6.4 Technical Notes

Security Fixes

CVE-2012-4450

A flaw was found in the way 389 Directory Server enforced ACLs after performing an LDAP modify relative distinguished name (modrdn) operation. After modrdn was used to move part of a tree, the ACLs defined on the moved (Distinguished Name) were not properly enforced until the server was restarted. This could allow LDAP users to access information that should be restricted by the defined ACLs.

Bug Fixes

BZ#742054

Previously, 389 Directory Server did not support the Simple Authentication and Security Layer (SASL) PLAIN mechanism. This mechanism has been added to the list of supported SASL mechanisms.

BZ#742381

Due to certain changes under the cn=config suffix, when an attribute value was deleted and then added back in the same modify operation, error 53 was returned. Consequently, the configuration could not be reset. This update allows delete operations to succeed if the attribute is added back in the same modify operation and reset the configuration file as expected.

BZ#757836

Previously, the logconv.pl script used a connection number equal to 0 (conn=0) as a restart point, which caused the script to return incorrect restart statistics. The underlying source code has been modified and 389 Directory Server is now configured to use connection number equal to 1 (conn=1) as the restart point.

BZ#803873

The Windows Sync feature uses the name in a search filter to perform an internal search to find an entry. Parentheses, “(” and “)” are special characters in the LDAP protocol and therefore must be escaped. However, an attempt to synchronize an entry containing parentheses in the name from an Active Directory (AD) server failed with an error. With this update, 389 Directory Server properly escapes the parentheses and synchronization now proceeds correctly as expected.

BZ#818762

When having an entry in a directory server (DS) with the same user name, group name, or both as an entry in AD and simultaneously the entry in AD was out of scope of the Windows Sync feature, the DS entry was deleted. This update adds the new winSyncMoveAction DS attribute for the Windows Sync agreement entry, which allows the user to specify the behavior of out-of-scope AD entries. The value could be set to:

• none, which means that an out-of-scope AD entry does nothing to the corresponding DS entry;
• delete, which means that an out-of-scope AD entry deletes the corresponding DS entry;
• unsync, which means that an out-of-scope AD entry is unsynchronized with the corresponding DS entry and changes made to either entry are not synchronized.

By default, the value is set to none, which fixes this bug.

BZ#830334

Due to an incorrect interpretation of an error code, a directory server considered an invalid chaining configuration setting as the disk full error and shut down unexpectedly. This bug has been fixed by using the correct error code and a directory server now no longer terminates due to an invalid chaining of a configuration setting.

BZ#830335

Previously, restoring an ldif file from a replica, which had older changes that other servers did not see yet, could lead to these updates not being replicated to other replicas. With this update, 389 Directory Server checks the Change Sequence Numbers (CSNs) and allows the older updates to be replicated. As a result, all replicas remain synchronized.

BZ#830336

When a directory server was under a heavy read and write load, and an update request was processed, the following error message or other similar DB_LOCK_DEADLOCK error messages appeared in the error log:

entryrdn-index - _entryrdn_put_data: Adding the parent link (XXX) failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)

These errors are common under these circumstances and there is no need to report them in the error log. With this update, 389 Directory Server ensures that these errors are handled properly and no longer logs these messages in the error log.

BZ#830337

When a directory server was configured to use multi-master replication and the Entry USN plug-in, the delete operation was not replicated to the other masters. This update modifies the Entry USN plug-in to prevent it from changing the delete operation into a delete tombstone operation, and from removing the operation before it logs into the change log to replay to other servers. As a result, the delete operation is replicated to all servers as expected.

BZ#830338

Previously, 389 Directory Server did not refresh its Kerberos cache. Consequently, if a new Kerberos ticket was issued for a host that had already authenticated against a directory server, it would be rejected by this server until it was restarted. With this update, the Kerberos cache is flushed after an authentication failure and 389 Directory Server works as expected in the described scenario.

BZ#830343

Using the Managed Entry plug-in in conjunction with other plug-ins, such as Distributed Numeric Assignment (DNA), Member of, and Auto Member, led to problems with delete operations on entries that managed the Managed Entry plug-in. The manager entry was deleted, but the managed entry was not. The deadlock retry handling has been improved so that both entries are deleted during the same database operation.

BZ#830344

Previously, replication errors logged in the error log could contain incorrect information. With this update, the replication errors have been modified to be more useful in diagnosing and fixing problems.

BZ#830346

When audit logging in a directory server was enabled, LDAP ADD operations were ignored and were not logged. This update removes a regression in the audit log code that caused the ADD operation to be ignored, and LDAP ADD operations are now logged to the audit log as expected.

BZ#830348

389 Directory Server with a large number of replication agreements took a considerable amount of time to shut down due to a long sleep interval coded in the replication stop code. This sleep interval has been reduced to speed up the system termination.

BZ#830349

Previously, in a SASL map definition, using a compound search filter that included the “&” character failed because the “&” character was escaped. The underlying source code has been modified and searching with a filter that includes the “&” character works as expected.

BZ#830353

When 389 Directory Server used the Managed Entry plug-in or the DNA plug-in, the valgrind tool reported memory errors and leaks. With this update, a patch has been applied to prevent these problems, and memory is now used and deleted correctly.

BZ#832560

When replication was configured and a conflict occurred, under certain circumstances, an error check did not reveal this conflict, because a to-be-deleted attribute was already deleted by another master. Consequently, the conflict terminated the server. This update improves error checks to prevent replication conflicts from crashing the server.

BZ#833202

Previously, internal entries that were in the cache were freed when retrying failed transactions due to a deadlock. This behavior caused problems in a directory server and this server could terminate under a heavy update load. With this update, the cached internal entries are no longer freed and directory servers do not crash in the described scenario.

BZ#833218

Due to improper deadlock handling, the database reported an error instead of retrying the transaction. Consequently, under a heavy load, the directory server got deadlock errors when attempting to write to the database. The deadlock handling has been fixed and 389 Directory Server works as expected in such a case.

BZ#834047

Internal access control prohibited deleting newly added or modified passwords. This update allows the user to delete any password if they have the modify rights.

BZ#834054

Certain operations, other than LDAP Modify operations, can cause the 389 Directory Server to modify internal attributes. For example, a BIND operation can cause updates to password failure counters. In these cases, 389 Directory Server was updating attributes that could only be updated during an explicit LDAP Modify operation, such as the modifyTimestamp attribute. This update adds a new internal flag to skip the update of these attributes on other than Modify operations.

BZ#834056

Due to an invalid configuration setup in the Auto Memmber plug-in, the directory server became unresponsive under certain circumstances. With this update, the configuration file is validated, invalid configurations are not allowed, and the server no longer hangs.

BZ#834057

When using SNMP monitoring, 389 Directory Server terminated at startup due to multiple ldap servers listed in the ldap-agent.conf file. With this update, the buffer between ldap servers no longer resets and 389 Directory Server starts up regardless of the number of ldap servers listed in the configuration file.

BZ#834064

Previously, the dnaNextValue counter was incremented in the pre-operation stage. Consequently, if the operation failed, the counter was still incremented. This bug has been fixed and the dnaNextValue counter is not incremented if the operation fails.

BZ#834065

When a replication agreement was added without the LDAP BIND credentials, the replication process failed with a number of errors. With this update, 389 Directory Server validates the replication configuration and ensures that all needed credentials are supplied. As a result, 389 Directory Server rejects invalid replication configuration before attempting to replicate with invalid credentials.

BZ#834075

Previously, the logconv.pl script did not grab the correct search base, and as a consequence, the searching statistics were invalid. A new hash has been created to store connections and operation numbers from search operations. As a result, logconv.pl now grabs the correct search base and no longer produces incorrect statistics.

BZ#838706

When using the Referential Integrity plug-in, renaming a user DN did not rename the user's DN in the user's groups, unless that case matched exactly. With this update, case-insensitive comparisons or DN normalizations are performed, so that the member attributes are updated when the user is renamed.

BZ#840153

Previously, the Attribute Uniqueness plug-in did comparisons of un-normalized values. Consequently, using this plug-in and performing the LDAP RENAME operation on an entry containing one of the attributes which were tested for uniqueness by this plug-in caused the LDAP RENAME operation to fail with the following error:

Constraint Violation - Another entry with the same attribute value already exists.

With this update, Attribute Uniqueness ensures that comparisons are performed between values which were normalized the same way, and LDAP RENAME works as expected in this situation.

BZ#841600

When the Referential Integrity plug-in was used with a delay time greater than 0, and the LDAP RENAME operation was performed on a user entry with DN specified by one or more group entries under the scope of the Referential Integrity plug-in, the user entry DN in the group entries did not change. The underlying source code has been modified and LDAP RENAME operations work as expected in the described scenario.

BZ#842437

Previously, the DNA plug-in could leak memory in certain cases for certain MODIFY operations. This update applies a patch to fix this bug and the modifications are freed as expected with no memory leaks.

BZ#842438

To improve the performance, the entry cache size is supposed to be larger then the primary database size if possible. Previously, 389 Directory Server did not alert the user that the size of the entry cache was too small. Consequently, the user could not notice that the size of the entry cache was too small and that they should enlarge it. With this update, the configured entry cache size and the primary database size are examined, and if the entry cache is too small, a warning is logged in the error log.

BZ#842440

Previously, the Memberof plug-in code executed redundant DN normalizations and therefore slowed down the system. The underlying source code has been modified to eliminate redundant DN normalizations.

BZ#842441

Previously, the directory server could disallow changes that were made to the nsds5ReplicaStripAttrs attribute using the ldapmodify operation. Consequently, the attribute could only be set manually in the dse.ldif file when the server was shut down. With this update, the user is now able to set the nsds5ReplicaStripAttrs attribute using the ldapmodify operation.

BZ#850683

Previously, 389 Directory Server did not check attribute values for the nsds5ReplicaEnabled feature which caused this feature to be disabled. With this update, 389 Directory Server checks if the attribute value for nsds5ReplicaEnabled is valid and reports an error if it is not.

BZ#852088

When multi-master replication or database chaining was used with the TLS/SSL protocol, a server using client certificate-based authentication was unable to connect and connection errors appeared in the error log. With this update, the internal TLS/SSL and certificate setup is performed correctly and communication between servers works as expected.

