Chapter 8. Bug fixes

The installer now displays correct total disk space in Custom partitioning with multipath or DDF RAID devices

Previously, when Custom partitioning was selected in Installer on a system with a multipath or DDF RAID device, the total disk space was not reported correctly and member disk devices were listed as available for partitioning.

The installer now adds configuration options correctly into the yum repo files

Previously, the installer did not add configuration options correctly into yum repo files while including and excluding packages from additional installation repositories. With this update, yum repo files are created correctly. As a result, using the --excludepkgs= or --includepkgs= options in the repo kickstart command now excludes or includes the specified packages during installation as expected.

Using the filename DHCP option no longer blocks downloading the kickstart file for installation

Previously, when building a path for getting the kickstart file from an NFS server, the installer did not consider the filename DHCP option. As a consequence, the installer did not download the kickstart file and was blocking the installation process. With this update, the filename DHCP option correctly constructs a path to the kickstart file. As a result, the kickstart file is downloaded properly, and the installation process starts correctly.

The installer now creates a new GPT disk layout while custom partitioning

Previously, the installer did not change the disk layout to GPT when inst.gpt was specified on the kernel command line, and the user removed all partitions from a disk with the MBR disk layout on the custom partitioning spoke. As a consequence, the MBR disk layout remained on the disk.

Installer now lists all PPC PreP Boot or BIOS Boot partitions during custom partitioning

Previously, when adding multiple PPC PreP Boot or BIOS Boot partitions during custom partitioning, the Custom Partitioning screen displayed only one partition of a related type. As a consequence, the Custom Partitioning screen did not reflect the real state of the intended partitioning layout, making the partitioning process difficult and non-transparent.

Anaconda now validates LUKS passphrases for the FIPS requirements

Previously, Anaconda did not check if the length of LUKS passphrases satisfies the FIPS requirements, while the underlying tools performed this check. As a consequence, installing in FIPS mode with a passphrase shorter than 8 characters caused the installer to terminate prematurely.

Subscription manager no longer denies registration and fetching of Red Hat content

Previously, subscription-manager operated in container mode when run under OpenShift Container Platform (OCP) because of improved container detection logic in RHEL 9. As a consequence, the system was unable to use the provided subscription credentials and therefore not fetching Red Hat content.

subscription-manager no longer retains nonessential text in the terminal

Starting with RHEL 9.1, subscription-manager displays progress information while processing any operation. Previously, for some languages, typically non-Latin, progress messages did not clean up after the operation finished. With this update, all the messages are cleaned up properly when the operation finishes.

RPM no longer hangs during a transaction involving the fapolicyd service restart

Previously, if you tried to update a package that caused the fapolicyd service to be restarted, for example, systemd, the RPM transaction stopped responding because the fapolicyd plug-in failed to communicate with the fapolicyd daemon.

Reverting a DNF upgrade transaction is now possible for a package group or environment

Previously, the dnf history rollback command failed when attempting to revert an upgrade transaction for a package group or an environment.

Security DNF upgrade is now possible for packages that change their architecture through the upgrade

Patch for BZ#2108969 introduced with RHBA-2022:8295 caused a regression where DNF upgrade using security filters skipped packages that changed their architecture from or to noarch through the upgrade. Consequently, the missing security upgrades for these packages could leave the system in a vulnerable state.

Qt message QM files with 3-letter names are now packaged when an RPM package is being built or rebuilt

Previously, the find-lang.sh script could not find Qt message QM files (.qm) with names consisting of 3 characters. Consequently, these files were not added to an RPM package.

ReaR handles excluded DASDs on the IBM Z architecture correctly

Previously on the IBM Z architecture, ReaR reformatted all connected Direct Access Storage Devices (DASD) during the recovery process, including those DASDs that users excluded from the saved layout and did not intend to restore their content. As a consequence, if you excluded some DASDs from the saved layout, their data were lost during system recovery. With this update, ReaR no longer formats excluded DASDs during system recovery, including the device from which the ReaR rescue system was booted (using the zIPL bootloader). You are also prompted to confirm the DASD formatting script before ReaR reformats DASDs. This ensures that the data on excluded DASDs survive a system recovery.

