Chapter 7. Bug fixes


This part describes bugs fixed in Red Hat Enterprise Linux 9.8 that have a significant impact on users.

7.1. Installer and image creation

The driver disk menu now correctly displays user input on the console

Before this release, when starting a RHEL installation with the inst.dd kernel command-line option, the console failed to render characters typed by the user. As a consequence, the lack of visual feedback made the application appear unresponsive, even though the input was still being processed in the background. With this update, this display issue has been resolved, and user input is now visible as expected during the driver disk selection process.

Jira:RHEL-4737

Installer falls back to English in text mode for unsupported languages

Before this release, the installer did not set the display mode (text, graphical, or non-interactive) early enough during startup. As a result, the check to determine whether a selected language is supported in text mode did not run. In text mode installations, languages that are not supported in the text user interface, such as Japanese, could be used, resulting in unreadable output.

With this fix, the installer correctly detects languages that are not supported in the text mode. If an unsupported language is selected, the text user interface falls back to English. The installed system is still configured to use the originally selected language.

Jira:RHEL-144834

7.2. Security

AIDE no longer terminates when a monitored file is changed

Before this update, AIDE terminated with an error if a file was truncated or removed while AIDE was computing its hash. With this update, AIDE detects when a file is truncated or deleted during hash calculation and handles the condition safely. As a result, AIDE successfully completes integrity checks even if a monitored file changes size or is removed during processing.

Jira:RHEL-1569

Updated URL in cracklib and cracklib-dicts

Before this update, the CrackLib website URL in the cracklib and cracklib-dicts packages was outdated. As a consequence, an incorrect download of cracklib-dicts occurred. With this release, the URL in the cracklib and cracklib-dicts RPMs is updated to the new website URL. As a result, the package information is accurate.

Jira:RHEL-5215

clevis-pin-tpm2 no longer silently ignores invalid JSON

Before this update, the clevis-pin-tpm2 command did not validate JSON field names during encryption with TPM2 and silently ignored typos and invalid fields, for example, pcrs_ids instead of pcr_ids. Consequently, users could inadvertently create LUKS bindings with incorrect TPM2 configurations due to typos. This could lead to unlock failures when TPM state changes, potentially making systems unbootable.

This update adds JSON schema validation to reject unknown fields in the TPM2 configuration during encryption. As a result, invalid field names in TPM2 JSON configuration are properly rejected with clear error messages to prevent silent misconfigurations that could cause unlock failures.

Jira:RHEL-68417
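The following pre-flight check is an added example, not code from clevis or from Red Hat. It rejects unknown or duplicated field names in a TPM2 pin configuration before the configuration is used for a binding. The field list is the one documented in clevis-encrypt-tpm2(1) and should be confirmed against the installed version; the function names and the sample configurations are constructed for illustration.

```python
import difflib
import json

# Top-level fields documented for the tpm2 pin in clevis-encrypt-tpm2(1).
# Assumption: confirm this set against the man page of the installed version.
KNOWN_TPM2_FIELDS = ("hash", "key", "pcr_bank", "pcr_ids", "pcr_digest")


def _reject_duplicates(pairs):
    """object_pairs_hook: json.loads would otherwise keep only the last value."""
    obj = {}
    for name, value in pairs:
        if name in obj:
            raise ValueError(f"duplicate field '{name}'")
        obj[name] = value
    return obj


def check_tpm2_config(raw):
    """Return a list of problems in a tpm2 pin configuration (empty list = clean)."""
    try:
        cfg = json.loads(raw, object_pairs_hook=_reject_duplicates)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}, column {exc.colno}"]
    except ValueError as exc:
        # Raised by _reject_duplicates.
        return [str(exc)]
    if not isinstance(cfg, dict):
        return ["configuration must be a JSON object"]

    problems = []
    for name in sorted(cfg):
        if name in KNOWN_TPM2_FIELDS:
            continue
        close = difflib.get_close_matches(name, KNOWN_TPM2_FIELDS, n=1)
        hint = f"; did you mean '{close[0]}'?" if close else ""
        problems.append(f"unknown field '{name}'{hint}")

    # Extra check made by this example only: a bank or digest with no PCR list
    # usually means the pcr_ids key was misspelled or left out.
    if "pcr_ids" not in cfg and cfg.keys() & {"pcr_bank", "pcr_digest"}:
        problems.append("pcr_bank/pcr_digest present but pcr_ids is missing")
    return problems


if __name__ == "__main__":
    # Constructed configurations; the second carries the typo from the note above.
    for sample in ('{"pcr_bank": "sha256", "pcr_ids": "7"}',
                   '{"pcr_bank": "sha256", "pcrs_ids": "7"}',
                   '{"pcr_ids": "0", "pcr_ids": "7"}'):
        print(sample, "->", check_tpm2_config(sample) or "ok")
```

On releases without the fix, running a check like this before binding catches the typo that would otherwise produce a binding with no PCR policy.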

fapolicyd-cli --check-trustdb no longer reports files without size or checksum information

Some files, for example, /usr/lib/rpm/redhat/redhat-annobin-cc1 or /etc/selinux/targeted/policy/policy.33, owned by an RPM package, are expected to be changed during and after the installation, but they are still owned by the corresponding package. Consequently, fapolicyd cannot verify such files. With this release, the fapolicyd framework no longer adds files that do not have size or checksum information in the RPM database to the trust database. As a result, the fapolicyd-cli --check-trustdb command does not report the miscompares: size sha256 error message for such files.

Jira:RHEL-94661

Keylime registrar no longer corrupts EK certificates

Before this update, the Keylime registrar performed an unnecessary data conversion of malformed Endorsement Key (EK) certificates. This process corrupted the certificates and invalidated their signatures. Consequently, it prevented the use of the ek_check_script workaround for Trusted Platform Module (TPM) devices with non-standard certificates.

With this update, the database stores EK certificates without data corruption. As a result, you can validate TPM devices with malformed certificates by using the Keylime registrar and custom verification scripts.

Jira:RHEL-111167[1]

Keylime agents correctly generate TPM quotes by using ECC keys

Before this update, when generating signed Trusted Platform Module (TPM) quotes, the keylime-agent-rust component did not properly support Elliptic Curve Cryptography (ECC) key algorithms. This prevented the agent from generating TPM quote evidence and caused enrollment failures for the ECC key types. With this update, the keylime-agent-rust component correctly handles ECC key algorithms during TPM quote generation. As a result, agents can successfully generate TPM quotes and enroll with verifiers to provide full attestation functionality with ECC keys generated by the TPM.

Jira:RHEL-118148

Keylime verifier correctly validates TPM quotes signed with ECC keys

Before this update, when verifying signed Trusted Platform Module (TPM) quotes from agents, the Keylime verifier component did not properly support Elliptic Curve Cryptography (ECC) key algorithms. This caused attestation failures when agents used the ECC key types ecc521, ecc384, ecc256, ecc224, or ecc192. With this update, the verifier correctly handles and verifies TPM quotes signed with ECC keys. As a result, Keylime provides full attestation functionality for these algorithms.

Jira:RHEL-118150

The scp utility correctly handles relative paths containing ..

Before this update, the scp utility did not expand the .. parent directory indicator in a path to the directory name. Consequently, scp incorrectly handled relative paths containing the .. indicator. This update adds special handling for parent directory indicators. As a result, scp now processes paths containing .. correctly.

Jira:RHEL-119515

SELinux confined users can use smart cards with ssh-agent

Before this update, the ssh-pkcs11-helper binary lacked a specific SELinux security context, which prevented confined users from sending a request to the ssh-agent program. Consequently, confined users, such as user_u or staff_u, were unable to add smart-card-based keys to ssh-agent. With this update, ssh-pkcs11-helper is labeled with the ssh_agent_exec_t type, and additional rules are added to cache results. As a result, confined users can successfully use smart cards with ssh-agent, allowing the agent to correctly access PKCS #11 keys and cache the results in the user’s home cache.

Jira:RHEL-121165

NSS database password updates no longer corrupt ML-DSA seeds

Before this update, when you changed the database password, a bug in how NSS handled database re-encryption prevented the ML-DSA seed attribute from updating. As a result, the seed value was permanently lost, even if you knew the previous password.

With this update, password changes correctly update the ML-DSA seed attribute and no longer cause the permanent loss of seed values. Note that you still cannot recover the seeds lost before this update.

Jira:RHEL-127671[1]

Clevis handles migrations to image mode correctly

Before this update, user and group membership updates from package installations were not properly applied when migrating from package mode to image mode. Consequently, the clevis user was not added to the tss security group, preventing Clevis from accessing a trusted platform module (TPM) device and retrieving encryption keys during system boot. With this update, the Clevis package installation process is updated to ensure that the clevis user is properly added to the tss group during image mode updates, even when existing configuration files are preserved. As a result, Clevis can properly access the TPM device and successfully retrieve an encryption key on systems in image mode.

Jira:RHEL-132187

The SELinux policy no longer disables assistive technologies for confined users

Before this update, the SELinux policy restricted confined users from using the Assistive Technology Service Provider Interface (AT-SPI) services. As a consequence, these services failed to operate in graphical desktop environments. This update adds the required execution and directory access permissions to the SELinux policy.

As a result, assistive technologies, such as the Orca screen reader and on-screen keyboards, function correctly for confined users in SELinux enforcing mode.

Jira:RHEL-133898[1]

/usr/share/*/bin/* binaries work with fapolicyd

Before this update, the fapolicyd service did not add binaries from /usr/share/*/bin/ directories to the trust database. For example, the /usr/share/Modules/bin/mkroot binary was not added. Consequently, users could not run these binaries when using the trust=1 option in fapolicyd rules. With this fix, the fapolicyd-filter.conf file contains */bin/*. As a result, you can run binaries from /usr/share/*/bin/ with the fapolicyd service active.

Jira:RHEL-141670

7.3. Software management

DNF no longer attempts to automatically remove protected packages installed as dependencies

Before this update, if you installed a protected package as a dependency required by only one other package and had the clean_requirements_on_remove configuration option enabled, DNF failed to perform any transaction that tried to remove the protected package if this package became an unused dependency. This prevented the removal of the package that depended on it, because DNF would automatically attempt to remove the protected dependency as well. With this update, DNF treats all protected packages as explicitly installed by the user. As a result, DNF no longer attempts to automatically remove protected packages, allowing the removal of the package that depends on it.

Jira:RHEL-76112

DNF correctly performs comparison of epoch-version-release for upgrade transactions

Before this update, DNF incorrectly performed comparison of the epoch-version-release (EVR) RPM package information. As a consequence, if you performed two subsequent upgrade transactions for a package that had the same epoch-version but different release, DNF identified the overall transaction as a downgrade. This update fixes the EVR comparison. As a result, DNF identifies two subsequent package upgrades with different release versions as an upgrade.

Jira:RHEL-81779

dnf-automatic can send emails to multiple recipients with default /usr/bin/mail

Before this update, if the dnf-automatic utility used the command_email emitter to send emails to multiple recipients and also used the /usr/bin/mail utility installed with the s-nail package, /usr/bin/mail failed to send an email. With this update, the dnf-automatic utility expands the email_to keyword in the command_format formatting string from a single argument to multiple arguments. As a result, dnf-automatic sends emails to multiple recipients with the default /usr/bin/mail utility.

Jira:RHEL-94321

DNF transactions that use advisory filters to update packages with multiple architectures no longer fail with a logic error

Before this update, using DNF advisory filters, such as --security, to update certain packages with multiple architectures triggered a logic error in the libsolv dependency solver. As a consequence, updating packages by using advisory filters would sometimes result in a transaction that could not be resolved. This issue affected the libldb and libsmbclient packages. This update fixes the logic error in libsolv. As a result, update transactions involving multiple architectures and the forcebest and implicitobsoleteusescolors solver options resolve.

Jira:RHEL-103995

pqrpm no longer fails to verify a package with multiple signatures when the package has some NOTTRUSTED signatures

Before this update, when you verified a package with multiple signatures, pqrpm, the minimal variant of RPM with post-quantum cryptography (PQC) support, did not correctly determine the overall verification result when the /usr/lib/pqrpm/bin/rpmkeys utility reported some of the package signatures as NOTTRUSTED. A signature can become NOTTRUSTED if, for example, its certificate is expired or revoked, or if its algorithm is disabled by system-wide cryptographic policies. As a consequence, pqrpm failed to verify the package even if the package had at least one valid and trusted signature.

This update fixes the verification logic in pqrpm to correctly handle packages with NOTTRUSTED signatures. This update also improves error reporting around this functionality.

As a result, pqrpm ignores NOTTRUSTED package signatures and successfully verifies a package with multiple signatures if the package has at least one valid signature and no invalid signatures. Error messages are also clearer and more accurate when verification actually fails.

Jira:RHEL-112700

multisig no longer fails to install packages that use both supported and unsupported RPMv6 signing algorithms

Before this update, you could not install packages with signatures that used both supported and unsupported RPMv6 package signing algorithms. As a consequence, DNF rejected such packages when verifying their signatures because of the unsupported algorithms. With this update, the DNF multisig plugin ignores signatures classified as NOTTRUSTED in the rpmkeys command output. As a result, multisig can install packages that use both supported and unsupported signing algorithms.

Jira:RHEL-145372
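The decision rule described in the pqrpm and multisig notes above, written out as an added example that is not code from pqrpm, DNF, or the multisig plugin. The input lines are constructed in a simplified "description: STATUS" shape and are not the literal rpmkeys output; treating every status other than OK and NOTTRUSTED as invalid is an assumption of this example.

```python
from collections import Counter

# Constructed per-signature result lines. Assumption: simplified shape, not the
# literal output of /usr/lib/pqrpm/bin/rpmkeys.
SAMPLE_MIXED = """\
Header digest: OK
Header signature, key ID aaaaaaaaaaaaaaaa: OK
Header signature, key ID bbbbbbbbbbbbbbbb: NOTTRUSTED
"""

SAMPLE_ONLY_UNTRUSTED = """\
Header signature, key ID bbbbbbbbbbbbbbbb: NOTTRUSTED
Header signature, key ID cccccccccccccccc: NOTTRUSTED
"""


def signature_statuses(report):
    """Extract the status token of every signature line in the report text."""
    statuses = []
    for line in report.splitlines():
        description, sep, status = line.rpartition(":")
        # Digest lines and blank lines are not signature results; skip them.
        if sep and "signature" in description.lower():
            statuses.append(status.strip().upper())
    return statuses


def package_verdict(statuses):
    """Pass only with at least one valid signature and no invalid signature.

    NOTTRUSTED results are ignored, as the notes describe, but they never
    count as a valid signature on their own.
    """
    counts = Counter(statuses)
    # Fail closed: anything that is neither OK nor NOTTRUSTED counts as invalid.
    invalid = sorted(s for s in counts if s not in ("OK", "NOTTRUSTED"))
    if invalid:
        return False, "invalid signature result: " + ", ".join(invalid)
    if counts["OK"] == 0:
        if counts["NOTTRUSTED"]:
            return False, f"all {counts['NOTTRUSTED']} signature(s) are NOTTRUSTED"
        return False, "no signatures found"
    return True, f"{counts['OK']} valid, {counts['NOTTRUSTED']} NOTTRUSTED ignored"


if __name__ == "__main__":
    for name, report in (("mixed", SAMPLE_MIXED),
                         ("only untrusted", SAMPLE_ONLY_UNTRUSTED)):
        print(name, "->", package_verdict(signature_statuses(report)))
```

The second sample shows the case the rule must still reject: ignoring NOTTRUSTED signatures does not make a package with no trusted signature acceptable.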

7.4. Shells and command-line tools

volume_key successfully retrieves backup passphrases in FIPS mode

Before this update, the volume_key utility used functions that were incompatible with Federal Information Processing Standards (FIPS) when retrieving a backup passphrase from an escrow packet. Consequently, volume_key failed and reported an error on systems with FIPS mode enabled. This update ensures that the backup passphrase retrieval function is FIPS-compliant. As a result, you can successfully retrieve backup passphrases on FIPS-enabled systems.

Jira:RHEL-113757[1]

7.5. Networking

RHEL disables LRO on VLAN port devices by default

Before this update, RHEL did not automatically disable large receive offload (LRO) on the port device if you created a VLAN device on it. As a consequence, this could affect VLAN packet receiving because LRO merges small packets into larger ones and ignores the VLAN flag. With this update, RHEL enforces disabling LRO on the port device when you add a VLAN on it. As a result, VLAN packet receiving works correctly.

Jira:RHEL-80409[1]

The NetworkManager sriov.vfs property supports the reapply operation

Before this update, NetworkManager could not dynamically apply changes if a user changed the sriov.vfs property. As a consequence, NetworkManager connections with Single Root I/O Virtualization (SR-IOV) settings required a restart after modifications. With this release, sriov.vfs now supports the reapply operation if the total number of virtual functions (VFs) does not change. As a result, restarting a connection after modifying SR-IOV settings is no longer required in the mentioned scenario.

Jira:RHEL-113954[1]

NetworkManager clients can set a global-level DNS search domain without defining a DNS server

Before this update, if a client, such as the Nmstate API or the GNOME control center application, used the D-Bus API for changes on a global level, it was not possible to set DNS search domains without defining a DNS server. This update fixes the problem, and clients can define only a global-level DNS search domain.

Jira:RHEL-115973[1]

The xdp-trafficgen utility works correctly on ARM systems

Before this update, the xdp-trafficgen utility failed on ARM systems with a Missing required option '--interface' error even if you specified the -i <interface> option. As a consequence, it was not possible to probe eXpress Data Path (XDP) support on a specific interface. This update fixes the problem, and the -i <interface> option works correctly on ARM systems.

Jira:RHEL-119860

The conntrack utility can delete connection tracking entries managed by nftables flowtables

When you use nftables flowtables, connection tracking entries handled by a flowtable can be marked with an OFFLOAD status to accelerate packet processing. In previous releases, a kernel safeguard prevented the conntrack utility from deleting any entry after it was marked as offloaded. As a consequence, deleting stale entries was not possible. With this update, the kernel was modified to allow the deletion of connection tracking entries regardless of their offload status. As a result, you can use the conntrack utility to remove entries that are handled by an nftables flowtable.

Jira:RHEL-138511[1]

7.6. File systems and storage

GFS2 now handles large writes more efficiently

Before this update, multi-page write operations to GFS2 files sometimes degenerated into page-size (typically 4 KiB) chunks. This happened after an initial multi-page segment was written, particularly when using write(2) with a large buffer that was not resident in memory. This led to reduced write efficiency for large files.

With this release, GFS2 kernel code has been updated to fix the issue. As a result, some large write workloads may see a small improvement in write efficiency.

Jira:RHEL-7971[1]

Multipath persistent reservation handling is now more robust and consistent

Before this update, the libmpathpersist library, which is used by the mpathpersist command, had several issues and corner cases that affected persistent reservation handling for multipath devices. This caused the following problems:

  • Numerous mpathpersist operations failed on a multipath device.
  • Persistent reservations sometimes ended up in an inconsistent state. As a consequence, the multipath device denied write access when it was supposed to be allowed, and allowed write access when it was supposed to be prohibited.

With this release, multiple areas of libmpathpersist have been redesigned and fixed to ensure correct and consistent behavior. As a result, mpathpersist commands on multipath devices now work the same as the equivalent sg_persist commands on SCSI devices. I/O access to multipath devices also consistently reflects the device’s persistent reservation state.

Jira:RHEL-118515

The Anaconda installer can now use iSCSI LUNs with ID 256 or higher

Before this update, starting an operating system installation on a system that used iSCSI storage could cause the Anaconda installer to crash. This occurred when the iSCSI Logical Unit Number (LUN) ID was 256 or higher.

This update includes a fix to the LUN ID parsing logic in the blivet library. As a result, installations on systems that use iSCSI targets with LUN IDs of 256 or greater can now proceed.

Jira:RHEL-122858

The output of df and du now remains consistent after file deletion in GFS2 file system

Before this update, when a large number of files were deleted on a GFS2 file system, the space occupied by those files remained claimed. As a consequence, the df utility reported much higher disk usage than the du utility, which made the file system appear to have run out of space.

With this release, the logic that manages and updates free disk space counters has been corrected. As a result, disk usage information reported by df and du now remains accurate and consistent, even after mass file deletion operations.

Jira:RHEL-129403[1]

multipathd logs offline path warnings for uninitialized paths

Before this update, if multipathd started or reconfigured while a path was offline, the daemon did not print regular offline warnings for that path. This made it difficult to identify issues with uninitialized paths.

With this update, multipathd prints offline messages for uninitialized paths. As a result, you can monitor path status consistently.

Jira:RHEL-133814[1]

Fixed delayed uevent processing in multipathd

Before this update, when a large number of uevents occurred, multipathd delayed processing the events for up to 30 seconds. During this time, multipathd show status incorrectly reported that there was no outstanding work. As a consequence, multipathd did not always react promptly when path devices were added or removed. This could lead to temporary hangs or I/O errors if no active paths were available.

With this update, multipathd processes uevents without delay and reports its status correctly. As a result, multipath devices no longer hang or return I/O errors after a usable path is added.

Jira:RHEL-135904[1]

Fixed NVMe subsystem reset recovery on PowerPC

Before this update, issuing the nvme subsystem-reset command on the PowerPC platform caused the Non-volatile Memory Express (NVMe) device to enter the resetting state and it failed to recover. As a consequence, the device hung and required a system reboot to recover.

With this release, the NVMe device recovers correctly after a subsystem reset. It is temporarily inaccessible while transitioning from the resetting state to the live state.

Jira:RHEL-137435[1]

7.7. High availability and clusters

Resource and stonith agent descriptions retain original formatting

Before this update, pcs automatically wrapped resource and stonith agent descriptions to fit within the terminal window. Consequently, any formatting done by the agents' authors, such as new lines, paragraphs, lists, or tables, was removed, often making the descriptions difficult to read.

With this update, pcs no longer reformats the description text.

As a result, pcs displays resource and stonith agent descriptions exactly as the agents' authors intended, preserving the original structure and improving readability.

Jira:RHEL-113763

The db2 resource agent handles reintegration correctly

Before this update, the db2 resource agent could encounter a race condition when a node was reintegrating into the cluster. Consequently, the reintegrating node could incorrectly attempt to start as a "Primary" instance.

With this update, a "reintegration" attribute has been added to the agent. This allows the agent to correctly identify whether it is expected to join as a "Primary" or not, avoiding the race condition.

As a result, reintegration works correctly. Note that in order to prevent issues during the upgrade, you must disable all db2 resources before applying the update and re-enable them only after the update is complete on all nodes.

Jira:RHEL-118624[1]

7.8. Compilers and development tools

ANSI_X3.110-1983 codec moved to glibc-gconv-extra

Before this update, the ANSI_X3.110-1983 character set codec was accidentally shipped in the main glibc package. As a consequence, minimal installations and container images were slightly larger, and applications could be exposed to vulnerabilities in the ANSI_X3.110-1983 conversion code even when the glibc-gconv-extra package was not installed.

With this release, the ANSI_X3.110-1983 codec is moved from the main glibc package to the glibc-gconv-extra package. As a result, the amount of conversion code present in minimal installations is reduced, and customers who require ANSI_X3.110-1983 support can obtain it explicitly by installing the glibc-gconv-extra package.

Jira:RHEL-41205

Fixed missing gzip dependency for compressed locale character maps in glibc-locale-source

Before this update, the glibc-locale-source package provided character maps in gzip compressed format but did not declare a dependency on the gzip package. As a consequence, using localedef with a character map provided by glibc-locale-source could fail if gzip was not installed on the system because the compressed archive could not be uncompressed.

With this release, glibc-locale-source now depends on the gzip package to ensure that the required compression utility is installed with the character map data. As a result, using localedef with character maps provided by glibc-locale-source now works as expected even on systems where gzip was previously missing.

Jira:RHEL-111005[1]

glibc now returns complete group membership results when NSS group merges fail with ERANGE

Before this update, on systems where Name Service Switch (NSS) merged groups from more than two sources, if merging two groups failed because the internal buffer was too small, glibc skipped that merge result instead of retrying with a larger buffer.

As a consequence, on such systems, running commands like getent group sometimes returned incomplete or empty group lists.

With this update, glibc no longer skips merge failures that are caused by an insufficient internal buffer and instead retries the merge with a larger buffer as intended.

As a result, group membership lookups on systems with multiple group database sources now return complete and correct group membership data.

Jira:RHEL-112149

Boost.JSON integer parsing endian-aware on big-endian systems

Before this update, integer deserialization in Boost.JSON was not endian-aware on big-endian systems, and integer fields were interpreted with the wrong byte order. As a consequence, applications that used Boost.JSON to deserialize integer values on big-endian architectures obtained incorrect integer results and could behave unexpectedly.

With this release, the boost package updates Boost.JSON to handle integer deserialization in an endian-aware manner on big-endian systems. As a result, the library returns correct integer values on big-endian systems, ensuring predictable application behavior.

Jira:RHEL-116553[1]

glibc NSS database lookup stability improvement

Before this update, missing checks in the __nss_database_get function in the glibc package could cause null pointer dereferences and assertion failures during Name Service Switch (NSS) database lookups. As a consequence, applications relying on NSS could terminate unexpectedly, or the C library could crash under specific lookup conditions.

With this release, additional validation checks are added to the NSS database lookup path in glibc to handle invalid or unexpected internal states safely. As a result, NSS database lookups are more robust, and system stability is improved.

Jira:RHEL-150269

Duplicate DNS queries fixed when the search path is set to .

Before this update, when the Domain Name System (DNS) search path in the /etc/resolv.conf file contained a single . entry, the glibc DNS stub resolver queried both the original domain name and the same domain name with a trailing dot.

As a consequence, DNS queries for non-existent domains were duplicated, increasing the load on DNS servers.

After this update, the glibc DNS stub resolver no longer appends a trailing dot to domain names when the search path contains only a single . entry.

As a result, DNS queries are no longer duplicated in this configuration, reducing unnecessary DNS traffic and server load.

Jira:RHEL-153056

7.9. Identity Management

dsconf replication get-ruv no longer returns an error

Before this update, one of the replication functions did not call a required function. As a result, when you ran dsconf <instance_name> replication get-ruv --suffix dc=example,dc=com, an error was displayed. With this update, the command returns a Replica Update Vector (RUV) value as expected.

Jira:RHEL-112727[1]

Directory Server correctly displays the number of child entries under a specific node

Before this update, the numSubordinates and numTombstoneSubordinates attributes were wrongly computed during import. Consequently, when you compared the number of child entries under a specific node, the wrong values were displayed.

With this update, Directory Server computes numSubordinates and numTombstoneSubordinates correctly.

Jira:RHEL-117748[1]

Directory Server ignores memberOfDeferredUpdate setting on instances with LMDB

Before this update, the memberOfDeferredUpdate configuration attribute, which is only effective for a Berkeley DB (BDB) backend, was not ignored on instances with a Lightning Memory-Mapped Database Manager (LMDB) backend. As a consequence, if memberOfDeferredUpdate was enabled on an LMDB instance, the Directory Server could become unresponsive during MemberOf plugin processing of large or complex groups.

With this update, Directory Server ignores the memberOfDeferredUpdate setting on instances with LMDB. As a result, processing large or complex groups no longer causes the server to become unresponsive.

Jira:RHEL-117782[1]

Directory Server tools consistently accept unit suffixes when configuring the LMDB database maximum size

Before this update, dscreate and dsconf used different functions to parse and display the LMDB database maximum size (nsslapd-mdb-max-size). As a consequence, dscreate create-template displayed the value as a raw floating-point number in bytes, while dsconf backend config set --mdb-max-size accepted values in bytes only, making it difficult to configure consistent values across the two tools.

With this update, both tools use the same parsing functions and accept values with unit suffixes (k, m, g, t), automatically aligning the result to the nearest page boundary. As a result, administrators can use human-readable size values consistently across dscreate and dsconf when setting the LMDB database maximum size.

Jira:RHEL-121170[1]

New notes=N and notes=B search indicators to identify asynchronous operations in the Directory Server access log

Before this update, asynchronous requests that exceeded the maximum number of threads per connection caused server unresponsiveness without identification in the Directory Server access logs. As a consequence, it was difficult to diagnose server unresponsiveness.

With this release, Directory Server uses the new search indicators in the access logs to identify such requests:

  • notes=N indicates that the operation is not synchronous.
  • notes=B indicates that the operation blocks other new incoming operations: pending operations, not the read operations, are delayed.

In both cases, you might need to increase the nsslapd-maxthreadsperconn attribute value to allow a connection to use more threads.

Jira:RHEL-123231[1]
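One way to find the connections these indicators point at, as an added example that is not part of the product documentation or of Directory Server. The log lines are constructed, and the example assumes that the indicators appear in the notes= field of RESULT lines, comma-separated when several apply; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed access-log lines (assumed layout, see the lead-in).
SAMPLE_LOG = """\
[10/Mar/2026:09:14:07.120034511 +0000] conn=41 op=7 SRCH base="dc=example,dc=com" scope=2 filter="(uid=a*)" attrs=ALL
[10/Mar/2026:09:14:07.120445100 +0000] conn=41 op=7 RESULT err=0 tag=101 nentries=1 wtime=0.000101 optime=0.000310 etime=0.000411 notes=N
[10/Mar/2026:09:14:07.121000200 +0000] conn=41 op=8 RESULT err=0 tag=101 nentries=1 wtime=0.000120 optime=0.000290 etime=0.000410 notes=N
[10/Mar/2026:09:14:07.125000300 +0000] conn=41 op=9 RESULT err=0 tag=101 nentries=1 wtime=0.004100 optime=0.000300 etime=0.004400 notes=B
[10/Mar/2026:09:14:08.000100400 +0000] conn=42 op=1 RESULT err=0 tag=101 nentries=5 wtime=0.000090 optime=0.010000 etime=0.010090 notes=U details="Partially Unindexed Filter"
[10/Mar/2026:09:14:08.200100500 +0000] conn=43 op=3 RESULT err=0 tag=101 nentries=1 wtime=0.000095 optime=0.000200 etime=0.000295 notes=N
[10/Mar/2026:09:14:09.300100600 +0000] conn=44 op=2 RESULT err=0 tag=101 nentries=1 wtime=0.006000 optime=0.000250 etime=0.006250 notes=B
[10/Mar/2026:09:14:09.310100700 +0000] conn=44 op=3 RESULT err=0 tag=101 nentries=1 wtime=0.007000 optime=0.000250 etime=0.007250 notes=B
[10/Mar/2026:09:14:09.320100800 +0000] conn=44 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000100 optime=0.000250 etime=0.000350
"""

CONN_RE = re.compile(r"\bconn=(\d+)\b")
NOTES_RE = re.compile(r"\bnotes=([A-Za-z,]+)")


def async_pressure(log_text):
    """Count notes=N and notes=B results per connection ID."""
    per_conn = defaultdict(lambda: {"N": 0, "B": 0})
    for line in log_text.splitlines():
        if " RESULT " not in line:
            continue
        conn = CONN_RE.search(line)
        notes = NOTES_RE.search(line)
        if not conn or not notes:
            continue
        # Other indicators, such as U, can share the field and are ignored here.
        flags = set(notes.group(1).split(","))
        for flag in ("N", "B"):
            if flag in flags:
                per_conn[int(conn.group(1))][flag] += 1
    return dict(per_conn)


def connections_to_review(log_text, min_blocking=1):
    """Return (conn, n_count, b_count) for connections with blocking results.

    Sorted with the most notes=B results first, then the most notes=N results.
    """
    hits = [(conn, c["N"], c["B"])
            for conn, c in async_pressure(log_text).items()
            if c["B"] >= min_blocking]
    return sorted(hits, key=lambda h: (-h[2], -h[1], h[0]))


if __name__ == "__main__":
    for conn, n_count, b_count in connections_to_review(SAMPLE_LOG):
        print(f"conn={conn}: notes=B x{b_count}, notes=N x{n_count}")
```

Connections returned here are the ones for which raising nsslapd-maxthreadsperconn is worth evaluating.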

The MemberOf fixup task completion message correctly displays the membership attribute name

Before this update, when the MemberOf plugin completed a global fixup task, the plugin freed its configuration structure before logging the completion message. As a consequence, the completion log message displayed (null) instead of the membership attribute name.

With this update, the MemberOf plugin logs the fixup task completion message before freeing its configuration structure, ensuring the attribute name is available when the message is written. As a result, the completion log message displays the correct membership attribute name, making it easier for administrators to verify fixup operations and troubleshoot issues.

Jira:RHEL-123258[1]

The Directory Server web console no longer fails with an error when enabling replication on a consumer

Before this update, when enabling replication on a consumer, the dsconf utility printed a warning about changelogs to the stdout stream instead of stderr. As a consequence, the textual warning broke JSON parsing in the Directory Server web console, which expects pure JSON on stdout.

With this update, the dsconf utility writes the warning about changelogs on consumer replicas to stderr. As a result, the Directory Server web console successfully loads the Replication tab after enabling replication on a consumer or changing a role to consumer.

Jira:RHEL-123897[1]

LDAP searches with spaces in DN filter values no longer return incorrect results

Before this update, a regression in the handling of filters containing a distinguished name (DN) caused LDAP searches with spaces inside DN values in the filter, such as (member=uid=user, ou=people,dc=example,dc=com), to be evaluated incorrectly. As a consequence, applications received incomplete group membership and search results.

With this update, Directory Server normalizes and correctly compares DN values in the filter, accepting filters both with and without spaces in DN components. As a result, LDAP searches that include spaces in DN values return the same, complete results as in earlier RHDS versions, restoring expected application behavior.

Jira:RHEL-126552[1]
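The effect of normalizing DN values before comparison can be reproduced with a simplified model. The following is an added example, not Directory Server code: the group entries are constructed, values are assumed to use case-insensitive matching, and multi-valued RDNs and filter escapes are not handled.

```python
import re

def split_unescaped(text, sep):
    """Split text on sep, leaving backslash-escaped separators in place."""
    parts, current, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(text[i])
        i += 1
    parts.append("".join(current))
    return parts

def strip_value(value):
    """Remove insignificant spaces but keep an escaped trailing space."""
    value = value.lstrip(" ")
    while value.endswith(" ") and not value.endswith("\\ "):
        value = value[:-1]
    return value

def normalize_dn(dn):
    """Simplified normalization: no spaces around ',' and '=', lowercase
    attribute types and values (assumes caseIgnoreMatch)."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append(f"{attr.strip().lower()}={strip_value(value).lower()}")
    return ",".join(rdns)

FILTER_RE = re.compile(r"^\((?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<value>.+)\)$")

def match_dn_filter(filter_str, entry, normalize=True):
    """Evaluate a simple equality filter against a DN-syntax attribute."""
    m = FILTER_RE.match(filter_str)
    if not m:
        raise ValueError(f"unsupported filter: {filter_str!r}")
    wanted, values = m["value"], entry.get(m["attr"].lower(), [])
    if normalize:
        wanted = normalize_dn(wanted)
        values = [normalize_dn(v) for v in values]
    return wanted in values

# Constructed sample entries, keyed by group DN.
GROUPS = {
    "cn=admins,ou=groups,dc=example,dc=com":
        {"member": ["uid=user,ou=people,dc=example,dc=com"]},
    "cn=devs,ou=groups,dc=example,dc=com":
        {"member": ["uid=other,ou=people,dc=example,dc=com"]},
}

def search(filter_str, normalize=True):
    """Return the DNs of all groups whose entry matches the filter."""
    return sorted(dn for dn, entry in GROUPS.items()
                  if match_dn_filter(filter_str, entry, normalize))
```

With normalize=False the comparison is byte-for-byte, and the filter from the text above returns no groups.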

Online initialization of a Directory Server consumer no longer fails with an LDAP_BUSY error

Before this update, the replication agreement could send entries faster than the consumer was able to import during online initialization. In that situation, the consumer responded with an LDAP_BUSY error. As a consequence, the replication agreement did not handle this error and terminated the online initialization.

With this update, the replication agreement handles received LDAP_BUSY responses by retrying the operation after a delay. As a result, online initialization completes successfully even when the consumer temporarily cannot keep up with the rate of incoming entries.

Jira:RHEL-129559[1]

Resolved DNS record creation failure when reverse zone is missing

Before this update, the ipadnsrecord module in ansible-freeipa ignored the create_reverse parameter. As a consequence, when users attempted to add A or AAAA records, the module incorrectly always required an existing reverse DNS zone and the task failed with a "DNS zone not found" error.

With this release, the module logic verifies the status of the create_reverse flag before attempting to validate or locate a reverse zone and skips the check entirely if it is set to false. As a result, the ipadnsrecord module successfully adds A and AAAA records to IdM-managed zones without requiring an existing reverse zone when create_reverse is set to false.

Jira:RHEL-140607

Online initialization of large databases progresses as expected

Before this update, when initializing replication with very large databases, especially after major subtree moves, the initialization could appear stalled after sending the initial suffix entry, because it spent excessive time building and checking large internal ID lists. As a consequence, the server experienced long CPU spikes, initialization was delayed or incomplete, and replicas remained outdated for an extended period.

With this update, the internal ID list lookup logic used during online initialization was optimized, making it scalable even with very large datasets. As a result, replication online initialization progresses as expected on large databases.

Jira:RHEL-142980[1]

Directory Server deletes access logs as expected

Before this update, when access log compression was enabled, the log rotation logic failed to correctly recognize .gz-suffixed rotated access log filenames while rebuilding the internal rotation information, so compressed logs were not associated with their corresponding rotation entries. As a consequence, the nsslapd-accesslog-list did not contain the actual files on disk, and access logs accumulated until manual cleanup was required to prevent disks from filling.

With this update, the log rotation logic was updated to correctly parse and match rotated access log filenames regardless of whether they are compressed (with a .gz suffix) or uncompressed, ensuring compressed logs are included when rebuilding rotation information and validating previous log files. As a result, compressed rotated access logs are properly tracked and removed according to the configured rotation settings.

Jira:RHEL-147212[1]
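The difference between a suffix-aware and a suffix-blind filename matcher can be shown on a small directory listing. The following is an added example, not Directory Server code: the access.YYYYMMDD-HHMMSS naming scheme, the file names, and the keep limit are assumptions made for illustration.

```python
import re
from datetime import datetime

# Assumed naming scheme for rotated logs (constructed for this example):
# access.YYYYMMDD-HHMMSS, plus ".gz" when compression is enabled.
SUFFIX_AWARE = re.compile(r"^access\.(\d{8}-\d{6})(\.gz)?$")
SUFFIX_BLIND = re.compile(r"^access\.(\d{8}-\d{6})$")

def parse_rotated(name, pattern=SUFFIX_AWARE):
    """Return the rotation timestamp encoded in a file name, or None."""
    m = pattern.match(name)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), "%Y%m%d-%H%M%S")
    except ValueError:              # digits that do not form a real date
        return None

def rebuild_rotation_list(names, pattern=SUFFIX_AWARE):
    """Rotated logs that the matcher recognizes, oldest first."""
    stamped = [(parse_rotated(n, pattern), n) for n in names]
    return [n for ts, n in sorted(s for s in stamped if s[0] is not None)]

def to_delete(names, keep, pattern=SUFFIX_AWARE):
    """Oldest tracked logs beyond the 'keep' newest (hypothetical limit)."""
    tracked = rebuild_rotation_list(names, pattern)
    return tracked[:max(0, len(tracked) - keep)]

def untracked(names, pattern=SUFFIX_AWARE):
    """Files that look like rotated access logs but are not in the list."""
    tracked = set(rebuild_rotation_list(names, pattern))
    return sorted(n for n in names
                  if re.match(r"^access\.\d", n) and n not in tracked)

# Constructed directory listing: three compressed logs, one uncompressed.
ON_DISK = [
    "access",
    "access.rotationinfo",
    "access.20260101-000001.gz",
    "access.20260102-000001.gz",
    "access.20260103-000001.gz",
    "access.20260104-000001",
]
```

With the suffix-blind matcher, only the uncompressed file is tracked, nothing exceeds the limit, and the compressed files are never selected for deletion. Running untracked() against a real log directory listing is a quick way to spot files that rotation has lost sight of.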

Directory Server no longer fails under heavy operations involving the NDN cache

Before this update, a defect in the concread dependency used by the Named Data Networking (NDN) cache caused LinCowCell chain drops to incorrectly free shared links when multiple references existed to the same chain. As a consequence, under heavy operations involving the NDN cache, the server could hit a use-after-free condition and fail with a segmentation fault in atomic_compare_exchange(), leading to erratic downtime.

With this update, the 389-ds-base package uses concread version 0.5.10, which correctly stops freeing data when a shared cache link is detected. As a result, NDN cache operations are handled safely, preventing the segmentation fault.

Jira:RHEL-152338[1]

7.10. SSSD

User creation fails with invalid sAMAccountName input

Before this update, user creation with, for example, a User Principal Name (UPN) format that includes the @ character instead of a sAMAccountName attribute, caused adcli to create user objects with a sAMAccountName which contained invalid characters. As a consequence, Active Directory (AD) operations involving that user could break. With this release, adcli validates the input string for user creation against a list of illegal characters before attempting to create the entry. As a result, adcli terminates user creation if the input is not a valid sAMAccountName value. This prevents the creation of malformed user objects and ensures smoother AD operation.

Jira:RHEL-134945[1]

adcli correctly identifies machine account principals in multi-realm keytabs

Before this update, when connecting to a domain to update a password, adcli always used the Kerberos realm of the first entry in the keytab file. As a consequence, on systems where the keytab contained multiple realms, the renewal process failed with a "no suitable keys" error if the required realm was not listed first. With this release, adcli searches the keytab for a principal that matches the target domain. As a result, machine account password renewals now succeed regardless of the order of entries in the keytab.

Jira:RHEL-134948[1]

adcli testjoin correctly identifies the joined domain in multi-principal keytabs

Before this update, the adcli testjoin command unconditionally used the domain or realm from the first entry found in the keytab file to perform its diagnostic test. As a consequence, on systems where the keytab contained principals from multiple domains, adcli testjoin would often attempt to connect to an incorrect domain and fail with a "Realm not local to KDC" error.

With this release, adcli uses the realm from the keytab as the domain name when the domain is not explicitly specified. As a result, users can reliably verify domain connectivity without encountering false authentication failures.

Jira:RHEL-134950[1]

7.11. Red Hat Enterprise Linux System Roles

The nbde_client role correctly maintains idempotence after failed binding operations

Before this update, when the nbde_client system role failed to add a required binding to a LUKS-encrypted volume, the rollback mechanism did not always function correctly. This led to idempotence issues, where subsequent attempts to run the role would fail or produce unexpected results because the system was left in a partially modified state.

With this update, the role performs a backup of the LUKS header before initiating any binding operations. If an operation fails, the role uses this backup to restore the header to its original state. As a result, the role correctly maintains idempotence and ensures the system remains in a consistent state even if a binding fails to be added.

Jira:RHEL-84891

The network RHEL system role no longer fails to look up routing tables by name

The /usr/share/iproute2/rt_tables file contains certain built-in routing table names, such as main. Before this update, if an administrator used the network RHEL system role to modify the routing table and specified a routing table by its name in a playbook, the role failed with the following error:

cannot find route table main in /etc/iproute2/rt_tables or /etc/iproute2/rt_tables.d/

With this update, the network RHEL system role no longer fails to look up routing tables by name in /etc/iproute2/rt_tables and files in the /etc/iproute2/rt_tables.d/ directory.

Jira:RHEL-112805[1]

External configuration files correctly override all the sshd_config options

Before this update, external configuration files were not loaded first, which prevented overrides of all options in the sshd_config file. Consequently, users experienced incorrect OpenSSH daemon configuration. With this update, external configuration files take priority. As a result, users can override all options in the sshd_config file.

Jira:RHEL-123018[1]
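sshd uses the first value it obtains for each keyword, so the position of the Include directive decides whether a drop-in file can override the main file. The following added example models that rule; it is not the role's code, the file names and contents are constructed, and it covers only single-valued global keywords (no Match blocks).

```python
import fnmatch

def _settings(text):
    """Yield (keyword, value) pairs, skipping blank lines and comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")

def effective_config(main_text, dropins):
    """Resolve keywords with first-obtained-value-wins semantics.
    dropins maps a path to file text; Include globs expand in lexical order."""
    effective, origin = {}, {}

    def feed(text, source):
        for key, value in _settings(text):
            if key == "include":
                for pattern in value.split():
                    for path in sorted(p for p in dropins
                                       if fnmatch.fnmatch(p, pattern)):
                        feed(dropins[path], path)
            elif key not in effective:      # later occurrences are ignored
                effective[key] = value
                origin[key] = source

    feed(main_text, "sshd_config")
    return effective, origin

def shadowed_overrides(main_text, dropins):
    """Drop-in settings that do not take effect, as (keyword, path) pairs."""
    effective, origin = effective_config(main_text, dropins)
    lost = []
    for path, text in dropins.items():
        for key, value in _settings(text):
            if origin.get(key) != path and effective.get(key) != value:
                lost.append((key, path))
    return sorted(lost)

# Constructed sample files.
HARDENING = "/etc/ssh/sshd_config.d/50-hardening.conf"
DROPINS = {HARDENING: "PermitRootLogin no\nPasswordAuthentication no\n"}

INCLUDE_LAST = (
    "PermitRootLogin yes\n"
    "PasswordAuthentication yes\n"
    "X11Forwarding no\n"
    "Include /etc/ssh/sshd_config.d/*.conf\n"
)
INCLUDE_FIRST = (
    "Include /etc/ssh/sshd_config.d/*.conf\n"
    "PermitRootLogin yes\n"
    "PasswordAuthentication yes\n"
    "X11Forwarding no\n"
)
```

On a live system, sshd -T prints the effective configuration and is the authoritative check.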

The network RHEL system role no longer reports an incorrect state when removing profiles

Before this release, when you used the network RHEL system role with the persistent_state: absent setting to remove undefined profiles, the role attempted to delete the loopback interface profile. Because the system automatically recreates this profile immediately, Ansible incorrectly reported a changed state. This bug fix adds the loopback device to the role-internal black_list_names variable. As a result, the network RHEL system role ignores the loopback interface. This prevents unnecessary changes and the role reports an ok state.

Jira:RHEL-123028[1]

Storage role no longer fails when /etc/fstab is missing

Before this update, the storage role crashed on systems where /etc/fstab was absent. As a consequence, systems without a file system table configuration experienced failures.

With this update, the storage role checks whether /etc/fstab exists before attempting to parse it. As a result, systems without this file no longer experience a crash when using the storage role.

Jira:RHEL-123044[1]

The aide system role supports dynamic database configuration for multiple AIDE versions

Before this update, the aide system role used the deprecated database variable in its templates. On systems running Advanced Intrusion Detection Environment (AIDE) version 0.17 or later, including RHEL 10.2, RHEL 9.8, and CentOS Stream 9, this caused the AIDE service to fail during configuration parsing.

With this update, the role introduces the database_in and aide_version variables to dynamically detect the installed AIDE version and apply the appropriate configuration syntax automatically.

As a result, the aide system role provides consistent file integrity monitoring across different releases without requiring manual configuration changes.

Jira:RHEL-129416[1]

Improved error handling for empty disk lists in blivet

Before this update, the code failed to check if the disks list was empty before accessing disks[0] in the blivet module. As a consequence, an unhandled IndexError caused playbook failures, leading to poor performance.

With this update, the module checks whether the disk list is empty before accessing it. If no disks are available, a clear error message is displayed instead of triggering an exception.

Jira:RHEL-138058[1]

vpn role generates valid ipsec.conf file for unmanaged hosts

Before this update, when you tried to generate an ipsec.conf file for a VPN connection between managed and unmanaged hosts, a logic error in the Ansible Playbook caused the task to fail. With this update, the Ansible Playbook references the host and subnet information correctly.

As a result, the vpn system role generates a valid ipsec.conf file for this scenario.

Jira:RHEL-145220[1]

The selinux system role supports static imports even when some variables are undefined

Before this update, undefined variables, such as module paths, caused the selinux system role to fail during template expansion if the import_role directive was used. This occurred because Ansible attempts to resolve variables in task name fields immediately, even if those tasks are within a block with a when condition that evaluates to false.

With this update, task names use the default, or d, filter to provide a fallback value for potentially undefined variables. This ensures that static imports succeed without error, and dynamic usage with the include_role module still provides detailed task information when variables are present.

As a result, the selinux role functions correctly in playbooks that use the import_role directive even when no specific module path is defined.

Jira:RHEL-145248[1]

Fixed ZeroDivisionError when creating LVM volumes without a specified size

Before this update, creating an LVM volume without specifying a size could cause a ZeroDivisionError. This occurred because the blivet module treated a volume with no specified size as zero.

With this release, if you do not specify size, the volume uses all available space in the pool. As a result, LVM volumes are created successfully even when a size is omitted.

Jira:RHEL-147823[1]

The firewall RHEL system role installs NetworkManager on managed nodes in order for PCI interface ID lookups to work correctly

Previously, if you wanted to look up the interface name by specifying the PCI ID for the interface by using the interface_pci_id parameter, and NetworkManager was not installed, the firewall RHEL system role was unable to look up the interface by PCI ID and displayed a warning. As a consequence, the role failed to configure the firewalld service by using the specified interface_pci_id variable. With this update, the role ensures that NetworkManager is installed, and the firewall RHEL system role works as expected.

Jira:RHEL-150782[1]

Resolved task name expansion issues in Ansible roles

Before this update, if you used import_role with modules that had no path set, the role issued undefined variable errors. This occurred because Ansible attempted to expand templates in task names within a block regardless of the when conditions.

With this update, the d filter provides a default value for these variables. As a result, the role no longer errors with import_role and modules without a defined path, and continues to provide additional context in task names when used with include_role.

Jira:RHEL-150789[1]

Loop mount errors on RHEL 7 are resolved

Before this update, the blivet module called an undefined function during loop mounts on Red Hat Enterprise Linux 7 because the libblockdev-loop package was missing. As a consequence, the role failed with the "The function 'bd_loop_get_backing_file' called, but not implemented" error.

With this update, the libblockdev-loop package is installed, which prevents blivet errors during loop mounts on RHEL 7.

Jira:RHEL-151438[1]

7.12. Virtualization

VMs with large memory can now boot correctly on SEV-SNP host with AMD Genoa CPUs

Previously, virtual machines (VMs) could not boot on hosts that used a 4th Generation AMD EPYC processor (also known as Genoa) and had the AMD Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) feature enabled. Instead of booting, a kernel panic occurred in the VM. This issue has now been fixed.

Jira:RHEL-32892[1]

Post-copy migration no longer causes connection issues on IBM Z

Previously, after migrating a virtual machine (VM) between IBM Z hosts by using post-copy migration, the VM in some cases lost its network connection and required resetting its network interface to reconnect. With this update, the kernel handles post-copy initiation properly, and the problem no longer occurs.

Jira:RHEL-43214[1]

VM migration no longer fails when using vTPM on shared storage

Before this update, when a virtual Trusted Platform Module (vTPM) data directory was stored on a shared file system, such as NFS, the system failed to create the directory on the destination host during migration, even if it did not exist. This caused virtual machine (VM) migrations to fail. With this update, the system correctly identifies missing vTPM data directories on the destination host and creates them as needed. As a result, virtual machines with a vTPM on shared storage now migrate successfully.

Jira:RHEL-108915

VMs with large memory can now boot correctly on SEV-SNP host with AMD Genoa CPUs

Previously, virtual machines (VMs) could not boot on hosts that used a 4th Generation AMD EPYC processor (also known as Genoa) and had the AMD Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) feature enabled. Instead of booting, a kernel panic occurred in the VM. This issue has now been fixed.

Jira:RHEL-121983[1]

TDX attestation no longer requires rebooting the host

Previously, after you installed the linux-sgx packages on your host, Intel Trust Domain Extensions (TDX) attestation on your virtual machines (VMs) only worked after you rebooted the host. Now, the /dev/sgx_provision device has the correct ownership configured after installing linux-sgx, and you can proceed with TDX attestation without rebooting the host.

Jira:RHEL-129059[1]

Live VM memory dumps and VM snapshots now work correctly on IBM Z

Previously, attempting to create a memory dump of a running VM by using the virsh dump --live command on an IBM Z host sometimes caused the VM to become unresponsive. In rare cases, creating a snapshot of a running VM could also cause the VM to become unresponsive. With this update, this issue has been fixed, and VMs on IBM Z work as expected in the described scenarios.

Jira:RHELDOCS-21707[1]

7.13. Supportability

Scrubbing of non-alphanumeric passwords is available in the installer logs

Before this update, password detection was strict for obfuscating non-alphanumeric characters. With this release, password scrubbing now accepts non-alphanumeric characters. As a result, password detection no longer rejects non-alphanumeric characters, improving password input flexibility.

Jira:RHEL-121515

Improved IPv6 obfuscation for data privacy

Before this update, the netmask portion of IPv6 addresses remained visible during the data cleaning process. With this release, both the address and the netmask are properly obfuscated, preventing the accidental exposure of network topology.

Jira:RHEL-121517

The obfuscate_file function correctly scrubs file content

Before this update, the obfuscate_file function overwrote the file content with the filename, causing issues with the main archive population in the cleaner. Consequently, incorrectly overwritten file content in sos caused user data corruption. This update introduces the following notable enhancements:

  • The obfuscate_file function cleans the file content instead of the filename.
  • The cleaner’s main_archive is populated by the parsers first to ensure data integrity.
  • The obfuscate_file function does not require short_name. It uses an implicit value that the cleaner automatically processes.

Jira:RHEL-121531

Enhanced post processing obfuscation in OpenStack Nova

Before this update, the passwords were never scrubbed. With this update, the obfuscation is applied only to the /var/lib/openstack/config/nova directory, and it obfuscates the passwords in transport URLs, not the entire URL.

Jira:RHEL-121534

Improper scrubbing fixed in aap_containerized to secure passwords

Before this update, the unscrubbed passwords were collected from containerized AAP deployments because of the improper scrubbing in the aap_containerized plugin. As a consequence, a password leak occurred in these deployments.

With this release, secret obfuscation has been added to the plugin. As a result, sensitive data is properly obfuscated in the containerized AAP deployments, reducing the risk of password leaks.

Jira:RHEL-142618

The rhsm.service service is running after the sos report execution

Before this update, the sos report inadvertently started the rhsm.service service even when it was stopped. This caused the service to run in scenarios where there was no internet connection, generating error messages.

With this fix, the sos report no longer starts the rhsm.service service when it is disabled, improving system stability in offline environments.

Jira:RHEL-112563

7.14. Containers

Container restart policy is applied correctly at RHEL boot with the podman-restart.service

In Podman version 5.8, the container restart policy was not enforced during RHEL system reboot due to an issue in Podman v5.6 and earlier.

With this fix, the issue regarding container restart with --restart=unless-stopped and podman-restart.service has been addressed. As a result, containers with these settings can start at boot in RHEL 9.8 and later versions.

Jira:RHEL-157746[1]

Buildah and Podman no longer request multiple tokens per operation

Previously, the Buildah and Podman utilities repeatedly requested tokens during each operation. This sometimes caused a race condition in the hosted repository manager.

This update fixes the issue, which improves the performance and stability of the hosted repository manager.

Jira:RHEL-95964

7.15. RHEL Lightspeed

The lightspeed keyword is added to dnf search metadata for the CLA package

Before this update, the lightspeed keyword was missing from the command-line assistant (CLA) package summary. As a consequence, users could not easily find the package when performing a dnf search. With this update, the keyword is added to the package metadata. As a result, users can now find the package by searching for lightspeed, which makes the CLA easier to install.

Jira:RHEL-129825