BZ#852202

Previously, there was a race condition in the replication code. When two or more suppliers were attempting to update a heavily loaded consumer at the same time, the consumer could, under certain circumstances, switch to total update mode, erase the database, and abort replication with an error. The underlying source code has been modified to prevent the race condition. As a result, the connection is now protected against access from multiple threads and multiple suppliers.

BZ#852839

Due to the use of an uninitialized variable, a heavily loaded server processing multiple simultaneous delete operations could terminate unexpectedly under certain circumstances. This update provides a patch that initializes the variable properly and the directory server no longer crashes under these circumstances.

BZ#855438

Due to an incorrect attempt to send the cleanallruv task to the Windows WinSync replication agreements, the task became unresponsive. With this update, the WinSync replication agreements are ignored and the cleanallruv task no longer hangs in the described scenario.

BZ#856657

Previously, the dirsrv init script always returned 0, even when one or all the defined instances failed to start. This update applies a patch that improves the underlying source code and dirsrv no longer returns 0 if any of the defined instances failed.

BZ#858580

The schema reload task reloads schema files in the schema directory. Simultaneously, Directory server has several internal schemas which are not stored in the schema directory. These schemas were lost after the schema reload task was executed. Consequently, adding a posixAccount class failed. With this update, the internal schemas are stashed in a hash table and reloaded with external schemas. As result, adding a posixAccount is successful.

BZ#863576

When abandoning a Simple Paged Result request, 389 Directory Server tried to acquire a connection lock twice, and because the connection lock is not self reentrant, 389 Directory Server was waiting for the lock forever and stopped the server. This update provides a patch that eliminates the second lock and 389 Directory Server works as expected in the described scenario.

BZ#864594

Previously, Anonymous Resource Limits applied to the Directory Manager. However, the Directory Manager should never have any limits. With this update, Anonymous Resource Limits no longer apply to Directory Manager.

BZ#868841

Even if an entry in AD did not contain all the required attributes for the POSIX account entry, the entry was synchronized to the DS as a POSIX entry. Consequently, the synchronization failed due to a “missing attribute” error. With this update, if an entry does not have all the required attributes, the POSIX account related attributes are dropped and the entry is synchronized as an ordinary entry. As a result, the synchronization is successful.

BZ#868853

When enabling replication level logging, the Windows Sync feature prints out what version of Windows or AD it detects. Previously, if the feature detected Windows Server 2003 or later, it printed out the following message:

detected win2k3 peer

This message could be confusing for users who had a later version of Windows, such as Windows Server 2008. This update modifies the message and now the following message is printed out:

detected win2k3 or later peer

BZ#870158

When a directory server was under a heavy load, deleting entries using the Entry USN feature caused tombstone entry indexes to be processed incorrectly. Consequently, the server could become unresponsive. This update fixes 389 Directory Server to process tombstone indexes correctly, so that the server no longer hangs in this situation.

BZ#870162

Previously, the abandon request checked if the operation to abandon existed. When a search operation was already finished and an operation object had been released, a Simple Page Results request could fail due to this check. This update modifies 389 Directory Server to skip operation existence checking, so that Simple Paged Results requests are always successfully aborted.

BZ#875862

Previously, the DNA plug-in attempted to dereference a NULL pointer value for the dnaMagicRegen attribute. Consequently, if DNA was enabled with no dnamagicregen value specified in its configuration and an entry with an attribute that triggered the DNA value generation was added, the server could terminate unexpectedly. This update improves the 389 Directory Server to check for an empty dnamagicregen value before it attempts to dereference this value. As a result, 389 Directory Server no longer crashes if no dnamagicregen attribute is specified.

BZ#876694

Previously, the code to check if a new superior entry existed, returned the “No such object” error only when the operation was requested by the directory manager. Consequently, if an ordinary non-root user attempted to use the modrdn operation to move an entry to a non-existing parent, the server terminated unexpectedly. This update provides a patch that removes the operator condition so that the check returns the “No such object” error even if the requester is an ordinary user, and the modrdn operation performed to the non-existing parent successfully fails for any user.

BZ#876727

aIf a filter contained a range search, the search retrieved one ID per one idl_fetch attribute and merged it to the ID list using the idl_union() function. This process is slow, especially when the range search result size is large. With this update, 389 Directory Server switches to ALLID mode by using the nsslapd-rangelookthroughlimit switch instead of creating a complete ID list. As a result, the range search takes less time.

BZ#889083

Previously, if an entry was added or created without plug-in interference, the nsslapd-plugin-track-binddn feature filled the value of the internalModifiersname and internalCreatorsname attributes with the original bind DN instead of the name of the actual plug-in that modified or added the entry. This behavior is undesired; thus the nsslapd-plugin-track-binddn has been modified to always show the name of the actual plug-in that performed these operations.

BZ#891930

In previous versions of the 389-ds-base packages, an attempt to add a new entry to the DNA plug-in when the range of values was depleted caused the following error message to be returned:

ipa: ERROR: Operations error: Allocation of a new value for range cn=posix
ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed!
Unable to proceed.

This message was missing all additional information in recent versions of the 389-ds-base packages. With this update, a patch is applied to provide the returned error message with additional information.

BZ#896256

Previously, an upgrade of the 389-ds-base packages affected configuration files. Consequently, custom configuration files were reverted to by default. This update provides a patch to ensure that custom changes in configuration files are preserved during the upgrade process.

Enhancements

BZ#746642

This update allows the PAM Pass-through plug-in to pass through the authentication process to different PAM stacks, based on domain membership or some property of the user entry, or both. Users now can login to Red Hat Directory Server using the credentials and account data from the correct AD server.

BZ#768084

This enhancement improves the automember plug-in to check existing entries and writes out the changes which occur if these entries are added.

BZ#782975

Previously, certain BINDs could cause only entries with the modifiersname or modifystimestamp attribute to be updated. This behavior led to unnecessary replication traffic. This enhancement introduces the new replication feature to decrease replication traffic caused by BINDs.

BZ#830331

This enhancement adds the new Disk Monitoring plug-in. When disk partitions fill up, Disk Monitoring returns a warning.

BZ#830340

Previously, two tasks were needed to be performed to clean an entire replication environment, the clean task and the release task. With this update, these tasks are incorporated in the Cleanallruv feature.

BZ#830347

Previously, the Paged Results search was allowed to perform only one request per connection. If the user used one connection, multiple Paged Results requests were not supported. This update adds support for multiple Paged Results requests.

BZ#830355

With this enhancement, obsolete elements in the Database Replica Update Vector (RUV) can be removed with the CLEANRUV operation, which removes them on a single supplier or master.

BZ#833222

This enhancement improves the memberOf plug-in to work across multiple back ends or suffixes.

BZ#834046

With this update, the Directory Server schema has been updated with the nsTLS1 attribute to make TLS/SSL configuration easier.

BZ#834049

With this update, the Directory Server schema has been updated to include the DNA plug-in attributes.

BZ#834052

This enhancement improves the Access Control feature to control the Directory Manager account.

BZ#834053

This enhancement adds the ability to execute internal modification operations without changing the operational modifiersname attribute.

BZ#834058

With this update, the logconv.pl script has been enhanced with the getopts() function.

BZ#834060

Previously, the password lockout process was triggered not when maximum the number of tries was reached, but the time after. This behavior was not consistent with other vendors' LDAP servers. This enhancement adds the new option which allows users to specify the behavior of password lockout.

BZ#834061

Previously, DS did not include the SO_KEEPALIVE settings and connections could not be closed properly. This enhancement implements the SO_KEEPALIVE settings to the DS connections.

BZ#834063

With this update, the new passwordTrackUpdateTime attribute has been added. This attribute records a timestamp when the password was last changed.

BZ#834074

This enhancement adds the new nsds5ReplicaEnabled attribute to the replication agreement. If the replication agreement is disabled, it appears to be removed, but can be easily re-enabled and resumed.

BZ#847868

Previously, the Windows Sync plug-in did not support the RFC 2307 and 2307bis types of POSIX schema which supports Windows Active Directory (AD). Under these circumstances, users had to synchronize data between AD and DS manually which could return errors. This enhancement changes the POSIX attributes to prevent these consequences.

Note

Note, that for the initial release, when adding new user and group entries to the DS, the POSIX attributes are not synchronized with AD. Adding new user and group entries to AD synchronizes to DS, and modifying attributes synchronizes both ways.

BZ#852087

This enhancement improves the Directory Server schema to allow setting up an access control for the nsslapd-readonly attribute.

Security Fix

CVE-2013-4283

It was discovered that the 389 Directory Server did not properly handle the receipt of certain MOD operations with a bogus Distinguished Name (DN). A remote, unauthenticated attacker could use this flaw to cause the 389 Directory Server to crash.

Bug Fixes

BZ#799909

When the user attempted to remove a non-existing problem directory using the abrt-cli utility, abrt-cli emitted a confusing error message, such as in the following example:

# abrt-cli rm sdfsdf
'sdfsdf' does not exist
Can't connect to '/var/run/abrt/abrt.socket': Connection refused

With this update, abrt-cli has been modified to display only a message informing that such a problem directory does not exist.

BZ#808721, BZ#814594

When multiple kernel oopses occur in a short period of time, ABRT saves only the first oops because the later oopses are mostly only consequences of the first problem. However, ABRT sorted the processed oopses incorrectly so that the last oops that occurred was saved instead of the first oops. With this update, ABRT has been modified to process multiple kernel oopses in the correct order so that ABRT now saves the first oops as expected.

BZ#810309

Due to incorrect configuration, ABRT attempted to use the abrt-bodhi command, which is not available in Red Hat Enterprise Linux, while analyzing a backtrace. As a consequence, the user could see the following error message in the problem backtrace:

/bin/sh: line 6: abrt-bodhi: command not found

However, the error message had no influence on the problem reporting process. This update corrects the ABRT configuration so that the abrt-bodhi command is removed from the analyzer events and the error message no longer occurs.