ReaR no longer fails to restore non-LVM XFS filesystems

Previously, when you used ReaR to restore a non-LVM XFS filesystems with certain settings and disk mapping, ReaR created the file system with the default settings instead of the specified settings. For example, if you had a file system with the sunit and swidth parameters set to non-zero values and you restored the file system using ReaR with disk mapping, the file system would be created with default sunit and swidth parameters ignoring the specified values. As a consequence, ReaR failed during mounting the filesystem with specific XFS options. With this update, ReaR correctly restores the file system with the specified settings.

wsmancli handles HTTP 401 Unauthorized statuses correctly

The wsmancli utility for managing systems using Web Services Management protocol now handles authentication to better conform to RFC 2616.

USBGuard saves rules even if RuleFile is not defined

Previously, if the RuleFolder configuration directive in USBGuard was set but RuleFile was not, the rule set could not be changed. With this update, you can now change the rule set even if RuleFolder is set but RuleFile is not. As a result, you can modify the permanent policy in USBGuard to permanently save newly added rules.

python-sqlalchemy rebased to 1.4.45

The python-sqlalchemy package has been rebased to version 1.4.45, which provides many bug fixes over version 1.4.37. Most notably, this version contains a fix for a critical memory bug in the cache key generation.

crypto-policies now disable NSEC3DSA for BIND

Previously, the system-wide cryptographic policies did not control the NSEC3DSA algorithm in the BIND configuration. Consequently, NSEC3DSA, which does not meet current security requirements, was not disabled on DNS servers. With this update, all cryptographic policies disable NSEC3DSA in the BIND configuration by default.

OpenSSL in SECLEVEL=3 now works with PSK cipher suites

Previously, pre-shared key (PSK) cipher suites were not recognized as performing perfect forward secrecy (PFS) key exchange methods. As a consequence, the ECDHE-PSK and DHE-PSK cipher suites did not work with OpenSSL configured to SECLEVEL=3, for example, when the system-wide cryptographic policy was set to FUTURE. The new version of the openssl package fixes this problem.

Clevis now correctly skips commented-out devices in crypttab

Previously, Clevis tried to unlock commented-out devices in the crypttab file, causing the clevis-luks-askpass service to run even if the device was not valid. This caused unnecessary service runs and made it difficult to troubleshoot.

Clevis no longer requests too much entropy from pwmake

Previously, the pwmake password generation utility displayed unwanted warnings when Clevis used pwmake to create passwords for storing data in LUKS metadata, which caused Clevis to use lower entropy. With this update, Clevis is limited to 256 entropy bits provided to pwmake, which eliminates an unwanted warning and uses the correct amount of entropy.

USBGuard no longer causes a confusing warning

Previously, a race condition could happen in USBGuard when a parent process finished sooner than the first child process. As a consequence, systemd reported that a process was present with a wrongly identified parent PID (PPID). With this update, a parent process waits for the first child process to finish in working mode. As a result, systemd no longer reports such warnings.

OOM killer no longer terminates usbguard prematurely

Previously, the usbguard.service file did not contain a definition of the OOMScoreAdjust option for the systemd service. Consequently, when the system was low on resources, the usbguard-daemon process could be terminated before other unprivileged processes. With this update, usbguard.service file now includes OOMScoreAdjust setting, which prevents the Out-of-Memory (OOM) killer terminate the usbguard-daemon process prematurely.

logrotate no longer incorrectly signals Rsyslog in log rotation

Previously, the argument order was incorrectly set in the logrotate script, which caused a syntax error. This resulted in logrotate not correctly signaling Rsyslog during log rotation.

imklog no longer calls free() on missing objects

Previously, the imklog module called a free() function on an already freed object. Consequently, imklog could cause a segmentation fault. With this update, the object is no longer freed twice.

fagenrules --load now works correctly

Previously, the fapolicyd service did not correctly handle the signal hang up (SIGHUP). Consequently, fapolicyd terminated after receiving SIGHUP, and the fagenrules --load command did not work correctly. This update contains a fix for the problem. As a result, fagenrules --load now works correctly, and rule updates no longer require manual restarts of fapolicyd.

