3. Feature Updates

Password Hashing Using SHA-256/SHA-512

Password hashing using the SHA-256 and SHA-512 hash functions is now supported.

To switch to SHA-256 or SHA-512 on an installed system, run authconfig --passalgo=sha256 --kickstart or authconfig --passalgo=sha512 --kickstart. Existing user accounts will not be affected until their passwords are changed.

For newly installed systems, using SHA-256 or SHA-512 can be configured only for kickstart installations. To do so, use the --passalgo=sha256 or --passalgo=sha512 options of the kickstart command auth; also, remove the --enablemd5 option if it is present.

If your installation does not use kickstart, use authconfig as described above, then change all passwords (including root) created after installation.

Appropriate options were also added to libuser, pam, and shadow-utils to support these password hashing algorithms. authconfig configures necessary options automatically, so it is usually not necessary to modify them manually:

  • New values of the crypt_style option and new options for both hash_rounds_min and hash_rounds_max are now supported in the [defaults] section of /etc/libuser.conf. For more information, refer to /usr/share/doc/libuser-[libuser version]/README.sha.

  • New options sha256, sha512, and rounds are now supported by the pam_unix PAM module. For more information, refer to /usr/share/doc/pam-[pam version]/txts/README.pam_unix.

  • The following new options in /etc/login.defs are now supported by shadow-utils:

    • ENCRYPT_METHOD — Specifies the encryption method to be used. Valid values are DES, MD5, SHA256, SHA512. If this option is defined, MD5_CRYPT_ENAB is ignored.

    • SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS — Specify the number of hashing rounds to use if ENCRYPT_METHOD is set to SHA256 or SHA512. If neither option is set, a default value is chosen by glibc. If only one option is set, its value specifies the number of rounds.

      If both options are used, they specify an inclusive interval from which the number of rounds is chosen randomly. The selected number of rounds is limited to the inclusive interval [1000, 999999999].
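The two practical consequences of the passage above are that existing accounts keep their old DES or MD5 hashes until their passwords are changed, and that the number of SHA-crypt rounds is recorded in the hash itself (the rounds= field) and chosen from the login.defs settings. The following Python script is an added example, not Red Hat's or shadow-utils' code: it audits /etc/shadow-style records (the sample records are constructed, not from any real system) for accounts still on DES or MD5, reports the rounds each SHA-256/SHA-512 hash uses, and implements the rounds-selection rule described above. The glibc default of 5000 rounds is glibc's documented behaviour; treating a MIN value greater than MAX by swapping them is an assumption made here for the example.

```python
import random
import re

# Constructed sample of /etc/shadow-style records (fake salts and hashes).
SAMPLE_SHADOW = """\
root:$6$rounds=10000$abcdefghijklmnop$QvRfakehashvalue:17000:0:99999:7:::
alice:$1$saltsalt$fakemd5hashfakemd5hash:16500:0:99999:7:::
bob:$5$saltsaltsaltsalt$fakesha256hashvalue:17100:0:99999:7:::
carol:dEsHaShXyZ12:15000:0:99999:7:::
daemon:*:16000:0:99999:7:::
nobody:!!:16000:0:99999:7:::
"""

# Hash-prefix to algorithm mapping used by glibc crypt(3).
PREFIXES = {"$1$": "MD5", "$5$": "SHA256", "$6$": "SHA512"}
WEAK = {"DES", "MD5"}
GLIBC_DEFAULT_ROUNDS = 5000            # glibc default when no rounds= is present
ROUNDS_MIN, ROUNDS_MAX = 1000, 999999999   # inclusive limits stated in the text


def classify_hash(field):
    """Return (algorithm, rounds) for one shadow password field.

    Locked or passwordless entries ('*', '!', '!!', or a '!'-prefixed hash
    as produced by 'passwd -l') return ("LOCKED", None). MD5 and DES have
    no rounds parameter, so rounds is None for them.
    """
    if field in ("", "*", "!", "!!") or field.startswith("!"):
        return ("LOCKED", None)
    for prefix, algo in PREFIXES.items():
        if field.startswith(prefix):
            if algo == "MD5":
                return (algo, None)
            m = re.match(r"\$[56]\$rounds=(\d+)\$", field)
            rounds = int(m.group(1)) if m else GLIBC_DEFAULT_ROUNDS
            return (algo, rounds)
    # No $id$ prefix: traditional 13-character DES crypt.
    return ("DES", None)


def audit(shadow_text):
    """List (user, algorithm) for accounts whose hash is still DES or MD5.

    These are the accounts whose passwords must be changed after running
    'authconfig --passalgo=sha256|sha512 --kickstart'.
    """
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, pw_field = line.split(":")[:2]
        algo, _ = classify_hash(pw_field)
        if algo in WEAK:
            findings.append((user, algo))
    return findings


def choose_rounds(min_rounds=None, max_rounds=None, rng=random):
    """Pick the SHA-crypt round count following the login.defs rule above.

    Neither set  -> None (caller omits rounds=, glibc picks its default).
    One set      -> that value.
    Both set     -> random value in the inclusive interval.
    The result is clamped to [1000, 999999999].
    Assumption (not stated in the text): if MIN > MAX the two are swapped.
    """
    if min_rounds is None and max_rounds is None:
        return None
    if min_rounds is None:
        rounds = max_rounds
    elif max_rounds is None:
        rounds = min_rounds
    else:
        lo, hi = sorted((min_rounds, max_rounds))
        rounds = rng.randint(lo, hi)
    return max(ROUNDS_MIN, min(ROUNDS_MAX, rounds))


if __name__ == "__main__":
    for user, algo in audit(SAMPLE_SHADOW):
        print(f"{user}: still using {algo}; password must be changed")
    print("rounds with MIN=2000, MAX=4000:", choose_rounds(2000, 4000))
```

On a real system the audit function would be fed the contents of /etc/shadow (readable only by root); the script does not read it itself so that it runs offline on the constructed sample.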

OFED in comps.xml

The group OpenFabrics Enterprise Distribution is now included in comps.xml. This group contains components used for high-performance networking and clustering (for example, InfiniBand and Remote Direct Memory Access).

Virtualization

This update implements the use of paravirtualized block device and network drivers, which improve the performance of fully-virtualized guests. In addition, you can now use more than three virtual network interface (VNIF) numbers per guest domain.

divider

The divider=[value] option is a kernel command-line parameter that allows you to adjust the system clock rate while maintaining the same visible HZ timing value to user space applications.

Using the divider=[value] option allows you to reduce CPU overhead and increase efficiency at the cost of lowering the accuracy of timing operations and profiling. This is useful in virtualized environments as well as for certain applications.

Useful [values] for the standard 1000Hz clock are:

  • 2 = 500Hz

  • 4 = 250Hz

  • 10 = 100Hz (value used by previous releases of Red Hat Enterprise Linux)

Note that the virtualized kernel uses a 250Hz clock by default. As such, it does not need the divider=[value] option either in dom0 or in paravirtualized guests.

Firefox Rebase

Firefox is now updated to version 3.0. This update features several fixes and enhancements, most notably:

  • Set homepages are now loaded correctly when the Firefox browser window is opened.

  • Firefox no longer crashes when you search for the string "do".

  • Firefox in 64-bit mode now loads the ext JavaScript library correctly. In previous versions of Firefox, web-based applications that used this library either took too long to load, or were never loaded at all.

  • A cross-site scripting flaw was discovered in the way Firefox handled the jar: URI scheme. This flaw made it possible for a malicious web site to conduct a scripting attack against the user. This security issue is now fixed in this update.

  • Several flaws were discovered in the way Firefox processed certain malformed content. Web sites that contained such content could cause Firefox to crash or even execute arbitrary code as the user running Firefox. This security issue is now fixed in this update.

  • A race condition was discovered in the way Firefox set the window.location property on a web page. With this flaw, it was possible for a web page to set an arbitrary Referer header; this could lead to a cross-site request forgery (CSRF) attack against websites that rely only on the Referer header. This security issue is now fixed in this update.

  • Firefox now renders correctly on laptops equipped with external display.

Note, however, that this update of Firefox is not fully backwards compatible with all JavaScript code or Firefox plugins in use today.

Also, Red Hat has observed that several large commercial web applications have relied on the presence of some cross-site scripting flaws addressed by this Firefox update. These scripting flaws are described in the following links:

Consequently, the use of these commercial web applications may result in some loss of functionality. You can observe this in the presence of additional JavaScript errors in the Firefox Error Console (Tools => Error Console). Red Hat is currently working with the corresponding vendors to address this.