BZ#811901

Previously, ABRT expected the dbus-send command to be always present on a system. However, ABRT does not depend on the related dbus package so there is no guarantee that the command is installed on the system. Therefore, when processing events that use the dbus-send command and the dbus package was not installed, ABRT emitted the following error message to the system log:

abrtd: /bin/sh: dbus-send: command not found

With this update, ABRT has been modified to verify the existence of dbus-send before attempting to call this command. The aforementioned error messages no longer occur in the system log.

BZ#813283

Previously, when running the report-gtk command with a non-existing problem directory, ABRT GUI attempted to process the problem directory. As a consequence, the terminal was flooded with GTK error messages. With this update, the ABRT GUI has been modified to no longer process non-existing problem directories. GUI now only prints a message informing that the processed directory does not exist and exits gracefully.

BZ#817051

The report tool always had to be executed from a problem directory even to perform actions which do not require the problem directory, such as adding an attachment to the existing bug report. When running from a directory that was not a problem directory, the report tool failed with the following error message:

'.' is not a problem directory

With this update, the report tool has been modified to not require a problem directory if the "-t" option is specified. The report tool can now be used to update existing bug reports without a need to run inside a problem directory.

BZ#815339, BZ#828673

Due to an error in the default libreport configuration, ABRT attempted to run the reporter-bugzilla command, which is not installed by default. This caused the following warning message to appear during problem reporting:

/bin/sh: line 4: reporter-bugzilla: command not found

However, the reporting process was not affected by this warning message. With this update, the default configuration of libreport has been corrected and reporter-bugzilla is no longer called by ABRT in the default configuration. The aforementioned warning message is no longer displayed during the reporting process.

BZ#820475

Previously, the abrt-ccpp init script did not emit any status message so that the service abrt-ccpp status command did not display any output. This update corrects the abrt-ccpp init script so that if the abrt-ccpp service is running the "abrt-ccpp hook is installed" message is displayed. If abrt-ccpp is stopped, the "abrt-ccpp hook is not installed" message appears.

BZ#826745

Certain ABRT libraries were previously built with wrong linker parameters and when running prelink on these libraries, the process returned error messages that the library contains "undefined non-weak symbols". With this update, the related makefiles have been corrected and the aforementioned errors no longer occur during prelink phase.

BZ#826924

ABRT ran the sosreport utility whenever a problem was detected. However, if the detected problem was caused by sosreport, ABRT could run sosreport in an infinite loop. Consequently, abrtd became unresponsive with extensive consumption of system resources. This update modifies ABRT to ignore consequent crashes in the same component that occur within a 20-second time period. The abrtd daemon no longer hangs if sosreport crashes.

BZ#847227

ABRT previously moved captured vmcore files from the default location in the /var/crash/ directory to the /var/spool/abrt/ directory. This affected the functioning of various tools that expected a vmcore file to be present in the /var/crash/ directory. This update modifies ABRT to use the CopyVMcore configuration option to specify whether to copy or move the core file. By default, ABRT no longer moves vmcore from the /var/crash/ directory but copies it.

BZ#847291

When disk space usage of the /var/spool/abrt/ directory reaches the specified disk space quota, ABRT finds and removes the largest problem directory. However, ABRT was previously unable to handle situations when the largest directory in /var/spool/abrt/ was not a problem directory. ABRT could not remove this directory and entered an infinite loop while searching for the largest directory to be removed. This update modifies ABRT to exclude unknown directories when determining which problem directory needs to be removed. The abrtd daemon no longer hangs in this scenario.

BZ#856960

When configured for centralized crash collection, ABRT previously printed logging credentials in plain text into the /var/log/messages log file on a dedicated system while uploading a crash report. This was a security risk, and so ABRT has been modified to no longer print the libreport-plugin-reportuploader plug-in credentials in log messages.

BZ#873815

When processing a large amount of problems, the inotify handling code could become out of sync, causing abrtd to be unable to read inotify events. Eventually, abrtd became unresponsive while trying to read an inotify event. If this happened and a Python application attempted to communicate with ABRT, abrtd and the Python application entered a deadlock situation. The daemon was busy trying to read an incoming inotify event and the Python script was waiting for a response from abrtd, which caused the application to become unresponsive as well. With this update, the ABRT exception handler sets timeout on a socket used for communication between abrtd and Python scripts, and also the inotify handling code has been modified. The abrtd daemon and Python applications no longer hang, however under heavy load, the inotify handling code can still become out of sync, which would cause abrtd to stop accepting new problems. If abrtd stops accepting new problems, it has to be restarted to work correctly again.

Enhancement

BZ#814832

The alsa-utils package has been enhanced to work better with the GNOME volume control applet and sound preferences user interface.

Bug Fix

BZ#752096

Previously, the amandad daemon, which is required for successful running of AMANDA, was located in the amanda-client package; however, this package was not required during installation of the amanda-server package. Consequently, AMANDA did not work properly. The amanda-client package has been added to the amanda-server dependencies and AMANDA works correctly now.

Bug fixes

BZ#803883

Due to a bug in the multipath output parsing code, when installing Red Hat Enterprise Linux 6 on an IBM Power system with JBOD (Joined Body Of Disks — more than one hard drive attached to the same SAS controller), Anaconda could detect these multiple hard drives as a multipath device. This in turn caused the partitioning of the hard drive to fail, causing the installation of the system to fail as well. This update fixes the parsing code and the system is installed correctly.

BZ#848741

The Anaconda installer did not wait for BIOS storage devices to initialize when booted with the ks:bd:<bios disk>:/ks.cfg command-line option. As a consequence, BIOS storage devices could not be found and the installation could fail. To fix this bug, a delay algorithm for BIOS devices has been added to the code path used when booting with ks:bd:<bios disk>:/ks.cfg. As a result, Anaconda tries to wait for BIOS devices to initialize.

BZ#828650

The file system migration from ext2 to ext3 did not work because Anaconda did not modify the /etc/fstab file with the new ext3 file system type. Consequently, after the installation, the file system was mounted as an ext2 file system. With this update, Anaconda properly sets the migrated file system type in /etc/fstab. Thus, the file system is mounted as expected after installation.

BZ#886150

When installing Red Hat Enterprise Linux 6.4 Beta using the kickstart file, which included the partition scheme, LVM incorrectly removed the dashes from Logical Volume and Volume Group names. This caused the names to be malformed. This update fixes the aforementioned function to correctly format Logical Volume and Volume Group names during the installation process.

BZ#819486

Using IPv6 to install Red Hat Enterprise Linux 6.3 (both Alpha and Beta) on a z/VM guest enabled the user to SSH to the system and proceed with the language selection screen. However, after this step, the installation stopped and the SSH session was closed. With this update, the IPv6 installation on a z/VM guest is successful on Red Hat Enterprise Linux 6.4.

BZ#824963

A kickstart installation on unsupported hardware resulted in a dialog box asking for confirmation before proceeding with the installation process. As a consequence, it was not possible to perform a kickstart installation on unsupported hardware without any user input. To fix this bug, a new unsupported_hardware kickstart command has been added, which skips the interactive dialog warning when installing a system on unsupported hardware without user input.

BZ#811197

When a /boot partition was on a RAID device, inconsistent messages were returned because it was not supported to have this partition on such a device. These varied messages were confusing. To fix this bug, the error messages have been corrected to make sense and to not duplicate each other.

BZ#834689

Kernel modules containing Microsoft paravirtualized drivers were missing in the installation environment. To fix this bug, kernel modules with Microsoft PV have been added to the installation environment. As a result, better support for Microsoft virtualization is provided.

BZ#837835

Modules with VMware PV drivers were not included in the installation environment. This update adds the modules with VMware PV drivers to provide better virtualization support.

BZ#809641

The udev device manager was not used to resolve kickstart raid --onpart disk references. As a consequence, the /dev/disk/by-id/ path could not be used properly. With this update, the udev_resolve_devspec() function is used to resolve the --onpart command option. As a result, the raid --onpart command can now use the /dev/disk/by-id/ paths as expected.

BZ#809640

The Anaconda installer did not use the udev device manager to resolve /dev/disk/by-id/ names. This meant the kickstart installation method did not work with /dev/disk/by-id/ names. To fix this bug, Anaconda is now using udev to resolve /dev/disk/by-id/ names. As a result, kickstart installations using /dev/disk/by-id/ names work as expected.

BZ#804557

When installing a system using the text mode on a machine which already had Red Hat Enterprise Linux installed on it, a traceback error occurred when the Back button was used to go back from any dialog after the time zone dialog. With this update, disks are rescanned when moving back through the upgrade dialog, thus preventing this bug.

BZ#840723

The Anaconda installer called the modprobe tool without the -b argument that enabled blacklists. Consequently, modules were not blacklisted. To fix this bug, the required argument has been added to modprobe call. As a result, modules are blacklisted as expected.

BZ#851249

The Anaconda installer appended the boot= parameter on the command line whenever the fips=1 parameter was used. With this update, Anaconda appends the boot= parameter only when the fips=1 parameter is used and /boot is on a separate partition.

BZ#828029

This update fixes a typographical error in Korean version of a warning message used to alert users of a root password that is too simple.

BZ#681224

The Anaconda installer did not verify package checksums against the checksum in the repository metadata. A package which did not match the repo metadata checksum could be installed by the Yum utility. As a consequence, an incorrect package could be installed with no errors returned. This update adds verification of the package checksum against the checksum in the repository metadata.

BZ#656315

IPv6 configuration options of the installer's text UI (user interface) were using descriptions suggesting misleading meaning. Consequently, the description could mislead the users with DHCPv6 configured to use Dynamic IPv6 configuration (DHCPv6) which used DHCPv6 exclusively without using SLAAC automatic configuration. To fix this bug, the first option (Automatic neighbor discovery) has been renamed to Automatic; it is the (SLAAC) automatic configuration with the option of using a DHCPv6 server based on RA server configuration. The second option (Dynamic IP configuration (DHCPv6)) was renamed to Automatic, DHCP only, which describes the actual configuration to be used more accurately. These descriptions are now the same as those used by Network Manager. As a result, it is now clearer that the third option (Automatic, DHCP only) is using the DHCPv6 server exclusively.