Scans and remediations correctly ignore SCAP Audit rules Audit key

Previously, Audit watch rules that were defined without an Audit key (-k or -F key) encountered the following problems:

Keylime no longer fails attestation of systems that access multiple IMA-measured files

Previously, if a system that runs the Keylime agent accessed multiple files measured by the Integrity Measurement Architecture (IMA) in quick succession, the Keylime verifier incorrectly processed the IMA log additions. As a consequence, the running hash did not match the correct Platform Configuration Register (PCR) state, and the system failed attestation. This update fixes the problem and systems that quickly access multiple measured files no longer fail attestation.

Keylime policy generation script no longer causes a segmentation fault and core dump

The create_mb_refstate script generates policies for measured boot attestation in Keylime. Previously, create_mb_refstate incorrectly calculated the data length in the DevicePath field. As a consequence, the script tried to access invalid memory using the incorrectly calculated length, which resulted in a segmentation fault and core dump.

TPM certificates no longer cause Keylime registrar to crash

Previously, some certificates in the Keylime TPM certificate store were malformed x509 certificates and caused the Keylime registrar to crash. This update fixes the problem, and Keylime registrar no longer crashes due to malformed ceritficates.

NetworkManager now preserves IP addresses during reapply before acquiring a new DHCP lease

Previously, after changing the connection settings and then using nmcli device reapply command, NetworkManager did not preserve the DHCP lease. Consequently, the IP address got removed temporarily. With this fix, NetworkManager preserves the DHCP lease and uses it until the lease expires or the client requests a new one. As a result, when the nmcli device reapply command restarts DHCP client, it does not temporarily remove the IP address.

The firewalld service now triggers the ipset deprecation warning only when using direct rules

Previously, the firewalld service used the deprecated ipset kernel module when it was not necessary. Consequently, RHEL logged the module’s deprecation warning which could be misleading because the ipset feature of firewalld is not deprecated. With this update, firewalld only uses the deprecated ipset module and logs the warning if the user explicitly uses ipsets with the --direct option.

The HNV interface now displays the options after reboot

Previously, the nmcli utility created a Hybrid Network Virtualization (HNV) bond by using NetworkManager API. Consequently, after a reboot, the HNV bond lost the primary port setting. With this fix, nmcli now uses hcnmgr to set bonding options for the primary port. The hcnmgr utility supports migration of live partitions with Single Root Input/Output Virtualization (SR-IOV) for hybrid networks. As a result, the HNV bond interface displays the active slave/primary_reselect option after reboot.

FADump enabled with Secure Boot works correctly

Previously, when Firmware Assisted Dump (FADump) was enabled in the Secure Boot environment and any of the booting components exceeded the allocated memory region, system reboots caused a GRUB Out of Memory (OOM) state. This update provides a fix in kexec-tools so that Secure Boot and FADump work together correctly.

grubby now passes arguments to a new kernel correctly

When you add a new kernel using the grubby tool and do not specify any arguments, or leave the arguments blank, grubby will not pass any arguments to the new kernel and root will not be set. Using the --args and --copy-default options ensures new arguments are appended to the default arguments.

RHEL installation now succeeds even when PReP is not 4 or 8 MiB in size

Previously, the RHEL installer could not install the boot loader if the PowerPC Reference Platform (PReP) partition was of a different size than 4 MiB or 8 MiB on a disk that used 4 kiB sectors. As a consequence, you could not install RHEL on the disk.

