  • The megaraid_sas driver has been upgraded to version 6.600.18.00.
  • The pm8001/pm80xx driver has been added in Red Hat Enterprise Linux 6.5 to add support for PMC-Sierra Adaptec Series 6H and 7H SAS/SATA HBA cards as well as PMC Sierra 8081, 8088, and 8089 chip based SAS/SATA controllers.
  • 12Gbps SAS devices from LSI are now supported in Red Hat Enterprise Linux.
  • The Brocade BFA driver has been updated to version 3.2.21.1.
  • The NVMe driver has been added to Red Hat Enterprise Linux 6.

Network Drivers

  • The Virtual Extensible LAN, vxlan, driver has been updated.
  • Support for Single Root I/O virtualization (SR-IOV) has been added to the qlcnic driver as a Technology Preview.
  • The Brocade BNA driver has been updated to version 3.1.2.1.
  • The ixgbevf driver has been updated to the latest upstream version.
  • The igbvf driver has been updated to the latest upstream version.
  • The bnx2x driver has been updated to version 1.78.17-0.
  • The Emulex be2net driver has been updated to version 4.6.x.
  • The qlcnic driver has been updated to add support for the QLogic 83XX CNA adapter.
  • The e1000e driver has been updated to the latest upstream version.
  • The tg3 driver has been updated to include various bug fixes and new features, including hardware PTP support.
  • The sfc driver has been upgraded to upstream version 3.2 and includes hardware accelerated receive flow steering (RFS).
  • The igb driver has been updated to version 4.1.2 to include software time stamping support.
  • The qlge driver has been updated to version 1.00.00.32.

Miscellaneous Drivers

  • The hpilo driver has been upgraded to the latest upstream version.

Chapter 4. Technology Previews

This chapter provides a list of all available Technology Previews in Red Hat Enterprise Linux 6.5.
Technology Preview features are currently not supported under Red Hat Enterprise Linux subscription services, may not be functionally complete, and are generally not suitable for production use. However, these features are included as a customer convenience and to provide the feature with wider exposure.
Customers may find these features useful in a non-production environment. Customers are also free to provide feedback and functionality suggestions for a Technology Preview feature before it becomes fully supported. Errata will be provided for high-severity security issues.
During the development of a Technology Preview feature, additional components may become available to the public for testing. It is the intention of Red Hat clustering to fully support Technology Preview features in a future release.

4.1. Storage and File Systems

Cross Realm Kerberos Trust Functionality for samba4 Libraries
The Cross Realm Kerberos Trust functionality provided by Identity Management, which relies on the capabilities of the samba4 client library, is included as a Technology Preview starting with Red Hat Enterprise Linux 6.4. This functionality uses the libndr-nbt library to prepare Connection-less Lightweight Directory Access Protocol (CLDAP) messages.
Package: samba-3.6.9-164
System Information Gatherer and Reporter (SIGAR)
The System Information Gatherer and Reporter (SIGAR) is a library and command-line tool for accessing operating system and hardware level information across multiple platforms and programming languages. In Red Hat Enterprise Linux 6.4 and later, SIGAR is considered a Technology Preview package.
Package: sigar-1.6.5-0.4.git58097d9
DIF/DIX support
DIF/DIX is a new addition to the SCSI Standard and a Technology Preview in Red Hat Enterprise Linux 6. DIF/DIX increases the size of the commonly used 512-byte disk block from 512 to 520 bytes, adding the Data Integrity Field (DIF). The DIF stores a checksum value for the data block that is calculated by the Host Bus Adapter (HBA) when a write occurs. The storage device then confirms the checksum on receive, and stores both the data and the checksum. Conversely, when a read occurs, the checksum can be checked by the storage device, and by the receiving HBA.
The DIF/DIX hardware checksum feature must only be used with applications that exclusively issue O_DIRECT I/O. These applications may use the raw block device, or the XFS file system in O_DIRECT mode. (XFS is the only file system that does not fall back to buffered I/O when doing certain allocation operations.) Only applications designed for use with O_DIRECT I/O and DIF/DIX hardware should enable this feature.
For more information, refer to section Block Devices with DIF/DIX Enabled in the Storage Administration Guide.
Package: kernel-2.6.32-431
Btrfs, BZ#614121
Btrfs is under development as a file system capable of addressing and managing more files, larger files, and larger volumes than the ext2, ext3, and ext4 file systems. Btrfs is designed to make the file system tolerant of errors, and to facilitate the detection and repair of errors when they occur. It uses checksums to ensure the validity of data and metadata, and maintains snapshots of the file system that can be used for backup or repair. The Btrfs Technology Preview is only available on AMD64 and Intel 64 architectures.

Btrfs is still experimental

Red Hat Enterprise Linux 6 includes Btrfs as a technology preview to allow you to experiment with this file system. You should not choose Btrfs for partitions that will contain valuable data or that are essential for the operation of important systems.
Package: btrfs-progs-0.20-0.2.git91d9eec
LVM Application Programming Interface (API)
Red Hat Enterprise Linux 6 features the new LVM application programming interface (API) as a Technology Preview. This API is used to query and control certain aspects of LVM.
Package: lvm2-2.02.100-8
FS-Cache
FS-Cache in Red Hat Enterprise Linux 6 enables networked file systems (for example, NFS) to have a persistent cache of data on the client machine.
Package: cachefilesd-0.10.2-1
eCryptfs File System
eCryptfs is a stacked, cryptographic file system. It is transparent to the underlying file system and provides per-file granularity. eCryptfs is provided as a Technology Preview in Red Hat Enterprise Linux 6.
Package: ecryptfs-utils-82-6

4.2. Networking

Mellanox SR-IOV Support
Single Root I/O Virtualization (SR-IOV) is now supported as a Technology Preview in the Mellanox libmlx4 library and the following drivers:
  • mlx_core
  • mlx4_ib (InfiniBand protocol)
  • mlx_en (Ethernet protocol)
Package: kernel-2.6.32-335
Open multicast ping (Omping), BZ#657370
Open Multicast Ping (Omping) is a tool to test the IP multicast functionality, primarily in the local network. This utility allows users to test IP multicast functionality and assists in diagnosing whether an issue is in the network configuration or elsewhere (that is, a bug). In Red Hat Enterprise Linux 6, Omping is provided as a Technology Preview.
Package: omping-0.0.4-1
QFQ queuing discipline
In Red Hat Enterprise Linux 6, the tc utility has been updated to work with the Quick Fair Scheduler (QFQ) kernel features. Users can now take advantage of the new QFQ traffic queuing discipline from userspace. This feature is considered a Technology Preview.
Package: kernel-2.6.32-431
vios-proxy, BZ#721119
vios-proxy is a stream-socket proxy for providing connectivity between a client on a virtual guest and a server on a Hypervisor host. Communication occurs over virtio-serial links.
Package: vios-proxy-0.2-1

4.3. Clustering and High Availability

luci support for fence_sanlock
The luci tool now supports the sanlock fence agent as a Technology Preview. The agent is available in luci's list of agents.
Package: luci-0.26.0-48
Recovering a node via a hardware watchdog device
The new fence_sanlock agent and checkquorum.wdmd, included in Red Hat Enterprise Linux 6.4 as a Technology Preview, provide new mechanisms to trigger the recovery of a node via a hardware watchdog device. Tutorials on how to enable this Technology Preview will be available at https://fedorahosted.org/cluster/wiki/HomePage.
Note that SELinux in enforcing mode is currently not supported.
Package: cluster-3.0.12.1-59
keepalived
The keepalived package has been included as a Technology Preview, starting with Red Hat Enterprise Linux 6.4. The keepalived package provides simple and robust facilities for load-balancing and high-availability. The load-balancing framework relies on the well-known and widely used Linux Virtual Server kernel module providing Layer4 network load-balancing. The keepalived daemon implements a set of health checkers to load-balanced server pools according to their state. The keepalived daemon also implements the Virtual Router Redundancy Protocol (VRRP), allowing router or director failover to achieve high availability.
Package: keepalived-1.2.7-3
HAProxy
HAProxy is a stand-alone, layer-7, high-performance network load balancer for TCP and HTTP-based applications which can perform various types of scheduling based on the content of the HTTP requests. The haproxy package is included as a Technology Preview, starting with Red Hat Enterprise Linux 6.4.
Package: haproxy-1.4.24-2

4.4. Authentication

Simultaneous maintaining of TGTs for multiple KDCs
Kerberos version 1.10 added a new cache storage type, DIR:, which allows Kerberos to maintain Ticket Granting Tickets (TGTs) for multiple Key Distribution Centers (KDCs) simultaneously and auto-select between them when negotiating with Kerberized resources. Red Hat Enterprise Linux 6.4 and later includes SSSD enhanced to allow the users to select the DIR: cache for users that are logging in via SSSD. This feature is introduced as a Technology Preview.
Package: sssd-1.9.2-129

4.5. Security

TPM
TPM (Trusted Platform Module) hardware can create, store and use RSA keys securely (without ever being exposed in memory), verify a platform's software state using cryptographic hashes and more. The trousers and tpm-tools packages are considered a Technology Preview.
Packages: trousers-0.3.4-4, tpm-tools-1.3.4-2

4.6. Devices

mpt2sas lockless mode
The mpt2sas driver is fully supported. However, when used in the lockless mode, the driver is a Technology Preview.
Package: kernel-2.6.32-431

4.7. Kernel

Kernel Media support
The following features are presented as Technology Previews:
  • The latest upstream video4linux
  • Digital video broadcasting
  • Primarily infrared remote control device support
  • Various webcam support fixes and improvements
Package: kernel-2.6.32-431
Linux (NameSpace) Container [LXC]
Linux containers provide a flexible approach to application runtime containment on bare-metal systems without the need to fully virtualize the workload. Red Hat Enterprise Linux 6 provides application level containers to separate and control the application resource usage policies via cgroups and namespaces. This release includes basic management of container life-cycle by allowing creation, editing and deletion of containers via the libvirt API and the virt-manager GUI. Linux Containers are a Technology Preview.
Packages: libvirt-0.9.10-21, virt-manager-0.9.0-14
Diagnostic pulse for the fence_ipmilan agent, BZ#655764
A diagnostic pulse can now be issued on the IPMI interface using the fence_ipmilan agent. This new Technology Preview is used to force a kernel dump of a host if the host is configured to do so. Note that this feature is not a substitute for the off operation in a production cluster.
Package: fence-agents-3.1.5-35

Chapter 5. Deprecated Functionality

virtio-win component, BZ#1001981
The VirtIO SCSI driver has been removed from the virtio-win package and is no longer supported on Microsoft Windows Server 2003 platform.
qemu-kvm component
The qemu-guest-agent-win32 package is no longer shipped as part of the qemu-kvm package. The Windows guest agent is now delivered in the Supplementary channel together with other Windows components, for example, virtio-win drivers.
fence-agents component
Prior to Red Hat Enterprise Linux 6.5 release, the Red Hat Enterprise Linux High Availability Add-On was considered fully supported on certain VMware ESXi/vCenter versions in combination with the fence_scsi fence agent. Due to limitations in these VMware platforms in the area of SCSI-3 persistent reservations, the fence_scsi fencing agent is no longer supported on any version of the Red Hat Enterprise Linux High Availability Add-On in VMware virtual machines, except when using iSCSI-based storage. See the Virtualization Support Matrix for High Availability for full details on supported combinations:
Users using fence_scsi on an affected combination can contact Red Hat Global Support Services for assistance in evaluating alternative configurations or for additional information.
matahari component
The Matahari agent framework (matahari-*) packages have been removed from Red Hat Enterprise Linux 6. Focus for remote systems management has shifted towards the use of the CIM infrastructure. This infrastructure relies on an already existing standard which provides a greater degree of interoperability for all users.
distribution component
The following packages have been deprecated and are subject to removal in a future release of Red Hat Enterprise Linux 6. These packages will not be updated in the Red Hat Enterprise Linux 6 repositories and customers who do not use the MRG-Messaging product are advised to uninstall them from their system.
  • mingw-gcc
  • mingw-boost
  • mingw32-qpid-cpp
  • python-qmf
  • python-qpid
  • qpid-cpp
  • qpid-qmf
  • qpid-tests
  • qpid-tools
  • ruby-qpid
  • saslwrapper
Red Hat MRG-Messaging customers will continue to receive updated functionality as part of their regular updates to the product.
fence-virt component
The libvirt-qpid is no longer part of the fence-virt package.
openscap component
The openscap-perl subpackage has been removed from openscap.

Chapter 6. Known Issues

6.1. Installation

dracut component
For Fibre Channel over Ethernet (FCoE) from SAN on Dell systems which enable biosdevname=1 by default, udev typically renames all network interfaces to their biosdevname naming convention during boot. However, a bug in udev prevents the FCoE boot interface from being renamed. This can result in occasional shutdown stalls. In order to install and shut down the system correctly, it is recommended to use the biosdevname=0 installation parameter to avoid biosdevname naming in this case.
dracut component
For iSCSI boot from SAN on Dell systems which enable the setting biosdevname=1 by default, the installation completes successfully, but the system will not be able to mount the rootfs partition after reboot. This is because of a bug in Dracut where the boot network interface is not brought up if biosdevname naming is used. In order to install and reboot the system successfully in this case, use the biosdevname=0 installation parameter to avoid biosdevname naming.
anaconda component
Setting the qla4xxx parameter ql4xdisablesysfsboot to 1 may cause boot from SAN failures.
anaconda component
To automatically create an appropriate partition table on disks that are uninitialized or contain unrecognized formatting, use the zerombr kickstart command. The --initlabel option of the clearpart command is not intended to serve this purpose.
anaconda component, BZ#676025
Users performing an upgrade using Anaconda's text mode interface who do not have a boot loader already installed on the system, or who have a non-GRUB boot loader, need to select Skip Boot Loader Configuration during the installation process. Boot loader configuration will need to be completed manually after installation. This problem does not affect users running Anaconda in the graphical mode (graphical mode also includes VNC connectivity mode).
anaconda component
On s390x systems, you cannot use automatic partitioning and encryption. If you want to use storage encryption, you must perform custom partitioning. Do not place the /boot volume on an encrypted volume.
anaconda component
The order of device names assigned to USB attached storage devices is not guaranteed. Certain USB attached storage devices may take longer to initialize than others, which can result in the device receiving a different name than you expect (for example, sdc instead of sda).
During installation, verify the storage device size, name, and type when configuring partitions and file systems.
kernel component
Recent Red Hat Enterprise Linux 6 releases use a new naming scheme for network interfaces on some machines. As a result, the installer may use different names during an upgrade in certain scenarios (typically em1 is used instead of eth0 on new Dell machines). However, the previously used network interface names are preserved on the system and the upgraded system will still use the previously used interfaces. This is not the case for Yum upgrades.
anaconda component
The kdump default on feature currently depends on Anaconda to insert the crashkernel= parameter to the kernel parameter list in the boot loader's configuration file.
firstaidkit component
The firstaidkit-plugin-grub package has been removed from Red Hat Enterprise Linux 6.2. As a consequence, in rare cases, the system upgrade operation may fail with unresolved dependencies if the plug-in has been installed in a previous version of Red Hat Enterprise Linux. To avoid this problem, the firstaidkit-plugin-grub package should be removed before upgrading the system. However, in most cases, the system upgrade completes as expected.
anaconda component, BZ#623261
In some circumstances, disks that contain a whole disk format (for example, an LVM Physical Volume populating a whole disk) are not cleared correctly using the clearpart --initlabel kickstart command. Adding the --all switch—as in clearpart --initlabel --all—ensures disks are cleared correctly.
anaconda component
When installing on the IBM System z architecture, if the installation is being performed over SSH, avoid resizing the terminal window containing the SSH session. If the terminal window is resized during the installation, the installer will exit and the installation will terminate.
yaboot component, BZ#613929
The kernel image provided on the CD/DVD is too large for Open Firmware. Consequently, on the POWER architecture, directly booting the kernel image over a network from the CD/DVD is not possible. Instead, use yaboot to boot from a network.
anaconda component
The Anaconda partition editing interface includes a button labeled Resize. This feature is intended for users wishing to shrink an existing file system and an underlying volume to make room for an installation of a new system. Users performing manual partitioning cannot use the Resize button to change sizes of partitions as they create them. If you determine a partition needs to be larger than you initially created it, you must delete the first one in the partitioning editor and create a new one with the larger size.
system-config-kickstart component
Channel IDs (read, write, data) for network devices are required for defining and configuring network devices on IBM S/390 systems. However, system-config-kickstart—the graphical user interface for generating a kickstart configuration—cannot define channel IDs for a network device. To work around this issue, manually edit the kickstart configuration that system-config-kickstart generates to include the desired network devices.

6.2. Entitlement

subscription-manager component
If multiple repositories are enabled, subscription-manager installs product certificates from all repositories instead of installing the product certificate only from the repository from which the RPM package was installed.

6.3. Deployment

389-ds-base component, BZ#878111
The ns-slapd utility terminates unexpectedly if it cannot rename the dirsrv-<instance> log files in the /var/log/ directory due to incorrect permissions on the directory.
cpuspeed component, BZ#626893
Some HP Proliant servers may report incorrect CPU frequency values in /proc/cpuinfo or /sys/devices/system/cpu/*/cpufreq. This is due to the firmware manipulating the CPU frequency without providing any notification to the operating system. To avoid this, ensure that the HP Power Regulator option in the BIOS is set to OS Control. An alternative available on more recent systems is to set Collaborative Power Control to Enabled.
releng component, BZ#644778
Some packages in the Optional repositories on RHN have multilib file conflicts. Consequently, these packages cannot have both the primary architecture (for example, x86_64) and secondary architecture (for example, i686) copies of the package installed on the same machine simultaneously. To work around this issue, install only one copy of the conflicting package.
grub component, BZ#695951
On certain UEFI-based systems, you may need to type BOOTX64 rather than bootx64 to boot the installer due to case sensitivity issues.
grub component, BZ#698708
When rebuilding the grub package on the x86_64 architecture, the glibc-static.i686 package must be used. Using the glibc-static.x86_64 package will not meet the build requirements.

6.4. Virtualization

virtio-win component
When upgrading the NetKVM driver through the Windows Device Manager, the old registry values are not removed. As a consequence, for example, non-existent parameters may be available.
qemu-kvm component
When working with very large images (larger than 2TB) created with very small cluster sizes (for example, 512 bytes), block I/O errors can occur due to timeouts in qemu. To prevent this problem from occurring, use the default cluster size of 64KiB or larger.
kernel component
On Microsoft Windows Server 2012 containing large dynamic VHDX (Hyper-V virtual hard disk) files and using the ext3 file system, a call trace can appear, and, consequently, it is not possible to shut down the guest. To work around this problem, use the ext4 file system or set a logical block size of 1MB when creating a VHDX file. Note that this can only be done by using Microsoft PowerShell, as the Hyper-V manager does not expose the -BlockSizeBytes option, which has the default value of 32MB. To create a dynamic VHDX file with an approximate size of 2.5TB and 1MB block size, run:
New-VHD -Path .\MyDisk.vhdx -SizeBytes 5120MB -BlockSizeBytes 1MB -Dynamic
libvirt component
The storage drivers do not support the virsh vol-resize command options --allocate and --shrink. Use of the --shrink option will result in the following error message:
error: invalid argument: storageVolumeResize: unsupported flags (0x4)
Use of the --allocate option will result in the following error message:
error: invalid argument: storageVolumeResize: unsupported flags (0x1)
Shrinking a volume's capacity is possible as long as the value provided on the command line is greater than the volume allocation value as seen with the virsh vol-info command. You can shrink an existing volume by name through the following sequence of steps:
  1. Dump the XML of the larger volume into a file using the vol-dumpxml command.
  2. Edit the file to change the name, path, and capacity values, where the capacity must be greater than or equal to the allocation.
  3. Create a temporary smaller volume using the vol-create command with the edited XML file.
  4. Back up and restore the larger volume's data using the vol-download and vol-upload commands to the smaller volume.
  5. Use the vol-delete command to remove the larger volume.
  6. Use the vol-clone command to restore the name from the larger volume.
  7. Use the vol-delete command to remove the temporary volume.
In order to allocate more space on the volume, follow a similar sequence, but adjust the allocation to a larger value than the existing volume.
virtio-win component
It is not possible to downgrade a driver using the Search for the best driver in these locations option because the newer and installed driver will be selected as the "best" driver. If you want to force installation of a particular driver version, use the Don't search option and the Have Disk button to select the folder of the older driver. This method will allow you to install an older driver on a system that already has a driver installed.
kernel component
There is a known issue with the Microsoft Hyper-V host. If a legacy network interface controller (NIC) is used on a multiple-CPU virtual machine, there is an interrupt problem in the emulated hardware when the IRQ balancing daemon is running. Call trace information is logged in the /var/log/messages file.
libvirt component, BZ#888635
Under certain circumstances, virtual machines try to boot from an incorrect device after a network boot failure. For more information, please refer to this article on Customer Portal.
numad component, BZ#872524
If numad is run on a system with a task that has very large resident memory (>= 50% total system memory), then the numad-initiated NUMA page migrations for that task can cause swapping. The swapping can then induce long latencies for the system. An example is running a 256GB Microsoft Windows KVM Virtual Machine on a 512GB host. The Windows guest will fault in all pages on boot in order to zero them. On a four node system, numad will detect that a 256GB task can fit in a subset of two or three nodes, and then attempt to migrate it to that subset. Swapping can then occur and lead to latencies. These latencies may then cause the Windows guest to hang, as timing requirements are no longer met. Therefore, on a system with only one or two very large Windows machines, it is recommended to disable numad.
Note that this problem is specific to Windows 2012 guests that use more memory than exists in a single node. Windows 2012 guests appear to allocate memory more gradually than other Windows guest types, which triggers the issue. Other varieties of Windows guests do not seem to experience this problem. You can work around this problem by:
  • limiting Windows 2012 guests to less memory than exists in a given node -- so on a typical 4 node system with even memory distribution, the guest would need to be less than the total amount of system memory divided by 4; or
  • allowing the Windows 2012 guest to finish allocating all of its memory before allowing numad to run. numad will handle extremely huge Windows 2012 guests correctly after allowing a few minutes for the guest to finish allocating all of its memory.
grubby component, BZ#893390
When a Red Hat Enterprise Linux 6.4 guest updates the kernel and then the guest is turned off through Microsoft Hyper-V Manager, the guest fails to boot due to incomplete grub information. This is because the data is not synced properly to disk when the machine is turned off through Hyper-V Manager. To work around this problem, execute the sync command before turning the guest off.
kernel component
Using the mouse scroll wheel does not work on Red Hat Enterprise Linux 6.4 guests that run under certain versions of Microsoft Hyper-V Manager. However, the scroll wheel works as expected when the vncviewer utility is used.
kernel component, BZ#874406
Microsoft Windows Server 2012 guests using the e1000 driver can become unresponsive consuming 100% CPU during boot or reboot.
kernel component
When a kernel panic is triggered on a Microsoft Hyper-V guest, the kdump utility does not capture the kernel error information; an error is only displayed on the command line. This is a host problem. Guest kdump works as expected on Microsoft Hyper-V 2012 R2 host.
qemu-kvm component, BZ#871265
AMD Opteron G1, G2 or G3 CPU models on qemu-kvm use the family and model values as follows: family=15 and model=6. If these values are larger than 20, the lahf_lm CPU feature is ignored by Linux guests, even when the feature is enabled. To work around this problem, use a different CPU model, for example AMD Opteron G4.
qemu-kvm component, BZ#860929
KVM guests must not be allowed to update the host CPU microcode. KVM does not allow this, and instead always returns the same microcode revision or patch level value to the guest. If the guest tries to update the CPU microcode, it will fail and show an error message similar to:
CPU0: update failed (for patch_level=0x6000624)
To work around this, configure the guest to not install CPU microcode updates; for example, uninstall the microcode_ctl package on Red Hat Enterprise Linux or Fedora guests.
virt-p2v component, BZ#816930
Converting a physical server running either Red Hat Enterprise Linux 4 or Red Hat Enterprise Linux 5 which has its file system root on an MD device is not supported. Converting such a guest results in a guest which fails to boot. Note that conversion of a Red Hat Enterprise Linux 6 server which has its root on an MD device is supported.
virt-p2v component, BZ#808820
When converting a physical host with a multipath storage, Virt-P2V presents all available paths for conversion. Only a single path must be selected. This must be a currently active path.
virtio-win component, BZ#615928
The balloon service on Windows 7 guests can only be started by the Administrator user.
libvirt component, BZ#622649
libvirt uses transient iptables rules for managing NAT or bridging to virtual machine guests. Any external command that reloads the iptables state (such as running system-config-firewall) will overwrite the entries needed by libvirt. Consequently, after running any command or tool that changes the state of iptables, guests may lose access to the network. To work around this issue, use the service libvirtd reload command to restore libvirt's additional iptables rules.
virtio-win component, BZ#612801
A Windows virtual machine must be restarted after the installation of the kernel Windows driver framework. If the virtual machine is not restarted, it may crash when a memory balloon operation is performed.
qemu-kvm component, BZ#720597
Installation of Windows 7 Ultimate x86 (32-bit) Service Pack 1 on a guest with more than 4GB of RAM and more than one CPU from a DVD medium can lead to the system being unresponsive and, consequently, to a crash during the final steps of the installation process. To work around this issue, use the Windows Update utility to install the Service Pack.
qemu-kvm component, BZ#612788
A dual function Intel 82576 Gigabit Ethernet Controller interface (codename: Kawela, PCI Vendor/Device ID: 8086:10c9) cannot have both physical functions (PF's) device-assigned to a Windows 2008 guest. Either physical function can be device assigned to a Windows 2008 guest (PCI function 0 or function 1), but not both.
virt-v2v component, BZ#618091
The virt-v2v utility is able to convert guests running on an ESX server. However, if an ESX guest has a disk with a snapshot, the snapshot must be on the same datastore as the underlying disk storage. If the snapshot and the underlying storage are on different datastores, virt-v2v will report a 404 error while trying to retrieve the storage.
virt-v2v component, BZ#678232
The VMware Tools application on Microsoft Windows is unable to disable itself when it detects that it is no longer running on a VMware platform. Consequently, converting a Microsoft Windows guest from VMware ESX, which has VMware Tools installed, will result in errors. These errors usually manifest as error messages on start-up, and a "Stop Error" (also known as a BSOD) when shutting down the guest. To work around this issue, uninstall VMware Tools on Microsoft Windows guests prior to conversion.
libguestfs component
The libguestfs packages do not support remote access to disks over the network in Red Hat Enterprise Linux 6. Consequently, the virt-sysprep tool as well as other tools do not work with remote disks. Users who need to access disks remotely with tools such as virt-sysprep are advised to upgrade to Red Hat Enterprise Linux 7.

6.5. Storage and File Systems

lvm2 component, BZ#1024347
An event is generated for any device that is being watched for changes by means of a special WATCH udev rule. This udev rule is also used for logical volumes and it causes the /dev/ directory to be up-to-date with any data written to the logical volume (mainly the symlinks that are based on metadata, like the content of the /dev/disk directory). The event is generated each time the device is closed after being open for writing.
device-mapper: remove ioctl on  failed: Device or resource busy
This is caused by the LVM command and udev interaction where the original logical volume is open for writing and then part of the logical volume is zeroed so it is prepared for thin pool use. Then the logical volume is closed, which triggers the WATCH rule. Then LVM tries to remove the original volume while it can still be opened by udev. This causes the error message to appear. LVM tries to remove the logical volume a few times before exiting with an lvconvert failure. Normally, udev should process the logical volume quickly and LVM should continue retrying to remove the logical volume. Normally, users can just ignore this error message; the logical volume is processed correctly on next retry. If the number of retries is not sufficient, then lvconvert can fail as a result. If this is the case, users are encouraged to comment out the OPTIONS+="watch" line in the /lib/udev/rules.d/13-dm-disk.rules file. This will cause the WATCH rule for LVM volumes to be disabled. However, this may cause the /dev/ content to be out-of-sync with actual metadata state stored on the logical volume. If LVM needs to retry the logical volume removal because it is being opened in parallel, most notably by udev as described before, it issues an error message "remove ioctl failed: Device or resource busy". If this is the case, the removal is retried several times before lvconvert fails completely.
device-mapper-persistent-data component, BZ#960284
Tools provided by the device-mapper-persistent-data package fail to operate on 4K hard-sectored metadata devices.
anaconda component
In UEFI mode, when creating a partition for software RAID, anaconda can be unable to allocate the /boot/efi mount point to the software RAID partition and fails with the "have not created /boot/efi" message in such a scenario.
kernel component, BZ#918647
Thin provisioning uses reference counts to indicate that data is shared between a thin volume and snapshots of the thin volume. There is a known issue with the way reference counts are managed in the case when a discard is issued to a thin volume that has snapshots. Creating snapshots of a thin volume and then issuing discards to the thin volume can therefore result in data loss in the snapshot volumes. Users are strongly encouraged to disable discard support on the thin-pool for the time being. To do so using lvm2 while the pool is offline, use the lvchange --discard ignore <pool> command. Any discards that might be issued to thin volumes will be ignored.
kernel component
Storage that reports a discard_granularity that is not a power of two will cause the kernel to improperly issue discard requests to the underlying storage. This results in I/O errors associated with the failed discard requests. To work around the problem, if possible, do not upgrade to newer vendor storage firmware that reports discard_granularity that is not a power of two.
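A check for the condition described above, as an added example that is not part of the original notes: it reads the discard_granularity value the kernel exposes for each block device under /sys/block and lists the devices whose value is not a power of two. The SYSFS_ROOT variable and the function names are assumptions introduced here so the check can also be run against a test tree.

```shell
#!/bin/sh
# Added example, not Red Hat's code.
# SYSFS_ROOT is an assumption introduced for testing; on a real system it is /sys.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# is_power_of_two N: succeeds only when N is a positive integer power of two.
is_power_of_two() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;      # empty or non-numeric input
    esac
    [ "$1" -gt 0 ] && [ $(( $1 & ($1 - 1) )) -eq 0 ]
}

# list_bad_discard_devices: print "<device> <granularity>" for every block
# device that advertises discard with a granularity that is not a power of two.
list_bad_discard_devices() {
    for f in "$SYSFS_ROOT"/block/*/queue/discard_granularity; do
        [ -r "$f" ] || continue       # glob did not match or file unreadable
        gran=$(cat "$f")
        # A value of 0 means the device does not support discard at all.
        [ "$gran" = 0 ] && continue
        if ! is_power_of_two "$gran"; then
            dev=${f%/queue/discard_granularity}
            echo "${dev##*/} $gran"
        fi
    done
}

# Run the check when the script is invoked as: sh script.sh check
if [ "${1:-}" = "check" ]; then
    list_bad_discard_devices
fi
```

Running the check before and after a storage firmware update shows whether the update changed the reported granularity.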
parted component
Users might be unable to access a partition created by parted. To work around this problem, reboot the machine.
lvm2 component, BZ#852812
When filling a thin pool to 100% by writing to a thin volume device, access to all thin volumes using this thin pool can be blocked. To prevent this, try not to overfill the pool. If the pool is overfilled and this error occurs, extend the thin pool with new space to continue using the pool.
dracut component
The Qlogic QLA2xxx driver can miss some paths after booting from Storage Area Network (SAN). To work around this problem, run the following commands:
echo "options qla2xxx ql2xasynclogin=0" > /etc/modprobe.d/qla2xxx.conf
mkinitrd /boot/initramfs-`uname -r`.img `uname -r` --force
lvm2 component, BZ#903411
Activating a logical volume can fail if the --thinpool and --discards options are specified on logical-volume creation. To work around this problem, manually deactivate all thin volumes related to the changed thin pool prior to running the lvchange command.
kernel component
Unloading the nfs module can cause the system to terminate unexpectedly if the fsx utility was run with NFSv4.1 before.
device-mapper-multipath component
When the multipathd service is not running, failed devices will not be restored. However, the multipath command gives no indication that multipathd is not running. Users can unknowingly set up multipath devices without starting the multipathd service, keeping failed paths from automatically getting restored. Make sure to start multipathing by
  • either running:
    ~]# mpathconf --enable
    ~]# service multipathd start
    
  • or:
    ~]# chkconfig multipathd on
    ~]# service multipathd start
    
multipathd will automatically start on boot, and multipath devices will automatically restore failed paths.
lvm2 component, BZ#837603
When the administrator disables use of the lvmetad daemon in the lvm.conf file, but the daemon is still running, the cached metadata are remembered until the daemon is restarted. However, if the use_lvmetad parameter in lvm.conf is reset to 1 without an intervening lvmetad restart, the cached metadata can be incorrect. Consequently, VG metadata can be overwritten with previous versions. To work around this problem, stop the lvmetad daemon manually when disabling use_lvmetad in lvm.conf. The daemon can only be restarted after use_lvmetad has been set to 1. To recover from an out-of-sync lvmetad cache, execute the pvscan --cache command or restart lvmetad. To restore metadata to correct versions, use vgcfgrestore with a corresponding file in /etc/lvm/archive.
lvm2 component, BZ#563927
Due to the limitations of the LVM 'mirror' segment type, it is possible to encounter a deadlock situation when snapshots are created of mirrors. The deadlock can occur if snapshot changes (e.g. creation, resizing or removing) happen at the same time as a mirror device failure. In this case, the mirror blocks I/O until LVM can respond to the failure, but the snapshot is holding the LVM lock while trying to read the mirror.
If the user wishes to use mirroring and take snapshots of those mirrors, then it is recommended to use the 'raid1' segment type for the mirrored logical volume instead. This can be done by adding the additional arguments '--type raid1' to the command that creates the mirrored logical volume, as follows:
~]$ lvcreate --type raid1 -m 1 -L 1G -n my_mirror my_vg
kernel component, BZ#606260
The NFSv4 server in Red Hat Enterprise Linux 6 currently allows clients to mount using UDP and advertises NFSv4 over UDP with rpcbind. However, this configuration is not supported by Red Hat and violates the RFC 3530 standard.
lvm2 component
The pvmove command cannot currently be used to move mirror devices. However, it is possible to move mirror devices by issuing a sequence of two commands. For mirror images, add a new image on the destination PV and then remove the mirror image on the source PV:
~]$ lvconvert -m +1 <vg/lv> <new PV>
~]$ lvconvert -m -1 <vg/lv> <old PV>
Mirror logs can be handled in a similar fashion:
~]$ lvconvert --mirrorlog core <vg/lv>
~]$ lvconvert --mirrorlog disk <vg/lv> <new PV>
or
~]$ lvconvert --mirrorlog mirrored <vg/lv> <new PV>
~]$ lvconvert --mirrorlog disk <vg/lv> <old PV>

6.6. Networking

kernel component
In a cluster environment, the multicast traffic from the guest to a host can be unreliable. To work around this problem, enable multicast_querier for the bridge. The setting is located in the /sys/class/net/<bridge_name>/bridge/multicast_querier file. Note that if the setting is not available, the problem should not occur.
kernel component
A missing part of the bcma driver causes the brcmsmac driver not to load automatically when the bcma driver scans for devices. This causes the kernel not to load the brcmsmac module automatically on boot. Symptoms can be confirmed by running the lspci -v command for the device and noting the driver to be bcma, not brcmsmac. To load the driver manually, run modprobe brcmsmac on the command line.
389-ds-base component
Under certain conditions, when the server is processing multiple outgoing replication or windows sync agreements using the TLS or SSL protocol, and processing incoming client requests that use TLS or SSL and Simple Paged Results, the server becomes unresponsive to new incoming client requests. The dirsrv service will stop responding to new incoming client requests. A restart of the dirsrv service is required to restore service.
kernel component, BZ#1003475
When some Fibre Channel over Ethernet (FCoE) switch ports connected to the bfa host bus adapter go offline and then return to the online state, the bfa port may not re-establish the connection with the switch. This is due to a failure of the bfa driver's retry logic when interacting with certain switches. To work around this problem, reset the bfa link. This can be done either by running:
]# echo 1 > /sys/class/fc_host/host/issue_lip
or by running:
]# modprobe -r bfa && modprobe bfa
anaconda component, BZ#984129
For HP systems running in HP FlexFabric mode, the designated iSCSI function can only be used for iSCSI offload related operations and will not be able to perform any other Layer 2 networking tasks, for example, DHCP. In the case of iSCSI boot from SAN, the same SAN MAC address is exposed to both the corresponding ifconfig record and the iSCSI Boot Firmware Table (iBFT), therefore, Anaconda will skip the network selection prompt and will attempt to acquire the IP address as specified by iBFT. If DHCP is desired, Anaconda will attempt to acquire DHCP using this iSCSI function, which will fail and Anaconda will then try to acquire DHCP indefinitely. To work around this problem, if DHCP is desired, the user must use the asknetwork installation parameter and provide a "dummy" static IP address to the corresponding network interface of the iSCSI function. This prevents Anaconda from entering an infinite loop and allows it to request the iSCSI offload function to perform DHCP acquisition instead.
iscsi-initiator-utils component, BZ#825185
If the corresponding network interface has not been brought up by dracut or the tools from the iscsi-initiator-utils package, this prevents the correct MAC address from matching the offload interface, and host bus adapter (HBA) mode will not work without manual intervention to bring the corresponding network interface up. To work around this problem, the user must select the corresponding Layer 2 network interface when anaconda prompts the user to choose "which network interface to install through". This will inherently bring up the offload interface for the installation.
kernel component
When an igb link is up, the following ethtool fields display incorrect values as follows:
  • Supported ports: [ ] - for example, an empty bracket can be displayed.
  • Supported pause frame use: No - however, pause frame is supported.
  • Supports auto-negotiation: No - auto-negotiation is supported.
  • Advertised pause frame use: No - advertised pause frame is turned on.
  • Advertised auto-negotiation: No - advertised auto-negotiation is turned on.
  • Speed: Unknown! - the speed is known and can be verified using the dmesg tool.
linuxptp component
End-to-End (E2E) slaves that communicated with an E2E master once can synchronize to Peer-to-Peer (P2P) masters and vice versa. The slaves cannot update their path delay value because E2E ports reject peer delay requests from P2P ports. However, E2E ports accept SYNC messages from P2P ports and the slaves keep updating clock frequency based on undesired offset values that are calculated by using the old path delay value. Therefore, a time gap will occur if the master port is started with an incorrect delay mechanism. The "delay request on P2P" or "pdelay_req on E2E port" message can appear. To work around these problems, use a single delay mechanism for one PTP communication path. Also, because an E2E and P2P mismatch can trigger a time gap in the slave clock, pay attention to the configuration when starting or restarting a node on a running domain.
samba4 component, BZ#878168
If configured, the Active Directory (AD) DNS server returns IPv4 and IPv6 addresses of an AD server. If the FreeIPA server cannot connect to the AD server with an IPv6 address, running the ipa trust-add command will fail even if it would be possible to use IPv4. To work around this problem, add the IPv4 address of the AD server to the /etc/hosts file. In this case, the FreeIPA server will use only the IPv4 address and executing ipa trust-add will be successful.
kernel component
Destroying the root port before any NPIV ports can cause unexpected system behavior, including a full system crash. Note that one instance where the root port is destroyed before the NPIV ports is when the system is shut down. To work around this problem, destroy NPIV ports before destroying the root port that the NPIV ports were created on. This means that for each created NPIV port, the user should write to the sysfs vport_delete interface to delete that NPIV port. This should be done before the root port is destroyed. Users are advised to script the NPIV port deletion and configure the system such that the script is executed before the fcoe service is stopped, in the shutdown sequence.
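One way to script the NPIV port deletion recommended above, as an added example that is not part of the original notes. It assumes the Fibre Channel transport class layout in sysfs (vports listed under /sys/class/fc_vports as vport-<host>:<channel>-<index>, deleted by writing "<wwpn>:<wwnn>" to the parent host's vport_delete file); SYSFS_ROOT and the function names are assumptions introduced here, and hooking the script into the shutdown sequence ahead of the fcoe service is left to the administrator.

```shell
#!/bin/sh
# Added example, not Red Hat's code.
# SYSFS_ROOT is an assumption introduced for testing; on a real system it is /sys.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# strip_wwn VALUE: sysfs prints WWNs as 0x<16 hex digits>; vport_delete
# expects the bare hex digits.
strip_wwn() {
    printf '%s\n' "${1#0x}"
}

# delete_npiv_ports: delete every NPIV port through its parent (root) port.
# Prints one line per port and returns the number of ports that could not
# be deleted, so 0 means it is safe to proceed with destroying root ports.
delete_npiv_ports() {
    failures=0
    for vport in "$SYSFS_ROOT"/class/fc_vports/vport-*; do
        [ -d "$vport" ] || continue           # no NPIV ports present
        name=${vport##*/}                     # vport-<host>:<channel>-<index>
        host_no=${name#vport-}
        host_no=${host_no%%:*}                # number of the parent fc_host
        parent="$SYSFS_ROOT/class/fc_host/host$host_no"
        wwpn=$(strip_wwn "$(cat "$vport/port_name" 2>/dev/null)")
        wwnn=$(strip_wwn "$(cat "$vport/node_name" 2>/dev/null)")
        if [ -n "$wwpn" ] && [ -n "$wwnn" ] && [ -w "$parent/vport_delete" ] &&
           printf '%s:%s\n' "$wwpn" "$wwnn" > "$parent/vport_delete"; then
            echo "deleted $name ($wwpn:$wwnn) via host$host_no"
        else
            echo "FAILED $name via host$host_no" >&2
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Perform the deletion when the script is invoked as: sh script.sh run
if [ "${1:-}" = "run" ]; then
    delete_npiv_ports
fi
```

A non-zero exit status means at least one NPIV port is still present, which is the state in which destroying the root port is unsafe.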
kernel component
A Linux LIO FCoE target causes the bfa driver to reset all FCoE targets which might lead to data corruption on LUN. To avoid these problems, do not use the bfa driver with a Linux FCoE target.
NetworkManager component, BZ#896198
A GATEWAY setting in the /etc/sysconfig/network file causes NetworkManager to assign that gateway to all interfaces with static IP addresses, even if their configuration did not specify a gateway or specified a different gateway. Interfaces have the incorrect gateway information and the wrong interface may have the default route. Instead of using GATEWAY in /etc/sysconfig/network to specify which interface receives the default route, set DEFROUTE=no in each ifcfg file that should not have the default route. Any interface connected using configuration from an ifcfg file containing DEFROUTE=no will never receive the default route.
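An audit for the configuration described above, as an added example that is not part of the original notes: it reports whether /etc/sysconfig/network carries a global GATEWAY and which ifcfg files with a static address lack DEFROUTE=no and would therefore be assigned that gateway. The files are parsed rather than sourced, so nothing in them is executed; SYSCONFIG_DIR, the function names and the accepted spellings of "no" are assumptions introduced here.

```shell
#!/bin/sh
# Added example, not Red Hat's code.
# SYSCONFIG_DIR is an assumption introduced for testing; normally /etc/sysconfig.
SYSCONFIG_DIR="${SYSCONFIG_DIR:-/etc/sysconfig}"

# get_key FILE KEY: print the last value assigned to KEY, with trailing
# comments, surrounding whitespace and quotes removed. The file is only
# read as text, never sourced.
get_key() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' | tr -d "\"'"
}

# is_no VALUE: succeeds for the spellings treated here as "no" (assumption).
is_no() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        no|n|false|f|0) return 0 ;;
    esac
    return 1
}

# audit_default_route: print one finding per interface. Returns non-zero
# when a global GATEWAY is set and at least one static interface without
# DEFROUTE=no would be assigned it.
audit_default_route() {
    gw=$(get_key "$SYSCONFIG_DIR/network" GATEWAY)
    affected=0
    for cfg in "$SYSCONFIG_DIR"/network-scripts/ifcfg-*; do
        [ -f "$cfg" ] || continue
        dev=${cfg##*/ifcfg-}
        [ "$dev" = lo ] && continue
        # Static addressing: IPADDR or IPADDR0 present in the ifcfg file.
        ipaddr=$(get_key "$cfg" IPADDR)$(get_key "$cfg" IPADDR0)
        own_gw=$(get_key "$cfg" GATEWAY)
        if is_no "$(get_key "$cfg" DEFROUTE)"; then
            echo "OK $dev: DEFROUTE=no, never receives the default route"
        elif [ -n "$gw" ] && [ -n "$ipaddr" ]; then
            echo "AFFECTED $dev: static address, own GATEWAY='$own_gw', global GATEWAY=$gw would be assigned"
            affected=$((affected + 1))
        else
            echo "INFO $dev: no DEFROUTE=no, may receive the default route"
        fi
    done
    [ "$affected" -eq 0 ]
}

# Run the audit when the script is invoked as: sh script.sh audit
if [ "${1:-}" = "audit" ]; then
    audit_default_route
fi
```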
kernel component
Typically, on platforms with no Intelligent Platform Management Interface (IPMI) hardware, the user can see the following message on the boot console and in the dmesg log:
Could not set up I/O space
This message can be safely ignored, unless the system really does have IPMI hardware. In that case, the message indicates that the IPMI hardware could not be initialized. In order to support Advanced Configuration and Power Interface (ACPI) opregion access to IPMI functionality early in the boot, the IPMI driver has been statically linked with the kernel image. This means that the IPMI driver is "loaded" whether or not there is any hardware. The IPMI driver will try to initialize the IPMI hardware, but if there is no IPMI hardware present on the booting platform, the driver will print error messages on the console and in the dmesg log. Some of these error messages do not identify themselves as having been issued by the IPMI driver, so they can appear to be serious, when they are harmless.
kernel component
Shutting down the fcoe-target service while the Fibre Channel over Ethernet (FCoE) can lead to a kernel crash. Please minimize FCoE traffic before stopping or restarting this service.
fcoe-utils component
After an ixgbe Fibre Channel over Ethernet (FCoE) session is created, server reboot can cause some or all of the FCoE sessions to not be created automatically. To work around this problem, perform the following steps (assuming that eth0 is the missing NIC for the FCoE session):
ifconfig eth0 down
ifconfig eth0 up
sleep 5
dcbtool sc eth0 dcb on
sleep 5
dcbtool sc eth0 pfc e:1 a:1 w:1
dcbtool sc eth0 app:fcoe e:1 a:1 w:1
service fcoe restart
libibverbs component
The InfiniBand UD transport test utility could become unresponsive when the ibv_ud_pingpong command was used with a packet size of 2048 or greater. UD is limited to no more than the smallest MTU of any point in the path between point A and B, which is between 0 and 4096 given that the largest MTU supported (but not the smallest nor required) is 4096. If the underlying Ethernet is jumbo frame capable, and with a 4096 IB MTU on an RoCE device, the max packet size that can be used with UD is 4012 bytes.
bind-dyndb-ldap component
IPA creates a new DNS zone in two separate steps. When the new zone is created, it is invalid for a short period of time. A/AAAA records for the name server belonging to the new zone are created after this delay. Sometimes, BIND attempts to load this invalid zone and fails. In such a case, reload BIND by running either rndc reload or service named restart.
selinux-policy component
SELinux can prevent the nmbd service from writing into the /var/, which breaks NetBIOS name resolution and leads to SELinux AVC denials.
kernel component
The latest version of the sfc NIC driver causes lower UDP and TX performance with large amounts of fragmented UDP packets. This problem can be avoided by setting a constant interrupt moderation period (not adaptive moderation) on both sides, sending and receiving.
kernel component
Some network interface cards (NICs) may not get an IPv4 address assigned after the system is rebooted. To work around this issue, add the following line to the /etc/sysconfig/network-scripts/ifcfg-<interface> file:
LINKDELAY=10
NetworkManager component, BZ#758076
If a Certificate Authority (CA) certificate is not selected when configuring an 802.1x or WPA-Enterprise connection, a dialog appears indicating that a missing CA certificate is a security risk. This dialog presents two options: ignore the missing CA certificate and proceed with the insecure connection, or choose a CA certificate. If the user elects to choose a CA certificate, this dialog disappears and the user may select the CA certificate in the original configuration dialog.
samba component
Current Samba versions shipped with Red Hat Enterprise Linux 6 are not able to fully control the user and group database when using the ldapsam_compat back end. This back end was never designed to run a production LDAP and Samba environment for a long period of time. The ldapsam_compat back end was created as a tool to ease migration from historical Samba releases (version 2.2.x) to Samba version 3 and greater using the new ldapsam back end and the new LDAP schema. The ldapsam_compat back end lacks various important LDAP attributes and object classes that are needed to provide full user and group management. In particular, it cannot allocate user and group IDs. In the Red Hat Enterprise Linux Reference Guide, it is pointed out that this back end is likely to be deprecated in future releases. Refer to Samba's documentation for instructions on how to migrate existing setups to the new LDAP schema.
When you are not able to upgrade to the new LDAP schema (though upgrading is strongly recommended and is the preferred solution), you may work around this issue by keeping a dedicated machine running an older version of Samba (v2.2.x) for the purpose of user account management. Alternatively, you can create user accounts with standard LDIF files. The important part is the assignment of user and group IDs. In that case, the old Samba 2.2 algorithmic mapping from Windows RIDs to Unix IDs is the following: user RID = UID * 2 + 1000, while for groups it is: group RID = GID * 2 + 1001. With these workarounds, users can continue using the ldapsam_compat back end with their existing LDAP setup even when all the above restrictions apply.
kernel component
Because Red Hat Enterprise Linux 6 defaults to using Strict Reverse Path filtering, packets are dropped by default when the route for outbound traffic differs from the route of incoming traffic. This is in line with current recommended practice in RFC3704. For more information about this issue please refer to /usr/share/doc/kernel-doc-<version>/Documentation/networking/ip-sysctl.txt and https://access.redhat.com/site/solutions/53031.
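The following check is an added example, not part of the original notes. It reports which interfaces end up in Strict Reverse Path filtering, using the rule from the ip-sysctl.txt file referenced above that the larger of the conf/all and conf/<interface> rp_filter values is applied to each interface. The sysctl lines are a constructed sample and the function names are hypothetical.

```python
import re

# Constructed sample of `sysctl -a` output; not taken from a real host.
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 2
net.ipv4.ip_forward = 1
"""

# rp_filter values as documented in ip-sysctl.txt.
MODES = {0: "off", 1: "strict", 2: "loose"}
RP_LINE = re.compile(r"^net\.ipv4\.conf\.(.+)\.rp_filter\s*=\s*([012])\s*$")


def parse_rp_filter(text):
    """Return {interface: configured rp_filter value} from sysctl output."""
    values = {}
    for line in text.splitlines():
        match = RP_LINE.match(line.strip())
        if match:
            values[match.group(1)] = int(match.group(2))
    return values


def effective_modes(text):
    """Return {interface: mode actually applied to that interface}.

    The kernel applies max(conf/all, conf/<interface>), so a per-interface
    value can only raise the setting given by "all", never lower it.
    The "all" and "default" pseudo-entries are not interfaces and are skipped.
    """
    values = parse_rp_filter(text)
    global_value = values.get("all", 0)
    return {
        iface: MODES[max(global_value, value)]
        for iface, value in values.items()
        if iface not in ("all", "default")
    }


def strict_interfaces(text):
    """Interfaces on which asymmetrically routed packets are dropped."""
    modes = effective_modes(text)
    return sorted(iface for iface, mode in modes.items() if mode == "strict")


if __name__ == "__main__":
    for iface, mode in sorted(effective_modes(SAMPLE_SYSCTL).items()):
        print("%-6s %s" % (iface, mode))
```

On a multihomed host, the interfaces returned by strict_interfaces() are the ones where traffic arriving by a different route than the reply would take is silently dropped.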

6.7. Security

kernel component
When stopping the ipsec daemon, error messages about modules being in use can occur.
openssl component, BZ#1022002
The external Advanced Encryption Standard (AES) New Instructions (AES-NI) engine is no longer available in openssl; the engine is now built-in and therefore no longer needs to be manually enabled.

6.8. Clustering

corosync component
The redundant ring feature of corosync is not fully supported in combination with InfiniBand or Distributed Lock Manager (DLM). A double ring failure can cause both rings to break at the same time on different nodes. In addition, DLM is not functional if ring0 is down.
lvm2 component, BZ#814779
A clustered environment is not supported by lvmetad at the moment. If global/use_lvmetad=1 is used together with the global/locking_type=3 configuration setting (clustered locking), the use_lvmetad setting is automatically overridden to 0 and lvmetad is not used at all. Also, the following warning message is displayed:
WARNING: configuration setting use_lvmetad overriden to 0 due to locking_type 3. Clustered environment not supported by lvmetad yet.
luci component, BZ#615898
luci will not function with Red Hat Enterprise Linux 5 clusters unless each cluster node has ricci version 0.12.2-14.

6.9. Authentication

ipa component, BZ#1024744
OpenLDAP and 389 Directory Server treat the grace logins differently. 389 Directory Server treats them as "number of grace logins left" while OpenLDAP treats them as "number of grace logins used". Currently, SSSD only handles the semantics used by 389 Directory Server. As a result, when using an OpenLDAP server, the grace password warning might be incorrect.
ipa component, BZ#1024959
The Identity Management server does not write the initial user password correctly to password history. As a consequence, when a new Identity Management user is created and a password is generated for that user, the first time the user changes the password, the value of the first password is disregarded when the password policy plug-in checks the password history. This means that the user can "change" the initial password to the same value as the previous one, with no regard to the configured password history. Password history is applied correctly to all subsequent password changes.
ipa component, BZ#1009102
When an Identity Management server installed on Red Hat Enterprise Linux 6.2 is updated to the version provided by Red Hat Enterprise Linux 6.4 or 6.5, the new pbac permission "Write DNS Configuration" is created without any of the required object classes. Consequently, the permission may not show up on the Identity Management Web UI permission page or when the --sizelimit parameter is used for the CLI permission-find command. The permission is still accessible using the command line when the --sizelimit option is not specified. To work around this problem, run the following command on the server to trigger the DNS permission update process again and fix the list of permission object classes:
~]# ipa-ldap-updater --ldapi /usr/share/ipa/updates/40-dns.update
This problem can also be avoided when a Red Hat Enterprise Linux 6.4 or 6.5 replica is installed or when an Identity Management server is reinstalled or upgraded.
ipa component, BZ#1015481
Identity Management administration framework API contains two checks to verify that a request on its API can be passed further:
  1. A check to see if the client API version is not higher than the server API version. If it is, the request is rejected.
  2. A check to see if the client API request does not use an attribute or a parameter unknown to the server. If it does, the request is rejected.
However, the Identity Management server performs the checks in an incorrect order: first, the attribute and parameter check is done and after that, the API version check is done. As a consequence, when a new client (for example, Red Hat Enterprise Linux 6.5) runs the ipa administration tool against a server with an earlier operating system (for example, Red Hat Enterprise Linux 6.4), the command returns a confusing error message; for example, instead of reporting an API version incompatibility, ipa outputs the following message:
~]$ ipa user-show admin
ipa: ERROR: Unknown option: no_members
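The effect of the check order can be reproduced with a small model. This is an added example, not Identity Management code: the version numbers, option lists, error wording for the version check, and all function names are constructed for illustration.

```python
class RequestRejected(Exception):
    """Raised by a check when the request must not be passed further."""


# Constructed server state; not the real IPA API version or option list.
SERVER_API_VERSION = (2, 0)
SERVER_OPTIONS = {"user_show": {"all", "raw", "rights"}}


def parse_version(text):
    """Turn 'major.minor' into a tuple so versions compare numerically."""
    major, minor = text.split(".")
    return int(major), int(minor)


def check_version(request):
    """Check 1: the client API version must not be higher than the server's."""
    if parse_version(request["version"]) > SERVER_API_VERSION:
        raise RequestRejected(
            "client API version {} is newer than server API version {}.{}".format(
                request["version"], *SERVER_API_VERSION
            )
        )


def check_options(request):
    """Check 2: the request must not use options unknown to the server."""
    known = SERVER_OPTIONS[request["command"]]
    unknown = sorted(set(request["options"]) - known)
    if unknown:
        raise RequestRejected("Unknown option: {}".format(unknown[0]))


def validate(request, checks):
    """Run checks in the given order; return the first error text or None."""
    for check in checks:
        try:
            check(request)
        except RequestRejected as err:
            return str(err)
    return None


# The order the note describes as incorrect, and the intended order.
ORDER_OPTIONS_FIRST = (check_options, check_version)
ORDER_VERSION_FIRST = (check_version, check_options)

# A newer client sends an option the older server has never heard of.
NEWER_CLIENT = {"command": "user_show", "version": "2.1",
                "options": {"no_members": False}}
# A client of the same version that simply mistyped an option name.
SAME_VERSION_TYPO = {"command": "user_show", "version": "2.0",
                     "options": {"rihgts": True}}

if __name__ == "__main__":
    print(validate(NEWER_CLIENT, ORDER_OPTIONS_FIRST))
    print(validate(NEWER_CLIENT, ORDER_VERSION_FIRST))
```

With the version check first, the newer client is told about the version mismatch, while a same-version client with a genuinely unknown option still gets the "Unknown option" error.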
ipa component, BZ#1016042
The ipa-replica-manage tool contains a bug in the re-initialize command causing the MemberOf task to fail with an error under certain circumstances. When the ipa-replica-manage re-initialize command is run for a Windows Synchronization (WinSync) replication agreement, it succeeds in the re-initialization part, but fails during execution of the MemberOf task which is run after the re-initialization part. The following error is returned:
Update succeeded
Can't contact LDAP server
However, the error is harmless as running the MemberOf task is not required in this case.
sssd component, BZ#995737
SSSD fails if the entryUSN attribute of sudo rules is empty. As a result, processing of sudo rules stops instead of proceeding. To work around this problem, if the server contains any other USN-like attribute, the user can set the attribute in the configuration file using:
ldap_rootdse_last_usn = attr_name
ldap_entry_usn = attr_name
ipa component, BZ#983237
ipa-adtrust-install, an Identity Management Active Directory Trust configuration tool, does not explicitly specify the authentication mechanism when performing Active Directory Trust configuration changes. When the user specifies a default LDAP authentication mechanism other than the expected default (for example, by setting the SASL_MECH configuration option to GSSAPI in the LDAP configuration file for the root user, .ldaprc), ipa-adtrust-install does not use the expected authentication mechanism and fails to configure some parts of the Active Directory integration feature. As a result, a crash of the samba daemon (smbd) can occur or the user is unable to use the feature. To work around this problem, remove any user default settings related to the LDAP authentication mechanism from the .ldaprc file. The ipa-adtrust-install installer will then successfully configure the Active Directory integration feature.
ipa component, BZ#894388
The Identity Management installer configures all integrated services to listen on all interfaces. The administrator has no means to instruct the Identity Management installer to listen only on chosen interfaces even though the installer requires a valid interface IP address as one installation parameter. To work around this problem, change service configuration after Identity Management installation.
ipa component, BZ#894378
The Identity Management LDAP permission manipulation plugin validates subtree and filter permission specifiers as mutually exclusive even though it is a valid combination in the underlying LDAP Access Control Instruction (ACI). Permissions with filter and subtree specifiers can be neither created nor modified. This affects, for example, the Add Automount Keys permission, which cannot be modified.
ipa component, BZ#817080
In some cases the certificates tracked by certmonger are not cleared when running the ipa-server-install --uninstall command. This will cause a subsequent re-installation to fail with an unexpected error.
sssd component, BZ#892604
The ssh_cache utility sets the DEBUG level after it processes the command-line parameters. If the command-line parameters cannot be processed, the utility prints DEBUG lines that are not supposed to be printed by default. To avoid this, correct parameters must be used.
sssd component, BZ#891647
It is possible to specify the enumerate=true value in the sssd.conf file to access all users in the system. However, using enumerate=true is not recommended in large environments as this can lead to high CPU consumption. As a result, operations like login or logout can be slowed down.
ipa component, BZ#888579
The Identity Management server processes Kerberos Password Expiration Time field as a 32-bit integer. If Maximum Lifetime of a user password in Identity Management Password Policy is set to a value causing the resulting Kerberos Password Expiration Time timestamp to exceed 32 bits and to overflow, the passwords that are being changed are configured with an expiration time that lies in the past and are always rejected. To ensure that new user passwords are valid and can be changed properly, do not set password Maximum Lifetime in Identity Management Password Policy to values that would cause the Kerberos Password Expiration Time timestamp to exceed 32 bits; that is, passwords that would expire after 2038-01-19. At the moment, recommended values for the Maximum Lifetime field are numbers lower than 9000 days.
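The overflow can be worked through numerically. This is an added example, not Identity Management code: it assumes the field wraps as a signed 32-bit value, uses a constructed password-change date of 2013-01-01 UTC, and all function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1          # 2038-01-19 03:14:07 UTC as a Unix timestamp
SECONDS_PER_DAY = 86400


def to_int32(value):
    """Wrap an integer the way a signed 32-bit field stores it (assumption)."""
    return (value + 2**31) % 2**32 - 2**31


def unix_time(moment):
    """Seconds since the epoch for a timezone-aware datetime."""
    return int((moment - EPOCH).total_seconds())


def stored_expiration(changed_at, max_life_days):
    """Expiration time as it would read back from a 32-bit field."""
    raw = unix_time(changed_at) + max_life_days * SECONDS_PER_DAY
    # EPOCH + timedelta handles negative (pre-1970) results portably.
    return EPOCH + timedelta(seconds=to_int32(raw))


def is_rejected(changed_at, max_life_days):
    """True when the stored expiration already lies in the past."""
    return stored_expiration(changed_at, max_life_days) <= changed_at


def max_safe_lifetime_days(changed_at):
    """Largest Maximum Lifetime (whole days) that does not overflow."""
    return (INT32_MAX - unix_time(changed_at)) // SECONDS_PER_DAY


# Constructed date of the password change, for a repeatable result.
CHANGED_AT = datetime(2013, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    limit = max_safe_lifetime_days(CHANGED_AT)
    for days in (9000, limit, limit + 1):
        print(days, stored_expiration(CHANGED_AT, days).date(),
              "rejected" if is_rejected(CHANGED_AT, days) else "ok")
```

The safe limit is measured from the day the password is changed, so it drops by one for every day that passes.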
sssd component, BZ#785877
When reconnecting to an LDAP server, SSSD does not check whether the server was re-initialized during the downtime. If the server was re-initialized during the downtime and was filled with completely different data, SSSD does not update its database. As a consequence, the user can get invalid information from SSSD. To work around this problem:
  1. stop SSSD before reconnecting to the re-initialized server;
  2. clear the SSSD caches manually before reconnecting;
  3. start SSSD.
krb5 component
In environments where entropy is scarce, the kadmind tool can take longer to initialize after startup than it did in previous releases as it attempts to read data from the /dev/random file and seed its internal random number generator (RNG). Clients which attempt to connect to the kadmin service can time out and fail with a GSS-API or Kerberos error. After the service completely finishes initializing itself, it will process messages received from now-disconnected clients and can log clock-skew or decrypt-integrity-check-failed errors for those connections. To work around this problem, use a service such as rngd to seed the system RNG using hardware sources of entropy.
ipa component, BZ#887193
The Identity Management server in Red Hat Enterprise Linux 6.3 introduced a technical preview of the SELinux user mapping feature, which enabled a mapping of SELinux users to users managed by Identity Management based on custom rules. However, the default SELinux user (guest_u:s0), which is used when no custom rule matches, is too constraining. An Identity Management user authenticating to Red Hat Enterprise Linux 6.5 can be assigned this SELinux user, in which case a login through a graphical session always fails. To work around this problem, change the default SELinux user in the Identity Management server from guest_u:s0 to the more relaxed value unconfined_u:s0-s0:c0.c1023:
kinit admin
ipa config-mod ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023
An unconfined SELinux user will be now assigned to the Identity Management user by default, which will allow the user to successfully authenticate through graphical interface.
ipa component, BZ#761574
When attempting to view a host in the web UI, the following message can appear:
Certificate operation cannot be completed: Unable to communicate with CMS (Unauthorized)
Attempting to delete installed certificates through the web UI or command-line interface can fail with the same error message. To work around this problem, run the following command:
~]# yum downgrade ipa-server libipa_hbac libipa_hbac-python ipa-python ipa-client ipa-admintools ipa-server-selinux
ipa component
When upgrading the ipa-server package using anaconda, the following error message is logged in the upgrade.log file:
/sbin/restorecon:  lstat(/var/lib/pki-ca/publish*) failed:  No such file or directory
This problem does not occur when using yum.
sssd component
In the Identity Manager subdomain code, a User Principal Name (UPN) is by default built from the SAM Account Name and Active Directory trust users, that is user@DOMAIN. The UPN can be changed to differ from the UPN in Active Directory, however only the default format, user@DOMAIN, is supported.
sssd component, BZ#805921
Sometimes, group members may not be visible when running the getent group groupname command. This can be caused by an incorrect ldap_schema in the [domain/DOMAINNAME] section of the sssd.conf file. SSSD supports three LDAP schema types: RFC 2307, RFC 2307bis, and IPA. By default, SSSD uses the more common RFC 2307 schema. The difference between RFC 2307 and RFC 2307bis is the way in which group membership is stored in the LDAP server. In an RFC 2307 server, group members are stored as the multi-valued memberuid attribute, which contains the names of the users that are members. In an RFC 2307bis server, group members are stored as the multi-valued attribute member (or sometimes uniqueMember), which contains the DN of the user or group that is a member of this group. RFC 2307bis allows nested groups to be maintained as well.
When encountering this problem:
  • add ldap_schema = rfc2307bis in the sssd.conf file,
  • delete the /var/lib/sss/db/cache_DOMAINNAME.ldb file,
  • and restart SSSD.
If the workaround does not work, add ldap_group_member = uniqueMember in the sssd.conf file, delete the cache file and restart SSSD.
Identity Management component, BZ#826973
When Identity Management is installed with its CA certificate signed by an external CA, the installation is processed in 2 stages. In the first stage, a CSR is generated to be signed by an external CA. The second stage of the installation then accepts a file with the new signed certificate for the Identity Management CA and a certificate of the external CA. During the second stage of the installation, the subject of the signed Identity Management CA certificate is validated. However, there is a bug in the certificate subject validation procedure and its default value (O=$REALM, where $REALM is the realm of the new Identity Management installation) is never pulled. Consequently, the second stage of the installation process always fails unless the --subject option is specified. To work around this issue, add the following option for the second stage of the installation: --subject "O=$REALM" where $REALM is the realm of the new Identity Management installation. If a custom subject was used for the first stage of the installation, use its value instead. With this workaround, the certificate subject validation procedure succeeds and the installation continues as expected.
Identity Management component, BZ#822350
When a user is migrated from a remote LDAP, the user's entry in the Directory Server does not contain Kerberos credentials needed for a Kerberos login. When the user visits the password migration page, Kerberos credentials are generated for the user and logging in via Kerberos authentication works as expected. However, Identity Management does not generate the credentials correctly when the migrated password does not follow the password policy set on the Identity Management server. Consequently, when the password migration is done and a user tries to log in via Kerberos authentication, the user is prompted to change the password as it does not follow the password policy, but the password change is never successful and the user is not able to use Kerberos authentication. To work around this issue, an administrator can reset the password of a migrated user with the ipa passwd command. When reset, user's Kerberos credentials in the Directory Server are properly generated and the user is able to log in using Kerberos authentication.
Identity Management component
In the Identity Management webUI, deleting a DNS record may, under some circumstances, leave it visible on the page showing DNS records. This is only a display issue and does not affect functionality of DNS records in any way.
Identity Management component, BZ#790513
The ipa-client package does not install the policycoreutils package as its dependency, which may cause install/uninstall issues when using the ipa-client-install setup script. To work around this issue, install the policycoreutils package manually:
~]# yum install policycoreutils
Identity Management component, BZ#813376
Updating the Identity Management LDAP configuration via the ipa-ldap-updater fails with a traceback error when executed by a non-root user due to the SASL EXTERNAL bind requiring root privileges. To work around this issue, run the aforementioned command as the root user.
Identity Management component, BZ#794882
With netgroups, when adding a host as a member that Identity Management does not have stored as a host already, that host is considered to be an external host. This host can be controlled with netgroups, but Identity Management has no knowledge of it. Currently, there is no way to use the netgroup-find option to search for external hosts.
Also, note that when a host is added to a netgroup as an external host, rather than being added in Identity Management as an external host, that host is not automatically converted within the netgroup rule.
Identity Management component, BZ#786629
Because a permission does not provide write access to an entry, delegation does not work as expected. The 389 Directory Server (389-ds) distinguishes access between entries and attributes. For example, an entry can be granted add or delete access, whereas an attribute can be granted read, search, and write access. To grant write access to an entry, the list of writable attributes needs to be provided. The filter, subtree, and other options are used to target those entries which are writable. Attributes define which part(s) of those entries are writable. As a result, the list of attributes will be writable to members of the permission.
sssd component, BZ#808063
The manpage entry for the ldap_disable_paging option in the sssd-ldap man page does not indicate that it accepts the boolean values True or False, and that it defaults to False if it is not explicitly specified.
Identity Management component, BZ#812127
Identity Management relies on the LDAP schema to know what type of data to expect in a given attribute. If, in certain situations (such as replication), data that does not meet those expectations is inserted into an attribute, Identity Management will not be able to handle the entry, and LDAP tools have to be used to manually clean up that entry.
Identity Management component, BZ#812122
Identity Management sudo commands are not case sensitive. For example, executing the following commands will result in the latter one failing due to the case insensitivity:
~]$ ipa sudocmd-add /usr/bin/X
⋮
~]$ ipa sudocmd-add /usr/bin/x
ipa: ERROR: sudo command with name "/usr/bin/x" already exists
Identity Management component
When an Identity Management server is installed with a custom hostname that is not resolvable, the ipa-server-install command should add a record to the static hostname lookup table in /etc/hosts and enable further configuration of Identity Management integrated services. However, a record is not added to /etc/hosts when an IP address is passed as a CLI option and not interactively. Consequently, Identity Management installation fails because integrated services that are being configured expect the Identity Management server hostname to be resolvable. To work around this issue, complete one of the following:
  • Run the ipa-server-install without the --ip-address option and pass the IP address interactively.
  • Add a record to /etc/hosts before the installation is started. The record should contain the Identity Management server IP address and its full hostname (the hosts(5) man page specifies the record format).
As a result, the Identity Management server can be installed with a custom hostname that is not resolvable.
sssd component
Upgrading SSSD from the version provided in Red Hat Enterprise Linux 6.1 to the version shipped with Red Hat Enterprise Linux 6.2 may fail due to a bug in the dependent library libldb. This failure occurs when the SSSD cache contains internal entries whose distinguished name contains the \, character sequence. The most likely example of this is for an invalid memberUID entry to appear in an LDAP group of the form:
memberUID: user1,user2
memberUID is a multi-valued attribute and should not have multiple users in the same attribute.
If the upgrade issue occurs, identifiable by the following debug log message:
(Wed Nov  2 15:18:21 2011) [sssd] [ldb] (0): A transaction is still active in
ldb context [0xaa0460] on /var/lib/sss/db/cache_<DOMAIN>.ldb
remove the /var/lib/sss/db/cache_<DOMAIN>.ldb file and restart SSSD.

Removing the /var/lib/sss/db/cache_<DOMAIN>.ldb file

Removing the /var/lib/sss/db/cache_<DOMAIN>.ldb file purges the cache of all entries (including cached credentials).
sssd component, BZ#751314
When a group contains certain incorrect multi-valued memberUID values, SSSD fails to sanitize the values properly. The memberUID value should only contain one username. As a result, SSSD creates incorrect users, using the broken memberUID values as their usernames. This, for example, causes problems during cache indexing.
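The two memberUID notes above and the earlier note on RFC 2307 and RFC 2307bis group membership (BZ#805921) can both be checked against a directory export before SSSD reads it. This is an added example, not SSSD code: the LDIF is a constructed sample, the parser handles only plain (non-base64) LDIF, and the function names are hypothetical.

```python
# Constructed LDIF export of three groups; not from a real directory.
SAMPLE_LDIF = """\
dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: admins
memberUid: alice
memberUid: bob

dn: cn=devs,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: devs
memberUid: user1,user2

dn: cn=ops,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: ops
uniqueMember: uid=carol,ou=People,
 dc=example,dc=com
"""


def parse_ldif(text):
    """Parse plain LDIF into a list of {lowercased attribute: [values]}."""
    entries, current, last_attr = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue                      # comment line
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
        elif line.startswith(" ") and last_attr:
            current[last_attr][-1] += line[1:]   # folded continuation line
        else:
            attr, _, value = line.partition(":")
            last_attr = attr.strip().lower()
            current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit_groups(entries):
    """Find comma-joined memberUid values and the membership style in use."""
    report = {"ldap_schema": "rfc2307", "unique_member": False,
              "bad_memberuid": []}
    for entry in entries:
        dn = entry.get("dn", ["(no dn)"])[0]
        # memberUid must hold exactly one user name per value.
        for value in entry.get("memberuid", []):
            if "," in value:
                report["bad_memberuid"].append((dn, value))
        # DN-valued membership attributes mean RFC 2307bis-style groups.
        if "member" in entry or "uniquemember" in entry:
            report["ldap_schema"] = "rfc2307bis"
        if "uniquemember" in entry:
            report["unique_member"] = True
    return report


def sssd_settings(report):
    """Lines for the [domain/DOMAINNAME] section matching the report."""
    lines = ["ldap_schema = " + report["ldap_schema"]]
    if report["unique_member"]:
        lines.append("ldap_group_member = uniqueMember")
    return lines


if __name__ == "__main__":
    result = audit_groups(parse_ldif(SAMPLE_LDIF))
    for dn, value in result["bad_memberuid"]:
        print("invalid memberUid %r in %s" % (value, dn))
    print("\n".join(sssd_settings(result)))
```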
Identity Management component
Two Identity Management servers, both with a CA (Certificate Authority) installed, use two replication agreements. One is for user, group, host, and other related data. Another replication agreement is established between the CA instances installed on the servers. If the CA replication agreement is broken, the Identity Management data is still shared between the two servers; however, because there is no replication agreement between the two CAs, issuing a certificate on one server will cause the other server to not recognize that certificate, and vice versa.
Identity Management component
The Identity Management (ipa) package cannot be built with a 6ComputeNode subscription.
sssd component, BZ#741264
Active Directory performs certain LDAP referral-chasing that is incompatible with the referral mechanism included in the openldap libraries. Notably, Active Directory sometimes attempts to return a referral on an LDAP bind attempt, which used to cause a hang, and is now denied by the openldap libraries. As a result, SSSD may suffer from performance issues and occasional failures resulting in missing information.
To work around this issue, disable referral-chasing by setting the following parameter in the [domain/DOMAINNAME] section of the /etc/sssd/sssd.conf file:
ldap_referrals = false

6.10. Devices

kernel component
When using large block size (1MB), the tape driver sometimes returns an EBUSY error. To work around this problem, use a smaller block size, that is 256KB.
kernel component
On some of the older Broadcom tg3 devices, the default Maximum Read Request Size (MRRS) value of 512 bytes is known to cause lower performance. This is because these devices perform direct memory access (DMA) requests serially. A 1500-byte Ethernet packet will be broken into 3 PCIE read requests using a 512-byte MRRS. When using a higher MRRS value, the DMA transfer can be faster as fewer requests will be needed. However, the MRRS value is meant to be tuned by system software and not by the driver. PCIE Base spec 3.0 section 7.8.4 contains an implementation note that illustrates how system software might tune the MRRS for all devices in the system. As a result, Broadcom modified the tg3 driver to remove the code that sets the MRRS to 4K bytes so that any value selected by system software (BIOS) will be preserved.
kernel component
The Brocade BFA Fibre Channel and FCoE driver does not currently support dynamic recognition of Logical Unit addition or removal using the sg3_utils utilities (for example, the sg_scan command) or similar functionality. Please consult Brocade directly for a Brocade equivalent of this functionality.
kernel component
iSCSI and FCoE boot support on Broadcom devices is not included in Red Hat Enterprise Linux 6.4 and later. These two features, which are provided by the bnx2i and bnx2fc Broadcom drivers, remain a Technology Preview until further notice.
kexec-tools component
Starting with Red Hat Enterprise Linux 6.0, kexec kdump supports dumping core to the Btrfs file system. However, note that because the findfs utility in busybox does not support Btrfs yet, UUID/LABEL resolving is not functional. Avoid using the UUID/LABEL syntax when dumping core to Btrfs file systems.
trace-cmd component
The trace-cmd service does not start on 64-bit PowerPC and IBM System z systems because the sys_enter and sys_exit events do not get enabled on the aforementioned systems.
trace-cmd component
trace-cmd's subcommand, report, does not work on IBM System z systems. This is due to the fact that the CONFIG_FTRACE_SYSCALLS parameter is not set on IBM System z systems.
libfprint component
Red Hat Enterprise Linux 6 only has support for the first revision of the UPEK Touchstrip fingerprint reader (USB ID 147e:2016). Attempting to use a second revision device may cause the fingerprint reader daemon to crash. The following command returns the version of the device being used in an individual machine:
~]$ lsusb -v -d 147e:2016 | grep bcdDevice
kernel component
The Emulex Fibre Channel/Fibre Channel-over-Ethernet (FCoE) driver in Red Hat Enterprise Linux 6 does not support DH-CHAP authentication. DH-CHAP authentication provides secure access between hosts and mass storage in Fibre-Channel and FCoE SANs in compliance with the FC-SP specification. Note, however, that the Emulex driver (lpfc) does support DH-CHAP authentication on Red Hat Enterprise Linux 5, from version 5.4. Future Red Hat Enterprise Linux 6 releases may include DH-CHAP authentication.
kernel component
The recommended minimum HBA firmware revision for use with the mpt2sas driver is "Phase 5 firmware" (that is, with version number in the form 05.xx.xx.xx). Note that following this recommendation is especially important on complex SAS configurations involving multiple SAS expanders.

6.11. Kernel

kernel component
Sun Fire X4500 data server enumerates the e1000 card with Peripheral Component Interconnect Extended (PCI-X) and enables 64-bit direct memory access (DMA), however, 64-bit DMA is not fully supported on this hardware. If possible, disable 64-bit DMA in BIOS.
grubby component
Use of multiboot images makes discerning different image types problematic during kernel updates. As a consequence, using the tboot package and multiple types of kernels at the same time does not work properly. If, for example, tboot is in use and the kernel-debug package is installed, bootloader configuration can sometimes reflect an incorrect image list. To avoid this, do not use the kernel-debug on a system utilizing tboot, or vice versa. If such a situation is unavoidable, manually verify that the bootloader configuration is reasonable after each update before rebooting.
kexec-tools component
When the debug kernel is installed and also used as the Red Hat Enterprise Linux kdump kernel, the reserved kdump memory must be increased to a minimum of 256 MB. To assure this setting, start the system-config-kdump tool, modify the kdump memory, and reboot your Linux instance. Alternatively, you can configure a particular kernel that is always used as the kdump kernel, independently of the running kernel. For more information, consult the Red Hat Enterprise Linux 6 Deployment Guide.
kernel component
Red Hat Enterprise Linux 6.4 changed the maximum read/write socket memory default value to be higher, allowing for better performance on some machines. It was observed that if the values of ?mem_max are not symmetrical between two machines, the performance can be negatively affected. To work around this problem, adjust the value of ?mem_max to be equal across all Red Hat Enterprise Linux systems in the network.
kabi-whitelists component
The vxfs module might not work properly on Red Hat Enterprise Linux 6.4 and later because of the broken radix_tree_gang_lookup_slot symbol. Consult Symantec should you require a workaround for this issue.
kernel component
Enabling TCP Segmentation Offload (TSO) on TAP interface may cause low throughput when the uplink is a high-speed interface. To improve throughput, turn off TSO on the tap interface of the virtual machine.
kernel component
When using Chelsio's iSCSI HBAs for an iSCSI root partition, the first boot after install fails. This occurs because Chelsio's iSCSI HBA is not properly detected. To work around this issue, users must add the iscsi_firmware parameter to grub's kernel command line. This will signal to dracut to boot from the iSCSI HBA.
kernel component
The installation of Red Hat Enterprise Linux 6.3 i386 and later may occasionally fail. To work around this issue, add the following parameter to the kernel command line:
vmalloc=256MB
kernel component
If a device reports an error while it is open (via the open(2) system call) and is then closed (via the close(2) system call), the /dev/disk/by-id link for the device may be removed. When the problem on the device that caused the error is resolved, the by-id link is not re-created. To work around this issue, run the following command:
~]# echo 'change' > /sys/class/block/sdX/uevent
kernel component
When an HBA that uses the mpt2sas driver is connected to a storage using an SAS switch LSI SAS 6160, the driver may become unresponsive during Controller Fail Drive Fail (CFDF) testing. This is due to faulty firmware that is present on the switch. To fix this issue, use a newer version (14.00.00.00 or later) of firmware for the LSI SAS 6160 switch.
kernel component, BZ#745713
In some cases, Red Hat Enterprise Linux 6 guests running fully-virtualized under Red Hat Enterprise Linux 5 experience a time drift or fail to boot. In other cases, drifting may start after migration of the virtual machine to a host with different speed. This is due to limitations in the Red Hat Enterprise Linux 5 Xen hypervisor. To work around this, add the nohpet parameter or, alternatively, the clocksource=jiffies parameter to the kernel command line of the guest. Or, if running under Red Hat Enterprise Linux 5.7 or newer, locate the guest configuration file for the guest and add the hpet=0 parameter in it.
kernel component
On some systems, Xen full-virt guests may print the following message when booting:
WARNING: BIOS bug: CPU MTRRs don't cover all of memory, losing <number>MB of RAM
It is possible to avoid the memory trimming by using the disable_mtrr_trim kernel command line option.
kernel component
The perf record command becomes unresponsive when specifying a tracepoint event and a hardware event at the same time.
kernel component
On 64-bit PowerPC, the following command may cause kernel panic:
~]# ./perf record -agT -e sched:sched_switch -F 100 -- sleep 3
kernel component
Applications are increasingly using more than 1024 file descriptors. It is not recommended to increase the default soft limit of file descriptors because it may break applications that use the select() call. However, it is safe to increase the default hard limit; that way, applications requiring a large amount of file descriptors can increase their soft limit without needing root privileges and without any user intervention.
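The following C program is an added example, not code from Red Hat. It shows an unprivileged process raising its own soft limit up to the hard limit, and the guard a select() user needs once descriptors can exceed FD_SETSIZE, because calling FD_SET() on such a descriptor is undefined behaviour and writes outside the fd_set. The function names and the 4096 target are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

/* Raise the RLIMIT_NOFILE soft limit to `wanted`, capped at the hard limit.
 * No privileges are needed because the soft limit never exceeds the hard one.
 * Stores the soft limit now in effect in *now; returns 0 on success. */
int raise_nofile_soft_limit(rlim_t wanted, rlim_t *now)
{
    struct rlimit rl;

    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    if (rl.rlim_cur < wanted) {          /* never lower an existing limit */
        rl.rlim_cur = (rl.rlim_max == RLIM_INFINITY || wanted < rl.rlim_max)
                          ? wanted : rl.rlim_max;
        if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
            return -1;
    }
    *now = rl.rlim_cur;
    return 0;
}

/* select() can only represent descriptors in the range 0..FD_SETSIZE-1. */
int fd_fits_select(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Wait until fd is readable, refusing descriptors select() cannot represent.
 * Returns 1 if readable, 0 on timeout, -1 on error or unrepresentable fd. */
int wait_readable(int fd, int timeout_ms)
{
    fd_set rfds;
    struct timeval tv;
    int n;

    if (!fd_fits_select(fd))
        return -1;                       /* FD_SET() here would corrupt memory */
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    n = select(fd + 1, &rfds, NULL, NULL, &tv);
    if (n < 0)
        return -1;
    return n > 0 && FD_ISSET(fd, &rfds);
}

/* Duplicate fd onto the lowest free descriptor >= FD_SETSIZE. This only
 * succeeds once the soft limit is above FD_SETSIZE. Returns the new fd or -1. */
int dup_above_fd_setsize(int fd)
{
    return fcntl(fd, F_DUPFD, FD_SETSIZE);
}

int main(void)
{
    rlim_t now = 0;
    int p[2];
    int hi;

    if (raise_nofile_soft_limit(4096, &now) != 0 || pipe(p) != 0) {
        perror("setup");
        return 1;
    }
    printf("soft RLIMIT_NOFILE is now %llu\n", (unsigned long long)now);

    printf("low fd %d: wait_readable=%d\n", p[0], wait_readable(p[0], 0));
    hi = dup_above_fd_setsize(p[0]);
    if (hi >= 0)
        printf("high fd %d: wait_readable=%d (rejected)\n",
               hi, wait_readable(hi, 0));
    return 0;
}
```

Code that must watch descriptors above FD_SETSIZE needs poll() or epoll instead of select().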
kernel component
In network-only use of Brocade Converged Network Adapters (CNAs), switches that are not properly configured to work with Brocade FCoE functionality can cause a continuous linkup/linkdown condition. This causes continuous messages on the host console:
bfa xxxx:xx:xx.x: Base port (WWN = xx:xx:xx:xx:xx:xx:xx:xx) lost fabric connectivity
To work around this issue, unload the Brocade bfa driver.
kernel component
In Red Hat Enterprise Linux 6, a legacy bug in the PowerEdge Expandable RAID Controller 5 (PERC5) causes the kdump kernel to fail to scan for SCSI devices. It is usually triggered when a large number of I/O operations are pending on the controller in the first kernel before performing a kdump.
kernel component, BZ#679262
In Red Hat Enterprise Linux 6.2 and later, due to security concerns, addresses in /proc/kallsyms and /proc/modules show all zeros when accessed by a non-root user.
kernel component
Superfluous information is displayed on the console due to a correctable machine check error occurring. This information can be safely ignored by the user. Machine check error reporting can be disabled by using the nomce kernel boot option, which disables machine check error reporting, or the mce=ignore_ce kernel boot option, which disables correctable machine check error reporting.
kernel component
The order in which PCI devices are scanned may change from one major Red Hat Enterprise Linux release to another. This may result in device names changing, for example, when upgrading from Red Hat Enterprise Linux 5 to 6. You must confirm that a device you refer to during installation is the intended device.
In some configurations, one way to ensure that device names are correct is to determine the mapping from the controller name to the controller's PCI address in the older release, and then compare it with the mapping in the newer release.
The following is an example from /var/log/messages:
kernel: cciss0: <0x3230> at PCI 0000:1f:00.0 IRQ 71 using DAC
…
kernel: cciss1: <0x3230> at PCI 0000:02:00.0 IRQ 75 using DAC
If the device name is incorrect, add the pci=bfsort parameter to the kernel command line, and check again.
kernel component
The minimum firmware version for NIC adapters managed by netxen_nic is 4.0.550. This includes the boot firmware which is flashed in option ROM on the adapter itself.
kernel component
High stress on 64-bit IBM POWER series machines prevents kdump from successfully capturing the vmcore. As a result, the second kernel is not loaded, and the system becomes unresponsive.
kernel component
Triggering kdump to capture a vmcore through the network using the Intel 82575EB ethernet device in a 32-bit environment causes the networking driver to not function properly in the kdump kernel, and prevents the vmcore from being captured.
kernel component
Memory Type Range Register (MTRR) setup on some hyperthreaded machines may be incorrect following a suspend/resume cycle. This can cause graphics performance (specifically, scrolling) to slow considerably after a suspend/resume cycle.
To work around this issue, disable and then re-enable the hyperthreaded sibling CPUs around suspend/resume, for example:
#!/bin/sh
# Disable hyper-threading processor cores on suspend and hibernate, re-enable
# on resume.
# This file goes into /etc/pm/sleep.d/

case $1 in
        hibernate|suspend)
                echo 0 > /sys/devices/system/cpu/cpu1/online
                echo 0 > /sys/devices/system/cpu/cpu3/online
                ;;

        thaw|resume)
                echo 1 > /sys/devices/system/cpu/cpu1/online
                echo 1 > /sys/devices/system/cpu/cpu3/online
                ;;
esac
kernel component
In Red Hat Enterprise Linux 6.2, nmi_watchdog registers with the perf subsystem. Consequently, during boot, the perf subsystem grabs control of the performance counter registers, blocking OProfile from working. To resolve this, either boot with the nmi_watchdog=0 kernel parameter set, or run the following command to disable it at run time:
echo 0 > /proc/sys/kernel/nmi_watchdog
To re-enable nmi_watchdog, use the following command:
echo 1 > /proc/sys/kernel/nmi_watchdog
kernel component, BZ#603911
Due to the way ftrace works when modifying the code during start-up, the NMI watchdog causes too much noise and ftrace cannot find a quiet period to instrument the code. Consequently, machines with more than 512 CPUs will encounter issues with the NMI watchdog. Such issues will return error messages similar to BUG: NMI Watchdog detected LOCKUP and have either ftrace_modify_code or ipi_handler in the backtrace. To work around this issue, disable NMI watchdog by setting the nmi_watchdog=0 kernel parameter, or using the following command at run time:
echo 0 > /proc/sys/kernel/nmi_watchdog
kernel component
On 64-bit POWER systems the EHEA NIC driver will fail when attempting to dump a vmcore via NFS. To work around this issue, utilize other kdump facilities, for example dumping to the local file system, or dumping over SSH.
kernel component, BZ#587909
A BIOS emulated floppy disk might cause the installation or kernel boot process to hang. To avoid this, disable emulated floppy disk support in the BIOS.
kernel component
The preferred method to enable nmi_watchdog on 32-bit x86 systems is to use either nmi_watchdog=2 or nmi_watchdog=lapic parameters. The parameter nmi_watchdog=1 is not supported.
kernel component
The kernel parameter, pci=noioapicquirk, is required when installing the 32-bit variant of Red Hat Enterprise Linux 6 on HP xw9300 workstations. Note that the parameter change is not required when installing the 64-bit variant.

6.12. Desktop

gnome-panel component, BZ#1017631
The gnome-panel utility can sometimes terminate unexpectedly on 64-bit PowerPC architecture using the XDMCP protocol.
xorg-x11-drv-intel component, BZ#889574
The Red Hat Enterprise Linux 6 graphics stack does not support NVIDIA Optimus hardware configurations. On laptops with both Intel and NVIDIA GPUs, some or all external video ports may not function correctly when using the Intel GPU. If external video ports are needed, configure the BIOS to use the NVIDIA GPU instead of the Intel GPU if possible.
xorg-x11-drv-synaptics component, BZ#873721
Two-finger scrolling is default for devices that announce two-finger capability. However, on certain machines, although the touchpad announces two-finger capability, events generated by the device only contain a single finger position at a time and two-finger scrolling therefore does not work. To work around this problem, use edge scrolling instead.
firefox component
In certain environments, storing personal Firefox configuration files (~/.mozilla/) on an NFS share, such as when your home directory is on a NFS share, led to Firefox functioning incorrectly, for example, navigation buttons not working as expected, and bookmarks not saving. This update adds a new configuration option, storage.nfs_filesystem, that can be used to resolve this issue. If you experience this issue:
  1. Start Firefox.
  2. Type about:config into the URL bar and press the Enter key.
  3. If prompted with "This might void your warranty!", click the I'll be careful, I promise! button.
  4. Right-click in the Preference Name list. In the menu that opens, select New → Boolean.
  5. Type "storage.nfs_filesystem" (without quotes) for the preference name and then click the OK button.
  6. Select true for the boolean value and then press the OK button.
wacomcpl component, BZ#769466
The wacomcpl package has been deprecated and has been removed from the package set. The wacomcpl package provided graphical configuration of Wacom tablet settings. This functionality is now integrated into the GNOME Control Center.
acroread component
Running an AMD64 system without the sssd-client.i686 package installed, which uses SSSD for getting information about users, causes acroread to fail to start. To work around this issue, manually install the sssd-client.i686 package.
kernel component, BZ#681257
With newer kernels, such as the kernel shipped in Red Hat Enterprise Linux 6.1, Nouveau has corrected the Transition Minimized Differential Signaling (TMDS) bandwidth limits for pre-G80 NVIDIA chipsets. Consequently, the resolution auto-detected by X for some monitors may differ from that used in Red Hat Enterprise Linux 6.0.
fprintd component
When enabled, fingerprint authentication is the default authentication method to unlock a workstation, even if the fingerprint reader device is not accessible. However, after a 30 second wait, password authentication will become available.
evolution component
Evolution's IMAP backend only refreshes folder contents under the following circumstances: when the user switches into or out of a folder, when the auto-refresh period expires, or when the user manually refreshes a folder (that is, using the menu item Folder → Refresh). Consequently, when replying to a message in the Sent folder, the new message does not immediately appear in the Sent folder. To see the message, force a refresh using one of the methods described above.
anaconda component
The clock applet in the GNOME panel has a default location of Boston, USA. Additional locations are added via the applet's preferences dialog. Additionally, to change the default location, left-click the applet, hover over the desired location in the Locations section, and click the Set... button that appears.
xorg-x11-server component, BZ#623169
In some multi-monitor configurations (for example, dual monitors with both rotated), the cursor confinement code produces incorrect results. For example, the cursor may be permitted to disappear off the screen when it should not, or be prevented from entering some areas where it should be allowed to go. Currently, the only workaround for this issue is to disable monitor rotation.

6.13. Tools

ssh-keygen component
The following example in the description of the -V option in the ssh-keygen(1) manual page is incorrect:
“-4w:+4w” (valid from four weeks ago to four weeks from now)
If you set a date range in this format, the certificate is valid from four weeks ago until now.
perl-WWW-curl component
Attempting to access the CURLINFO_PRIVATE value can cause curl to terminate unexpectedly with a segmentation fault.
freerdp component, BZ#988277
The ALSA plug-in is not supported in Red Hat Enterprise Linux 6. Instead of the ALSA plug-in, use the pulseaudio plug-in. To enable it, use the --plugin rdpsnd option with the xfreerdp command without specifying which plug-in should be used; the pulseaudio plug-in will be used automatically in this case.
coolkey component, BZ#906537
Personal Identity Verification (PIV) Endpoint Cards which support both CAC and PIV interfaces might not work with the latest coolkey update; some signature operations like PKINIT can fail. To work around this problem, downgrade coolkey to the version shipped with Red Hat Enterprise Linux 6.3.
libreport component
Even if the stored credentials are used, the report-gtk utility can report the following error message:
Wrong settings detected for Red Hat Customer Support [..]
To work around this problem, close the dialog window; the Login=<rhn-user> and Password=<rhn-password> credentials in the /etc/libreport/plugins/rhtsupport.conf will be used in the same way they are used by report-rhtsupport.
For more information, refer to this Knowledge Base article.
vlock component
When a user password is used to lock a console with vlock, the console can only be unlocked with the user password, not the root password. That is, even if the first inserted password is incorrect, and the user is prompted to provide the root password, entering the root password fails with an error message.
libreoffice component
LibreOffice contains a number of harmless files used for testing purposes. However, on Microsoft Windows systems, these files can trigger false positive alerts in various anti-virus software, such as Microsoft Security Essentials. For example, the alerts can be triggered when scanning the Red Hat Enterprise Linux 6 ISO file.
gnome-power-manager component
When the computer runs on battery, custom brightness level is not remembered and restored if power saving features like "dim display when idle" or "reduce backlight brightness when idle" are enabled.
rsyslog component
rsyslog does not reload its configuration after a SIGHUP signal is issued. To reload the configuration, the rsyslog daemon needs to be restarted:
~]# service rsyslog restart

6.14. Documentation

release-notes component
The Release Notes document included in Red Hat Enterprise Linux 6.5 and available on the Customer Portal incorrectly lists information about the FSTEK certification in all languages. Please consult the online English version of the Release Notes, which is the latest and most up-to-date version.
release-notes component
The Bengali (bn-IN) and Simplified Chinese (zh-CN) translations of the Release Notes included in Red Hat Enterprise Linux 6.5 and on the Customer Portal contain several untranslated strings.

Chapter 7. New Packages

New freerdp packages are now available for Red Hat Enterprise Linux 6.
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. The xfreerdp client can connect to RDP servers such as Microsoft Windows machines, xrdp and VirtualBox.
This enhancement update adds the freerdp packages to Red Hat Enterprise Linux 6. (BZ#951696)
All users who require freerdp are advised to install these new packages.
New gcc-libraries packages are now available for Red Hat Enterprise Linux 6.
The new gcc-libraries packages contain various GCC runtime libraries, such as libatomic and libitm. In Red Hat Enterprise Linux 5.9, libitm was a separate package that included the libitm library. The libitm package is now deprecated and replaced by the gcc-libraries packages.
This enhancement update adds the gcc-libraries packages to Red Hat Enterprise Linux 6. (BZ#906241)
All users who require gcc-libraries are advised to install these new packages.
New openhpi32 packages are now available for Red Hat Enterprise Linux 6.
OpenHPI provides an open source implementation of the Service Availability Forum (SAF) Hardware Platform Interface (HPI). HPI is an abstracted interface for managing computer hardware, typically chassis- and rack-based servers. HPI includes resource modeling; access to and control over sensor, control, watchdog, and inventory data associated with resources; abstracted System Event Log interfaces; hardware events and alarms; and a managed hot swap interface. This is version 3.2 of the OpenHPI project.
This enhancement update adds the openhpi32 packages to Red Hat Enterprise Linux 6. (BZ#927897)
All users who require openhpi32 are advised to install these new packages.
New p11-kit packages are now available for Red Hat Enterprise Linux 6.
The p11-kit package provides a mechanism to manage PKCS#11 modules. The p11-kit-trust subpackage includes a PKCS#11 trust module that provides certificate anchors and black lists based on configuration files.
This enhancement update adds the p11-kit packages to Red Hat Enterprise Linux 6. (BZ#915798)
* Red Hat Enterprise Linux 6.5 provides the p11-kit package to implement the Shared System Certificates feature. If enabled by the administrator, it ensures a system-wide trust store of static data that is used by crypto toolkits as input for certificate trust decisions. (BZ#977886)
These new packages had several bugs fixed during testing:
* Support for using the freebl3 library for the SHA1 and MD5 cryptographic hash functions has been added even though the hashing is done in a strictly non-cryptographic context. (BZ#983384)
* All file handles opened by p11-kit are created with the O_CLOEXEC flag, so that they are automatically closed on the execve() function and do not leak to subprocesses. (BZ#984986)
* When expanding the "$HOME" variable or the "~/" path for SUID and SGID programs, the expand_home() function returns NULL. This change allows for avoiding vulnerabilities that could occur if SUID or SGID programs accidentally trusted this environment. Also, documentation concerning the fact that user directories are not read for SUID/SGID programs has been added. (BZ#985014)
* Users need to use the standard environment $TMPDIR variable for locating the temp directory. (BZ#985017)
* If a critical module fails to initialize, module initialization stops and the user is informed about the failure. (BZ#985023)
* The p11_kit_space_strlen() function returns a "0" value for empty strings. (BZ#985416)
* Arguments of the size_t variable are correctly passed to the "p11_hash_xxx" functions. (BZ#985421)
* Changes in the code ensure that the memdup() function is not called with a zero length or NULL pointers. (BZ#985433)
All users who require the Shared System Certificates feature are advised to install these new packages.
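Two of the p11-kit fixes listed above (BZ#984986 and BZ#985014) follow hardening patterns that apply to any library loaded into privileged programs. The following C sketch is an added example and is not p11-kit's code. The names example_expand_home(), running_privileged(), open_cloexec() and fd_is_cloexec() are hypothetical, and /dev/null stands in for a configuration file.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* True when real and effective IDs differ, that is, when the process was
 * started from a SUID or SGID binary and its environment is untrusted. */
int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Expand a leading "~/" or "$HOME/" in path using `home`.
 * Returns a malloc()ed string, or NULL when the expansion is refused:
 * in a privileged process, or when HOME is unset or not absolute.
 * `home` and `privileged` are parameters so the policy can be tested. */
char *example_expand_home(const char *path, const char *home, int privileged)
{
    const char *rest;
    size_t len;
    char *out;

    if (strncmp(path, "~/", 2) == 0)
        rest = path + 1;                 /* keep the leading '/' */
    else if (strncmp(path, "$HOME/", 6) == 0)
        rest = path + 5;
    else
        return strdup(path);             /* nothing to expand */

    if (privileged)
        return NULL;                     /* never trust HOME when SUID/SGID */
    if (home == NULL || home[0] != '/')
        return NULL;

    len = strlen(home) + strlen(rest) + 1;
    out = malloc(len);
    if (out != NULL)
        snprintf(out, len, "%s%s", home, rest);
    return out;
}

/* Open read-only with close-on-exec set atomically at open time, so the
 * descriptor cannot leak into a child between open() and a later fcntl(). */
int open_cloexec(const char *path)
{
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Report whether fd will be closed automatically on execve(). */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);

    return flags >= 0 && (flags & FD_CLOEXEC) != 0;
}

int main(void)
{
    /* Constructed sample path; HOME comes from the caller's environment. */
    char *conf = example_expand_home("~/.pkcs11.conf", getenv("HOME"),
                                     running_privileged());
    int hardened = open_cloexec("/dev/null");
    int leaky = open("/dev/null", O_RDONLY);

    printf("expanded path: %s\n", conf ? conf : "(refused)");
    printf("O_CLOEXEC open: closed on exec = %d\n", fd_is_cloexec(hardened));
    printf("plain open:     closed on exec = %d\n", fd_is_cloexec(leaky));

    free(conf);
    if (hardened >= 0)
        close(hardened);
    if (leaky >= 0)
        close(leaky);
    return 0;
}
```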
A new ps_mem package is now available for Red Hat Enterprise Linux 6.
The ps_mem package provides a memory usage script written in Python that calculates how much RAM is used per program. The script automatically selects the most accurate method, which is available for a particular running kernel.
This enhancement update adds the ps_mem package to Red Hat Enterprise Linux 6. (BZ#962850)
All users who require ps_mem are advised to install this new package.
New redhat-support-lib-python and redhat-support-tool packages are now available for Red Hat Enterprise Linux 6.
The redhat-support-lib-python package provides a Python library that developers can use to easily write software solutions that leverage Red Hat Access subscription services.
The redhat-support-tool utility facilitates console-based access to Red Hat's subscriber services and gives Red Hat subscribers more venues for accessing the content and services available to them as Red Hat customers. Further, it enables our customers to integrate and automate their helpdesk services with our subscription services. The capabilities of this package include:
* Red Hat Access Knowledge Base article and solution viewing from the console (formatted as man pages).
* Viewing, creating, modifying, and commenting on customer support cases from the console.
* Attachment uploading directly to a customer support case or to ftp://dropbox.redhat.com/ from the console.
* Full proxy support (that is, FTP and HTTP proxies).
* Easy listing and downloading of attachments in customer support cases from the console.
* Red Hat Access Knowledge Base searching on query terms, log messages, and other parameters, and viewing search results in a selectable list.
* Easy uploading of log files, text files, and other sources to the Red Hat Access automatic problem determination engine for diagnosis.
* Various other support-related commands.
Detailed usage information for the tool can be found in the Red Hat Customer Portal at https://access.redhat.com/site/articles/445443
This enhancement update adds the redhat-support-lib-python and redhat-support-tool packages to Red Hat Enterprise Linux 6. (BZ#987159, BZ#869395, BZ#880776, BZ#987171, BZ#987169, BZ#987163)
All users who require redhat-support-lib-python and redhat-support-tool are advised to install these new packages.
A new sapconf package is now available for Red Hat Enterprise Linux 6.
The sapconf package contains a script that checks the basic installation of Red Hat Enterprise Linux and modifies it according to SAP requirements. The script ensures that all necessary packages are installed and that configuration parameters are set correctly to run SAP software.
This enhancement update adds the sapconf package to Red Hat Enterprise Linux 6. This package is available through the "Red Hat Enterprise Linux for SAP Business Applications" channel. (BZ#910838)
All users running SAP software on Red Hat Enterprise Linux 6 are advised to install this new package.
New snappy packages are now available for Red Hat Enterprise Linux 6.
Snappy is a compression and decompression library that aims for very high speeds and reasonable compression.
This enhancement update adds the snappy packages to Red Hat Enterprise Linux 6. (BZ#903090)
All users who require snappy are advised to install these new packages.
New xorg-x11-glamor packages are now available for Red Hat Enterprise Linux 6.
The glamor module is an open-source 2D graphics common driver for the X Window System as implemented by X.org. It supports a variety of graphics chip sets which have OpenGL, EGL or GBM support.
This enhancement update adds the xorg-x11-glamor packages to Red Hat Enterprise Linux 6. The glamor library is provided to support new AMD GPU hardware and can be used by the DDX driver to implement acceleration using the OpenGL driver. Some new hardware, such as AMD HD7xxx Series, needs glamor for acceleration. (BZ#962832)
All users who require xorg-x11-glamor are advised to install these new packages.

Chapter 8. Updated Packages

8.1. abrt
8.2. anaconda
8.3. arptables_jf
8.4. augeas
8.5. autofs
8.6. batik
8.7. bfa-firmware
8.8. bind-dyndb-ldap
8.9. biosdevname
8.10. boost
8.11. busybox
8.12. ca-certificates
8.13. cifs-utils
8.14. cjkuni-fonts
8.15. cluster and gfs2-utils
8.16. clustermon
8.17. compat-openmpi
8.18. conman
8.19. coolkey
8.20. coreutils
8.21. corosync
8.22. cpupowerutils
8.23. crash
8.24. crash-gcore-command
8.25. createrepo
8.26. cronie
8.27. cvs
8.28. device-mapper-multipath
8.29. device-mapper-persistent-data
8.30. dhcp
8.31. dovecot
8.32. dracut
8.33. e2fsprogs
8.34. efibootmgr
8.35. emacs
8.36. environment-modules
8.37. esc
8.38. evolution
8.39. fcoe-target-utils
8.40. fcoe-utils
8.41. febootstrap
8.42. fence-agents
8.43. fence-virt
8.44. firstboot
8.45. foomatic
8.46. fprintd
8.47. freeipmi
8.48. ftp
8.49. gcc
8.50. gdm
8.51. gegl
8.52. ghostscript
8.53. glib2
8.54. glibc
8.55. glusterfs
8.56. gnome-screensaver
8.57. gpxe
8.58. grep
8.59. grub
8.60. grubby
8.61. gtk2
8.62. haproxy
8.63. hdparm
8.64. hsqldb
8.65. hwdata
8.66. hypervkvpd
8.67. ibus-hangul
8.68. icedtea-web
8.69. initscripts
8.70. iotop
8.71. ipa
8.72. ipmitool
8.73. iproute
8.74. iptables
8.75. ipvsadm
8.76. irqbalance
8.77. iscsi-initiator-utils
8.78. iw
8.79. java-1.6.0-openjdk
8.80. java-1.7.0-openjdk
8.81. kde-settings
8.82. kernel
8.83. kexec-tools
8.84. ksh
8.85. ledmon
8.86. libXcursor
8.87. libcgroup
8.88. libdrm
8.89. libguestfs
8.90. libibverbs-rocee
8.91. libksba
8.92. libnl
8.93. libpcap
8.94. libqb
8.95. libreoffice
8.96. librtas
8.97. libtevent
8.98. libvirt
8.99. libvirt-cim
8.100. libvirt-snmp
8.101. libwacom
8.102. libxml2
8.103. linuxptp
8.104. lksctp-tools
8.105. logrotate
8.106. logwatch
8.107. luci
8.108. lvm2
8.109. mailx
8.110. man-pages-fr
8.111. man-pages-ja
8.112. man-pages-overrides
8.113. mcelog
8.114. mdadm
8.115. mesa
8.116. microcode_ctl
8.117. mobile-broadband-provider-info
8.118. mod_auth_kerb
8.119. ModemManager
8.120. mysql
8.121. net-snmp
8.122. netcf
8.123. NetworkManager
8.124. nfs-utils
8.125. nmap
8.126. nss and nspr
8.127. ntp
8.128. numactl
8.129. numad
8.130. opencryptoki
8.131. opencv
8.132. openhpi
8.133. openscap
8.134. openssh
8.135. openssl
8.136. openswan
8.137. pacemaker
8.138. pam
8.139. papi
8.140. parted
8.141. pcs
8.142. perl
8.143. perl-CGI-Session
8.144. perl-Config-General
8.145. perl-DateTime
8.146. perl-Makefile-Parser
8.147. perl-Net-DNS
8.148. perl-Socket6
8.149. perl-Test-Memory-Cycle
8.150. perl-Test-MockObject
8.151. perl-XML-Dumper
8.152. php
8.153. piranha
8.154. 389-ds-base
8.155. pki-core
8.156. policycoreutils
8.157. powertop
8.158. pykickstart
8.159. pyparted
8.160. python
8.161. python-beaker
8.162. python-ethtool
8.163. python-urlgrabber
8.164. python-urwid
8.165. python-virtinst
8.166. python-weberror
8.167. qemu-kvm
8.168. ql2400-firmware
8.169. ql2500-firmware
8.170. quota
8.171. rdesktop
8.172. RDMA stack
8.173. readahead
8.174. redhat-indexhtml
8.175. redhat-release
8.176. Red Hat Enterprise Linux 6.5 Release Notes
8.177. resource-agents
8.178. rgmanager
8.179. rhel-guest-image
8.180. rhn-client-tools
8.181. rhnlib
8.182. ricci
8.183. rp-pppoe
8.184. rpm
8.185. rpmlint
8.186. rsyslog
8.187. rubygems
8.188. s390utils
8.189. samba
8.190. samba4
8.191. sanlock
8.192. sblim-cmpi-fsvol
8.193. sblim-sfcc
8.194. sblim-wbemcli
8.195. scl-utils
8.196. scsi-target-utils
8.197. seabios
8.198. selinux-policy
8.199. setuptool
8.200. sg3_utils
8.201. slapi-nis
8.202. sos
8.203. spice-gtk
8.204. spice-protocol
8.205. spice-server
8.206. spice-vdagent
8.207. spice-xpi
8.208. sssd
8.209. subscription-manager
8.210. sudo
8.211. suitesparse
8.212. sysstat
8.213. system-config-date
8.214. system-config-keyboard
8.215. system-config-lvm
8.216. system-config-users-docs
8.217. systemtap
8.218. sysvinit
8.219. talk
8.220. tboot
8.221. tomcat6
8.222. tuned
8.223. udev
8.224. util-linux-ng
8.225. vhostmd
8.226. virt-manager
8.227. virt-p2v
8.228. virt-v2v
8.229. virt-viewer
8.230. virt-who
8.231. virtio-win
8.232. watchdog
8.233. webkitgtk
8.234. wireshark
8.235. xfsprogs
8.236. xmlrpc-c
8.237. xorg-x11-drv-ati
8.238. xorg-x11-drv-intel
8.239. xorg-x11-drv-mga
8.240. xorg-x11-drv-nouveau
8.241. xorg-x11-drv-qxl
8.242. xorg-x11-drv-synaptics
8.243. xorg-x11-drv-wacom
8.244. xorg-x11-server
8.245. xorg-x11-xinit
8.246. yaboot
8.247. yum-rhn-plugin
8.248. zsh

8.1. abrt

Updated abrt, libreport, and btparser packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
ABRT is a tool to help users to detect defects in applications and to create a problem report with all the information needed by a maintainer to fix it. ABRT uses a plug-in system to extend its functionality.
The libreport libraries provide an API for reporting different problems in applications to different bug targets like Bugzilla, ftp, and trac.
The btparser utility is a backtrace parser and analyzer library, which works with backtraces produced by the GNU Project Debugger. It can parse a text file with a backtrace into a tree of C structures, which makes it possible to analyze and process the threads and frames of the backtrace.

Bug Fixes

BZ#854668
If the /etc/abrt/abrt.conf file was modified so that the "DumpLocation" and "WatchCrashdumpArchiveDir" variables referred to the same directory, the ABRT utility tried to process the files in that directory as both archives and new problem directories, which led to unpredictable results. With this update, ABRT refuses to start if such misconfiguration is detected.
BZ#896090
While creating a case, the reporter-rhtsupport utility sent an operating system (OS) version value which the RHT customer center server did not accept. Consequently, a new case failed to be created and an error message was returned. With this update, suffixes such as "Beta" in the OS version value are not stripped, RHT customer center server accepts the version value, and a case is created.
BZ#952773
Prior to this update, the abrt-watch-log and abrt-dump-oops utilities were creating too many new problem directories when a kernel error occurred periodically. As a consequence, the user was flooded with problem reports and the /var partition could overflow. To fix this bug, abrt-dump-oops has been changed to ignore all additional problems for a few minutes after it sees 5 or more of them. As a result, the user is not flooded with problem reports.

Enhancements

BZ#952704
The Red Hat Support tool required an API for querying crashes caught by ABRT. With this update, a Python API for ABRT has been provided, and it is now possible to use it to query bugs caught by ABRT.
BZ#961231
There is a high probability that users who do not use the graphical environment (headless systems) will miss the problems detected by the ABRT utility. When the user installs the abrt-console-notification packages, they now see a warning message in the console regarding new problems detected since the last login.
All users of abrt, libreport and btparser are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.2. anaconda

Updated anaconda packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

Bug Fixes

BZ#818233
Previously, anaconda did not recognize a DVD ISO image written to a USB drive as a source repository for installation because this device does not have partitions. Consequently, the ISO acted like a boot.iso and it was not possible to install packages included in it. With this update, anaconda has been modified to include devices with ISO 9660 formatting, and to configure any device as a source repository if this device contains the /repodata/repomd.xml file. As a result, anaconda now recognizes ISO on USB as expected.
BZ#845572
Prior to this update, the anaconda loader command created the /etc/sysconfig/network file by renaming a new temporary file, which did not trigger the NetworkManager's inotify mechanism. Consequently, a hostname set by the network --hostname kickstart option could be overridden by NetworkManager with a hostname obtained through DHCP or DNS. With this update, loader has been modified to write new values directly into /etc/sysconfig/network. As a result, NetworkManager now accepts the hostname value specified in this file.
BZ#846336
Previously, anaconda did not attempt to use another loop device if the first selected one was already in use. Consequently, HDD ISO installation failed if loop devices were used in the kickstart %pre section. With this update, anaconda has been modified to use another loop device if the first one is already in use. As a result, HDD ISO installation works as expected.
BZ#847600
With this update, the list-harddrives command has been modified not to list the /dev/srX devices in its output.
BZ#851284
With this update, several typographical errors have been corrected in the About LVM dialog.
BZ#852523
When a different set of disks was used for the clearpart --drives and part --ondisk commands, a backtrace was returned. Consequently, installation did not finish successfully. With this update, only one set of disks is used with these commands. Users must specify multiple disks with a single clearpart command; otherwise, only the last clearpart --drives argument is used.
BZ#859420
Prior to this update, when partitioning was incorrectly specified, the No free space error message was incorrectly shown instead of the appropriate No free slots dialog. With this update, the correct error message is displayed in case of incorrectly specified partitioning.
BZ#859569
Previously, anaconda in rescue mode unmounted the source ISO before searching for the .discinfo file. Consequently, the stage2 parameter was loaded twice, increasing the boot time. With this update, anaconda has been modified to skip the check for .discinfo in rescue mode. As a result, stage2 is only loaded once, as expected.
BZ#873281
Previously, when re-installing the system with already configured LVM raid1 volumes, anaconda terminated unexpectedly. This bug has been fixed, and anaconda no longer crashes in the aforementioned scenario.
BZ#875644
When a kickstart upgrade was performed on IBM System z architectures, anaconda shut down the system instead of rebooting even though the reboot command was present in the kickstart configuration. Consequently, a manual reboot was required. This update adds support for kickstart upgrades on System z, thus fixing this bug.
BZ#877852
Previously, when installing Red Hat Enterprise Linux 6 on a system with multiple disks and one or more of these disks contained the PPC PReP Boot partition, anaconda created an empty PPC PReP Boot partition on the selected installation disk, but stored necessary boot files in the already existing PPC PReP Boot. Consequently, the system failed to boot after the installation. With this update, anaconda has been modified to use the correct PPC PReP Boot for boot files, thus fixing this bug.
BZ#878907
The algorithm for calculating the swap size did not take into account the amount of space used for the installation. Consequently, even on small disks, the installer created a large swap space, often leaving an insufficient amount of space for the rest of the system. This algorithm has been modified to register the amount of space used for the installation. As a result, smaller (10% of used disks' space) swap is created on machines with small disks, leaving more space for the rest of the system.
BZ#880577
Previously, anaconda did not create partitions larger than 16TB on XFS filesystems. This bug has been fixed, and the official limit of 100TB is now used as accepted.
BZ#881005
Prior to this update, the autopart command did not function correctly with already defined prepboot partitions. Consequently, when using a kickstart file that contained the part command defining a prepboot partition followed by autopart, anaconda terminated unexpectedly with a segmentation fault. With this update, autopart has been modified to work correctly in the aforementioned configuration. As a result, the installation continues as expected.
BZ#882452
Previously, when configuring network devices within the anaconda GUI, devices using the FCoE network technology were automatically set not to be controlled by the NetworkManager. Consequently, NetworkManager disabled these devices, causing previously connected FCoE SAN disks to disappear from the GUI. This bug has been fixed, and editing network device configuration in the GUI no longer disconnects previously set FCoE devices.
BZ#886020
Previously, anaconda did not return a warning message when using a raw partition for the / mount point without creating a new file system. With this update, anaconda has been modified to display a warning message in such a scenario.
BZ#888292
Under certain circumstances, when managing partitions with the anaconda GUI, an unexpected loss of window focus occurred. With this update, the parent window setting has been modified, thus fixing this bug.
BZ#893849
With this update, several typographic and translation errors have been corrected in the Japanese locale in anaconda.
BZ#894050
Previously, anaconda created the /etc/zipl.conf configuration file using a set of default kernel parameters regardless of whether a fresh install or upgrade was performed. Consequently, kernel parameters added to /etc/zipl.conf by users were lost when upgrading IBM System z systems with anaconda. This update adds support for boot loader upgrades for systems with System z architecture. As a result, kernel parameters added by users to /etc/zipl.conf are preserved in the aforementioned scenario.
BZ#895098
Prior to this update, when attempting to install conflicting packages with the anaconda GUI, a misleading warning message was displayed. With this update, this message has been modified to inform about the package conflict.
BZ#895982
Physical-extents size less than 32MB on top of an MD physical volume leads anaconda to problems with calculating the capacity of a volume group. To work around this problem, use a physical-extent size of at least 32MB or leave free space (with size equal to doubled size of the physical-extent) when allocating logical volumes.
BZ#901515
Before proceeding to the package installation phase, anaconda did not check if the core package group was available in selected repositories. If this group was not present, the installation terminated unexpectedly. With this update, anaconda has been modified to check for the presence of core. As a result, a warning message is displayed when core is not available, and installation no longer crashes.
BZ#903689
Previously, when configuring a VLAN network device, such as eth0.171, during the installation, the same configuration was incorrectly applied also for its parent device. Consequently, the VLAN parent device, such as eth0, was incorrectly configured during the installation. The bug has been fixed, and the VLAN device configuration is now applied correctly.
BZ#909463
Under certain circumstances, kernel command-line entries created by anaconda and passed to GRUB did not work correctly. Consequently, in multi-path configuration, the Boot File System (BFS) terminated unexpectedly when the last FCoE interface specified in kernel command was not on-line. With this update, the form of kernel command-line entries has been modified, and BFS no longer fails in the aforementioned scenario.
BZ#919409
Previously, the /etc/multipath/bindings file had an incorrect SELinux context after installation. This bug has been fixed, and /etc/multipath/bindings is now installed with the correct SELinux context.
BZ#921609
Prior to this update, the generated kickstart file did not contain correct network commands for VLAN interfaces. Consequently, these commands were not reusable during the installation. This bug has been fixed, and the generated kickstart now contains reusable network commands.
BZ#928144
By default, the AMD IOMMU driver is disabled in Red Hat Enterprise Linux 6 for stability reasons. However, when IOMMU is expected to be present for trusted boot, this driver is needed. With this update, anaconda has been modified to enable AMD IOMMU in the kernel boot parameters when the tboot package is installed. AMD IOMMU is enabled when trusted boot is in use and AMD IOMMU specifications are present and enabled in the BIOS. To revert these settings, users may remove the "amd_iommu=on" kernel parameter if stability issues are encountered.
BZ#947704
Previously, it was not possible to blacklist the usb-storage module during the installation of Red Hat Enterprise Linux 6. This bug has been fixed, and usb-storage can now be blacklisted without complications.
BZ#949409
Under certain rare circumstances, the dasd_eckd_mod driver was not loaded during linuxrc.s390 installation and anaconda became unresponsive. With this update, a patch has been applied to prevent this problem.
BZ#971961
Previously, bond network devices were activated only in the early stage of installation. Consequently, bond devices configured by network commands in the stage2 file were not activated. This behavior has been changed and bond devices can now be activated also in later stages of installation.
BZ#994504
Previously, anaconda loaded certain required packages multiple times during installation. Consequently, the dependency solving took a long time, growing with the number of disks and file systems. With this update, anaconda has been modified to use a more efficient way of selecting packages, thus reducing the time spent on dependency solving.
BZ#998486
With this update, anaconda no longer requires the fcoe-utils package for installation on the IBM System z architectures.
BZ#1003844
Prior to this update, anaconda limited swap size to 10% of disk space even if the --hibernation option was used in the kickstart file. With this update, anaconda has been modified to accept the --hibernation option, and swap size is no longer limited to 10% of disk space when this option is specified.
BZ#1004752
Due to an incorrect setting in the /etc/ssh/sshd_config.anaconda configuration file, the sshd daemon did not start during installation on IBM System z architectures in FIPS mode. Consequently, the installation was not successful. This bug has been fixed, and sshd now runs as expected during installation in FIPS mode.
BZ#1007641
Prior to this update, multipath devices were not listed during installation in VNC mode. This bug has been fixed, and these devices are now listed properly.
BZ#1007683
Devices directly formatted with a file system without any partitions are not supported in Red Hat Enterprise Linux 6. Previously, anaconda did not verify if devices meet this condition. Consequently, when attempting to create a new partition on such an unsupported device, anaconda terminated unexpectedly. With this update, anaconda has been modified to check if the device is unpartitioned and to abort partitioning in such a case, thus preventing the crash.
BZ#1007884
Previously, a bug in the zipl boot loader caused a runtime error in anaconda. Consequently, the IBM System z architectures with rootfs on iSCSI LUN failed to boot after an anaconda upgrade from Red Hat Enterprise Linux 6.4 to 6.5. This bug has been fixed, and the failed booting no longer occurs after system upgrade.
BZ#1008731
Due to outdated FCoE detection for Broadcom adapters in anaconda, the system was unable to boot the OS after FCoE BFS installation on HP systems. With this update, anaconda has been modified to correctly detect FCoE on Broadcom adapters, and the boot problems no longer occur in the aforementioned scenario.
BZ#1008941
Under certain circumstances, after an upgrade from Red Hat Enterprise Linux 6.4 to 6.5, the IBM System z system did not boot from the correct storage device. This bug has been fixed, and System z systems now boot from the correct device after upgrade.
BZ#1009691
Certain adapters, such as 10GBaseT Twin Pond, require a longer time to link up. This time often exceeded the timeout limit of the fipvlan tool used by the installer. Consequently, adding FCoE targets in the GUI failed by timing out. With this update, the timeout limit of fipvlan has been raised. As a result, an FCoE target is now added successfully regardless of adapter type. Nevertheless, to view the added device in the GUI, the user has to go two screens back to the language selection and then forward again.
BZ#1013176
Previously, the list of FCoE LUNs disappeared from the SAN Devices tab in anaconda after adding a second adapter during installation of the Specialized Storage BFS. This bug has been fixed, and the list is now displayed correctly during the installation.
BZ#1018703
Prior to this update, anaconda incorrectly extracted partition names for NVMe devices. Consequently, the boot loader installation failed on NVMe devices. This bug has been fixed, and NVMe devices are now installed successfully.

Enhancements

BZ#890095
This update adds more flexible support for disk references within the --driveorder option in the kickstart boot loader. It is now possible to specify disks that use the /dev/disk/by-*/ folders as arguments for --driveorder.
BZ#905227
This update adds the --ipv6gateway option to the kickstart network command, which allows specifying a default IPv6 gateway. Now, both IPv4 and IPv6 default gateways can be specified in the network kickstart command using --gateway or --ipv6gateway respectively.
BZ#915666
With this update, a partition size check has been added to anaconda to ensure that the boot partition on x86 architectures is always less than 2TB, which is required by the GRUB boot loader.
BZ#917815
With this update, anaconda has been modified to allow the DDNS method in the installer. If a hostname is specified in the kickstart configuration of a network device that uses the DHCP protocol, this hostname is passed to the dhclient utility.
Users of anaconda are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.3. arptables_jf

Updated arptables_jf packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The arptables_jf utility controls the arpfilter packet filtering code in the Linux kernel.

Bug Fixes

BZ#807315
Prior to this update, both the "mangle-hw-s" and "mangle-hw-d" options required the use of the "--arhln" option. However, even if the "--arhln" option was specified on the command line, the "arptables" command did not recognize it. As a consequence, it was not possible to use those two options successfully. These updated packages fix this bug and the "--arhln" option can now be used together with the mangle hardware options.
BZ#963209
When the "-x" command line option (exact values) was used along with the "-L" (List rules) option, the arptables utility did not list rules but issued an error message saying "-x" option is illegal with "-L". With this update, the arptables utility now uses the "-x" option when listing rules.
Users of arptables_jf are advised to upgrade to these updated packages, which fix these bugs.

8.4. augeas

Updated augeas packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give a detailed severity rating, are available for each vulnerability from the CVE links associated with each description below.
Augeas is a utility for editing configuration. Augeas parses configuration files in their native formats and transforms them into a tree. Configuration changes are made by manipulating this tree and saving it back into native configuration files. Augeas also uses "lenses" as basic building blocks for establishing the mapping from files into the Augeas tree and back.

Security Fix

CVE-2012-0786, CVE-2012-0787
Multiple flaws were found in the way Augeas handled configuration files when updating them. An application using Augeas to update configuration files in a directory that is writable by a different user (for example, an application running as root that is updating files in a directory owned by a non-root service user) could have been tricked into overwriting arbitrary files or leaking information via a symbolic link or mount point attack.
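The flaw class described above, shown as an added example (not Augeas code and not the upstream fix): a naive temp-file update follows a symbolic link planted at the temp name, while an update pinned to a directory descriptor with O_EXCL and O_NOFOLLOW refuses it. The `.new` suffix, the file names and the temporary directories are constructed for the illustration, and Linux is assumed.

```python
import os
import stat
import tempfile

TMP_SUFFIX = ".new"  # hypothetical temp-file suffix chosen for this example


def naive_update(path, data):
    """Vulnerable pattern: write a temp file next to the target, then rename."""
    tmp = path + TMP_SUFFIX
    with open(tmp, "wb") as fh:  # follows a symlink planted at the temp name
        fh.write(data)
    os.rename(tmp, path)


def safe_update(dirpath, name, data):
    """Replace dirpath/name without following a symlink at any step."""
    # Pin the directory by descriptor; O_NOFOLLOW rejects a symlink in its place.
    dfd = os.open(dirpath, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        try:
            st = os.stat(name, dir_fd=dfd, follow_symlinks=False)
        except FileNotFoundError:
            st = None
        if st is not None:
            if not stat.S_ISREG(st.st_mode):
                raise PermissionError(f"{name}: existing target is not a regular file")
            if st.st_dev != os.fstat(dfd).st_dev:
                raise PermissionError(f"{name}: target is on another filesystem")
        tmp = name + TMP_SUFFIX
        # O_CREAT|O_EXCL fails with EEXIST if anything, a symlink included,
        # already exists at the temp name, so nothing outside dirpath is opened.
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW,
                     0o600, dir_fd=dfd)
        try:
            with os.fdopen(fd, "wb") as fh:
                fh.write(data)
                fh.flush()
                os.fsync(fh.fileno())
            # rename() replaces the directory entry itself, never a link target.
            os.rename(tmp, name, src_dir_fd=dfd, dst_dir_fd=dfd)
        except BaseException:
            os.unlink(tmp, dir_fd=dfd)  # remove only the temp file we created
            raise
    finally:
        os.close(dfd)


def run_scenario(use_safe):
    """Constructed scenario: a symlink at the temp name points outside the directory.

    Returns (update_refused, contents_of_the_outside_file_afterwards).
    """
    with tempfile.TemporaryDirectory() as root:
        svc = os.path.join(root, "svc")        # stands in for the service-owned directory
        os.mkdir(svc)
        victim = os.path.join(root, "victim")  # file outside that directory
        conf = os.path.join(svc, "app.conf")
        with open(victim, "wb") as fh:
            fh.write(b"original\n")
        with open(conf, "wb") as fh:
            fh.write(b"key=old\n")
        os.symlink(victim, conf + TMP_SUFFIX)
        try:
            if use_safe:
                safe_update(svc, "app.conf", b"key=new\n")
            else:
                naive_update(conf, b"key=new\n")
            refused = False
        except FileExistsError:
            refused = True
        with open(victim, "rb") as fh:
            return refused, fh.read()


if __name__ == "__main__":
    print("naive:", run_scenario(use_safe=False))
    print("safe: ", run_scenario(use_safe=True))
```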

Upgrade to an Upstream Version

The augeas package has been upgraded to upstream version 1.0.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#817753)

Bug Fixes

BZ#799885
Previously, when single quotes were used in an XML attribute, Augeas was unable to parse the file with the XML lens. An upstream patch has been provided ensuring that single quotes are handled as valid characters and parsing no longer fails.
BZ#855022
Prior to this update, Augeas was unable to set up the "require_ssl_reuse" option in the vsftpd.conf file. The updated patch fixes the vsftpd lens to properly recognize this option, thus fixing this bug.
BZ#799879
Previously, the XML lens did not support non-Unix line endings. Consequently, Augeas was unable to load any files containing such line endings. The XML lens has been fixed to handle files with CRLF line endings, thus fixing this bug.
BZ#826752
Previously, Augeas was unable to parse modprobe.conf files with spaces around "=" characters in option directives. The modprobe lens has been updated and parsing no longer fails.
All Augeas users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.

8.5. autofs

Updated autofs packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
The autofs utility controls the operation of the automount daemon. The daemon automatically mounts file systems when in use and unmounts them when they are not busy.

Bug Fixes

BZ#859078
Under certain circumstances, the autofs utility did not respect all configured settings and used the UDP protocol to probe availability of network file systems. This can lead to some servers refusing the connection with the message:
Client x.x.x.x is violating the NFSv4 specification by sending a UDP/IP datagram to the NFSv4 server.
With this update, autofs has been modified to respect explicitly defined NFSv4 requests, thus fixing this bug.
BZ#886623
Due to changes made to the autofs utility, when probing server availability at mount time, mounts using the RDMA protocol are no longer recognized. With this update, autofs has been modified not to probe availability for mounts that use the RDMA protocol.
BZ#903944
Previously, the autofs utility ignored the --random-multimount-selection option. Consequently, this setting was not used when mounting local file systems even when it was given. This bug has been fixed and --random-multimount-selection now works as expected.
BZ#908020
Previously, when two nearly simultaneous mount requests appeared, NFS mounts mounted by the autofs utility sometimes terminated. This was caused by using invalid protoent structures to identify the protocol. With this update, autofs has been modified to use numeric protocol IDs, instead of protoent structures. As a result, attempts to mount NFS no longer fail in the described scenario.
BZ#971131
Prior to this update, the autofs master map parser did not recognize the SELinux context= option and returned a syntax error when the option was used. The master map parser has been updated to recognize the SELinux context= option, which can now be used without complications.
BZ#974884
Previously, the autofs utility did not recognize the allowed limit of maximum opened files after it was increased by the system administrator. Consequently, the default limit was used regardless of the new configuration. With this update, autofs has been modified to check for changes of this limit and to apply them correctly.
BZ#996749
Previously, the libldap library was not initialized in a thread-safe manner. Consequently, when running automount, the ber_memalloc_x() function could have terminated unexpectedly with a segmentation fault. With this update, the initialization of libldap has been modified to be thread-safe and ber_memalloc_x() no longer crashes in the aforementioned scenario. (BZ#996749)
BZ#979929
When the automount daemon was checking host availability and one of the network interfaces was marked "DOWN", automount terminated with a segmentation fault. With this update, a check for this case has been added and the segmentation fault no longer occurs.
BZ#994296
When the automount daemon received a shutdown signal, executing the autofs reload command caused automount to stop running when multiple maps were being removed from the auto.master map. A patch has been added to fix this bug and automount no longer terminates in the described case.
BZ#994297
A change that removed the code for adding the current map entry caused wildcard indirect multi-mount map entries to fail to mount. A patch to fix the wildcard multi-map regression has been added and map entries now mount successfully.
BZ#1002896
Due to an execution order race that occurred when creating an expire thread, the automount daemon became unresponsive. The code that handled the expire thread creation has been modified to prevent the aforementioned problem.
BZ#996749
Previously, no locking was performed around LDAP initialization calls. However, these functions are not thread-safe and race conditions could have occurred. With this update, the locking has been added and the risk of a race condition is now reduced.

Enhancements

BZ#982103
The description of the TIMEOUT configuration option has been enhanced in the autofs man page. The description now explains the internal default configuration more clearly.
BZ#852327
The autofs utility has been updated to provide the ability to dump its mount maps in a simple <key, value> format in addition to the existing informational format.
Users of autofs are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.6. batik

Updated batik packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The batik packages provide the Batik toolkit based on a Java technology. This toolkit is used by applications that need to use images in the Scalable Vector Graphics (SVG) format for various purposes, such as viewing, generation, or manipulation.

Bug Fixes

BZ#631677
This update removes the empty batik-debuginfo package.
BZ#867701, BZ#995471
Previously, an attempt to use the rasterizer utility to convert an SVG image to the JPEG format caused an error to be returned. This update applies a patch to fix this bug and rasterizer now converts SVG images to the JPEG format correctly.
BZ#883464
Previously, the manifest.mf file included the keyword "version" instead of "bundle-version". Consequently, the Eclipse platform did not work correctly with Batik utilities. This bug has been fixed and Eclipse now works as expected.
BZ#979527, BZ#995471
Due to a bug in the underlying source code, an attempt to use the ttf2svg font converter failed with an exception. This update applies a patch to fix this bug and ttf2svg now works correctly.
BZ#995471
Previously, the batik packages contained many bugs, among others classpath errors and errors connected with a missing module for handling the JPEG format. Consequently, Batik utilities, such as rasterizer, svgpp, and ttf2svg, failed with exceptions. With this update, the underlying source code has been modified to fix these bugs and the aforementioned utilities now work as expected.
Users of batik are advised to upgrade to these updated packages, which fix these bugs.

8.7. bfa-firmware

Updated bfa-firmware packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The bfa-firmware package contains the Brocade Fibre Channel Host Bus Adapter (HBA) Firmware to run Brocade Fibre Channel and CNA adapters. This package also supports the Brocade BNA network adapter.

Upgrade to an upstream version

The bfa-firmware packages have been upgraded to upstream version 3.2.21-1, which provides a number of bug fixes and enhancements over the previous version. (BZ#928990, BZ#1007100)
All users of bfa-firmware are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.8. bind-dyndb-ldap

Updated bind-dyndb-ldap packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The dynamic LDAP back-end is a plug-in for BIND that provides back-end capabilities to LDAP databases. It features support for dynamic updates and internal caching that helps to reduce the load on LDAP servers.

Bug Fixes

BZ#908780
Previously, the bind-dyndb-ldap plug-in did not handle DNS zones without the "idnsUpdatePolicy" attribute properly, which led to a harmless, but misleading error message:
zone serial ([zone serial]) unchanged. zone may fail to transfer to slaves.
This message was logged after each zone reload or potentially after each change in the affected DNS zone. The bind-dyndb-ldap plug-in has been fixed, so that it no longer prints any error message if the "idnsUpdatePolicy" attribute is not defined in the DNS zone.
BZ#921167
Previously, the bind-dyndb-ldap plug-in processed update policies with the "zonesub" match-type incorrectly, which led to the BIND daemon terminating unexpectedly during the processing of the update-policy parameter. The bind-dyndb-ldap plug-in has been fixed to process update-policy with the "zonesub" match-type correctly, and so it no longer crashes in this scenario.
BZ#923113
The bind-dyndb-ldap plug-in processed settings too early, which led to the BIND daemon terminating unexpectedly with an assertion failure during startup or reload. The bind-dyndb-ldap plug-in has been fixed to process its options later, and so no longer crashes during startup or reload.
BZ#1010396
Prior to this update, the bind-dyndb-ldap plug-in with the default configuration did not establish enough connections to LDAP server for the pointer record (PTR) synchronization feature and, consequently, the PTR record synchronization failed. With this update, the default number of connections has been raised to four, and the PTR record synchronization now works as expected.
Users of bind-dyndb-ldap are advised to upgrade to these updated packages, which fix these bugs.

8.9. biosdevname

Updated biosdevname packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The biosdevname packages contain a udev helper utility which provides an optional convention for naming network interfaces; it assigns names to network interfaces based on their physical location. The utility is disabled by default, except on a limited set of Dell PowerEdge, C Series and Precision Workstation systems.

Upgrade to an upstream version

The biosdevname packages have been upgraded to upstream version 0.5.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#947841)

Bug Fix

BZ#1000386
Previously, the addslot() function returned the same "dev->index_in_slot" value for two or more interfaces. As a consequence, more than one network interface could be named "renameN". This update restores the logic used to obtain a port number that existed in biosdevname version 0.3.11 and, as a result, all interfaces are named as expected.
Users of biosdevname are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.10. boost

Updated boost packages that fix one bug are now available.
The boost packages provide free peer-reviewed portable C++ source libraries with emphasis on libraries which work well with the C++ Standard Library.

Bug Fix

BZ#820670
The Boost package did not contain the Boost.Math shared libraries, which include an inverse of trigonometric functions over complex numbers and gamma, beta and erf special functions, as specified in the Technical Report on C++ Library Extensions. This update adds the boost-math sub-package, which includes the symbols corresponding to the mentioned functions.
Users of boost are advised to upgrade to these updated packages, which fix this bug.

8.11. busybox

Updated busybox packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link associated with the description below.
BusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries.

Security Fix

CVE-2013-1813
It was found that the mdev BusyBox utility could create certain directories within /dev with world-writable permissions. A local unprivileged user could use this flaw to manipulate portions of the /dev directory tree.
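A check for the condition described above, as an added example that is not BusyBox or Red Hat code: walk a device tree and report world-writable directories, separating sticky ones (for example a mode-1777 shared-memory directory) from non-sticky ones. The function names and the sample tree are constructed; on a real system the root to audit would be /dev.

```python
import os
import stat
import tempfile
from collections import namedtuple

Finding = namedtuple("Finding", "path mode sticky")


def audit_world_writable_dirs(root):
    """Return (findings, errors) for world-writable directories under root.

    Symlinks are not followed, so a link inside the tree cannot redirect
    the audit to another location.
    """
    errors = []
    findings = []
    for current, _dirs, _files in os.walk(root, onerror=errors.append):
        st = os.lstat(current)
        mode = stat.S_IMODE(st.st_mode)
        if stat.S_ISDIR(st.st_mode) and mode & stat.S_IWOTH:
            findings.append(Finding(os.path.relpath(current, root), mode,
                                    bool(mode & stat.S_ISVTX)))
    return sorted(findings), errors


def risky(findings):
    """World-writable without the sticky bit: any user can rename or delete entries."""
    return [f for f in findings if not f.sticky]


def build_sample_tree(root):
    """Constructed stand-in for a /dev tree; modes are set explicitly to bypass umask."""
    layout = [("bus", 0o755), ("bus/usb", 0o777), ("shm", 0o1777), ("pts", 0o755)]
    for rel, _mode in layout:
        os.mkdir(os.path.join(root, rel))
    for rel, mode in layout:
        os.chmod(os.path.join(root, rel), mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample:
        build_sample_tree(sample)
        found, errs = audit_world_writable_dirs(sample)
        for f in found:
            label = "sticky" if f.sticky else "NOT sticky"
            print(f"{f.path}\t{f.mode:04o}\t{label}")
```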

Bug Fixes

BZ#820097
Previously, due to a too eager string size optimization on the IBM System z architecture, the "wc" BusyBox command failed after processing standard input with the following error:
wc: : No such file or directory
This bug was fixed by disabling the string size optimization and the "wc" command works properly on IBM System z architectures.
BZ#859817
Prior to this update, the "mknod" command was unable to create device nodes with a major or minor number larger than 255. Consequently, the kdump utility failed to handle such a device. The underlying source code has been modified, and it is now possible to use the "mknod" command to create device nodes with a major or minor number larger than 255.
BZ#855832
If a network installation from an NFS server was selected, the "mount" command used the UDP protocol by default. If only TCP mounts were supported by the server, this led to a failure of the mount command. As a result, Anaconda could not continue with the installation. This bug is now fixed and NFS mount operations default to the TCP protocol.
All busybox users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

8.12. ca-certificates

Updated ca-certificates packages that add various enhancements are now available for Red Hat Enterprise Linux 6.
The ca-certificates package contains a set of CA certificates chosen by the Mozilla Foundation for use with the Internet Public Key Infrastructure (PKI).

Upgrade to an upstream version

The ca-certificates package has been upgraded to upstream version 1.94 as released with NSS version 3.15, which provides an updated set of recent Certificate Authorities according to the Mozilla CA Certificate Policy. Also, the update-ca-trust configuration management tool has been added. (BZ#973727, BZ#1002646)

Enhancement

BZ#544376
This update provides Shared System Certificate Authority storage, a system-wide trust storage for configuration data, required as an input for certificate trust decisions. This is a functionally compatible replacement for classic Certificate Authority configuration files and for the libnssckbi NSS trust module. This feature must be explicitly enabled by an administrator. Refer to the update-ca-trust man page in the ca-certificates package for a more detailed description of the feature.
Users of ca-certificates are advised to upgrade to these updated packages, which add these enhancements.

8.13. cifs-utils

Updated cifs-utils packages that fix one bug are available for Red Hat Enterprise Linux 6.
The SMB/CIFS protocol is a standard file sharing protocol widely deployed on Microsoft Windows machines. This package contains tools for mounting shares on Linux using the SMB/CIFS protocol. The tools in this package work in conjunction with support in the kernel to allow one to mount a SMB/CIFS share onto a client and use it as if it were a standard Linux file system.
Users of cifs-utils are advised to upgrade to these updated packages, which fix this bug.

8.14. cjkuni-fonts

Updated cjkuni-fonts packages that fix one bug are now available.
CJK Unifonts are Unicode TrueType fonts derived from original fonts made available by Arphic Technology under the Arphic Public License and extended by the CJK Unifonts project.

Bug Fix

BZ#651651
Previously, under some configurations, the KDE startup menu did not show any Chinese characters in Chinese locales (both zh-CN and zh-TW), while Japanese and Korean did not have this problem. With this update, the KDE startup menu now displays Chinese characters in Chinese locales.
Users of cjkuni-fonts are advised to upgrade to these updated packages, which fix this bug.

8.15. cluster and gfs2-utils

Updated cluster and gfs2-utils packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Cluster Manager is a collection of technologies working together to provide data integrity and the ability to maintain application availability in the event of a failure. Using redundant hardware, shared disk storage, power management, and robust cluster communication and application failover mechanisms, a cluster can meet the needs of the enterprise market.

Bug Fixes

BZ#996233
Prior to this update, if one of the gfs2_tool, gfs2_quota, gfs2_grow, or gfs2_jadd commands was killed unexpectedly, a temporary GFS2 metadata mount point used by those tools could be left mounted. The mount point was also not registered in the /etc/mtab file, and so the "umount -a -t gfs2" command did not unmount it. This mount point could prevent systems from rebooting properly, and cause the kernel to panic in cases where it was manually unmounted after the normal GFS2 mount point. This update corrects the problem: the tools now create an mtab entry for the temporary mount point and unmount it before exiting when signals are received.
BZ#893925
Previously, the cman utility did not work correctly if there was a brief network failure in a cluster running in two_node mode with no fence delay. Consequently, the two nodes killed each other when the connection was re-established. This update adds a 5-second delay to the "fenced" daemon for the node with the higher node ID and the described problem no longer occurs. Another option is to add a fence delay into the "cluster.conf" file, as documented in the Red Hat Knowledgebase (see https://access.redhat.com/site/solutions/54829).
BZ#982670
Prior to this update, the cman init script did not handle its lock file correctly when executing the "restart" command. Consequently, the node could be removed from the cluster by other members during the node reboot. The cman init script has been modified to handle the lock file correctly, and no fencing action is now taken by other nodes of the cluster.
BZ#889564
Previously, when the corosync utility detected a "process pause", an old, therefore invalid, control group ID was occasionally sent to the gfs_controld daemon. Consequently, gfs_controld became unresponsive. This update fixes gfs_controld to discard messages with old control group IDs, and gfs_controld no longer hangs in this scenario.
BZ#888857
Prior to this update, the "fenced" daemon and other related daemons occasionally closed a file descriptor that was still referenced by the corosync libraries during an attempt to stop the daemons. Consequently, the daemons did not terminate properly and shutting down the cluster utility failed. This bug has been fixed, the file descriptor now stays open and it is marked unused by the daemons, and the daemons terminate properly.
BZ#989647
Previously, the fsck.gfs2 utility did not handle a certain type of file system corruption properly. As a consequence, fsck.gfs2 terminated with an error message and did not repair the corruption. This update extends the abilities of fsck.gfs2 to handle file system corruption and the described problems no longer occur.
BZ#1007970
Previously, the "-K" option was unavailable in the mkfs.gfs2 utility. Consequently, mkfs.gfs2 returned the "invalid option" error message, and it was impossible to use this option to keep and not to discard unused blocks. With this update, mkfs.gfs2 handles the "-K" option properly.
BZ#896191
The cluster.conf(5) manual page contained incorrect information that the default syslog facility was "daemon". This update corrects this statement to "local4".
BZ#902920
Previously, the fsck.gfs2 utility did not correctly recognize cases when information about a directory in the Global File System 2 (GFS2) was misplaced. Also, fsck.gfs2 did not properly check consistency of the GFS2 directory hash table. As a consequence, fsck.gfs2 did not report problems with the file system and the files in the corrupted directories were unusable. With this update, fsck.gfs2 has been modified to do extensive sanity checking and it is now able to identify and fix the described problems among others.
BZ#963657
Prior to this update, nested Global File System 2 (GFS2) mount points were not taken into account when stopping the GFS2 resources. Consequently, the mount points were not being unmounted in the correct order and the gfs2 utility failed to stop. The gfs2 init script has been modified to unmount GFS2 mount points in the correct order and the stopping of gfs2 no longer fails in this scenario.
BZ#920358
Previously, the qdiskd daemon did not correctly handle newly rejoined nodes that had been rebooted uncleanly. Consequently, qdiskd removed such nodes after its initialization. With this update, qdiskd skips counting of the missed updates for nodes in the "S_NONE" state, and it no longer removes nodes in the described scenario.
BZ#888318
Previously, the qdiskd daemon did not issue a specific error message for cases when the token timeout was set incorrectly in the "cluster.conf" file. Consequently, qdiskd terminated with the "qdiskd: configuration failed" error message giving no details. This update adds a specific error message for the described cases.
BZ#886585
Previously, the gfs2_grow utility returned a zero exit status even in cases where no growth was possible, due to how little the device had grown. Consequently, automated scripts, used especially for testing of gfs2_grow, received an incorrect "0" return code. With this update, gfs2_grow has been modified to return a non-zero exit status when its operations fail.
BZ#871603
Previously, the help text for the "ccs_tool create" command contained incorrect parameters for the "addfence" subcommand, namely "user" instead of "login". Consequently, users could create an incorrect "cluster.conf" file. With this update, the help text has been corrected.
BZ#985796
Previously, when the fsck.gfs2 utility was repairing the superblock, it looked up the locking configuration fields from the "cluster.conf" file. Consequently, the "lockproto" and "locktable" fields could be set improperly when the superblock was repaired. With this update, the "lockproto" and "locktable" fields are now set to sensible default values and the user is now instructed to set the fields with the tunegfs2 utility at the end of the fsck.gfs2 run.
BZ#984085
Previously, the fsck.gfs2 utility did not properly handle cases when directory leaf blocks were duplicated. As a consequence, files in the corrupted directories were occasionally not found and fsck.gfs2 became unresponsive. With this update, fsck.gfs2 checks for duplicate blocks in all directories, identifies and fixes corruptions, and it no longer hangs in this scenario.
Users of cluster and gfs2-utils are advised to upgrade to these updated packages, which fix these bugs.

8.16. clustermon

Updated clustermon packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The clustermon packages are used for remote cluster management. The modclusterd service provides an abstraction of cluster status used by conga and by the Simple Network Management (SNMP) and Common Information Model (CIM) modules of clustermon.

Bug Fixes

BZ#951470
Prior to this update, the modclusterd service made an improper CMAN API call when attempting to associate the local machine's address with a particular cluster node entry, and the attempt did not succeed. Consequently, modclusterd returned log messages every five seconds. In addition, when logging for CMAN was enabled, with membership messages included, messages arising from the CMAN API misuse were emitted. Now, the CMAN API call is used properly, which corrects the aforementioned consequences.
BZ#908728
Previously, the modclusterd service terminated unexpectedly in IPv4-only environments when stopped, because it accessed uninitialized memory that was only used when IPv6 was available. With this update, modclusterd no longer crashes in IPv4-only environments.
BZ#888543
Previously, the SNMP (Simple Network Management Protocol) agent exposing the cluster status and shipped as cluster-snmp caused the SNMP server (snmpd) to terminate unexpectedly with a segmentation fault when this module was loaded, and the containing server was instructed to reload. This was caused by an improper disposal of the resources facilitated by this server, alarms in particular. Now, the module properly cleans up such resources when being unloaded, preventing the crash on reload.
Users of clustermon are advised to upgrade to these updated packages, which fix these bugs.

8.17. compat-openmpi

Updated compat-openmpi packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The compat-openmpi packages contain shared libraries from earlier versions of Open Message Passing Interface (Open MPI). The libraries from previous releases have been compiled against the current version of Red Hat Enterprise Linux 6, and the packages enable earlier programs to keep functioning properly.

Bug Fix

BZ#876315
The compat-openmpi packages previously did not ensure compatibility with earlier versions of the Open MPI shared libraries. Consequently, users could not run certain applications using Open MPI on Red Hat Enterprise Linux 6.3 and later if those applications were compiled against Open MPI versions used on Red Hat Enterprise Linux 6.2 and earlier. After this update, the compat-openmpi packages maintain compatibility with earlier versions of Open MPI on Red Hat Enterprise Linux 6.
Users of compat-openmpi are advised to upgrade to these updated packages, which fix this bug.

8.18. conman

Updated conman packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
ConMan is a serial console management program designed to support a large number of console devices and simultaneous users. ConMan currently supports local serial devices and remote terminal servers.

Upgrade to an upstream version

The conman packages have been upgraded to upstream version 0.2.7, which provides a number of bug fixes and enhancements over the previous version. With this update, support for the ipmiopts directive in the conman.conf configuration file has been included. (BZ#951698)

Bug Fix

BZ#891938
Previously, the length range of timezone strings was not sufficient to process all known timezone codes. As a consequence, the conmand daemon failed to start if the timezone name consisted of five or more characters. The maximum string length has been set to 32, and conmand now always starts as expected.
Users of conman are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.19. coolkey

Updated coolkey packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
Coolkey is a smart card support library for the CoolKey, Common Access Card (CAC), and Personal Identity Verification (PIV) smart cards.

Bug Fixes

BZ#806038
In previous versions, coolkey always created a bogus e-gate smart card reader to avoid problems with Network Security Services (NSS) and the PC/SC Lite framework when no smart card reader was available. However, e-gate smart cards are no longer available for smart card authentication, and the NSS and pcsc-lite packages have been updated to handle a situation with no e-gate reader attached. Therefore, this bogus reader in coolkey became unnecessary and could cause problems to some applications under certain circumstances. This update modifies the respective code so that coolkey no longer creates a bogus e-gate smart card.
BZ#906537
With a previous version of coolkey, some signature operations, such as PKINIT, could fail on PIV endpoint cards that support both CAC and PIV interfaces. The underlying coolkey code has been modified so these PIV endpoint cards now work with coolkey as expected.
BZ#991515
The coolkey library registered only with the NSS DBM database. However, NSS now also uses the SQLite database format, which is preferred. This update modifies coolkey to register properly with both NSS databases.

Enhancement

BZ#951272
Support for tokens containing Elliptic Curve Cryptography (ECC) certificates has been added to the coolkey packages so the coolkey library now works with ECC provisioned cards.
Users of coolkey are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

8.20. coreutils

Updated coreutils packages that fix three security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE link(s) associated with each description below.
The coreutils package contains the core GNU utilities. It is a combination of the old GNU fileutils, sh-utils, and textutils packages.

Security Fixes

CVE-2013-0221, CVE-2013-0222, CVE-2013-0223
It was discovered that the sort, uniq, and join utilities did not properly restrict the use of the alloca() function. An attacker could use this flaw to crash those utilities by providing long input strings.
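The pattern behind this class of flaw, as an added C example that is not coreutils code: a stack allocation sized directly by the input length, next to a bounded version that falls back to the heap. The function names, the 4096-byte STACK_SCRATCH_MAX cap and the sample input are assumptions made for the illustration.

```c
#include <alloca.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on per-call stack scratch space (an assumption made for
 * this example, not a coreutils constant). Larger requests use the heap. */
#define STACK_SCRATCH_MAX 4096

/* Number of comparisons that had to use the heap path. */
static unsigned long heap_fallbacks;

/* Lower-case n bytes of src into dst. */
static void fold_bytes(char *dst, const char *src, size_t n)
{
    for (size_t i = 0; i < n; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
}

/* Order two byte strings: -1, 0 or 1. */
static int order_bytes(const char *a, size_t alen, const char *b, size_t blen)
{
    size_t min = alen < blen ? alen : blen;
    int c = memcmp(a, b, min);
    if (c != 0)
        return c < 0 ? -1 : 1;
    return (alen > blen) - (alen < blen);
}

/* UNSAFE: the input line length alone decides how far the stack pointer
 * moves. alloca() cannot report failure, so a line longer than the
 * remaining stack crashes the process. Shown for contrast only. */
int compare_fold_unbounded(const char *a, size_t alen,
                           const char *b, size_t blen)
{
    char *fa = alloca(alen + 1);
    char *fb = alloca(blen + 1);
    fold_bytes(fa, a, alen);
    fold_bytes(fb, b, blen);
    return order_bytes(fa, alen, fb, blen);
}

/* Bounded: short lines keep the fast stack path, long lines go to malloc(),
 * which can fail cleanly. Returns 0 and stores the ordering in *result, or
 * -1 if the lengths overflow or the scratch buffer cannot be allocated. */
int compare_fold_bounded(const char *a, size_t alen,
                         const char *b, size_t blen, int *result)
{
    char *scratch;
    int on_heap = 0;

    if (alen > SIZE_MAX - blen)        /* alen + blen would wrap around */
        return -1;
    size_t need = alen + blen;

    if (need <= STACK_SCRATCH_MAX) {
        scratch = alloca(need ? need : 1);
    } else {
        scratch = malloc(need);
        if (scratch == NULL)
            return -1;
        on_heap = 1;
        heap_fallbacks++;
    }

    fold_bytes(scratch, a, alen);
    fold_bytes(scratch + alen, b, blen);
    *result = order_bytes(scratch, alen, scratch + alen, blen);

    if (on_heap)
        free(scratch);
    return 0;
}

int main(void)
{
    /* Constructed input: two 4 MiB lines differing only in case. */
    size_t big = 4u * 1024 * 1024;
    char *x = malloc(big), *y = malloc(big);
    int r = 0;
    if (!x || !y)
        return 1;
    memset(x, 'Q', big);
    memset(y, 'q', big);
    if (compare_fold_bounded(x, big, y, big, &r) != 0)
        return 1;
    printf("order=%d heap_fallbacks=%lu\n", r, heap_fallbacks);
    free(x);
    free(y);
    return 0;
}
```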

Bug Fixes

BZ#747592
Previously, due to incorrect propagation of signals from child processes, the return values of the "su" command were incorrect and core dump information was not shown in the parent process. With this update, signal propagation from child processes has been fixed and the return values of the "su" command corrected. As a result, core dump messages from child processes are no longer ignored and the "su" command returns correct exit values.
BZ#749679
Previously, the su command did not wait for the end of its child processes. As a consequence, the su utility might exit before the child process has finished. This bug has been fixed and now "su" waits for the child process to exit.
BZ#816708
Previously, when invoked with no user name argument, the "id -G" and "id --groups" commands printed the default group ID listed in the password database. Occasionally, this ID was incorrect or not effective, especially when it has been changed. After this update, the aforementioned commands print only effective and real IDs when no user is specified.
BZ#827199
The "tail -f" command uses inotify for tracking changes in files. For remote file systems, inotify is not available. In the case of unknown file systems, for example panasas, "tail -f" failed instead of falling back to polling. Now, the list of known file systems is updated and "tail -f" is modified to fall back to polling for unknown file systems. As a result, "tail -f" now works correctly, even on unknown file systems, with only a warning about the unknown file system and a fallback to polling.
BZ#842040
Previously, the "df" command interpreted control characters in the output mount name. As a consequence, it could be inconvenient to read and problematic for scripts when there are control characters such as "\n" in the output. Problematic characters have been replaced by a question mark sign ("?"), and such output is no longer hard to read.
BZ#867984
Previously, a Red Hat specific patch for multibyte locale support in the core utilities was missing the handling of the "--output-delimiter" option of the "cut" command. As a consequence, the option was ignored if specified. Support for the "--output-delimiter" option has been implemented in coreutils and users can now use this option with multibyte locales.
BZ#889531
Previously, when an "su" session was terminated by a signal, it returned an incorrect exit status. This caused various issues, such as a ksh lockup, to occur. This update fixes the exit status handling and the aforementioned situation no longer occurs.
BZ#911206
Previously, the stat utility used the setpwent() and setgrent() functions. This caused NIS database download problems every time the stat utility was called, thus causing performance issues. After this update, the aforementioned function calls are no longer present in the stat utility source code. As a result, NIS database downloads are not necessary with every stat utility run.
BZ#956143
When parsing a file's content, in which the end of a field was specified using the obsolete key formats (+POS -POS), the sort utility determined the end of the field incorrectly, and therefore produced incorrect output. This update fixes the parsing logic to match the usage of the "-k" option when using these obsolete key formats. The sort utility now returns expected results in this situation.
BZ#960160
Previously, in some cases, the date utility could parse invalid input. This was due to sign extension of "other" bytes in the parsing mechanism, which caused unexpected results for some invalid input. The parsing mechanism has been fixed, and the date utility now correctly recognizes invalid input where appropriate.
BZ#965654
Previously, the "dd" utility produced the transfer statistics output even if the "status=noxfer" option was specified. To fix this bug, a new option, "status=none", has been implemented to suppress all informational output. As a result, unnecessary information produced by dd is no longer displayed with this option.
BZ#967623
The "su" utility has a "-p" option, which preserves some of the environmental variables. However, the su(1) manual page incorrectly stated that the whole environment was preserved. After this update, the manual page has been adjusted to list all the preserved environmental variables.
BZ#980061
When moving directories between two file systems, the "mv" utility failed to overwrite an empty directory, which was a violation of the POSIX standard. After this update, mv no longer fails to overwrite an empty destination directory and the POSIX standard rules are obeyed.
BZ#997537
Previously, the "pr" utility used a suboptimal code routine when the "-n" option was specified, and inconsistent padding with either zeros or spaces. As a consequence, pr terminated unexpectedly when the "-n" option was used with a value of 32 or higher. Moreover, the inconsistent padding was hard to parse by scripts. After this update, line numbers are consistently padded by spaces and the program has been improved to handle high values of the "-n" option correctly. As a result, the "pr" utility no longer terminates unexpectedly.
BZ#1006221
Previously, the "tail -f" command did not monitor dead symbolic links properly. As a result, "tail -f" ignored updates to the referent of a symbolic link after the symbolic link was killed. This bug has now been fixed and "tail -f" now notices when the dead symbolic link is revived and resumes tailing the contents of the referent.

Enhancements

BZ#836557
Before this update, a directory cycle induced by a bind mount was treated as a fatal error, for example a probable disk corruption. However, such cycles are relatively common and can be detected efficiently. The "du" command has been modified to display a descriptive warning and also to return the appropriate non-zero exit value. This allows bind mounts of various services to be handled correctly.
BZ#908980
In Red Hat Enterprise Linux 6, the "dd" command has a "conv" option, which supports various conversion types. This update adds support for the "sparse" conversion option, used for sparse files. This feature is useful when copying block devices to files to minimize the actual amount of data occupied. In addition, it can be used for managing virtual machine images in different storage types, including iSCSI and NFS.
Users of coreutils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.21. corosync

Updated corosync packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
The corosync packages provide the Corosync Cluster Engine and C Application Programming Interfaces (APIs) for Red Hat Enterprise Linux cluster software.

Bug Fixes

BZ#854216
When running corosync on a faulty network with the failed_to_recv configuration option set, corosync was very often terminated with a segmentation fault after a cluster node was marked as "failed to receive". This happened because an assert condition was met during a cluster node membership determination. To fix this problem, the underlying code has been modified to ignore the assert if it was triggered by nodes marked as "failed to receive". This is safe because a single node membership is always established in this situation.
BZ#877349
The corosync-notifyd service was not started right after installation because the default configuration of the corosync notifier did not exist. This fix adds the default configuration for this service in the /etc/sysconfig/corosync-notifyd file so that corosync-notifyd can now be started right after installation without any additional configuration.
BZ#880598
Due to a bug in the underlying code, the corosync API could read uninitialized memory, and thus return incorrect values when incrementing or decrementing the value of certain objects in the configuration and statistics database. This update modifies the respective code to only read 16 bits of memory instead of 32 bits when returning the [u]int16 type values. The corosync API no longer reads uninitialized memory and returns correct values.
BZ#881729
Due to a rare race condition in the corosync logging system, corosync could terminate with a segmentation fault after an attempt to dereference a NULL pointer. A pthread mutex lock has been added to a respective formatting variable so that the race condition between log-formatting and log-printing functions is now avoided.
BZ#906432
Previously, corosync did not support IPv6 double colon notation and did not correctly handle closing braces when parsing the corosync.conf file. As a consequence, the totem service failed to start when using IPv6. If the configuration file contained additional closing braces, no error was displayed to inform users why the configuration file was not parsed successfully. This update fixes these parsing bugs so the totem service can now be successfully started, and an error message is displayed if the corosync.conf file contains additional closing braces.
BZ#907894
Due to multiple bugs in the corosync code, either duplicate or no messages were delivered to applications if the corosync service was terminated on multiple cluster nodes. This update applies a series of patches correcting these bugs so that corosync no longer loses or duplicates messages in this scenario.
BZ#915490
The corosync-fplay utility could terminate with a segmentation fault or result in unpredictable behavior if the corosync fdata file became corrupted. With this update, corosync-fplay has been modified to detect loops in code and properly validate fdata files. To avoid another cause of fdata corruption, corosync now also prohibits its child processes from logging. As a result of these changes, corosync no longer crashes or becomes unresponsive in this situation.
BZ#915769
If a service section in the corosync.conf file did not contain a service name, corosync either terminated with a segmentation fault or refused to start an unknown service. With this update, corosync now properly verifies the name key and if no service name is found, returns an error message and exits gracefully.
BZ#916227
The corosync service did not correctly handle a situation when it received an exit request (the SIGINT signal) before the service initialization was complete. As a consequence, corosync became unresponsive and ignored all signals, except for SIGKILL. This update adds a semaphore to ensure that corosync exits gracefully in this situation.
BZ#922671
When running applications that used the Corosync inter-process communication (IPC) library, some messages in the dispatch() function were lost or duplicated. With this update, corosync properly verifies return values of the dispatch_put() function, returns the correct remaining bytes in the IPC ring buffer, and ensures that the IPC client is correctly informed about the real number of messages in the ring buffer. Messages in the dispatch() function are no longer lost or duplicated.
BZ#924261
Sometimes, when an attempt to shut down the corosync service using the "corosync-cfgtool -H" command failed and returned the CS_ERR_TRY_AGAIN error code, subsequent shutdown attempts always failed with the CS_ERR_EXISTS error. The corosync-cfgtool utility has been modified to automatically retry the shutdown command, and Corosync's Cfg library now allows processing of multiple subsequent shutdown calls. The "corosync-cfgtool -H" command now works as expected even on heavily loaded cluster nodes.
BZ#947936
If the uidgid section of the corosync.conf file contained a non-existing user or group, corosync did not display any error. The underlying code has been modified so that corosync now properly verifies values returned by the getpwnam_r() function, and displays an appropriate error message in this situation.
BZ#959184
If an IPC client exited in a specific time frame of the connection handshake, the corosync main process received the SIGPIPE signal and terminated. With this update, the SIGPIPE signal is now correctly handled by the sendto() function and the corosync main process no longer terminates in this situation.
BZ#959189
The corosync process could become unresponsive upon exit, by sending the SIGINT signal or using the corosync-cfgtool utility, if it had a large number of confdb IPC connections open. This update modifies the corosync code to ensure that all IPC connections to the configuration and statistics database are closed upon corosync exit so that corosync exits as expected.
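For the uidgid check described under BZ#947936, an added C example (not corosync's own code) of validating a configured user name with getpwnam_r(), which signals a missing user through a NULL result rather than through its return value. The helper names, messages and sample user names are assumptions made for the illustration.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum lookup_status { LOOKUP_FOUND, LOOKUP_NO_SUCH_USER, LOOKUP_ERROR };

/* Resolve a user name with getpwnam_r(). The call reports "no such user"
 * as return value 0 with the result pointer set to NULL (some NSS back ends
 * use ENOENT or ESRCH instead), so checking only the return value is not
 * enough. */
enum lookup_status resolve_user(const char *name, uid_t *uid_out, int *err_out)
{
    long hint = sysconf(_SC_GETPW_R_SIZE_MAX);
    size_t len = hint > 0 ? (size_t)hint : 1024;
    const size_t max_len = (size_t)1 << 20;   /* stop growing at 1 MiB */

    *err_out = 0;
    for (;;) {
        struct passwd pw, *res = NULL;
        char *buf = malloc(len);
        if (buf == NULL) {
            *err_out = ENOMEM;
            return LOOKUP_ERROR;
        }
        int rc = getpwnam_r(name, &pw, buf, len, &res);
        if (rc == 0 && res != NULL)
            *uid_out = pw.pw_uid;
        free(buf);

        if (rc == 0)
            return res != NULL ? LOOKUP_FOUND : LOOKUP_NO_SUCH_USER;
        if (rc == ENOENT || rc == ESRCH)
            return LOOKUP_NO_SUCH_USER;
        if (rc == EINTR)
            continue;
        if (rc == ERANGE && len < max_len) {  /* buffer too small: retry */
            len *= 2;
            continue;
        }
        *err_out = rc;
        return LOOKUP_ERROR;
    }
}

/* Validate one user value from a uidgid section (hypothetical helper).
 * Returns 0 and fills *uid on success; otherwise returns -1 and writes a
 * message for the operator into msg. */
int check_uidgid_user(const char *name, uid_t *uid, char *msg, size_t msglen)
{
    int err = 0;
    if (name == NULL || *name == '\0') {
        snprintf(msg, msglen, "uidgid: empty user name");
        return -1;
    }
    switch (resolve_user(name, uid, &err)) {
    case LOOKUP_FOUND:
        return 0;
    case LOOKUP_NO_SUCH_USER:
        snprintf(msg, msglen, "uidgid: user '%s' does not exist", name);
        return -1;
    default:
        snprintf(msg, msglen, "uidgid: lookup of user '%s' failed: %s",
                 name, strerror(err));
        return -1;
    }
}

int main(void)
{
    /* Constructed values standing in for entries read from a config file. */
    const char *names[] = { "root", "no-such-user-example" };
    for (size_t i = 0; i < 2; i++) {
        char msg[256];
        uid_t uid = 0;
        if (check_uidgid_user(names[i], &uid, msg, sizeof msg) == 0)
            printf("%s -> uid %lu\n", names[i], (unsigned long)uid);
        else
            printf("%s\n", msg);
    }
    return 0;
}
```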

Enhancements

BZ#949491
The corosync daemon now detects when the corosync main process was not scheduled for a long time and sends a relevant message to the system log.
BZ#956739
To improve the process of problem detection, output of the corosync-blackbox command now contains time stamps of events. This feature is backward-compatible so that output (fdata) from old versions of corosync is processed correctly.
Users of corosync are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
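For the SIGPIPE termination described under BZ#959184 above, an added C example (not corosync's own code) showing a plain sendto() to a departed peer killing the sender, next to a sendto() that reports the condition as an error instead. The notes do not say how corosync implemented its fix; the use of MSG_NOSIGNAL, the function names and the socketpair standing in for the IPC connection are assumptions.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Send a reply to an IPC client without risking SIGPIPE.
 * Returns 0 on success, 1 if the client has gone away, -1 on other errors. */
int send_reply(int fd, const void *buf, size_t len)
{
    const char *p = buf;
    while (len > 0) {
        ssize_t n = sendto(fd, p, len, MSG_NOSIGNAL, NULL, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            if (errno == EPIPE || errno == ECONNRESET)
                return 1;             /* peer exited: drop this client only */
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Before: a child process sends without MSG_NOSIGNAL to a peer that has
 * already closed. Returns the signal that terminated the child (SIGPIPE is
 * expected), 0 if it exited normally, -1 on setup failure. */
int signal_from_plain_send(void)
{
    int sv[2], status;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    close(sv[1]);                     /* client exits during the handshake */

    pid_t pid = fork();
    if (pid < 0) {
        close(sv[0]);
        return -1;
    }
    if (pid == 0) {
        signal(SIGPIPE, SIG_DFL);     /* default action: terminate */
        (void)sendto(sv[0], "ack", 3, 0, NULL, 0);
        _exit(0);
    }
    close(sv[0]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

/* After: the same situation handled in-process. SIGPIPE keeps its default
 * action, yet the caller survives and sees "client gone" (1). */
int reply_to_departed_client(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    close(sv[1]);
    signal(SIGPIPE, SIG_DFL);
    int rc = send_reply(sv[0], "ack", 3);
    close(sv[0]);
    return rc;
}

int main(void)
{
    printf("plain sendto: child killed by signal %d (SIGPIPE is %d)\n",
           signal_from_plain_send(), SIGPIPE);
    printf("send_reply to departed client returned %d\n",
           reply_to_departed_client());
    return 0;
}
```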

8.22. cpupowerutils

Updated cpupowerutils packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
The cpupowerutils packages provide a suite of tools to manage power states on appropriately enabled central processing units (CPU).

Bug Fixes

BZ#886225
Previously, some of the commands in the cpupowerutils packages were missing manual pages. Manual pages for the turbostat, x86_energy_perf_policy, cpufreq-bench, and cpufreq-bench_plot.sh commands have been added, thus fixing this bug.
BZ#886226
If a non-root user tried to run the cpufreq-bench utility, it terminated unexpectedly with a segmentation fault, and an ABRT notification appeared on the desktop. With this update, a warning message is displayed to the user instead, informing them that it is necessary to run the utility as root.
BZ#886227
Prior to this update, the x86_energy_perf_policy utility failed when it tried to open the /dev/cpu/*/msr/ directory. Consequently, a "permission denied" error message was returned. With this update, a new error message explains that the command needs root privileges and x86_energy_perf_policy cleanly exits.
BZ#886228
Previously, the interactive help for the x86_energy_perf_policy utility was short and confusing. The help text has been expanded to clarify the meaning of the command-line options.
BZ#914623
Because the "cpupower set -m" command is not implemented, an error message is returned upon launching the command. Previously, this message wrongly implied that the sched-mc utility is not supported on the system. This update clarifies the message to clearly state that sched-mc is not yet implemented.
BZ#914787
Previously, running the "cpupower -v" or "cpupower --version" commands returned incorrect version information. This bug has been fixed and a selected component of cpupower now reports the correct version-release number.

Enhancement

BZ#852831
Intel turbostat v3.0 utility has been included in Red Hat Enterprise Linux. The utility is used to read current CPU core frequency and active C-states.
Users of cpupowerutils are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

8.23. crash

Updated crash packages that add various enhancements are now available for Red Hat Enterprise Linux 6.
The crash packages provide a self-contained tool that can be used to investigate live systems and kernel core dumps created from the netdump, diskdump, kdump, and Xen/KVM "virsh dump" facilities from Red Hat Enterprise Linux.

Enhancements

BZ#902141
With this update, dump files created by the makedumpfile utility using the snappy compression format are now readable by the crash utility. The snappy format is suitable for the crash dump mechanism that requires stable performance in any situation with enterprise application use.
BZ#902144
With this update, dump files created by the makedumpfile utility using the LZO compression format are now readable by the crash utility. The LZO compression format is fast and stable for randomized data.
BZ#1006622
This update adds support for compressed dump files created by the makedumpfile utility that were generated on systems with physical memory requiring more than 44 bits.
BZ#1017930
This update fixes faulty panic-task backtraces generated by the bt command in KVM guest dump files. The bt command now shows a trace when the guest operating system is panicking.
BZ#1019483
This update fixes the CPU number display on systems with 255 or more CPUs during the initialization, by the set command, the ps command, and by all commands that display the per-task header consisting of the task address, PID, CPU and command name. Without the patch, for CPU 255, the sys command displays "NO_PROC_ID", and the other commands show a "-" for the CPU number; for CPU numbers greater than 255, garbage values would be displayed in the CPU number field.
Users of crash are advised to upgrade to these updated packages, which add these enhancements.

8.24. crash-gcore-command

Updated crash-gcore-command packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The crash-gcore-command packages contain an extension module for the crash utility that adds a "gcore" command which can create a core dump file of a user-space task that was running in a kernel dumpfile.

Bug Fix

BZ#890232
Due to a backported madvise/MADV_DONTDUMP change in the Red Hat Enterprise Linux 6 kernel, VDSO (Virtual Dynamically linked Shared Objects) and vsyscall pages were missing in the generated process core dump. With this update, VDSO and vsyscall pages are always contained in the generated process core dump.
Users of crash-gcore-command are advised to upgrade to these updated packages, which fix this bug.

8.25. createrepo

An updated createrepo package that fixes two bugs is now available for Red Hat Enterprise Linux 6.
The createrepo package contains a utility that generates a common metadata repository from a directory of RPM packages.

Bug Fixes

BZ#877301
Previously, a time-stamp check did not pass if a file did not exist. As a consequence, an empty repository was incorrectly flagged as being up to date and the "createrepo --checkts" command performed no action on an empty repository. With this update, a missing file is now considered a failure, and not a pass. The "createrepo --checkts" command now properly creates a new repository when called on an empty repository.
BZ#892657
The --basedir, --retain-old-md, and --update-md-path options were reported only in the createrepo utility help message but not in the man page. This update amends the man page and the options are now properly documented in both the help message and the man page.
Users of createrepo are advised to upgrade to this updated package, which fixes these bugs.

8.26. cronie

Updated cronie packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
Cronie contains the standard UNIX daemon crond that runs specified programs at scheduled times and related tools. It is a fork of the original vixie-cron and has security and configuration enhancements such as the ability to use PAM and SELinux.

Bug Fixes

BZ#697485
Previously, the crond daemon did not drop data about user privileges before calling the popen() system function. Consequently, warnings about changing privileges were written to the /var/log/crond file when the function was invoked by a non-root user. With this update, crond has been modified to drop user privileges before calling popen(). As a result, warnings are no longer logged in this scenario.
BZ#706979
With this update, file permissions of cron configuration files have been changed to be readable only by the root user.
BZ#733697
Prior to this update, the definition of restart in the cron init file was incorrect. Consequently, a failure was incorrectly reported when restarting the crond daemon. The init file has been fixed and the redundant failure message is no longer displayed after crond restart.
BZ#738232
Cron jobs of users with home directories mounted on a Lightweight Directory Access Protocol (LDAP) server or Network File System (NFS) were often refused because jobs were marked as orphaned (typically due to a temporary NSS lookup failure, when NIS and LDAP servers were unreachable). With this update, a database of orphans is created, and cron jobs are performed as expected.
BZ#743473
With this update, obsolete comments have been removed from the /etc/cron.hourly/0anacron configuration file.
BZ#821046, BZ#995089
Due to a bug in cron's support for time zones, planned jobs were executed multiple times. Effects of this bug were visible only during the spring change of time. This bug has been fixed and jobs are now executed correctly during the time change.
BZ#887859
With this update, an incorrect example showing the anacron table setup has been fixed in the anacrontab man page.
BZ#919440
Previously, the crond daemon did not check for existing locks for the daemon. Consequently, multiple instances of crond could run simultaneously. The locking mechanism has been updated and running multiple instances of cron at once is no longer possible.
BZ#985888
Prior to this update, the $LANG setting was not read by the crond daemon. Consequently, cron jobs were not run with the system-wide $LANG setting. This bug has been fixed and $LANG is now used by cron jobs as expected.
BZ#985893
Previously, the crond daemon used the putenv system call, which could have caused crond to terminate unexpectedly with a segmentation fault. With this update, putenv() has been replaced with the setenv() system call, thus preventing the segmentation fault.
BZ#990710
Prior to this update, the PATH variable could be set by cron or in crontable, but could not be changed by a PAM setting. With this update, PATH can be altered by a PAM setting. As a result, PATH can now be inherited from the environment if the "-P" option is used.
BZ#1006869
Previously, an incorrect error code was returned when a non-root user tried to restart the crond daemon. With this update, the correct code is returned in the described case.

Enhancements

BZ#829910
This update adds the RANDOM_DELAY variable, which allows delaying job startups by a random number of minutes, with the upper limit specified by the variable. The random scaling factor is determined during the crond daemon startup, so it remains constant for the whole run time of the daemon.
BZ#922829
With this update, the CRON_CORRECT_MAIL_HEADER environment variable in the /etc/crond/sysconfig configuration file has been updated. With this variable enabled, cron now sends emails with headers in RFC compliant format.
Users of cronie are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.27. cvs

Updated cvs packages that fix one bug and add one enhancement are now available for Red Hat Enterprise Linux 6.
The Concurrent Versions System (CVS) is a version control system that can record the history of your files. CVS only stores the differences between versions, instead of every version of every file you have ever created. CVS also keeps a log of who, when, and why changes occurred.

Bug Fix

BZ#671460
When a CVS client tried to establish a GSSAPI-authenticated connection to a DNS load-balanced cluster node, the authentication failed because each node had a unique host name. With this update, the GSSAPI CVS server has been modified to search for any Kerberos key that matches the "cvs" service and any host name. As a result, the CVS server can now authenticate clients using GSSAPI even if the server's host name does not match the domain name (and thus the host name part of the Kerberos principal) that is common to all cluster nodes. CVS server administrators are advised to deploy two Kerberos principals to each node: a principal matching the node's host name and a principal matching the cluster's domain name.

Enhancement

BZ#684789
Previously, the CVS server did not pass the client address to the Pluggable Authentication Modules (PAM) system. As a consequence, it was not possible to distinguish clients by the network address with the PAM system and the system was not able to utilize the client address for authentication or authorization purposes. With this update, the client network address is passed to the PAM subsystem as a remote host item (PAM_RHOST). Also, the terminal item (PAM_TTY) is set to a dummy value "cvs" because some PAM modules cannot work with an unset value.
Users of cvs are advised to upgrade to these updated packages, which fix this bug and add this enhancement.

8.28. device-mapper-multipath

Updated device-mapper-multipath packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The device-mapper-multipath packages provide tools for managing multipath devices using the device-mapper multipath kernel module.

Bug Fixes

BZ#975676
Device Mapper Multipath (DM-Multipath) did not test pointers for NULL values before dereferencing them in the sysfs functions. Consequently, the multipathd daemon could terminate unexpectedly with a segmentation fault if a multipath device was resized while a path from the multipath device was being removed. With this update, DM-Multipath performs NULL pointer checks in sysfs functions and no longer crashes in the described scenario.
BZ#889429
Prior to this update, the multipathd daemon did not start listening to udev events (uevents) until all the multipath paths that were discovered on system startup had been configured. As a consequence, multipathd was unable to handle paths that were discovered in the meantime. This bug has been fixed and multipathd now handles all paths as expected in the described scenario.
BZ#889441
Due to incorrectly ordered udev rules for multipathd, link priority was not set for multipath paths when creating the multipath device using initramfs udev rules. Consequently, the /dev/disk/by-uuid/<uuid> symbolic links pointed to multipath paths instead of the multipath device. This could lead to boot problems under certain circumstances. With this update, the multipathd udev rules have been ordered correctly so that the aforementioned symbolic links point to the multipath device as expected.
BZ#902585, BZ#994277
Previously, DM-Multipath did not allocate enough space for the sysfs "state" attribute. Consequently, when a path was switched to the "transport-offline" state, a buffer overflow was triggered, resulting in an error message being logged into the system log. Also, DM-Multipath did not correctly handle paths in the "quiesce" state, which resulted in unnecessary failure of these paths. With this update, DM-Multipath allocates enough space to store all valid values of the sysfs "state" attribute. Paths in the "quiesce" state are now moved to the "pending" state, which prevents the paths from failing.
BZ#928831
Previously, DM-Multipath did not verify whether the kernel supported the "retain_attached_hw_handler" mpath target feature before setting it. Consequently, the multipath devices which had set "retain_attached_hw_handler" did not work on machines with an older kernel without this feature support. With this update, DM-Multipath checks that the kernel supports the "retain_attached_hw_handler" feature before setting it. The multipath devices now work as expected on systems with older kernels utilizing newer versions of DM-Multipath.
BZ#995251
In certain setups, the Redundant Disk Array Controller (RDAC) did not mark a path as down if the target controller reported an asymmetric access state of the target port to be "unavailable". As a consequence, the multipathd daemon repeatedly attempted to send I/O to an unusable path. This bug has been fixed, and multipathd no longer sends I/O to unusable paths in this case.
BZ#1011341
Previously, the kpartx utility did not take into account the actual sector size of the device when creating partitions for the MS-DOS partition table, assuming a fixed size of 512 bytes per sector. Therefore, kpartx created partitions that were 1/8 of the proper size if a device with a sector size of 4 KB used the MS-DOS partition table. With this update, kpartx verifies the device's sector size and calculates the proper partition size if the device uses the MS-DOS partition table.
BZ#892292
When displaying multipath topology for the specified multipath device, DM-Multipath unnecessarily obtained WWIDs for all the multipath paths for all the configured multipath devices. Consequently, the "multipath -l" command took considerably longer to complete than expected, especially on systems containing a large number of multipath devices. This behavior has been changed and when displaying topology of the specified multipath devices, the multipath command now acquires WWIDs only for paths belonging to these devices.
BZ#974129
DM-Multipath previously set the fast_io_fail_tmo configuration option before setting the dev_loss_tmo option. However, a new value of fast_io_fail_tmo is not allowed to be greater than or equal to the current value of dev_loss_tmo. Therefore, when increasing the values of both options, if sysfs failed to set fast_io_fail_tmo due to the aforementioned limitation, dev_loss_tmo could not be set to a new value either. With this update, if a new value of fast_io_fail_tmo would be too high, DM-Multipath sets it to the highest valid value, that is, the current value of dev_loss_tmo minus one. When setting both the fast_io_fail_tmo and dev_loss_tmo options, dev_loss_tmo is now increased first.
BZ#889987
When the detect_prio option was set, DM-Multipath did not verify whether a storage device supports asymmetric logical unit access (ALUA) before setting up the ALUA prioritizer on the device. Consequently, if the device did not support ALUA, multipathd failed to detect the ALUA priority of the paths and emitted an error message to the system log. This bug has been fixed so that DM-Multipath now verifies whether a path can be set with ALUA priority before setting up the ALUA prioritizer on the storage device.
BZ#875199
Due to a NULL pointer dereference bug, multipathd could terminate with a segmentation fault when removing a failed path to a multipath device. This update adds a NULL pointer test to the code, preventing multipathd from crashing in this scenario.
BZ#904836
When creating partitions for the GUID Partition Table (GPT), the kpartx utility did not account for the actual sector size of devices with a sector size other than 512 bytes. As a result, kpartx created partitions that did not match the actual device partitions. With this update, kpartx correctly calculates the size of the created partitions to match the actual block size of the storage device.
BZ#918825
The kpartx utility did not properly release file descriptors allocated for loopback devices, causing file descriptor leaks. This update corrects the kpartx code, and kpartx no longer leaves file descriptors open after releasing loopback devices.
BZ#958091
When the multipath command failed to load a multipath device map with read/write permissions, the multipath device could have been incorrectly set with read-only access. This happened because the multipath command always retried reloading the map table with read-only permissions even though the failure was not caused by an EROFS error. With this update, multipath correctly reloads a multipath device with read-only permissions only if the first load attempt has failed with an EROFS error.
BZ#986767
Previously, DM-Multipath did not prevent creating a multipath device on a tapdev device, which cannot be subject to multipath I/O due to an unexpected path format. Consequently, if a multipath device was created on top of a tapdev device, multipathd terminated with a segmentation fault on the tapdev device's removal from the system. With this update, tapdev devices are blacklisted by default and this problem can no longer occur.

Enhancements

BZ#947798
This update adds a new default keyword, "reload_readwrite", to the /etc/multipath.conf file. If set to "yes", multipathd listens to path change events, and if the path has read-write access to the target storage, multipathd reloads it. This allows a multipath device to automatically grant read-write permissions, as soon as all its paths have read-write access to the storage, instead of requiring manual intervention.
BZ#916667
The multipathd daemon now includes the major and minor numbers of the target SCSI storage device along with the path's name in messages that are logged upon the path's addition and removal. This allows for better association of the path with the particular multipath device.
BZ#920448
In order to keep the naming of multipath devices consistent, DM-Multipath now sets the smallest available user-friendly name even when the /etc/multipath/bindings file has been edited manually. If the smallest user-friendly name cannot be determined, DM-Multipath retains previous behavior and sets the multipath device symbolic name to the next available largest name.
BZ#924924
A new default parameter, "replace_wwid_whitespace", has been added to the /etc/multipath.conf file. If set to "yes", the scsi_id command in the default configuration section returns WWID with white space characters replaced by underscores for all applying SCSI devices.
Users of device-mapper-multipath are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.29. device-mapper-persistent-data

Updated device-mapper-persistent-data packages that add various enhancements are now available for Red Hat Enterprise Linux 6.
The device-mapper-persistent-data packages provide device-mapper thin provisioning (thinp) tools.

Bug Fix

BZ#814790, BZ#960284, BZ#1006059, BZ#1019217
This enhancement update adds important thin provisioning tools (repair, rmap, and metadata_size) as well as caching tools (check, dump, restore, and repair) to the device-mapper-persistent-data packages in Red Hat Enterprise Linux 6 as a Technology Preview.
More information about Red Hat Technology Previews is available here:
Users of device-mapper-persistent-data are advised to upgrade to these updated packages, which add these enhancements.

8.30. dhcp

Updated dhcp packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and administer DHCP on a network.

Bug Fixes

BZ#996518
Previously, the dhcpd daemon or the dhclient utility terminated unexpectedly with a segmentation fault when starting on an InfiniBand network interface card (NIC) with an alias interface and a shared-network defined. Consequently, dhcpd and dhclient could not be used with an alias interface in a different subnet on InfiniBand NICs. A patch has been applied to address this problem, and neither dhcpd nor dhclient now crashes in this scenario.
BZ#902966
Prior to this update, if some of the IPv6 addresses were not in the subnet range declared by subnet6 in the range6 statement, the DHCPv6 server incorrectly offered an address which was not from the client's subnet. The range6 statement parsing code has been fixed to check whether its addresses belong to the subnet, in which the range6 statement was declared. With this update, the DHCPv6 server now fails to start with an error message if the range6 statement is incorrect.
BZ#863936
Previously, the DHCPv4 relay agent (dhcrelay) terminated unexpectedly with a segmentation fault if dhcrelay received a packet over an interface without any IPv4 address assigned. With this update, dhcrelay checks whether the interface has an address assigned prior to further processing of the received packet, and the relay agent no longer crashes in this scenario.
BZ#952126
Previously, when a DHCPv6 request from a DHCPv6 client came from a random port number, the DHCPv6 server sent the reply back to the source port of the message instead of sending it to UDP port 546, which is standard for IPv6. Consequently, the client got the reply on the incorrect port. The reply handling in the DHCPv6 server code has been fixed, and the server now sends replies to UDP port 546.
BZ#978420
Previously, the dhcpd daemon managed memory allocations incorrectly when manipulating objects via the Object Management API (OMAPI). As a consequence, several memory leaks were identified in dhcpd. With this update, memory allocation management has been fixed, and dhcpd no longer leaks memory in this scenario.
BZ#658855
Prior to this update, when the dhclient utility obtained a lease containing the "next-server" option, dhclient did not expose the option to the dhclient-script environment. Consequently, NetworkManager was not able to use the "next-server" option from the dhclient's lease. This bug has been fixed; dhclient now correctly exposes the "next-server" option and NetworkManager can use the option from the dhclient's lease.
BZ#919221
Previously, the dhcpd server was not able to properly handle parsing of a zone definition which contained two or more key statements. As a consequence, dhcpd returned a misleading error message about an internal inconsistency. The zone statement parsing code has been fixed; the error message reported by dhcpd is now more precise in this scenario, saying that there is a multiple key definition for the zone.
BZ#1001742
Previously, when the dhclient utility was running under IPv6 using multiple interfaces, only the last started instance was configured, while others lost connection after the lease-time had expired. Consequently, the last started instance of dhclient received all the DHCPv6 packets, while the other instances failed to communicate with the server. With this update, dhclient is now bound to a specified interface, and multiple instances of dhclient communicate correctly.
Users of dhcp are advised to upgrade to these updated packages, which fix these bugs.

8.31. dovecot

Updated dovecot packages that fix one bug are now available for Red Hat Enterprise Linux 6.
Dovecot is an IMAP server for Linux and other UNIX-like systems, primarily written with security in mind. It also contains a small POP3 server. It supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as sub-packages.

Bug Fix

BZ#1010279
Because of a bug in dovecot's SSL parameters generator, installation of Red Hat Enterprise Linux 6 with FIPS mode enabled could become unresponsive when installing the dovecot package. This problem has been fixed and the installation now completes successfully in the described scenario.
Users of dovecot are advised to upgrade to these updated packages, which fix this bug.

8.32. dracut

Updated dracut packages that fix one security issue, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE link(s) associated with each description below.
The dracut packages include an event-driven initramfs generator infrastructure based on the udev device manager. The virtual file system, initramfs, is loaded together with the kernel at boot time and initializes the system, so it can read and boot from the root partition.

Security Fix

CVE-2012-4453
It was discovered that dracut created initramfs images as world readable. A local user could possibly use this flaw to obtain sensitive information from these files, such as iSCSI authentication passwords, encrypted root file system crypttab passwords, or other information.
This issue was discovered by Peter Jones of the Red Hat Installer Team.
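A check an administrator could run to see whether initramfs images already on disk are readable beyond their owner, the exposure described for CVE-2012-4453. This is an added example, not dracut or Red Hat code; the image name patterns, the 0600 target mode and the function names are assumptions of the example, and it relies on GNU find and stat.

```shell
#!/bin/sh
# Added example: audit initramfs image permissions for the exposure in
# CVE-2012-4453. Not dracut or Red Hat code.
# Assumptions: images live directly under DIR (default /boot) and are named
# initramfs-*.img or initrd-*.img; GNU find and stat are available; 0600 is
# the target mode chosen for this example.

# Print "MODE PATH" for each image that group or others can read.
list_exposed_images() {
    dir=${1:-/boot}
    find "$dir" -maxdepth 1 -type f \
        \( -name 'initramfs-*.img' -o -name 'initrd-*.img' \) \
        \( -perm -040 -o -perm -004 \) \
        -exec stat -c '%a %n' {} + | sort -k 2
}

# Restrict each exposed image to owner read/write and report the change.
harden_images() {
    dir=${1:-/boot}
    list_exposed_images "$dir" | while read -r mode path; do
        chmod 0600 "$path" || exit 1
        echo "fixed: $path (was $mode)"
    done
}

# Usage: script --audit [DIR] | --harden [DIR]
case "${1:-}" in
    --audit)  list_exposed_images "${2:-/boot}" ;;
    --harden) harden_images "${2:-/boot}" ;;
esac
```

Tightening the mode does not undo earlier exposure, so secrets embedded in an image that was world readable (such as the iSCSI and crypttab passwords the advisory mentions) are candidates for rotation.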

Bug Fixes

BZ#610462
Previously, the mkinitrd utility had no manual page accessible by users. This update adds the mkinitrd(8) manual page.
BZ#720684
Previously, the dracut utility did not call the "lvchange" command with the "--yes" option. Consequently, specification of the original logical volume name (rd_LVM_LV) was required when booting an LVM snapshot. With this update, dracut calls "lvchange" with the "--yes" option and booting LVM snapshots is now more intuitive.
BZ#857048
Prior to this update, the dracut utility copied symbolic links from the system to initramfs without following every redirection. As a consequence, initramfs could contain stale symbolic links, causing the system to boot incorrectly. This bug has been fixed; dracut now correctly copies symbolic link redirections, initramfs contains the same layout as the real system, and boot problems no longer occur in this scenario.
BZ#886194
The dracut utility did not take into account all parameters of the /etc/crypttab file when setting up crypto devices. Consequently, options and file names in /etc/crypttab had no effect in initramfs. With this update, dracut passes options and file names to the cryptsetup tool when setting up crypto devices, and options and files in /etc/crypttab are now applied correctly.
BZ#910605
Previously, the dracut utility needed a network configuration on the kernel command line to boot with Internet Small Computer System Interface (iSCSI). Consequently, in cases where no network configuration was needed, it was not possible to boot with iSCSI. Now, dracut starts the iSCSI service regardless of the network configuration parameters on the kernel command line, and the problem described no longer occurs.
BZ#912299
Previously, the dracut utility used the grep tool without unsetting the "GREP_OPTIONS" environment variable. As a consequence, grep did not work correctly because of arbitrary options if the user had set GREP_OPTIONS while calling yum or running dracut. With this update, dracut now unsets GREP_OPTIONS and user settings of this variable no longer affect the correct operation of dracut.
BZ#916144
Prior to this update, the multipath configuration file was always included in the initramfs, even if the root device was not a multipath device. Consequently, the administrator had to update initramfs before rebooting when changing the multipath configuration. The dracut utility has been fixed to include the multipath configuration only if the root device is a multipath device. Additionally, the administrator can split the configuration for the root device which is used in initramfs. Currently, dracut recognizes:
  • /etc/multipath-root.conf
  • /etc/multipath-root/*
  • /etc/xdrdevices-root.conf
These files will be used in initramfs as follows:
  • /etc/multipath.conf
  • /etc/multipath/*
  • /etc/xdrdevices.conf
The administrator can thus make sure that only the multipath configuration specific to the root device is included in initramfs, instead of the whole configuration being copied.
BZ#947729
Previously, when using the Red Hat Enterprise Virtualization Hypervisor packaging of the kernel on a live image, the path to the kernel which needed to be verified during the initial boot did not work correctly. Consequently, the checksum test of the kernel in Federal Information Processing Standard (FIPS) mode failed, and the system did not boot. With this update, the dracut-fips module also looks for the kernel image in different paths and checks those paths with the checksum file in initramfs. As a result, booting an installation in FIPS mode now checks the correct kernel image and if the checksum is correct, the system continues to boot in FIPS mode.
BZ#960729
The dracut utility did not include the xhci-hcd kernel module in the initramfs image. Consequently, the kernel did not recognize USB 3.0 devices in an early boot stage and the root file system could not be mounted from a USB 3.0 disk. With this update, dracut now includes the xhci-hcd driver in initramfs, and the system is able to boot from USB 3.0 disks.
BZ#1011508
Previously, if the "biosdevname=1" parameter had not been specified on the kernel command line, the dracut utility disabled biosdevname network interface renaming on all machines. Consequently, on Dell machines, interfaces used in initramfs did not have automatic biosdevname names, even though biosdevname interface renaming was active later in the boot process. With this update, dracut only disables biosdevname if the parameter is set to "0". For non-Dell machines, biosdevname now renames interfaces only if "biosdevname=1" is specified on the kernel command line, and Dell machines have biosdevname named interfaces in initramfs.
BZ#1012316
Previously, the time necessary to activate Fibre Channel over Ethernet (FCoE) on a 10GBaseT Twin Pond adapter was too long. As a consequence, the fipvlan utility called by dracut timed out in the process of waiting for the link to come up, and the boot failed. With this update, fipvlan is called with a parameter to wait 30 seconds for the link to come up, and the problem no longer occurs.
BZ#1018377
Previously, when the dracut utility was running the ldd tool, ldd forwarded its output to the cat utility to use the SELinux permissions of cat to display the output. Consequently, if ldd forwarded the output to cat, and cat forwarded the output further, and the pipe reader exited early, cat received an "EPIPE" signal and reported it to the standard error output. With this update, dracut redirects standard error of ldd calls to the /dev/null file, and the error message of cat is now hidden in this scenario.

Enhancements

BZ#851666
The dracut utility now supports bonding of network interfaces in initramfs. Bonding parameters can be specified on the kernel command line in the following format:
bond=<bondname>[:<bondslaves>:[:<options>]]
This sets up the <bondname> bonding device on top of <bondslaves>. For more information, run the "modinfo bonding" command.
BZ#1012626
The National Institute of Standards and Technology (NIST) now requires the FIPS module to be defined as a cryptosystem. Therefore, this update adds the /etc/system-fips file marker when the dracut-fips rpm package is installed. It provides a stable file location for FIPS product determination to be used by libraries and applications.
All dracut users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.

Updated dracut packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The dracut packages include an event-driven initramfs generator infrastructure based on the udev device manager. The virtual file system, initramfs, is loaded together with the kernel at boot time and initializes the system, so it can read and boot from the root partition.

Bug Fixes

BZ#1029844
In FIPS mode, the self checking of binaries is only done if the /etc/system-fips file is present. Prior to this update, the dracut utility did not copy the /etc/system-fips file and some checksum files into the initial ram file system (initramfs). As a consequence, the self check of the tools needed to decrypt a partition was not done and the tools terminated unexpectedly. This bug has been fixed; dracut now copies all the needed files into the initramfs, and systems with encrypted disks can now boot successfully in FIPS mode.
BZ#1029846
When booting in FIPS mode on live ISO images, dracut searched for the checksum file of the kernel image in the wrong place. Consequently, the booting process failed. With this update, the path to the checksum file has been corrected, and live ISO images can now boot in FIPS mode as expected.
Users of dracut are advised to upgrade to these updated packages, which fix these bugs.

8.33. e2fsprogs

Updated e2fsprogs packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The e2fsprogs packages provide a number of utilities for creating, checking, modifying, and correcting any inconsistencies in the ext2 file systems.

Bug Fixes

BZ#922847
Previously, the e2fsck utility was unable to detect inconsistencies related to overlapping interior or leaf nodes in the extent tree. As a consequence, some ext4 extent tree corruptions were not detected or repaired by e2fsck, although they were detected by the kernel at run time. With this update, e2fsck is able to detect and repair the described problems as expected.
BZ#994615
Previously, the e2fsck utility incorrectly detected uninitialized extents past end of file (EOF) as invalid. Consequently, e2fsck identified pre-allocated blocks past EOF as corrupt. This bug has been fixed and e2fsck now identifies uninitialized extents past EOF correctly.
BZ#873201
The resize2fs utility did not properly handle resizing of an ext4 file system to a smaller size. As a consequence, files containing many extents could become corrupted if they were moved during the resize process. With this update, resize2fs maintains a consistent extent tree when moving files containing many extents, and such files no longer become corrupted in the described scenario.
BZ#974975
Previously, the resize2fs utility did not correctly relocate inode and block bitmaps when resizing an ext4 file system to a smaller size. Consequently, some file systems became corrupted when the bitmaps were not moved within the new file system size. A patch has been provided to address this bug and resize2fs now maintains a consistent file system in the described scenario.
BZ#885083
Previously, the e2fsck utility failed to store information about file system errors correctly. Consequently, entries in the journal were sometimes not properly propagated to the file system superblock. This bug has been fixed and e2fsck now handles all file system errors as expected.
BZ#895679
Previously, the e2fsck utility did not clear the error log when processing an ext4 file system. Consequently, e2fsck stored detailed error information in the ext4 file system superblock and returned it periodically upon mounting. With this update, the error log is cleared when e2fsck completes and the redundant error messages are no longer returned.
BZ#927541
Prior to this update, the filefrag utility occasionally reported incorrect extent counts. A patch has been applied to address this problem and extents are now counted correctly.
Users of e2fsprogs are advised to upgrade to these updated packages, which fix these bugs.

8.34. efibootmgr

Updated efibootmgr packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The efibootmgr utility is responsible for the boot loader installation on Unified Extensible Firmware Interface (UEFI) systems.

Bug Fix

BZ#924892
Previously, when an invalid value was passed to the "efibootmgr -o" command, the command did not recognize the problem and passed the incorrect value to other functions. This could have led to several complications such as commands becoming unresponsive. With this update, efibootmgr has been modified to test for invalid input. As a result, an error message is displayed in the aforementioned scenario.
Users of efibootmgr are advised to upgrade to these updated packages, which fix this bug.

8.35. emacs

Updated emacs packages that fix a bug are now available for Red Hat Enterprise Linux 6.
GNU Emacs is a powerful, customizable, self-documenting text editor. It provides special code editing features, a scripting language (elisp), and the capability to read email and news.

Bug Fix

BZ#678225
The Lucida Typewriter and Lucida Console fonts were not usable with Emacs 23.1 in Red Hat Enterprise Linux 6. Consequently, the following error message was displayed in the Messages buffer: "set-face-attribute: Font not available". With this update, no error message is displayed in this scenario and the selected font can be used to display the buffer contents.
Users of emacs are advised to upgrade to these updated packages, which fix this bug.

8.36. environment-modules

Updated environment-modules packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The environment-modules packages provide for the dynamic modification of a user's environment using modulefiles. Each modulefile contains the information needed to configure the shell for an application. Once the package is initialized, the environment can be modified on a per-module basis using the module command which interprets modulefiles.

Bug Fixes

BZ#918540
When updating the environment-modules package, changes to the /usr/share/Modules/init/.modulespath config file were being silently replaced by upgrades. The file is now marked as %config(noreplace) in the spec file, thus it is preserved between updates.
BZ#929007
The environment scripts of csh and tcsh used the "test" command without specifying the PATH variable. This could have resulted in unexpected behavior, because a user binary called "test" could have been run instead. With this update, the "test" binary is called by its full path. Misbehavior caused by calling a random test binary is no longer possible.
BZ#953198
When updating the environment-modules package, changes to environment scripts in /etc/profile.d were not preserved. With this update, those scripts have been marked as configuration scripts, thus they are preserved between updates.
All users of environment-modules are advised to upgrade to these updated packages, which fix these bugs.

8.37. esc

Updated esc packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The esc packages contain the Smart Card Manager GUI, which allows users to manage security smart cards. The primary function of the tool is to enroll smart cards, so that they can be used for common cryptographic operations, such as secure e-mail and website access.

Bug Fixes

BZ#920826
The ESC utility did not start when the latest 17 series release of the XULRunner runtime environment was installed on the system. This update includes necessary changes to ensure that ESC works as expected with the latest version of XULRunner.
BZ#961582
The ESC utility can be started manually or automatically when a card is inserted. Previously, when ESC started automatically, the ~/.redhat/ directory was created and granted with the read, write and execute permissions. However, some files within this directory had the permissions to read and write only. This inconsistency has been fixed with this update and the permissions are now set properly in the described scenario.
BZ#981156
Due to a bug in the esc.desktop file, an error message was logged in the /var/log/messages/ directory. This update applies a patch to fix this bug and the error message is no longer returned.
Users of esc are advised to upgrade to these updated packages, which fix these bugs.

8.38. evolution

Updated evolution packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links associated with each description below.
Evolution is the integrated collection of email, calendaring, contact management, communications, and personal information management (PIM) tools for the GNOME desktop environment.

Security Fix

CVE-2013-4166
A flaw was found in the way Evolution selected GnuPG public keys when encrypting emails. This could result in emails being encrypted with public keys other than the one belonging to the intended recipient.

Upgrade to an Upstream Version

The Evolution packages have been upgraded to upstream version 2.32.3, which provides a number of bug fixes and enhancements over the previous version. These changes include implementation of Gnome XDG Config Folders, and support for Exchange Web Services (EWS) protocol to connect to Microsoft Exchange servers. EWS support has been added as a part of the evolution-exchange packages. (BZ#883010, BZ#883014, BZ#883015, BZ#883017, BZ#524917, BZ#524921, BZ#883044)
The gtkhtml3 packages have been upgraded to upstream version 2.32.2, which provides a number of bug fixes and enhancements over the previous version. (BZ#883019)
The libgdata packages have been upgraded to upstream version 0.6.4, which provides a number of bug fixes and enhancements over the previous version. (BZ#883032)

Bug Fix

BZ#665967
The Exchange Calendar could not fetch the "Free" and "Busy" information for meeting attendees when using Microsoft Exchange 2010 servers, and this information thus could not be displayed. This happened because Microsoft Exchange 2010 servers use more strict rules for "Free" and "Busy" information fetching. With this update, the respective code in the openchange packages has been modified so the "Free" and "Busy" information fetching now complies with the fetching rules on Microsoft Exchange 2010 servers. The "Free" and "Busy" information can now be displayed as expected in the Exchange Calendar.
All Evolution users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. All running instances of Evolution must be restarted for this update to take effect.

8.39. fcoe-target-utils

Updated fcoe-target-utils packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The fcoe-target-utils packages contain a command-line interface for configuring FCoE LUNs (Fibre Channel over Ethernet Logical Unit Numbers) and backstores.

Bug Fixes

BZ#854708
Due to an error leaving a device marked as in-use, attempts to map a block backstore that had been previously mapped would fail. With this update, mappings of block backstores are properly released, and remapping a block device now succeeds.
BZ#880542
Prior to this update, the kernel terminated unexpectedly when the fcoe-target daemon stopped. A patch has been provided to fix this bug, and the kernel now no longer crashes.
BZ#882121
Previously, the target erroneously reported support for sequence-level error recovery. Consequently, interrupting the connection between the FCoE target and a bnx2fc initiator could cause the initiator to erroneously perform sequence-level error recovery instead of exchange-level error recovery, leading to a failure of all devices attached to the target. This bug has been fixed, and connections with a bnx2fc initiator may now be interrupted without disrupting other devices.
BZ#912210
Prior to this update, there was an error in the python-rtslib library. Consequently, when creating a pscsi (SCSI pass-through) storage object in the targetcli utility, the python-rtslib returned a traceback. The error in the library has been fixed, and pscsi storage objects are now created without errors.
BZ#999902
Since the fcoe-utils command-line interface is required by the fcoe-target-utils packages and is not supported on the s390x architecture, fcoe-target-utils will not work properly on s390x, and thus has been removed.
Users of fcoe-target-utils are advised to upgrade to these updated packages, which fix these bugs.

8.40. fcoe-utils

Updated fcoe-utils, libhbalinux, libhbaapi, and lldpad packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The fcoe-utils packages provide Fibre Channel over Ethernet (FCoE) utilities, such as the fcoeadm command-line utility for configuring FCoE interfaces, and the fcoemon service to configure DCB Ethernet QOS filters.

Upgrade to an upstream version

The libhbalinux packages contain the Host Bus Adapter API (HBAAPI) vendor library which uses standard kernel interfaces to obtain information about Fibre Channel Host Buses (FC HBA) in the system.
The libhbaapi library is the Host Bus Adapter (HBA) API library for Fibre Channel and Storage Area Network (SAN) resources. It contains a unified API that programmers can use to access, query, observe, and modify SAN and Fibre Channel services.
The lldpad packages provide a user-space daemon and a configuration utility for Intel's Link Layer Discovery Protocol (LLDP) agent with Enhanced Ethernet support.
The fcoe-utils packages have been upgraded to upstream version 1.0.28, which provides a number of bug fixes and enhancements over the previous version, including support for the virtual N_Port to virtual N_Port (VN2VN) protocol. Moreover, the fcoeadm utility now supports listing Fibre Channel Forwarder (FCF) and Link Error Status Block (LESB) statistics, and also support for the fcoe_sysfs kernel interface has been added. Additionally, documentation updates, a new website, mailing lists, and various minor bug fixes are included in this rebase. (BZ#829793, BZ#829797)
The libhbalinux packages have been upgraded to upstream version 1.0.16, which provides a number of bug fixes and enhancements over the previous version. Also, the documentation has been updated and it now directs the user to the new mailing lists. (BZ#829810)
The libhbaapi packages have been upgraded to upstream version 2.2.9, which provides a number of enhancements over the previous version. Also, the documentation has been updated and it now directs the user to the new mailing lists. (BZ#829815)
The lldpad packages have been upgraded to upstream version 0.9.46, which provides a number of bug fixes and enhancements over the previous version, including 802.1Qbg edge virtual bridging (EVB) module support. Also, FCoE initialization protocol (FIP) application type-length-value (TLV) parsing support, help on usage of the out-of-memory killer, manual page and documentation enhancements have been included. (BZ#829816, BZ#893684)

Bug Fix

BZ#903099
Due to a bug in the kernel, when an N_Port ID Virtualization (NPIV) port was destroyed while using an ixgbe adapter, the fcoe service init script could become unresponsive on shutdown. An init script patch has been applied to destroy the associated virtual ports first, and the fcoe service no longer hangs in the described scenario.

Enhancement

BZ#981062
The readme file has been updated with a note clarifying that the file system automounting feature is enabled in the default installation of Red Hat Enterprise Linux 6.
Users of fcoe-utils, libhbalinux, libhbaapi, and lldpad are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.41. febootstrap

Updated febootstrap packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The febootstrap package is used by libguestfs to build a small appliance.

Upgrade to an Upstream Version

The febootstrap package has been upgraded to upstream version 3.21, which provides one bug fix over the previous version.

Bug Fix

BZ#902478
Previously, when using febootstrap-supermin-helper with the "-g" option, the command did not set the supplemental groups properly. As a consequence, some groups from the user running libguestfs leaked into the appliance build process. After this update, supplemental groups are set correctly.
Users of febootstrap are advised to upgrade to these updated packages, which fix this bug.

8.42. fence-agents

Updated fence-agents packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
Red Hat fence-agents are a collection of scripts for handling remote power management for cluster devices. They allow failed or unreachable nodes to be forcibly restarted and removed from the cluster.

Bug Fixes

BZ#872308
Previously, the fence agents documentation did not mention how to use the fence_ipmilan agent for fence device HP iLO 3. This update adds this information to the fence_ipmilan(8) manual page.
BZ#896603
Previously, the fence agent fence_cisco_ucs did not respect the "delay" attribute. This bug has now been fixed and fence_cisco_ucs waits the appropriate amount of time, as expected.
BZ#978325
Previously, the fence agent fence_cisco_ucs did not use a proper timeout during the login process, which could have an impact on a successful login. With this update, this timeout is set properly and can be customized by users through the standard configuration methods.
BZ#978326
Previously, the fence agent fence_cisco_ucs failed with a traceback error when the hostname could not be resolved to an IP address. With this update, fence_cisco_ucs exits with an appropriate error message.
BZ#978328
Previously, the fence agent fence_scsi did not provide the correct metadata for the pacemaker "unfence" operation. With this update, an "unfence" operation can be run only on the local node.
BZ#912773, BZ#994186
Previously, the fence agent fence_scsi did not respect the "delay" attribute. This bug has been fixed and fence_scsi now waits the appropriate amount of time. As a result, nodes in a 2-node cluster can no longer fence each other.
BZ#959490
Previously, when using the fence_bladecenter agent with the "--ssh" option, the fence agent also required the "--password" or "--identity-file" option. However, this behavior was not documented. As a consequence, when using fence_bladecenter with the "--ssh" option only, fence_bladecenter failed with an error message which was too generic. This bug has been fixed and a more specific error message is now displayed if fence_bladecenter fails to connect.
BZ#887349
Previously, the fence_scsi(8) manual page did not mention the "unfence" operation which is required for fence_scsi to properly function in a cluster environment. With this update, a comment with information about "unfence" in cluster environment has been added to the fence_scsi(8) manual page.
BZ#902404
Previously, when fencing a Red Hat Enterprise Linux cluster node with the fence_soap_vmware fence agent, the agent terminated unexpectedly with a traceback if it was not possible to resolve a hostname of an IP address. With this update, a proper error message is displayed in the described scenario.
BZ#905478
Due to incorrect detection of newline characters during an SSH connection, the fence_drac5 agent could terminate the connection with a traceback when fencing a Red Hat Enterprise Linux cluster node. Only the first fencing action completed successfully but the status of the node was not checked correctly. Consequently, the fence agent failed to report successful fencing. When the "reboot" operation was called, the node was only powered off. With this update, the newline characters are correctly detected and the fencing works as expected.
BZ#981086
Previously, the description of the fence_ipmilan "lanplus" option in the fence_ipmilan(8) manual page was incomplete. This update improves the description of the "lanplus" option and includes information on its impact on security.
BZ#1014000
Previously, the VMware fence agent used an insecure temporary directory, which a local attacker could use to overwrite an arbitrary local file writable by the victim running the fence agent. This update removes a dependency on the python-suds library, which is vulnerable to a symbolic link attack (CVE-2013-2217), and the VMware fence agent now uses mkdtemp to create a unique temporary directory.
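The difference between a predictable temporary directory and one created with mkdtemp, as an added Python illustration that is not code from fence-agents or python-suds. The function names, the "agent-cache" directory name and the sandbox layout are assumptions made for the example; the pre-existing symbolic link is constructed inside a throwaway sandbox.

```python
import os
import shutil
import stat
import tempfile


def predictable_workdir(base, name="agent-cache"):
    """Weak pattern: a fixed name inside a shared, world-writable directory."""
    path = os.path.join(base, name)
    # exists() follows symbolic links, so an entry created earlier by another
    # local user is silently accepted and reused.
    if not os.path.exists(path):
        os.mkdir(path)
    return path


def private_workdir(base=None, prefix="agent-"):
    """Hardened pattern: mkdtemp() picks a random name and creates the
    directory atomically with mode 0700, never reusing an existing entry."""
    return tempfile.mkdtemp(prefix=prefix, dir=base)


def audit_workdir(path):
    """Return a list of reasons why `path` is unsafe as a private work dir."""
    st = os.lstat(path)  # lstat() inspects the entry itself, not its target
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not-a-directory"]
    problems = []
    if st.st_uid != os.geteuid():
        problems.append("foreign-owner")
    if st.st_mode & 0o077:
        problems.append("group-or-other-access")
    return problems


def store(workdir, filename, data):
    """Write a file into workdir and report where the bytes really landed."""
    path = os.path.join(workdir, filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return os.path.realpath(path)


def demo():
    """Run both patterns against a constructed sandbox and compare them."""
    sandbox = os.path.realpath(tempfile.mkdtemp(prefix="tmpdir-demo-"))
    try:
        shared = os.path.join(sandbox, "shared-tmp")    # stands in for /tmp
        elsewhere = os.path.join(sandbox, "elsewhere")  # unrelated directory
        os.mkdir(shared)
        os.mkdir(elsewhere)
        # Constructed pre-existing entry under the predictable name.
        os.symlink(elsewhere, os.path.join(shared, "agent-cache"))

        weak = predictable_workdir(shared)
        weak_file = store(weak, "service.cache", b"constructed data")
        private = private_workdir(shared)
        private_file = store(private, "service.cache", b"constructed data")
        inside = shared + os.sep
        return {
            "weak_audit": audit_workdir(weak),
            "weak_write_left_shared_dir": not weak_file.startswith(inside),
            "private_audit": audit_workdir(private),
            "private_write_left_shared_dir": not private_file.startswith(inside),
        }
    finally:
        shutil.rmtree(sandbox)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The audit function can also be run against a directory that an existing tool reuses between invocations, to confirm that it is a real directory owned by the calling user and closed to group and other.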

Enhancements

BZ#870269
Previously, users of the HP Integrated Lights-Out (iLO) 4 fence device had to use the fence_ipmilan fence agent. This update adds support for the iLO fence device to the fence-agents packages.
BZ#886614
This update adds support for the firmware for APC power switches, version 5. This update also adds changes to the fence agent command line interface.
Users of fence-agents are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

8.43. fence-virt

Updated fence-virt packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The fence-virt packages provide a fencing agent for virtual machines as well as a host agent, which processes fencing requests.

Bug Fixes

BZ#883588
The respective gzip files for the fence_virt(8) and fence_xvm(8) manual pages were previously created with executable permissions for everybody, which is incorrect. This has been fixed and these files are now properly created with 644 permissions.
BZ#903172
A bug in the fence_virt fencing agent could cause the agent to fail listing the virtual machines that could have been fenced by the fence_virtd daemon using the serial channel within a virtual interface. This happened when the virtual machine had been started or live-migrated after starting the fence_virtd daemon on the cluster node. The bug has been fixed and fence_virt now lists virtual machines as expected in this scenario.
Users of fence-virt are advised to upgrade to these updated packages, which fix these bugs. Before applying this update, make sure all previously released errata relevant to your system have been applied.

8.44. firstboot

Updated firstboot packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The firstboot utility runs after system installation and guides the user through a series of steps that allows for easier configuration of the machine.

Bug Fix

BZ#876018
The code handling the response to a two-button dialog prompted the user to click one of the buttons. After clicking the close button or pressing the Escape key, the response was ignored, and the post-installation process continued even after disagreeing to the end-user license agreement (EULA) in Red Hat Enterprise Linux 6. With this update, the code has been modified to close the dialog and stay on the underlying screen. As a result, clicking the close button or pressing the Escape key works as expected.
Users of firstboot are advised to upgrade to these updated packages, which fix this bug.

8.45. foomatic

Updated foomatic packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
Foomatic is a comprehensive, spooler-independent database of printers, printer drivers, and driver descriptions. The package also includes spooler-independent command line interfaces to manipulate queues and to print files and manipulate print jobs. foomatic-rip is a print filter written in C.

Bug Fixes

BZ#661770
The foomatic package could not be rebuilt due to the RPM package spec file having incorrect locations for Perl files. The installation locations have been fixed and the package can now be rebuilt.
BZ#726385
Under certain circumstances, the foomatic-rip CUPS filter could fail, causing print jobs to pass raw data to the printer without being correctly filtered. This was caused by a missing parameter to a logging function. This programming error has been corrected and foomatic-rip now behaves correctly in the described scenario.
Users of foomatic are advised to upgrade to these updated packages, which fix these bugs.

8.46. fprintd

Updated fprintd packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The fprintd packages contain a D-Bus service to access fingerprint readers.

Bug Fix

BZ#1003940
When the Pluggable Authentication Module (PAM) configuration includes the pam_fprintd module, PAM uses the glib2 functions where the dlclose() function is executed to unload the glib2 libraries. However, this method is not designed for multi-threaded applications. When a PAM operation was made, Directory Server on Red Hat Enterprise Linux 6 terminated unexpectedly during the shutdown phase because it attempted to unload the glib2 destructor, which had been previously unloaded by the fprintd service. This update applies a patch to fix this bug so that fprintd no longer unloads glib2 when pam_fprintd closes. As a result, the glib2 libraries are unloaded when Directory Server is closed and therefore the server shuts down gracefully.
Users of fprintd are advised to upgrade to these updated packages, which fix this bug.

8.47. freeipmi

Updated freeipmi packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The FreeIPMI project provides "Remote-Console" (out-of-band) and "System Management Software" (in-band) based on the Intelligent Platform Management Interface specification.

Upgrade to an upstream version

The freeipmi packages have been upgraded to upstream version 1.2.1, which provides a number of bug fixes and enhancements over the previous version. Among others, this rebase adds the ipmiseld daemon and subpackage, and the Serial Over Lan (SOL) command processing. This update also provides more secure permissions for configuration files that recognize remote password configuration. (BZ#951700)

Bug Fixes

BZ#616846, BZ#715605
Prior to this update, the ipmidetectd daemon did not fully validate input command-line parameters. Consequently, ipmidetectd terminated unexpectedly with a segmentation fault when parsing invalid command-line options. With this update, ipmidetectd validates command-line input properly, and therefore no longer crashes in this case.
BZ#818168
Previously, the bmc-watchdog daemon did not create the PID file and did not write the PID number into the file. As a consequence, tools depending on missing PID values did not work correctly. This bug has been fixed, the PID number is now stored in the created PID file and the described problems no longer occur.
Users of freeipmi are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.48. ftp

Updated ftp packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The ftp packages provide the standard UNIX command-line File Transfer Protocol (FTP) client. FTP is a widely used protocol for transferring files over the Internet, and for archiving files.

Bug Fix

BZ#861113
Prior to this update, when the FTP client was used from a shell with elevated permissions (through the su or the sudo utility), it incorrectly assumed the UID from the original login, instead of the user initiating the client. Consequently, the local home directory was incorrect. With this update, the underlying code has been modified to correctly get the login credentials using the getpwuid(3) utility function call. Now, the local home directory is set according to the user running the client.
All users of ftp are advised to upgrade to these updated packages, which fix this bug.

8.49. gcc

Updated gcc packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
The gcc packages provide compilers for C, C++, Java, Fortran, Objective C, and Ada 95 GNU, as well as related support libraries.

Bug Fixes

BZ#906234
Due to the small local buffer for read tokens, GCC (GNU Compiler Collection) could trigger the stack smashing protector when reading digraphs in a program. The buffer has been enlarged, and thus the digraph tokens can be read without harming the memory.
BZ#921758
Previously, GCC could terminate unexpectedly when compiling C++ code that contained a structure with the "va_list" member field. The initialization of such a structure has been fixed, and GCC no longer crashes on such code.
BZ#959564
Prior to this update, the libgcc utility could terminate unexpectedly when unwinding the stack for a function annotated with "__attribute__((ms_abi))". This bug has been fixed by ignoring unwind data for unknown column numbers and libgcc no longer crashes.
BZ#967003
Previously, GCC could terminate unexpectedly when processing debug statements. This bug has been fixed by removing the value bound to the variable in such debug statements, and GCC no longer crashes in the described scenario.

Enhancement

BZ#908025
GCC now supports strings with curly braces and vertical bar inside inline assembler code. That is, '{', '}', and '|' can now be prefixed with the '%' sign; in that case they are not handled as dialect delimiters, but are passed directly to the assembler instead.
Users of gcc are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

8.50. gdm

Updated gdm packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The GNOME Display Manager (GDM) provides the graphical login screen, shown shortly after boot up, log out, and when user-switching.

Bug Fixes

BZ#712959
Logging into the system with GNOME installed while having set KDE Display Manager (KDM) as the default display manager could sometimes cause the user-switch applet to abort. Consequently, switching the user was impossible unless the applet was reloaded. The underlying code has been modified to prevent interference of multiple queued loads of user information so the user-switch applet is now more resilient to crash in this scenario.
BZ#759174
GDM previously did not forward X Display Manager Control Protocol (XDMCP) indirect queries to the correct port of the appropriate machine. Consequently, the GDM host chooser did not work correctly and an XDMCP connection could not be established. With this update, GDM now uses the correct port when redirecting XDMCP queries and XDMCP connections can be established with the chosen remote host as expected.
BZ#785775, BZ#865832
Previously, GDM displayed login messages for too short a period of time, so that some users were not able to read the messages. This update increases the duration of the time period for which a message is displayed at login time to a minimum of 3 seconds.
BZ#795920
GDM previously did not consult the content of the "~/.dmrc" file before reading the cached copy of the dmrc file in the "/var/cache/gdm/$USERNAME/" directory. This behavior could lead to incorrect or inconsistent user environment settings, such as the default graphical desktop session or language, in environments using network-mounted home directories. This happened because changes to "~/.dmrc" had no effect on machines to which the users logged in and out before modifying the "~/.dmrc" file. With this update, GDM reads "~/.dmrc" before "/var/cache/gdm/$USERNAME/dmrc" so that updates to the user's environment configuration can take effect.
BZ#818074
When the user switched to the already active session, GDM attempted to clean up temporary internal resources twice. This resulted in spurious error messages being logged in the system log. The underlying code has been fixed so that GDM now cleans up those resources correctly.
BZ#844004
When the PreSession shell script fails, the user is expected to be denied login to the system. GDM previously ignored PreSession failures so that the users were able to proceed with an unauthorized login to the system. This update corrects this behavior so that GDM now fails the login process upon the PreSession script failure.
BZ#861114
GDM adjusted the width of the login window in accordance with the length of the authentication message. If an authentication message was very long, the login window became unreasonably wide, resulting in text being displayed out of the visible screen. With this update, long authentication messages are automatically wrapped so the login window retains the expected size, and the message is displayed properly.
BZ#874202
When the user logged out of the system or switched runlevel, the gdm-smartcard-worker extension was terminated unexpectedly with a segmentation fault. This update modifies GDM to ensure that gdm-smartcard-worker is brought down gracefully.
BZ#874707
The GDM default greeter did not set the LANG environment variable in canonical form. Consequently, in mixed environment deployments, such as networks containing Mac OS X machines, the LANG encoding was not correctly recognized by non-Linux systems. This update ensures that GDM sets environment variables in canonical form.
BZ#953552
The gdm-smartcard-worker extension terminated unexpectedly with a segmentation fault upon startup if the system was started without smart card support. The respective code in gdm-smartcard-worker has been modified so this GDM extension no longer crashes in this scenario.
BZ#977560
When using the smart card authentication method with the "disable_user_list=True" option set, entering an incorrect PIN disabled all further smart card logins until the user successfully logged in using a different authentication method. This update properly resets the dialog window in this situation and allows users to repeat smart card authentication attempts.
BZ#1006947
When booting to runlevel 5 on IBM S/390 systems, GDM emitted warning messages about not being able to start the X server, which were harmless but could confuse the user. The underlying GDM code has been modified to no longer attempt to start the X server on IBM S/390 systems, and the messages are no longer logged to the system logs.
Users of gdm are advised to upgrade to these updated packages, which fix these bugs. GDM must be restarted for this update to take effect. Rebooting achieves this, but changing the runlevel from 5 to 3 and back to 5 also restarts GDM.

8.51. gegl

Updated gegl packages that fix one bug are now available for Red Hat Enterprise Linux 6.
GEGL (Generic Graphics Library) is a graph-based image processing framework.

Bug Fix

BZ#620378
Documentation files were installed executable. As a consequence, testing tools failed due to that configuration. To fix this bug, executable bits were removed from documentation files and testing tools now work as expected in the described scenario.
Users of gegl are advised to upgrade to these updated packages, which fix this bug.

8.52. ghostscript

Updated ghostscript packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed.

Bug Fixes

BZ#893775
Due to a bug in a function that copies CID-keyed Type 2 fonts, document conversion attempts sometimes caused the ps2pdf utility to terminate unexpectedly with a segmentation fault. A patch has been provided to address this bug so that the function now copies fonts properly and ps2pdf no longer crashes when converting documents.
BZ#916162
Due to lack of support for the TPGDON option for JBIG2 encoded regions, some PDF files were not displayed correctly. A patch has been provided to add this support so that PDF files using the TPGDON option are now displayed correctly.
BZ#1006165
Previously, some PDF files with incomplete ASCII base-85 encoded images caused the ghostscript utility to terminate with the following error:
/syntaxerror in ID
The problem occurred when the image ended with "~" (tilde) instead of "~>" (tilde, right angle bracket) as defined in the PDF specification. Although this is an improper encoding, an upstream patch has been applied, and ghostscript now handles these PDF files without errors.
Users of ghostscript are advised to upgrade to these updated packages, which fix these bugs.

8.53. glib2

Updated glib2 packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
GLib is a low-level core library that forms the basis for projects such as GTK+ and GNOME. It provides data structure handling for C, portability wrappers, and interfaces for such runtime functionality as an event loop, threads, dynamic loading, and an object system.

Upgrade to an upstream version

The glib2 packages have been upgraded to upstream version 2.26.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#883021)
Users of glib2 are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.54. glibc

Updated glibc packages that fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

Security Fixes

CVE-2013-4332
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in glibc's memory allocator functions (pvalloc, valloc, and memalign). If an application used such a function, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
CVE-2013-0242
A flaw was found in the regular expression matching routines that process multibyte character input. If an application utilized the glibc regular expression matching mechanism, an attacker could provide specially-crafted input that, when processed, would cause the application to crash.
CVE-2013-1914
It was found that getaddrinfo() did not limit the amount of stack memory used during name resolution. An attacker able to make an application resolve an attacker-controlled hostname or IP address could possibly cause the application to exhaust all stack memory and crash.
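The class of flaw behind CVE-2013-4332, shown as an added example that is not glibc source or the shipped patch: rounding a request up to a page or alignment boundary can wrap around, so the allocator reserves far less than the caller asked for. The helper names and the caller-side wrapper `checked_page_alloc()` are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked pattern: round n up to a power-of-two boundary.
 * When n is within align-1 of SIZE_MAX the addition wraps and the
 * result is far smaller than n. */
size_t round_up_unchecked(size_t n, size_t align)
{
    return (n + align - 1) & ~(align - 1);
}

/* Checked form: refuse instead of wrapping. Returns 0 and stores the
 * rounded size, or -1 if align is not a power of two or the sum
 * would overflow. */
int round_up_checked(size_t n, size_t align, size_t *out)
{
    if (align == 0 || (align & (align - 1)) != 0)
        return -1;
    if (n > SIZE_MAX - (align - 1))
        return -1;
    *out = (n + align - 1) & ~(align - 1);
    return 0;
}

/* Hypothetical caller-side wrapper for page-rounded allocations:
 * validates the arithmetic before any allocator is involved. */
void *checked_page_alloc(size_t n, size_t page)
{
    size_t rounded;

    if (round_up_checked(n, page, &rounded) != 0) {
        errno = ENOMEM;
        return NULL;
    }
    if (rounded == 0)
        rounded = page;          /* n == 0: still hand back one page */
    return aligned_alloc(page, rounded);
}

int main(void)
{
    size_t huge = SIZE_MAX - 10; /* constructed oversized request */
    void *p;

    printf("requested          : %zu bytes\n", huge);
    printf("unchecked round-up : %zu bytes\n", round_up_unchecked(huge, 4096));

    p = checked_page_alloc(huge, 4096);
    printf("checked allocation : %s\n", p ? "succeeded" : "refused (ENOMEM)");
    free(p);

    p = checked_page_alloc(5000, 4096);
    printf("5000-byte request  : %s\n", p ? "ok, rounded to 8192" : "failed");
    free(p);
    return 0;
}
```

Applications that compute sizes from untrusted input benefit from the same check on their side, whichever glibc version they run on.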

Bug Fixes

BZ#1022022
Due to a defect in the initial release of the getaddrinfo() system call in Red Hat Enterprise Linux 6.0, AF_INET and AF_INET6 queries resolved from the /etc/hosts file returned queried names as canonical names. This incorrect behavior is, however, still considered to be the expected behavior. As a result of a recent change in getaddrinfo(), AF_INET6 queries started resolving the canonical names correctly. However, this behavior was unexpected by applications that relied on queries resolved from the /etc/hosts file, and these applications could thus fail to operate properly. This update applies a fix ensuring that AF_INET6 queries resolved from /etc/hosts always return the queried name as canonical. Note that DNS lookups are resolved properly and always return the correct canonical names. A proper fix to AF_INET6 query resolution from /etc/hosts may be applied in future releases; for now, because no standard exists, Red Hat suggests treating the first entry in the /etc/hosts file that applies to the IP address being resolved as the canonical entry.
BZ#552960
The pthread_cond_wait() and pthread_cond_timedwait() functions for AMD64, Intel 64, and Intel P6 architectures contained several synchronization bugs. Consequently, when a multi-threaded program used a priority-inherited mutex to synchronize access to a condition variable, some threads could enter a deadlock situation when they were woken up by the pthread_cond_signal() function or canceled. This update fixes these synchronization bugs and a thread deadlock can no longer occur in the described scenario.
BZ#834386
The C library security framework was unable to handle dynamically loaded character conversion routines when loaded at specific virtual addresses. This resulted in an unexpected termination with a segmentation fault when trying to use the dynamically loaded character conversion routine. This update enhances the C library security framework to handle dynamically loaded character conversion routines at any virtual memory address, and crashes no longer occur in the described scenario.
BZ#848748
Due to a defect in the standard C library, the library could allocate unbounded amounts of memory and eventually terminate unexpectedly when processing a corrupted NIS request. With this update, the standard C library has been fixed to limit the size of NIS records to the maximum of 16 MB, and the library no longer crashes in this situation. However, it is possible that some configurations with very large NIS maps may no longer work if those maps exceed the maximum of 16 MB.
BZ#851470
Previously, the ttyname() and ttyname_r() library calls returned an error if the proc (/proc/) file system was not mounted. As a result, certain applications could not properly run in a chroot environment. With this update, if the ttyname() and ttyname_r() calls cannot read the /proc/self/fd/ directory, they attempt to obtain the name of the respective terminal from the devices known to the system (the /dev and /dev/pts directories) rather than immediately return an error. Applications running in a chroot environment now work as expected.
BZ#862094
A defect in the standard C library resulted in an attempt to free memory that was not allocated with the malloc() function. Consequently, the dynamic loader could terminate unexpectedly when loading shared libraries that require the dynamic loader to search non-default directories. The dynamic loader has been modified to avoid calling the free() routine for memory that was not allocated using malloc() and no longer crashes in this situation.
BZ#863384
Due to a defect in the getaddrinfo() resolver system call, getaddrinfo() could, under certain conditions, return results that were not Fully Qualified Domain Names (FQDN) when FQDN results were requested. Applications using getaddrinfo() that expected FQDN results could fail to operate correctly. The resolver has been fixed to return FQDN results as expected when requesting an FQDN result and the AI_CANONNAME flag is set.
BZ#868808
The backtrace() function did not print call frames correctly on the AMD64 and Intel 64 architecture if the call stack contained a recursive function call. This update fixes this behavior so backtrace() now prints call frames as expected.
BZ#903754
Debug information previously contained the name "fedora" which could lead to confusion and the respective package could be mistaken for a Fedora-specific package. To avoid this confusion, the package build framework has been changed to ensure that the debug information no longer contains the name "fedora."
BZ#919562
A program that opened and used dynamic libraries which used thread-local storage variables may have terminated unexpectedly with a segmentation fault when it was being audited by a module that also used thread-local storage. This update modifies the dynamic linker to detect such a condition, and crashes no longer occur in the described scenario.
BZ#928318
When the /etc/resolv.conf file was missing on the system or did not contain any nameserver entries, getaddrinfo() failed instead of sending a DNS query to the local DNS server. This bug has been fixed and getaddrinfo() now queries the local DNS server in this situation.
BZ#929388
A previous fix to prevent logic errors in various mathematical functions, including exp(), exp2(), expf(), exp2f(), pow(), sin(), tan(), and rint(), created CPU performance regressions for certain inputs. The performance regressions have been analyzed and the core routines have been optimized to raise CPU performance to expected levels.
BZ#952422
Previously, multi-threaded applications using the QReadWriteLocks locking mechanism could experience performance issues under heavy load. This happened due to the inefficiently designed sysconf() function that was repeatedly called from the Qt library. This update improves the glibc implementation of sysconf() by caching the value of the _SC_NPROCESSORS_ONLN variable so the system no longer spends extensive amounts of time parsing the /proc/stat file. Performance of the aforementioned applications, as well as applications repetitively requesting the value of _SC_NPROCESSORS_ONLN, should significantly improve.
BZ#966775
Improvements to the accuracy of the floating point functions in the math library, which were introduced by the RHBA-2013:0279 advisory, led to a performance decrease for those functions. With this update, the performance loss regressions have been analyzed and a fix has been applied that retains the current accuracy but reduces the performance penalty to acceptable levels.
BZ#966778
If user groups were maintained on an NIS server and queried over the NIS compat interface, queries for user groups containing a large number of users could return an incomplete list of users. This update fixes multiple bugs in the compat interface so that group queries in the described scenario now return correct results.
BZ#970090
Due to a defect in the name service cache daemon (nscd), cached DNS queries returned, under certain conditions, only IPv4 addresses even though the AF_UNSPEC address family was specified and both IPv4 and IPv6 results existed. The defect has been corrected and nscd now correctly returns both IPv4 and IPv6 results in this situation.
BZ#988931
Due to a defect in the dynamic loader, the loader attempted to write to a read-only page in memory while loading a prelinked dynamic application. This resulted in all prelinked applications being terminated unexpectedly during startup. The defect in the dynamic loader has been corrected and prelinked applications no longer crash in this situation.

Enhancements

BZ#629823
Previous versions of nscd did not cache netgroup queries. The lack of netgroup caching could result in less than optimal performance for users that relied heavily on netgroup maps in their system configurations. With this update, support for netgroup query caching has been added to nscd. Systems that rely heavily on netgroup maps and use nscd for caching will now have their netgroup queries cached, which should improve performance in most configurations.
BZ#663641
Previously, if users wanted to adjust the size of stacks created for new threads, they had to modify the program code. With this update, glibc adds a new GLIBC_PTHREAD_STACKSIZE environment variable allowing users to set the desired default thread stack size in bytes. The variable affects the threads created with the pthread_create() function and default attributes. The default thread stack size may be slightly larger than the requested size due to memory alignment and certain other factors.
BZ#886968
The dynamic loader now coordinates with GDB to provide an interface that is used to improve the performance of debugging applications with very large lists of loaded libraries.
BZ#905575
The glibc packages now provide four Static Defined Tracing (SDT) probes in the libm libraries for the pow() and exp() functions. The SDT probes can be used to detect whether the input to the functions causes the routines to execute the multi-precision slow paths. This information can be used to detect performance problems in applications calling the pow() and exp() functions.
BZ#916986
Support for the MAP_HUGETLB and MAP_STACK flags has been added for use with the mmap() function. Their support is dependent on kernel support, and applications calling mmap() should always examine the return value of the function to determine whether the call succeeded.
BZ#929302
Performance of the sched_getcpu() function has been improved by calling the Virtual Dynamic Shared Object (VDSO) implementation of the getcpu() system call on the PowerPC architecture.
BZ#970776
The error string for the ESTALE error code has been updated to print "Stale file handle" instead of "Stale NFS file handle", which should prevent confusion over the meaning of the error. The error string has been translated to all supported languages.
All glibc users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.

8.55. glusterfs

Updated glusterfs packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
Red Hat Storage is software only, scale-out storage that provides flexible and affordable unstructured data storage for the enterprise. GlusterFS, a key building block of Red Hat Storage, is based on a stackable user-space design and can deliver exceptional performance for diverse workloads. GlusterFS aggregates various storage servers over network interconnects into one large, parallel network file system.

Bug Fixes

BZ#998778
Previously, the "errno" value was not set correctly during an API failure. Consequently, applications using API could behave unpredictably. With this update, the value is set properly during API failures and the applications work as expected.
BZ#998832
Previously, the glusterfs-api library handled all signals that were sent to applications using glusterfs-api. As a consequence, glusterfs-api incorrectly interpreted all the signals that were not used by this library. With this update, glusterfs-api no longer handles the signals that it does not use so that such signals are now interpreted properly.
BZ#1017014
Previously, the glfs_fini() function did not return NULL, even if the libgfapi library successfully cleaned up all resources. Consequently, an attempt to use the "qemu-img create" command, which used libgfapi, failed. The underlying source code has been modified so that the function returns NULL when the libgfapi cleanup is successful, and the command now works as expected.

Enhancement

BZ#916645
Native support for GlusterFS in QEMU has been included in the glusterfs packages. This support allows native access to GlusterFS volumes using the libgfapi library instead of through a locally mounted FUSE file system. This native approach offers considerable performance improvements.
Users of glusterfs are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

8.56. gnome-screensaver

Updated gnome-screensaver packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The gnome-screensaver packages contain the GNOME project's official screen saver program. The screen saver is designed for improved integration with the GNOME desktop, including themeability, language support, and Human Interface Guidelines (HIG) compliance. It also provides screen-locking and fast user-switching from a locked screen.

Bug Fixes

BZ#905935
Previously, when using the virt-manager, virt-viewer, and spice-xpi applications, users were unable to enter the gnome-screensaver password after the screen saver had started. This occurred only when the virtual machine system used the Compiz compositing window manager. After users had released the mouse cursor, then pressed a key to enter the password, the dialog window did not accept any input. This happened due to incorrect assignment of window focus to applications that did not drop their keyboard grab. With this update, window focus is now properly assigned to the correct place, and attempts to enter the gnome-screensaver password no longer fail in the described scenario.
BZ#947671
Prior to this update, the gnome-screensaver utility worked incorrectly when using an X server that does not support the fade-out function. Consequently, gnome-screensaver terminated unexpectedly when trying to fade out the monitor. This bug has been fixed and gnome-screensaver now detects a potential fade-out failure and recovers instead of crashing.
Users of gnome-screensaver are advised to upgrade to these updated packages, which fix these bugs.

8.57. gpxe

Updated gpxe packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The gpxe packages provide gPXE, an open source Pre-boot Execution Environment (PXE) implementation and bootloader.

Bug Fix

BZ#972671
A DHCP server can be configured to use the Pre-Boot Execution Environment (PXE) to boot virtual machines using the gPXE utility. Previously, PXE boot failed when the next-server details had come from a different DHCP server. This update applies a patch to fix this bug and PXE boot now works as expected in the described scenario.
Users of gpxe are advised to upgrade to these updated packages, which fix this bug.

8.58. grep

Updated grep packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The grep utility searches through textual input for lines which contain a match to a specified pattern and then prints the matching lines. GNU grep utilities include grep, egrep and fgrep.

Bug Fixes

BZ#715295
For some regular expressions, the DFA analysis could insert up to twice as many "positions" as there were leaves. Consequently, there was not enough room to insert all the positions and grep could terminate unexpectedly on certain regular expressions. To fix this problem, space allocation has been increased and grep works as expected in the described scenario.
BZ#797934
When a fixed string pattern was empty while the case-insensitive search was active, grep could terminate unexpectedly. With this update, the check for this case has been added to the code and grep works as expected in the described scenario.
BZ#826997
Previously, the code handling case-insensitive searches could alter a string's byte size while converting it to lower case. Consequently, grep could truncate certain output strings. To fix this bug, the grep code has been modified to correctly handle such cases when the byte size gets altered during the conversion to lower case. As a result, case-insensitive searches work correctly and grep no longer truncates its output.
Users of grep are advised to upgrade to these updated packages, which fix these bugs.

8.59. grub

Updated grub packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
The grub packages provide GRUB (Grand Unified Boot Loader), a boot loader capable of booting a wide variety of operating systems.

Bug Fixes

BZ#851706
If the title of the GRUB menu entry exceeded the line length of 80 characters, the text showing the remaining time to a boot was inconsistent and thus appeared to be incorrect. The overflowing text was displayed on a new line and the whole text was moved one line down with every passing second. This update splits the text into two lines, and only the second line is rewritten as a boot countdown proceeds so that GRUB behaves correctly for long menu entries.
BZ#854652
When building a new version of grub packages, GRUB did not remove the grub.info file upon the "make clean" command. As a consequence, the grub.info file did not contain the latest changes after applying an update. To fix this problem, the GRUB Makefile has been modified so the grub.info file is now explicitly removed and generated with every package build.
BZ#911715
The GRUB code did not comply with the Unified Extensible Firmware Interface (UEFI) specification and did not disable an EFI platform's watchdog timer as is required by the specification. Consequently, the system was rebooted if the watchdog was not disabled within a 5-minute time frame, which is undesirable behavior. A patch has been applied that disables the EFI watchdog immediately after GRUB is initialized so that EFI systems are no longer restarted unexpectedly.
BZ#916016
When booting a system in QEMU KVM with Open Virtual Machine Firmware (OVMF) BIOS, GRUB was not able to recognize virtio block devices, and the booting process exited to the GRUB shell. This happened because GRUB did not correctly test paths to EFI devices. The GRUB code now verifies EFI device paths against EFI PCI device paths, and recognizes disk devices as expected in this scenario.
BZ#918824
GRUB did not comply with the UEFI specification when handling the ExitBootServices() EFI function. If ExitBootServices() failed while retrieving a memory map, GRUB exited immediately instead of repeating the attempt. With this update, GRUB retries obtaining the memory map 5 times before exiting, and the boot process continues on success.
BZ#922705
When building a 64-bit version of GRUB from a source package, the build failed to link an executable during the configure phase unless a 32-bit version of the glibc-static package was installed. No error message was displayed upon GRUB failure in this situation. This has been fixed by setting the grub packages to depend directly on the /usr/lib/libc.a file, which can be provided in different environments. If the file is missing when building the grub packages, an appropriate error message is displayed.
BZ#928938
When installed on a multipath device, GRUB was unreadable and the system was unable to boot. This happened due to a bug in a regular expression used to match devices, and because the grub-install command could not resolve symbolic links to obtain device statistics. This update fixes these problems so that GRUB now boots as expected when installed on a multipath device.
BZ#1008305
When booting in UEFI mode, GRUB previously allocated memory for a pointer to a structure instead of allocating memory for the structure itself. This rendered GRUB unable to finish and pass control to the kernel on specific hardware configurations. This update fixes this problem so GRUB now allocates memory for a structure as expected and successfully passes control to the kernel.
BZ#1017296
Previously, GRUB could not be installed on Non-Volatile Memory Express (NVMe) devices because it was unable to parse a device name during the installation process. This update adds regular expression support for matching NVMe devices, and GRUB can now be successfully installed on these devices.

Enhancements

BZ#848628
GRUB now provides a new menu option "macappend". When "macappend" is used either in the grub.conf file or on the GRUB command line, the "BOOTIF=<MAC_address>" parameter is appended to the kernel command line. This allows specifying a network interface for Anaconda to use during a PXE boot.
Users of grub are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

8.60. grubby

Updated grubby packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The grubby packages provide grubby, a command-line tool for displaying and editing GRUB (GRand Unified Bootloader) configuration files.

Bug Fixes

BZ#991197
Previously, the grub.conf file was not properly updated after a kernel update with the tboot bootloader. This was due to a bug in the grubby tool which caused it to improperly interpret the grub.conf stanzas that had tboot in them. This update enables grubby to read the HYPERVISOR and HYPERVISOR_ARGS parameters from the /etc/sysconfig/kernel file in order for tboot to perform as intended.
BZ#999908
Prior to this update, yum and anaconda upgrades could have failed with a kernel panic on the AMD64 and Intel 64 architectures due to the RAM disk image not being found. This only happened when tboot was installed, and the kernel "%post" or "%posttrans" scripts were run. This update adds the initramfs disk image to the grub entry, and kernel panic failures no longer occur in the described scenario.
Users of grubby are advised to upgrade to these updated packages, which fix these bugs.

8.61. gtk2

Updated gtk2 and atk packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The gtk2 packages provide a multi-platform toolkit for creating graphical user interfaces, GIMP Toolkit (GTK+). GTK+ offers a complete set of widgets and is suitable for small projects as well as complete application suites.

Upgrade to an upstream version

The ATK library provides a set of interfaces for adding accessibility support to applications and graphical user interface toolkits. By supporting the ATK interfaces, an application or toolkit can be used with tools such as screen readers, magnifiers, and alternative input devices.
The gtk2 packages have been upgraded to upstream version 2.20.1, which provides a number of bug fixes and enhancements over the previous version. (BZ#883022)
The atk packages have been upgraded to upstream version 1.30.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#883027)

Bug Fixes

BZ#970594
When rendering the text in a combo box, the GTK+ cell renderer always rendered text that was rendered last time as the first item. Consequently, if the previously rendered text did not match any item in the name set, the first item in the "Categories" combo box in the Contacts view could have been rendered as empty, which affected accessibility and automated tests. This update ensures that the cell renderer is now properly updated and renders items for the current combo box call so the aforementioned problem no longer occurs.
BZ#979049
Due to a bug in the GtkTreeView interface, the expand arrows in a tree view in Evolution stopped functioning after clicking on an icon in the system tray. This update increases robustness of the tree expanding and collapsing code, which fixes this bug.
Users of gtk2 and atk are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.62. haproxy

Updated haproxy packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications. It is particularly suited for web sites crawling under very high loads while needing persistence or Layer7 processing.

Upgrade to an upstream version

The haproxy packages have been upgraded to upstream version 1.4.24, which provides a number of bug fixes and enhancements over the previous version. (BZ#947987)

Bug Fix

BZ#903303
Previously, the setuid() and setgid() functions did not work properly. As a consequence, the HAProxy load balancer failed to drop supplementary groups correctly after attempting to drop root privileges. The behavior of the functions has been modified, and HAProxy now drops all supplementary groups as expected.
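A general privilege-drop sequence that also clears supplementary groups and then verifies the result, given as an added example and not HAProxy's own code: the function names and the ID 65534 are assumptions for illustration. The order matters, because setgroups() and setgid() need root and therefore must run before setuid().

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if every entry of a supplementary group list equals gid. */
int only_group(const gid_t *list, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (list[i] != gid)
            return 0;
    return 1;
}

/* Drop from root to uid/gid and confirm nothing was left behind.
 * Returns 0 on success, -1 if any step or any verification fails. */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t after[64];
    int n;

    /* 1. Replace the inherited supplementary groups (root's own groups
     *    would otherwise survive the uid change). */
    if (setgroups(1, &gid) != 0)
        return -1;
    /* 2. Primary group next, while we still have the right to change it. */
    if (setgid(gid) != 0)
        return -1;
    /* 3. User ID last; this gives up the ability to do steps 1 and 2. */
    if (setuid(uid) != 0)
        return -1;

    /* Verify instead of trusting the return codes alone. */
    n = getgroups(64, after);
    if (n < 0 || !only_group(after, n, gid))
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)   /* regaining root must not work */
        return -1;
    return 0;
}

int main(void)
{
    if (geteuid() != 0) {
        puts("not running as root: nothing to drop");
        return 0;
    }
    /* 65534 is a constructed example ID; use the service account's IDs. */
    if (drop_privileges(65534, 65534) != 0) {
        fputs("privilege drop failed, refusing to continue\n", stderr);
        return 1;
    }
    puts("privileges dropped and verified");
    return 0;
}
```

On a running service, the Groups: line of /proc/PID/status shows whether any supplementary groups remain after the drop.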

Enhancement

BZ#921064
With this update, support for TPROXY has been added to the haproxy packages. TPROXY simplifies management tasks of clients behind proxy firewalls. Also, transparent proxying makes the presence of the proxy invisible to the user.
Users of haproxy are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.63. hdparm

Updated hdparm packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
Hdparm is a useful system utility for setting (E)IDE hard drive parameters. For example, hdparm can be used to tweak hard drive performance and to spin down hard drives for power conservation.

Upgrade to an upstream version

The hdparm packages have been upgraded to upstream version 9.43, which provides a number of bug fixes and enhancements over the previous version. These enhancements include creating files with the desired size on the ext4 and xfs filesystems, and a possibility to specify the offset for reading operations when measuring timing performance. Other notable enhancements include an ability to obtain and set the "idle3" timeout value of the Western Digital Green (WDG) hard drive, and an ability to obtain and set the Write-Read-Verify feature for hard drives. (BZ#977800)

Bug Fixes

BZ#639623
Previously, the hdparm utility did not assume that some disk information could be unavailable. As a consequence, hdparm could terminate unexpectedly with no useful output. With this update, proper checks for unsuccessful disk queries have been added, and hdparm now terminates with a more detailed error message.
BZ#735887
Prior to this update, the hdparm utility did not assume that some disk information could be unavailable when the user requested information about how much disk space a file occupied. Consequently, hdparm terminated unexpectedly with no useful output in such a scenario. With this update, proper checks for unsuccessful disk queries have been added. As a result, hdparm now terminates with an error message providing detailed information.
BZ#807056
Previously, the hdparm utility retrieved the hard drive identification data in a way that could cause errors. As a consequence, hdparm failed to obtain the data on some occasions and displayed an unhelpful error message. With this update, the respective system call has been replaced with one that is more appropriate and robust. As a result, the hard drive identification data is now successfully obtained and printed in the output.
BZ#862257
When the hdparm utility is unable to obtain the necessary geometry information about a hard drive, it attempts to download firmware. Previously, due to incorrect control statements, hdparm could terminate unexpectedly with a segmentation fault at such a download attempt. With this update, control statements checking for system call failures have been added. As a result, if hdparm cannot operate on a drive, it displays an error message and exits cleanly.
Users of hdparm are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.64. hsqldb

Updated hsqldb packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The hsqldb packages provide a relational database management system written in Java. The Hyper Structured Query Language Database (HSQLDB) contains a JDBC driver to support a subset of ANSI-92 SQL.

Bug Fixes

BZ#996152
Previously, the /etc/sysconfig/hsqldb file was not marked as "config(noreplace)". Consequently, reinstallation or update of the packages could overwrite changes to the configuration made by the user. With this update, the configuration file has been marked correctly, and modifications to the file are preserved during reinstallation or update.
BZ#962676
Prior to this update, the hsqldb database depended on java packages of version 1:1.6.0 or later, which are unavailable on some Red Hat Enterprise Linux 6 platforms. As a consequence, installing the hsqldb packages failed with an error message. With this update, java packages of version 0:1.5.0 or later are required, and the installation of hsqldb now proceeds correctly as expected.
Users of hsqldb are advised to upgrade to these updated packages, which fix these bugs.

8.65. hwdata

An updated hwdata package that fixes one bug and adds various enhancements is now available for Red Hat Enterprise Linux 6.
The hwdata package contains tools for accessing and displaying hardware identification and configuration data.

Bug Fix

BZ#989142
Previously, certain information about the Red Hat Virtio Small Computer System Interface (SCSI) device was missing from the pci.ids database. Consequently, when using the lspci utility, the device name was not shown correctly and the numeric device ID was shown instead. With this update, the pci.ids database has been modified to provide correct information as expected.

Enhancements

BZ#982659
The PCI ID numbers have been updated for the Beta and the Final compose lists.
BZ#739838
With this update, the pci.ids database has been updated with information about AMD FirePro graphic cards.
BZ#948121
With this update, the pci.ids database has been updated with information about the Cisco VIC SR-IOV Virtual Function with the usNIC capability.
All users of hwdata are advised to upgrade to this updated package, which fixes this bug and adds these enhancements.

8.66. hypervkvpd

Updated hypervkvpd packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The hypervkvpd packages contain hypervkvpd, the guest Hyper-V Key-Value Pair (KVP) daemon. Using VMbus, hypervkvpd passes basic information to the host. The information includes guest IP address, fully qualified domain name, operating system name, and operating system release number. An IP injection functionality enables the user to change the IP address of a guest from the host via the hypervkvpd daemon.

Bug Fixes

BZ#920032
Previously, the hypervkvpd service registered to two netlink multicast groups, one of which was used by the cgred service. When hypervkvpd received a netlink message, it was interpreted blindly as its own. As a consequence, hypervkvpd terminated unexpectedly with a segmentation fault. After this update, hypervkvpd now registers only to its own netlink multicast group and verifies the type of the incoming netlink message. Using hypervkvpd when the cgred service is running no longer leads to a segmentation fault.
BZ#962565
Prior to this update, the hypervkvpd init script did not check if Hyper-V driver modules were loaded into the kernel. If hypervkvpd was installed, it started automatically on system boot, even if the system was not running as a guest machine on a Hyper-V hypervisor. Verification has been added to the hypervkvpd init script to determine whether Hyper-V driver modules are loaded into the kernel. As a result, if the modules are not loaded into the kernel, hypervkvpd now does not start, but displays a message that proper driver modules are not loaded.
BZ#977861
Previously, hypervkvpd was not built with sufficiently secure compiler options, which could, consequently, make the compiled code vulnerable. The hypervkvpd daemon has been built with full read-only relocation (RELRO) and position-independent executable (PIE) flags. As a result, the compiled code is more secure and better guarded against possible buffer overflows.
BZ#983851
When using the Get-VMNetworkAdapter command to query a virtual machine network adapter, each subnet string has to be separated by a semicolon. Due to a bug in the IPv6 subnet enumeration code, the IPv6 addresses were not listed. A patch has been applied, and the IPv6 subnet enumeration now works as expected.
Users of hypervkvpd are advised to upgrade to these updated packages, which fix these bugs. After updating the hypervkvpd packages, rebooting all guest machines is recommended, otherwise the Microsoft Windows server with Hyper-V might not be able to get information from these guest machines.
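The two build properties named in BZ#977861 can be confirmed on an installed binary by reading its ELF headers. The following is an added example, not part of the original notes or of the package's build scripts: the function names are hypothetical, only 64-bit little-endian ELF is handled, PIE is inferred heuristically (ET_DYN plus an interpreter segment or the DF_1_PIE flag), and the sample images used for checking are constructed header-only files.

```python
import struct
import sys

# Constants from the ELF gABI and its GNU extensions.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 2, 3, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000


def check_hardening(data):
    """Return {'pie': bool, 'relro': 'none'|'partial'|'full'} for an ELF64 LE image."""
    try:
        if data[:4] != b"\x7fELF":
            raise ValueError("not an ELF file")
        if data[4] != 2 or data[5] != 1:
            raise ValueError("only 64-bit little-endian ELF is handled")
        (e_type,) = struct.unpack_from("<H", data, 16)
        (e_phoff,) = struct.unpack_from("<Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
        has_interp = has_relro = bind_now = pie_flag = False
        for i in range(e_phnum):
            p_type, _, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
                "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
            if p_type == PT_INTERP:
                has_interp = True
            elif p_type == PT_GNU_RELRO:
                has_relro = True  # relocation targets are remapped read-only
            elif p_type == PT_DYNAMIC:
                # Walk the dynamic section looking for "bind now" and PIE flags.
                for off in range(p_offset, p_offset + p_filesz, 16):
                    tag, val = struct.unpack_from("<qQ", data, off)
                    if tag == DT_NULL:
                        break
                    if (tag == DT_BIND_NOW
                            or (tag == DT_FLAGS and val & DF_BIND_NOW)
                            or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                        bind_now = True
                    if tag == DT_FLAGS_1 and val & DF_1_PIE:
                        pie_flag = True
    except (struct.error, IndexError):
        raise ValueError("truncated or malformed ELF image")
    # Full RELRO needs both the RELRO segment and immediate binding; without
    # immediate binding the lazily resolved part of the GOT stays writable.
    relro = "none" if not has_relro else ("full" if bind_now else "partial")
    # Shared libraries are ET_DYN too, hence the extra condition (heuristic).
    pie = e_type == ET_DYN and (has_interp or pie_flag)
    return {"pie": pie, "relro": relro}


def build_sample(e_type, relro, bind_now):
    """Build a constructed, header-only ELF64 image (sample input, not runnable)."""
    dyn = b""
    if bind_now:
        dyn += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    types = [PT_INTERP, PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = 64 + 56 * len(types)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                               64, 56, len(types), 0, 0, 0)
    phdrs = b""
    for t in types:
        off, size = (dyn_off, len(dyn)) if t == PT_DYNAMIC else (0, 0)
        phdrs += struct.pack("<IIQQQQQQ", t, 4, off, 0, 0, size, size, 8)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    # Usage: pass the paths of the binaries to inspect on the command line.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, check_hardening(fh.read()))
```

Run against the installed daemon binary, a build with the flags described above reports pie True and relro "full".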

8.67. ibus-hangul

Updated ibus-hangul packages that fix one bug are now available.
The ibus-hangul package is a Korean language input engine platform for the IBus input method (IM).

Bug Fix

BZ#965554
Previously, the Hangul engine for IBus did not function properly. If a preedit string was available, and the input focus was moved to another window, then the preedit string was committed. After that, when the input focus was moved back to the window, the X Input Method (XIM) could not handle the first key input. This update resolves this issue with a change in the code, and key press inputs after a focus change are no longer lost in the described scenario.
Users of ibus-hangul are advised to upgrade to these updated packages, which fix this bug.

8.68. icedtea-web

Updated icedtea-web packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations.

Upgrade to an upstream version

The icedtea-web packages have been upgraded to upstream version 1.4.1, which provides a number of bug fixes and enhancements over the previous version including support for updated versions of OpenJDK6 and OpenJDK7. (BZ#916161, BZ#975098)
Users of icedtea-web are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.69. initscripts

Updated initscripts packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
The initscripts package contains basic system scripts to boot the system, change runlevels, activate and deactivate most network interfaces, and shut the system down cleanly.

Bug Fixes

BZ#915659
A regular expression, which was used to match the name of the master bond device in the grep utility, was incorrect. Consequently, network scripts did not properly handle lines in interface configuration containing comments and the ifup-eth command failed to activate slave devices. This update provides an updated regular expression for grep and ifup-eth now works as expected in the described scenario.
BZ#919217 BZ#963944
In Red Hat Enterprise Linux 6.4, a master device was always started after its slaves while using Mode 6 bonding. As a consequence, bonded interfaces were unusable. This update ensures the master device is always set up before its slaves and Mode 6 bonding now works as expected.
BZ#984003
Previously, mounting of the /proc directory in the initrd script did not take into account options set in the /etc/fstab file. As a consequence, /proc was not mounted with the specified options. With this update, /proc is now re-mounted in the rc.sysinit script, which ensures it is mounted with the specified options.
BZ#877928
Previously, initscripts called the nmcli utility to stop the interface even if it was not managed by NetworkManager at the time. As a consequence, the interface was stopped, but the output of nmcli stated the action had failed. After this update, nmcli is no longer called when NetworkManager is not handling the interface, for example when it has failed, is disconnected, unmanaged or unavailable. As a result, the output from nmcli now matches the real result.
BZ#836233
If assigning an IP address through the Dynamic Host Configuration Protocol version 4 (DHCPv4) failed, initscript exited with an error. As a consequence, static IPv4 and IPv6 addresses were not set if DHCPv4 failed. The option IPV4_FAILURE_FATAL has been added to let the user decide whether the script should continue or exit when DHCPv4 fails. Additionally, if set to "no" and DHCPv6 is enabled in the configuration file, initscript tries to get an IPv6 address even if DHCPv4 fails.
BZ#843402
After sending the TERM signal, the killproc() function always waited $delay seconds before it checked the process again. This waiting was unnecessary and with this update killproc() checks multiple times during the waiting delay. As a result, killproc can continue almost immediately after a process ends.
BZ#864802
Previously, initscript did not follow the order of mounts specified by the administrator, because some mount types were prioritized. As a consequence, a subdirectory could be mounted before its parent directory. After this update, NFS, the Common Internet File System (CIFS), the Server Message Block (SMB) and other mount types are the last to be mounted. As a result, the mounts in the /etc/fstab file are processed in the right order.
BZ#814427
Previously, the securetty utility always tried to open the /etc/securetty file in read and write mode. As a consequence, on a read-only root filesystem, this led to failure and the file was not modified even if the TTY had already existed. With this update, securetty now checks whether the /etc/securetty file needs to be modified and exits if it does not. As a result, securetty now works correctly on a read-only root filesystem.
BZ#948824
Prior to this update, users were not informed when an Address Resolution Protocol (ARP) check was performed successfully. As a consequence, the users could be confused about the time needed to load the interface. With this update, a message is printed after every ARP check thus preventing confusion.
BZ#921476
Previously, initscripts documentation contained no information about the rule-* files. As a consequence, users did not know how to set routing rules for IPv6 addresses. This update adds documentation for the rule6-* files to the sysconfig.txt file.
BZ#905423
Previously, users were not aware of the /etc/init/*.conf files being overwritten after every update with the default values. A comment has been added to the /etc/init/*.conf files to inform users these files should not be modified and to use the *.override files instead.

Enhancements

BZ#815676
With this update, configuration options for Dynamic Host Configuration Protocol version 6 (DHCPv6) have been applied to the /etc/dhcp/dhclient6-<iface>.conf files. Options for both DHCPv4 and DHCPv6 in the /etc/dhcp/dhclient6-<iface>.conf are now applied.
Users of initscripts are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.70. iotop

An updated iotop package that fixes several bugs is now available for Red Hat Enterprise Linux 6.
The iotop package provides a program with a UI similar to the "top" utility. The program watches input-output (I/O) usage information output by the Linux kernel and displays a table of current I/O usage by processes on the system.

Bug Fixes

BZ#746240, BZ#908149
Previously, the iotop utility terminated unexpectedly when it was run by a non-root user. This was because a recently-applied patch in CVE-2011-2494 made I/O statistics from the taskstats kernel subsystem accessible only to root users, and iotop did not anticipate that its "taskstats" call could fail when run by a non-root user. This update adds permission checks to iotop, and when the user does not have the necessary permissions, iotop exits with an explanation that root privileges are now required.
BZ#826875
Previously, the iotop utility did not handle platform strings correctly. Consequently, the iotop command could not show the I/O scheduling class and its priority ("PRIO") column on 64-bit PowerPC systems properly. With this update, the bug has been fixed so that the iotop command now shows the "PRIO" column on 64-bit PowerPC systems as expected.
BZ#849559
When an invalid locale was set, the iotop utility failed to start with the following traceback error:
locale.Error: unsupported locale setting
With this update, the underlying source code has been modified. As a result, when an invalid locale is set, the default locale is used instead and a warning about this change is returned.
Users of iotop are advised to upgrade to this updated package, which fixes these bugs.

8.71. ipa

Updated ipa packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
Red Hat Identity Management is a centralized authentication, identity management and authorization solution for both traditional and cloud-based enterprise environments. It integrates components of the Red Hat Directory Server, MIT Kerberos, Red Hat Certificate System, NTP, and DNS. It provides web browser and command-line interfaces. Its administration tools allow an administrator to quickly install, set up, and administer a group of domain controllers to meet the authentication and identity management requirements of large-scale Linux and UNIX deployments.

Bug Fixes

BZ#904119
Previously, during migration, users were added to the default user group one by one. As a consequence, adding users to a large group was time consuming. With this update, users are now added in batches of 100, which provides a considerable performance boost over the previous method.
BZ#905626
Previously, the Identity Management client installer did not look for all available servers when it tried to enroll a client. Consequently, the enrollment "ipa-client-install" command failed to enroll a client if any of the Identity Management masters were unavailable during the enrollment. With this update, the client installer tries all servers, either auto-discovered from DNS or passed using the "--server" option on the command line, until it finds an available server, and ipa-client-install now works properly.
BZ#906846
Identity Management did not work correctly when migrating from an OpenLDAP server. As a consequence, attempts to retrieve the LDAP schema from the remote server failed. With this update, Identity Management also looks in the "cn=subschema" entry, and migrations from OpenLDAP servers no longer fail.
BZ#907881
Prior to this update, the Identity Management password lockout Directory Server plug-in processed password lockout incorrectly. Consequently, if Identity Management password policy was configured with the Lockout Time value set to 0, user accounts were permanently disabled even though the maximum number of user password failures had not been exceeded. The plug-in has been fixed to process the password lockout time correctly, and the user accounts lockout now works as expected.
BZ#915745
Previously, update files used when upgrading an Identity Management server to a later version did not contain the new Directory Server schema "ipaExternalMember" attribute type and the "ipaExternalGroup" object class. Consequently, neither command-line interface (CLI) commands using the schema elements nor web user interface (Web UI) as a whole worked correctly. This update adds the missing object class and attribute type to the Identity Management update files. The Directory Server schema is now updated during the Identity Management update process, and both CLI commands and the Web UI work properly.
BZ#916209
The Identity Management configuration parser was not able to parse the Kerberos client configuration file (/etc/krb5.conf) when it contained the "includedir" directive. Consequently, the Identity Management ipa-adtrust-install installer, which directly parses and updates Kerberos client configuration, terminated unexpectedly with a syntax error. With this update, the configuration parser processes "includedir" correctly, and ipa-adtrust-install no longer crashes in the described scenario.
BZ#924004
Previously, when the Identity Management client installer was downloading a Certification Authority (CA) certificate from the Identity Management server using the LDAP protocol, it occasionally did not fall back to the HTTP protocol. Consequently, Identity Management client installation failed even though the certificate was accessible using the HTTP protocol. With this update, the Identity Management client installer can properly fall back between different protocols when downloading a CA certificate, and it is now able to complete the installation even when download via one protocol fails.
BZ#924009
The Identity Management client installer did not allow re-enrolling of an already enrolled client. Consequently, when a machine or a virtual machine with a configured Identity Management client was being removed or decommissioned without unenrolling the client first, all succeeding client enrollments failed until the client entry was removed from the Identity Management server. This update adds a "--force-join" option to the Identity Management client installer, and the privileged administrator is now able to re-enroll an Identity Management client.
BZ#924542
Previously, Identity Management Host Based Access Control (HBAC) rules API allowed administrators to specify a "Source Host" component of HBAC rules even though this component had been deprecated. Consequently, unexpected behavior could occur when using the "Source Host" component in HBAC rules. This bug has been fixed; "Source Host" components are now not allowed in HBAC rules, and unexpected behavior of the rules for administrators no longer occurs.
BZ#948928
Under certain circumstances, the Identity Management upgrade process double encoded the Certification Authority (CA) certificate stored in Directory Server. Consequently, some Identity Management clients failed to decode the CA certificate and installing a client failed. With this update, CA certificates are now properly encoded; client installation CA certificate is correctly retrieved from Identity Management server and the installation proceeds as expected.
BZ#950014
In some cases, the Identity Management installation and upgrade process did not update the user and user role membership information in the correct order. As a consequence, user roles were occasionally not correctly applied, and users could fail to proceed with privileged actions even though they had been authorized for them (for example, enrollment of an Identity Management client). Now, the membership information is applied in the correct order, and users' privileged actions no longer fail because of incomplete membership information.
BZ#952241
Previously, when an Identity Management public-key infrastructure (PKI) server certificate (auditSigningCert) was being renewed, an incorrect trust argument was assigned to the renewed certificate and the server was unable to use it. The certificate renewal procedure has been updated to assign correct trust arguments to the renewed certificates, and Identity Management PKI certificate renewal now works as expected.
BZ#967870
Identity Management server with Active Directory integration support configured replies differently in NetLogon queries compared to Active Directory. The following discrepancies were present in NetLogon behavior:
  • No response to NetLogon query when querying over TCP based LDAP
  • No response when DnsDomain was not present in the query
  • No return of a LDAP_RES_SEARCH_RESULT to sender when query did not match; NetLogon became unresponsive.
As a consequence, these discrepancies could cause errors in utilities which had sent the NetLogon queries. The NetLogon query responder has been fixed, and the above mentioned issues in NetLogon replies no longer occur.
BZ#970541
Identity Management server did not work efficiently in case of entries with many members, such as a large user group. Consequently, Identity Management CLI or Web UI management commands operating with such entries (for example, adding new users, listing groups, or updating them) could last more than 30 seconds. Several improvements have been implemented in the Identity Management server, namely:
  • Web UI interface now avoids membership information when it is not required (for example, in group listing)
  • Entry membership manipulating commands (for example, adding users to a group) now avoid unnecessary manipulation with membership information
  • Missing substring indices for membership attributes have been added.
With these implementations, the performance of Identity Management CLI and Web UI management commands has been significantly improved, especially when dealing with large user groups.
BZ#975431
Previously, the /var/lib/ipa/pki-ca/publish/ directory, where Identity Management public-key infrastructure (PKI) publishes Certificate Revocation List (CRL) exports, contained incorrect ownership and permissions information after the ipa-server package had been reinstalled or upgraded. Consequently, PKI was not able to update CRL in the directory until the ownership and permissions of the directory were manually amended. The Identity Management installer and upgrade script have been fixed to handle the ownership and permissions of the directory correctly, and CRL exports are now updated properly in the described scenario.
BZ#976716
Prior to this update, the Identity Management XML-RPC interface occasionally did not return the correct "Content-Type" header in its replies. Consequently, programs or scripts processing the XML-RPC response could fail to process the response with a validation error. The XML-RPC responder has been fixed to return the correct "Content-Type" header, and programs and scripts are now able to call the Identity Management XML-RPC interface even with strict validation enabled.
BZ#980409
Previously, the Identity Management Active Directory integration did not expect the different procedure that Microsoft Windows Server 2012 uses, as compared to Microsoft Windows Server 2008, for populating the KERB_VALIDATION_INFO section of the MS-PAC extension for a Kerberos ticket. As a consequence, such Kerberos tickets were not accepted due to an incompatibility and could not be used to authenticate or create a Trust with the Microsoft Windows Server 2012. The KERB_VALIDATION_INFO verification has been refactored to filter out unexpected values before further processing, and the Identity Management Active Directory Trust creation no longer fails with Microsoft Windows Server 2012.
BZ#1011044
Previously, the ipa-client-install installation script did not properly detect whether the client had already been installed on the machine or not. As a consequence, the client uninstall script could refuse to restore the machine when it did not recognize the client as installed. Also, the client installation could succeed even on an installed Identity Management client or server machine. This, however, could disrupt the configuration files or the function of the Identity Management client or server. With this update, ipa-client-install has been fixed to detect installation properly, and the issues described above no longer occur.

Enhancements

BZ#955698
This update introduces the "userClass" attribute for Identity Management server host entries. Previously, host entries did not contain a free-form attribute usable for host provisioning systems to tag or set a class for a new host, which could then be used by other functions of Identity Management, for example, by the Automatic Membership Assignment module. Administrators and provisioning systems are now able to use the new "userClass" host entry attribute.
BZ#986211
This update adds the "GECOS" field for user entries to Identity Management Web UI. "GECOS" is an important user field as it equals the user's common name presented to the systems, and it should be editable both through CLI and Web UI interfaces. Now, the user's "GECOS" field can be displayed and changed in Identity Management Web UI.
Users of ipa are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.72. ipmitool

Updated ipmitool packages that fix several bugs are now available.
The ipmitool package contains a command-line utility for interfacing with devices that support the Intelligent Platform Management Interface (IPMI) specification. IPMI is an open standard for machine health, inventory, and remote power control.

Bug Fixes

BZ#826027
In a previous ipmitool update, the new options "-R" and "-N" were added to adjust the retransmission rate of outgoing IPMI requests over LAN and lanplus interfaces. Implementation of these options set a wrong default value of the retransmission timeout, and an outgoing request timed out prematurely. In addition, in some corner cases, ipmitool could terminate unexpectedly with a segmentation fault when the timeout occurred. This update fixes the default timeout value, so ipmitool without the "-N" option retransmits outgoing IPMI requests as in previous versions, and crashes no longer occur in the described scenario.
BZ#903251
Previously, enabling the "ipmi" and "link" keys in user access information using the ipmitool utility did not work properly. Consequently, the values of these settings were not taken into account. A patch has been provided that ensures the values of these settings are read and processed as expected.
BZ#923192
In cases of congested network or slow-responding Baseboard Management Controller (BMC), the reply operation timeout triggered the protocol command retry action. Consequently, the ipmitool utility could incorrectly process a LAN session protocol command with the reply from a previous protocol command. This update fixes handling of expected replies for each command alone, and cleans up expected replies between commands. Now, the retried reply of the first command is correctly ignored while the later command, which is currently pending, is properly processed in the described scenario.
Users of ipmitool are advised to upgrade to these updated packages, which fix these bugs. After installing this update, the IPMI event daemon (ipmievd) will be restarted automatically.

8.73. iproute

Updated iproute packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The iproute packages contain networking utilities (for example, ip and rtmon), which are designed to use the advanced networking capabilities of the Linux kernel.

Bug Fixes

BZ#1011148
While the IP neighbor cache was being monitored with the ip monitor neigh command, the cache experienced a layer 2 network miss. Consequently, the ip monitor neigh command could not decode the miss event generated by the kernel. To fix this bug, code for neighbor cache events for entry deletion and entry miss has been back-ported from upstream, and ip monitor neigh now recognizes the cache miss event and formats it properly with a miss keyword on the output.
BZ#950400
Previously, Red Hat Enterprise Linux 6 was missing a functionality to set up IPv6 token-only network configuration. As a consequence, the user had fewer networking options. The IPv6 token feature has been implemented in both kernel (BZ#876634) and a userspace interface to iproute. Users can now set up IPv6 token-only networking, optionally receiving network prefixes later.
BZ#908155
Red Hat Enterprise Linux 6.5 shipped with VXLAN (Virtual Extended LAN), a VLAN-like layer 3 encapsulation technique support in the kernel, so a userspace interface was required for users and applications to utilize the VXLAN feature. With this update, the ip utility recognizes and supports the 'vxlan' devices.
BZ#838482
When larger rto_min (the minimum TCP Retransmission TimeOut to use when communicating with a certain destination) was set, the ip route show command did not return correct values. A patch has been provided to fix this bug and ip route show now handles rto_min as expected.
BZ#974694
Prior to this update, the manual page for the lnstat utility wrongly referred to a non-existent directory, iproute-doc, instead of the iproute-<package version> directory. The incorrect documentation could confuse the user. To fix this bug, the file-system path has been corrected.
BZ#977845
Previously, there was an inconsistency between the lnstat utility's interval option behavior and its documentation. Consequently, lnstat exited after a number of seconds instead of refreshing the view, making the interval option useless. The interval option behavior has been changed to refresh the data every N seconds, thus fixing the bug.
BZ#985526
Previously, the ip utility was mishandling netlink communication, which could cause hangs under certain circumstances. Consequently, listing network devices with the ip link show command hung in a SELinux restricted mode. With this update, the ip utility checks for the result of the rtnl_send() function before waiting for a reply, avoiding an indefinite hang. As a result, it is now possible to list network devices in a SELinux restricted environment.
BZ#950122
Prior to this update, the tc utility documentation lacked description of the batch option. To fix this bug, the tc manual pages have been updated including the description of the batch option.

Enhancements

BZ#885977
Previously, the bridge module sysfs system did not provide the ability to inspect the non-configuration IP multicast Internet Group Management Protocol (IGMP) snooping data. Without this functionality, users could not fully analyze their multicast traffic. With this update, users are able to list detected multicast router ports, groups with active subscribers and the associated interfaces.
BZ#929313
Distributed Overlay Virtual Ethernet (DOVE) tunnels allow for building of Virtual Extensible Local Area Network (VXLAN), which represents a scalable solution for ISO OSI layer 2 networks used in cloud centers. The bridge tool is part of the iproute packages and can be used, for example, to manage forwarding database on WLAN devices on Linux platform.
BZ#851371
If the tc utility is instrumented from a pipe, there is no way to recognize when a subcommand has been completed. A new OK option has been added to the tc utility. Now, tc in the batch mode accepts commands in standard input (the tc -OK -force -batch command) and returns OK on a new line on standard output for each successfully completed tc subcommand.
Users of iproute are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.74. iptables

Updated iptables packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
The iptables utility controls the network packet filtering code in the Linux kernel. The utility allows users to perform certain operations such as setting up firewalls or IP masquerading.

Bug Fixes

BZ#924362
A previous version of iptables added the "alternatives" functionality support for the /lib/xtables/ or /lib64/xtables/ directory. However, iptables failed to replace the directory with the alternatives slave symbolic link when upgrading iptables with the "yum upgrade" command and the directory contained custom plug-in files. Consequently, some iptables modules became unavailable. This problem has been fixed by modifying the iptables spec file so that the /lib/xtables/ or /lib64/xtables/ directory is no longer managed by "alternatives".
BZ#983198
The iptables-save command previously supported only the "--modprobe=" option to specify the path to the modprobe executable. However, the iptables-save(8) man page incorrectly stated that this action could have been performed using an unsupported option, "-M", which could lead to confusion. The iptables-save command has been modified to support the "-M" option for specifying the path to modprobe, and corrects the iptables-save(8) man page, which now correctly mentions both the "-M" and "--modprobe=" option.
BZ#1007632
Due to a bug in the iptables init script, the system could become unresponsive during shutdown when using the network-based root device and the default filter for INPUT or OUTPUT policy was DROP. This problem has been fixed by setting the default chain policy to ACCEPT before flushing the iptables rules and deleting the iptables chains.

Enhancements

BZ#845435
The iptables utility has been modified to support a new option, "--queue-bypass", which allows bypassing an NFQUEUE rule if the specified queue is not used.
BZ#928812
A new iptables service option, "reload", has been added to enable a refresh of the firewall rules without unloading netfilter kernel modules and a possible drop of connections.
Users of iptables are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.75. ipvsadm

Updated ipvsadm packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The ipvsadm package provides the ipvsadm tool to administer the IP Virtual Server services offered by the Linux kernel.

Upgrade to an upstream version

The ipvsadm packages have been upgraded to upstream version 1.26, which provides new features to IPVS from the kernel side, which take full advantage of PE config of SIP PE-data. In addition, this update:
* fixes the "One Packet Scheduler" output for the status and save operations to include all Virtual Servers instead of only those configured with a persistent flag (BZ#986189);
* addresses possible, but very unlikely, memory corruption issues;
* includes minor improvements to the manual pages related to ipvsadm.
Users of ipvsadm are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.76. irqbalance

Updated irqbalance packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The irqbalance packages provide a daemon that evenly distributes interrupt request (IRQ) load across multiple CPUs for enhanced performance.

Bug Fixes

BZ#951720
Previously, irqbalance warned about MSI interrupts, and that IRQs would not be properly classified due to the use of a kernel version older than kernel-2.6.32-279. This update blocks users from using irqbalance with an older version of the kernel, without features required for processing MSI interrupts, and warning messages are no longer received.
BZ#975524
Due to recent changes in the irqbalance packages, the /var/run/irqbalance.pid file was not created upon start of the irqbalance service, causing irqbalance to become non-compliant with the Linux Standard Base (LSB) specification. This update provides a patch fixing this problem so the irqbalance packages are LSB compliant again.
BZ#991363
A bug in the irqbalance code caused the irqbalance daemon to terminate with a segmentation fault when a CPU was hot plugged or hot unplugged. This update fixes a corrupted IRQ rebalance list and the irqbalance daemon no longer crashes in this scenario.
Users of irqbalance are advised to upgrade to these updated packages, which fix these bugs.

8.77. iscsi-initiator-utils

Updated iscsi-initiator-utils packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The iscsi-initiator-utils packages provide the server daemon for the iSCSI protocol, as well as utilities used to manage the daemon. iSCSI (Internet Small Computer System Interface) is a protocol for distributed disk access using SCSI commands sent over Internet Protocol networks.

Upgrade to an upstream version

The iscsi-initiator-utils packages have been upgraded to upstream version 6.2.0.873, which provides a number of bug fixes and enhancements over the previous version. (BZ#916007)

Bug Fixes

BZ#884427
Previously, database errors could occur if multiple node records in different formats were created for the same iSCSI target portal. Consequently, depending on the file-system-dependent return order of the readdir syscall, an error occasionally occurred, causing an update operation to fail. To fix this bug, multiple node records in different formats are now detected at record creation time and prevented from existing simultaneously. Duplicate node entries no longer exist in the iSCSI database, and updates to records do not result in database errors.
BZ#983553
Prior to this update, a single unreachable target could block rescans of others. Consequently, the iscsiadm utility could halt in the D state and the rest of the targets could remain unscanned. To fix this bug, iscsiadm has been made terminable and all the targets have been updated. Now, functioning sessions will be rescanned properly without long delays.
BZ#1001705
When VDSM (Virtual Desktop Server Manager) attempted to add a new record to the iSCSI database, it failed with the following error:
iscsiadm: Error while adding record: no available memory.
Consequently, due to this error, the host became non-operational when connecting to storage. An upstream patch has been applied and the /var/lib/iscsi file is now successfully attached.

Enhancements

BZ#831003
For the bnx2i hardware and potentially other offloading solutions (complementary network technologies for delivering data originally targeted for cellular networks), the iscsistart tool for passing along the VLAN tag from iBFT (iSCSI Boot Firmware Table) to iface_rec (iscsi iface record name) has been implemented to this package.
BZ#917600
With this update, support for managing Flash nodes from the open-iscsi utility has been added to this package.
Users of iscsi-initiator-utils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.78. iw

Updated iw packages that add one enhancement are now available for Red Hat Enterprise Linux 6.
The iw command-line utility is used for configuring wireless devices based on the nl80211 interface.

Upgrade to an upstream version

The iw packages have been upgraded to upstream version 3.10, which provides one enhancement over the previous version. This update adds support for Wake on Wireless LAN (WoWLAN) to Atheros WiFi interfaces in Red Hat Enterprise Linux 6. (BZ#951706)
Users of iw are advised to upgrade to these updated packages, which add this enhancement.

8.79. java-1.6.0-openjdk

Updated java-1.6.0-openjdk packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit.

Upgrade to an upstream version

The java-1.6.0-openjdk packages have been upgraded to upstream IcedTea version 1.13.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#983411)

Bug Fix

BZ#976897
Previously, int[] objects allocated by instances of the com.sun.imageio.plugins.jpeg.JPEGImageWriter class were consuming extensive amounts of memory, which was consequently not released. With this update, the underlying stream processing logic has been modified to ensure correct releasing of such memory, and extensive memory consumption no longer occurs.
Users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which fix these bugs and add these enhancements. All running instances of OpenJDK Java must be restarted for the update to take effect.

8.80. java-1.7.0-openjdk

Updated java-1.7.0-openjdk packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit.

Upgrade to an Upstream Version

The java-1.7.0-openjdk package has been upgraded to upstream version 2.4.3, which provides a number of bug fixes and enhancements over the previous version.

Bug Fixes

BZ#825824
Attempting to compile a SystemTap script using the jstack tapset could have failed with an error similar to the following:
error: the frame size of 272 bytes is larger than 256 bytes
This update corrects the jstack tapset and resolves this problem.
BZ#871771
Because of incorrect KDC list concatenation logic, the sun.security.krb5.Config.getKDCList method returned incorrect KDC lists when the dns_lookup_kdc property in the krb5.conf file was set to true. The concatenation logic has been fixed with this release and correct KDC lists are now returned.
BZ#997633
The java-1.7.0-openjdk RPM package contained an incorrect specification of the libnss3 dependency and installed its x86_64 version on i686 systems. Because of the missing dependency, launching the java command with the -Dcom.sun.management.jmxremote parameter on 32-bit JVMs terminated unexpectedly. The dependency specification has been corrected with this update. As a result, the correct version of the libnss3 package is installed and the java command no longer terminates when launched with the -Dcom.sun.management.jmxremote parameter.

Enhancements

BZ#831734, BZ#905128
The NSS security provider is now the default security provider in OpenJDK 7. This brings a significant performance improvement over the previous releases.
BZ#916288
The java-1.7.0-openjdk RPM package now provides the java dependency. As a result, it is no longer necessary to have the java-1.6.0-openjdk package installed alongside java-1.7.0-openjdk for the java dependency to be available.
Users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which fix these bugs and add these enhancements. All running instances of OpenJDK Java must be restarted for the update to take effect.

8.81. kde-settings

Updated kde-settings packages that fix one bug are now available.
The kde-settings packages provide a rich set of administration panels to configure system and desktop settings in the Konqueror Desktop Environment (KDE).

Bug Fix

BZ#886237
The Konqueror browser enabled Java support by default. Because Java is one of the common targets for browser-based malware attacks, Java is now disabled by default in Konqueror.
To enable Java in Konqueror, navigate to Settings -> Configure Konqueror -> Java & JavaScript (which sets the path to Java), and select the "Enable Java globally" check box.
Users of kde-settings are advised to upgrade to these updated packages, which fix this bug.

8.82. kernel

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fixes

CVE-2014-0055, Important
A flaw was found in the way the get_rx_bufs() function in the vhost_net implementation in the Linux kernel handled error conditions reported by the vhost_get_vq_desc() function. A privileged guest user could use this flaw to crash the host.
CVE-2014-0101, Important
A flaw was found in the way the Linux kernel processed an authenticated COOKIE_ECHO chunk during the initialization of an SCTP connection. A remote attacker could use this flaw to crash the system by initiating a specially crafted SCTP handshake in order to trigger a NULL pointer dereference on the system.
CVE-2014-0069, Moderate
A flaw was found in the way the Linux kernel's CIFS implementation handled uncached write operations with specially crafted iovec structures. An unprivileged local user with access to a CIFS share could use this flaw to crash the system, leak kernel memory, or, potentially, escalate their privileges on the system. Note: the default cache settings for CIFS mounts on Red Hat Enterprise Linux 6 prohibit a successful exploitation of this issue.
CVE-2013-1860, Low
A heap-based buffer overflow flaw was found in the Linux kernel's cdc-wdm driver, used for USB CDC WCM device management. An attacker with physical access to a system could use this flaw to cause a denial of service or, potentially, escalate their privileges.
Red Hat would like to thank Nokia Siemens Networks for reporting CVE-2014-0101, and Al Viro for reporting CVE-2014-0069.

Bug Fixes

BZ#1063507
A previous change in the Advanced Programmable Interrupt Controller (APIC) code caused a regression on certain Intel CPUs using a Multiprocessor (MP) table. An attempt to read from the local APIC (LAPIC) could be performed before the LAPIC was mapped, resulting in a kernel crash during a system boot. A patch has been applied to fix this problem by mapping the LAPIC as soon as possible when parsing the MP table.
BZ#1067775
When removing an inode from a name space on an XFS file system, the file system could enter a deadlock situation and become unresponsive. This happened because the removal operation incorrectly used the AGF and AGI locks in the opposite order than was required by the ordering constraint, which led to a possible deadlock between the file removal and inode allocation and freeing operations. With this update, the inode's reference count is dropped before removing the inode entry with the first transaction of the removal operation. This ensures that the AGI and AGF locks are locked in the correct order, preventing any further deadlocks in this scenario.
BZ#1064913
Previously, the GFS2 kernel module leaked memory in the gfs2_bufdata slab cache and allowed a use-after-free race condition to be triggered in the gfs2_remove_from_journal() function. As a consequence, after unmounting the GFS2 file system, the GFS2 slab cache could still contain some objects, which subsequently could, under certain circumstances, result in a kernel panic. A series of patches has been applied to the GFS2 kernel module, ensuring that all objects are freed from the slab cache properly and the kernel panic is avoided.
BZ#1054072
Due to the locking mechanism that the kernel used while handling Out of Memory (OOM) situations in memory control groups (cgroups), the OOM killer did not work as intended when many processes triggered an OOM. As a consequence, the entire system could become or appear to be unresponsive. A series of patches has been applied to improve this locking mechanism so that the OOM killer now works as expected in memory cgroups under heavy OOM load.
BZ#1055364
Previously, certain SELinux functions did not correctly handle the TCP synchronize-acknowledgment (SYN-ACK) packets when processing IPv4 labeled traffic over an INET socket. The initial SYN-ACK packets were labeled incorrectly by SELinux, and as a result, the access control decision was made using the server socket's label instead of the new connection's label. In addition, SELinux was not properly inspecting outbound labeled IPsec traffic, which led to similar problems with incorrect access control decisions. A series of patches that addresses these problems has been applied to SELinux. The initial SYN-ACK packets are now labeled correctly and SELinux processes all SYN-ACK packets as expected.
BZ#1063199
In Red Hat Enterprise Linux 6.5, the TCP Segmentation Offload (TSO) feature is automatically disabled if the corresponding network device does not report any CSUM flag in the list of its features. Previously, VLAN devices that were configured over bonding devices did not propagate their NETIF_F_NO_CSUM flag as expected, and their feature lists thus did not contain any CSUM flags. As a consequence, the TSO feature was disabled for these VLAN devices, which led to poor bandwidth performance. With this update, the bonding driver propagates the aforementioned flag correctly so that network traffic now flows through VLAN devices over bonding without any performance problems.
BZ#1064464
Due to a bug in the Infiniband driver, the ip and ifconfig utilities reported the link status of the IP over Infiniband (IPoIB) interfaces incorrectly (as "RUNNING" in case of "ifconfig", and as "UP" in case of "ip") even if no cable was connected to the respective network card. The problem has been corrected by calling the respective netif_carrier_off() function at the right place in the code. The link status of the IPoIB interfaces is now reported correctly in the described situation.
BZ#1058418
When performing read operations on an XFS file system, failed buffer readahead can leave the buffer in the cache memory marked with an error. This could lead to incorrect detection of stale errors during completion of an I/O operation because most callers do not zero out the b_error field of the buffer on a subsequent read. To avoid this problem and ensure correct I/O error detection, the b_error field of the used buffer is now zeroed out before submitting an I/O operation on a file.
BZ#1062113
Previously, when hot adding memory to the system, the memory management subsystem always performed unconditional page-block scans for all memory sections being set online. The total duration of the hot add operation depends on both the size of memory that the system already has and the size of memory that is being added. Therefore, the hot add operation took an excessive amount of time to complete if a large amount of memory was added or if the target node already had a considerable amount of memory. This update optimizes the code so that page-block scans are performed only when necessary, which greatly reduces the duration of the hot add operation.
BZ#1059991
Due to a bug in the SELinux socket receive hook, network traffic was not dropped upon receiving a peer:recv access control denial on some configurations. A broken labeled networking check in the SELinux socket receive hook has been corrected, and network traffic is now properly dropped in the described case.
BZ#1060491
When transferring a large amount of data over the peer-to-peer (PPP) link, a rare race condition between the throttle() and unthrottle() functions in the tty driver could be triggered. As a consequence, the tty driver became unresponsive, remaining in the throttled state, which resulted in the traffic being stalled. Also, if the PPP link was heavily loaded, another race condition in the tty driver could be triggered. This race allowed an unsafe update of the available buffer space, which could also result in the stalled traffic. A series of patches addressing both race conditions has been applied to the tty driver; if the first race is triggered, the driver loops and forces re-evaluation of the respective test condition, which ensures uninterrupted traffic flow in the described situation. The second race is now completely avoided due to a well-placed read lock, and the update of the available buffer space proceeds correctly.
BZ#1058420
Previously, the e752x_edac module incorrectly handled the pci_dev usage count, which could reach zero and deallocate a PCI device structure. As a consequence, a kernel panic could occur when the module was loaded multiple times on some systems. This update fixes the usage count that is triggered by loading and unloading the module repeatedly, and a kernel panic no longer occurs.
BZ#1057165
When a page table is upgraded, a new top level of the page table is added for the virtual address space, which results in a new Address Space Control Element (ASCE). However, the Translation Lookaside Buffer (TLB) of the virtual address space was not previously flushed on page table upgrade. As a consequence, the TLB contained entries associated with the old ASCE, which led to unexpected program failures and random data corruption. To correct this problem, the TLB entries associated with the old ASCE are now flushed as expected upon page table upgrade.
BZ#1064115
When a network interface is running in promiscuous (PROMISC) mode, the interface may receive and process VLAN-tagged frames even though no VLAN is attached to the interface. However, the enic driver did not handle processing of the packets with the VLAN-tagged frames in PROMISC mode correctly if the frames had no VLAN group assigned, which led to various problems. To handle the VLAN-tagged frames without a VLAN group properly, the frames have to be processed by the VLAN code, and the enic driver thus no longer verifies whether the packet's VLAN group field is empty.
BZ#1057164
A previous change in the Linux memory management on IBM System z removed the handler for the Address Space Control Element (ASCE) type of exception. As a consequence, the kernel was unable to handle ASCE exceptions, which led to a kernel panic. Such an exception was triggered, for example, if the kernel attempted to access user memory with an address that was larger than the current page table limit from a user-space program. This problem has been fixed by calling the standard page fault handler, do_dat_exception, if an ASCE exception is raised.
BZ#1063271
Due to several bugs in the network console logging, a race condition between the network console send operation and the driver's IRQ handler could occur, or the network console could access invalid memory content. As a consequence, the respective driver, such as vmxnet3, triggered a BUG_ON() assertion and the system terminated unexpectedly. A patch addressing these bugs has been applied so that the driver's IRQs are disabled before processing the send operation and the network console now accesses the RCU-protected (read-copy update) data properly. Systems using the network console logging no longer crash due to the aforementioned conditions.
All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fixes

CVE-2013-6381, Important
A buffer overflow flaw was found in the way the qeth_snmp_command() function in the Linux kernel's QETH network device driver implementation handled SNMP IOCTL requests with an out-of-bounds length. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system.
CVE-2013-2929, Low
A flaw was found in the way the get_dumpable() function return value was interpreted in the ptrace subsystem of the Linux kernel. When 'fs.suid_dumpable' was set to 2, a local, unprivileged user could use this flaw to bypass intended ptrace restrictions and obtain potentially sensitive information.
CVE-2013-7263, CVE-2013-7265, Low
It was found that certain protocol handlers in the Linux kernel's networking implementation could set the addr_len value without initializing the associated data structure. A local, unprivileged user could use this flaw to leak kernel stack memory to user space using the recvmsg, recvfrom, and recvmmsg system calls.
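The CVE-2013-2929 entry above describes a three-valued result being interpreted as a yes/no answer. The following user-space model is an added example, not kernel code and not part of the original notes: it places a boolean-style test beside a test that accepts only the value 1, and includes a parser for the contents of /proc/sys/fs/suid_dumpable so a host's setting can be checked. All function names except get_dumpable() (which is only modelled here) are hypothetical.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* The three states a task's "dumpable" value can take. A process that
 * changed credentials (for example a setuid program) receives the value
 * of the fs.suid_dumpable sysctl; an ordinary process has the value 1. */
enum suid_dump {
    SUID_DUMP_DISABLE = 0, /* not dumpable, not attachable */
    SUID_DUMP_USER    = 1, /* dumpable and attachable by its owner */
    SUID_DUMP_ROOT    = 2  /* core dump readable by root only */
};

/* Hypothetical model of what get_dumpable() reports for a task. */
static int model_get_dumpable(bool changed_credentials, int sysctl_value)
{
    return changed_credentials ? sysctl_value : SUID_DUMP_USER;
}

/* "Before" form: the value is tested as a boolean, so 2 is treated
 * exactly like 1 and an unprivileged tracer is let through. */
static int ptrace_check_before(int dumpable, bool tracer_privileged)
{
    if (!dumpable && !tracer_privileged)
        return -EPERM;
    return 0;
}

/* "After" form: only SUID_DUMP_USER permits an unprivileged tracer;
 * both 0 and 2 require privilege. */
static int ptrace_check_after(int dumpable, bool tracer_privileged)
{
    if (dumpable != SUID_DUMP_USER && !tracer_privileged)
        return -EPERM;
    return 0;
}

/* Parse the text read from /proc/sys/fs/suid_dumpable.
 * Returns 0, 1 or 2, or -1 if the text is not one of those values. */
static int parse_suid_dumpable(const char *text)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(text, &end, 10);
    if (end == text || errno != 0)
        return -1;
    while (*end == ' ' || *end == '\t' || *end == '\n')
        end++;
    if (*end != '\0' || v < SUID_DUMP_DISABLE || v > SUID_DUMP_ROOT)
        return -1;
    return (int)v;
}

int main(void)
{
    static const char *names[] = { "0 (disable)", "1 (user)", "2 (root only)" };
    char buf[32];
    FILE *f;
    int mode;

    /* Show how each sysctl value is handled for a credential-changing task
     * traced by an unprivileged user. */
    for (mode = SUID_DUMP_DISABLE; mode <= SUID_DUMP_ROOT; mode++) {
        int d = model_get_dumpable(true, mode);
        printf("suid_dumpable=%-14s before=%-7s after=%s\n", names[mode],
               ptrace_check_before(d, false) ? "denied" : "allowed",
               ptrace_check_after(d, false) ? "denied" : "allowed");
    }

    /* Report the local setting, if the file is readable. */
    f = fopen("/proc/sys/fs/suid_dumpable", "r");
    if (f != NULL) {
        if (fgets(buf, sizeof(buf), f) != NULL) {
            mode = parse_suid_dumpable(buf);
            if (mode == SUID_DUMP_ROOT)
                puts("host: fs.suid_dumpable=2, the setting named in the advisory");
            else if (mode >= 0)
                printf("host: fs.suid_dumpable=%d\n", mode);
        }
        fclose(f);
    }
    return 0;
}
```

Only the row for value 2 differs between the two checks, which is the configuration the advisory names.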

Bug Fixes

BZ#1051393
Due to a bug in the NFS code, the state manager and the DELEGRETURN operation could enter a deadlock if an asynchronous session error was received while DELEGRETURN was being processed by the state manager. The state manager became unable to process the failing DELEGRETURN operation because it was waiting for an asynchronous RPC task to complete, which could not have been completed because the DELEGRETURN operation was cycling indefinitely with session errors. A series of patches has been applied to ensure that the asynchronous error handler waits for recovery when a session error is received and the deadlock no longer occurs.
BZ#1049590
The IPv4 and IPv6 code contained several issues related to the conntrack fragmentation handling that prevented fragmented packets from being properly reassembled. This update applies a series of patches and ensures that MTU discovery is handled properly, and fragments are correctly matched and packets reassembled.
BZ#1046043
Inefficient usage of Big Kernel Locks (BKLs) in the ptrace() system call could lead to BKL contention on certain systems that widely utilize ptrace(), such as User-mode Linux (UML) systems, resulting in degraded performance on these systems. This update removes the relevant BKLs from the ptrace() system call, thus resolving any related performance issues.
BZ#1046041
When utilizing SCTP over the bonding device in Red Hat Enterprise Linux 6.5, SCTP assumed offload capabilities on virtual devices where it was not guaranteed that underlying physical devices are equipped with these capabilities. As a consequence, checksums of the outgoing packets became corrupted and a network connection could not be properly established. A patch has been applied to ensure that checksums of the packets sent to devices without SCTP checksum capabilities are properly calculated in software fallback. SCTP connections over the bonding devices can now be established as expected in Red Hat Enterprise Linux 6.5.
BZ#1044566
Previously, the context of the user's process could not be saved on PowerPC platforms if the VSX Machine State Register (MSR) bit was set but the user did not provide enough space to save the VSX state. This update allows the VSX MSR bit to be cleared in such a situation, indicating that there is no valid VSX state in the user context.
BZ#1043779
After a statically defined gateway became unreachable and its corresponding neighbor entry entered a FAILED state, the gateway stayed in the FAILED state even after it became reachable again. As a consequence, traffic was not routed through that gateway. This update enables probing such a gateway automatically so that the traffic can be routed through this gateway again once it becomes reachable.
BZ#1040826
Due to several bugs in the IPv6 code, a soft lockup could occur when the number of cached IPv6 destination entries reached the garbage collector threshold on a high-traffic router. A series of patches has been applied to address this problem. These patches ensure that the route probing is performed asynchronously to prevent a deadlock with garbage collection. Also, the garbage collector is now run asynchronously, preventing CPUs that concurrently requested the garbage collector from waiting until all other CPUs finish the garbage collection. As a result, soft lockups no longer occur in the described situation.
BZ#1035347
A previous change to the md driver disabled the TRIM operation for RAID5 volumes in order to prevent a possible kernel oops. However, if an MD RAID volume was reshaped to a different RAID level, this could result in TRIM being disabled on the resulting volume, as the RAID4 personality is used for certain reshapes. A patch has been applied that corrects this problem by setting the stacking limits before changing a RAID level, and thus ensuring the correct discard (TRIM) granularity for the RAID array.
BZ#1051395
NFS previously allowed a race between "silly rename" operations and the rmdir() function to occur when removing a directory right after an unlinked file in the directory was closed. As a result, rmdir() could fail with an EBUSY error. This update applies a patch ensuring that NFS waits for any asynchronous operations to complete before performing the rmdir() operation.
BZ#1051394
Due to a bug in the EDAC driver, the driver failed to decode and report errors on AMD family 16h processors correctly. This update incorporates a missing case statement to the code so that the EDAC driver now handles errors as expected.
BZ#1045094
A deadlock between the state manager, kswapd daemon, and the sys_open() function could occur when the state manager was recovering from an expired state and recovery OPEN operations were being processed. To fix this problem, NFS has been modified to ignore all errors from the LAYOUTRETURN operation (a pNFS operation) except for "NFS4ERR_DELAY" in this situation.
BZ#1040498
The bnx2x driver handled unsupported TLVs received from a Virtual Function (VF) using the VF-PF channel incorrectly; when a driver of the VF sent a known but unsupported TLV command to the Physical Function, the driver of the PF did not reply. As a consequence, the VF-PF channel was left in an unstable state and the VF eventually timed out. A patch has been applied to correct the VF-PF locking scheme so that unsupported TLVs are properly handled and responded to by the PF side. Also, unsupported TLVs could previously render a mutex used to lock the VF-PF operations. The mutex then stopped protecting critical sections of the code, which could result in error messages being generated when the PF received additional TLVs from the VF. A patch has been applied that corrects the VF-PF channel locking scheme, and unsupported TLVs thus can no longer break the VF-PF lock.
BZ#1040497
A bug in the statistics flow in the bnx2x driver caused the card's DMA Engine (DMAE) to be accessed without taking a necessary lock. As a consequence, previously queued DMAE commands could be overwritten and the Virtual Functions then could time out on requests to their respective Physical Functions. The likelihood of triggering the bug was higher with more SR-IOV Virtual Functions configured. Overwriting of the DMAE commands could also result in other problems even without using SR-IOV. This update ensures that all flows utilizing DMAE will use the same API and the proper locking scheme is kept by all these flows.
BZ#1035339
When starting or waking up a system that utilized an AHCI controller with empty ports, and the EM transmit bit was busy, the AHCI driver incorrectly released the related error handler before initiation of the sleep operation. As a consequence, the error handler could be acquired by a different port of the AHCI controller and the Serial General Purpose Input/Output (SGPIO) signal could eventually blink the rebuild pattern on an empty port. This update implements cross-port error handler exclusion to the generic ATA driver and the AHCI driver has been modified to use the msleep() function in this particular case. The error handler is no longer released upon the sleep operation and the SGPIO signal can no longer indicate the disk's rebuild on the empty controller's slot.
BZ#1032389
Previous changes to the igb driver caused the ethtool utility to determine and display some capabilities of the Ethernet devices incorrectly. This update fixes the igb driver so that the actual link capabilities are now determined properly, and ethtool displays values as accurate as possible, depending on the data available to the driver.
All users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
Updated kernel packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fixes

CVE-2013-4470, Important
A flaw was found in the way the Linux kernel's TCP/IP protocol suite implementation handled sending of certain UDP packets over sockets that used the UDP_CORK option when the UDP Fragmentation Offload (UFO) feature was enabled on the output device. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges on the system.
CVE-2013-6367, Important
A divide-by-zero flaw was found in the apic_get_tmcct() function in KVM's Local Advanced Programmable Interrupt Controller (LAPIC) implementation. A privileged guest user could use this flaw to crash the host.
CVE-2013-6368, Important
A memory corruption flaw was discovered in the way KVM handled virtual APIC accesses that crossed a page boundary. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system.
CVE-2013-2141, Low
An information leak flaw in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user space.
Red Hat would like to thank Hannes Frederic Sowa for reporting CVE-2013-4470, and Andrew Honig of Google for reporting CVE-2013-6367 and CVE-2013-6368.

Bug Fixes

BZ#1027343
Due to a regression bug in the mlx4 driver, Mellanox mlx4 adapters could become unresponsive under heavy load, with IOMMU allocation errors being logged to the system logs. A patch has been applied to the mlx4 driver so that the driver now calculates the last memory page fragment when allocating memory in the Rx path.
BZ#1028278
A bug in the RSXX DMA handling code allowed DISCARD operations to call the pci_unmap_page() function, which triggered a race condition on the PowerPC architecture when DISCARD, READ, and WRITE operations were issued simultaneously. However, DISCARD operations are always assigned a DMA address of 0 because they are never mapped. Therefore, this race could result in freeing memory that was mapped for another operation and a subsequent EEH event. A patch has been applied, preventing the DISCARD operations from calling pci_unmap_page(), and thus avoiding the aforementioned race condition.
BZ#1029330
Due to a missing part of the bcma driver, the brcmsmac kernel module did not have a list of internal aliases that was needed by the kernel to properly handle the related udev events. Consequently, when the bcma driver scanned for the devices at boot time, these udev events were ignored and the kernel did not load the brcmsmac module automatically. A patch that provides missing aliases has been applied so that the udev requests of the brcmsmac module are now handled as expected and the kernel loads the brcmsmac module automatically on boot.
BZ#1029997
A bug in the mlx4 driver could trigger a race between the "blue flame" feature's traffic flow and the stamping mechanism in the Tx ring flow when processing Work Queue Elements (WQEs) in the Tx ring. Consequently, the related queue pair (QP) of the mlx4 Ethernet card entered an error state and the traffic on the related Tx ring was blocked. A patch has been applied to the mlx4 driver so that the driver does not stamp the last completed WQE in the Tx ring, and thus avoids the aforementioned race.
BZ#1030171
A previous change in the NFSv4 code resulted in breaking the sync NFSv4 mount option. A patch has been applied that restores functionality of the sync mount option.
BZ#1030713
Due to a bug in the Emulex lpfc driver, the driver could not allocate a SCSI buffer properly, which resulted in severe performance degradation of lpfc adapters on 64-bit PowerPC systems. A patch addressing this problem has been applied so that lpfc allocates the SCSI buffer correctly and lpfc adapters now work as expected on 64-bit PowerPC systems.
BZ#1032162
When performing I/O operations on a heavily-fragmented GFS2 file system, significant performance degradation could occur. This was caused by the allocation strategy that GFS2 used to search for an ideal contiguous chunk of free blocks in all the available resource groups (rgrp). A series of patches has been applied that improves performance of GFS2 file systems in case of heavy fragmentation. GFS2 now allocates the biggest extent found in the rgrp if it fulfills the minimum requirements. GFS2 has also reduced the amount of bitmap searching in case of multi-block reservations by keeping track of the smallest extent for which the multi-block reservation would fail in the given rgrp. This improves GFS2 performance by avoiding unnecessary rgrp free block searches that would fail. Additionally, this patch series fixes a bug in the GFS2 block allocation code where a multi-block reservation was not properly removed from the rgrp's reservation tree when it was disqualified, which eventually triggered a BUG_ON() macro due to an incorrect count of reserved blocks.
BZ#1032167
An earlier patch to the kernel added the dynamic queue depth throttling functionality to QLogic's qla2xxx driver that allowed the driver to adjust queue depth for attached SCSI devices. However, the kernel might have crashed with this functionality enabled in certain environments, such as on systems with EMC PowerPath Multipathing installed that were under heavy I/O load. To resolve this problem, the dynamic queue depth throttling functionality has been removed from the qla2xxx driver.
BZ#1032168
Previously, devices using the ixgbevf driver that were assigned to a virtual machine could not adjust their Jumbo MTU value automatically if the Physical Function (PF) interface was down; when the PF device was brought up, the MTU value on the related Virtual Function (VF) device was set incorrectly. This was caused by the way the communication channel between PF and VF interfaces was set up and the first negotiation attempt between PF and VF was made. To fix this problem, structural changes to the ixgbevf driver have been made so that the kernel can now negotiate the correct API between PF and VF successfully and the MTU value is now set correctly on the VF interface in this situation.
BZ#1032170
A bug in the ixgbe driver caused IPv6 hardware filtering tables to not be correctly rewritten upon interface reset when using a bridge device over the PF interface in an SR-IOV environment. As a result, the IPv6 traffic between VFs was interrupted. An upstream patch has been backported to modify the ixgbe driver so that the update of the Multimedia Terminal Adapter (MTA) table is now unconditional, avoiding possible inconsistencies in the MTA table upon PF's reset. The IPv6 traffic between VFs proceeds as expected in this scenario.
BZ#1032247
When using Haswell HDMI audio controllers with an unaligned DMA buffer size, these audio controllers could become locked up until the next reboot for certain audio stream configurations. A patch has been applied to Intel's High Definition Audio (HDA) driver that enforces the DMA buffer alignment setting for the Haswell HDMI audio controllers. These audio controllers now work as expected.
BZ#1032249
As a result of a recent fix preventing a deadlock upon an attempt to cover an active XFS log, the behavior of the xfs_log_need_covered() function has changed. However, xfs_log_need_covered() is also called to ensure that the XFS log tail is correctly updated as a part of the XFS journal sync operation. As a consequence, when shutting down an XFS file system, the sync operation failed and some files might have been lost. A patch has been applied to ensure that the tail of the XFS log is updated by logging a dummy record to the XFS journal. The sync operation completes successfully and files are properly written to the disk in this situation.
BZ#1032250
A chunk of a patch was left out when backporting a batch of patches that fixed an infinite loop problem in the LOCK operation with zero state ID during NFSv4 state ID recovery. As a consequence, the system could become unresponsive on numerous occasions. The missing chunk of the patch has been added, resolving this hang issue.
BZ#1032260
When performing buffered WRITE operations from multiple processes to a single file, the NFS code previously always verified whether the lock owner information is identical for the file being accessed even though no file locks were involved. This led to performance degradation because forked child processes had to synchronize dirty data written to a disk by the parent process before writing to a file. Also, when coalescing requests into a single READ or WRITE RPC call, NFS refused the request if the lock owner information did not match for the given file even though no file locks were involved. This also caused performance degradation. A series of patches has been applied that relax relevant test conditions so that lock owner compatibility is no longer verified in the described cases, which resolves these performance issues.
BZ#1032395
Due to a bug in the mlx4 driver, Mellanox Ethernet cards were brought down unexpectedly while adjusting their Tx or Rx ring. A patch has been applied so that the mlx4 driver now properly verifies the state of the Ethernet card when the coalescing of the Tx or Rx ring is being set, which resolves this problem.
BZ#1032423
When the system was under memory stress, a double-free bug in the tg3 driver could have been triggered, resulting in a NIC being brought down unexpectedly followed by a kernel panic. A patch has been applied that restructures the respective code so that the affected ring buffer is freed correctly.
BZ#1032424
The RPC client always retransmitted zero-copy of the page data if it timed out before the first RPC transmission completed. However, such a retransmission could cause data corruption if using the O_DIRECT buffer and the first RPC call completed while the respective TCP socket still held a reference to the pages. To prevent the data corruption, retransmission of the RPC call is, in this situation, performed using the sendmsg() function. The sendmsg() function retransmits an authentic reproduction of the first RPC transmission because the TCP socket holds the full copy of the page data.
BZ#1032688
When creating an XFS file system, an attempt to cover an active XFS log could, under certain circumstances, result in a deadlock between the xfssyncd and xfsbufd daemons. Consequently, several kernel threads became unresponsive and the XFS file system could not be successfully created, leading to a kernel oops. A patch has been applied to prevent this situation by forcing the active XFS log onto a disk.

Enhancements

BZ#1020518
The kernel now supports memory configurations with more than 1TB of RAM on AMD systems.
BZ#1032426
The kernel has been modified to stop reporting ABS_MISC events on Wacom touch devices in order to ensure that the devices are correctly recognized by the HAL daemon.
All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. The system must be rebooted for this update to take effect.
Updated kernel packages that fix multiple security issues, address several hundred bugs, and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 6. This is the fifth regular update.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fixes

CVE-2013-4387, Important
A flaw was found in the way the Linux kernel's IPv6 implementation handled certain UDP packets when the UDP Fragmentation Offload (UFO) feature was enabled. A remote attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system.
CVE-2013-0343, Moderate
A flaw was found in the way the Linux kernel handled the creation of temporary IPv6 addresses. If the IPv6 privacy extension was enabled (/proc/sys/net/ipv6/conf/eth0/use_tempaddr set to '2'), an attacker on the local network could disable IPv6 temporary address generation, leading to a potential information disclosure.
CVE-2013-2888, Moderate
A flaw was found in the way the Linux kernel handled HID (Human Interface Device) reports with an out-of-bounds Report ID. An attacker with physical access to the system could use this flaw to crash the system or, potentially, escalate their privileges on the system.
CVE-2013-4345, Moderate
An off-by-one flaw was found in the way the ANSI CPRNG implementation in the Linux kernel processed non-block size aligned requests. This could lead to random numbers being generated with fewer bits of entropy than expected when ANSI CPRNG was used.
CVE-2013-4591, Moderate
It was found that the fix for CVE-2012-2375 released via RHSA-2012:1580 accidentally removed a check for small-sized result buffers. A local, unprivileged user with access to an NFSv4 mount with ACL support could use this flaw to crash the system or, potentially, escalate their privileges on the system.
CVE-2013-4592, Moderate
A flaw was found in the way IOMMU memory mappings were handled when moving memory slots. A malicious user on a KVM host who has the ability to assign a device to a guest could use this flaw to crash the host.
CVE-2013-2889, CVE-2013-2892, Moderate
Heap-based buffer overflow flaws were found in the way the Zeroplus and Pantherlord/GreenAsia game controllers handled HID reports. An attacker with physical access to the system could use these flaws to crash the system or, potentially, escalate their privileges on the system.
CVE-2012-6542, CVE-2013-3231, Low
Two information leak flaws were found in the logical link control (LLC) implementation in the Linux kernel. A local, unprivileged user could use these flaws to leak kernel stack memory to user space.
CVE-2013-1929, Low
A heap-based buffer overflow in the way the tg3 Ethernet driver parsed the vital product data (VPD) of devices could allow an attacker with physical access to a system to cause a denial of service or, potentially, escalate their privileges.
CVE-2012-6545, CVE-2013-1928, CVE-2013-2164, CVE-2013-2234, Low
Information leak flaws in the Linux kernel could allow a privileged, local user to leak kernel memory to user space.
CVE-2013-2851, Low
A format string flaw was found in the Linux kernel's block layer. A privileged, local user could potentially use this flaw to escalate their privileges to kernel level (ring0).
Red Hat would like to thank Stephan Mueller for reporting CVE-2013-4345, and Kees Cook for reporting CVE-2013-2851.

Bug Fixes

BZ#955712
A function in the RPC code responsible for verifying whether the cached credentials match the current process did not perform the check correctly. The code checked only whether the groups in the current process credentials appear in the same order as in the cached credential but did not ensure that no other groups are present in the cached credentials. As a consequence, when accessing files in NFS mounts, a process with the same UID and GID as the original process but with a non-matching group list could have been granted unauthorized access to a file, or under certain circumstances, the process could have been wrongly prevented from accessing the file. The incorrect test condition has been fixed and the problem can no longer occur.
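The flawed and corrected checks described in BZ#955712, modeled as a stand-alone C program. This is an added illustration, not the kernel's RPC code; the struct layout, MAX_GROUPS, NO_GROUP, the sample UID/GID/group values, and all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Illustrative model only; names and layout are assumptions, not kernel code. */
#define MAX_GROUPS 16
#define NO_GROUP   ((unsigned int)-1)   /* sentinel ending a short list */

struct proc_cred {                      /* what the calling process holds */
    unsigned int uid, gid;
    size_t ngroups;
    const unsigned int *groups;
};

struct cached_cred {                    /* what the RPC layer cached */
    unsigned int uid, gid;
    unsigned int gids[MAX_GROUPS];      /* NO_GROUP-padded when shorter */
};

/* Build a cache entry from a process credential, truncating at MAX_GROUPS. */
void cache_fill(struct cached_cred *c, const struct proc_cred *p)
{
    size_t n = p->ngroups > MAX_GROUPS ? MAX_GROUPS : p->ngroups;
    size_t i;

    c->uid = p->uid;
    c->gid = p->gid;
    for (i = 0; i < n; i++)
        c->gids[i] = p->groups[i];
    for (; i < MAX_GROUPS; i++)
        c->gids[i] = NO_GROUP;
}

/* Flawed check: walks only the caller's groups, so a cached entry that
 * carries additional groups after that prefix still "matches". */
int match_flawed(const struct proc_cred *p, const struct cached_cred *c)
{
    size_t n = p->ngroups > MAX_GROUPS ? MAX_GROUPS : p->ngroups;
    size_t i;

    if (c->uid != p->uid || c->gid != p->gid)
        return 0;
    for (i = 0; i < n; i++)
        if (c->gids[i] != p->groups[i])
            return 0;
    return 1;
}

/* Corrected check: same walk, then require the cached list to end exactly
 * where the caller's list ends. The bound test keeps n == MAX_GROUPS from
 * reading past the array. */
int match_fixed(const struct proc_cred *p, const struct cached_cred *c)
{
    size_t n = p->ngroups > MAX_GROUPS ? MAX_GROUPS : p->ngroups;

    if (!match_flawed(p, c))
        return 0;
    if (n < MAX_GROUPS && c->gids[n] != NO_GROUP)
        return 0;
    return 1;
}

typedef int (*match_fn)(const struct proc_cred *, const struct cached_cred *);

/* Constructed sample data: A and B share UID/GID, B has fewer groups. */
static const unsigned int groups_a[] = { 10, 20, 30 };
static const unsigned int groups_b[] = { 10 };

/* 1 if process B would be handed the credential cached for process A. */
int b_reuses_a(match_fn match)
{
    struct proc_cred a = { 1000, 1000, 3, groups_a };
    struct proc_cred b = { 1000, 1000, 1, groups_b };
    struct cached_cred cache;

    cache_fill(&cache, &a);
    return match(&b, &cache);
}

/* 1 if process A is handed back its own cached credential. */
int a_reuses_a(match_fn match)
{
    struct proc_cred a = { 1000, 1000, 3, groups_a };
    struct cached_cred cache;

    cache_fill(&cache, &a);
    return match(&a, &cache);
}

/* 1 if a process with exactly MAX_GROUPS groups matches its own entry. */
int full_list_reuses_self(match_fn match)
{
    unsigned int full[MAX_GROUPS];
    struct proc_cred p = { 1000, 1000, MAX_GROUPS, full };
    struct cached_cred cache;
    size_t i;

    for (i = 0; i < MAX_GROUPS; i++)
        full[i] = 100 + (unsigned int)i;
    cache_fill(&cache, &p);
    return match(&p, &cache);
}

int main(void)
{
    printf("flawed: B reuses A's credential = %d\n", b_reuses_a(match_flawed));
    printf("fixed:  B reuses A's credential = %d\n", b_reuses_a(match_fixed));
    printf("fixed:  A reuses its own entry  = %d\n", a_reuses_a(match_fixed));
    return 0;
}
```

With the flawed check, process B is served with a credential that still carries groups 20 and 30, which is the unauthorized-access case the entry describes.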
BZ#629857
When the state of the netfilter module was out-of-sync, a TCP connection was recorded in the conntrack table although the TCP connection did not exist between two hosts. If a host re-established this connection with the same source port, destination port, source address and destination address, the host sent a TCP SYN packet and the peer sent back acknowledgment for this SYN packet. However, because netfilter was out-of-sync, netfilter dropped this acknowledgment, and deleted the connection item from the conntrack table, which consequently caused the host to retransmit the SYN packet. A patch has been applied to improve this handling; if an unexpected SYN packet appears, the TCP options are annotated. Acknowledgment for the SYN packet serves as a confirmation of the connection tracking being out-of-sync, then a new connection record is created using the information annotated previously to avoid the retransmission delay.
BZ#955807
Due to several bugs in the ext4 code, data integrity system calls did not always properly persist data on the disk. Therefore, the unsynchronized data in the ext4 file system could have been lost after the system's unexpected termination. A series of patches has been applied to the ext4 code to address this problem, including a fix that ensures proper usage of data barriers in the code responsible for file synchronization. Data loss no longer occurs in the described situation.
BZ#953630
C-states for the Intel Family 6, Model 58 and 62 processors were not properly initialized in Red Hat Enterprise Linux 6. Consequently, these processors were unable to enter deep C-states. Also, C-state accounting was not functioning properly and power management tools, such as powertop or turbostat, thus displayed incorrect C-state transitions. This update applies a patch that ensures proper C-states initialization so the aforementioned processors can now enter deep core power states as expected. Note that this update does not correct C-state accounting, which has been addressed by a separate patch.
BZ#953342
The kernel previously did not handle a situation where the system needed to fall back from non-flat Advanced Programmable Interrupt Controller (APIC) mode to flat APIC mode. Consequently, a NULL pointer was dereferenced and a kernel panic occurred. This update adds the flat_probe() function to the APIC driver, which allows the kernel to use flat APIC mode as a fall-back option. The kernel no longer panics in this situation.
BZ#952785
When attempting to deploy a virtual machine on a hypervisor with multiple NICs and macvtap devices, a kernel panic could occur. This happened because the macvtap driver did not gracefully handle a situation when the macvlan_port.vlans list was empty and returned a NULL pointer. This update applies a series of patches which fix this problem using a read-copy-update (RCU) mechanism and by preventing the driver from returning a NULL pointer if the list is empty. The kernel no longer panics in this scenario.
BZ#952329
Due to a missing structure, the NFSv4 error handler did not handle exceptions caused by revoking NFSv4 delegations. Consequently, the NFSv4 client received the EIO error message instead of the NFS4ERR_ADMIN_REVOKED error. This update modifies the NFSv4 code to no longer require the nfs4_state structure in order to revoke a delegation.
BZ#952174
On KVM guests with the KVM clock (kvmclock) as a clock source and with some VCPUs pinned, certain VCPUs could experience significant sleep delays (elapsed time was greater than 20 seconds). This resulted in unexpected delays by sleeping functions and inaccurate measurement for low latency events. The problem happened because a kvmclock update was isolated to a certain VCPU so the NTP frequency correction applied only to that single VCPU. This problem has been resolved by a patch allowing kvmclock updates to all VCPUs on the KVM guest. VCPU sleep time now does not exceed the expected amount and no longer causes the aforementioned problems.
BZ#951937
When using applications that intensively utilized memory mapping, customers experienced significant application latency, which led to serious performance degradation. A series of patches has been applied to fix the problem. Among other changes, the patches modify the memory mapping code to allow block devices to require stable page writes, enforce stable page writes only if required by a backing device, and optionally snapshot page content to provide stable pages during write. As a result, application latency has been improved by a considerable amount and applications with high demand of memory mapping now perform as expected.
BZ#997845
The RAID1 and RAID10 code previously called the raise_barrier() and lower_barrier() functions instead of the freeze_array() and unfreeze_array() functions that are safe to call from within the management thread. As a consequence, a deadlock situation could occur if an MD array contained a spare disk, rendering the respective kernel thread unresponsive. Furthermore, if a shutdown sequence was initiated after this problem had occurred, the shutdown sequence became unresponsive and any in-cache file system data that were not synchronized to the disk were lost. A patch correcting this problem has been applied and the RAID1 and RAID10 code now uses management-thread safe functions as expected.
BZ#950598
If an NFSv4 client was checking open permissions for a delegated OPEN operation during OPEN state recovery of an NFSv4 server, the NFSv4 state manager could enter a deadlock. This happened because the client was holding the NFSv4 sequence ID of the OPEN operation. This problem is resolved by releasing the sequence ID before the client starts checking open permissions.
BZ#983288
NFS previously allowed extending an NFS file write to cover a full page only if the file had not set a byte-range lock. However, extending the write to cover the entire page is sometimes desirable in order to avoid fragmentation inefficiencies. For example, a noticeable performance decrease was reported if a series of small non-contiguous writes was performed on the file. A patch has been applied to the NFS code that allows NFS to extend a file write to a full page write if the whole file is locked for writing or if the client holds a write delegation.
BZ#998752
A patch included in kernel version 2.6.32-358.9.1.el6, to fix handling of revoked NFSv4 delegations, introduced a regression bug to the NFSv4 code. This regression in the NFSv4 exception and asynchronous error handling allowed, under certain circumstances, passing a NULL inode to an NFSv4 delegation-related function, which resulted in a kernel panic. The NFSv4 exception and asynchronous error handling has been fixed so that a NULL inode can no longer be passed in this situation.
BZ#947582
XFS file systems were occasionally shut down with the "xfs_trans_ail_delete_bulk: attempting to delete a log item that is not in the AIL" error message. This happened because the EFI/EFD handling logic was incorrect and the EFI log item could have been freed before it was placed in the AIL and committed. A patch has been applied to the XFS code fixing the EFI/EFD handling logic and ensuring that the EFI log items are never freed before the EFD log items are processed. The aforementioned error no longer occurs on an XFS shutdown.
BZ#947275
A bug in the autofs4 mount expiration code could cause the autofs4 module to falsely report a busy tree of NFS mounts as "not in use". Consequently, automount attempted to unmount the tree and failed with a "failed to umount offset" error, leaving the mount tree to appear as empty directories. A patch has been applied to remove an incorrectly used autofs dentry mount check and the aforementioned problem no longer occurs.
BZ#927988
Cyclic adding and removing of the st kernel module could previously cause a system to become unresponsive. This was caused by a disk queue reference count bug in the SCSI tape driver. An upstream patch addressing this bug has been backported to the SCSI tape driver and the system now responds as expected in this situation.
BZ#927918
A previous update introduced a new failure mode to the blk_get_request() function returning the -ENODEV error code when a block device queue is being destroyed. However, the change did not include a NULL pointer check for all callers of the function. Consequently, the kernel could dereference a NULL pointer when removing a block device from the system, which resulted in a kernel panic. This update applies a patch that adds these missing NULL pointer checks. Also, some callers of the blk_get_request() function could previously return the -ENOMEM error code instead of -ENODEV, which would lead to incorrect call chain propagation. This update applies a patch ensuring that correct return codes are propagated.
BZ#790921
By default, the kernel uses a best-fit algorithm for allocating Virtual Memory Areas (VMAs) to map processed files to the address space. However, if an enormous number of small files (hundreds of thousands or millions) was being mapped, the address space became extremely fragmented, which resulted in significant CPU usage and performance degradation. This update introduces an optional next-fit policy which, if enabled, allows for mapping of a file to the first suitable unused area in the address space that follows after the previously allocated VMA.
BZ#960717
A rare race condition between the "devloss" timeout and discovery state machine could trigger a bug in the lpfc driver that nested two levels of spin locks in reverse order. The reverse order of spin locks led to a deadlock situation and the system became unresponsive. With this update, a patch addressing the deadlock problem has been applied and the system no longer hangs in this situation.
BZ#922999
An error in backporting the block reservation feature from upstream resulted in a missing allocation of a reservation structure when an allocation is required during the rename system call. Renaming a file system object (for example, file or directory) requires a block allocation for the destination directory. If the destination directory had not had a reservation structure allocated, a NULL pointer dereference occurred, leading to a kernel panic. With this update, a reservation structure is allocated before the rename operation, and a kernel panic no longer occurs in this scenario.
BZ#805407
A system could become unresponsive due to an attempt to shut down an XFS file system that was waiting for log I/O completion. A patch to the XFS code has been applied that allows for the shutdown method to be called from different contexts so XFS log items can be deleted properly even outside the AIL, which fixes this problem.
BZ#922931
A bug in the dm_btree_remove() function could cause leaf values to have incorrect reference counts. Removal of a shared block could result in space maps considering the block as no longer used. As a consequence, sending a discard request to a shared region of a thin device could corrupt its snapshot. The bug has been fixed to prevent corruption in this scenario.
BZ#980273
A recent change in the memory mapping code introduced a new optional next-fit algorithm for allocating VMAs to map processed files to the address space. This change, however, broke behavior of a certain internal function which then always followed the next-fit VMA allocation scheme instead of the first-fit VMA allocation scheme. Consequently, when the first-fit VMA allocation scheme was in use, this bug caused linear address space fragmentation and could lead to early "-ENOMEM" failures for mmap() requests. This patch restores the original first-fit behavior to the function so the aforementioned problems no longer occur.
BZ#922779
The GFS2 discard code did not calculate the sector offset correctly for block devices with the sector size of 4 KB, which led to loss of data and metadata on these devices. A patch correcting this problem has been applied so the discard and FITRIM requests now work as expected for the block devices with the 4 KB sector size.
BZ#1002765
A bug in the real-time (RT) scheduler could cause an RT priority process to stop running due to an invalid attribute of the run queue. When a CPU became affected by this bug, the migration kernel thread stopped running on the CPU, and subsequently every other process that was migrated to the affected CPU by the system stopped running as well. A patch has been applied to the RT scheduler and RT priority processes are no longer affected by this problem.
BZ#920794
When using the congestion window lock functionality of the ip utility, the system could become unresponsive. This happened because the tcp_slow_start() function could enter an infinite loop if the congestion window was locked using route metrics. A set of patches has been applied to comply with the upstream kernel, ensuring the problem no longer occurs in this scenario.
BZ#978609
A race condition in the abort task and SPP device task management path of the isci driver could, under certain circumstances, cause the driver to fail cleaning up timed-out I/O requests that were pending on an SAS disk device. As a consequence, the kernel removed such a device from the system. A patch applied to the isci driver fixes this problem by sending the task management function request to the SAS drive anytime the abort function is entered and the task has not completed. The driver now cleans up timed-out I/O requests as expected in this situation.
BZ#920672
Due to a race condition in the kernel's DMA initialization code, DMA requests from the hpsa and hpilo drivers could fail with IO_PAGE_FAULT errors during initialization of the AMD iommu driver on AMD systems with the IOMMU feature enabled. To avoid triggering this race condition, the kernel now executes the init_device_table_dma() function to block DMA requests from all devices only after the initialization of unity mappings is finished.
BZ#1003697
If the arp_interval and arp_validate bonding options were not enabled on the configured bond device in the correct order, the bond device did not process ARP replies, which led to link failures and changes of the active slave device. A series of patches has been applied to modify an internal bond ARP hook based on the values of arp_validate and arp_interval. Therefore, the ARP hook is registered even if arp_interval is set after arp_validate has already been enabled, and ARP replies are processed as expected.
BZ#920445
The kernel could rarely terminate instead of creating a dump file when a multi-threaded process using FPU aborted. This happened because the kernel did not wait until all threads became inactive and attempted to dump the FPU state of active threads into memory which triggered a BUG_ON() routine. A patch addressing this problem has been applied and the kernel now waits for the threads to become inactive before dumping their FPU state into memory.
BZ#962460
Previously, the Generic Receive Offload (GRO) functionality was not enabled by default for VLAN devices. Consequently, certain network adapters, such as Emulex Virtual Fabric Adapter (VFA) II, that use the be2net driver, were dropping packets when VLAN tagging was enabled and the 8021q kernel module was loaded. This update applies a patch that enables GRO by default for VLAN devices.
BZ#827548
A race condition between the read_swap_cache_async() and get_swap_page() functions in the Memory management (mm) code could lead to a deadlock situation. The deadlock could occur only on systems that deployed swap partitions on devices supporting block DISCARD and TRIM operations if kernel preemption was disabled (the !CONFIG_PREEMPT parameter). If the read_swap_cache_async() function was given a SWAP_HAS_CACHE entry that did not have a page in the swap cache yet, a DISCARD operation was performed in the scan_swap_map() function. Consequently, completion of an I/O operation was scheduled on the same CPU's working queue the read_swap_cache_async() was running on. This caused the thread in read_swap_cache_async() to loop indefinitely around its "-EEXIST" case, rendering the system unresponsive. The problem has been fixed by adding an explicit cond_resched() call to read_swap_cache_async(), which allows other tasks to run on the affected CPU, thus avoiding the deadlock.
BZ#987426
An infinite loop bug in the NFSv4 code caused an NFSv4 mount process to hang on a busy loop of the LOOKUP_ROOT operation when attempting to mount an NFSv4 file system and the first iteration on this operation failed. A patch has been applied that allows the LOOKUP_ROOT operation to exit properly and a mount attempt now either succeeds or fails in this situation.
BZ#828936
A bug in the OProfile tool led to a NULL pointer dereference while unloading the OProfile kernel module, which resulted in a kernel panic. The problem was triggered if the kernel was running with the nolapic parameter set and OProfile was configured to use the NMI timer interrupt. The problem has been fixed by correctly setting the NMI timer when initializing OProfile.
BZ#976915
An NFS client previously did not wait for unfinished I/O operations to complete before sending the LOCKU and RELEASE_LOCKOWNER operations to the NFS server in order to release byte range locks on files. Consequently, if the server processed the LOCKU and RELEASE_LOCKOWNER operations before some of the related READ operations, it released all locking states associated with the requested lock owner, and the READs returned the NFS4ERR_BAD_STATEID error code. This resulted in the "Lock reclaim failed!" error messages being generated in the system log and the NFS client had to recover from the error. A series of patches has been applied ensuring that an NFS client waits for all outstanding I/O operations to complete before releasing the locks.
BZ#918239
When the Red Hat Enterprise Linux 6 kernel runs as a virtual machine, it performs boot-time detection of the hypervisor in order to enable hypervisor-specific optimizations. Red Hat Enterprise Linux 6.4 introduces detection and optimization for the Microsoft Hyper-V hypervisor. Previously, Hyper-V was detected first; however, because some Xen hypervisors can attempt to emulate Hyper-V, this could lead to a boot failure when that emulation was not exact. A patch has been applied to ensure that the attempt to detect Xen is always done before Hyper-V, resolving this issue.
BZ#962976
If the audit queue is too long, the kernel schedules the kauditd daemon to alleviate the load on the audit queue. Previously, if the current audit process had any pending signals in such a situation, it entered a busy-wait loop for the duration of an audit backlog timeout because the wait_for_auditd() function was called as an interruptible task. This could lead to system lockup in non-preemptive uniprocessor systems. This update fixes the problem by setting wait_for_auditd() as uninterruptible.
BZ#833299
Due to a bug in firmware, systems using the LSI MegaRAID controller failed to initialize this device in the kdump kernel if the "intel_iommu=on" and "iommu=pt" kernel parameters were specified in the first kernel. As a workaround until a firmware fix is available, a patch to the megaraid_sas driver has been applied so that if the firmware is not in the ready state upon the first attempt to initialize the controller, the driver resets the controller and retries for firmware transition to the ready state.
BZ#917872
A previous change in the port auto-selection code allowed ports with no conflicts to be shared, extending their usage. Consequently, when binding a socket with the SO_REUSEADDR socket option enabled, the bind(2) function could allocate an ephemeral port that was already used. A subsequent connection attempt failed in such a case with the EADDRNOTAVAIL error code. This update applies a patch that modifies the port auto-selection code so that bind(2) now selects a non-conflicting port even with the SO_REUSEADDR option enabled.
BZ#994430
A previous patch to the bridge multicast code introduced a bug allowing reinitialization of an active timer for a multicast group whenever an IPv6 multicast query was received. A patch has been applied to the bridge multicast code so that a bridge multicast timer is no longer reinitialized when it is active.
BZ#916994
A kernel panic could occur during path failover on systems using multiple iSCSI, FC or SRP paths to connect an iSCSI initiator and an iSCSI target. This happened because a race condition in the SCSI driver allowed removing a SCSI device from the system before processing its run queue, which led to a NULL pointer dereference. The SCSI driver has been modified and the race is now avoided by holding a reference to a SCSI device run queue while it is active.
BZ#994382
The kernel's md driver contained multiple bugs, including a use-after-free bug in the raid10 code that could cause a kernel panic. Also, a data corruption bug in the raid5 code was discovered. The bug occurred when a hard drive was replaced while a RAID4, RAID5, or RAID6 array contained by the drive was in the process of recovery. A series of patches has been applied to fix all bugs that have been discovered. The md driver now contains necessary tests that prevent the mentioned use-after-free and data corruption bugs from occurring.
BZ#840860
The sunrpc code paths that wake up an RPC task are highly optimized for speed so the code avoids using any locking mechanism but requires precise operation ordering. Multiple bugs were found related to operation ordering, which resulted in a kernel crash involving either a BUG_ON() assertion or an incorrect use of a data structure in the sunrpc layer. These problems have been fixed by properly ordering operations related to the RPC_TASK_QUEUED and RPC_TASK_RUNNING bits in the wake-up code paths of the sunrpc layer.
BZ#916735
In the RPC code, when a network socket backed up due to high network traffic, a timer was set causing a retransmission, which in turn could cause an even larger amount of network traffic to be generated. To prevent this problem, the RPC code now waits for the socket to empty instead of setting the timer.
BZ#916726
When using parallel NFS (pNFS), a kernel panic could occur when a process was killed while getting the file layout information during the open() system call. A patch has been applied to prevent this problem from occurring in this scenario.
BZ#916722
Previously, when open(2) system calls were processed, the GETATTR routine did not check to see if valid attributes were also returned. As a result, the open() call succeeded with invalid attributes instead of failing in such a case. This update adds the missing check, and the open() call succeeds only when valid attributes are returned.
BZ#916361
The crypto_larval_lookup() function could return a larval, an in-between state when a cryptographic algorithm is being registered, even if it did not create one. This could cause a larval to be terminated twice, and result in a kernel panic. This occurred for example when the NFS service was run in FIPS mode, and attempted to use the MD5 hashing algorithm even though FIPS mode has this algorithm blacklisted. A condition has been added to the crypto_larval_lookup() function to check whether a larval was created before returning it.
BZ#976879
Previously, systems running heavily-loaded NFS servers could experience poor performance of the NFS READDIR operations on large directories that were undergoing concurrent modifications, especially over higher latency connections. This happened because the NFS code performed certain dentry operations inefficiently and revalidated directory attributes too often. This update applies a series of patches that address the problem as follows: needed dentries can be accessed from dcache after the READDIR operation, and directory attributes are revalidated only at the beginning of the directory or if the cached attributes expire.
BZ#976823
GFS2 did not reserve journal space for a quota change block while growing the size of a file. Consequently, a fatal assertion causing a withdraw of the GFS2 file system could have been triggered when the free blocks were allocated from the secondary bitmap. With this update, GFS2 reserves additional blocks in the journal for the quota change so the file growing transaction can now complete successfully in this situation.
BZ#976535
A previous patch to the CIFS code caused a regression of a problem where under certain conditions, a mount attempt of a CIFS DFS share fails with a "mount error(6): No such device or address" error message. This happened because the return code variable was not properly reset after a previous unsuccessful mount attempt. A backported patch has been applied to properly reset the variable and CIFS DFS shares can now be mounted as expected.
BZ#965002
A bug in the PCI driver allowed the use of a pointer to the Virtual Function (VF) device entry that was already freed. Consequently, when hot-removing an I/O unit with enabled SR-IOV devices, a kernel panic occurred. This update modifies the PCI driver so a valid pointer to the Physical Function (PF) device entry is used and the kernel no longer panics in this situation.
BZ#915834
A race condition could occur in the uhci-hcd kernel module if the IRQ line was shared with other devices. The race condition allowed the IRQ handler routine to be called before the data structures were fully initialized, which caused the system to become unresponsive. This update applies a patch that fixes the problem by adding a test condition to the IRQ handler routine; if the data structure initialization is still in progress, the handler routine finishes immediately.
BZ#975507
An insufficiently designed calculation in the CPU accelerator could cause an arithmetic overflow in the set_cyc2ns_scale() function if the system uptime exceeded 208 days prior to using kexec to boot into a new kernel. This overflow led to a kernel panic on the systems using the Time Stamp Counter (TSC) clock source, primarily the systems using Intel Xeon E5 processors that do not reset TSC on soft power cycles. A patch has been applied to modify the calculation so that this arithmetic overflow and kernel panic can no longer occur under these circumstances.
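The arithmetic behind the 208-day figure, as an added example (not the kernel's code). It assumes the upstream x86 conversion ns = (cycles * scale) >> 10 with scale = (10^6 << 10) / cpu_khz; the function names are illustrative. The 64-bit product wraps once the TSC represents roughly 2^54 ns, and splitting the multiplication is one way to avoid the wrap.

```c
#include <stdint.h>
#include <stdio.h>

#define CYC2NS_SCALE_FACTOR 10          /* assumed: shift used by the upstream x86 code */
#define NSEC_PER_MSEC       1000000ULL

/* Fixed-point multiplier such that ns = (cycles * scale) >> CYC2NS_SCALE_FACTOR. */
static uint64_t cyc2ns_scale(uint64_t cpu_khz)
{
    return (NSEC_PER_MSEC << CYC2NS_SCALE_FACTOR) / cpu_khz;
}

/* Naive conversion: the 64-bit product wraps silently once
 * cycles * scale reaches 2^64. */
static uint64_t cycles_to_ns_naive(uint64_t cycles, uint64_t scale)
{
    return (cycles * scale) >> CYC2NS_SCALE_FACTOR;
}

/* Overflow-safe form: split cycles into quotient and remainder of 2^10
 * so that no intermediate product needs more than 64 bits. */
static uint64_t cycles_to_ns_safe(uint64_t cycles, uint64_t scale)
{
    uint64_t q = cycles >> CYC2NS_SCALE_FACTOR;
    uint64_t r = cycles & ((1ULL << CYC2NS_SCALE_FACTOR) - 1);

    return q * scale + ((r * scale) >> CYC2NS_SCALE_FACTOR);
}

/* TSC value after the given number of days of uptime (TSC never reset). */
static uint64_t cycles_after_days(uint64_t cpu_khz, uint64_t days)
{
    return cpu_khz * 1000ULL * 86400ULL * days;
}

/* Uptime in days at which the naive product first exceeds 64 bits. */
static double naive_wrap_days(uint64_t cpu_khz)
{
    uint64_t max_cycles = UINT64_MAX / cyc2ns_scale(cpu_khz);
    double seconds = (double)max_cycles / ((double)cpu_khz * 1000.0);

    return seconds / 86400.0;
}

int main(void)
{
    uint64_t khz = 2000000ULL;          /* constructed sample: 2 GHz TSC */
    uint64_t scale = cyc2ns_scale(khz);
    uint64_t days[] = { 200, 209 };

    printf("naive product wraps after %.2f days\n", naive_wrap_days(khz));
    for (int i = 0; i < 2; i++) {
        uint64_t c = cycles_after_days(khz, days[i]);

        printf("day %llu: naive=%llu ns safe=%llu ns\n",
               (unsigned long long)days[i],
               (unsigned long long)cycles_to_ns_naive(c, scale),
               (unsigned long long)cycles_to_ns_safe(c, scale));
    }
    return 0;
}
```

Because the product is approximately nanoseconds times 2^10, the wrap point is close to 2^54 ns regardless of the clock frequency.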
BZ#915479
Due to a bug in the NFSv4 nfsd code, a NULL pointer could have been dereferenced when nfsd was looking up a path to the NFSv4 recovery directory for the fsync operation, which resulted in a kernel panic. This update applies a patch that modifies the NFSv4 nfsd code to open a file descriptor for fsync in the NFSv4 recovery directory instead of looking up the path. The kernel no longer panics in this situation.
BZ#858198
Previously, bond and bridge devices did not pass Generic Receive Offload (GRO) information to their slave devices, and bridge devices also did not propagate VLAN information to their ports. As a consequence, in environments with VLAN configured over a bridge or bonding device, performance of the slave devices configured on the bridge and bonding devices was significantly low. A series of patches has been applied that adds the GRO feature for bonding and bridge devices and allows VLANs to be registered with the participating bridge ports. If a slave device supports GRO, its performance is now significantly increased in environments with VLAN configured over a bridge or bonding device.
BZ#975211
Due to a bug in the NFS code, kernel size-192 and size-256 slab caches could leak memory. This could eventually result in an OOM issue when most of the available memory was used by the respective slab cache. A patch has been applied to fix this problem and the respective attributes in the NFS code are now freed properly.
BZ#913704
Previously, the NFS Lock Manager (NLM) did not resend blocking lock requests after NFSv3 server reboot recovery. As a consequence, when an application was running on an NFSv3 mount and requested a blocking lock, the application received an -ENOLCK error. This patch ensures that NLM always resends blocking lock requests after the grace period has expired.
BZ#862758
When counting CPU time, the utime and stime values are scaled based on rtime. Prior to this update, the utime value was multiplied with the rtime value, but an integer multiplication overflow could occur, and the resulting value could then be truncated to 64 bits. As a consequence, utime values visible in user space were stalled even if an application consumed a lot of CPU time. With this update, the multiplication is performed on stime instead of utime. This significantly reduces the chances of an overflow on most workloads because the stime value, unlike the utime value, cannot grow fast.
BZ#913660
In a case of a broken or malicious server, an index node (inode) of an incorrect type could be matched. This led to an NFS client NULL pointer dereference, and, consequently, to a kernel oops. To prevent this problem from occurring in this scenario, a check has been added to verify that the inode type is correct.
BZ#913645
A previously-applied patch introduced a bug in the ipoib_cm_destroy_tx() function, which allowed a CM object to be moved between lists without any supported locking. Under a heavy system load, this could cause the system to crash. With this update, proper locking of the CM objects has been re-introduced to fix the race condition, and the system no longer crashes under a heavy load.
BZ#966853
Previously, when booting a Red Hat Enterprise Linux 6.4 system and the ACPI Static Resource Affinity Table (SRAT) had a hot-pluggable bit enabled, the kernel considered the SRAT table incorrect and NUMA was not configured. This led to a general protection fault and a kernel panic occurring on the system. The problem has been fixed by using an SMBIOS check in the code in order to avoid the SRAT code table consistency checks. NUMA is now configured as expected and the kernel no longer panics in this situation.
BZ#912963
When booting the normal kernel on certain servers, such as HP ProLiant DL980 G7, some interrupts may have been lost, which resulted in the system being unresponsive or, rarely, even in data loss. This happened because the kernel did not set the correct destination mode during the boot; the kernel booted in "logical cluster mode", which is the default, while this system supported only "x2apic physical mode". This update applies a series of patches addressing the problem. The underlying APIC code has been modified so the x2apic probing code now checks the Fixed ACPI Description Table (FADT) and installs the x2apic "physical" driver as expected. Also, the APIC code has been simplified and the code now uses probe routines to select destination APIC mode and install the correct APIC drivers.
BZ#912867
Previously, the fsync(2) system call incorrectly returned the EIO (Input/Output) error instead of the ENOSPC (No space left on device) error. This was due to incorrect error handling in the page cache. This problem has been fixed and the correct error value is now returned.
BZ#912842
Previously, an NFS RPC task could enter a deadlock and become unresponsive if it was waiting for an NFSv4 state serialization lock to become available and the session slot was held by the NFSv4 server. This update fixes this problem along with the possible race condition in the pNFS return-on-close code. The NFSv4 client has also been modified to not accept delegated OPEN operations if a delegation recall is in effect. The client now also reports NFSv4 servers that try to return a delegation when the client is using the CLAIM_DELEGATE_CUR open mode.
BZ#912662
Due to the way the CPU time was calculated, an integer multiplication overflow bug could occur after several days of running CPU bound processes that were using hundreds of kernel threads. As a consequence, the kernel stopped updating the CPU time and provided an incorrect CPU time instead. This could confuse users and lead to various application problems. This update applies a patch fixing this problem by decreasing the precision of calculations when the stime and rtime values become too large. Also, a bug allowing stime values to be sometimes erroneously calculated as utime values has been fixed.
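The overflow described in this entry and in the BZ#862758 entry above, as an added example (illustrative C, not the kernel's implementation). Function names and tick values are constructed. It shows the wrapping 64-bit product, the effect of scaling stime instead of utime, and a precision-dropping variant for the case where stime and rtime are both large.

```c
#include <stdint.h>
#include <stdio.h>

struct cputime { uint64_t utime, stime; };

/* part * rtime / total with a plain 64-bit product: wraps silently
 * when part * rtime does not fit in 64 bits. */
static uint64_t scale_naive(uint64_t part, uint64_t rtime, uint64_t total)
{
    return total ? part * rtime / total : 0;
}

/* Same ratio, but one bit is dropped from the larger factor and from the
 * divisor until the product fits, trading precision for correctness. */
static uint64_t scale_reduced(uint64_t part, uint64_t rtime, uint64_t total)
{
    if (part == 0 || total == 0)
        return 0;
    while (rtime > UINT64_MAX / part) {     /* product would overflow */
        if (rtime >= part)
            rtime >>= 1;
        else
            part >>= 1;
        if (total > 1)                      /* keep the divisor non-zero */
            total >>= 1;
    }
    return part * rtime / total;
}

/* Earlier behaviour as the notes describe it: scale the fast-growing
 * utime with a plain product, derive stime from the remainder. */
static struct cputime adjust_before(uint64_t utime, uint64_t stime, uint64_t rtime)
{
    struct cputime out;

    out.utime = scale_naive(utime, rtime, utime + stime);
    out.stime = rtime - out.utime;
    return out;
}

/* Scale stime instead, with reduced precision when needed, and derive
 * utime from the remainder. */
static struct cputime adjust_after(uint64_t utime, uint64_t stime, uint64_t rtime)
{
    struct cputime out;

    out.stime = scale_reduced(stime, rtime, utime + stime);
    out.utime = rtime - out.stime;
    return out;
}

int main(void)
{
    /* Constructed sample, in ticks: user-heavy workload. */
    uint64_t u = 6000000000ULL, s = 2000000000ULL, r = 8000000000ULL;
    struct cputime before = adjust_before(u, s, r);
    struct cputime after = adjust_after(u, s, r);

    printf("before: utime=%llu stime=%llu\n",
           (unsigned long long)before.utime, (unsigned long long)before.stime);
    printf("after:  utime=%llu stime=%llu\n",
           (unsigned long long)after.utime, (unsigned long long)after.stime);

    /* Constructed sample where stime * rtime overflows as well. */
    printf("large stime: naive=%llu reduced=%llu\n",
           (unsigned long long)scale_naive(5000000000ULL, 11000000000ULL, 11000000000ULL),
           (unsigned long long)scale_reduced(5000000000ULL, 11000000000ULL, 11000000000ULL));
    return 0;
}
```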
BZ#967095
An NFS server could terminate unexpectedly due to a NULL pointer dereference caused by a rare race condition in the lockd daemon. An applied patch fixes this problem by protecting the relevant code with spin locks, and thus avoiding the race in lockd.
BZ#911359
Virtual LAN (VLAN) support of the eHEA ethernet adapter did not work as expected. A "device ethX has buggy VLAN hw accel" message could have been reported when running the "dmesg" command. This was because an upstream backport patch removed the vlan_rx_register() function. This update adds the function back, and eHEA VLAN support works as expected. This update also addresses a possible kernel panic, which could occur due to a NULL pointer dereference when processing received VLAN packets. The patch adds a test condition verifying whether a VLAN group is set by the network stack, which prevents a possible NULL pointer from being dereferenced, and the kernel no longer crashes in this situation.
BZ#910597
The kernel's implementation of RTAS (RunTime Abstraction Services) previously allowed the stop_topology_update() function to be called from an interrupt context during live partition migration on PowerPC and IBM System p machines. As a consequence, the system became unresponsive. This update fixes the problem by calling stop_topology_update() earlier in the migration process, and the system no longer hangs in this situation.
BZ#875753
Truncating files on a GFS2 file system could fail with an "unable to handle kernel NULL pointer dereference" error. This was because of a missing reservation structure that caused the truncate code to reference an incorrect pointer. To prevent this, a patch has been applied to allocate a block reservation structure before truncating a file.
BZ#909464
Previously, race conditions could sometimes occur in interrupt handling on the Emulex BladeEngine 2 (BE2) controllers, causing the network adapter to become unresponsive. This update provides a series of patches for the be2net driver, which prevents the race from occurring. The network cards using BE2 chipsets no longer hang due to incorrectly handled interrupt events.
BZ#908990
Previously, power-limit notification interrupts were enabled by default on the system. This could lead to degradation of system performance or even render the system unusable on certain platforms, such as Dell PowerEdge servers. A patch has been applied to disable power-limit notification interrupts by default and a new kernel command line parameter "int_pln_enable" has been added to allow users to observe these events using the existing system counters. Power-limit notification messages are also no longer displayed on the console. The affected platforms no longer suffer from degraded system performance due to this problem.
BZ#876778
A change in the ipmi_si driver handling caused an extensively long delay while booting Red Hat Enterprise Linux 6.4 on SGI UV platforms. The driver was loaded as a kernel module on previous versions of Red Hat Enterprise Linux 6 while it is now built within the kernel. However, SGI UV does not use, and thus does not support, the ipmi_si driver. A patch has been applied and the kernel now does not initialize the ipmi_si driver when booting on SGI UV.
BZ#908851
Previously, the queue limits were not being retained as they should have been if a device did not contain any data or if a multipath device temporarily lost all its paths. This problem has been fixed by avoiding a call to the dm_calculate_queue_limits() function.
BZ#908751
When adding a virtual PCI device, such as virtio disk, virtio net, e1000 or rtl8139, to a KVM guest, the kacpid thread reprograms the hot plug parameters of all devices on the PCI bus to which the new device is being added. When reprogramming the hot plug parameters of a VGA or QXL graphics device, the graphics device emulation requests flushing of the guest's shadow page tables. Previously, if the guest had a huge and complex set of shadow page tables, the flushing operation took a significant amount of time and the guest could appear to be unresponsive for several minutes. This resulted in exceeding the threshold of the "soft lockup" watchdog and the "BUG: soft lockup" events were logged by both the guest and host kernels. This update applies a series of patches that deal with this problem. The KVM's Memory Management Unit (MMU) now avoids creating multiple page table roots in connection with processors that support Extended Page Tables (EPT). This prevents the guest's shadow page tables from becoming too complex on machines with EPT support. MMU now also flushes only large memory mappings, which alleviates the situation on machines where the processor does not support EPT. Additionally, a free memory accounting race that could prevent KVM MMU from freeing memory pages has been fixed.
BZ#908608
Certain CPUs contain on-chip virtual-machine control structure (VMCS) caches that are used to keep active VMCSs managed by the KVM module. These VMCSs contain runtime information of the guest machines operated by KVM. These CPUs require support of the VMCLEAR instruction that allows flushing the cache's content into memory. The kernel previously did not use the VMCLEAR instruction in Kdump. As a consequence, when dumping a core of the QEMU KVM host, the respective CPUs did not flush VMCSs to the memory and the guests' runtime information was not included in the core dump. This problem has been addressed by a series of patches that implement support of using the VMCLEAR instruction in Kdump. The kernel now performs the VMCLEAR operation in Kdump if it is required by a CPU so the vmcore file of the QEMU KVM host contains all VMCS information as expected.
BZ#908524
When pNFS (parallel NFS) code was in use, a file locking process could enter a deadlock while trying to recover from a server reboot. This update introduces a new locking mechanism that avoids the deadlock situation in this scenario.
BZ#878708
Sometimes, the irqbalance tool could not get the CPU NUMA node information because of missing symlinks for CPU devices in sysfs. This update adds the NUMA node symlinks for CPU devices in sysfs, which is also useful when using irqbalance to build a CPU topology.
BZ#908158
The virtual file system (VFS) code had a race condition between the unlink and link system calls that allowed creating hard links to deleted (unlinked) files. This could, under certain circumstances, cause inode corruption that eventually resulted in a file system shutdown. The problem was observed in Red Hat Storage during rsync operations on replicated Gluster volumes that resulted in an XFS shutdown. A testing condition has been added to the VFS code, preventing hard links to deleted files from being created.
BZ#908093
When an inconsistency is detected in a GFS2 file system after an I/O operation, the kernel performs the withdraw operation on the local node. However, the kernel previously did not wait for an acknowledgement from the GFS control daemon (gfs_controld) before proceeding with the withdraw operation. Therefore, if a failure isolating the GFS2 file system from a data storage occurred, the kernel was not aware of this problem and an I/O operation to the shared block device may have been performed after the withdraw operation was logged as successful. This could lead to corruption of the file system or prevent the node from journal recovery. This patch modifies the GFS2 code so the withdraw operation no longer proceeds without the acknowledgement from gfs_controld, and the GFS2 file system can no longer become corrupted after performing the withdraw operation.
BZ#907844
If a logical volume was created on devices with thin provisioning enabled, the mkfs.ext4 command took a long time to complete, and the following message was recorded in the system log:
kernel: blk: request botched
This was caused by discard request merging that was not completely functional in the block and SCSI layers. This functionality has been temporarily disabled to prevent such problems from occurring.
BZ#907512
A previous patch that modified dcache and autofs code caused a regression. Due to this regression, unmounting a large number of expired automounts on a system under heavy NFS load caused soft lockups, rendering the system unresponsive. If a "soft lockup" watchdog was configured, the machine rebooted. To fix the regression, the erroneous patch has been reverted and the system now handles the aforementioned scenario properly without any soft lockups.
BZ#907227
Previously, when using parallel network file system (pNFS) and data was written to the appropriate storage device, the LAYOUTCOMMIT requests being sent to the metadata server could fail internally. The metadata server was not provided with the modified layout based on the written data, and these changes were not visible to the NFS client. This happened because the encoding functions for the LAYOUTCOMMIT and LAYOUTRETURN operations were defined as void, and thus returned an arbitrary status. This update corrects these encoding functions to return 0 on success as expected. The changes on the storage device are now propagated to the metadata server and can be observed as expected.
BZ#883905
When the Active Item List (AIL) becomes empty, the xfsaild daemon is moved to a task sleep state that depends on the timeout value returned by the xfsaild_push() function. The latest changes modified xfsaild_push() to return a 10-ms value when the AIL is empty, which sets xfsaild into the uninterruptible sleep state (D state) and artificially increased system load average. This update applies a patch that fixes this problem by setting the timeout value to the allowed maximum, 50 ms. This moves xfsaild to the interruptible sleep state (S state), avoiding the impact on load average.
BZ#905126
Previously, init scripts were unable to set the master interface MAC address properly because it was overwritten by the first slave MAC address. To avoid this problem, this update re-introduces the check for an unassigned MAC address before adopting the first slave's MAC address as its own.
BZ#884442
Due to a bug in the be2net driver, events in the RX, TX, and MCC queues were not acknowledged before closing the respective queue. This could cause unpredictable behavior when creating RX rings during the subsequent queue opening. This update applies a patch that corrects this problem and events are now acknowledged as expected in this scenario.
BZ#904726
Previously, the mlx4 driver set the number of requested MSI-X vectors to 2 under multi-function mode on mlx4 cards. However, the default setting of the mlx4 firmware allows for a higher number of requested MSI-X vectors (4 of them with the current firmware). This update modifies the mlx4 driver so that it uses these default firmware settings, which improves performance of mlx4 cards.
BZ#904025
Reading a large number of files from a pNFS (parallel NFS) mount and canceling the running operation by pressing Ctrl+C caused a general protection fault in the XDR code, which could manifest itself as a kernel oops with an "unable to handle kernel paging request" message. This happened because decoding of the LAYOUTGET operation is done by a worker thread and the caller waits for the worker thread to complete. When the reading operation was canceled, the caller stopped waiting and freed the pages. So the pages no longer existed at the time the worker thread called the relevant function in the XDR code. The cleanup process of these pages has been moved to a different place in the code, which prevents the kernel oops from happening in this scenario.
BZ#903644
A previous patch to the mlx4 driver enabled an internal loopback to allow communication between functions on the same host. However, this change introduced a regression that caused virtual switch (vSwitch) bridge devices using a Mellanox Ethernet adapter as the uplink to become inoperative in native (non-SRIOV) mode under certain circumstances. To fix this problem, the destination MAC address is written to Tx descriptors of transmitted packets only in SRIOV or eSwitch mode, or during the device self-test. Uplink traffic works as expected in the described setup.
BZ#887006
The Intel 5520 and 5500 chipsets do not properly handle remapping of MSI and MSI-X interrupts. If the interrupt remapping feature is enabled on the system with such a chipset, various problems and service disruption could occur (for example, a NIC could stop receiving frames), and the "kernel: do_IRQ: 7.71 No irq handler for vector (irq -1)" error message appears in the system logs. As a workaround to this problem, it has been recommended to disable the interrupt remapping feature in the BIOS on such systems, and many vendors have updated their BIOS to disable interrupt remapping by default. However, the problem is still being reported by users who do not have a BIOS level with this feature properly turned off. Therefore, this update modifies the kernel to check if the interrupt remapping feature is enabled on these systems and to provide users with a warning message advising them on turning off the feature and updating the BIOS.
BZ#887045
When booting a Red Hat Enterprise Linux 6 system that utilized a large number of CPUs (more than 512), the system could fail to boot or could appear to be unresponsive after initialization. This happened because the CPU frequency driver used a regular spin lock (cpufreq_driver_lock) to serialize frequency transitions, and this lock could, under certain circumstances, become a source of heavy contention during the system initialization and operation. A patch has been applied to convert cpufreq_driver_lock into a read-write lock, which resolves the contention problem. All Red Hat Enterprise Linux 6 systems now boot and operate as expected.
BZ#903220
A previous patch to the kernel introduced a bug by assigning a different value to the IFLA_EXT_MASK Netlink attribute than found in the upstream kernels. This could have caused various problems; for example, a binary compiled against upstream headers could have failed or behaved unexpectedly on Red Hat Enterprise Linux 6.4 and later kernels. This update realigns IFLA_EXT_MASK in the enumeration correctly by synchronizing the IFLA_* enumeration with the upstream. This ensures that binaries compiled against Red Hat Enterprise Linux 6.4 kernel headers will function as expected. Backwards compatibility is guaranteed.
BZ#887868
Due to a bug in the SCTP code, a NULL pointer dereference could occur when freeing an SCTP association that was hashed, resulting in a kernel panic. A patch addresses this problem by trying to unhash SCTP associations before freeing them and the problem no longer occurs.
BZ#888417
Previously, a kernel panic could occur on machines using the SCSI sd driver with Data Integrity Field (DIF) type 2 protection. This was because the scsi_register_driver() function registered the prep_fn() function that might have needed to use the sd_cdp_pool variable for the DIF functionality. However, the variable had not yet been initialized at this point. The underlying code has been updated so that the driver is registered last, which prevents a kernel panic from occurring in this scenario.
BZ#901747
The bnx2x driver could have previously reported an occasional MDC/MDIO timeout error along with the loss of the link connection. This could happen in environments using an older boot code because the MDIO clock was set in the beginning of each boot code sequence instead of per CL45 command. To avoid this problem, the bnx2x driver now sets the MDIO clock per CL45 command. Additionally, the MDIO clock is now implemented per EMAC register instead of per port number, which prevents ports from using different EMAC addresses for different PHY accesses. Also, boot code or Management Firmware (MFW) upgrade is required to prevent the boot code (firmware) from taking over link ownership if the driver's pulse is delayed. The BCM57711 card requires boot code version 6.2.24 or later, and the BCM57712/578xx cards require MFW version 7.4.22 or later.
BZ#990806
When the Audit subsystem was under heavy load, it could loop infinitely in the audit_log_start() function instead of failing over to the error recovery code. This would cause soft lockups in the kernel. With this update, the timeout condition in the audit_log_start() function has been modified to properly fail over when necessary.
BZ#901701
A previous kernel update broke queue pair (qp) hash list deletion in the qp_remove() function. This could cause a general protection fault in the InfiniBand stack or QLogic InfiniBand driver. A patch has been applied to restore the former behavior so the general protection fault no longer occurs.
BZ#896233
Under rare circumstances, if a TCP retransmission was partially acknowledged multiple times and collapsed, the used Socket Buffer (SKB) could become corrupted due to an overflow caused by the transmission headroom. This resulted in a kernel panic. The problem was observed rarely when using an IP-over-InfiniBand (IPoIB) connection. This update applies a patch that verifies whether a transmission headroom exceeded the maximum size of the used SKB, and if so, the headroom is reallocated. It was also discovered that a TCP stack could retransmit misaligned SKBs if a malicious peer acknowledged a sub-MSS frame and the output interface did not have a sequence generator (SG) enabled. This update introduces a new function that allows for copying of a SKB with a new head so the SKB remains aligned in this situation.
BZ#896020
When using transparent proxy (TProxy) over IPv6, the kernel previously created neighbor entries for local interfaces and peers that were not reachable directly. This update corrects this problem and the kernel no longer creates invalid neighbor entries.
BZ#894683
A previous change in the port auto-selection code allowed ports with no conflicts to be shared, extending their usage. Consequently, when binding a socket with the SO_REUSEADDR socket option enabled, the bind(2) function could allocate an ephemeral port that was already used. A subsequent connection attempt failed in such a case with the EADDRNOTAVAIL error code. This update applies a patch that modifies the port auto-selection code so that bind(2) now selects a non-conflicting port even with the SO_REUSEADDR option enabled.
BZ#893584
Timeouts could occur on an NFS client with heavy read workloads; for example when using rsync and ldconfig. Both client-side and server-side causes were found for the problem. On the client side, problems that could prevent the client reconnecting lost TCP connections have been fixed. On the server side, TCP memory pressure on the server forced the send buffer size to be lower than the size required to send a single Remote Procedure Call (RPC), which consequently caused the server to be unable to reply to the client. Code fixes are still being considered. To work around the problem, increase the minimum TCP buffer sizes, for example using:
echo "1048576 1048576 4194304" >/proc/sys/net/ipv4/tcp_wmem
BZ#895336
The Broadcom 5719 NIC could previously sometimes drop received jumbo frame packets due to cyclic redundancy check (CRC) errors. This update modifies the tg3 driver so that CRC errors no longer occur and Broadcom 5719 NICs process jumbo frame packets as expected.
BZ#896224
When running a high thread workload of small-sized files on an XFS file system, sometimes, the system could become unresponsive or a kernel panic could occur. This occurred because the xfsaild daemon had a subtle code path that led to lock recursion on the xfsaild lock when a buffer in the AIL was already locked and an attempt was made to force the log to unlock it. This patch removes the dangerous code path and queues the log force to be invoked from a safe locking context with respect to xfsaild. This patch also fixes the race condition between buffer locking and buffer pinned state that exposed the original problem by rechecking the state of the buffer after a lock failure. The system no longer hangs and kernel no longer panics in this scenario.
BZ#902965
The NFSv4.1 client could stop responding while recovering from a server reboot on an NFSv4.1 or pNFS mount with delegations disabled. This could happen due to insufficient locking in the NFS code and several related bugs in the NFS and RPC scheduler code which could trigger a deadlock situation. This update applies a series of patches which prevent possible deadlock situations from occurring. The NFSv4.1 client now recovers and continues with its workload as expected in the described situation.
BZ#1010840
The default sfc driver on Red Hat Enterprise Linux 6 allowed toggling the Large Receive Offset (LRO) flag on and off on a network device regardless of whether LRO was supported by the device or not. Therefore, when the LRO flag was enabled on devices without LRO support, the action had no effect and could confuse users. A patch to the sfc driver has been applied so that the sfc driver properly validates whether LRO is supported by the device. If the device does not support LRO, sfc disables the LRO flag so that users can no longer toggle it for that device.
BZ#886867
During device discovery, the system creates a temporary SCSI device with the LUN ID 0 if the LUN 0 is not mapped on the system. Previously, this led to a NULL pointer dereference because inquiry data was not allocated for the temporary LUN 0 device, which resulted in a kernel panic. This update adds a NULL pointer test in the underlying SCSI code, and the kernel no longer panics in this scenario.
BZ#886420
When a network interface (NIC) is running in promiscuous (PROMISC) mode, the NIC may receive and process VLAN tagged frames even though no VLAN is attached to the NIC. However, some network drivers, such as bnx2, igb, tg3, and e1000e, did not handle processing of packets with VLAN tagged frames in PROMISC mode correctly if the frames had no VLAN group assigned. The drivers processed the packets with incorrect routines and various problems could occur; for example, a DHCPv6 server connected to a VLAN could assign an IPv6 address from the VLAN pool to a NIC with no VLAN interface. To handle the VLAN tagged frames without a VLAN group properly, the frames have to be processed by the VLAN code, so the aforementioned drivers have been modified to refrain from performing a NULL value test of the packet's VLAN group field when the NIC is in PROMISC mode. This update also includes a patch fixing a bug where the bnx2x driver did not strip a VLAN header from the frame if no VLAN was configured on the NIC, and another patch that implements some register changes in order to enable receiving and transmitting of VLAN packets on a NIC even if no VLAN is registered with the card.
BZ#988460
When a slave device started up, the current_arp_slave parameter was unset but the active flags on the slave were not marked inactive. Consequently, more than one slave device with active flags in active-backup mode could be present on the system. A patch has been applied to fix this problem by marking the active flags inactive for a slave device before the current_arp_slave parameter is unset.
BZ#883575
Due to a bug in descriptor handling, the ioat driver did not correctly process pending descriptors on systems with the Intel Xeon Processor E5 family. Consequently, the CPU was utilized excessively on these systems. A patch has been applied to the ioat driver so the driver now determines pending descriptors correctly and CPU usage is normal again for the described processor family.
BZ#905561
A previous change in the bridge multicast code allowed sending general multicast queries in order to achieve faster convergence on startup. To prevent interference with multicast routers, the sent packets contained a zero source IP address. However, these packets interfered with certain multicast-aware switches, which resulted in the system being flooded with IGMP membership queries with a zero source IP address. A series of patches addresses this problem by disabling multicast queries by default and implementing a multicast querier that allows sending of general multicast queries to be turned on if needed.
BZ#882413
A bug was causing bad block detection to try to isolate which blocks were bad in a device that had suffered a complete failure - even when bad block tracking was not turned on. This was causing very large delays in returning I/O errors when the entire set of RAID devices was lost to failure. The large delays caused problems during disaster recovery scenarios. The bad block tracking code is now properly disabled and errors return in a timely fashion when enough devices fail in a RAID array to exceed its redundancy.
BZ#876600
Previously, running commands such as "ls", "find" or "move" on a MultiVersion File System (MVFS) could cause a kernel panic. This happened because the d_validate() function, which is used for dentry validation, called the kmem_ptr_validate() function to validate a pointer to a parent dentry. The pointer could have been freed at any time, so the kmem_ptr_validate() function could not guarantee that the pointer was safe to dereference, which could lead to a NULL pointer dereference. This update modifies d_validate() to verify the parent-child relationship by traversing the parent dentry's list of child dentries, which solves this problem. The kernel no longer panics in the described scenario.
BZ#1008705
The sfc driver exposes on-board flash partitions using the MTD subsystem and it must expose up to 9 flash partitions per board. However, the MTD subsystem in Red Hat Enterprise Linux 6 has a static limit of 32 flash partitions. As a consequence, the Solarflare tools cannot operate on all boards if more than 3 boards are installed, preventing firmware on some boards from being updated or queried for a version number. With this update, a new EFX_MCDI_REQUEST sub-command has been added to the driver-private SIOCEFX ioctl, which allows bypassing the MTD layer and sending requests directly to the controller's firmware. The Solarflare tools can now be used and the firmware on all installed devices can be updated as expected in this scenario.
BZ#871795
Previously, the VLAN code incorrectly cleared the timestamping interrupt bit for network devices using the igb driver. Consequently, timestamping failed on the igb network devices with Precision Time Protocol (PTP) support. This update modifies the igb driver to preserve the interrupt bit if interrupts are disabled.
BZ#869736
When using more than 4 GB of RAM with an AMD processor, reserved regions and memory holes (E820 regions) can also be placed above the 4 GB range. For example, on configurations with more than 1 TB of RAM, AMD processors reserve the 1012 GB - 1024 GB range for the Hyper Transport (HT) feature. However, the Linux kernel does not correctly handle E820 regions that are located above the 4 GB range. Therefore, when installing Red Hat Enterprise Linux on a machine with an AMD processor and 1 TB of RAM, a kernel panic occurred and the installation failed. This update modifies the kernel to exclude E820 regions located above the 4 GB range from direct mapping. The kernel also no longer maps the whole memory on boot but only finds memory ranges that are necessary to be mapped. The system can now be successfully installed on the above-described configuration.
BZ#867689
The kernel interface to ACPI had implemented error messaging incorrectly. The following error message was displayed when the system had a valid ACPI Error Record Serialization Table (ERST) and the pstore.backend kernel parameter had been used to disable use of ERST by the pstore interface:
ERST: Could not register with persistent store
However, the same message was also used to indicate errors precluding registration. A series of patches modifies the relevant ACPI code so that ACPI now properly distinguishes between the different cases and accordingly prints unique and informative messages.
BZ#965132
When setting up a bonding device, a certain flag was used to distinguish between TLB and ALB modes. However, usage of this flag in ALB mode allowed enslaving NICs before the bond was activated. This resulted in enslaved NICs not having unique MAC addresses as required, and consequent loss of "reply" packets sent to the slaves. This patch modifies the function responsible for the setup of the slave's MAC address so the flag is no longer needed to discriminate ALB mode from TLB, and the flag was removed. The described problem no longer occurs in this situation.
BZ#920752
A bug in the do_filp_open() function caused it to exit early if any write access was requested on a read-only file system. This prevented the opening of device nodes on a read-only file system. With this update, do_filp_open() has been fixed to no longer exit if a write request is made on a read-only file system.
BZ#981741
A dentry leak occurred in the FUSE code when, after a negative lookup, a negative dentry was neither dropped nor was the reference counter of the dentry decremented. This triggered a BUG() macro when unmounting a FUSE subtree containing the dentry, resulting in a kernel panic. A series of patches related to this problem has been applied to the FUSE code and negative dentries are now properly dropped so that triggering the BUG() macro is now avoided.
BZ#924804
This update reverts two previously-included qla2xxx patches. These patches changed the fibre channel target port discovery procedure, which resulted in some ports not being discovered in some corner cases. Reverting these two patches fixes the discovery issues.
BZ#957821
Due to a bug in the memory mapping code, the fadvise64() system call sometimes did not flush all the relevant pages of the given file from cache memory. A patch addresses this problem by adding a test condition that verifies whether all the requested pages were flushed and, if the test fails, retries after attempting to empty the LRU pagevecs.
BZ#957231
The xen-netback and xen-netfront drivers cannot handle packets with size greater than 64 KB including headers. The xen-netfront driver previously did not account for any headers when determining the maximum size of GSO (Generic Segmentation Offload). Consequently, Xen DomU guest operations could have caused a network DoS issue on DomU when sending packets larger than 64 KB. This update adds a patch that corrects calculation of the GSO maximum size and the problem no longer occurs.
BZ#848085
A possible race in the tty layer could result in a kernel panic after triggering the BUG_ON() macro. As a workaround, the BUG_ON() macro has been replaced by the WARN_ON() macro, which allows for avoiding the kernel panic and investigating the race problem further.
BZ#980876
A bug in the network bridge code allowed an internal function to call code which was not atomic-safe while holding a spin lock. Consequently, a "BUG: scheduling while atomic" error was triggered and a call trace was logged by the kernel. This update applies a patch that orders the function properly so the function no longer holds a spin lock while calling code which is not atomic-safe. The aforementioned error with a call trace no longer occurs in this case.
BZ#916806
An NFSv4 client could previously enter a deadlock situation with the state recovery thread during state recovery after a reboot of an NFSv4 server. This happened because the client did not release the NFSv4 sequence ID of an OPEN operation that was requested before the reboot. This problem is resolved by releasing the sequence ID before the client starts waiting for the server to recover.
BZ#859562
A bug in the device-mapper RAID kernel module was preventing the "sync" directive from being honored. The result was that users were unable to force their RAID arrays to undergo a complete resync if desired. This has been fixed and users can use 'lvchange --resync my_vg/my_raid_lv' to force a complete resynchronization on their LVM RAID arrays.

Enhancements

BZ#823012
This update provides simplified performance analysis for software on Linux on System z by using the Linux perf tool to access the hardware performance counters.
BZ#829506
The fnic driver previously allowed I/O requests with the number of SGL descriptors greater than is supported by Cisco UCS Palo adapters. Consequently, the adapter returned any I/O request with more than 256 SGL descriptors with an error indicating invalid SGLs. A patch has been applied to limit the maximum number of supported SGLs in the fnic driver to 256 and the problem no longer occurs.
BZ#840454
To transmit data, for example, trace data, from guests to hosts, a low-overhead communication channel was required. Support for the splice() call has been added to the virtio_console module in the Linux kernel. This enables sending guest kernel data to the host without extra copies of the data being made inside the guest. Low-overhead communication between the guest Linux kernel and host userspace is performed via virtio-serial.
BZ#888903
A new MTIOCTOP operation, MTWEOFI, has been added to the SCSI tape driver, which allows writing of "filemarks" with the "immediate" bit. This allows a SCSI tape drive to preserve the content of its buffer, enabling the next file operation to start immediately. This can significantly increase write performance for applications that have to write multiple small files to the tape while it also reduces tape weariness.
BZ#913650
Previously, a user needed to unmount, deactivate their RAID LV, and re-activate it in order to restore a transiently failed device in their array. Now it is possible to restore such devices without unmounting by simply running 'lvchange --refresh'.
BZ#923212
Open vSwitch (OVS) is an open-source, multi-layer software switch designed to be used as a virtual switch in virtualized server environments. Starting with Red Hat Enterprise Linux 6.4, the Open vSwitch kernel module is included as an enabler for Red Hat Enterprise Linux OpenStack Platform. Open vSwitch is only supported in conjunction with Red Hat products containing the accompanying user-space packages. Without these packages, Open vSwitch will not function and cannot be used with other Red Hat Enterprise Linux variants.
BZ#928983
The RHEL6.5 bfa driver changes behavior of the dev_loss_tmo value such that it can only be set to a value greater than the bfa driver specific path_tov value. The minimum default value that the dev_loss_tmo can be set to is 31 seconds. Attempting to set the dev_loss_tmo value lower than 31 seconds without lowering the default bfa path_tov value will not succeed.
BZ#929257
Error recovery support has been added to the flash device driver, which allows hardware service upgrades without negative impact on I/O of flash devices.
BZ#929259
The crypto adapter resiliency feature has been added. This feature provides System z typical RAS for cryptographic adapters through comprehensive failure recovery. For example, this feature handles unexpected failures or changes caused by Linux guest relocation, suspend and resume activities or configuration changes.
BZ#929262
The "fuzzy live dump" feature has been added. With this feature kernel dumps from running Linux systems can be created, to allow problem analysis without taking down systems. Because the Linux system continues running while the dump is written, and kernel data structures are changing during the dump process, the resulting dump contains inconsistencies.
BZ#929264, BZ#929264
The kernel now provides an offline interface for DASD devices. Instead of setting a DASD device offline and returning all outstanding I/O requests as failed, with this interface you can set a DASD device offline and write all outstanding data to the device before setting the device offline.
BZ#929274
The kernel now provides the Physical Channel ID (PCHID) mapping that enables hardware detection with a machine-wide unique identifier.
BZ#929275
The kernel now provides VEPA mode support. VEPA mode routes traffic between virtual machines on the same mainframe through an external switch. The switch then becomes a single point of control for security, filtering, and management.
BZ#755486, BZ#755486
Message Transfer Part Level 3 User Adaptation Layer (M3UA) is a protocol defined by the IETF standard for transporting MTP Level 3 user part signaling messages over IP using Stream Control Transmission Protocol (SCTP) instead of telephony equipment like ISDN and PSTN. With this update, M3UA measurement counters have been included for SCTP.
BZ#818344
Support for future Intel 2D and 3D graphics has been added to allow systems using future Intel processors to be certified through the Red Hat Hardware Certification program.
BZ#826061
In certain storage configurations (for example, configurations with many LUNs), the SCSI error handling code can spend a large amount of time issuing commands such as TEST UNIT READY to unresponsive storage devices. A new sysfs parameter, eh_timeout, has been added to the SCSI device object, which allows configuration of the timeout value for TEST UNIT READY and REQUEST SENSE commands used by the SCSI error handling code. This decreases the amount of time spent checking these unresponsive devices. The default value of eh_timeout is 10 seconds, which was the timeout value used prior to adding this functionality.
BZ#839470, BZ#839470
With this update, 12Gbps LSI SAS devices are now supported in Red Hat Enterprise Linux 6.
BZ#859446
Red Hat Enterprise Linux 6.5 introduces the Orlov block allocator that provides better locality for files which are truly related to each other and likely to be accessed together. In addition, when resource groups are highly contended, a different group is used to maximize performance.
BZ#869622
The mdadm tool now supports the TRIM commands for RAID0, RAID1, RAID10 and RAID5.
BZ#880142
Network namespace support for OpenStack has been added. Network namespaces (netns) is a lightweight container-based virtualization technology. A virtual network stack can be associated with a process group. Each namespace has its own loopback device and process space. Virtual or real devices can be added to each network namespace, and the user can assign IP addresses to these devices and use them as a network node.
BZ#908606
Support for dynamic hardware partitioning and system board slot recognition has been added. The dynamic hardware partitioning and system board slot recognition features alert high-level system middleware or applications for reconfiguration and allow users to grow the system to support additional workloads without reboot.
BZ#914771, BZ#920155, BZ#914797, BZ#914829, BZ#914832, BZ#914835
An implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux was introduced as a Technology Preview in Red Hat Enterprise Linux 6.4. The PTP infrastructure, both kernel and user space, is now fully supported in Red Hat Enterprise Linux 6.5. Network driver time stamping support now also includes the following drivers: bnx2x, tg3, e1000e, igb, ixgbe, and sfc.
BZ#862340
The Solarflare driver (sfc) has been updated to add PTP support as a Technology Preview.
BZ#918316
In Red Hat Enterprise Linux 6.5, users can change the cryptography hash function from MD5 to SHA1 for Stream Control Transmission Protocol (SCTP) connections.
BZ#922129
The pm8001/pm80xx driver adds support for PMC-Sierra Adaptec Series 6H and 7H SAS/SATA HBA cards as well as PMC Sierra 8081, 8088, and 8089 chip based SAS/SATA controllers.
BZ#922299
VMware Platform Drivers Updates: The VMware network para-virtualized driver has been updated to the latest upstream version.
BZ#922941
The Error-correcting code (ECC) memory has been enabled for a future generation of AMD processors. This feature provides the ability to check for performance and errors by accessing ECC memory related counters and status bits.
BZ#922965
Device support is enabled in the operating system for future Intel System-on-Chip (SOC) processors. These include Dual Atom processors, memory controller, SATA, Universal Asynchronous Receiver/Transmitter, System Management Bus (SMBUS), USB and Intel Legacy Block (ILB - lpc, timers, SMBUS (i2c_801 module)).
BZ#947944
Kernel Shared Memory (KSM) has been enhanced to consider non-uniform memory access (NUMA) when coalescing pages, which improves performance of the applications on the system. Also, additional page types have been included to increase the density of applications available for Red Hat OpenShift.
BZ#949805
FUSE (Filesystem in User Space) is a framework that allows for development of file systems purely in the user space without requiring modifications to the kernel. Red Hat Enterprise Linux 6.5 delivers performance enhancements for user space file systems that use FUSE, for example, GlusterFS (Red Hat Storage).
All Red Hat Enterprise Linux 6 users are advised to install these updated packages, which correct these issues, and fix the bugs and add the enhancements noted in the Red Hat Enterprise Linux 6.5 Release Notes and Technical Notes. The system must be rebooted for this update to take effect.

8.83. kexec-tools

Updated kexec-tools packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The kexec-tools packages contain the /sbin/kexec binary and utilities that together form the user-space component of the kernel's kexec feature. The /sbin/kexec binary facilitates a new kernel to boot using the kernel's kexec feature either on a normal or a panic reboot. The kexec fastboot mechanism allows booting a Linux kernel from the context of an already running kernel.

Bug Fixes

BZ#1015764
Previously, in the mkdumprd utility, the strip_comments() function was not implemented correctly. When arguments were passed to strip_comments(), it only took the first argument into account and skipped the rest. As a consequence, it passed the "makedumpfile" argument to the $config_val variable, but the parameters for "makedumpfile" were missed. With this update, the strip_comments() function has been modified. As a result, it no longer skips arguments passed to it.
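The bug class described above, as an added example that is not taken from the kexec-tools source: a helper that reads only its first positional parameter loses everything after the first word once the caller's value is word-split. The function bodies, the `core_collector_value` helper and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added illustration of the bug class described above; the function bodies
# are assumptions and are not copied from the kexec-tools source.

# Buggy form: only the first positional parameter is looked at, so every
# word after the first one is silently dropped.
strip_comments_buggy() {
    printf '%s\n' "$1" | sed -e 's/\(.*\)#.*/\1/'
}

# Fixed form: all positional parameters are joined, the trailing comment is
# removed, and the whitespace left in front of the comment is trimmed.
strip_comments_fixed() {
    printf '%s\n' "$*" | sed -e 's/\(.*\)#.*/\1/' -e 's/[[:space:]]*$//'
}

# Constructed kdump.conf-style sample, embedded so the example runs offline.
sample_config() {
    cat <<'EOF'
# constructed sample configuration
path /var/crash
core_collector makedumpfile -c --message-level 1 -d 31   # compress, filter pages
EOF
}

# Print what ends up as the collector command line when the given stripper
# function is used while reading the configuration.
core_collector_value() {
    stripper=$1
    sample_config | while read -r config_opt config_val; do
        case $config_opt in
            core_collector)
                # Deliberately unquoted: the value is word-split into several
                # arguments, which is exactly when the buggy form loses data.
                $stripper $config_val
                ;;
        esac
    done
}

echo "buggy: $(core_collector_value strip_comments_buggy)"
echo "fixed: $(core_collector_value strip_comments_fixed)"
```

With the buggy helper the dump would run with no compression or filtering options at all, which is easy to miss because the collector name itself is still present.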
BZ#886572
When the kdump file system resided on a logical volume or a volume group with another independent and encrypted device, the mkdumprd utility exited with an error message when trying to access the encrypted device, preventing kdump from functioning properly. A patch has been provided to address this problem and kdump is now properly reconfigured and restarted in the described scenario, thus fixing this bug.
BZ#920705
Certain multi-port network cards return the same PCI bus address for all ports. When the kdump utility maps the network ports, it cannot differentiate one network port from another on these cards. Consequently, when different network ports were on different networks, kdump failed to dump data over NFS or SSH. This update ensures that the MAP_NET_BY_MAC variable is set in the described scenario and kdump now dumps data for all ports as expected.
BZ#883543
Previously, a udev rule in the 98-kexec.rules file spawned processes that restarted the kdump tool with each memory added. To fix this bug, the "condrestart" parameter is used when attempting to restart a service that was previously running. As a result, kdump is no longer restarted when a restart is not needed.
BZ#921142
Previously, kernel modules in the extra_modules list were overridden by the built-in blacklist. Consequently, kdump was unable to load the mlx4_core and mlx4_en modules and dump data over network cards using these modules. With this update, modules in the extra_modules list are not excluded if they are blacklisted and kdump can use them as expected.
BZ#1008543
Previously, in makedumpfile, the dumpfile header had a field which was inherited from the deprecated "diskdump" facility. The field was used by the crash utility as a delimiter to determine whether a physical address read request was legitimate. The field could not handle Physical Frame Number (PFN) values greater than 32-bits and such values were truncated. This update adds three new fields to the header. As a result, the dumpfile header in makedumpfile correctly handles PFN values greater than 32-bits.
BZ#876667
Previously, for some kernel modules, the "modprobe --show-depends" command's output did not have the "insmod" prefix for every line. Consequently, the mkdumprd utility failed to load as the current code assumed that each line started with the "insmod" prefix. The code has been modified to only match lines starting with "insmod" in awk scripts. As a result, mkdumprd no longer fails to load in this scenario.
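A sketch of the parsing difference described above, added here and not taken from mkdumprd: modprobe prints applicable install rules with the prefix "install" rather than "insmod", so a filter that takes the second field of every line picks up a command path instead of a module file. The sample output, KVER and the module names are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample of `modprobe --show-depends` output. KVER and the module
# names are placeholders. The middle line is an install rule, which modprobe
# prints with the prefix "install" instead of "insmod".
sample_show_depends() {
    cat <<'EOF'
insmod /lib/modules/KVER/kernel/drivers/net/mdio.ko
install /sbin/modprobe --ignore-install example_nic
insmod /lib/modules/KVER/kernel/drivers/net/example_nic.ko debug=1
EOF
}

# Fragile: assumes every line is "insmod <path> [options]" and takes field 2.
module_paths_any_line() {
    awk '{ print $2 }'
}

# Robust: only lines whose first field is exactly "insmod" name a module file.
module_paths_insmod_only() {
    awk '$1 == "insmod" { print $2 }'
}

# Report what was skipped, so an unexpected prefix shows up in the build log
# instead of disappearing silently.
skipped_lines() {
    awk 'NF > 0 && $1 != "insmod" { print "skipped: " $0 }'
}

# Exit status 0 only if every path read from stdin ends in ".ko".
all_are_module_files() {
    awk '!/\.ko$/ { bad = 1 } END { exit bad + 0 }'
}

echo "fragile filter:"
sample_show_depends | module_paths_any_line
echo "insmod-only filter:"
sample_show_depends | module_paths_insmod_only
sample_show_depends | skipped_lines
```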
BZ#1009207
Previously, in cyclic mode, makedumpfile incorrectly recalculated the size of the cyclic buffer. As a consequence, makedumpfile did not update the length of the range of a cycle in page frame numbers, which caused a buffer overrun or a segmentation violation. Furthermore, due to the divideup() function in the recalculations, the cyclic buffer size became too much aligned and less efficient. A patch has been provided to fix these bugs and the aforementioned problems no longer occur in this scenario.
BZ#1010103
The x86_64 kernel is a relocatable kernel, and there can be a gap between the physical address statically assigned to the kernel data and text, and the address that is really assigned to each object corresponding to the kernel symbols. The gap is the phys_base() function. The makedumpfile utility calculates the phys_base in an ad-hoc way that compares the addresses of some occurrences of "Linux kernel" strings in a certain range of the vmcore. As a consequence, makedumpfile failed to calculate phys_base and also failed to convert a vmcore. This bug has now been fixed and makedumpfile calculates phys_base correctly and converts vmcore normally.
BZ#893764
Previously, setting empty Direct Access Storage Device (DASD) options, parsed from the /etc/dasd.conf file, resulted in displaying environment variables. As a consequence, restarting the kdump service displayed the complete kdump script. After this update, if there are no options specified in the /etc/dasd.conf file for a device, the kdump script proceeds to the next one. As a result, restarting the kdump service no longer displays the complete kdump script.
BZ#918372
Previously, kdump data written on a raw device was not completely flushed. As a consequence, the saved vmcore was occasionally incomplete. This update uses the blockdev tool to flush out block device buffers. As a result, vmcore saved on a raw device is now always complete.
BZ#903529
Previously, because Storage Class Memory (SCM) devices did not expose the same sysfs attributes as Small Computer System Interface (SCSI) disks, the mkdumprd utility failed to determine the list of "critical disks" for writing a dump file. As a consequence, certain SCM devices were not correctly handled by mkdumprd, resulting in an infinite loop when trying to specify a file system on such a device as target for kdump. After this update, mkdumprd now handles waiting for SCM devices based on the device's storage increment address, a property which uniquely identifies an SCM device across reboots. As a result, mkdumprd now successfully determines the list of "critical disks" for writing a dump file and an infinite loop no longer occurs.
BZ#906601
Previously, on a system configured with multipath support, the mkdumprd tool pushed the code handling multipath devices into the kdump initrd. As a consequence, the kdump utility failed to capture vmcore on multipath devices. This update introduces a mechanism where the call to the kpartx utility is delayed until the "dmsetup ls" command lists the device names which match the multipath device where a vmcore is going to be captured. As a result, mkdumprd now waits until the multipath devices are created and then successfully captures a vmcore on them.
BZ#977651
Previously, when Red Hat Enterprise Linux was configured to use the hugepages parameter, the kdump kernel also used this parameter. As a consequence, due to its limited memory, using hugepages could lead to an Out Of Memory (OOM) error for the kdump kernel. With this update, hugepages and hugepagesz kernel parameters are not used by the kdump kernel when the Red Hat Enterprise Linux is using them. If the user wants to explicitly use hugepages in the kdump kernel, they can be specified through the KERNEL_COMMANDLINE_APPEND option in the /etc/sysconfig/kdump file.
BZ#963948
Previously, when additional RAM was added to a VMware guest, multiple instances of the kdump.init script were started concurrently. As a consequence, a race condition occurred among the kdump.init instances. With the introduction of a global mutex lock, only one instance can now acquire the lock and run, while the others wait for the lock in a queue. As a result, the kdump.init instances are run in serial order and a race condition no longer occurs in this scenario.
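One way to serialize concurrent runs of a script, added here as an example and not the kdump.init code: the page does not say how the lock is implemented, so the use of flock(1), the lock path and all function names are assumptions. Three runs are started at once and the log is checked for overlap.

```shell
#!/bin/sh
# Added illustration: serializing concurrent runs with flock(1). The lock
# path and function names are hypothetical, not taken from kdump.init.

# Run "$@" while holding an exclusive lock on the file named by $1. Callers
# that arrive while the lock is held block in flock until it is released.
# In a real service the lock file belongs in a root-owned directory, not in
# a world-writable one.
run_locked() {
    lockfile=$1
    shift
    (
        flock -x 9 || exit 1
        "$@"
    ) 9>"$lockfile"
}

# Stand-in for the work a restart does: log entry to and exit from the
# critical section ($1 = log file, $2 = run id).
critical_section() {
    echo "start $2" >>"$1"
    sleep 0.2
    echo "end $2" >>"$1"
}

# Exit status 0 when the log ($1) shows strictly alternating start/end pairs
# for the expected number of runs ($2), that is, no two runs overlapped.
log_is_serial() {
    awk -v want="$2" '
        $1 == "start" { if (cur != "") bad = 1; cur = $2; next }
        $1 == "end"   { if (cur != $2) bad = 1; cur = ""; n++; next }
        END { exit (bad || cur != "" || n != want) ? 1 : 0 }
    ' "$1"
}

# Start three runs at the same time through the lock and report whether
# they were serialized.
demo_serialized() {
    dir=$(mktemp -d) || return 1
    for id in 1 2 3; do
        run_locked "$dir/lock" critical_section "$dir/log" "$id" &
    done
    wait
    if log_is_serial "$dir/log" 3; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

if demo_serialized; then
    echo "runs were serialized"
fi
```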
BZ#951035
Previously, when the e2fsprogs package, which contains tools used by the mkdumprd utility, was not installed on the system, mkdumprd displayed a misleading error message. With this update, the error message has been improved to explicitly inform the user which of these tools is missing.

Enhancements

BZ#959449
This update allows the kdump tool to work with an arbitrary bridge, bond or vlan names over a network. Now, it is possible to name a device without following the established naming conventions, for example, bonding devices do not need to start with "bond". The user can determine whether a network device is a bond, bridge or vlan by checking for the existence of specific directories in the /sys/ or /proc/ directories.
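A sketch of classifying a device by what the kernel exposes for it rather than by its name, added here and not taken from the kdump scripts: the page does not name the directories, so the paths used (`/sys/class/net/<dev>/bonding`, `/sys/class/net/<dev>/bridge`, `/proc/net/vlan/<dev>`) are this example's choice, and the root-prefix argument and sample tree are constructed for testing.

```shell
#!/bin/sh
# Added illustration: classify a network device by kernel-exposed entries,
# never by its name. The optional second argument is a hypothetical root
# prefix that points the check at a test tree instead of the live system.
netdev_kind() {
    dev=$1
    root=${2:-}
    # Interface names never contain "/" and are never "." or ".."; refuse
    # such input so the name cannot walk outside the expected directories.
    case $dev in
        ''|.|..|*/*) echo invalid; return 2 ;;
    esac
    if [ -d "$root/sys/class/net/$dev/bonding" ]; then
        echo bond
    elif [ -d "$root/sys/class/net/$dev/bridge" ]; then
        echo bridge
    elif [ -e "$root/proc/net/vlan/$dev" ]; then
        echo vlan
    elif [ -e "$root/sys/class/net/$dev" ]; then
        echo other
    else
        echo missing
        return 1
    fi
}

# Build a constructed sample tree under $1 with deliberately unconventional
# names: a bond called "uplink", a bridge called "dmz", a VLAN called
# "storage", and an ordinary device that is merely named "bond7".
build_sample_tree() {
    mkdir -p "$1/sys/class/net/uplink/bonding" \
             "$1/sys/class/net/dmz/bridge" \
             "$1/sys/class/net/storage" \
             "$1/sys/class/net/bond7" \
             "$1/proc/net/vlan"
    : >"$1/proc/net/vlan/storage"
}

demo_root=$(mktemp -d) && build_sample_tree "$demo_root" && {
    for d in uplink dmz storage bond7 nosuch; do
        printf '%-8s %s\n' "$d" "$(netdev_kind "$d" "$demo_root" || true)"
    done
    rm -rf "$demo_root"
}
```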
BZ#871522
With this update, kexec-tools now respect the memory limit while building crash memory ranges on a 64-bit PowerPC. The kernel exports memory limit information through the /proc/device-tree file, which kexec-tools now read and limit the crash memory ranges accordingly.
BZ#825476, BZ#902147, BZ#902148
In Red Hat Enterprise Linux 6.5, the makedumpfile utility supports the Lempel–Ziv–Oberhumer (LZO) and snappy compression formats. Using these compression formats instead of the zlib format is quicker, in particular when compressing data with randomized content.
BZ#947621
This update includes changes to allow filtering of poisoned pages during a crash dump capture. The user can now decide if poisoned pages are dumped. Furthermore, filtering can increase dumping speed.
BZ#797231
This update adds an SELinux relabeling during kdump service startup. The kdump service now relabels files in the dumping path which have an incorrect or missing label.
BZ#909402
In previous Red Hat Enterprise Linux releases, support for SSH FIPS mode was incomplete. This update adds the relevant library files and *.hmac files to the kdump kernel. The kdump utility can now work in SSH FIPS mode.
BZ#975642
This update adds documentation for the "--allow-missing" mkdumprd option to the mkdumprd(8) manual page.
Users of kexec-tools are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.84. ksh

Updated ksh packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
KornShell (KSH) is a Unix shell developed by AT&T Bell Laboratories, which is backward-compatible with the Bourne shell (Bash) and includes many features of the C shell. The most recent version is KSH-93. KornShell complies with the POSIX.2 standard (IEEE Std 1003.2-1992).

Upgrade to an upstream version

The ksh package has been upgraded to upstream version 20120801, which provides a number of bug fixes and enhancements over the previous version. (BZ#840568)

Bug Fixes

BZ#761551
Previously, the ksh shell did not set any editing mode as default, which caused various usability problems in interactive mode and with shell auto-completion. This update sets emacs editing mode as default for new users. As a result, the usability is significantly improved and the shell auto-completion works as expected.
BZ#858263
Previously, the ksh internal counter of jobs was too small. Consequently, when a script used a number of subshells in a loop, a counter overflow could occur causing the ksh shell to terminate unexpectedly with a segmentation fault. This update modifies ksh to use bigger types for counter variables. As a result, ksh no longer crashes in the described scenario.
BZ#903750
Previously, the ksh shell did not compute an offset for fixed size variables correctly. As a consequence, when assigning a right-justified variable with a fixed width to a smaller variable, the new variable could have an incorrect content. This update applies a patch to fix this bug and the assignment now proceeds as expected.
BZ#913110
Previously, the output of command substitutions was not always redirected properly. Consequently, the output in a here-document could be lost. This update fixes the redirection code for command substitutions and the here-document now contains the output as expected.
BZ#921455, BZ#982142
Using arrays inside of ksh functions, command aliases, or automatically loaded functions caused memory leaks to occur. The underlying source code has been modified to fix this bug and the memory leaks no longer occur in the described scenario.
BZ#922851
Previously, the ksh SIGTSTP signal handler could trigger another SIGTSTP signal. Consequently, ksh could enter an infinite loop. This updated version fixes the SIGTSTP signal processing and ksh now handles the signal without any problems.
BZ#924440
Previously, the ksh shell did not resize the file descriptor list every time it was necessary. This could lead to memory corruption when several file descriptors were used. As a consequence, ksh terminated unexpectedly. This updated version resizes the file descriptor list every time it is needed, and ksh no longer crashes in the described scenario.
BZ#960034
Previously, the ksh shell ignored the "-m" argument specified by the command line. As a consequence, ksh did not enable monitor mode and the user had to enable it in a script. With this update, ksh no longer ignores the argument so that the user is able to enable monitor mode from the command line as expected.
BZ#994251
The ksh shell did not handle I/O redirections from command substitutions inside a pipeline correctly. Consequently, the output of certain commands could be lost. With this update, the redirections have been fixed and data is no longer missing from the command outputs.
Users of ksh are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.85. ledmon

Updated ledmon packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The ledmon and ledctl utilities are user-space applications designed to control LEDs associated with each slot in an enclosure or a drive bay. There are two types of systems: 2-LED system (Activity LED, Status LED) and 3-LED system (Activity LED, Locate LED, Fail LED). Users must have root privileges to use this application.

Upgrade to an upstream version

The ledmon packages have been upgraded to upstream version 0.78, which provides a number of bug fixes and enhancements over the previous version. (BZ#922976, BZ#876593, BZ#887370)
Users of ledmon are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.86. libXcursor

Updated libXcursor packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The X.Org's X11 libXcursor package provides a runtime library for cursor management, designed to help locate and load cursors.

Bug Fix

BZ#949586
In the last rebuild of libXcursor, the Icon Theme was changed to Adwaita, which was not available in Red Hat Enterprise Linux 6. To fix this bug, the Icon Theme has been changed back to dmz-aa for Red Hat Enterprise Linux 6.
Users of libXcursor are advised to upgrade to these updated packages, which fix this bug.

8.87. libcgroup

Updated libcgroup packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
The libcgroup packages provide tools and libraries to manage and monitor control groups.

Bug Fixes

BZ#972893
Previously, the pam_cgroup pluggable authentication module (PAM) did not use caching. As a consequence, when a system had several thousand users and the cgrules.conf file contained several thousand lines of configuration settings, the login time could take several seconds. With this update, the libcgroup code no longer reads the /etc/passwd file once for every line in cgrules.conf, and the login time is no longer affected in the described scenario.
BZ#863172
Prior to this update, the cgroup files did not have write permissions set correctly. Consequently, members of the group that owned the cgroup files could not modify their content. The group permissions have been updated, and the members of the group can now modify the content of the cgroup files.
BZ#921328
Previously, the behavior of the cgred service when opening the configuration file was not set correctly. Consequently, cgred failed to start if the configuration file was missing or empty. Explicit checks for the existence of the configuration file have been removed, and cgred now starts with a missing or empty configuration file as expected.
BZ#912425
The code in the cg_get_pid_from_flags() function assumed that every entry in the /etc/cgrules.conf file had the process name specified. As a consequence, if the entry in the /etc/cgrules.conf file did not specify the process name, the cgred service terminated unexpectedly with a segmentation fault. This update allows the code to accept empty process names and cgred no longer crashes.
BZ#946953
Prior to this update, the permissions of the /bin/cgclassify file were set incorrectly. As a consequence, the "--sticky" option of the cgclassify command was ignored when running under a non-privileged user. The file permissions of /bin/cgclassify have been updated, and the "--sticky" option now works correctly for regular users.
BZ#753334
Previously, using commas in the lexical analyzer was not supported. As a consequence, the cgconfig service failed to parse commas in the cgconfig.conf file. Support for commas in the lexical analyzer has been added, and cgconfig can now successfully parse commas in cgconfig.conf.
BZ#924399
The cgrulesengd daemon had a different default logging level than the rest of the library. Consequently, the log messages were inconsistent. With this update, the logging level of the cgrulesengd daemon and the library has been unified, and the log messages are now consistent as expected.
BZ#809550
Prior to this update, the cgcreate(1) manual page contained the invalid "-s" option in the synopsis. This update removes this option.
BZ#961844
Previously, the cgred service was starting too early in the boot process. As a consequence, if some services started before cgred, they could avoid being restricted. The boot priority of cgred has been lowered, and all services are now restricted correctly.

Enhancement

BZ#589535
After this update, the cgred daemon supports automated control groups for every user in any UNIX group that logs in. A template is now used to create a new control group automatically, and every process the user launches is started in the appropriate group, which makes managing multiple users easier.
Users of libcgroup are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

8.88. libdrm

Updated libdrm packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Direct Rendering Manager runtime library (libdrm) provides a user-space interface library for direct rendering clients.

Upgrade to an upstream version

The libdrm packages have been upgraded to upstream version 2.4.45, which provides a number of bug fixes and enhancements over the previous version. (BZ#914774)
Users of libdrm are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.89. libguestfs

Updated libguestfs packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE link(s) associated with each description below.
Libguestfs is a library and set of tools for accessing and modifying guest disk images.

Upgrade to an upstream version

The libguestfs package has been upgraded to upstream version 1.20.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#958183)

Security Fix

CVE-2013-4419
It was found that guestfish, which enables shell scripting and command line access to libguestfs, insecurely created the temporary directory used to store the network socket when started in server mode. A local attacker could use this flaw to intercept and modify another user's guestfish commands, allowing them to perform arbitrary guestfish actions with the privileges of a different user, or use this flaw to obtain authentication credentials.
This issue was discovered by Michael Scherer of the Red Hat Regional IT team.
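The bug class behind CVE-2013-4419, as an added example that is not guestfish's or Red Hat's code: a per-user socket directory under a shared location such as /tmp is only trustworthy if the program verifies what is actually at that path. The function names, directory names and the three constructed preconditions below are assumptions for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Weak pattern (constructed for contrast): create the directory and treat
 * "already exists" as success without inspecting what exists there. */
int sockdir_unchecked(const char *dir)
{
    if (mkdir(dir, 0700) == -1 && errno != EEXIST)
        return -1;
    return 0;
}

/* Hardened pattern: after mkdir, validate the object found at the path.
 * Returns 0 only for a real directory, owned by us, with mode exactly 0700. */
int sockdir_checked(const char *dir)
{
    struct stat sb;

    if (mkdir(dir, 0700) == -1 && errno != EEXIST)
        return -1;
    /* lstat, not stat: a symlink sitting at this path must not be followed. */
    if (lstat(dir, &sb) == -1)
        return -1;
    if (!S_ISDIR(sb.st_mode))
        return -1;                      /* symlink, file, socket, ... */
    if (sb.st_uid != geteuid())
        return -1;                      /* someone else created it first */
    if ((sb.st_mode & 0777) != 0700)
        return -1;                      /* group/other could reach the socket */
    return 0;
}

/* Constructed states the path may be in before the program starts. */
enum precondition { FRESH, PRECREATED_OPEN, SYMLINK_PLANTED };

/* Builds one precondition inside a private scratch directory, runs the given
 * setup function on it, cleans up, and returns the function's verdict
 * (-2 means the scratch area itself could not be prepared). */
int run_case(int (*setup_dir)(const char *), enum precondition pre)
{
    char base[] = "/tmp/sockdir-demo-XXXXXX";
    char dir[128], other[128];
    int rc;

    if (mkdtemp(base) == NULL)
        return -2;
    snprintf(dir, sizeof dir, "%s/.ctl-%lu", base, (unsigned long)geteuid());
    snprintf(other, sizeof other, "%s/elsewhere", base);

    if (pre == PRECREATED_OPEN) {
        /* Path already exists with permissive mode bits. */
        if (mkdir(dir, 0700) != 0 || chmod(dir, 0777) != 0)
            return -2;
    } else if (pre == SYMLINK_PLANTED) {
        /* Path already exists as a symlink to some other directory. */
        if (mkdir(other, 0700) != 0 || symlink(other, dir) != 0)
            return -2;
    }

    rc = setup_dir(dir);

    if (pre == SYMLINK_PLANTED) {
        unlink(dir);
        rmdir(other);
    } else {
        rmdir(dir);
    }
    rmdir(base);
    return rc;
}

int main(void)
{
    static const char *names[] = { "fresh", "pre-created 0777", "symlink" };
    int pre;

    for (pre = FRESH; pre <= SYMLINK_PLANTED; pre++)
        printf("%-18s unchecked=%2d checked=%2d\n", names[pre],
               run_case(sockdir_unchecked, (enum precondition)pre),
               run_case(sockdir_checked, (enum precondition)pre));
    return 0;
}
```

The ownership test cannot be exercised without a second account, so the demonstration covers the mode and symlink cases only.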

Bug Fixes

BZ#892291
Previously, when the guestmount utility failed to create a hard link, an incorrect error message was returned. Consequently, information about the true cause of error was not displayed. With this update, the error handling in guestmount has been fixed and correct messages are now displayed in the described case.
BZ#892834
When attempting to rename a symbolic link with the guestmount utility, guestmount followed the link instead of overwriting it. With this update, a guestfs_rename API has been added, which allows guestmount to rename target files correctly.
BZ#908255
Downloading a directory using the guestfs_download API or the guestfish download command is not allowed. However, libguestfs did not return an error in such a case and lost protocol synchronization instead. With this update, libguestfs now tests if the download source is a directory and returns an error message if it is.
BZ#909666
Under certain circumstances, long-running libguestfs API calls, which generated progress messages, caused libguestfs to terminate unexpectedly due to a stack overflow. The underlying source code has been modified to handle this case and the stack overflow no longer occurs.
BZ#971090
Prior to this update, the libguestfs inspection did not detect a Microsoft Windows guest that used a non-standard systemroot path. With this update, libguestfs has been modified to use the contents of the Windows boot.ini file to find the systemroot path. As a result, Windows guests are detected properly even if they use non-standard systemroot paths.
BZ#971326
Previously, libguestfs did not resize a Microsoft Windows NTFS file system when the target size was not explicitly specified. With this update, libguestfs has been modified to establish this size automatically from the target storage device. As a result, NTFS file systems can now be resized even without specifying the target size.
BZ#975753
The virt-resize utility fails on Windows guests that are in an inconsistent state. This update adds the description of this problem to the guestfs(3) man page.
BZ#975760
If the iface parameter was used when adding a drive, libguestfs entered an infinite loop. With this update, libguestfs has been fixed to process iface parameters correctly, thus preventing the hang.
BZ#980358
Calling the guestfs_filesystem_available(g,"xfs") function could be evaluated as true even if certain XFS functions were not available. This problem has been documented in the guestfs(3) man page.
BZ#980372
Prior to this update, the hivex-commit command with a relative path parameter wrote to a location inaccessible to users. This command has been modified to require an absolute path or a NULL path that overwrites the original. An error message is now displayed if a relative path is passed to hivex-commit.
BZ#985269
The syntax for setting Access Control Lists (ACLs) with libguestfs is now documented in the guestfs(3) man page.
BZ#989352
When libguestfs was used to read the capabilities of a file that had no capabilities set, libguestfs returned an error. The guestfs_cap_get_file() function that is responsible for retrieving the file capabilities has been modified to return an empty string in the described case.
BZ#996039
Under certain circumstances, using the guestfish command with both --remote and --add options can have unexpected results. This behavior has been documented in the guestfish(1) man page.
BZ#996825
Previously, when using the guestfish --remote command, the following message was displayed:
libguestfs: error: waitpid (qemu): No child processes
With this update, this unnecessary message is no longer displayed.
BZ#998108
Previously, when the libguestfs package was used on systems under heavy load, messages about "unstable clocks" appeared in the debugging output. With this update, libguestfs has been modified to check if the kvmclock kernel feature is enabled, thus reducing the aforementioned message output.
BZ#1000122
Prior to this update, using the guestfs_sh or sh command before mounting a disk caused the guestfish utility to terminate with a segmentation fault. With this update, guestfish has been modified to verify if a file system is mounted before executing these commands, and if not, an error message is displayed. As a result, guestfish no longer crashes in the aforementioned scenario.
Users of libguestfs are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.

8.90. libibverbs-rocee

Updated libibverbs-rocee and libmlx4-rocee packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
Red Hat Enterprise Linux includes a collection of InfiniBand and iWARP utilities, libraries, and development packages for writing applications that use Remote Direct Memory Access (RDMA) technology.

Upgrade to an upstream version

The libibverbs-rocee packages have been upgraded to upstream version 1.1.7 and the libmlx4-rocee packages to upstream version 1.0.5, which provide a number of bug fixes and enhancements over the previous versions and keep the HPN channel synchronized with the base Red Hat Enterprise Linux channel, where the sister versions of these packages (libibverbs and libmlx4) were also updated to the latest upstream release.
All users of Remote Direct Memory Access (RDMA) technology are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.91. libksba

Updated libksba packages that fix one bug are now available for Red Hat Enterprise Linux 6.
KSBA is a library designed to build software based on the X.509 and CMS standards. It provides developers with a single API that handles the underlying details of the X.509 standard and presents data consistently.

Bug Fix

BZ#658058
Previously, contents of the /usr/bin/libksba-config script conflicted between 32-bit and 64-bit versions of libksba-devel packages. Consequently, these packages could not be installed simultaneously. This update amends the script to make its contents consistent for all architectures, thus fixing this bug.
Users of libksba are advised to upgrade to these updated packages, which fix this bug.

8.92. libnl

Updated libnl packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The libnl packages contain a convenience library to simplify using the Linux kernel's Netlink sockets interface for network manipulation.

Bug Fixes

BZ#682240
When a domain was started using the libvirt client libraries and utilities, a memory leak was triggered from the libnl library because libnl continued to use memory that was no longer in use. With this update, memory leaks in libnl are fixed, and libnl releases memory after it completes its usage.
BZ#689559
Prior to this update, libnl's error handling made generous use of the strerror() function. Nevertheless, the strerror() function was not threadsafe, and it was possible for multiple threads in an application to call libnl. With this update, all the occurrences of strerror() are replaced with a call to the strerror_r() function that puts the message into a thread-local static buffer.
BZ#953339
When the max_vfs parameter of the igb module, which allocates the maximum number of Virtual Functions, was set to any value greater than 50,50 on a KVM (Kernel-based Virtual Machine) host, the guest failed to start with the following error messages:
error : virNetDevParseVfConfig:1484 : internal error missing IFLA_VF_INFO in netlink response
error : virFileReadAll:457 : Failed to open file '/var/run/libvirt/qemu/eth0_vf0': No such file or directory
error : virFileReadAll:457 : Failed to open file '/var/run/libvirt/qemu/eth1_vf0': No such file or directory
This update increases the default receive buffer size to allow receiving of Netlink messages that exceed the size of a memory page. Thus, guests are able to start on the KVM host, and error messages no longer occur in the described scenario.
Users of libnl are advised to upgrade to these updated packages, which fix these bugs.

8.93. libpcap

Updated libpcap packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Packet Capture library (pcap) provides a high level interface to packet capture systems. All packets on the network, even those destined for other hosts, are accessible through this mechanism. It also supports saving captured packets to a 'savefile', and reading packets from a 'savefile'. libpcap provides implementation-independent access to the underlying packet capture facility provided by the operating system.

Upgrade to an upstream version

The libpcap packages have been upgraded to upstream version 1.4.1, which provides a number of bug fixes and enhancements over the previous version. (BZ#916749)

Bug Fixes

BZ#723108
Previously, the libpcap library generated wrong filtering code for the Berkeley Packet Filter (BPF) infrastructure. As a consequence, the in-kernel packet filter was discarding some packets which should have been received by a userspace process. Moreover, the tcpdump utility produced incorrect output when fragmentation of an IPv6 packet occurred because of the link MTU. To fix this bug, the code which deals with BPF filter generation has been fixed to check for fragmentation headers in IPv6 PDUs before checking for the final protocol. As a result, the kernel filter no longer discards IPv6 fragments when source-site fragmentation occurs during IPv6 transmission and tcpdump receives all packets.
BZ#731789
Prior to this update, libpcap was unable to open a capture device with small values of SnapLen, which caused libpcap to return an error code and tcpdump to exit prematurely. Calculation of frames for memory mapping packet capture mechanism has been adjusted not to truncate packets to smaller values than actual SnapLen, thus fixing the bug. As a result, libpcap no longer returns errors when trying to open a capture device with small values of SnapLen, and applications using libpcap are able to process packets.
Users of libpcap are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.94. libqb

Updated libqb packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The libqb packages provide a library with the primary purpose of providing high performance client server reusable features, such as high performance logging, tracing, inter-process communication, and polling.

Upgrade to an upstream version

The libqb packages have been upgraded to upstream version 0.16.0, which provides a number of bug fixes and enhancements over the previous version, including a patch to fix a bug in the qb_log_from_external_source() function that caused the Pacemaker's policy engine to terminate unexpectedly. (BZ#950403)

Bug Fix

BZ#889299
Output of the Blackbox window manager did not contain logging information if the string's length or precision was specified. This affected usability of the Blackbox output for debugging purposes, specifically when used with the Pacemaker cluster resource manager. The problem was caused by bugs in the libqb's implementation of the strlcpy() and strlcat() functions and the code responsible for the Blackbox log formatting. This update corrects these bugs so the Blackbox output is now formatted as expected.
Users of libqb are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.95. libreoffice

Updated libreoffice packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
LibreOffice is an Open Source, community-developed, office productivity suite. It includes the key desktop applications, such as a word processor, spreadsheet, presentation manager, formula editor and drawing program. LibreOffice replaces OpenOffice.org and provides a similar but enhanced and extended Office Suite.

Upgrade to an upstream version

The libreoffice package has been upgraded to upstream version 4.0.4, which provides a number of bug fixes and enhancements over the previous version. (BZ#919230)

Bug Fixes

BZ#820554
The "--enable-new-dtags" flag was added to allow certain types of build-time regression tests to function. As a consequence, the GCJ Java compiler failed to search the correct location of Java libraries. This update applies a patch to remove the flag and GCJ works as expected.
BZ#829709
Previously, the LibreOffice suite was not fully translated into certain local languages. This update provides the full translation of LibreOffice to local languages.
BZ#833512
During the upgrade of the OpenOffice.org suite to the OpenOffice suite, backward compatibility links were removed and the OpenOffice.org icons were not migrated to LibreOffice. Consequently, an attempt to launch LibreOffice failed with an error. With this update, the compatibility links have been restored and the icons now work as expected.
BZ#847519
Due to a bug in the chart creation code, an attempt to create a chart, under certain circumstances, failed with a segmentation fault. The underlying source code has been modified to fix this bug and the chart creation now works as expected.
BZ#855972
Due to a bug in the underlying source code, an attempt to show the outline view in the Impress utility terminated unexpectedly. This update applies a patch to fix this bug and the outline view no longer crashes in the described scenario.
BZ#863052
Certain versions of the Microsoft Office suite contain mismatching internal time stamp fields. Previously, the LibreOffice suite detected those fields and returned exceptions. Consequently, the user was not able to open certain Microsoft Office documents. With this update, LibreOffice has been modified to ignore the mismatching time stamp fields and Microsoft Office documents can be opened as expected.
BZ#865058
When a large number of user-defined number formats were specified in a file, those formats used all available slots in a table and the general format was used for the remaining formats. As a consequence, certain cell formatting was not preserved when loading the file. With this update, a patch has been provided and cell formatting works as expected.
BZ#871462
The LibreOffice suite contains a number of harmless files used for testing purposes. Previously, on Microsoft Windows systems, these files could trigger false positive alerts in various anti-virus software, such as Microsoft Security Essentials. For example, the alerts could be triggered when scanning the Red Hat Enterprise Linux 6 ISO file. The underlying source code has been modified to fix this bug and the files no longer trigger false positive alerts in the described scenario.
BZ#876742
Due to an insufficient implementation of tables, the Impress utility made an internal copy of a table during every operation. Consequently, when a presentation included large tables, the operations proceeded significantly slower. This update provides a patch to optimize the table content traversal. As a result, the operations proceed faster in the described scenario.
BZ#902694
Previously, the keyboard-shortcut mapping was performed automatically. As a consequence, non-existing keys were suggested as shortcuts in certain languages. With this update, a patch has been provided to fix this bug and affected shortcuts are now mapped manually.
Users of libreoffice are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.96. librtas

Updated librtas packages that add one enhancement are now available for Red Hat Enterprise Linux 6.
The librtas packages contain a set of libraries that allow access to the Run-Time Abstraction Services (RTAS) on 64-bit PowerPC architectures. The librtasevent library contains definitions and routines for analyzing RTAS events.

Enhancement

BZ#985850
This update adds support for a user space solution for Dynamic Memory Affinity via the PRRN interface. When an affinity for a partition changes as a result of system optimization, the impacted partition will be notified through an event-scan RTAS call that the affinity properties of the partitions have changed. As a result, the partition is expected to refresh its affinity strings through existing RTAS/hidden h_calls.
Users of librtas are advised to upgrade to these updated packages, which add this enhancement.

8.97. libtevent

Updated libtevent packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The libtevent packages provide Tevent, an event system based on the talloc memory management library. Tevent supports many event types, including timers, signals, and the classic file descriptor events. Tevent also provides helpers to deal with asynchronous code represented by the tevent_req (Tevent Request) functions.

Upgrade to an upstream version

The libtevent packages have been upgraded to upstream version 0.9.18, which provides a number of bug fixes and enhancements over the previous version. (BZ#951034)

Bug Fixes

BZ#975489
Prior to this update, a condition in the poll backend copied a 64-bit variable into an unsigned integer variable, which was smaller than 64-bit on 32-bit architectures. Using the unsigned integer variable in a condition rendered the condition to be always false. The variable format has been changed to the uint64_t format guaranteeing its width to be 64 bits on all architectures. As a result, the condition now yields expected results.
BZ#978962
Previously, the tevent_loop_wait() function internally registered its own signal handler, which was never removed. Consequently, tevent_loop_wait() could not end even if there were no registered custom handlers. This update applies a patch to fix this bug and tevent_loop_wait() now works as expected.
Users of libtevent are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
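The narrowing bug class described in BZ#975489, as an added example that is not tevent's code: a 64-bit sentinel copied into a narrower unsigned variable can never compare equal to the sentinel again, so the guard that depends on it is dead. The struct, constants and function names are hypothetical; the range check in the narrow version exists only so the demonstration reports the bad index safely.

```c
#include <stdint.h>
#include <stdio.h>

#define NSLOTS  4
#define NO_SLOT UINT64_MAX          /* sentinel: event owns no slot in the array */

struct event { uint64_t slot; };    /* slot index, or NO_SLOT */

enum { BAD_INDEX = -1, NOTHING_TO_DO = 0, REMOVED = 1 };

/* Narrow copy: on the common Linux ABIs unsigned int is 32 bits, so NO_SLOT
 * becomes 0xFFFFFFFF. In the comparison idx is promoted back to 64 bits as
 * 0x00000000FFFFFFFF, which never equals UINT64_MAX. GCC's -Wtype-limits
 * reports the comparison as always false. */
int remove_narrow(int fds[NSLOTS], const struct event *ev)
{
    unsigned int idx = ev->slot;

    if (idx == NO_SLOT)             /* dead branch */
        return NOTHING_TO_DO;
    if (idx >= NSLOTS)              /* demo-only guard; without it fds[idx] */
        return BAD_INDEX;           /* would be an out-of-bounds write      */
    fds[idx] = -1;
    return REMOVED;
}

/* Fixed-width copy: the sentinel survives and the early return works. */
int remove_wide(int fds[NSLOTS], const struct event *ev)
{
    uint64_t idx = ev->slot;

    if (idx == NO_SLOT)
        return NOTHING_TO_DO;
    if (idx >= NSLOTS)
        return BAD_INDEX;
    fds[idx] = -1;
    return REMOVED;
}

/* Runs one removal against a constructed slot table and returns its verdict;
 * -2 signals that a claimed removal did not actually clear the slot. */
int demo(int (*fn)(int *, const struct event *), uint64_t slot)
{
    int fds[NSLOTS] = { 10, 11, 12, 13 };   /* constructed descriptors */
    struct event ev = { slot };
    int rc = fn(fds, &ev);

    if (rc == REMOVED && fds[slot] != -1)
        return -2;
    return rc;
}

int main(void)
{
    printf("sentinel: narrow=%d wide=%d\n",
           demo(remove_narrow, NO_SLOT), demo(remove_wide, NO_SLOT));
    printf("slot 2:   narrow=%d wide=%d\n",
           demo(remove_narrow, 2), demo(remove_wide, 2));
    return 0;
}
```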

8.98. libvirt

Updated libvirt packages that fix a number of bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.

Bug Fixes

BZ#846013
Previously, due to several issues, IPv6 was not handled properly during migration. With this update, migrations now succeed in the described scenario.
BZ#847822
Without manual configuration, the remote driver did not support connection to the session instance of the libvirtd daemon. This behavior could confuse users, who attempted to use such a configuration. With this update, connections that do not have the necessary manual configuration are not allowed by libvirt.
BZ#851075
Previously, the libvirt library was missing driver implementation for the ESX environment. As a consequence, a user could not configure any network for an ESX guest. The network driver has been implemented and a user now can configure networks for ESX guests as expected.
BZ#882077
Previously, libvirt reported raw QEMU errors when the creation of snapshots failed, and the error message provided was confusing. With this update, libvirt now gives a clear error message when QEMU is not capable of making snapshots.
BZ#888503
The AMD family 15h processors CPU architecture consists of modules, which are represented both as separate cores and separate threads. Management applications needed to choose between one of the approaches, and libvirt did not provide enough information to do this. In addition, the management applications were not able to represent the modules in an AMD family 15h processors core according to their needs. The capabilities XML output now contains more information about the processor topology, so that the management applications can extract the information they need.
BZ#892079
Previously, the libvirtd daemon was unable to execute an s3 or s4 operation for a Microsoft Windows guest which ran the guest agent service. Consequently, this resulted in the domain s4 fail error message, due to the domain being destroyed. With this update, the guest is destroyed successfully and libvirtd no longer crashes.
BZ#894723
A virtual machine (VM) can be saved into a compressed file. Previously, when decompression of that file failed while libvirt was trying to resume the VM, libvirt removed the VM from the list of running VMs. However, it did not remove the corresponding QEMU process. With this update, the QEMU process is killed in such cases. Moreover, non-fatal decompression errors are now ignored and a VM can be successfully resumed if such an error occurs.
BZ#895294
Updating a network interface using the virDomainUpdateDeviceFlags API failed when a boot order was set for that interface. The update failed even if the boot order was set in the provided device XML. virDomainUpdateDeviceFlags API has been fixed to correctly parse boot order specification from the provided device XML and updating network interfaces with boot orders now works as expected.
BZ#895340
The libvirt library allows users to set Quality of Service (QoS) on a domain's Network Interface Controller (NIC). However, due to a bug in the implementation, certain values were not set correctly. As a consequence, the real throughput did not correspond with the one set in a domain XML. The underlying source code has been modified to set the correct values from the XML and the throughput now corresponds with the one set in the XML as expected.
BZ#895424
Hot unplug of vCPUs is not supported by QEMU in Red Hat Enterprise Linux 6. Therefore, an attempt to use this functionality failed, but the count of processors remembered by the libvirt library was still updated to the new number. With this update, libvirt now verifies if QEMU actually unplugged the CPUs so that the internal information is updated only when the unplug was successful.
BZ#895826
Previously, when a migration failed, the destination host started to relabel files because it was no longer using them. However, this behavior impacted the source host, which was still running. As a consequence, guests could lose the ability to write to disks. This update applies a patch to fix this bug so that files that are still in use are no longer relabeled in the described scenario.
BZ#895882
Python bindings for the libvirt library contained incorrect implementation of the getDomain() and getConnect() methods in the virDomainSnapshot class. Consequently, the Python client terminated unexpectedly with a segmentation fault. Python bindings now provide the proper domain() and connect() accessors that fetch Python objects stored internally within the virDomainSnapshot instance and crashes no longer occur.
BZ#896013
Previously, the libvirt library added a cache of storage file backing chains, rather than rediscovering the backing chain details on every operation. This cache was then used to decide which files to label for sVirt, but when libvirt switched over to use the cache, the code only populated it when the kernel control groups (cgroups) were in use. On setups that did not use cgroups, sVirt was unable to properly label backing chain files due to the lack of backing chain cache information. This behavior caused a regression in which guests were prevented from running. Now, populating the cache has been moved earlier in the process so that it is independent of cgroups. The cache results in more efficient sVirt operations and works whether or not cgroups are in effect.
BZ#903238
Occasionally, when users ran multiple virsh create or destroy loops, a race condition could occur and the libvirtd daemon terminated unexpectedly with a segmentation fault. False error messages stating that the domain had already been destroyed were also returned to the caller. With this update, the outlined script is run and completes without libvirtd crashing.
BZ#903248
Previously, the libvirt library followed relative backing chains differently than QEMU. This resulted in missing sVirt permissions when libvirt could not follow the chain. With this update, relative backing files are now treated identically in libvirt and QEMU, and VDSM use of relative backing files functions properly.
BZ#903433
When kernel control groups (cgroups) were enabled, moving tasks among cgroups could, in rare occurrences, result in a race condition. Consequently, a guest could fail to start after repeating the start and stop commands tens of times using the virsh utility. With this update, the code that handles groups of threads has been optimized to prevent races while moving from one cgroup to another and guests now start as expected in the described scenario.
BZ#906299
Various memory leaks in the libvirtd daemon were discovered when users ran Coverity and Valgrind leak detection tools. This update addresses these issues, and libvirtd no longer leaks memory in the described scenario.
BZ#908073
Previously, when users started the guest with a sharable block CD-ROM, the libvirtd daemon failed unexpectedly due to accessing memory that had been already freed. This update addresses the aforementioned issue, and libvirtd no longer crashes in the described scenario.
BZ#911609
Due to a race condition in the libvirt client library, any application using libvirt could terminate unexpectedly with a segmentation fault. This happened when one thread executed the connection close callback, while another one freed the connection object, and the connection callback thread then accessed memory that had been already freed. This update fixes the possibility of freeing the callback data when they are still being accessed.
BZ#912179
When asked to create a logical volume with zero allocation, the libvirt library ran the lvcreate command to create a volume with no extents, which is not permitted. Creation of logical volumes with zero allocation failed and libvirt returned an error message that did not mention the correct error. Now, rather than asking for no extents, libvirt tries to create the volume with a minimal number of extents. The code has also been fixed to provide the correct error message when the volume creation process fails. As a result, logical volumes with zero allocation can now be successfully created using libvirt.
BZ#913244
When auto-port and port were not specified, but the tlsPort attribute was set to -1, the tlsPort parameter specified in the QEMU command line was set to 1 instead of a valid port. Consequently, QEMU failed, because it was unable to bind a socket on the port. This update replaces the current QEMU driver code for managing port reservations with the new virPortAllocator APIs, and QEMU is now able to bind a socket on the port.
BZ#913363
The libvirt library could abort migration when domain's disks used unsafe cache settings even though they were not stored on a shared storage and libvirt was explicitly asked to copy all storage. As a consequence, migration without a shared storage was only possible with the VIR_MIGRATE_UNSAFE flag enabled. With this update, the test for safe disk cache settings is now limited only to shared storage because any setting is safe for locally stored disk images.
BZ#914677
Previously, the libvirt library was not tolerant of missing unpriv_sgio support in the running kernel even though it was not necessary. Consequently, after upgrading the host system to Red Hat Enterprise Linux 6.5, users were unable to start domains using shareable block disk devices unless they rebooted the host into the new kernel. With this update, the check for unpriv_sgio support is only performed when it is really needed. As a result, libvirt is now able to start all domains that do not strictly require unpriv_sgio support regardless of host kernel support for it.
BZ#916315
Due to a bug in the libvirt code, two APIs, virDomainBlockStatsFlags() and virDomainDetachDeviceFlags(), were executed concurrently. As a consequence, the libvirtd daemon terminated unexpectedly. The underlying source code has been modified to make these APIs mutually exclusive so that the daemon no longer crashes in such a case.
BZ#917510
When a virtual machine (VM) with a managed save image was started with the --force-boot parameter that removed the managed save image, a flag holding the managed save state was not cleared. As a result, incorrect information was displayed and some operations regarding the managed save state failed. This bug has been fixed and the flag is now correctly cleared in the described scenario.
BZ#920205
At the end of migration, libvirt was waiting for the Simple Protocol for Independent Computing Environments (SPICE) data to be migrated to the destination QEMU, before it resumed the domain on the destination host. This significantly increased the waiting time when the domain was not running on any host. With this update, the underlying code has been modified not to wait until the end of the SPICE migration. As a result, the resume is done as soon as possible without any significant delay.
BZ#920441
Previously, the listen attribute in QEMU cookie files was discarded. Consequently, if the user had different networks in use, one for management and migration, and one for Virtual Network Computing (VNC) and SPICE, the remote host name was passed to QEMU via the client_migrate_info flag. This caused the SPICE client to be disconnected upon migration of a virtual machine. With this update, the remote listen address is passed instead and the SPICE client is no longer disconnected in the described scenario.
BZ#921387
Due to the use-after-free bug in the logical storage back end, the libvirtd daemon could terminate unexpectedly when deleting the logical storage pool. The underlying source code has been modified and the daemon now works as expected when deleting logical volumes.
BZ#921538
Due to a race condition in the client side of libvirt's RPC implementation, a client connection that was closed by the server could be freed, even though other threads were still waiting for APIs sent through this connection to finish. As a consequence, the other threads could have accessed memory that had already been freed and the client terminated unexpectedly with a segmentation fault. With this update, the connection is freed only after all threads process their API calls and report errors to their callers.
BZ#921777
Previously, a lock used when dealing with transient networks was incorrect. Consequently, when the define API was used on a transient network, the network object lock was not unlocked as expected. The underlying source code has been modified and the object lock is now unlocked correctly.
BZ#922153
Previously, the libvirt library made control group (cgroup) requests on files that it should not have. With older kernels, such nonsensical cgroup requests were ignored; however, newer kernels are stricter, resulting in libvirt logging spurious warnings and failures to the libvirtd and audit logs. The audit log failures displayed by the ausearch tool were similar to the following:
root [date] - failed cgroup allow path rw /dev/kqemu
With this update, libvirt no longer attempts the nonsensical cgroup actions, leaving only valid attempts in the libvirtd and audit logs.
BZ#922203
Previously, the libvirt library used the incorrect variable when constructing audit messages. This led to invalid audit messages, causing the ausearch utility to format certain entries as having path=(null) instead of the correct path. This could prevent ausearch from locating events related to cgroup device Access Control Lists (ACL) modifications for guests managed by libvirt. With this update, the audit messages are generated correctly, preventing loss of audit coverage.
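One way to sweep exported audit records for the two symptoms described under BZ#922153 and BZ#922203: failed cgroup device ACL requests and records whose path was logged as (null). This is an added example, not libvirt or Red Hat code; the record layout and every sample line are constructed for illustration and should be compared with raw records from your own audit log.

```python
import re

# Constructed sample records, not captured from a real host. The key=value
# layout inside msg='...' (resrc=, class=, path=, acl=, res=) is an assumption
# made for this example.
SAMPLE_AUDIT = [
    "type=VIRT_RESOURCE msg=audit(1380000000.101:210): pid=2100 uid=0 "
    "msg='virt=kvm resrc=cgroup reason=allow vm=\"guest1\" class=path "
    "path=/dev/kqemu acl=rw exe=\"/usr/sbin/libvirtd\" res=failed'",
    "type=VIRT_RESOURCE msg=audit(1380000000.204:211): pid=2100 uid=0 "
    "msg='virt=kvm resrc=cgroup reason=allow vm=\"guest2\" class=path "
    "path=(null) acl=rw exe=\"/usr/sbin/libvirtd\" res=success'",
    "type=VIRT_RESOURCE msg=audit(1380000000.305:212): pid=2100 uid=0 "
    "msg='virt=kvm resrc=cgroup reason=allow vm=\"guest2\" class=path "
    "path=\"/var/lib/libvirt/images/guest2.img\" acl=rw "
    "exe=\"/usr/sbin/libvirtd\" res=success'",
    "type=VIRT_RESOURCE msg=audit(1380000000.400:213): pid=2100 uid=0 "
    "msg='virt=kvm resrc=mem reason=start vm=\"guest2\" old-mem=0 "
    "new-mem=1048576 exe=\"/usr/sbin/libvirtd\" res=success'",
    "type=USER_LOGIN msg=audit(1380000001.000:214): pid=900 uid=0 "
    "msg='op=login acct=\"root\" exe=\"/usr/sbin/sshd\" res=success'",
]

EVENT_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):")
INNER_RE = re.compile(r"msg='(.*)'\s*$")
FIELD_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit line into a dict; return None if it is not a record."""
    head = EVENT_RE.match(line)
    inner = INNER_RE.search(line)
    if not head or not inner:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(inner.group(1))}
    rec["type"] = head.group(1)
    rec["time"] = float(head.group(2))
    rec["serial"] = int(head.group(3))
    return rec


def classify(rec):
    """Return the reasons a cgroup device-ACL record needs review."""
    if rec.get("type") != "VIRT_RESOURCE" or rec.get("resrc") != "cgroup":
        return []
    reasons = []
    # A record without a usable path cannot be found by a path-based search,
    # which is the loss of audit coverage the note describes.
    if rec.get("class") == "path" and rec.get("path") in (None, "", "(null)"):
        reasons.append("path-missing")
    # Failed requests were the spurious entries produced on stricter kernels.
    if rec.get("res") != "success":
        reasons.append("request-failed")
    return reasons


def review(lines):
    """Return one finding per record that has at least one reason."""
    findings = []
    for line in lines:
        rec = parse_record(line.strip())
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({
                "serial": rec["serial"],
                "vm": rec.get("vm", "?"),
                "path": rec.get("path"),
                "acl": rec.get("acl"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_AUDIT):
        print("event %(serial)d vm=%(vm)s path=%(path)s acl=%(acl)s %(reasons)s" % f)
```

Records flagged as path-missing on a host still running the older packages have to be correlated by event serial and guest name instead of by path.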
BZ#923613
Previously, the vol-download command was described incorrectly in the virsh(1) manual page. With this update, the command description has been fixed.
BZ#923946
When SELinux was disabled on a host, or the QEMU driver was configured not to use it, and the domain XML configuration contained an explicit seclabel option, the code parsed the seclabel option, but ignored it later when it was generating labels on domain start, and created a new and empty seclabel entry <seclabel type='none'/>. Consequently, a migration between two hosts running Red Hat Enterprise Linux 6.5 failed with the following error message:
libvirtError: XML error: missing security model when using multiple labels
With this update, if the seclabel entry already exists, a new one is no longer created, and the migration works as expected in the described scenario.
BZ#923963
Previously, there was an Application Binary Interface (ABI) inconsistency in messages of the kernel netlink protocol between certain versions of Red Hat Enterprise Linux. When the libvirt library sent a netlink NLM_F_REQUEST message and the libvirt binary had been built using kernel header files from a different version of the kernel than the version of the machine running libvirt, errors were returned. Consequently, Peripheral Component Interconnect (PCI) passthrough device assignments of SR-IOV network devices failed when they used the <interface type='hostdev'> option, or when the libvirt network was set with the <forward mode='hostdev'> option. In such a case, the following error message or a similar one was returned:
error dumping (eth3) (3) interface: Invalid argument
With this update, libvirt retries the NLM_F_REQUEST message formatted appropriately for all versions of the kernel. Now, a single libvirt binary successfully assigns SR-IOV network devices to a guest using PCI passthrough on a host running any version of Red Hat Enterprise Linux 6 kernel.
BZ#924571
Previously, the vol-name command of the virsh utility printed a NULL string when there was no option for specifying the pool. Consequently, an error message was returned, which could confuse users. The command has been modified so that the option does not have to be specified where it is not needed. As a result, the error message is no longer returned in the described scenario.
BZ#924648
The QEMU driver currently does not support increasing of the maximum memory size. However, this ability was documented in the virsh(1) manual page. With this update, the manual page has been corrected.
BZ#928661
Previously, part of the code refactoring done to fix another bug left a case where locks were cleaned up incorrectly. As a consequence, the libvirtd daemon could terminate unexpectedly in certain migration-to-file scenarios. With this update, the lock cleanup paths have been fixed and libvirtd no longer crashes when saving a domain to a file.
BZ#947387
The libvirt library uses side files to store the internal state of managed domains in order to re-read the state upon the libvirtd service restart. However, if a domain state was saved in an inconsistent state, the state was not re-read and the corresponding domain was lost. As a consequence, the domain could disappear. After this update, when the libvirtd service is saving the internal state of a domain, the consistent internal state is saved and domains which may break it are disallowed from starting. As a result, the domain is no longer forgotten.
BZ#948678
Previously, attempts to clone a storage volume that was not in the RAW format from a directory pool, file system pool, or NFS pool, to a LVM pool, using the virsh vol-create-from command, failed with an unknown file format error message. This update fixes this bug by treating output block devices as the RAW file format and storage volumes can now be cloned as expected.
BZ#950286
Under certain conditions, when a connection was closed, guests set to be automatically destroyed failed to be destroyed. As a consequence, the libvirtd daemon terminated unexpectedly. A series of patches addressing various crash scenarios has been provided and libvirtd no longer crashes while auto-destroying guests.
BZ#951227
When running the libvirt test suite on a machine under a heavy load, the test could end up in a deadlock. Since the test suite was run during an RPM build, the build never finished if a deadlock occurred. This update fixes the handling of an event loop used in the test suite, and the test suite no longer hangs in the described scenario.
BZ#955575
Previously, the VirtualHW application version 9 was not set as supported even though the corresponding ESX version 5.1 was set to be supported earlier. As a consequence, when a connection was made to an ESX 5.1 server with a guest using virtualHW version 9, the following error was displayed:
internal error Expecting VMX entry 'virtualHW.version' to be 4, 7 or 8 but found 9
This update adds VirtualHW version 9 into the list of supported versions and the aforementioned error message is no longer displayed in this scenario.
BZ#960683
Libvirt's internal data structures that hold information about the topology of the host and guest are limited in size to avoid the possibility of a denial-of-service (DoS) attack on the daemon. However, these limits were too strict and did not take into account the possibility that hosts with 4096 CPUs might be used with libvirt. After this update, the limits have been increased to allow scalability even on larger systems.
BZ#961034
Prior to this update, the F_DUPFD_CLOEXEC operation with the fcntl() function expected a single argument, specifying the minimum file descriptor (FD) number, but none was provided. Consequently, random stack data were accessed as the FD number and a libvirt live migration could then terminate unexpectedly. This update ensures that the argument is provided in the described scenario, thus fixing this bug.
BZ#964359
Previously, the libvirtd daemon set up supplemental groups of child processes by making a call between the fork() and exec() functions to the getpwuid_r() function, which could take a mutual exclusion (mutex) lock. As a consequence, if another thread was already holding the getpwuid_r mutex at the time libvirtd called the fork() function, the forked child process deadlocked, which in turn caused libvirtd to become unresponsive. The code to compute the set of supplemental groups has been refactored so that no mutex is required after fork. As a result, the deadlock scenario is no longer possible.
BZ#965442
Previously, the libvirt library did not update the pool information after adding, removing, or resizing a volume. As a consequence, the user had to refresh the pool using the "virsh pool-refresh" command to get the correct pool information after these actions. After this update, the pool information is automatically updated after adding, removing, or resizing a volume.
BZ#970495
Previously, the virsh utility considered the "--pool" argument of the "vol-create" and "vol-create-as" commands to be a pool name. As a consequence, vol-create and vol-create-as virsh commands did not work when a pool was specified by its Universally Unique Identifier (UUID), even though they were documented to accept both name and UUID for pool specification. With this update, virsh has been fixed to look up a pool both by name and UUID. As a result, both virsh commands now work according to their documentation.
BZ#971485
Previously, if the user had not specified a Virtual Network Computing (VNC) address in their domain XML, the one from the qemu.conf file was used. However, upon migrating, there was no difference between cases where the listen address was set by user in the XML directly or copied from the qemu.conf file. As a consequence, a domain could not be migrated. After this update, if the listen address is copied from qemu.conf, it is not transferred to the destination. As a result, a domain can be migrated successfully.
BZ#971904
Previously, the libvirt library's logging function that was passed to the libudev library did not handle strings with multiple parameters correctly. As a consequence, the libvirtd daemon could terminate unexpectedly when libudev logged a message. After this update, libvirt now handles multiple parameters correctly. As a result, libvirtd no longer crashes when libudev logs messages.
BZ#975201
Previously, the libvirt library only loaded one Certification Authority (CA) certificate from the cacert.pem file even though the file contained several chained CA certificates. As a consequence, libvirt failed to validate client and server certificates when they were both signed by intermediate CA certificates sharing a common ancestor CA. After this update, the underlying code has been fixed to load all CA certificates. As a result, the CA certificate validation code works correctly when the client and server certificates are both signed by intermediate CA certificates sharing a common ancestor CA.
BZ#975751
Previously, due to loader Hypervisor versions, many features were available only for guests with only one display. As a consequence, guests with two displays could not properly be defined on the QEMU hypervisor and some other features were not properly taking the second display into consideration. With this update, the ability to define more display types and all one-display assumptions were fixed in all relevant code. As a result, domains with multiple displays can now be defined, properly migrated, and started.
BZ#976401
The SPICE protocol can be set to listen on the given IP address or obtain the listening IP address from the given network. QEMU does not allow changing the SPICE listening IP address at runtime, therefore the libvirt library verifies this IP address with every user's update of SPICE settings on a guest. A regression bug in the libvirt code caused libvirt to incorrectly evaluate this listening IP address check if the user had SPICE set to listen on the given network because the user's XML request contained both the listening IP address and the network address. Consequently, the user's operation was rejected. With this update, libvirt also considers the type of the listening IP address when comparing an IP address from the user's request with the current listening IP address. The user is now able to update SPICE settings on a guest as expected in this scenario.
BZ#977961
When migrating, the libvirtd daemon leaked migration Uniform Resource Identifier (URI) on a destination guest. A patch has been provided to fix this bug and the migration URI is now freed correctly.
BZ#978352
Prior to this update, the libvirtd daemon leaked memory in the virCgroupMoveTask() function. A fix has been provided which prevents libvirtd from incorrect management of memory allocations.
BZ#978356
Previously, the libvirtd daemon was accessing one byte before the array in the virCgroupGetValueStr() function. This bug has been fixed and libvirtd now stays within array bounds.
BZ#979330
Previously, the libvirt library depended on a "change" notification from the kernel to indicate that it should change the name of the device driver bound to a device. However, this change notification was not sent. As a consequence, the output from the "virsh nodedev-dumpxml" command always showed the device driver that was bound to the device at the time libvirt was started and not the currently-bound driver. This bug has been fixed and libvirt now manually updates the driver name every time a "nodedev-dumpxml" command is executed, rather than depending on a change notification. As a result, the driver name from the output of "nodedev-dumpxml" is always correct.
BZ#980339
Previously, if an incorrect device name was given in the <pf> element of a libvirt network definition, libvirt terminated unexpectedly when a guest attempted to create an interface using that network. With this update, libvirt now validates the <pf> device name to verify that it exists and that it is an sriov-capable network device. As a result, libvirt no longer crashes when a network with incorrect <pf> is referenced. Instead, it logs an appropriate error message and prevents the operation.
BZ#983539
Previously, the virStorageBackendFileSystemMount() function returned success even if the mount command had failed. As a consequence, libvirt showed the pool as running even though it was unusable. After this update, an error is displayed if the mount command has failed. As a result, libvirt no longer displays a success message when the mount command fails.
BZ#999107
Due to an omission in the libvirt code, the VLAN tag for a hostdev-based network (a network which is a pool of SRIOV virtual functions to be assigned to guests via PCI device assignment) was not being properly set in the hardware device. With this update, the missing code has been provided and a VLAN tag set in the network definition is now properly presented to the devices as they are assigned to guests.
BZ#1001881
Previously, the libvirt library was erroneously attempting to use the same alias name for multiple hostdev network devices. As a consequence, it was impossible to start a guest that had more than one hostdev network device in its configuration. With this update, libvirt now ensures that each device has a different alias name. As a result, it is now possible to start a guest with multiple hostdev network devices in its configuration.
BZ#1002790
The description of the blockcopy command in the virsh(1) manual page was identical to the description of the blockpull command. The correct descriptions have been provided with this update.
BZ#1006710
Previously, when parsing the domain XML with an "auto" numatune placement and the "nodeset" option was specified, the nodeset bitmap was freed twice. As a consequence, the libvirtd daemon terminated unexpectedly due to the double freeing. After this update, libvirtd now sets the pointer to NULL after freeing it. As a result, libvirtd no longer crashes in this scenario.
BZ#1009886
Previously, due to code movement, there was an invalid job used for querying for the SPICE migration status. As a consequence, when migrating a domain with a Simple Protocol for Independent Computing Environments (SPICE) seamless migration and using the domjobinfo command to request information on the same domain at the same time, the libvirtd daemon terminated unexpectedly. After this update, the job has been set properly and libvirtd no longer crashes in this scenario.
BZ#1011981
Whereas the status command of the libvirt-guests init script returned the 0 value when the libvirt-guests service was stopped, Linux Standard Base (LSB) required a different value (3) in such a case. Consequently, other scripts relying on the return value could not distinguish whether the service was running or not. The libvirt-guests script has been fixed to conform with LSB and the service libvirt-guests status command now returns the correct value in the described scenario.
BZ#1013758
Previously, the libvirt library contained a heuristic to determine the limit for maximum memory usage by a QEMU process. If the limit was reached, the kernel just killed the QEMU process and the domain was killed as well. This, however, cannot be guessed correctly. As a consequence, domains were killed randomly. With this update, the heuristic has been dropped and domains are not killed by the kernel anymore.

Enhancements

BZ#803602
This enhancement adds the ability to specify a share policy for a domain's Virtual Network Computing (VNC) console. The latest change in QEMU behavior from shared to exclusive VNC caused certain deployments, which used only shared VNC, to stop working. With a new attribute, sharePolicy, users are able to change the policy from exclusive to shared and such deployments now work correctly.
BZ#849796
This enhancement introduces QEMU's native GlusterFS support. Users are now able to add a disk image stored on the GlusterFS volumes to a QEMU domain as a network disk.
BZ#851455
For security reasons, the libvirt library uses by default only ports larger than 1023 (unprivileged ports) for Network Address Translation (NAT) of network traffic from guests. However, sometimes the guests need access to network services that are only available if a privileged port is used. This enhancement provides a new element, <nat>, which allows the user to specify either a port or an address range to use for NAT of network traffic.
BZ#878765
This update adds a missing description about the migrateuri parameter of the migrate command to the virsh(1) manual page.
BZ#896604
With this enhancement, the libvirt library now supports the ram_size parameter. Users are now able to set the RAM memory when using multiple heads in one Peripheral Component Interconnect (PCI) device.
BZ#924400
The QEMU guest agent now supports enabling and disabling of guest CPUs. With this enhancement, support for this feature has been added to the libvirt library so that users are now able to use libvirt APIs to disable CPUs in a guest for performance and scalability reasons.
BZ#928638
Domain Name System (DNS) servers, and especially root DNS servers, discourage forwarding of DNS requests that are not fully qualified domain names, that is, names that include the domain as well as the host name. Also, the dnsmasq processes started by libvirt to service guests on its virtual networks prohibit forwarding such requests. However, there are certain circumstances where this is desirable. This update adds the permission for upstream forwarding of DNS requests with unqualified domain names. The libvirt library now provides an option in its network configuration to allow forwarding of DNS requests with non-qualified hostnames. The "forwardPlainNames='yes'" option must be added as an attribute to the <dns> element of a network, after which such forwards are allowed.
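A configuration review for the two network options described under BZ#851455 and BZ#928638, both of which relax a default that exists for safety. This is an added example, not libvirt code: the network definitions are constructed, and the <port> and <address> children of <nat> with their start and end attributes follow libvirt's network XML format rather than anything stated on this page.

```python
import xml.etree.ElementTree as ET

# Constructed network definitions for illustration, not taken from a host.
DEFAULT_NET = """<network>
  <name>default</name>
  <forward mode='nat'/>
  <dns/>
  <ip address='192.168.122.1' netmask='255.255.255.0'/>
</network>"""

LOOSENED_NET = """<network>
  <name>legacy-services</name>
  <forward mode='nat'>
    <nat>
      <address start='192.0.2.10' end='192.0.2.20'/>
      <port start='512' end='1023'/>
    </nat>
  </forward>
  <dns forwardPlainNames='yes'/>
  <ip address='192.168.150.1' netmask='255.255.255.0'/>
</network>"""

PRIVILEGED_PORT_MAX = 1023  # the page: default NAT uses only ports above 1023


def _port_range(port):
    """Return (start, end) as ints, or None if the attributes are unusable."""
    try:
        start = int(port.get("start", ""))
        end = int(port.get("end", port.get("start", "")))
    except ValueError:
        return None
    if not (1 <= start <= end <= 65535):
        return None
    return start, end


def review_network(xml_text):
    """Return (network name, findings) for one network definition.

    Each finding is a (code, detail) tuple. An empty list means the network
    keeps both defaults: unprivileged NAT source ports and no upstream
    forwarding of unqualified DNS names.
    """
    root = ET.fromstring(xml_text)
    name = root.findtext("name", default="(unnamed)")
    findings = []

    for port in root.findall("./forward/nat/port"):
        rng = _port_range(port)
        if rng is None:
            findings.append(("nat-port-invalid", str(port.attrib)))
        elif rng[0] <= PRIVILEGED_PORT_MAX:
            # Guest traffic may leave the host from a privileged source port.
            findings.append(("nat-privileged-ports", "%d-%d" % rng))

    for addr in root.findall("./forward/nat/address"):
        # Not a weakness by itself; listed so firewall rules can be compared.
        findings.append(("nat-address-range",
                         "%s-%s" % (addr.get("start"), addr.get("end"))))

    dns = root.find("dns")
    if dns is not None and dns.get("forwardPlainNames") == "yes":
        # Unqualified guest lookups are sent to the upstream resolvers.
        findings.append(("dns-forward-plain-names",
                         "unqualified names are forwarded upstream"))
    return name, findings


if __name__ == "__main__":
    for text in (DEFAULT_NET, LOOSENED_NET):
        net, found = review_network(text)
        print(net, found if found else "defaults kept")
```

Feed it the output of virsh net-dumpxml for each network; the parser is meant for locally produced definitions, not untrusted XML.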
BZ#947118
Support for locking a domain's memory in the host's memory has been added to the libvirt library. This update enables users to prevent a domain's memory pages from being swapped, and thus to avoid the latency in domain execution caused by swapping. Users can now configure domains to always be present in the host memory.
BZ#956826
QEMU I/O throttling provides a fine-grained I/O control in virtual machines and provides an abstraction layer on top of the underlying storage devices.
BZ#826315, BZ#822306
A new pvpanic virtual device can be wired into the virtualization stack and a guest panic can cause libvirt to send a notification event to management applications. This feature is introduced in Red Hat Enterprise Linux 6.5 as a Technology Preview. Note that enabling the use of this device requires the use of additional qemu command line options; this release does not include any supported way for libvirt to set those options.
BZ#1014198
Previously, the virDomainDeviceUpdateFlags() function in the libvirt library allowed users to update some configuration on a domain device while the domain was still running. Consequently, when updating Network Interface Controller (NIC), the QoS could not be changed because of a missing implementation. With this update, the missing implementation has been added, and QoS can now be updated on a NIC.
Users of libvirt are advised to upgrade to these updated packages, which fix these bugs and add these enhancements. After installing the updated packages, libvirtd will be restarted automatically.
Updated libvirt packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.

Bug Fix

BZ#1029632
When two clients tried to start the same transient domain, libvirt might not have properly detected that the same domain was already being started. Consequently, more than one QEMU process could run for the same domain while libvirt did not know about them. With this update, libvirt has been fixed to properly check whether the same domain is not already being started, and thus avoids starting more than one QEMU process for the same domain.
Users of libvirt are advised to upgrade to these updated packages, which fix this bug. After installing the updated packages, libvirtd will be restarted automatically.

8.99. libvirt-cim

Updated libvirt-cim packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The libvirt-cim packages contain a Common Information Model (CIM) provider based on Common Manageability Programming Interface (CMPI). It supports most libvirt virtualization features and allows management of multiple libvirt-based platforms.

Bug Fixes

BZ#826179
Previously, running the wbemcli utility with the KVM_ComputerSystem class terminated unexpectedly with a segmentation fault. This was because even when connecting to the libvirtd daemon read-only, the domain XML with secure information, that is with the VIR_DOMAIN_XML_SECURE flag, was dumped. However, this operation is forbidden in libvirt. With this update, the flag is not used with read-only connections. Running the wbemcli command with KVM_ComputerSystem now displays the domain information as expected.
BZ#833633
When updating certain libvirt-cim or sblim-smis-hba packages, the following error could have been logged in the /var/log/messages file:
sfcbmof: *** Repository error for /var/lib/sfcb/registration/repository//root/pg_interop/qualifiers
This problem occurred because libvirt-cim installed the PG_InterOp class incorrectly in the sblim-sfcb repository, however, this class is specific for the open-pegasus package. With this update, PG_InterOp is unregistered before upgrading the package, and no error message is logged in this scenario.
BZ#859122
Previously, libvirt-cim incorrectly installed providers specific for the open-pegasus package in the sblim-sfcb repository. This could have caused various problems, for example, failures when compiling the MOF files. Providers specific for open-pegasus are now installed in the correct repository and the problems no longer occur.
BZ#908083
Previously, if a qemu domain was defined with a bridge network interface, running the libvirt-cim provider failed with the following error message:
Unable to start domain: unsupported configuration: scripts are are not supported on interfaces of type bridge
This was because code triggering a script was added in a file used to create the domain prior to checking the qemu domain type. However, scripts are not allowed for qemu domains. With this update, a check for the qemu domain type is performed prior to adding the code triggering the script. As a result, when using libvirt-cim, it is now possible to create qemu domains with the bridge network interface.
BZ#913164
Previously, a call to query a guest's current VNC address and port number returned the static configuration of the guest. If the guest was used to enable the "autoport" selection, the call did not return the allocated port. The libvirt-cim code has been modified to only return static configuration information. This allows other interfaces to return information based on the domain state. As a result, the current and correct port being used by the domain for VNC is now returned.
BZ#1000937
Virtual machines managed by a libvirt-cim broker were not aware of the "dumpCore" flag in the "memory" section nor was there support for the "shareable" property for "disk" devices. Thus, those properties were dropped from the virtual machine XML configuration when the configuration was updated by the broker. As a consequence, customers expecting or setting these properties on their virtual machines had to adjust the configurations in order to reset them. With this update, a patch has been added to libvirt-cim and it is now aware of these properties so that no changes made to the virtual machine XML configuration will be lost by the broker when it writes the configuration. As a result, virtual machines managed by the libvirt-cim broker will recognize the "dumpCore" tag in the "memory" section or the "shareable" tag on a "disk" device and not remove either when updating the virtual machine XML configuration.
Users of libvirt-cim are advised to upgrade to these updated packages, which fix these bugs.

8.100. libvirt-snmp

Updated libvirt-snmp packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The libvirt-snmp packages allow users to control and monitor the libvirt virtualization management tool through Simple Network Management Protocol (SNMP).

Bug Fix

BZ#736258
Previously, closing the libvirtMib_subagent using the Ctrl+C key combination led to a memory leak. The libvirtd daemon could also sometimes be terminated. A patch has been applied to address this issue, and a memory leak no longer occurs in this scenario.
Users of libvirt-snmp are advised to upgrade to these updated packages, which fix this bug.

8.101. libwacom

Updated libwacom packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The libwacom packages contain a library that provides access to a tablet model database. The libwacom packages expose the contents of this database to applications, allowing for tablet-specific user interfaces. The libwacom packages allow the GNOME tools to automatically configure screen mappings and calibrations, and provide device-specific configurations.

Bug Fix

BZ#847427
Previously, the Wacom Stylus pen was not supported on Lenovo ThinkPad X220 tablets by the libwacom database. Consequently, the pen was not recognized by the gnome-wacom-properties tool, and warning messages were returned. Support for the Wacom Stylus on Lenovo ThinkPad X220 tablets has been added and gnome-wacom-properties is now able to calibrate the tablet.
Users of libwacom are advised to upgrade to these updated packages, which fix this bug.

8.102. libxml2

Updated libxml2 packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The libxml2 library is a development toolbox providing the implementation of various XML standards.

Bug Fix

BZ#863166
Previously, parsing an XML file containing entities loaded via Document Type Definition (DTD) using the XML::LibXML module could lead to a missing entity error as XML::LibXML did not load entities DTD. A patch has been applied to address this problem and XML files are parsed successfully in this scenario.
Users of libxml2 are advised to upgrade to these updated packages, which fix this bug. The desktop must be restarted (log out, then log back in) for this update to take effect.

8.103. linuxptp

Updated linuxptp packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Linux PTP project is a software implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux. These packages provide a robust implementation of the standard and use the most relevant and modern Application Programming Interfaces (API) offered by the Linux kernel. Supporting legacy APIs and other platforms is not a goal.

Upgrade to an upstream version

The linuxptp package has been upgraded to upstream version 1.3, which provides a number of bug fixes and enhancements over the previous version. (BZ#916787)

Bug Fixes

BZ#910966
Previously, the ptp4l application did not limit the frequency correction of the clock. As a consequence, with some PTP clocks, when ptp4l was correcting a large offset, it could set the frequency correction to -100%, which effectively stopped the clock. This update adds a new option to configure the maximum allowed correction of the clock, which, by default, is 90%. As a result, the synchronized clock never stops unless ptp4l is allowed to adjust the clock by 100%.
BZ#910974
Previously, the phc2sys utility was not able to read information about the current Coordinated Universal Time (UTC) offset and pending leap seconds from the ptp4l application. As a consequence, the user had to specify the UTC offset manually and the leap seconds were not handled. This update adds a new option to phc2sys to wait for ptp4l to synchronize the PTP clock and to periodically read the current UTC offset and information about pending leap seconds. As a result, the phc2sys utility uses the correct UTC offset and leap seconds are handled properly.
BZ#991332, BZ#985531
Previously, the ptp4l application did not correctly check if a cached follow-up or a synchronized message could be associated with a newly received synchronization or a follow-up message. As a consequence, the messages could be associated incorrectly, which could result in a large offset and disturbed synchronization of the clock. The code which associates the synchronization and follow-up messages has been fixed. As a result, there are no longer disturbances in the synchronization.
BZ#991337
Previously, the ptp4l application did not reset the announce receipt timer for ports in the PASSIVE state when an announce message was received. As a consequence, the port in the PASSIVE state was repeatedly switching between PASSIVE and MASTER states. This bug has been fixed and the timer is now correctly reset with every announce message. As a result, the port stays in the PASSIVE state until it stops receiving announce messages.
BZ#966787
Previously, the ptp4l and phc2sys utilities did not check if the command line arguments and the values specified in the configuration file were valid. As a consequence, the utilities could terminate unexpectedly. The utilities now check if the values are valid and if an invalid value is specified, the utilities no longer terminate unexpectedly and print an error message instead.

Enhancement

BZ#977258
Occasionally, it is important that the system clock is not stepped, that is, not to interfere with other programs running on the system. Restarting the phc2sys application caused stepping of the clock. A new option has been added to phc2sys, and it is now possible to prevent phc2sys from stepping the clock.
Users of linuxptp are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.104. lksctp-tools

Updated lksctp-tools packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
These packages are intended to supplement the Stream Control Transmission Protocol (SCTP) implementation, which has been a part of the kernel since kernel version 2.5.36. For more information on LKSCTP see the section titled "LKSCTP - Linux Kernel SCTP" in the README file included in the package documentation. These packages contain the base runtime library and command line tools.

Upgrade to an upstream version

The lksctp-tools packages have been upgraded to upstream version 1.0.10, which provides a number of bug fixes and enhancements over the previous version. The patches include updates in the header file which enable users to make use of new SCTP kernel features, for example, the introduction of the SCTP_GET_ASSOC_STATS socket option in order to retrieve association statistics. (BZ#855379, BZ#908390, BZ#912557, BZ#953383)
Users of lksctp-tools are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.105. logrotate

Updated logrotate packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The logrotate utility simplifies the administration of multiple log files, allowing the automatic rotation, compression, removal, and mailing of log files.

Bug Fixes

BZ#841520
The logrotate utility always tried to set the owner of the rotated log even when the owner was the same as the current owner of the log file. Consequently, the rotation failed on file systems or systems where changing the ownership was not supported. With this update, before the ownership is changed, logrotate checks whether it is a real ownership change; that is, logrotate verifies that the new ownership is not the same as the previous one, and skips the change if it is not a real ownership change. The logrotate utility now rotates logs as expected in this scenario.
BZ#847338
Setting the Access control list (ACL) on a rotated log overwrote the previously set mode of the log file. As a consequence, the "create" directive was ignored. To fix this bug, the ACL is no longer copied from the old log file when using the "create" directive and the mode defined using the "create" directive is used instead. As a result, "create" mode works as expected and it is no longer ignored in the described scenario.
BZ#847339
Both the acl_set_fd() and fchmod() functions were called to set the log file's permissions. Consequently, there was a race condition where the log file could have unsafe permissions for a short time during its creation. With this update, only one of those functions is called, depending on the combination of directives used in the configuration file, and a race condition between the acl_set_fd() and fchmod() functions is not possible in the described scenario.
BZ#848131
Because the inverse umask value 0000 was used when creating a new log file, the newly created log file could have unwanted 0600 permissions for a short time before the permissions were set to the proper value using the fchmod() function. With this update, umask is set to 0777 and the newly created log file has proper 0000 permissions for this short period.
BZ#920030
The default SELinux context was set after the compressed log file had been created. Consequently, the compressed log did not have the proper SELinux context. With this update, the default SELinux context is now set before the compressed log file creation and compressed log files have proper SELinux context.
BZ#922169
Temporary files created by the logrotate utility were not removed if an error occurred during its use. With this update, temporary files are now removed in such a case.
Users of logrotate are advised to upgrade to these updated packages, which fix these bugs.
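
The creation window described in BZ#848131, as an added C example that is not logrotate's own code: it creates a file once with umask 0000 and once with umask 0777, and records with fstat() what permissions the file carries between open() and fchmod(). The function names, the 0600 mode passed to open(), the 0640 target mode and the temporary directory are assumptions made for this illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* What an observer could see during and after creation of one file. */
struct create_result {
    mode_t window_mode; /* permissions between open() and fchmod() */
    mode_t final_mode;  /* permissions after fchmod() */
};

/*
 * Create `path` exclusively while `create_umask` is in effect, record the
 * mode the file has at that moment, then set the wanted mode with fchmod().
 * Note: umask() is process-wide, so this is not safe in a threaded program.
 * Returns 0 on success, -1 on error with errno set.
 */
static int create_with(const char *path, mode_t create_umask,
                       mode_t wanted, struct create_result *out)
{
    struct stat st;
    int err;
    mode_t saved = umask(create_umask);
    /* O_EXCL refuses an existing file or symlink at `path`.
     * The 0600 request is an assumption about the pre-fix call. */
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0600);
    err = errno;
    umask(saved);
    if (fd < 0) {
        errno = err;
        return -1;
    }
    if (fstat(fd, &st) != 0)
        goto fail;
    out->window_mode = st.st_mode & 07777;
    /* The owner may fchmod() through the descriptor even at mode 0000. */
    if (fchmod(fd, wanted) != 0)
        goto fail;
    if (fstat(fd, &st) != 0)
        goto fail;
    out->final_mode = st.st_mode & 07777;
    close(fd);
    return 0;
fail:
    err = errno;
    close(fd);
    unlink(path);
    errno = err;
    return -1;
}

/* Behaviour before the fix: umask 0000, so the requested 0600 is applied. */
int create_log_old(const char *path, mode_t wanted, struct create_result *out)
{
    return create_with(path, 0000, wanted, out);
}

/* Behaviour after the fix: umask 0777 masks every bit until fchmod(). */
int create_log_fixed(const char *path, mode_t wanted, struct create_result *out)
{
    return create_with(path, 0777, wanted, out);
}

/* Run both variants in a fresh temporary directory (constructed paths). */
int run_demo(struct create_result *old_r, struct create_result *fixed_r)
{
    const char *tmp = getenv("TMPDIR");
    char dir[200], a[256], b[256];
    int rc = -1;

    snprintf(dir, sizeof dir, "%s/logrotate-demo-XXXXXX", tmp ? tmp : "/tmp");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(a, sizeof a, "%s/old.log", dir);
    snprintf(b, sizeof b, "%s/fixed.log", dir);
    if (create_log_old(a, 0640, old_r) == 0 &&
        create_log_fixed(b, 0640, fixed_r) == 0)
        rc = 0;
    unlink(a);
    unlink(b);
    rmdir(dir);
    return rc;
}

int main(void)
{
    struct create_result o, f;
    if (run_demo(&o, &f) != 0) {
        perror("run_demo");
        return 1;
    }
    printf("umask 0000: window %04o, final %04o\n",
           (unsigned)o.window_mode, (unsigned)o.final_mode);
    printf("umask 0777: window %04o, final %04o\n",
           (unsigned)f.window_mode, (unsigned)f.final_mode);
    return 0;
}
```

Both variants end at the same final mode; only the permissions visible during the window differ, which is the property the update changes.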

8.106. logwatch

An updated logwatch package that fixes several bugs is now available for Red Hat Enterprise Linux 6.
Logwatch is a customizable, pluggable log-monitoring system. It will go through the user's logs for a given period of time and make a report in the areas that the user needs.

Bug Fixes

BZ#737247
Previously, logwatch did not correctly parse the up2date service's "updateLoginInfo() login info" messages and displayed them as unmatched entries. With this update, parsing of such log messages has been fixed and works as expected.
BZ#799690
Prior to this update, logwatch did not correctly parse many Openswan log messages and displayed them as unmatched entries. With this update, parsing of such log messages has been fixed and works as expected.
BZ#799987
Logwatch did not parse Dovecot 2.x log messages properly. That resulted in a lot of unmatched entries in its reports. This patch adds additional logic to correctly parse Dovecot 2.x logs, thus unmatched entries related to Dovecot 2.x messages no longer appear.
BZ#800843
The .hdr files are headers for RPM packages; they are essentially metadata. Logwatch's HTTP service parser emitted warnings for the .hdr files, even when the "Detail" parameter was set to "Low". With this update, the .hdr files are now parsed as archives, which removes spurious warnings about the .hdr files.
BZ#837034
Previously, logwatch did not correctly handle the "MailTo" option in its configuration. That resulted in no output, even though a report should have been displayed. This patch adds additional logic to correctly handle an empty "MailTo" option. As a result, output is correctly produced even when this option is empty.
BZ#888007
Prior to this update, logwatch did not correctly parse many smartd log messages and displayed them as unmatched entries. With this update, parsing of such log messages has been fixed and works as expected.
BZ#894134
Prior to this update, logwatch did not correctly parse DNS log messages with DNSSEC validation enabled and displayed them as unmatched entries. With this update, parsing of such log messages has been fixed and works as expected.
BZ#894185
Previously, logwatch did not correctly parse the postfix service's "improper command pipelining" messages and displayed them as unmatched entries. With this update, parsing of such log messages has been fixed and works as expected.
BZ#894191
Previously, logwatch did not correctly parse user names in the secure log. It improperly assumed that such names are composed of letters only and displayed messages containing names with other symbols, such as digits, as unmatched entries. With this update, parsing of user names has been enhanced to include underscores and digits, thus log messages containing such user names no longer display as unmatched entries.
BZ#974042
Logins initiated with the "su -" or "su -l" command were not correctly parsed by logwatch and were displayed as unmatched entries. This update fixes this bug.
BZ#974044
Prior to this update, logwatch did not correctly parse the RSYSLOG_FileFormat time stamps and displayed them as unmatched entries. With this update, parsing of the rsyslog time stamps has been fixed and works as expected.
BZ#974046
SSH Kerberos (GSS) logins were not correctly parsed by logwatch and were displayed as unmatched entries. This update fixes this bug.
BZ#974047
Xen virtual console logins were not correctly parsed by logwatch and were displayed as unmatched entries. This update fixes this bug.
Users of logwatch are advised to upgrade to this updated package, which fixes these bugs.

8.107. luci

Updated luci packages that fix two security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
Luci is a web-based high availability administration application.

Security Fixes

CVE-2013-4482
A flaw was found in the way the luci service was initialized. If a system administrator started the luci service from a directory that was writable to by a local user, that user could use this flaw to execute arbitrary code as the root or luci user.
CVE-2013-4481
A flaw was found in the way luci generated its configuration file. The file was created as world readable for a short period of time, allowing a local user to gain access to the authentication secrets stored in the configuration file.
These issues were discovered by Jan Pokorný of Red Hat.

Bug Fixes

BZ#917747
Previously, luci did not reflect concurrent additions to fence devices coverage as happened in the fence-agents package. Consequently, Dell iDRAC (idrac), HP iLO2 (ilo2), HP iLO3 (ilo3), HP iLO4 (ilo4), and IBM Integrated Management Module (imm) devices or agents were not honored in luci, leading to the inability to properly work with or to set up a cluster comprising these devices. This update restores the capability of luci to work with a full intended set of fence devices.
BZ#956360
Previously, luci did not run in FIPS mode because it utilized components that were not compliant with FIPS. Both components, the python-breaker library and the python-weberror error handler have been modified to comply with FIPS so that luci now works in FIPS mode as expected.
BZ#978479
Due to a bug in the luci code, a data race condition could occur while adding multiple nodes into a cluster with a single request. As a consequence, nodes could have been provided configurations with varying version numbers, leaving the cluster in an unexpected state. The respective luci code has been fixed so this data race cannot be triggered anymore. Multiple nodes can now be added to a cluster at once without a risk of negative consequences.
BZ#773491
The previous implementation of dynamic pop-up messages had a high probability of messages leaving the screen unnoticed under certain circumstances. Therefore, the respective luci code has been modified to adjust dynamic pop-ups to appear as static messages, which significantly decreases the chance that a message might go unnoticed.
BZ#883008
Previously, luci did not reflect concurrent additions to parameters for some fence devices (including "cmd_prompt", "login_timeout", "power_timeout", "retry_on", "shell_timeout") or respective instances ("delay") as happened in the fence-agents package. Consequently, the valid parameters could be dropped from the respective part of the configuration upon submitting the dedicated forms in luci. This update restores the capability of luci to work with a full intended set of fence agents parameters and, in turn, prevents luci from unexpectedly discarding the already configured parameters.
BZ#896244
Due to a bug in the cluster.conf(5) man page, luci expected the default value for the syslog_facility option in the cluster logging configuration to be "daemon" instead of the actual default value "local4". Consequently, all logging configuration items without "syslog_facility" explicitly set were thus marked as having "Syslog Message Facility" of "daemon" in luci. This could result in no cluster messages being logged into the custom log file for the rules containing "daemon.*". With this update, luci correctly recognizes "local4" as the default syslog message facility and logging configuration items in luci are marked accordingly by default. The user is now able to effectively set the syslog facility of the logging configuration item to be "daemon". In such a case, cluster messages are logged into log files containing the "daemon.*" rules as expected.
BZ#886517
The luci application did not automatically enable the ricci and modclusterd services upon creating a new cluster or adding a node to the existing cluster. Therefore, an administrator's intervention was necessary because these services are essential for managing the cluster during its life-cycle. Without these services, luci sustained the contact with cluster nodes, preventing the cluster from rebooting. With this update, luci has been modified to enable the ricci and modclusterd services on every cluster's node when creating a new cluster or adding a node to the existing cluster. The administrator's intervention is no longer needed in the aforementioned scenario.
BZ#878149
Previously, if no cluster node could have been contacted on certain luci pages, luci displayed the Error 500 message on that page and logged an error message with a traceback into its log. As an appropriate response to this situation, this update modifies luci to display one of the following messages:
Unable to contact any of the nodes in this cluster.
No nodes from this cluster could be contacted. The status of this cluster is unknown
BZ#880363
Due to a bug in luci validation code, a confusing validation error message was displayed if a non-existing failover domain in the "Failover Domains" tab was specified. This bug has been fixed and luci now processes these validation errors correctly, displaying appropriate error messages as expected.
BZ#878960
The "User preferences" page was accessible without authentication, which allowed an anonymous user to disable or enable "expert" mode. Although this behavior had no direct security impact, consistency in assigned authorization is considered to be best practice. This update modifies luci to strictly require users to be authenticated before accessing this "Preferences" page.
BZ#886576
The "Remove this instance" button in the "Edit Fence Instance" form had no function and could have misled cluster administrators. This button has been removed so the aforementioned form now shows only the relevant content.
BZ#1001835
The luci application incorrectly considered the "module_name" parameter of the Dell DRAC 5 fence device as mandatory. Therefore, such a fence device could not have been created without specifying its module name. The validation code has been fixed so luci now treats this parameter as optional, and Dell DRAC 5 fence devices can now be successfully created without module names.

Enhancements

BZ#917814
A confirmation pop-up dialog has been added that prevents luci from removing selected clusters accidentally.
BZ#983693
The luci application now reflects the concurrent extension to the oracledb, orainstance, and oralistener resource agents regarding Oracle Database 11g support. This also includes the ability to configure the newly supported TNS_ADMIN variable to allow for wider customization.
All luci users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. After installing this update, the luci service will be restarted automatically.

8.108. lvm2

Updated lvm2 packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The lvm2 packages include all of the support for handling read and write operations on physical volumes, creating volume groups from one or more physical volumes and creating one or more logical volumes in volume groups.

Bug Fixes

BZ#820991
When visible clustered volume groups (VGs) were present in the system, it was not possible to silently skip them with proper return error code while the non-clustered locking type was used. To fix this bug, the "--ignoreskippedcluster" option has been added for several LVM commands; namely pvs, vgs, lvs, pvdisplay, vgdisplay, lvdisplay, vgchange, and lvchange. With this option, the clustered VGs are skipped correctly without any warning or error messages while the return error code also does not depend on these clustered VGs.
BZ#834327
Previously, the lvremove command failed to remove a virtual snapshot device if this device was still open. Consequently, the <virtual_snapshot_name>_vorigin device-mapper device was left on the system after the failed removal. A manual removal using dmsetup was required to discard this device. With this update, lvremove has been modified to properly check the LV open count status before proceeding with the removal operation.
BZ#861227
Previously, when the lvconvert command was used with the "--stripes" option, the required supplementary options, such as "--mirrors" or "--repair", "thinpool", or "type raid*/mirror", were not enforced. Consequently, calling "lvconvert --stripes" without accompanying conversion instructions led to an incomplete conversion. With this update, a condition has been added to enforce the correct syntax. As a result, an error message is now displayed in the described scenario.
BZ#880414
Previously, certain lvm2app functions were returning values in sectors instead of bytes. This behavior applied to the values of origin_size, vg_extent_size, stripe_size, region_size, chunk_size, seg_start, and pvseg_size. Consequently, the returned lvm2app results were inconsistent and therefore misleading. This behavior has been changed and all lvm2app values are now returned in bytes.
BZ#902538
The lvm2 tools determine the PowerPath major number by searching for an "emcpower" line in the /proc/devices file. Previously, some versions of PowerPath used the ID string "power2". As a consequence, on systems with such an identifier, PowerPath devices were not given the expected precedence over PowerPath components which exhibit the same physical volume UUID. With this update, detection of EMC power devices works as expected, and the priority of devices is now set properly.
BZ#902806
Prior to this update, the lvm2 dmeventd daemon attempted to reset to C locales only through the LANG environment variable. However, when the system sets locales using the LC_ALL variable, this variable has a higher priority than the LANG variable, which led to extensive memory consumption. With this update, LC_ALL is reset to C instead of LANG, thus reducing the memory consumption.
BZ#905254
With this update, a specific diagnostic message has been added for the case when the lvmetad daemon was already running or its pidfile was locked for any other reason. Trying to start lvmetad while it is already running now returns a message with a clear indication of the problem:
Failed to acquire lock on /var/run/lvmetad.pid. Already running?
BZ#907487
Previously, the 'vgreduce --removemissing' command could not be used when missing physical volumes were still used by RAID logical volumes. Now, it is possible for 'vgreduce --removemissing' to replace the failed physical volume with an 'error' segment within the affected RAID logical volumes and remove the PV from the volume group. However, in most cases it is better to replace a failed RAID device with a spare one (with use of 'lvconvert --repair') if possible.
BZ#910104
Under certain circumstances, cached metadata in the lvmetad daemon could have leaked during metadata updates. With this update, lvmetad has been fixed to prevent the leak.
BZ#913644
Previously, if a device had failed after the vgexport command was issued, it was impossible to import the volume group. Additionally, this failure to import also meant it was impossible to repair the volume group. It is now possible to use the '--force' option with vgimport to import volume groups even if there are devices missing.
BZ#914143
When LVM scans devices for LVM metadata, it applies several filters, such as the multipath filter, MD component filter, or partition signature filter. Previously, the order in which these filters were applied caused the multipath filter to fail to filter out a multipath component because the device was accessed by other filters. Consequently, I/O errors occurred if the path was not accessible. With this update, the order of filtering has been changed and the multipath filter now works as expected.
BZ#919604
The 'raid1' type can be used to set the device fault tolerance for thinpool logical volumes. It is no longer possible to create thinpools on top of logical volumes of 'mirror' segment type. The existing thinpools with data or meta data areas of 'mirror' segment type will still function, however, it is recommended to convert these to 'raid1' with use of the 'lvconvert' command.
BZ#928537
When using the pvcreate command with the --restorefile and --uuid options while the supplied UUID was incorrect, an internal error message about a memory leak was issued:
 Internal error: Unreleased memory pool(s) found.
With this update, the memory leak has been fixed and the error message is no longer displayed.
BZ#953612
When updating the device-mapper-event package to a later version, the package update script attempts to restart running dmeventd instance and to replace it with the new dmeventd daemon. However, the previous version of dmeventd does not recognize the notification for restart and therefore a manual intervention is needed in this situation. Previously, the following warning message was displayed:
WARNING: The running dmeventd instance is too old
In order to provide more precise information and advice on the required action, the following message has been added for the described case:
Failed to restart dmeventd daemon. Please, try manual restart
BZ#953867
When using the lvmetad daemon together with the accompanying LVM autoactivation feature, the logical volumes on top of encrypted devices were not automatically activated during system boot. This was caused by ignoring the extra udev event that was artificially generated during system boot to initialize all existing devices. This bug has been fixed, and LVM now properly recognizes the udev event used to initialize the devices at boot, including encrypted devices.
BZ#954061
When using the lvmetad daemon together with the accompanying LVM autoactivation feature, the device-mapper devices representing the logical volumes were not refreshed after the underlying PV was unplugged or deactivated and then plugged back or activated. This was caused by assigning a different major and minor pair to identify the reconnected device, while LVs mapped on this device still referenced it with the original pairs. This bug has been fixed and LVM now always refreshes logical volumes on PV device after reactivation.
BZ#962436
Due to a regression introduced in LVM version 2.02.74, when the optimal_io_size device hint was smaller than the default pe_start size of 1 MiB, this optimal_io_size was ignored and the default size was used. With this update, the optimal_io_size is applied correctly to calculate the PV's pe_start value.
BZ#967247
Prior to this update, before adding additional images to a RAID logical volume, the available space was calculated incorrectly. Consequently, if the available space was insufficient, adding these images failed. This bug has been fixed and the calculation is now performed correctly.
BZ#973519
Previously, if the nohup command was used together with LVM commands that do not require input, nohup configured the standard input as write-only while LVM tried to reopen it also for reading. Consequently, the commands terminated with the following message:
stdin: fdopen failed: Invalid argument
LVM has been modified and if the standard input is already open write-only, LVM does not attempt to reopen it for reading.
BZ#976104
Previously, when converting a linear logical volume to a mirror logical volume, the preferred mirror segment type set in the /etc/lvm/lvm.conf configuration file was not always accepted. This behavior has been changed, and the segment type specified with the 'mirror_segtype_default' setting in configuration file is now applied as expected.
BZ#987693
Due to a code regression, corruption of a thin snapshot occurred when the underlying thin-pool was created without the '--zero' option. As a consequence, the first 4KB in the snapshot could have been invalidated. This bug has been fixed and the snapshot is no longer corrupted in the aforementioned scenario.
BZ#989347
Due to an error in the LVM allocation code, lvm2 attempted free space allocation contiguous to an existing striped space. When trying to extend a 3-way striped logical volume using the lvextend command, the lvm2 utility terminated unexpectedly with a segmentation fault. With this update, the behavior of LVM has been modified, and lvextend now completes the extension without a segmentation fault.
BZ#995193
Previously, it was impossible to convert a volume group from clustered to non-clustered with a configuration setting of 'locking_type = 0'. Consequently, problems could arise if the cluster was unavailable and it was necessary to convert the volume group to non-clustered mode. With this update, LVM has been modified to make the aforementioned conversion possible.
BZ#995440
Prior to this update, the repair of inconsistent metadata used an inconsistent code path depending on whether the lvmetad daemon was running and enabled. Consequently, the lvmetad version of meta data repair failed to correct the meta data and a warning message was printed repeatedly by every command until the problem was manually fixed. With this update, the code paths have been reconciled. As a result, metadata inconsistencies are automatically repaired as appropriate, regardless of the lvmetad.
BZ#997188
When the lvm_list_pvs_free function from the lvm2app library was called on a system with no physical volumes, lvm2app code tried to free an internal structure that had already been freed before. Consequently, the function terminated with a segmentation fault. This bug has been fixed, and the segmentation fault no longer occurs when calling lvm_list_pvs_free.
BZ#1007406
When using LVM logical volumes on MD RAID devices as PVs and while the lvmetad daemon was enabled, the accompanying logical volume automatic activation sometimes left incomplete device-mapper devices on the system. Consequently, no further logical volumes could be activated without manual cleanup of the dangling device-mapper devices. This bug has been fixed, and dangling devices are no longer left on the system.
BZ#1009700
Previously, LVM commands could become unresponsive when attempting to read an LVM mirror just after a write failure but before the repair command handled the failure. With this update, a new 'ignore_lvm_mirrors' configuration option has been added to avoid this issue. Setting this option to '1' will cause LVM mirrors to be ignored and prevent the described problem. Ignoring LVM mirrors also means that it is impossible to stack volume groups on LVM mirrors. The aforementioned problem is not present with the LVM RAID types, like "raid1". It is recommended to use the RAID segment types especially when attempting to stack volume groups on top of mirrored logical volumes.
BZ#1016322
Prior to this update, a race condition could occur during the pool destruction in libdevmapper.so. Consequently, the lvmetad daemon sometimes terminated due to heap corruption, especially under heavier concurrent loads, such as multiple LVM commands executing at once. With this update, correct locking has been introduced to fix the race condition. As a result, lvmetad no longer suffers heap corruption and subsequent crashes.
BZ#1020304
The blkdeactivate script iterates over the list of devices given to it as an argument and tries to unmount or deactivate them one by one. However, in case of failed unmount or deactivation, the iteration did not proceed. Consequently, blkdeactivate kept attempting to process the same device and entered an endless loop. This behavior has been fixed and if blkdeactivate fails to unmount or deactivate any of the devices, the processing of this device is properly skipped and blkdeactivate proceeds as expected.

Enhancements

BZ#814737
With this update, lvm2 has been enhanced to support the creation of thin snapshots of existing non-thinly-provisioned logical volumes. Thin-pool can now be used for these snapshots of non-thin volumes, providing performance gains. Note that the current lvm2 version does not support the merge feature, so unlike with older lvm2 snapshots, an updated device cannot be merged back into its origin device.
BZ#820203
LVM now supports validation of configuration files and it can report any unrecognized entries or entries with wrong value types in addition to existing syntax checking. To support this feature, a new "config" configuration section has been added to the /etc/lvm/lvm.conf configuration file. This section has two configurables: "config/checks" which enables or disables the checking (enabled by default), and "config/abort_on_errors" which enables or disables immediate abort on any invalid configuration entry found (disabled by default).
In addition, new options have been added to the "lvm dumpconfig" command that make use of the new configuration handling code introduced. The "lvm dumpconfig" now recognizes the following options: --type, --atversion, --ignoreadvanced, --ignoreunsupported, --mergedconfig, --withcomments, --withversions, and --validate.
BZ#888641
Previously, the scm (Storage Class Memory) device was not internally recognized as a partitionable device. Consequently, scm devices could not be used as physical volumes. With this update, the scm device has been added to the internal list of devices which are known to be partitionable. As a result, physical volumes are supported on scm partitions. Also, the new 'lvm devtypes' command has been added to list all known device types.
BZ#894136
When the lvmetad daemon is enabled, metadata is cached in RAM and most LVM commands do not consult on-disk metadata during normal operation. However, when metadata becomes corrupt on disk, LVM may not notice until a restart of lvmetad or a reboot. With this update, the vgck command used for checking VG consistency has been improved to detect such on-disk corruption even while lvmetad is active and the metadata is cached. As a result, users can issue the "vgck" command to verify consistency of on-disk metadata at any time, or they can arrange a periodic check using cron.
BZ#903249
If a device temporarily fails, the kernel notices the interruption and regards the device as disabled. Later, the kernel needs to be notified before it accepts the device as alive again. Previously, LVM did not recognize these changes and the 'lvs' command reported the device as operating normally even though the kernel still regarded the device as failed. With this update, 'lvs' has been modified to print a 'p' (partial) if a device is missing and also an 'r' (refresh/replace) if the device is present but the kernel regards the device as still disabled. When seeing an 'r' attribute for a RAID logical volume, the user can then decide if the array should be refreshed (reloaded into the kernel using 'lvchange --refresh') or if the device should be replaced.
BZ#916746
With this update, snapshot management handling of COW device size has been improved. This version trims the snapshot COW size to the maximal usable size to avoid unnecessary disk space consumption. It also stops snapshot monitoring once the maximal size is reached.
BZ#921280
Support for more complicated device stacks for thin pools has been enhanced to properly resize more complex volumes like mirrors or raids. The new lvm2 version now supports thin data volume extension on raids. Support for mirrors has been deactivated.
BZ#921734
Prior to this update, the "vgchange -c {y|n}" command call changed all volume groups accessible on the system to clustered or non-clustered. This may have caused an unintentional change and therefore the following prompt has been added to acknowledge this change:
Change clustered property of all volumes groups? [y/n]
This prompt is displayed only if the "vgchange -c {y|n}" is called without specifying target volume groups.
BZ#924137
The blkdeactivate utility now suppresses error and information messages from external tools that are called. Instead, only a summary message "done" or "skipped" is issued by blkdeactivate. To show these error messages if needed, a new -e/--errors switch has been added to blkdeactivate. Also, there's a new -v/--verbose switch to display any information messages from external tools together with any possible debug information.
BZ#958511
With this update, the blkdeactivate utility has been modified to correctly handle file systems mounted with bind (the 'mount -o bind' command). Now, blkdeactivate unmounts all such mount points correctly before trying to deactivate the volumes underneath.
BZ#969171
When creating many RAID logical volumes at the same time, it is possible for the background synchronization I/O necessary to calculate parity or copy mirror images to crowd out nominal I/O and cause subsequent logical volume creation to slow dramatically. It is now possible to throttle this initializing I/O via the '--raidmaxrecoveryrate' option to lvcreate. You can use the same argument with lvchange to alter the recovery I/O rate after a logical volume has been created. Reducing the recovery rate will prevent nominal I/O from being crowded out. Initialization will take longer, but the creation of many logical volumes will proceed more quickly. (BZ#969171)
BZ#985976
With this update, RAID logical volumes that are created with LVM can now be checked with use of scrubbing operations. Scrubbing operations are user-initiated checks to ensure that the RAID volume is consistent. There are two scrubbing operations that can be performed by appending the "check" or "repair" option to the "lvchange --syncaction" command. The "check" operation will examine the logical volume for any discrepancies, but will not correct them. The "repair" operation will correct any discrepancies found.
BZ#1003461
This update adds support for thin external origin to lvm2. This allows any LV to be used as an external origin for a thin volume. All unprovisioned blocks are loaded from the external origin volume, while all once-written blocks are loaded from the thin volume. This functionality is provided by the 'lvcreate --snapshot' command and the 'lvconvert' command that converts any LV into a thin LV.
BZ#1003470
The error message 'Cannot change discards state for active pool volume "pool volume name"' has been improved to be more comprehensible: 'Cannot change support for discards while pool volume "pool volume name" is active'.
BZ#1007074
The repair of corrupted thin pool metadata is now provided by the 'lvconvert --repair' command, which is a low-level manual repair. The thin pool metadata volume can be swapped out of the thin-pool LV via the 'lvconvert --poolmetadata swapLV vg/pool' command and then the thin_check, thin_dump, and thin_repair commands can be used to run a manual recovery operation. After the repair, the thin pool metadata volume can be swapped back. This low-level repair should only be used when the user is fully aware of thin-pool functionality.
BZ#1017291
LVM now recognizes NVM Express devices as a proper block device type.
Users of lvm2 are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.109. mailx

Updated mailx packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The mailx packages contain a mail user agent that is mostly used to manage mail using scripts.

Bug Fixes

BZ#845098
Prior to this update, the "mail" utility provided with the Red Hat Enterprise Linux 6 mailx packages was not fully compatible with the utility provided with the Red Hat Enterprise Linux 5 mailx package and packages in earlier releases of Red Hat Enterprise Linux. Consequently, some user scripts written for the mail utility did not work with "mail" in Red Hat Enterprise Linux 6. Support for multiple versions of the "mail" utility has been added to the mailx packages. This allows the user to install alternative packages providing this utility, for example, bsd-mailx.
BZ#857120
The mailx command did not set the error return code when it failed to send an e-mail because the TMPDIR environment variable was set to an invalid path. As a consequence, error checking was incorrect and therefore not helpful. With this update, the correct return code is set when mailx fails to send an e-mail. The error checking now works properly.
Users of mailx are advised to upgrade to these updated packages, which fix these bugs.

8.110. man-pages-fr

Updated man-pages-fr packages that fix one bug are now available.
The man-pages-fr packages contain manual pages in French.

Bug Fix

BZ#903048
Due to some problem in the build system of the French manual page package man-pages-fr, some manual pages were not included in the package. Some manual pages, for example the manual page of “echo” were displayed in English even when the system was running in a French locale. Thus, the command “man echo” displayed an English manual page. The build problem in the man-pages-fr package is fixed, and the missing manual pages are now included. Hence, manual pages are now displayed in French when the system is running in a French locale, for example “man echo” now shows a French manual page.
Users of man-pages-fr are advised to upgrade to these updated packages, which fix this bug.

8.111. man-pages-ja

An updated man-pages-ja package that fixes two bugs is now available for Red Hat Enterprise Linux 6.
The man-pages-ja package contains manual pages in Japanese.

Bug Fixes

BZ#949787
The shmat(2) man page in the previous release did not mention the EIDRM error code, which could have been returned by the shmat utility. With this update, the EIDRM error code is included in shmat.
BZ#957937
The strtoul(3) man page in the previous release incorrectly mentioned the range of the return value. This update fixes the aforementioned problem.
Users of man-pages-ja are advised to upgrade to this updated package, which fixes these bugs.

8.112. man-pages-overrides

Updated man-pages-overrides packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
The man-pages-overrides packages provide a collection of manual (man) pages to complement other packages or update those contained therein.

Bug Fixes

BZ#988125
The madvise(2) manual page did not contain the "MADV_DODUMP" and "MADV_DONTDUMP" arguments. This update adds a description of these arguments to the madvise(2) manual page.
BZ#833868
Previously, the manual page for the dig utility contained upstream-specific options for an Internationalized Domain Name (IDN) library. Consequently, these options did not function as expected and users were incapable of disabling IDN support in dig following the steps from the manual page. The dig(1) manual page has been modified to include the options of the IDN library used in Red Hat Enterprise Linux and users can now successfully disable IDN support in dig following the steps from the manual page.
BZ#978981
Previously, no manual page for the getent utility was available in Red Hat Enterprise Linux 6. This update adds the missing getent(1) manual page and the documentation of the utility is now complete.
BZ#872144
Prior to this update, the top(1) manual page did not describe calculation of resident memory size properly. The incorrect calculation of resident memory size has been removed from this manual page.
BZ#1018622
Previously, the description of the "new station" message in the arpwatch(8) manual page was not accurate, which could cause confusion. This update adds a correct description of the "new station" message to the arpwatch(8) manual page.
BZ#896700
Previously, the auditd.conf(5) manual page contained an incomplete sentence. The incomplete sentence has been fixed with this update.
BZ#974697
The ld.so(8) manual page contained an incorrect description of the "LD_PRELOAD" variable. With this update, the description of the variable has been corrected in the ld.so(8) manual page.
BZ#1002071
The bash(1) manual page did not reflect the behavior changes in the "extglob" option introduced in Bash version 4.1. This update adds a correct description of "extglob" behavior to the bash(1) man page.
BZ#903258
The manual page for the fallocate utility did not contain description of the "FALLOC_FL_PUNCH_HOLE" flag. This update adds a description of "FALLOC_FL_PUNCH_HOLE" to the fallocate(2) manual page.
BZ#979318
Previously, the manual page for the netstat utility did not mention IPv6 in the description of the command's "-A" option. With this update, the description of the IPv6 functionality has been added to the netstat(8) manual page.
BZ#905066
Previously, loading Certification Authority (CA) certificates by nickname when using the curl utility with Network Security Services (NSS) was described incorrectly in the curl documentation. This update adds correct documentation of the above mentioned process.
BZ#957010
Prior to this update, the strtoul(3) manual page contained incorrect return values of the "strtoul()" and "strtoull()" functions. This update fixes the strtoul(3) manual page and it now contains correct information.
BZ#960281
Previously, the clock_getres(2) manual page did not contain the "CLOCK_MONOTONIC_COARSE" and "CLOCK_REALTIME_COARSE" clk_id values. With this update, the above mentioned values have been added to the clock_getres(2) manual page.
BZ#974685
Previously, the sched_setaffinity(2) manual page contained an incorrect example, which could cause confusion. The incorrect example has been removed from the sched_setaffinity(2) manual page.
BZ#951826
Previously, the manual page for the postconf utility contained incorrect information about the default configuration of a postfix server. This update fixes the default configuration description in the postconf(5) manual page.
BZ#979460
The mailx(1) manual page contained an incomplete entry about setting variables with the "-S" option. This update provides a better description of setting variables with the "-S" option and adds an example of the syntax using "from=" to the mailx(1) manual page.
BZ#913191
Prior to this update, the selinux(8) manual page contained outdated information. This manual page has been updated, and SELinux is now documented correctly.
BZ#907837
The useradd(8) manual page contained an incorrect description of the "-u, --uid UID" option, which could cause confusion. The description has been fixed with this update.
BZ#807323
Previously, a manual page for the byzanz-record utility did not mention the possibility to use the "webm" output format and the manual page was thus incomplete. This update adds "webm" to the byzanz-record(1) manual page.
BZ#1020417
The ssh_config(5) manual page contained an incorrect default value for the "KexAlgorithms" option. This bug has been fixed and the default value for "KexAlgorithms" in the ssh_config(5) manual page is now correct.
BZ#1020432
The "-n" option in the ssh-keygen utility was renamed to "-Z", but the ssh-keygen(1) manual page was not updated. This bug has been fixed and the ssh-keygen(1) manual page now describes the correct option.

Enhancement

BZ#928917
Previously, the "O_DIRECT" flag was not described in the open(2) manual page. This update adds this description and the documentation is now complete.
Users of man-pages-overrides are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

8.113. mcelog

Updated mcelog packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The mcelog packages contain a daemon that collects and decodes Machine Check Exception (MCE) data on AMD64 and Intel 64 machines.

Bug Fixes

BZ#875824
Previously, mcelog packages installed a cron job to report the status of mce logs, which conflicted with running the mcelogd service as default mode. Consequently, mcelog competed with the cron job and did not collect complete data. With this update, the cron job is not installed in case mcelogd is running, thus fixing this bug.
BZ#919999
Due to a bug in mcelog packages, the AMD Family 15 architecture was not supported. The bug has been fixed and mcelog now supports AMD Family 15 as expected.
BZ#996634
Previously, support for extended logging was enabled by default in mcelog packages. Consequently, on systems with processors without support for extended logging, the mcelog service terminated unexpectedly with the following message:
mcelog: Cannot open /dev/cpu/0/msr to set imc_log: Permission denied
With this update, extended logging is disabled by default in mcelog packages, and the mcelog service no longer crashes in the aforementioned scenario.

Enhancement

BZ#881555, BZ#922873, BZ#991079
With this update, mcelog packages support Intel Xeon Processor E5-XXXX v3, Intel Xeon Processor E5-XXXX, and Intel Xeon Processor E3-XXXX v3 architectures.
Users of mcelog are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.114. mdadm

Updated mdadm packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The mdadm packages contain a utility for creating, managing, and monitoring Linux multiple disk (MD) devices.

Upgrade to an upstream version

The mdadm packages have been upgraded to upstream version 3.2.6, which provides a number of bug fixes and enhancements over the previous version, including performance improvements. (BZ#922971)

Bug Fixes

BZ#903212
Previously, while expanding the size of an Intel Matrix Storage Manager (IMSM) RAID1 or RAID5 volume, the resynchronization process was reported in the /proc/mdstat file but there was no information about the process stored in the volume's metadata. Consequently, if the RAID volume was stopped during the process of size expansion, all information about this progress was lost and the resynchronization would be restarted from the beginning on the next array reassembly. A patch has been applied to address this problem, and information is now stored in metadata as expected in the described scenario.
BZ#950545
Prior to this update, the mdadm utility did not work correctly when attempting to write a superblock onto a defective drive. Consequently, mdadm could terminate unexpectedly with a segmentation fault if it encountered a write error. This bug has been fixed and mdadm no longer crashes in this scenario.
BZ#955972
Previously, the mdadm utility did not work correctly if a rebuild of an Intel Matrix Storage Manager (IMSM) RAID5 volume was started in Option ROM (OROM). Consequently, the RAID5 volume was in the "degraded" state once booted into the operating system and the rebuild did not proceed. A patch has been applied to address this problem and rebuilding IMSM RAID5 volumes now completes successfully in the described scenario.
BZ#956016
Previously, when an Intel Matrix Storage Manager (IMSM) volume was being reshaped, the "mdadm -Ss" command used for stopping the process did not work properly. Consequently, on the first run of "mdadm -Ss", only the volume was stopped but the container was left in place, and a second execution of the command was necessary. This bug has been fixed and the command now works as expected during a volume's reshape.
BZ#995105
Previously, when an Intel Matrix Storage Manager (IMSM) RAID10 volume was being resynchronized or rebuilt, stopping the process after 50% completion did not work properly. As a consequence, the processes did not proceed correctly after reassembling, and the data became corrupted. With this update, resynchronization and rebuild work correctly in this scenario.
BZ#1001627
Prior to this update, when an Intel Matrix Storage Manager (IMSM) RAID1 or RAID10 volume was being rebuilt and this process was stopped, an attempt to resume the rebuild was not successful. Consequently, the rebuild did not start even when a new drive was added to the container, and metadata contained incorrect information. This bug has been fixed and resuming a rebuild now works properly in the described scenario.
BZ#1010859
Previously, the mdadm utility did not work correctly when a disk failed in an Intel Matrix Storage Manager (IMSM) RAID volume. Consequently, the failed disk was removed neither from the volume nor from the container, the volume was not in the "degraded" state, and the rebuild could not start. With this update, mdadm handles failed disks in RAID volumes properly.
Users of mdadm are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.115. mesa

Updated mesa packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
Mesa provides a 3D graphics API that is compatible with Open Graphics Library (OpenGL). It also provides hardware-accelerated drivers for many popular graphics chips.

Bug Fixes

BZ#879637
On certain Intel GT2+ processors, segmentation faults could have been reported in the output of the dmesg command after running a Piglit quick-driver test. A patch has been applied to address this bug, and the unwanted behavior no longer occurs.
BZ#908547
Prior to this update, compressed texture size checks were performed in an incorrect manner. Consequently, checking the image size against the compression block size could cause certain applications to terminate unexpectedly. The underlying source code has been modified, and the texture error no longer causes the applications to crash in the described scenario.

Enhancements

BZ#818345
Support for future Intel 2D and 3D graphics has been added to allow systems using future Intel processors to be certified through the Red Hat Hardware Certification program.
BZ#957792
With this update, the mesa-private-llvm library has been added.
Users of mesa are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.116. microcode_ctl

Updated microcode_ctl packages that fix one bug and add one enhancement are now available for Red Hat Enterprise Linux 6.
The microcode_ctl packages provide utility code and microcode data to assist the kernel in updating the CPU microcode at system boot time. This microcode supports all current x86-based, Intel 64-based, and AMD64-based CPU models. It takes advantage of the mechanism built-in to Linux that allows microcode to be updated after system boot. When loaded, the updated microcode corrects the behavior of various processors, as described in processor specification updates issued by Intel and AMD for those processors.

Bug Fix

BZ#1000317
Previously, the microcode_ctl utility did not detect if it was running in a virtual machine and attempted to install the CPU microcode updates. This behavior caused several errors to be returned in the kernel ring buffer. The underlying source code has been modified and microcode_ctl no longer tries to update the CPU microcode in the described scenario.

Enhancement

BZ#915957, BZ#1005606
The Intel CPU microcode file has been updated to version 20130906.
All users of microcode_ctl are advised to upgrade to these updated packages, which fix this bug and add this enhancement. Note: a system reboot is necessary for this update to take effect.

8.117. mobile-broadband-provider-info

Updated mobile-broadband-provider-info packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The mobile-broadband-provider-info packages contain listings of mobile broadband (3G) providers, associated network, and plan information.

Bug Fix

BZ#844288
Previously, in the serviceproviders.xml file located in the /usr/share/mobile-broadband-provider-info/ directory, "internet.saunalahti" was incorrectly specified as an APN (Access Point Name) value for the Sonera provider. This prevented the Sonera mobile broadband configuration from working. The stanza containing "internet.saunalahti" as an APN value for Sonera has been removed from the XML file, and the Sonera mobile broadband configuration now works as expected.
Users of mobile-broadband-provider-info are advised to upgrade to these updated packages, which fix this bug.

8.118. mod_auth_kerb

Updated mod_auth_kerb packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The mod_auth_kerb package provides a module for the Apache HTTP Server designed to provide Kerberos authentication over HTTP. The module supports the Negotiate authentication method, which performs full Kerberos authentication based on ticket exchanges.

Bug Fix

BZ#867153
Previously, when the KrbLocalUserMapping directive was enabled, mod_auth_kerb did not translate a principal name properly if the local name was of a higher length. Consequently, the Apache server returned the HTTP 500 error in such a scenario. A patch has been provided to address this issue and the module now correctly translates account names longer than their counterpart principal names.
Users of mod_auth_kerb are advised to upgrade to these updated packages, which fix this bug.

8.119. ModemManager

Updated ModemManager packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The ModemManager packages provide a consistent application programming interface (API) to operate a wide variety of modems, including mobile broadband (3G) devices.

Bug Fix

BZ#883079
Previously, some broadband devices were not covered by the "udev" rules in the /lib/udev/rules.d/77-mm-*.rules files. As a consequence, the broadband connection was either not established at all, or failed after communicating a few packets. Additional "udev" rules have been included to ensure that ModemManager uses the correct serial port. As a result, more broadband devices, such as ZTE, LG, and Sierra Wireless modems, are now supported.
Users of ModemManager are advised to upgrade to these updated packages, which fix this bug.

8.120. mysql

Updated mysql packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries.

Bug Fixes

BZ#842052
Prior to this update, the mysqld daemon worked with uninitialized memory when accessing non-nullable GEOMETRY types. Consequently, mysqld could terminate unexpectedly when the mysqldump utility was running. With this update, mysqld initializes memory properly and thus no longer crashes in this scenario.
BZ#877557
Previously, the mysqldump utility expected log tables to be created on the MySQL 5.0.x server, from which it retrieved data. Consequently, mysqldump could not dump the MySQL system table. With this update, mysqldump no longer expects log tables to be created, and it is now able to dump the system table in the described scenario as expected.
BZ#884651
Prior to this update, the mysqld init script did not correctly verify the status of the mysqld daemon. Consequently, the script could return an error message even when the daemon had successfully started. The mysqld init script has been fixed, and it now checks the daemon status properly.
BZ#904061
Previously, the mysql-server sub-packages did not contain the logrotate script. Consequently, the log rotation had to be configured manually. With this update, the logrotate script has been provided by the mysql-server sub-packages, and users can use the script to log into the mysqld.log file by uncommenting appropriate lines in the script.
Users of mysql are advised to upgrade to these updated packages, which fix these bugs. After installing this update, the MySQL server daemon (mysqld) will be restarted automatically.

8.121. net-snmp

Updated net-snmp packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
The net-snmp packages provide a generic client library, a suite of command-line tools, an extensible SNMP agent, Perl modules, and Python modules to use and deploy the Simple Network Management Protocol (SNMP).

Bug Fixes

BZ#893119
Previously, snmpd, the SNMP daemon, did not check for errors when populating data for the UCD-SNMP-MIB::extTable table and could leak memory when the system ran out of memory. This bug has been fixed and snmpd now checks for out-of-memory conditions and frees the memory for the UCD-SNMP-MIB::extTable table when it encounters an error.
BZ#907571
Previously, the snmp_config(5) manual page was not clear about which files were looked for and the reader could get the incorrect impression that any file with a suffix "conf" or "local.conf" could be used as an snmp configuration file. In this update, the snmp_config(5) manual page has been modified to precisely specify which files are used as snmp configuration files.
BZ#919259
In a previous update, the snmpd daemon was fixed to show the executable name and all the command-line arguments in the UCD-SNMP-MIB::extCommand OID string. The fix did not check for executables without command-line arguments. Consequently, the snmpd daemon terminated unexpectedly with a segmentation fault when retrieving the value of the UCD-SNMP-MIB::extCommand OID of an executable with no arguments. With this update, snmpd now checks if there are no arguments and shows the correct value of the UCD-SNMP-MIB::extCommand OID. As a result, crashes no longer occur in the described scenario.
BZ#919952
In previous net-snmp package updates, the HOST-RESOURCES-MIB::hrSWRunTable table was rewritten, and, due to a regression, it did not report the "hrSWRunPath" string of kernel threads. This update fixes the HOST-RESOURCES-MIB::hrSWRunPath string of kernel threads, and it is now reported by the snmpd daemon.
BZ#922691
When the "includeAllDisks" configuration option was specified in the /etc/snmp/snmpd.conf file, the snmpd daemon scanned the running system only at startup and did not update the UCD-SNMP-MIB::dskTable table if a new device was mounted later. As a consequence, on dynamic systems where devices are frequently mounted and unmounted, UCD-SNMP-MIB::dskTable could not be used to monitor storage usage, because it monitored only devices which were available at system start. To fix this bug, the implementation of UCD-SNMP-MIB::dskTable was enhanced to dynamically add new devices as they are mounted. This happens only when the "includeAllDisks" configuration option is used in /etc/snmp/snmpd.conf. As a result, in dynamic systems where devices are frequently mounted and unmounted, UCD-SNMP-MIB::dskTable always shows the current list of mounted devices.
BZ#927474
Previously, snmpd, the SNMP daemon, did not set a proper message size when communicating with the Linux kernel using a netlink socket. As a consequence, the message "netlink: 12 bytes leftover after parsing attributes." was saved to the kernel log. With this update, snmpd sets a correct message size and the kernel no longer logs the aforementioned message.
BZ#947973
In previous Net-SNMP releases, snmpd reported an invalid speed of network interfaces in IF-MIB::ifTable and IF-MIB::ifXTable tables if the interface had a speed other than 10, 100, 1000 or 2500 MB/s. Thus, the returned net-snmp ifHighSpeed value was "0" compared to the correct speed as reported in ethtool, if the Virtual Connect speed was set to, for example, 0.9 Gb/s. With this update, the ifHighSpeed value returns the correct speed as reported in the ethtool utility, and snmpd correctly reports non-standard network interface speeds.
BZ#953926
Net-SNMP did not verify if incoming SNMP messages were encoded properly. In some instances, it read past the receiving buffer size when parsing a message with an invalid size of an integer field in the message. This caused snmptrapd, the SNMP trap processing daemon, to terminate unexpectedly with a segmentation fault on the incoming malformed message. This update enhances the checks of incoming messages and snmptrapd no longer crashes when parsing incoming messages with invalid integer sizes.
BZ#955771
Previously, the Net-SNMP Python module did not propagate various errors to applications which use this module. As a consequence, the applications were not aware of errors that had occurred during the SNMP communication. To fix this bug, the Net-SNMP Python module has been updated to return the proper error codes. As a result, the applications now receive information about SNMP errors.
BZ#960568
In previous releases, the snmp-bridge-mib subagent included the bridge itself as a port of the bridge in the BRIDGE-MIB::dot1dBasePortTable table. This bug has been fixed and the snmp-bridge-mib subagent now reports only real interfaces as ports in the BRIDGE-MIB::dot1dBasePortTable table.
BZ#968898
Previously, the snmpd daemon did not properly terminate strings when processing the "agentaddress" configuration option. As a consequence, when the configuration was re-read multiple times using the SIGHUP signal, a buffer overflow occurred. This bug has been fixed and snmpd now properly terminates strings when processing "agentaddress" and no longer crashes when the configuration is re-read using the SIGHUP signal.
BZ#983116
The previous Net-SNMP update contained a fix to improve the checking of invalid incoming SNMP messages. This fix introduced a regression and some valid SNMP messages with multiple variables inside were marked as invalid. As a consequence, Net-SNMP tools and servers rejected valid SNMP messages and waited for a "proper" response until timeout. With this update, valid SNMP messages are no longer rejected. As a result, the servers and utilities accept the first incoming message and do not wait for a timeout.
BZ#989498, BZ#1006706
In the previous Net-SNMP updates, the implementation of the HOST-RESOURCES-MIB::hrStorageTable table was rewritten and devices with Virtuozzo File System (VZFS) and B-tree File System (BTRFS) were not reported. After this update, snmpd properly recognizes devices using VZFS and BTRFS file systems and reports them in HOST-RESOURCES-MIB::hrStorageTable.
BZ#991213
Previously, the snmpd daemon incorrectly parsed Sendmail configuration files with enabled queue groups. Consequently, snmpd entered a loop on startup. This update fixes the parsing of configuration files with queue groups and snmpd no longer enters a loop on startup.
BZ#1001830
Previously, the Net-SNMP utilities and daemons blindly expected that the MD5 hash algorithm and DES encryption were available in the system's OpenSSL libraries and did not check for errors when using these cryptographic functions. As a consequence, the Net-SNMP utilities and daemons terminated unexpectedly when attempting to use the MD5 or DES algorithms, which are not available when the system is running in FIPS mode. The Net-SNMP utilities and daemons now check for cryptographic function error codes and display the following error message:
Error: could not generate the authentication key from the supplied pass phrase
As a result, the aforementioned utilities and daemons no longer crash in FIPS mode.
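
The length check described in BZ#953926, together with the multi-variable case from BZ#983116, sketched as an added example (this is not Net-SNMP's own code): a minimal BER INTEGER parser that rejects a declared size larger than the bytes actually received, yet still accepts several integers back to back. The function names, the short-form-only length handling and the sample byte strings are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BER_INTEGER 0x02  /* ASN.1 universal tag for INTEGER */

/*
 * Parse one BER INTEGER from buf[0..len).
 * Returns the number of bytes consumed, or 0 if the element is malformed.
 * Hypothetical helper: only short-form lengths and values up to 32 bits.
 */
static size_t parse_ber_integer(const uint8_t *buf, size_t len, int32_t *out)
{
    size_t vlen, i;
    uint32_t v;

    if (len < 2 || buf[0] != BER_INTEGER)
        return 0;                      /* no room for tag + length octet */

    vlen = buf[1];
    if (vlen & 0x80)
        return 0;                      /* long-form length: out of scope here */
    if (vlen == 0 || vlen > sizeof(int32_t))
        return 0;                      /* empty or wider than the target type */
    if (vlen > len - 2)
        return 0;                      /* declared size exceeds received bytes */

    /* Sign-extend from the first content octet, then shift in the rest. */
    v = (buf[2] & 0x80) ? 0xFFFFFFFFu : 0u;
    for (i = 0; i < vlen; i++)
        v = (v << 8) | buf[2 + i];

    *out = (int32_t)v;
    return 2 + vlen;
}

/*
 * Parse consecutive INTEGERs until the buffer is exhausted.
 * Each element is checked against the bytes that remain after the
 * previous one, so a valid sequence of several values is accepted.
 * Returns the number of values stored, or -1 on any malformed element.
 */
static int parse_integer_list(const uint8_t *buf, size_t len,
                              int32_t *vals, size_t max_vals)
{
    size_t off = 0, n = 0;

    while (off < len) {
        size_t used;

        if (n == max_vals)
            return -1;                 /* more elements than the caller allows */
        used = parse_ber_integer(buf + off, len - off, &vals[n]);
        if (used == 0)
            return -1;
        off += used;
        n++;
    }
    return (int)n;
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    const uint8_t two_values[] = { 0x02, 0x01, 0x05, 0x02, 0x02, 0x01, 0x00 };
    const uint8_t bad_size[]   = { 0x02, 0x04, 0x01 };  /* claims 4, has 1 */
    int32_t vals[4];

    printf("two_values -> %d\n",
           parse_integer_list(two_values, sizeof two_values, vals, 4));
    printf("bad_size   -> %d\n",
           parse_integer_list(bad_size, sizeof bad_size, vals, 4));
    return 0;
}
```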

Enhancements

BZ#917816
After this update, all net-snmp configuration files can use the "includeFile" and "includeDir" options to include other configuration files or whole directories of configuration files. Detailed syntax and usage is described in the snmp_config(5) manual page.
BZ#919239
Previously, the Net-SNMP application was shipping its configuration files, which could contain sensitive information like passwords, readable to any user on the system. After this update, the configuration files are readable only by the root user.
Users of net-snmp are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.122. netcf

Updated netcf packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The netcf packages contain a library for modifying the network configuration of a system. Network configuration is expressed in a platform-independent XML format, which netcf translates into changes to the system's "native" network configuration files.

Bug Fixes

BZ#844578
When using the "virsh iface-start" or "ncftool ifup" command to start a disconnected interface configured to use a DHCP server, the netcf library reported a failure. However, the subsequent list of all interfaces showed the interface as "active". After this update, netcf only reports "active" interface status when the interface is marked both "UP" and "RUNNING" by the "ifconfig" utility and if any attempt to start the interface was successful.
BZ#848722
Previously, attempts to define an interface with a netmask higher than 24 bits failed. This bug has been fixed and it is now possible to define interfaces with netmasks of up to 30 bits.
Users of netcf are advised to upgrade to these updated packages, which fix these bugs.

8.123. NetworkManager

Updated NetworkManager packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
NetworkManager is a system network service that manages network devices and connections, attempting to keep network connectivity active when available. It manages Ethernet, Wi-Fi, mobile broadband (WWAN), and PPPoE (Point-to-Point Protocol over Ethernet) devices, and provides integration with a variety of VPN services.

Bug Fixes

BZ#922558
Previously, NetworkManager did not explicitly request static routes from DHCP (Dynamic Host Configuration Protocol) servers, and thus some servers would not deliver those routes. With this update, NetworkManager now requests static routes from DHCP servers when available.
BZ#701381
Previously, it was impossible for some users to check the Enable Wireless box in NetworkManager as the field was unresponsive. Moreover, the Enable Wireless connection option was unavailable in NetworkManager after hardware was disabled and enabled again. With this update, users can turn on the wireless connection from the GUI after their hardware is reenabled.
BZ#1008884
When running the NetworkManager applet in some Virtual Machine (VM) configurations, left-clicking on the icon could cause the applet to terminate unexpectedly. This bug has been fixed and the applet no longer crashes in these configurations.
BZ#923648
Previously, bridge and bond connections created through the NetworkManager connection editor (nm-connection-editor) were not set to connect automatically, and thus had to be manually started. With this update, by default, these connections start automatically when created.
BZ#896198
A GATEWAY setting in the /etc/sysconfig/network file caused NetworkManager to assign that GATEWAY to all interfaces with static IP addresses. This scenario took place even if no GATEWAY or a different one was specified for these addresses. To fix this bug, if GATEWAY is given in /etc/sysconfig/network, only configurations with a matching gateway address will be given the default route. Alternatively, the DEFROUTE=yes/no option may be used in individual configuration files to allow or deny the default route on a per-configuration basis.
BZ#836993
Previously, when using the vpnc program via NetworkManager with a token out of synchronization, the server prompted for the next token. However, NetworkManager misinterpreted this response and reported a failed connection. With this update, a new prompt for the next token code has been added to the NetworkManager-vpnc utility, thus fixing the bug.
BZ#991341
Prior to this update, on receipt of an IPv6 Router Advertisement, NetworkManager attempted to replace the IPv6 default route which the kernel had added. Consequently, the kernel returned the following failure message:
'ICMPv6 RA: ndisc_router_discovery() failed to add default route.'
To fix this bug, NetworkManager no longer replaces an IPv6 default route added by the kernel.
BZ#758076
Previously, it was not possible to choose a Certificate Authority (CA) certificate via the "Choose certificate" dialog window in nm-connection-editor. This was confusing for the user. The dialog checkbox information has been replaced with a more informative text, thus fixing the bug.
BZ#919242
Previously, when NetworkManager was not allowed to manage bridge, bond, or VLAN interfaces due to the missing M_BOND_BRIDGE_VLAN_ENABLED option in the /etc/sysconfig/network file, the NetworkManager connection editor (nm-connection-editor) still allowed the user to create these types of network connections. The editor now warns the user when unusable connections have been created, thus fixing the bug.
BZ#915480
Previously, the NetworkManager GUI applet (nm-applet) did not show bridge, bond, or VLAN interfaces in the menu. With this update, the nm-applet has been enhanced to show all available bond, bridge, and VLAN interfaces that are configured but not yet created.
BZ#905532
Due to some missing ignored options for bonding interfaces, the /sys/class/net/bond0/bonding/primary file was empty during installation. In addition, the network traffic went through eth0 during installation. This bug has been fixed and NetworkManager now supports a much larger set of bond interface options.
BZ#953076
Previously, in some cases, NetworkManager was unable to set the mode of a bond master interface. A patch has been provided to fix this bug and the mode setting now changes according to nm-editor alterations.
BZ#953123
Previously, the NetworkManager connection editor (nm-connection-editor) did not allow setting the cloned MAC address for VLAN interfaces. A patch has been provided to fix this bug and nm-connection-editor now works as expected.
BZ#969363
Prior to this update, the manual page of nm-online did not describe the correct usage of nm-online parameters, such as the -t option. The manual page has been updated to describe the usage of its parameters correctly.
BZ#973245
Previously, NetworkManager wrote and saved only connection types compatible with standard ifcfg network configuration files. This bug has been fixed and other connection types, such as Bluetooth and WWAN, can now be saved as keyfiles in the /etc/NetworkManager/system-connections/ directory.
BZ#902372
Previously, when taking control of an existing bridge, NetworkManager did not ensure a clean bridge state. With this update, NetworkManager resets bridge options and removes all bridge ports, which ensures clean bridge state on start-up with bridging support enabled.
BZ#867273
After configuring the IP-over-InfiniBand (IPoIB) profile on a machine with an InfiniBand (IB) device, the profile was not connected. This bug has been fixed and IP-over-InfiniBand (IPoIB) network configurations are now listed in the network applet menu.
BZ#713975
After changing the authentication or inner authentication drop-down menus in the configuration for a new wireless network connection, the "Ask for this password every time" checkbox kept resetting. To fix this bug, the updated NetworkManager GUI applet saves the value of the checkbox when connecting to WPA Enterprise networks.
BZ#906133
Prior to this update, an Ad-Hoc WiFi network failed to start when its BSSID (Basic Service Set Identifier) was specified, due to kernel restrictions. To fix this bug, the NetworkManager connection editor (nm-connection-editor) disallows setting the BSSID for Ad-Hoc WiFi connections, since this value is automatically chosen by the kernel.

Enhancements

BZ#602265
With this update, NetworkManager has been enhanced to support the creation and management of Point-to-point Protocol over Ethernet (PPPoE) based connections. NetworkManager now waits a short period of time before reconnecting a PPPoE connection to ensure the peer is ready.
BZ#694789
A new GATEWAY_PING_TIMEOUT configuration option has been added. This new option ensures that NetworkManager waits for a successful ping of the gateway before indicating network connectivity.
BZ#990310
NetworkManager now reads ifcfg alias files and assigns the addresses in them to their master interface, using the alias name as the address label.
BZ#564467, BZ#564465
Manual pages for nm-connection-editor and nm-applet utilities have been created.
Users of NetworkManager are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.124. nfs-utils

Updated nfs-utils packages that fix several bugs and add various enhancements are now available.
The nfs-utils packages provide a daemon for the kernel Network File System (NFS) server and related tools such as mount.nfs, umount.nfs, and showmount.

Bug Fixes

BZ#889272
When the "Background", "Foreground" or "timeo" options were set in multiple sections of the nfsmount.conf configuration file, each of those options was incorrectly present in the resulting parsed values. This update changes this behavior so that the first instance of either option overrides any previous ones.
In addition, configuration file options could have been incorrectly passed to the mount syscall from sections that were not relevant to the options that were being performed. The parser has been made more strict so that each option can appear at most four times: once for the system section, once for the server-specific section, once for the mount-specific section, and once for the command line mount options.
BZ#890146
Prior to this update, running the "nfsstat -s -o rpc" command produced output with incorrect labels in a table header. With this update, the underlying source code has been adapted to make sure that all columns now have the correct name.
BZ#892235
Starting the nfs service resulted in the following output:
Stopping RPC idmapd:               [ OK ]
Starting RPC idmapd:               [ OK ]
Although the sequence of events of having to first stop and then start the RPC idmapd service was previously necessary, the current init scripts do not require this behavior. This has been corrected so that starting the nfs service now simply results in a single "Starting RPC idmapd" status display.
BZ#950324
When running sm-notify, specifying the "-v <ip_address>" or "-v <hostname>" option did not work correctly after the nfs-utils packages were updated to version 1.2.2, which was the first version that included support for IPv6. This update corrects the address handling logic so that specifying a hostname, IPv4 or IPv6 IP address with the '-v' option works as expected.
BZ#952560
The nfs(5) manual page contained incorrect information about the "retrans=n" option, which specifies the number of times an NFS client will retry a request before it attempts a further recovery action. This information has been corrected and now specifies the number of attempts by protocol type. The man page correction for the "retrans=n" option is:
The number of times the NFS client retries a request before it attempts further recovery action. If the retrans option is not specified, the NFS client tries each request three times with mounts using UDP and two times with mounts using TCP.
Users of nfs-utils are advised to upgrade to these updated packages, which fix these bugs and add various enhancements.

8.125. nmap

Updated nmap packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The nmap packages provide a network exploration utility and a security scanner.

Bug Fixes

BZ#729045
Previously, the debuginfo file for the ncat utility was missing in the nmap debuginfo package. Consequently, debugging and analysis of unexpected terminations could not be done properly. This update ensures the missing file is present in the package, thus fixing this bug.
BZ#826601
In a previous version, the ncat utility failed to write its session data to an output file when the used protocol was UDP. This update provides a patch, which ensures that the data are properly written in the described scenario, thus fixing this bug.
Users of nmap are advised to upgrade to these updated packages, which fix these bugs.

8.126. nss and nspr

Updated nss and nspr packages that fix a number of bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

Upgrade to an upstream version

The nss family of packages, consisting of nss, nss-softokn, and nss-util, has been upgraded to the higher upstream versions, which provide a number of bug fixes and enhancements over the previous versions:
  • The nss package has been upgraded to the upstream version 3.15.1. (BZ#918950, BZ#1002645)
  • The nss-softokn package has been upgraded to the upstream version 3.14.3 (BZ#919172)
  • The nss-util package has been upgraded to the upstream version 3.15.1 (BZ#919174, BZ#1002644)
The nspr package has been upgraded to upstream version 4.10, which provides a number of bug fixes and enhancements over the previous version. (BZ#919180, BZ#1002643)

Bug Fixes

BZ#702083
The PEM module imposed restrictions on client applications to use unique base file names upon which certificates were derived. Consequently, client application certificates and keys with the same base name but different file paths failed to load because they were incorrectly deemed to be duplicates. The comparison algorithm has been modified and the PEM module now correctly determines uniqueness regardless of how users name their files.
BZ#882408
Due to differences in the upstream version of the nss package, an attempt to enable the unsupported SSL PKCS#11 bypass feature failed with a fatal error message. This behavior could break the semantics of certain calls, thus breaking the Application Binary Interface (ABI) compatibility. With this update, the nss package has been modified to preserve the upstream behavior. As a result, an attempt to enable SSL PKCS#11 bypass no longer fails.
BZ#903017
Previously, there was a race condition in the certification code related to smart cards. Consequently, when Common Access Card (CAC) or Personal Identity Verification (PIV) smart card certificates were viewed in the Firefox certificate manager, the Firefox web browser became unresponsive. The underlying source code has been modified to fix the race condition and Firefox no longer hangs in the described scenario.
BZ#905013
Due to errors in the Netscape Portable Runtime (NSPR) code responsible for thread synchronization, memory corruption sometimes occurred. Consequently, the web server daemon (httpd) sometimes terminated unexpectedly with a segmentation fault after making more than 1023 calls to the NSPR library. With this update, an improvement to the way NSPR frees previously allocated memory has been made and httpd no longer crashes in the described scenario.
BZ#918136
With the 3.14 upstream version of the nss package, support for certificate signatures using the MD5 hash algorithm in digital signatures has been disabled by default. However, certain websites still use MD5-based signatures and therefore an attempt to access such a website failed with an error. With this update, MD5 hash algorithm in digital signatures is supported again so that users can connect to the websites using this algorithm as expected.
BZ#976572
With this update, fixes to the implementation of Galois/Counter Mode (GCM) have been backported to the nss package since the upstream version 3.14.1. As a result, users can use GCM without any problems already documented and fixed in the upstream version.
BZ#977341
Previously, the output of the certutil -H command, which is a list of options and arguments used by the certutil utility, did not describe the -F option. This information has been added and the option is now properly described in the output of certutil -H.
BZ#988083
Previously, the pkcs11n.h header was missing certain constants to support the Transport Layer Security (TLS) 1.2 protocol. The constants have been added to the nss-util package and NSS now supports TLS 1.2 as expected.
BZ#990631
Previously, Network Security Services (NSS) reverted the permission rights for the pkcs11.txt file so that only the owner of the file could read it and write to it. This behavior overwrote other permissions specified by the user. Consequently, users were prevented from adding security modules to their own configuration using the system-wide security databases. This update provides a patch to fix this bug. As a result, NSS preserves the existing permissions for pkcs11.txt and users are now able to modify the NSS security module database.
BZ#1008534
Due to a bug in Network Security Services (NSS), the installation of the IPA (Identity, Policy, Audit) server terminated unexpectedly and an error was returned. This bug has been fixed with this update and installation of the IPA server now proceeds as expected.
BZ#1010224
The NSS softoken cryptographic module did not ensure whether the freebl library had been properly initialized before running its self test. Consequently, certain clients, such as the Lightweight Directory Access Protocol (LDAP) client, could initialize and finalize NSS. In such a case, freebl was cleaned up and unloaded. When the library was loaded again, an attempt to run the test terminated unexpectedly causing client failures such as Transport Layer Security (TLS) connection errors. This bug has been fixed and softoken now correctly initializes freebl before running self tests. As a result, the failures no longer occur in the described scenario.

Enhancements

BZ#960193, BZ#960208
The internal cryptographic module of Network Security Services (NSS) in Red Hat Enterprise Linux 6.5 now supports the NIST Suite B set of recommended algorithms for Elliptic curve cryptography (ECC).
Users of nss and nspr are advised to upgrade to these updated packages, which fix these bugs and add these enhancements. After installing this update, applications using NSS or NSPR must be restarted for this update to take effect.

8.127. ntp

Updated ntp packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Network Time Protocol (NTP) is used to synchronize a computer's time with another reference time source. The ntp packages include the ntpd daemon and utilities used to query and configure ntpd.

Upgrade to an upstream version

The ntp packages have been upgraded to upstream version 4.2.6p5, which provides a number of bug fixes and enhancements over the previous version. (BZ#654004)

Bug Fixes

BZ#673198
The ntpdate service did not wait for the NetworkManager service to configure the network before attempting to obtain the date and time update from the Internet. Consequently, ntpdate failed to set the system clock if the network was not configured. With this update, ntpdate attempts to obtain updates from the Internet in several increasing intervals if the initial attempt fails. The system clock is now set even when NetworkManager takes a longer period of time to configure the network.
BZ#749530
The ntp-keygen utility always used the DES-CBC (Data Encryption Standard-Cipher Block Chaining) encryption algorithm to encrypt private NTP keys. However, DES-CBC is not supported in FIPS mode. Therefore, ntp-keygen generated empty private keys when it was used on systems with FIPS mode enabled. To solve this problem, a new "-C" option has been added to ntp-keygen that allows for selection of an encryption algorithm for private key files. Private NTP keys are now generated as expected on systems with FIPS mode enabled.
BZ#830821
The ntpstat utility did not include the root delay in the "time correct to within" value so the real maximum errors could have been larger than values reported by ntpstat. The ntpstat utility has been fixed to include the root delay as expected and the "time correct to within" values displayed by the utility are now correct.
BZ#862983
When adding NTP servers that were provided by DHCP (using dhclient-script) to the ntp.conf file, the ntp script did not verify whether ntp.conf already contained these servers. This could result in duplicate NTP server entries in the configuration file. This update modifies the ntp script so that duplicate NTP server entries can no longer occur in the ntp.conf file.
BZ#973807
When ntpd was configured as a broadcast client, it did not update the broadcast socket upon change of the network configuration. Consequently, the broadcast client stopped working after the network service had been restarted. This update modifies ntpd to update the broadcast client socket after network interface update so the client continues working after the network service restart as expected.

Enhancements

BZ#623616, BZ#667524
NTP now specifies four off-site NTP servers with the iburst configuration option in the default ntp.conf file, which results in faster initial time synchronization and improved reliability of the NTP service.
BZ#641800
Support for authentication using SHA1 symmetric keys has been added to NTP. SHA1 keys can be generated by the ntp-keygen utility and configured in the /etc/ntp/keys file on the client and server machines.
BZ#835155
Support for signed responses has been added to NTP. This is required when using Samba 4 as an Active Directory (AD) Domain Controller (DC).
BZ#918275
A new miscellaneous ntpd option, "interface", has been added. This option allows control of which network addresses ntpd opens and whether to drop incoming packets without processing or not. For more information on use of the "interface" option, refer to the ntp_misc(5) man page.
Users of ntp are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.128. numactl

Updated numactl packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The numactl packages provide a simple Non-Uniform Memory Access (NUMA) policy support and consist of the numactl program to run other programs with a specific NUMA policy and the libnuma library to do allocations in applications using the NUMA policy.

Bug Fixes

BZ#881779
Prior to this update, the "localalloc" option was not described clearly in the numactl(8) manual page, which could cause confusion. This update adds a clear description of "localalloc" to the numactl(8) manual page.
BZ#987507
Due to a bug in the numastat utility source code, output of the "numastat -m" command reported incorrect values of the amount of allocated static huge page memory. A patch has been applied to address this bug, and numastat now calculates huge page sizes properly.
Users of numactl are advised to upgrade to these updated packages, which fix these bugs.

8.129. numad

Updated numad packages that fix two bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
The numad packages provide a daemon for NUMA (Non-Uniform Memory Architecture) systems that monitors NUMA characteristics and manages placement of processes and memory to minimize memory latency. The packages also provide an interface that can be used to query the numad daemon for the best manual placement of an application.

Bug Fixes

BZ#987563
When all CPUs were busy, the numad daemon was too reluctant to balance processes across nodes even though it would have resulted in significantly better application and system performance. With this update, numad is more aggressive about moving processes even when all CPUs are busy. As a result, overall system performance has improved significantly.
BZ#987559
Previously, it was not possible to set the system's hugepage "scan_sleep_millisecs" parameter. As a consequence, NUMA performance was damaged when process memory was migrated across nodes. The underlying code has been changed to accept the new "-H" option to specify "scan_sleep_millisecs", thus fixing the bug. The user can now set the value to fine-tune numad's performance.

Enhancement

BZ#913546
A configuration file for the logrotate tool has been added to be fully supported by Red Hat Enterprise Linux 6.
All users of numad are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

8.130. opencryptoki

Updated opencryptoki packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The opencryptoki packages contain version 2.11 of the PKCS#11 API, implemented for IBM Cryptocards. This package includes support for the IBM 4758 Cryptographic CoProcessor (with the PKCS#11 firmware loaded), the IBM eServer Cryptographic Accelerator (FC 4960 on IBM eServer System p), the IBM Crypto Express2 (FC 0863 or FC 0870 on IBM System z), and the IBM CP Assist for Cryptographic Function (FC 3863 on IBM System z).

Upgrade to an upstream version

The opencryptoki package has been upgraded to upstream version 2.4.3.1, which, compared to the previous version, provides support for the SHA-2 hash algorithms in the ICA token and adds fixes for the SHA-2-based certificates in the CCA token. (BZ#948349)
Users of opencryptoki are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.131. opencv

Updated opencv packages that fix one bug are now available for Red Hat Enterprise Linux 6.
OpenCV is the open source computer vision library. It is a collection of C functions and C++ classes that implement Image Processing and Computer Vision algorithms.

Bug Fix

BZ#658060
The OpenCVConfig.cmake file had different contents on 32-bit and 64-bit architecture and was installed under the /usr/share directory. Consequently, the opencv-devel package could not be installed in a multilib environment. With this update, the OpenCVConfig.cmake file has been moved to the /usr/lib(64) directory and the opencv-devel package can now be installed in a multilib environment.
Users of opencv are advised to upgrade to these updated packages, which fix this bug.

8.132. openhpi

Updated openhpi packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
OpenHPI provides an open source implementation of the Service Availability Forum (SAF) Hardware Platform Interface (HPI). HPI is an abstracted interface for managing computer hardware, typically chassis- and rack-based servers. HPI includes resource modeling; access to and control over sensor, control, watchdog, and inventory data associated with resources; abstracted System Event Log interfaces; hardware events and alarms; and a managed hot swap interface.

Bug Fixes

BZ#891626
Due to a bug in the power_supply() parsing routines, some returned strings could contain incorrectly displayed characters. Consequently, retrieving a serial or part number of a power supply unit (PSU) via the OpenHPI API resulted in strings containing these characters. This update ensures that proper serial and part numbers are returned for PSUs and the returned strings now only contain valid characters.
BZ#924852
Previously, code supporting certain RDR (Request Data with Reply) sensors was missing in OpenHPI. Consequently, after the extraction and reinsertion of an enclosure monitored via the Onboard Administrator (OA) SOAP plug-in, the following error messages were returned to the log file:
openhpid: ERROR: (oa_soap_sensor.c, 2005, RDR not present)
openhpid: ERROR: (oa_soap_fan_event.c, 279, processing the sensor event for sensor 24 has failed)
This bug has been fixed and no error messages are now logged after a component is extracted and reinserted.
BZ#948386
Under certain conditions, when an OA switch-over took place while OpenHPI was used with the Onboard Administrator (OA) SOAP plug-in, HPI clients became unresponsive or the openhpi daemon failed to connect to the new active OA. Consequently, clients were unable to retrieve events and data. A series of patches has been provided to better account for OA failover situations, thus fixing this bug.
BZ#953515
Prior to this update, support for certain blade servers was missing in OpenHPI. Consequently, the OpenHPI daemon terminated unexpectedly with a segmentation fault at startup on these servers. A patch has been provided to add the missing support and the OpenHPI daemon no longer crashes in the described scenario.
BZ#953525
Due to missing support for certain thermal sensors, the getBladeInfo() function could terminate unexpectedly, causing the whole discovery process to fail. This update adds the support for these sensors and OpenHPI discovery now works as expected.
Users of openhpi are advised to upgrade to these updated packages, which fix these bugs.

8.133. openscap

Updated openscap packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The openscap packages provide OpenSCAP, which is a set of open source libraries for the integration of the Security Content Automation Protocol (SCAP). SCAP is a line of standards that provide a standard language for the expression of Computer Network Defense (CND) related information.

Upgrade to an upstream version

The openscap packages have been upgraded to upstream version 0.9.12, which provides a number of bug fixes and enhancements over the previous version. This update adds support for the National Institute of Standards and Technology's (NIST) SCAP 1.2 standard, so that all content, such as the following, is correctly supported: the Red Hat Enterprise Linux 5 Security Technical Implementation Guide (STIG), the United States Government Configuration Baseline (USGCB), and Red Hat Security Advisory content. (BZ#956763)

Bug Fix

BZ#999903
Previously, the oscap utility did not properly handle the process of object evaluation while querying the RPM database (RPMDB). RPMDB iterators created upon the query were not correctly removed if the process was aborted, which led to RPMDB corruption. With this update, the created RPMDB iterators are now removed correctly and process abortion no longer causes RPMDB corruption.
Users of openscap are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.134. openssh

Updated openssh packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE link(s) associated with each description below.
OpenSSH is OpenBSD's Secure Shell (SSH) protocol implementation. These packages include the core files necessary for the OpenSSH client and server.

Security Fix

CVE-2010-5107
The default OpenSSH configuration made it easy for remote attackers to exhaust unauthorized connection slots and prevent other users from being able to log in to a system. This flaw has been addressed by enabling random early connection drops by setting MaxStartups to 10:30:100 by default. For more information, refer to the sshd_config(5) man page.
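The following added example (not part of the original Technical Notes or of OpenSSH) models the start:rate:full semantics of MaxStartups as sshd_config(5) describes them, to show what the new default changes. The function names and the single-number comparison value "10" are assumptions chosen for illustration.

```python
# Added example: models the MaxStartups "start:rate:full" semantics from
# sshd_config(5). Function names and sample values are illustrative only.


def parse_max_startups(value):
    """Return (start, rate, full) for a MaxStartups value.

    A single number N is a hard limit: nothing is refused below N and
    everything is refused at N, modelled here as (N, 100, N).
    """
    fields = value.strip().split(":")
    if len(fields) not in (1, 3) or not all(f.isdigit() for f in fields):
        raise ValueError("expected N or start:rate:full, got %r" % value)
    if len(fields) == 1:
        return int(fields[0]), 100, int(fields[0])
    start, rate, full = (int(f) for f in fields)
    if start > full or not 1 <= rate <= 100:
        raise ValueError("need start <= full and 1 <= rate <= 100: %r" % value)
    return start, rate, full


def drop_percent(value, unauthenticated):
    """Percentage of new connections refused at a given number of
    concurrent unauthenticated connections."""
    start, rate, full = parse_max_startups(value)
    if unauthenticated < start:
        return 0
    if unauthenticated >= full or rate == 100:
        return 100
    # Linear ramp from `rate` at `start` up to 100 at `full`,
    # using integer arithmetic (rounded down).
    return rate + (100 - rate) * (unauthenticated - start) // (full - start)


def admitted_within(value, unauthenticated, attempts):
    """Chance that at least one of `attempts` retries is accepted,
    assuming the number of unauthenticated connections stays constant."""
    p_drop = drop_percent(value, unauthenticated) / 100.0
    return 1.0 - p_drop ** attempts


def curve(value, backlogs=(5, 10, 30, 55, 99, 100)):
    """Refusal percentage at several backlog sizes, as (backlog, percent)."""
    return [(n, drop_percent(value, n)) for n in backlogs]


if __name__ == "__main__":
    # "10" is a constructed hard-limit setting used for comparison;
    # "10:30:100" is the default named in the advisory text.
    for setting in ("10", "10:30:100"):
        print("MaxStartups %s" % setting)
        for n, pct in curve(setting):
            print("  %3d unauthenticated -> %3d%% refused, "
                  "%.3f chance to get in within 3 tries"
                  % (n, pct, admitted_within(setting, n, 3)))
```

With ten pending connections a hard limit of 10 refuses every new client, while 10:30:100 still admits about 70% of attempts, which is why random early drop keeps legitimate logins possible while slots are being held open.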

Bug Fixes

BZ#872169
Logging through the syslog utility requires an existing /dev/log socket, which is not available in all chroot environments based on the users' home directories. Previously, to work around this, a patch was applied to keep the syslog file descriptor open. However, the syslog library was changed and the heuristic used by the patch stopped working. As a consequence, the sftp commands were not logged in the chroot setup in the internal sftp subsystem. The patch has been adjusted to the new conditions and the sftp commands are now logged in the chroot setup in the internal sftp subsystem.
BZ#880575
Previously, when the user attempted to use their own unprotected private key, the ssh utility displayed the following message:
It is recommended that your private key files are NOT accessible by others.
The key was subsequently rejected, which could have led to confusion as the behavior was inconsistent with the message. With this update, the message has been changed to:
It is required that your private key files are NOT accessible by others.
BZ#896561
The ssh-agent utility was unable to open more connections and could become unresponsive due to a race condition. The race condition has been fixed and ssh-agent no longer hangs in this scenario.
BZ#954094
If the "bindpw" option contained double quotes, it was not correctly parsed by the ssh-ldap-helper parser, and ssh-ldap-helper failed to bind to an LDAP server. With this update, ssh-ldap-helper parses the LDAP configuration files correctly.
BZ#955792
Prior to this update, non-ASCII characters in banner messages were replaced by their octal representations in order to prevent terminal re-programming attacks. Consequently, banners containing UTF-8 strings were not correctly displayed in a client. With this update, banner messages are processed according to RFC 3454, control characters are removed, and banners containing UTF-8 strings are now displayed correctly.
BZ#974096
Previously, if the /tmp/ directory of the target user was polyinstantiated, no credentials cache was found on the remote machine after the Pluggable Authentication Module (PAM) session was initiated. As a consequence, Kerberos ticket forwarding did not work. With this update, the cache is re-created in a new /tmp/ directory after the PAM session is initiated, and Kerberos ticket forwarding now works as expected.
BZ#993509
Previously, if the sshd daemon was configured to force the internal SFTP session, the daemon was unable to properly handle requests for an interactive session. Consequently, sshd did not terminate SSH connections and SSH clients could become unresponsive. With this update, sshd has been modified to return an error message that the service allows SFTP connections only, and the SSH clients no longer hang in this scenario.

Enhancements

BZ#906872
This update adds support for certificate authentication of users and hosts using a new OpenSSH certificate format. Certificates contain a public key, identity information, and validity constraints, and are signed with a standard SSH public key using the ssh-keygen utility. Note that the version of ssh-keygen shipped with Red Hat Enterprise Linux 6 uses the "-Z" option for specifying the principals. For more information on this functionality, refer to the /usr/share/doc/openssh-5.3p1/PROTOCOL.certkeys file.
BZ#908038
This update adds support for PKCS#11 tokens. Now, OpenSSH clients are able to use smart cards for authentication.
BZ#951704
The KexAlgorithms configuration option has been added to client and server configuration in both the ssh utility and the sshd daemon. Specifying KexAlgorithms enables the user and the administrator to select key exchange methods and their order of preference.
BZ#969565
This update adds support for the SHA-2 Secure Hash Algorithm in the Hash-based Message Authentication Code (HMAC) to OpenSSH.
BZ#993577
The new Federal Information Processing Standard (FIPS) validation requires the random number generator (RNG) seed to have at least 112 bits of entropy instead of the previous 80 bits. Therefore, the minimum value of the SSH_USE_STRONG_RNG environment variable has been increased to 14.
BZ#1001565
The new Federal Information Processing Standard (FIPS) validation requires the Power On Self Test (POST) to run in all cases when the FIPS module is installed. With this update, the POST self test is run on the SSH client and the SSH server if the dracut-fips package has been installed.
All openssh users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.

8.135. openssl

Updated openssl packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The openssl packages provide a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Upgrade to an upstream version

The openssl packages have been upgraded to upstream version 1.0.1e, which provides a number of bug fixes and enhancements over the previous version, including support for multiple new cryptographic algorithms and support for the new versions (1.1, 1.2) of the transport layer security (TLS) protocol. This update adds the following ciphers needed for transparent encryption and authentication support in GlusterFS: Cipher-based MAC (CMAC), XEX Tweakable Block Cipher with Ciphertext Stealing (AES-XTS), and Galois Counter Mode (AES-GCM). The following new additional algorithms are now supported: ECDH, ECDSA, and AES-CCM. (BZ#924250)

Bug Fixes

BZ#830109
Previously, an incorrect variable size was passed to the getsockopt() function. As a consequence, using the BIO (OpenSSL I/O) layer in datagram mode caused termination with a segmentation fault. More specifically, the openssl s_client command terminated unexpectedly on IBM System z with the "-dtls1" option enabled. After this update, a correctly-sized variable is used, and the datagram BIO functions no longer terminate with a segmentation fault on System z.
BZ#919404
Prior to this update, the getaddrinfo() function returned an error that was handled incorrectly in the openssl s_server command implementation. Consequently, the OpenSSL s_server did not work on IPv4-only systems. With this update, when getaddrinfo() fails on IPv6 addresses, the code has been modified to fall back to the IPv4 address lookup. As a result, the openssl s_server now correctly starts up on a computer with only IPv4 addresses configured.

Enhancements

BZ#818446
The Intel RDRAND instruction is now used, when available, to generate random numbers and has replaced the default OpenSSL random number generator. The instruction is not used when OpenSSL runs in FIPS mode.
BZ#929291
The performance of OpenSSL on current IBM PowerPC processors has been improved.
BZ#951690
The Elliptic Curve Digital Signature Algorithm (ECDSA) and Elliptic Curve Diffie–Hellman (ECDH) algorithms are now enabled in OpenSSL. These algorithms support only elliptic curves listed in the National Institute of Standards and Technology (NIST) Suite B specification.
BZ#951701
The new "-trusted_first" option has been added to OpenSSL. This enables preferring locally stored intermediate certificates instead of the intermediate certificates sent by the TLS server.
BZ#969562
Versions 1.1 and 1.2 of the transport layer security (TLS) protocol are now supported by the OpenSSL library.
BZ#969564
With this update, the "%{_prefix}" macro is used instead of the hardcoded /usr/ directory in the openssl.spec file when configuring OpenSSL before building.
BZ#987411
The next protocol negotiation (NPN) extension of the TLS protocol is now supported by OpenSSL. This extension allows for negotiation of the application protocol, which is used by the application, during the TLS handshake.
BZ#993584, BZ#999867
Due to the FIPS validation requirements, the FIPS Power-on self-tests (POST) always have to run when the FIPS module is installed. For libraries, this is ensured by running the self-tests from the dynamic library constructor function. If the dracut-fips package is installed, OpenSSL now treats it as an indicator that the OpenSSL FIPS module is installed and complete, and the self-tests run whenever the OpenSSL dynamic library is loaded.
Users of openssl are advised to upgrade to these updated packages, which fix these bugs and add these enhancements. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

Updated openssl packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The openssl packages provide a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Bug Fixes

BZ#1025597
Previously, the OpenSSL code incorrectly used the RDRAND instruction when running on a Cyrix CPU, which does not support it. Consequently, applications that use the OpenSSL utility terminated unexpectedly on startup. The detection of CPU features on Cyrix CPUs has been fixed, and applications using OpenSSL no longer crash in the described scenario.
BZ#1025598
Prior to this update, the Transport Layer Security (TLS) client advertised support for some elliptic curves that it does not support. As a consequence, a server could choose an unsupported elliptic curve and the client would not be able to communicate with the server over TLS. With this update, the OpenSSL TLS client advertises only the curves that it supports, and TLS communication with servers (including those that also use curves not supported by the Red Hat Enterprise Linux OpenSSL TLS client) can now be established.
Users of openssl are advised to upgrade to these updated packages, which fix these bugs. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

8.136. openswan

Updated openswan packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks.

Bug Fixes

BZ#771612
Previously, the "ipsec barf" command called the grep utility on the /var/log/lastlog file, which caused the system to use a significant amount of memory. After this update, "ipsec barf" uses the "lastlog -u user" command, which prevents the utility from using too much memory.
BZ#831669
According to the RFC 5996 standard, reserved fields must be ignored on receipt, irrespective of their value. Previously, however, the contents of the reserved fields were not ignored on receipt for some payloads. Consequently, Openswan reported an error message and Internet Key Exchange (IKE) negotiation failed. With this update, Openswan has been modified to ignore the reserved fields and IKE negotiation succeeds regardless of the reserved field value.
BZ#831676
When a connection was configured in transport mode, Openswan did not pass information about traffic selectors to the NETKEY/XFRM IPsec kernel stack during the setup of security associations (SAs). Consequently, the information was not available in the output of the "ip xfrm state" command. With this update, Openswan correctly passes the traffic selectors information to the kernel when SAs are set up in transport mode.
BZ#846797
When a tunnel was established between two IPsec hosts, for example host1 and host2, utilizing Dead Peer Detection (DPD), and if host2 went offline while host1 continued to transmit data, host1 continually queued multiple phase 2 requests after the DPD action. When host2 came back online, the stack of pending phase 2 requests was established, leaving a new IPsec Security Association (SA), and a large group of extra SAs that consumed system resources and eventually expired. This update ensures that Openswan has just a single pending phase 2 request during the time that host2 is down, and when host2 comes back up, only a single new IPsec SA is established, thus preventing this bug.
BZ#848132
When a tunnel was established between two IPsec hosts, for example host1 and host2, using the "dpdaction=restart" option, if host2 went offline and the Dead Peer Detection (DPD) was activated, the new phase1 replacement started retransmitting, but was subject to a limited number of retries, even if the "keyingtries=%forever" option (which is the default) was set. If host2 did not reconnect in time, the phase1 replacement expired and then the tunnel did not rekey until the old phase1 Security Association (SA) expired (in about 10 minutes by default). This meant that using the "dpdaction=restart" option only allowed a short window for the peer to reconnect. With this update, the phase1 replacement continues to try to rekey, thus avoiding the retransmission limit and timeout.
BZ#868986
Previously, certificates specified by names containing a comma in "rightid" connection options were ignored, and these connections were not authenticated due to an ID mismatch. With this update, Openswan now supports escaped commas inside the OID field in the "rightid" option.
BZ#881914
Previously, when certificates signed with the SHA2 digest algorithm were used for peer authentication, connection setup failed with the following error:
digest algorithm not supported
This bug has been fixed and Openswan now recognizes these certificates and sets up a connection correctly.
BZ#954249
The openswan package for Internet Protocol Security (IPsec) contains two diagnostic commands, "ipsec barf" and "ipsec look", that can cause the iptables kernel modules for NAT and IP connection tracking to be loaded. On very busy systems, loading such kernel modules can result in severely degraded performance or lead to a crash when the kernel runs out of resources. With this update, the diagnostic commands do not cause loading of the NAT and IP connection tracking modules. This update does not affect systems that already use IP connection tracking or NAT as the iptables and ip6tables services will already have loaded these kernel modules.
BZ#958969
Previously, when the IPsec daemon (pluto) attempted to verify the signature of a Certificate Revocation List (CRL), if the signature value began with a zero byte and had another zero as padding, the mpz() functions stripped out all leading zeros. This resulted in the Network Security Services (NSS) data input being one byte short and consequently failing verification when NSS compared its length to the modulus length. This update removes the conversions into arbitrary-precision arithmetic (bignum) objects and handles the leading zero by moving the pointer one position forward and reducing the length of the signature by 1. As a result, verification of CRLs now works as expected even with leading zeros in the signature.
BZ#960171
Previously, the order of the load_crls() and load_authcerts_from_nss() functions in the plutomain.c file was incorrect. As a consequence, when the IPsec daemon (pluto) attempted to load the Certificate Revocation Lists (CRLs) from the /etc/ipsec.d/crls/ directory during startup, loading failed because pluto checked for a loaded Certification Authority (CA) when there was none available. This update swaps the order of the aforementioned functions in the plutomain.c file, and now pluto no longer fails during startup and loads the CRLs successfully.
BZ#965014
Previously, the Openswan Internet Key Exchange version 2 (IKEv2) implementation did not set the "reserved" field to zero. As a consequence, Openswan did not pass the TAHI IKEv2 test. After this update, Openswan now sets the "reserved" field to zero and successfully passes the TAHI IKEv2 test.
BZ#975550
Previously, when an MD5 hash was used in the Internet Key Exchange version 2 (IKEv2) algorithm in Openswan to connect to another IPsec implementation, for example strongswan, occasionally the installed kernel security policy entry had a different "enc" or "auth" value than the corresponding values on the other side. As a consequence, a connection could not be established even though the Security Association (SA) was established correctly. After this update, these values are set correctly in Openswan and a connection can be established successfully.
BZ#985596
Previously, when in FIPS mode, Openswan did not allow the use of SHA2 algorithms. This update enables the use of SHA2 algorithms in FIPS mode.
BZ#994240
Initial support for passing traffic selectors to an XFRM IPsec stack for transport mode was incomplete and did not include the necessary work-arounds for NAT-traversal support. As a consequence, Openswan could not establish an L2TP connection with devices which use NAT-Traversal. After this update, the direction of IPsec Security Association (SA) is now passed to the netlink_setup_sa() function so that the client IP is substituted with the host IP and the selector works for NAT transport mode.
BZ#1002633
After this update, Openswan now uses dracut-fips to determine whether it should run in FIPS mode.
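The length mismatch described under BZ#958969 above can be reproduced with any big-integer type. The following added example (not Openswan or NSS code) contrasts the bignum round trip with the pointer-skip handling the note describes, and goes one step further by showing the general fixed-width encoding (I2OSP from RFC 8017). The function names, the 256-byte modulus length, the sample field and the exact skip condition are assumptions.

```python
# Added example for BZ#958969: constructed values, hypothetical function names.

MODULUS_LEN = 256  # constructed: byte length of a 2048-bit RSA modulus


def sample_field(modulus_len):
    """Constructed signature field: one 0x00 padding byte followed by a
    signature of modulus_len bytes whose own first byte is 0x00."""
    signature = b"\x00" + bytes((i % 255) + 1 for i in range(modulus_len - 1))
    return b"\x00" + signature


def via_bignum(field):
    """Old path: convert the field to a big integer and back.

    An integer has no notion of leading zero bytes, so exporting it gives
    the shortest encoding and every leading 0x00 is lost.
    """
    n = int.from_bytes(field, "big")
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def via_pointer_skip(field, modulus_len):
    """Fixed path as the note describes it: step over one padding byte.

    Assumption: the skip applies when the field is exactly one byte longer
    than the modulus and starts with 0x00.
    """
    if len(field) == modulus_len + 1 and field[0] == 0:
        return field[1:]
    return field


def i2osp(n, length):
    """General fixed-width encoding (RFC 8017 I2OSP): left-pad with zeros."""
    if n >= 256 ** length:
        raise ValueError("integer too large for %d bytes" % length)
    return n.to_bytes(length, "big")


def length_ok(signature, modulus_len):
    """The check the note attributes to NSS: lengths must match exactly."""
    return len(signature) == modulus_len


if __name__ == "__main__":
    field = sample_field(MODULUS_LEN)
    old = via_bignum(field)
    new = via_pointer_skip(field, MODULUS_LEN)
    print("field length:        ", len(field))
    print("bignum round trip:   ", len(old), "accepted:", length_ok(old, MODULUS_LEN))
    print("pointer skip:        ", len(new), "accepted:", length_ok(new, MODULUS_LEN))
    same = i2osp(int.from_bytes(field, "big"), MODULUS_LEN) == new
    print("I2OSP gives same bytes:", same)
```

Roughly one signature in 256 starts with a zero byte, so a failure of this kind appears only intermittently and is easy to mistake for a bad CRL.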

Enhancements

BZ#916743
This update introduces a feature to control transmission delay timing for IPsec connections.
BZ#880004
With this update, Openswan now supports Internet Key Exchange (IKE) fragmentation. Openswan can now successfully connect to devices which support IKE fragmentation.
BZ#908476
Support for the Internet Key Exchange version 1 (IKEv1) INITIAL-CONTACT IPsec message, as defined in Section 4.6.3.3. of the RFC2407 specification, has been added to Openswan. This addresses an interoperability bug where a peer does not replace an existing IPsec Security Association (SA) with a newly negotiated one unless a Notification Payload message is present.
BZ#957400
The kernel module aesni_intel is now loaded by Openswan on startup. This update significantly improves the performance of Openswan on machines running Advanced Encryption Standard New Instructions (AES-NI).
BZ#959568
The default behavior of Openswan is to send NAT-Traversal keepalive packets. Disabling sending keepalive packets previously was a global option. After this update, the user can disable NAT-Traversal keepalive packet sending per connection.
Users of openswan are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

8.137. pacemaker

Updated pacemaker packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link associated with the description below.
Pacemaker is a high-availability cluster resource manager with a powerful policy engine.

Security Fix

CVE-2013-0281
A denial of service flaw was found in the way Pacemaker performed authentication and processing of remote connections in certain circumstances. When Pacemaker was configured to allow remote Cluster Information Base (CIB) configuration or resource management, a remote attacker could use this flaw to cause Pacemaker to block indefinitely (preventing it from serving other requests).

Note

The default Pacemaker configuration in Red Hat Enterprise Linux 6 has the remote CIB management functionality disabled.

Upgrade to an Upstream Version

The pacemaker package has been upgraded to upstream version 1.1.10, which provides a number of bug fixes and enhancements over the previous version:
* Pacemaker no longer assumes unknown cman nodes are safely stopped.
* The core dump file now converts all exit codes into positive 'errno' values.
* Pacemaker ensures a return to a stable state after too many fencing failures, and initiates a shutdown if a node claimed to be fenced is still active.
* The crm_error tool adds the ability to list and print error symbols.
* The crm_resource command allows individual resources to be reprobed, and implements the "--ban" option for moving resources away from nodes. The "--clear" option has replaced the "--unmove" option. Also, crm_resource now supports OCF tracing when using the "--force" option.
* The IPC mechanism restores the ability for members of the haclient group to connect to the cluster.
* The Policy Engine daemon allows active nodes in the current membership to be fenced without quorum.
* Policy Engine now suppresses meaningless IDs when displaying anonymous clone status, supports maintenance mode for a single node, and correctly handles the recovered resources before they are operated on.
* XML configuration files are now checked for non-printing characters, which are replaced with their octal equivalents when exporting XML text. Also, a more reliable buffer allocation strategy has been implemented to prevent lockups.
(BZ#987355)

Bug Fixes

BZ#902407
The "crm_resource --move" command was designed for atomic resources and could not handle resources on clones, masters, or slaves present on multiple nodes. Consequently, crm_resource could not obtain enough information to move a resource and did not perform any action. The "--ban" and "--clear" options have been added to allow the administrator to instruct the cluster unambiguously. Clone, master, and slave resources can now be navigated within the cluster as expected.
BZ#908450
The hacluster user account did not have a user identification (UID) or group identification (GID) number reserved on the system. Thus, UID and GID values were picked randomly during the installation process. The UID and GID number 189 was reserved for hacluster and is now used consistently for all installations.
BZ#913093
Certain clusters used node host names that did not match the output of the "uname -n" command. Thus, the default node name used by the crm_standby and crm_failcount commands was incorrect and caused the cluster to ignore the update by the administrator. The crm_node command is now used instead of the uname utility in helper scripts. As a result, the cluster behaves