BZ#836321

The command-line interface of the fcoe-utils package in Red Hat Enterprise Linux 6.3 was changed but the installer did not adapt to this change correctly. As a consequence, FCoE initiators were not able to log in to remote storages, which could then not be used for installation. To fix this bug, the fipvlan command arguments have been fixed to use the new -f option correctly. As a result, the installer now logs in to a FCoE remote storage correctly, and can be used for installation purposes.

BZ#823690

Repositories without size data caused a divide-by-zero error. Consequently, the installation failed. With this update, repositories without size data do not cause a divide-by-zero error and the installation succeeds.

BZ#848818

Support for the --hibernation option was only added to the part command. Consequently, --hibernation did not work with the logvol command. To fix this bug, support for --hibernation has been added to the logvol command. As a result, --hibernation now works with the logvol command.

BZ#784001

The linksleep option used to be applied only for the ksdevice= boot parameter using the value link. Consequently, when the ksdevice boot parameter was supplied a value containing a device name or a MAC address, the linksleep boot parameter did not take effect. Without waiting for the link, as required by the linksleep boot parameter, the installer could fail. To fix this bug, the linksleep boot parameter has been added to code paths where the to-be-activated device is specified. As a result, the linksleep boot parameter is honored also for installation where the ksdevice boot parameter is supplied a value containing a device name or a MAC address.

BZ#747278

The Anaconda installer did not check lengths of Logical Volume Manager (LVM) Volume Group names or Logical Volume names. As a consequence, an error occurred when creating disk partitions. To fix this bug, the length of LVM Volume Group names has been truncated to 32 characters and Logical Volume names to 16 characters. As a result, the installation completes successfully.

BZ#746925

Previously, Anaconda failed to enable add-on repositories when upgrading the system. Consequently, packages from the add-on repositories were not upgraded. This update allows Anaconda to enable add-on repositories when the system is upgrading and packages from the add-on repositories are upgraded as expected.

Bug Fixes

BZ#862195

Prior to this update, the authconfig utility used old syntax for configuring the idmap mapping in the smb.conf file when started with the "--smbidmapuid" and "--smbidmapgid" command line options. Consequently, Samba 3.6 ignored the configuration. This update adapts authconfig to use the new syntax of the idmap range configuration so that Samba 3.6 can read it.

BZ#874527

Prior to this update, the authconfig utility could write an incomplete sssd.conf file when using the options "--enablesssd" or "--enablesssdauth". As a consequence, the sssd daemon did not start. With this update, authconfig no longer tries to create the sssd.conf file without complete information, and the sssd daemon can now start as expected.

Bug Fixes

BZ#585059

When the automount daemon managed a large number of mount points, unmounting all active mount points could take a longer period of time than expected. If the daemon failed to exit within 45 seconds, the autofs init script timed out and returned a false-positive shutdown failure. To resolve this problem, the init script restart behavior has been modified. If the init script repeatedly fails to stop the daemon, the script terminates the daemon by sending the SIGKILL signal, which allows autofs to be restarted correctly.

BZ#819703

The automount interface matching code was able to detect only IPv4 interfaces. As a consequence, mount points were mounted with an incorrect mount type when using IPv6. To fix this problem, the automount interface matching code has been modified to use the getifaddrs() function insted of ioctl(). The automount interface matching code now properly recognizes IPv6 interfaces and both, IPv4 and IPv6 mounts are now mounted as expected.

BZ#827024, BZ#846852, BZ#847873

Previously, automount could terminate unexpectedly with a segmentation fault when using the internal hosts map. This could happen due to a function name collision between autofs and the libtirpc library. Both utilities called a debug logging function of the same name but with a different call signature. This update applies a series of patches that fix this problem by redefining the internal debug logging function in autofs. Also, several other bugs related to the autofs RPC function have been fixed. The automount daemon no longer crashes when using the internal hosts map and the libtirpc library is installed on the system.

BZ#834641

Due to an incorrectly placed port test in the get_nfs_info() function, autofs attempted to contact the portmap service when mounting NFSv4 file systems. Consequently, if the portmap service was disabled on the server, automount failed to mount the NFSv4 file systems with the following error message:

mount(nfs): no hosts available

With this update, the port check has been moved to the correct location in the code so that automount no longer contacts the server's port mapper when mounting NFSv4 file systems. NFSv4 file systems are mounted as expected in this scenario.

BZ#836422

Previously, the autofs internal hosts map could not be refreshed until all entries in the map had been unmounted. Consequently, users could not access newly exported NFS shares and any attempt to access such shares failed with the "No such file or directory" error message. This update allows the server export list to be updated by sending a HUP signal to the automount daemon. This causes automount to request server exports so the hosts map and associated automounts can be updated. Newly exported NFS shares can now be accessed as expected.

BZ#845512

Previously, the usage message displayed by the autofs init script did not contain the "usage" command entry. This update corrects the init script so it now displays all commands that can be used with the autofs service as expected.

BZ#856296

When stopping the autofs service, autofs did not correctly handle situations where a null map entry appeared after a corresponding indirect map entry in the autofs master map. As a consequence, automount attempted to unmount a unmount a non-existing automount point and became unresponsive. This update modifies autofs to process null map entries correctly so it no longer attempts to unmount non-existing automount points. The autofs service now stops gracefully as expected.

BZ#860184

Previously, the autofs init script did not allow any commands to be run by unprivileged users. However, it is desirable to let a non-root user check the status of autofs for example for monitoring purposes. Therefore, this update modifies the autofs init script to allow unprivileged users to execute the service autofs status command.

BZ#865311

Previous versions of autofs contained several typographical errors and misleading information in the auto.master(5) man page, and autofs.sysconfig and autofs.conf configuration files. This update corrects these bugs including the description of the MOUNT_NFS_DEFAULT_PROTOCOL and MOUNT_WAIT options.

BZ#868973

When attempting to mount an NFSv4 share from an unreachable NFSv4 server, autofs did not close IPv6 UDP sockets. This could eventually lead to depletion of free file descriptors and an automount failure. This update modifies autofs to close IPv6 UDP sockets as expected, and automount no longer fails due to too many open files in the described scenario.

BZ#892846

When using autofs with LDAP, the code used to perform a base DN search allowed a race between two threads executing the same function simultaneously to occur. As a result of this race, autofs could attempt to access already freed memory and terminate unexpectedly with a segmentation fault. With this update, the code used to perform base DN searches has been moved to the function protected by a mutex, which prevents the race from occurring. The base DN searches are now performed only when refreshing settings of the map lookup modules.

Enhancements

BZ#846870

This update modifies autofs to allow configuring of separate timeout values for individual direct map entries in the autofs master map.

BZ#859947

With this update, the auto.master(5) man page has been updated to document the "-t, --timeout" option in the FORMAT options section.

BZ#866338

The auto.master(5) man page has been updated to clarify description of the "nobind" option when it is used with direct mount maps.

BZ#866396

The autofs.spec file has been modified to update build dependency of the autofs sss interface library. The library now requires the libsss_autofs package instead of sssd.

BZ#822733

This update improves debug logging of autofs. With debug logging set on, automount now reports whether it needs to read a mount map or not.

Bug Fix

BZ#921147

Previously, when two nearly simultaneous mount requests occurred, NFS mounts mounted by autofs sometimes failed. This caused a fatal error for the host being probed and autofs failed the mount attempt with a "mount(nfs): no hosts available" error message. This update provides a patch which uses numeric protocol IDs, instead of protoent structures, and NFS mount attempts by autofs no longer fail in the described scenario.

Bug Fix

BZ#1006163

Previously, when mounting new mounts, the automount daemon stopped responding. This occurred due to an execution order race during an expire thread creation. This update refactors the code handling the expire thread creation and the problem no longer occurs.

Security Fix

CVE-2012-3386

It was found that the distcheck rule in Automake-generated Makefiles made a directory world-writable when preparing source archives. If a malicious, local user could access this directory, they could execute arbitrary code with the privileges of the user running "make distcheck".

Bug Fix

BZ#599435

Previously, the Avahi library packages required the Avahi daemon packages as a dependency. Consequently, whenever installing some of the Avahi libraries, the Avahi daemon was installed as well, which could pose a security risk in certain environments. This update removes these dependencies so that the Avahi libraries are now installed without the Avahi daemon.

BZ#728693

Prior to this update, the logwatch tool did not check the "/var/log/bacula*" file. As a consequence, the logwatch report was incomplete. This update adds all log files to the logwatch configuration file. Now, the logwatch report is complete.

BZ#728697

Prior to this update, the bacula tool itself created the "/var/spool/bacula/log" file. As a consequence, this log file used an incorrect SELinux context. This update modifies the underlying code to create the /var/spool/bacula/log file in the bacula package. Now, this log file has the correct SELinux context.

BZ#729008

Prior to this update, the bacula packages were built without the CFLAGS variable "$RPM_OPT_FLAGS". As a consequence, the debug information was not generated. This update modifies the underlying code to build the packages with CFLAGS="$RPM_OPT_FLAGS. Now, the debug information is generated as expected.

BZ#756803

Prior to this update, the perl script which generates the my.conf file contained a misprint. As a consequence, the port variable was not set correctly. This update corrects the misprint. Now, the port variable is set as expected.

BZ#802158

Prior to this update, values for the "show pool" command was obtained from the "res->res_client" item. As a consequence, the output displayed incorrect job and file retention values. This update uses the "res->res_pool" item to obtain the correct values.

BZ#862240

Prior to this update, bacula-storage-common utility wrongly removed alternatives for the bcopy function during the update. As a consequence, the Link to bcop.{mysql,sqlite,postgresql} disappeared after updating. This update modifies the underlying code to remove these links directly in storage-{mysql,sqlite,postgresql} and not in bacula-storage-common.

Bug Fixes

BZ#695656

Prior to this update, the trap handler could, under certain circumstances, lose signals during another trap initialization. This update blocks the signal while the trap string and handler are being modified. Now, the signals are no longer lost.

BZ#799958

Prior to this update, the manual page for trap in Bash did not mention that signals ignored upon entry cannot be listed later. This is now fixed and the manual page entry text is amended to "Signals ignored upon entry to the shell cannot be trapped, reset or listed".