Installer creating LUKSv2 devices with sector size of 512 bytes

Previously, the RHEL installer created LUKSv2 devices with 4096 bytes sectors if the disk had 4096 bytes physical sectors. With this update, installer now creates LUKSv2 devices with sector size of 512 bytes to offer better disk compatibility with different physical sector sizes used together in one LVM volume group even when the LVM physical volumes are encrypted.

supported_speeds sysfs attribute reports correct speed values

Previously, because of an incorrect definition in the qla2xxx driver, the supported_speeds sysfs attribute for the HBA reported 20 Gb/s speed instead of the expected 64 Gb/s speed. Consequently, if the HBA supported 64 Gb/s link speed, the supported_speeds sysfs value was incorrect, which affected the reported speed value.

The lpfc driver is in a valid state during the D_ID port swap

Previously, the SAN Boot host, after issuing the NetApp giveback operation, resulted in LVM hung task warnings and stalled I/O. This problem occurred even when alternate paths were available in a DM-Multipath environment due to the fiber channel D_ID port swap. As a consequence of the race condition, the D_ID port swap resulted in an inconsistent state in the lpfc driver, which prevented I/O from being issued.

pcs no longer allows you to modify cluster properties that should not be changed

Previously, the pcs command line interface allowed you to modify cluster properties that should not be changed or for which change does not take effect. With this fix, pcs no longer allows you to modify these cluster properties: cluster-infrastructure, cluster-name, dc-version, have-watchdog, and last-lrm-refresh.

pcs now displays cluster properties that are not explicitly configured

Previously, a pcs command to display the value of a specific cluster property did not list values that are not explicitly configured in the CIB. With this fix, if a cluster property is not set pcs displays the default value for the property.

Cluster resources that call crm_mon now stop cleanly at shutdown

Previously, the crm_mon utility returned a nonzero exit status while Pacemaker was in the process of shutting down. Resource agents that called crm_mon in their monitor action, such as ocf:heartbeat:pqsql, could incorrectly return a failure at cluster shutdown. With this fix, crm_mon returns success even if the cluster is in the process of shutting down. Resources that call crm_mon now stop cleanly at cluster shutdown.

OCF resource agent metadata actions can now call crm_node without causing unexpected fencing

As of RHEL 8.5, OCF resource agent metadata actions blocked the controller and crm_node queries performed controller requests. As a result, if an agent’s metadata action called crm_node, it blocked the controller for 30 seconds until the action timed out. This could cause other actions to fail and the node to be fenced.

Pacemaker now rechecks resource assignments immediately when resource order changes

As of RHEL 8.7, Pacemaker did not recheck resource assignments when the order of resources in the CIB changed with no changes to the resource definition. If configuration reordering would cause resources to move, that would not take place until the next natural transition, up to the value of cluster-recheck-interval-property. This could cause issues if resource stickiness is not configured for a resource.

Enabling a single resource and monitoring operation no longer enables monitoring operations for all resources in a resource group

Previously, after unmanaging all resources and monitoring operations in a resource group, managing one of the resources in that group along with its monitoring operation re-enabled the monitoring operations for all resources in the resource group. This could trigger unexpected cluster behavior.

DNS lookup can now succeed even when some CNAME records are invalid

Previously, the glibc DNS stub resolver treated CNAME records with owner names that are not host names as DNS packet errors. Consequently, the DNS query failed because of the DNS packet errors. With this update, the glibc stub resolver now skips invalid CNAME records and the corresponding alias information is not extracted. Therefore, DNS lookups can now succeed even if the server response includes a CNAME chain that contains a domain name that is not a host name.

golang now supports 4096 bit keys in x509 FIPS mode

Previously, golang did not support the 4096 bit keys in x509 FIPS mode. Consequently, when the user used 4096 bit keys the program crashed. With this update, golang now supports 4096 bit keys in x509 FIPS mode.

You can install SciPy using pip on all architectures

Previously, the openblas-devel package did not contain a pkg-config file for the OpenBLAS library. As a consequence, in certain scenarios, it was impossible to determine the compiler and linker flags using the pkgconf utility while compiling with OpenBLAS. For example, this caused a failure of the pip install scipy command on the 64-bit IBM Z and IBM Power Systems, Little Endian architectures.