BZ#800473

Prior to this update, the Bash shell called the trap handler within a signal handler when a SIGCHLD signal was received in job control mode and a handler for the signal was installed. This was a security risk and could cause Bash to enter a deadlock or to terminate unexpectedly with a segmentation fault due to memory corruption. With this update, the trap handler is now called outside of the signal handler, and Bash no longer enters a deadlock.

Enhancement

BZ#677439

This update enables the system-wide "/etc/bash.bash_logout" file. This allows administrators to write system-wide logout actions for all users.

Bug Fix

BZ#982610

When a trap handler was invoked while running another trap handler, which was invoked during a pipeline call, bash was unresponsive. With this update, pipeline calls are saved and subsequently restored in this scenario, and bash responds normally.

Bug Fixes

BZ#767496

When persistent search was in use, the plug-in sometimes terminated unexpectedly due to an assertion failure when the "rndc reload" command was issued and the LDAP server was not reachable. With this update, the code has been improved so that connection failures and reconnects are now handled more robustly. As a result, the plug-in no longer crashes in the scenario described.

BZ#829388

Previously, some relative domain names were not expanded correctly to FQDNs. Consequently, zone transfers sometimes contained relative domain names although they should only contain FQDNs (for example, they contained "name." record instead of "name.example.com."). The plug-in has been patched, and as a result, zone transfers now contain the correct domain names.

BZ#840381

Due to a bug in bind-dyndb-ldap, the named process sometimes terminated unexpectedly when a connection to LDAP timed out. Consequently, when a connection to LDAP timed out (or failed), the named process was sometimes aborted and DNS service was unavailable. The plug-in has been fixed and as a result, the plug-in now handles situations when a connection to LDAP fails gracefully.

BZ#856269

Due to a race condition, the plug-in sometimes caused the named process to terminate unexpectedly when it received a request to reload. Consequently, the DNS service was sometimes unavailable. A patch has been applied and as a result, the race condition during reload no longer occurs.

Enhancements

BZ#733711

LDAP in Red Hat Enterprise Linux 6.4 includes support for persistent search for both zones and their resource records. Persistent search allows the bind-dyndb-ldap plug-in to be immediately informed about all changes in an LDAP database. It also decreases network bandwidth usage required by repeated polling.

BZ#829340

Previously, it was only possible to configure IPv4 forwarders in LDAP. With this update, a patch has been added to the plug-in, and as a result, the plug-in is now able to parse and use IPv6 forwarders. BIND9 syntax for "forwarders" is required.

BZ#829385

Previously, it was impossible to share one LDAP database between multiple master servers; only one master server could be used. A new bind-dyndb-ldap option "fake_mname" which allows for overriding the master server name in the SOA record has been added. With this option it is now possible to override the master server name in the SOA record so that multiple servers can act as master server for one LDAP database.

BZ#840383

When multiple named processes shared one LDAP database and dynamically updated DNS records (via DDNS), they did not update the SOA serial numbers so it was impossible to serve such zones on secondary servers correctly (that is to say, they were not updated on slave servers). With this update, the plug-in can now update SOA serial numbers automatically, if configured to do so. Refer to the new "serial_autoincrement" option in the /usr/share/doc/bind-dyndb-ldap/README file for more details.

BZ#869323

This update provides support for the per-zone disabling of forwarding. Some setups require the disabling of forwarding per-zone. For example, company servers are configured as authoritative for a non-public zone and have global forwarding turned on. When the non-public zone contains delegation for a non-public subdomain, the zone must have explicitly disabled forwarding otherwise the glue records will not be returned. As a result, a server can now return delegation glue records for private zones when global forwarding is turned on. Refer to /usr/share/doc/bind-dyndb-ldap/README for detailed information.

Bug Fix

BZ#928429

The bind-dyndb-ldap plug-in processed settings too early, which led to the daemon terminating unexpectedly with a segmentation fault during startup or reload. The bind-dyndb-ldap plug-in has been fixed to process its options later, and so, no longer crashes during startup or reload.

Security Fix

CVE-2012-5689

A flaw was found in the DNS64 implementation in BIND when using Response Policy Zones (RPZ). If a remote attacker sent a specially-crafted query to a named server that is using RPZ rewrite rules, named could exit unexpectedly with an assertion failure. Note that DNS64 support is not enabled by default.

Enhancement

BZ#906312

Previously, it was impossible to configure the maximum number of responses sent per second to one client. This allowed remote attackers to conduct traffic amplification attacks using DNS queries with spoofed source IP addresses. With this update, it is possible to use the new "rate-limit" configuration option in named.conf and configure the maximum number of queries which the server responds to. Refer to the BIND documentation for more details about the "rate-limit" option.

Bug Fixes

BZ#827282

Previously, initscript sometimes reported a spurious error message "initscript: silence spurious "named.pid: No such file or directory" due to a race condition when the DNS server (named) was stopped. This spurious error message has been suppressed and is no longer reported in this scenario.

BZ#837165

Due to a race condition in the rbtdb.c source file, the named daemon could terminate unexpectedly with the INSIST error code. This bug has been fixed in the code and the named daemon no longer crashes in the described scenario.

BZ#853806

Previously, BIND rejected "forward" and "forwarders" statements in static-stub zones. Consequently, it was impossible to forward certain queries to specified servers. With this update, BIND accepts those options for static-stub zones properly, thus fixing this bug.

Security Fix

CVE-2013-2266

A denial of service flaw was found in the libdns library. A remote attacker could use this flaw to send a specially-crafted DNS query to named that, when processed, would cause named to use an excessive amount of memory, or possibly crash.

Bug Fix

BZ#928439

Previously, rebuilding the bind-dyndb-ldap source RPM failed with a "/usr/include/dns/view.h:76:21: error: dns/rrl.h: No such file or directory" error.

Bug Fix

BZ#996955

Due to a missing gss_release_name() call, the BIND DNS server leaked memory when the "tkey-gssapi-credential" option was used in the BIND configuration. This update properly frees all memory in case the "tkey-gssapi-credential" is used, and BIND no longer leaks memory when GSSAPI credentials are used internally by the server for authentication.

Security Fix

CVE-2013-4854

A denial of service flaw was found in BIND. A remote attacker could use this flaw to send a specially-crafted DNS query to named that, when processed, would cause named to crash when rejecting the malformed query.

Bug Fixes

BZ#773526

In order to display a non-printing character, the readelf utility adds the "0x40" string to the character. However, readelf previously did not add that string when processing multibyte characters, so that multibyte characters in the ELF headers were displayed incorrectly. With this update, the underlying code has been corrected and readelf now displays multibyte and non-ASCII characters correctly.

BZ#825736

Under certain circumstances, the linker could fail to produce the GNU_RELRO segment when building an executable requiring GNU_RELRO. As a consequence, such an executable failed upon start-up. This problem affected also the libudev library so that the udev utility did not work. With this update, the linker has been modified so that the GNU_RELRO segment is now correctly created when it is needed, and utilities such as udev now work correctly.

Bug Fixes

BZ#751373

The biosdevname utility ignored the SMBIOS version check for PCI network adapters. Consequently, PCI network adapter interfaces were renamed according to PCI slot and port numbers on systems with unsupported SMBIOS versions. With this update, the new biosdevname utility ensures that if the SMBIOS version is not supported, PCI network adapter interfaces are not renamed. As a result, PCI network adapters are named with the kernel default name in the scenario described.

BZ#804754

When using Single Root I/O Virtualization (SR-IOV) with embedded network interface devices, the biosdevname utility did not check the System Management BIOS (SMBIOS) type of the physical function for corresponding virtual functions. Consequently, biosdevname did not find SMBIOS type 41 structure for the device virtual functions and did not suggest interface names for these onboard network interfaces. With this update, biosdevname now looks up the SMBIOS type 41 structure for the device virtual functions in the corresponding physical function table. As a result, onboard network devices with virtual network interfaces are now renamed according to the biosdevname naming scheme.

BZ#815724

The biosdevname utility did not handle PCI cards with multiple ports. Consequently, only the network interface of the first port of these cards was renamed according to the biosdevname naming scheme. An upstream patch has been applied and biosdevname now handles PCI cards with multiple ports. As a result, all ports of multiple port PCI cards are now renamed according to the biosdevname naming scheme.

Enhancements

BZ#676355

The man page was missing the multicast option descriptions. This update adds that information to the man page.

BZ#690529

This enhancement adds the missing feature described in the BRCTL(8) man page, that allows the user to get the bridge information for a simple bridge using the "brctl show $BRIDGE" command.

BZ#684526

Previously, building the brltty package could fail on the ocaml's unpackaged files error. This happened only if the ocaml package was pre-installed in the build root. The "--disable-caml-bindings" option has been added in the %configure macro so that the package now builds correctly.

BZ#809326

Previously, the /usr/lib/libbrlapi.so symbolic link installed by the brlapi-devel package incorrectly pointed to ../../lib/libbrlapi.so. The link has been fixed to correctly point to ../../lib/libbrlapi.so.0.5.

Security Fix

CVE-2010-4530

An integer overflow, leading to an array index error, was found in the way the CCID driver processed a smart card's serial number. A local attacker could use this flaw to execute arbitrary code with the privileges of the user running the PC/SC Lite pcscd daemon (root, by default), by inserting a specially-crafted smart card.

Bug Fix

BZ#808115

Previously, CCID only recognized smart cards with 5V power supply. With this update, CCID also supports smart cards with different power supply.

Bug Fix

BZ#797990

Prior to this update, overlapping memory was handled incorrectly. As a consequence, newly created paths could be garbled when calling "genisoimage" with the "-graft-points" option to graft the paths at points other than the root directory. This update modifies the underlying code to generate graft paths as expected.

Bug Fixes

BZ#810016

When certmonger was set up to not attempt to obtain a new certificate and the certificate's valid remaining time crossed a configured time to live (TTL) threshold, certmonger warned of a certificate's impending not-valid-after date. Certmonger then immediately logged the warning again, and continued to do so indefinitely, causing the /var/log/messages file to fill up with warnings. This bug has been fixed and certmonger returns a warning again only when another configured TTL threshold is crossed or the service is restarted.

BZ#893611

When certmonger attempts to save a certificate to an NSS database, it necessarily opens that database for writing. Previously, if any other process, including any other certmonger tasks that could require access to that database, had the database open for writing, that database could become corrupted. This update backports changes from later versions of certmonger which change its behavior. Now, actions that could result in database modifications are only performed one at a time.

Bug Fixes

BZ#856729

When the mount.cifs utility ran out of addresses to try, it returned the "System error" error code (EX_SYSERR) to the caller service. The utility has been modified and it now correctly returns the "Mount failure" error code (EX_FAIL).

BZ#826825

Typically, "/" characters are not allowed in user names for Microsoft Windows systems, but they are common in certain types of kerberos principal names. However, mount.cifs previously allowed the use of "/" in user names, which caused attempts to mount CIFS file systems to fail. With this package, "/" characters are now allowed in user names if the "sec=krb5" or "sec=krb5i" mount options are specified, thus CIFS file systems can now be mounted as expected.

BZ#838606

Previously, the cifs-utils packages were compiled without the RELRO (read-only relocations) and PIE (Position Independent Executables) flags. Programs provided by this package could be vulnerable to various attacks based on overwriting the ELF section of a program. The "-pie" and "-fpie" options enable the building of position-independent executables, and the "-Wl","-z","relro" turns on read-only relocation support in gcc. These options are important for security purposes to guard against possible buffer overflows that lead to exploits. The cifs-utils binaries are now built with PIE and full RELRO support. The cifs-utils binary is now more secured against "return-to-text" and memory corruption attacks and also against attacks based on the program's ELF section overwriting.

Enhancements

BZ#843596

With this update, the "strictcache", "actimeo", "cache=" and "rwpidforward" mount options are now documented in the mount.cifs(8) manual page.

BZ#843612

The "getcifsacl", "setcifsacl" and "cifs.idmap" programs have been added to the package. These utilities allow users to manipulate ACLs on CIFS shares and allow the mapping of Windows security IDs to POSIX user and group IDs.

BZ#843617

With this update, the cifs.idmap helper, which allows SID to UID and SID to GID mapping, has been added to the package. Also, the manual page cifs.upcall(8) has been updated and cifs.idmap(8) has been added.

Bug Fixes

BZ#865588

Prior to this update, the dynamic library that represents the CIM provider of a cluster status was not built with all the required dependencies and therefore certain symbols could not be resolved. As a consequence, the cluster status could not be accessed via CIM. This update adds the missing dependencies to the dynamic library. Now, the cluster status is accessible as expected.

BZ#885830

Prior to this update, the size of XML-formatted cluster configuration (as in cluster.conf file) greater than 200 kB might have crashed modcluster, a program assisting the ricci daemon in handling the cluster configuration file (cluster.conf), or modclusterd, a daemon providing cluster status. This update drops this restriction and both executables no longer abort with larger configurations.

Bug Fixes

BZ#785866

With this update, a minor typographical error has been fixed in the /usr/share/cluster/cluster.rng.in.head RELAX NG schema.

BZ#803477

Previously, the fsck.gfs2 program printed irrelevant error messages when reclaiming free metadata blocks. These messages could have been incorrectly understood as file system errors. With this update, these messages are no longer displayed.

BZ#814807

The master_wins implementation of the qdiskd daemon was not sufficiently fast to hand over the master status during the ordered shutdown. Consequently, a temporary loss of quorum in the cluster could have occurred. With this update, master_wins has been modified to operate more quickly.

BZ#838047

Previously, the master_wins implementation of the qdiskd daemon did not check strictly for errors in the /etc/cluster/cluster.conf file. Consequently, with several incorrect options in cluster.conf, two quorate partitions could have been created at the same time. With this update, master_wins has been modified to perform strict error checking to avoid the creation of multiple quorate partitions.

BZ#838945

Prior to this update, an overly long cluster name in the /etc/cluster/cluster.conf file could cause a buffer overflow when running the fsck.gfs2 utility on a GFS2 file system with a corrupt super block. With this update, the cluster name is truncated appropriately when the super block is being rebuilt. Now, the buffer overflow condition no longer occurs in the described case.

BZ#839241

Under certain circumstances, the cman cluster manager did not propagate two internal values across configuration reloads. Consequently, runtime inconsistencies could occur. This bug has been fixed, and the aforementioned error no longer occurs. Also, a corner case memory leak has been fixed.

BZ#845341

Prior to this update, the fenced daemon created the /var/log/cluster/fenced.log file with world readable permissions. With this update, fenced has been modified to set more strict security permissions for its log file. Also, permissions of an existing log file are automatically corrected if necessary.

BZ#847234

Previously, an insufficient buffer length limitation did not allow long configuration lines in the /etc/cluster/cluster.conf configuration file. Consequently, a long entry in the file caused the corosync utility to terminate unexpectedly with a segmentation fault. With this update, the length limit has been extended. As a result, the segmentation fault no longer occurs in this situation.

BZ#853180

When a GFS2 file system was mounted with the lock_nolock option enabled, the cman cluster manager incorrectly checked the currently used resources. Consequently, cman failed to start. This bug has been fixed, and cman now starts successfully in the described case.

BZ#854032

In certain corner cases, triggered especially when shutting down all cluster nodes at the same time, the cluster daemons failed to quit within the cman shutdown limit (10 seconds). Consequently, the cman cluster manager declared a shutdown error. With this update, the default shutdown timeout has been increased to 30 seconds to prevent the shutdown error.

BZ#857952

Under rare circumstances, the fenced daemon polled an incorrect file descriptor from the cman cluster manager. Consequently, fenced entered a loop and the cluster became unresponsive. This bug has been fixed, and the aforementioned error no longer occurs.

BZ#861340

The fenced daemon is usually started before the messagebus (D-BUS) service, which has no harmful operational effects. Previously, this behavior was recorded as an error message in the /var/log/cluster/fenced.log file. To avoid confusion, this error message is now entered into /var/log/cluster/fenced.log only when the log level is set to debugging.

BZ#862847

Previously, the mkfs.gfs2 -t command accepted non-standard characters, like slash (/), in the lock table name. Consequently, only the first cluster node was able to mount a GFS2 file system successfully. The next node attempting to mount a GFS2 file system became unresponsive. With this update, a more strict validation of lock table names has been introduced. As a result, cluster nodes no longer hang when special characters are used in lock table.

BZ#887787

Previously, when the client using the cman API called the cman_stop_notification() function after cman was already closed, the client terminated with the SIGPIPE signal. With this update, the underlying source code has been modified to address this issue, and the MSG_NOSIGNAL message is now displayed to warn the user in the described scenario.

BZ#888053

Prior to this update, the gfs2_convert tool was unable to handle certain corner cases when converting between GFS1 and GFS2 file systems. Consequently, the converted GFS2 file system contained errors. With this update, gfs2_convert has been fixed to detect these corner cases and adjust the converted file system accordingly

Enhancements

BZ#661764

The cman cluster manager is now supported with the bonding mode options 0, 1, and 2. Prior to this update, only bonding mode 1 was supported.

BZ#738704

This update adds support for clusters utilizing the Red Hat Enterprise Virtualization Manager native shared storage between nodes.

BZ#786118

The hostname aliases from the /etc/hosts file are now accepted as cluster node names across cluster applications.

BZ#797952

A new tool, fence_check, has been added to provide a method to test the fence configuration in a non disruptive way. The tool has been designed to run via the crontab utility for regular monitoring of fence devices.

BZ#821016

This update enables passing additional command line options to the dlm_controld daemon using the /etc/sysconfig/cman file.

BZ#842370

The Distributed Lock Manager (DLM) now allows tuning of DLM hash table sizes from the /etc/sysconfig/cman file. The following parameters can be set in the /etc/sysconfig/cman file:

DLM_LKBTBL_SIZE=<size_of_table>
DLM_RSBTBL_SIZE=<size_of_table>
DLM_DIRTBL_SIZE=<size_of_table>

which, in turn, modifies the values in the following files respectively:

/sys/kernel/config/dlm/cluster/lkbtbl_size
/sys/kernel/config/dlm/cluster/rsbtbl_size
/sys/kernel/config/dlm/cluster/dirtbl_size

BZ#857299

Previously, it was not possible to modify the default TCP port (21064) of the Distributed Lock Manager (DLM). With this update, the DLM_TCP_PORT configuration parameter has been added into the /etc/sysconfig/cman file. As a result, the DLM TCP port can be manually configured.

BZ#860048

The fsck.gfs2 program now checks for formal mismatches between disk inode numbers and directory entries in the GFS2 file system.

BZ#860847

This update adds support for two and four node clusters utilizing the rgmanager daemon with the rrp_mode option enabled.

BZ#878196

This update adds support for clusters utilizing the VMware's VMDK (Virtual Machine Disk) disk image technology with the multi-writer option. This allows using VMDK-based storage with the multi-writer option for clustered file systems such as GFS2.

Bug Fix

BZ#805069

Prior to this update, the status LEDs on Wacom tablets did not correctly indicate the current mode. With this update, the LEDs now indicate which of the Touch Ring or Touch Strip modes are active.

Bug Fixes

BZ#861108

Previously, Coolkey was unable to recognize PIV-I cards. This update fixes the bug and Coolkey now allows these cards to be read and display certificate information as expected.

BZ#879563

Prior to this update, The pkcs11_listcerts and pklogin_finder utilities were unable to recognize certificates and USB tokens on smart cards after upgrading the Coolkey library. A patch has been provided to address this issue and these utilities now work as expected.

BZ#806038

Previously, the remote-viewer utility failed to utilize a plugged smart card reader when a Spice client was running. Eventually, the client could terminate unexpectedly. Now, remote-viewer recognizes the reader and offers authentication once the card is inserted and the crashes no longer occur.

BZ#884266

Previously, certain new PIV-II smart cards could not be recognized by client card readers, the ESC card manager, or the pklogin_finder utility. A patch has been provided to address this issue and PIV-II cards now work with Coolkey as expected.

Enhancement

BZ#805693

Support for Oberthur Smart Cards has been added to the Coolkey library.

Bug Fixes

BZ#802559

Previously, in the xorg-x11-proto-devel package, the definition of the _X_NONNULL macro was incompatible with C89 compilers. Consequently, C89 applications could not be built in C89 mode if the X11/Xfuncproto.h file was included. This update fixes the macro definition to be compatible with C89 mode.