The tzset function in glibc now sets the daylight variable to a non-zero value if there is any DST rule in the TZ data

Previously, the tzset function in glibc would set the daylight variable to 0 if the last DST transition in the time zone data file did not result in a clock change due to a simultaneous change in the standard time offset. Consequently, when applications use the daylight variable to check if DST was ever active, they do not get the right result and perform incorrect actions based on this information. To fix this, the tzset function now sets the daylight variable to a non-zero value if there is any DST rule in the time zone data, regardless of offset. As a result, applications now observe the presence of DST rules regardless of offset changes.

OpenJDK RSAPSSSignature implementation now validates RSA keys before using them

Previously, the RSAPSSSignature implementation in OpenJDK did not fully check if given RSA keys could be used by the SunRSASign provider before attempting to use them, which would result in errors when using custom security providers. The bug is now fixed and, as a result, the RSAPSSSignature implementation now validates RSA keys and allows other providers to handle these keys when it cannot.

The OpenJDK XML signature provider is now functional in FIPS mode

Previously, the OpenJDK XML signature provider was unable to operate in FIPS mode. As a result of enhancements to FIPS mode support the OpenJDK XML signature provider is now enabled in FIPS mode.

OpenJDK in FIPS mode no longer experiences unexpected errors with certain PKCS#11 tokens

Previously, some PKCS#11 tokens were not fully initialized before use by OpenJDK in FIPS mode resulting in unexpected errors. With this upgrade, these errors are now expected and handled by the FIPS support code.

Authentication to external IdPs that require a client secret is now possible

Previously, SSSD did not properly pass client secrets to external identity providers (IdPs). Consequently, authentication failed against external IdPs that you previously configured with the ipa idp-add --secret command to require a client secret. With this update, SSSD passes the client secret to the IdP and users can authenticate.

IdM now supports setting hostmasks for sudo rules using Ansible

Previously, the ipa sudorule-add-host command allowed setting a hostmask to be used by the sudo rule, but this option was not present in the ansible-freeipa package. With this update, you can now use the ansible-freeipa hostmask variable to define a list of hostmasks to which a particular sudo rule, defined in Identity Management (IdM), applies.

The dscreate utility now works correctly when it uses a custom path with the db_dir parameter

Previously, an instance that used custom directory paths failed to start because the custom directories had a wrong SELinux label. As a consequence, SELinux denied access to these directories and the instance was not created. With this release, dscreate utility sets correct SELinux labels for the custom instance directories.

A password change for the Directory Server replication manager account now works correctly

Previously, after a password change, Directory Server did not properly update the password cache for the replication agreement. As a consequence, when you changed the password for the replication manager account, the replication failed. With this update, Directory Server updates the cache properly and, as a result, the replication works as expected.

The IdM client installer no longer specifies the TLS CA configuration in the ldap.conf file

Previously, the IdM client installer specified the TLS CA configuration in the ldap.conf file. With this update, OpenLDAP uses the default trust store and the IdM client installer does not set up the TLS CA configuration in the ldap.conf file.

IdM clients correctly retrieve information for trusted AD users when their names contain mixed case characters

Previously, if you attempted a user lookup or authentication of a user, and that trusted Active Directory (AD) user contained mixed case characters in their names and they were configured with overrides in IdM, an error was returned preventing users from accessing IdM resources.

Matrox G200e now shows output on a VGA display

Previously, your display might have shown no graphical output if you used the following system configuration:

The web console NBDE binding steps now work also on volume groups with a root file system

In RHEL 9.2.0, due to a bug in the code for determining whether or not the user was adding a Tang key to the root file system, the binding process in the web console crashed when there was no file system on the LUKS container at all. Because the web console displayed the error message TypeError: Qe(…​) is undefined after you had clicked the Trust key button in the Verify key dialog, you had to perform all the required steps in the command-line interface in the described scenario.