BZ#804907

Prior to this update, XI2 events were not properly initialized and could contain garbage values. A patch for the libXi package, which had been setting values to garbage, has been provided to fix this bug. Now, actual events no longer contain garbage values and are initialized as expected.

BZ#871460

Previously, the spec file of the xkeyboard-config package used the %{dist} macro in the Version tag. Although the standard Red Hat Enterprise Linux build environment defines this macro, it does not need to be defined. If it was not defined, %{dist} appeared literally in the resulting RPM package's version string when the package was rebuilt. The spec file has been corrected to use the conditional %{?dist} form, which expands to an empty string if %{dist} is not defined.

Security Fix

CVE-2011-2504

It was found that the x11perfcomp utility included the current working directory in its PATH environment variable. Running x11perfcomp in an attacker-controlled directory would cause arbitrary code execution with the privileges of the user running x11perfcomp.

Bug Fixes

BZ#783068

Prior to this update, the corosync-notifyd service did not run after restarting the process. This update modifies the init script to wait for the actual exit of previously running instances of the process. Now, the corosync-notifyd service runs as expected after restarting.

BZ#786735

Prior to this update, an incorrect node ID was sent in recovery messages when corosync entered recovery. As a consequence, debugging problems in the source code was difficult. This update sets the correct node ID.

BZ#786737

Upon receiving the JoinMSG message in the OPERATIONAL state, a node enters the GATHER state. However, if JoinMSG was discarded, the nodes sending this JoinMSG could not receive a response until other nodes have had their tokens expired. This caused the nodes having entered the GATHER state spend more time to rejoin the ring. With this update, the underlying source code has been modified to address this issue.

BZ#787789

Prior to this update the netfilter firewall blocked input and output multicast packets, corosync coould become suspended, failed to create membership and cluster could not be used. After this update, corosync is no longer dependent on multicast loop kernel feature for local messages delivery, but uses the socpair unix dgram socket.

BZ#794744

Previously, on InfiniBand devices, corosync autogenerated the node ID when the configuration file or the cluster manager (cman) already set one. This update modifies the underlying code to recognize user-set mode IDs. Now, corosync autogenerates node IDs only when the user has not entered one.

BZ#821352

Prior to this update, corosync sockets were bound to a PEERs IP address instead of the local IP address when the IP address was configured as peer-to-peer (netmask /32). As a consequence, corosync was unable to create memberships. This update modifies the underlying code to use the correct information about the local IP address.

BZ#824902

Prior to this update, the corosync logic always used the first IP address that was found. As a consequence, users could not use more than one IP address on the same network. This update modifies the logic to use the first network address if no exact match was found. Now, users can bind to the IP address they select.

BZ#827100

Prior to this update, some sockets were not bound to a concrete IP address but listened on all interfaces in the UDPU mode. As a consequence, users could encounter problems when configuring the firewall. This update binds all sockets correctly.

BZ#847232

Prior to this update, configuration file names that consisted of more than 255 characters could cause corosync to abort unexpectedly. This update returns the complete item value. In case of the old ABI, corosync prints an error. Now, corosync no longer aborts with longer names.

BZ#838524

When corosync was running with the votequorum library enabled, votequorum's register reloaded the configuration handler after each change in the configuration database (confdb). This caused corosync to run slower and to eventually encounter an Out Of Memory error. After this update, a register callback is only performed during startup. As a result, corosync no longer slows down or encounters an Out Of Memory error.

BZ#848210

Prior to this update, the corosync-notifyd output was considerably slow and corosync memory grew when D-Bus output was enabled. Memory was not freed when corosync-notifyd was closed. This update modifies the corosync-notifyd event handler not to wait when there is nothing to receive and send from or to D-Bus. Now, corosync frees memory when the IPC client exits and corosync-notifyd produces output in speed of incoming events.

BZ#830799

Previously, the node cluster did not correspond with the CPG library membership. Consequently, the nodes were recognized as unknown, and corosync warning messages were not returned. A patch with an enhanced log from CPG has been provided to fix this bug. Now, the nodes work with CPG correctly, and appropriate warning messages are returned.

BZ#902397

Due to a regression, the corosync utility did not work with IPv6, which caused the network interface to be down. A patch has been provided to fix this bug. Corosync now works with IPv6 as expected, and the network interface is up.

BZ#838524

When corosync was running with the votequorum library enabled, votequorum's register reloaded the configuration handler after each change in the configuration database (confdb). This caused corosync to run slower and to eventually encounter an Out Of Memory error. After this update, a register callback is only performed during startup. As a result, corosync no longer slows down or encounters an Out Of Memory error.

BZ#865039

Previously, during heavy cluster operations, one of the nodes failed sending numerous of the following messages to the syslog file:

dlm_controld[32123]: cpg_dispatch error 2

A patch has been applied to address this issue.

BZ#850757

Prior to this update, corosync dropped ORF tokens together with memb_join packets when using CPU timing on certain networks. As a consequence, the RRP interface could be wrongly marked as faulty. This update drops only memb_join messages.

BZ#861032

Prior to this update, the corosync.conf parser failed if the ring number was larger than the allowed maximum of 1. As a consequence, corosync could abort with a segmentation fault. This update adds a check to the corosync.conf parser. Now, an error message is printed if the ring number is larger than 1.

BZ#863940

Prior to this update, corosync stopped on multiple nodes. As a consequence, corosync could, under certain circumstances, abort with a segmentation fault. This update ensures that the corosync service no longer calls callbacks on unloaded services.

BZ#869609

Prior to this update, corosync could abort with a segmentation fault when a large number of corosync nodes were started together. This update modifies the underlying code to ensure that the NULL pointer is not dereferenced. Now, corosync no longer encounters segmentation faults when starting multiple nodes at the same time.

BZ#876908

Prior to this update, the parsercorosync-objctl command with additional parameters could cause the error "Error reloading DB 11". This update removes the reloading function and handles changes of changed objects in the configuration data base (confdb). Now, the logging level can be changed as expected.

BZ#873059

Several typos in the corosync(8) manual page have been fixed. Also, manual pages for confdb_* functions have been added.

Enhancements

BZ#770455

With this update, the corosync log includes the hostname and the process ID of the processes that join the cluster to allow for better troubleshooting.

BZ#794522

This update adds the manual page confdb_keys.8 to provide descriptions for corosync runtime statistics that are returned by corosync-objctl.

BZ#838743

This update adds the new trace level to filter corosync flow messages to improve debugging.

Bug Fix

BZ#929101

When running applications which used the Corosync IPC library, some messages in the dispatch() function were lost or duplicated. This update properly checks the return values of the dispatch_put() function, returns the correct remaining bytes in the IPC ring buffer, and ensures that the IPC client is correctly informed about the real number of messages in the ring buffer. Now, messages in the dispatch() function are no longer lost or duplicated.

Bug Fix

BZ#876738

Previously, the cpuspeed daemon used a naive method of getting the highest available scaling frequency. Consequently, on certain platforms, cpuspeed did not set the CPU to the correct maximum limit. A patch has been provided to address this issue and cpuspeed now sets the maximum speed correctly.

BZ#642838

Prior to this update, the PCC driver used the “userspace” governor was loaded instead of the “ondemand” governor when loading. This update modifies the init script to also check the PCC driver.

BZ#738463

Prior to this update, the cpuspeed init script tried to set cpufrequency system files on a per core basis which was a deprecated procedure. This update sets thresholds globally.

BZ#616976

Prior to this update, the cpuspeed tool did not reset MIN and MAX values, when the configuration file was emptied. As a consequence, the MIN_SPEED or MAX_SPEED values were not reset as expected. This update adds conditionals in the init script to check these values. Now, the MIN_SPEED or MAX_SPEED values are reset as expected.

BZ#797055

Prior to this update, the init script did not handle the IGNORE_NICE parameter as expected. As a consequence, "-n" was added to command options when the IGNORE_NICE parameter was set. This update modifies the init script to stop adding the NICE option when using the IGNORE_NICE parameter.

Bug Fix

BZ#990474

The cpuspeed init script relied on the presence of the scaling_available_frequencies sysfs file to get the maximum possible scaling frequency for the system. Certain platforms did not provide the scaling_available_frequencies sysfs file, which caused the attempt to set the maximum scaling frequency to fail. With this update, the init script now reads the frequency from cpuinfo_max_speed, and setting the maximum scaling frequency now works on all platforms.

Bug Fix

BZ#843093

A recent time-keeping backport to the Red Hat Enterprise Linux 6 kernel caused the crash utility to fail during initialization with the "crash: cannot resolve: xtime" error message. This update modifies crash to recognize and handle the time-keeping change in the kernel so that crash now successfully starts up as expected.

Enhancements

BZ#739094

The crash utility has been modified to support dump files in the firmware-assisted dump (fadump) format for the 64-bit PowerPC architecture.

BZ#834260

The "struct -o" option has been enhanced to accept a virtual address argument. If an address argument is entered, the structure members are prepended by their virtual address.

BZ#834276

The "bt" command has been enhanced by adding new "-s" and "[-xd]" options that allow displaying symbol names plus their offset in each frame. The default behavior is unchanged where only the symbol name is displayed. The symbol offset is expressed in the default output format, which can be overridden using the "-x" (hexadecimal) or "-d" (decimal) options.

Bug Fix

BZ#833350

Previously, the createrepo utility ignored the "umask" command for files created in the createrepo cache directory. This behavior caused problems when more than one user was updating repositories. The bug has been fixed, and multiple users can now update repositories without complications.

Enhancements

BZ#646644

It is now possible to use the "createrepo" command with both the "--split" and the "--pkglist" options simultaneously.

BZ#714094

It is now possible to remove metadata from the repodata directory using the modifyrepo program. This update also enhances updating of the existing metadata.

Bug Fixes

BZ#758367

While running ctdb on the GFS2 file system, ctdb could ban a stable node when another node was started or stopped. This bug has been fixed by the rebase and stable nodes get no longer banned in the described scenario.