The nbde_client system role now correctly handles different names of clevis-luks-askpass

The nbde_client system role has been updated to handle the systems on which the clevis-luks-askpass systemd unit has a different name. The role now correctly works with different names of clevis-luks-askpass on managed nodes, which requires unlocking also LUKS-encrypted volumes that mount late in the boot process.

The ha_cluster system role logs no longer display unencrypted passwords and secrets

The ha_cluster system role accepts parameters that can be passwords or other secrets. Previously, some of the tasks would log their inputs and outputs. As a result, the role logs could contain unencrypted passwords and other secrets.

Clusters configured with ha_cluster system role to use SBD and not start on boot now work correctly

Previously, if a user configured a cluster using the ha_cluster system role to use SBD and not start on boot, then the SBD service was disabled and SBD did not start. With this fix, the SBD service is always enabled if a cluster is set to use SBD whether or not the cluster is configured to start on boot.

Enabling implicit files provider to fix cockpit-session-recording SSSD configuration

A disabled SSSD implicit files provider caused the cockpit-session-recording modules to create an invalid System Security Services Daemon (SSSD) configuration. This update unconditionally enables the files provider and as a result, the SSSD configuration created by cockpit-session-recording now works as expected.

The nbde_client_clevis role no longer reports traceback to users

Previously, the nbde_client_clevis role sometimes failed in exception, causing a traceback and reporting sensitive data, such as the encryption_password field, back to the user. With this update, the role no longer reports sensitive data, only the appropriate error messages.

Setting stonith-watchdog-timeout property with the ha_cluster system role now works in a stopped cluster

Previously, when you set the stonith-watchdog-timeout property with the ha_cluster system role in a stopped cluster, the property reverted to its previous value and the role failed. With this fix, configuring the stonith-watchdog-timeout property by using the ha_cluster system role works properly.

Network traffic is now directed through the intended network interface when using initscripts with the networking RHEL system role

Previously, when using the initscripts provider, the routing configuration for network connections did not specify the output device that the traffic should go through. Consequently, the kernel could use a different output device than the user intended. Now, if the network interface name is specified in the playbook for the connection, it is used as the output device in the route configuration file. This aligns the behavior with NetworkManager, which configures the output device in routes when activating profiles on devices. As a result, the users can ensure that the traffic is directed through the intended network interface.

The selinux role now manages policy modules idempotently

Previously, the selinux role copied an existing module to the managed node every time, reporting a change even when the module was already present. With this update, the selinux role checks if the module has been installed on the managed node, and does not attempt to copy and install the module if it is already installed.

The rhc system role no longer fails on the registered systems when rhc_auth contains activation keys

Previously, a failure occurred when you executed playbook files on the registered systems with the activation key specified in the rhc_auth parameter. This issue has been resolved. It is now possible to execute playbook files on the already registered systems, even when activation keys are provided in the rhc_auth parameter.

System time on nested VMs now works reliably

Previously, system time on nested virtual machines (VMs) in some cases desynchronised from the Level 0 and level 1 hosts. This also sometimes caused the nested VM to become unresponsive or terminate unexpectedly.

VMs on IBM Z no longer fail to start when using memfd memory backing

Previously, on IBM Z hosts, virtual machines (VMs) failed to boot if they were configured to use the memfd type of hugepage memory backing, for example as follows:

VNC can now reliably connect to UEFI VMs after migration

Previously, if you enabled or disabled a message queue while migrating a virtual machine (VM), the Virtual Network Computing (VNC) client failed to connect to the VM after the migration was complete.

The installer shows the expected system disk to install RHEL on VM

Previously, when installing RHEL on a VM using virtio-scsi devices, it was possible that these devices did not appear in the installer because of a device-mapper-multipath bug. Consequently, during installation, if some devices had a serial set and some did not, the multipath command was claiming all the devices that had a serial. Due to this, the installer was unable to find the expected system disk to install RHEL in the VM.