BZ#821715

Previously, on the Glusterfs file system, the ctdb lock file and configuration files were shared. Consequently, the ctdbd daemon running on a node terminated unexpectedly when another node in the cluster was brought down. This bug has been fixed by the rebase and ctdbd no longer crashes in the described scenario.

BZ#866670

After removing a ctdb node, the "ctdb status" command reported the same number of nodes as before the node was removed. A patch has been provided to address this issue and "ctdb status" now returns an accurate number of nodes after a remove operation.

Bug Fixes

BZ#741935

The libssh2 library did not sufficiently reflect its ABI extensions in its version, which prevented the RPM dependency scanner from adding the correct dependency of libcurl on an updated version of libssh2. Consequently, if the user updated libcurl without first updating libssh2, the update ended with incorrect linkage of libcurl and the user was then unable to update libssh2 using yum. An explicit dependency of libcurl on an update version of libssh2 has been added and yum can now be used to update libcurl.

BZ#746629

Previously, libcurl required certificates loaded from files to have unique file base names due to limitation of the legacy API of NSS (Network Security Services). Some packages using libcurl did not fulfil this requirement and caused nickname collisions within NSS. Now, libcurl has been modified to use a newer API of NSS, which does not suffer from this limitation, and packages using libcurl are now allowed to load certificates from files with unrestricted file names.

BZ#813127

Previously, libcurl misinterpreted the Content-Length HTTP header when receiving data using the chunked encoding. Consequently, libcurl failed to read the last chunk of data and the transfer terminated prematurely. An upstream patch has been applied to fix the handling of the header and the chunked encoding in libcurl now works as expected.

BZ#841905

A sub-optimally chosen identifier in cURL source files clashed with an identifier from a public header file introduced in a newer version of libssh2, which prevented the curl package from a successful build. An upstream patch has been applied on cURL source files, which fixes the identifier collisions and the package now builds as expected.

BZ#738456

The OpenLDAP suite was recently modified to use NSS instead of OpenSSL as the SSL back end. This change led to collisions between libcurl and OpenLDAP on NSS initialization and shutdown. Consequently, applications that were using both libcurl and OpenLDAP failed to establish SSL connections. This update modifies libcurl to use the same NSS API as OpenLDAP, which prevents collisions from occurring. Applications using OpenLDAP and libcurl can now connect to the LDAP server over SSL as expected.

BZ#719938

As a solution to a security issue, GSSAPI credential delegation was disabled, which broke the functionality of applications that were relying on delegation, incorrectly enabled by libcurl. To fix this issue, the CURLOPT_GSSAPI_DELEGATION libcurl option has been introduced in order to enable delegation explicitly when applications need it. All applications using GSSAPI credential delegation can now use this new libcurl option to be able to run properly.

BZ#772642

SSL connections could not be established with libcurl if the selected NSS database was broken or invalid. This update modifies the code of libcurl to initialize NSS without a valid database, which allows applications to establish SSL connections as expected.

BZ#873789

Previously, libcurl incorrectly checked return values of the SCP/SFTP write functions provided by libssh2. Negative values returned by those functions were treated as negative download amounts, which caused applications to terminate unexpectedly. With this update, all negative values are treated as errors and as such are properly handled on the libcurl level, thus preventing the crashes.

BZ#879592

Prior to this update, libcurl used an obsolete libssh2 API for uploading files over the SCP protocol, which limited the maximum size of files being transferred on 32-bit architectures. Consequently, the 32-bit packages of libcurl were unable to transfer large files over SCP. With this update, a new libssh2 API for SCP uploads is used, which does not suffer from this limitation, thus fixing this bug.

Enhancements

BZ#676596

Previously, libcurl provided only HTTP status codes in error messages when reporting HTTP errors. This could confuse users not familiar with HTTP. Now, libcurl has been improved to include the HTTP reason phrase in error messages, thus providing more understandable output.

BZ#730445

This update introduces a new option, --delegation, which enables Kerberos credential delegation in cURL.

BZ#671145

Prior to this update, the C shell (csh) did not set the CVS_RSH environment variable to "ssh" and the remote shell (rsh) was used instead when the users accessed a remote CVS server. As a consequence, the connection was vulnerable to attacks because the remote shell is not encrypted or not necessarily enabled on every remote server. The cvs.csh script now uses valid csh syntax and the CVS_RSH environment variable is properly set at log-in.

BZ#695719

Prior to this update, the xinetd package was not a dependency of the cvs package. As a result, the CVS server was not accessible through network. With this update, the cvs-inetd package, which contains the CVS inetd configuration file, ensures that the xinetd package is installed as a dependency and the xinetd daemon is available on the system.

BZ#706147

Prior to this update, the dash shell was not an allowed login shell. As a consequence, users could not log in using the dash shell. This update adds the dash to the /etc/shells list of allowed login shells when installing or upgrading dash package and removes it from the list when uninstalling the package. Now, users can login using the dash shell.

Bug Fixes

BZ#578114

When the kpartx tool tried to delete a loop device that was previously created, and the udev utility had this loop device still open, the delete process would fail with the EBUSY error and kpartx did not attempt retry this operation. The kpartx tool has been modified to wait for one second and then retry deleting up to three times after the EBUSY error. As a result, loop devices created by kpartx are now always deleted as expected.

BZ#595692

The multipathd daemon only checked SCSI IDs when determining World Wide Identifiers (WWIDs) for devices. However, CCISS devices do not support SCSI IDs and could not be used by Device Mapper Multipath. With this update, multipathd checks CCISS devices for CCISS IDs properly and the devices are detected as expected.

BZ#810755

Some device configurations in the /usr/share/doc/device-mapper-multipath-0.X.X/multipath.conf.defaults file were out of date. Consequently, if users copied those configurations into the /etc/multipath.conf file, their devices would be misconfigured. The multipath.conf.defaults file has been updated and users can now copy configurations from it without misconfiguring their devices. Note that copying configurations from the multipath.conf.defaults file is not recommended as the configurations in that file are built into dm-multipath by default.

BZ#810788

Previously, Device Mapper Multipath stored multiple duplicate blacklist entries, which were consequently shown when listing the device-mapper-multipath's configuration. Device Mapper Multipath has been modified to check for duplicates before storing configuration entries and to store only the unique ones.

BZ#813963

Device Mapper Multipath had two Asymmetric Logical Unit Access (ALUA) prioritizers, which checked two different values. Certain ALUA setups were not correctly failing back to the primary path using either prioritizer because both values need to be checked and neither prioritizer checked them both. With this update, configuration options of both ALUA prioritizers now select the same prioritizer function, which checks both values as expected.

BZ#816717

When removing kpartx device partitions, the multipath -f option accepted only the device name, not the full pathname. Consequently, an attempt to delete a mulitpath device by the full pathname failed if the device had the kpartx partitions. Device Mapper Mulitpath has been modified to except the full pathname, when removing kpartx device partitions and deleting process no longer fails in the described scenario.

BZ#821885

Previously, the multipath -c option incorrectly listed SCSI devices, which were blacklisted by device type, as valid mulitpath path devices. As a consequence, Device Mapper Multipath could remove the partitions from SCSI devices that never ended up getting multipathed. With this update, multipath -c now checks if a SCSI device is blacklisted by device type, and reports it as invalid if it is.

BZ#822389

On reload, if a multipath device was not set to use the user_friendly_names parameter or a user-defined alias, Device Mapper Multipath would use its existing name instead of setting the WWID. Consequently, disabling user_friendly_names did not cause the multipath device names to change back to WWIDs on reload. This bug has been fixed and Device Mapper Mulitpath now sets the device name to its WWID if no user_friendly_names or user defined aliases are set. As a result, disabling user_friendly_names now allows device names to switch back to WWIDs on reload.

BZ#829065

When the Redundant Disk Array Controller (RDAC) checker returned the DID_SOFT_ERROR error, Device Mapper Multipath did not retry running the RDAC checker. This behavior caused Device Mapper Multipath to fail paths for transient issues that may have been resolved if it retried the checker. Device Mapper Multipath has been modified to retry the RDAC checker if it receives the DID_SOFT_ERROR error and no longer fails paths due to this error.

BZ#831045

When a multipath vector, which is a dynamically allocated array, was shrunk, Device Mapper Multipath was not reassigning the pointer to the array. Consequently, if the array location was changed by the shrinking, Device Mapper Multipath would corrupt its memory with unpredictable results. The underlying source code has been modified and Device Mapper Multipath now correctly reassigns the pointer after the array has been shrunk.

BZ#836890

Device Mapper Multipath was occasionally assigning a WWID with a white space for AIX VDASD devices. As a consequence, there was no single blacklist of WWID entry that could blacklist the device on all machines. With this update, Device Mapper Multipath assigns WWIDs without any white space characters for AIX VDASD devices, so that all machines assign the same WWID to an AIX VDASD device and the user is always able to blacklist the device on all machines.

BZ#841732

If two multipath devices had their aliases swapped, Device Mapper Multipath switched their tables. Consequently, if the user switched aliases on two devices, any application using the device would be pointed to the incorrect Logical Unit Number (LUN). Device Mapper Multipath has been modified to check if the device's new alias matches a different multipath device, and if so, to not switch to it.

BZ#860748

Previously, Device Mapper Multipath did not check the device type and WWID blacklists as soon as this information was available for a path device. Device Mapper Multipath has been modified to check the device type and WWID blacklists as soon as this information is available. As a result, Device Mapper Multipath no longer waits before blacklisting invalid paths.

BZ#869253

Previously, the multipathd daemon and the kpartx tool did not instruct the libdevmapper utility to skip the device creation process and let udev create it. As a consequence, sometimes libdevmapper created a block device in the /dev/mapper/ directory, and sometimes udev created a symbolic link in the same directory. With this update, multipathd and kpartx prevent libdevmapper from creating a block device and udev always creates a symbolic link in the /dev/mapper/ directory as expected.

Enhancements

BZ#619173

This enhancement adds a built-in configuration for SUN StorageTek 6180 to Device Mapper Multipath.

BZ#735459

To set up persistent reservations on multipath devices, it was necessary to set it up on all of the path devices. If a path device was added later, the user had to manually add reservations to that path. This enhancement adds the ability to set up and manage SCSI persistent reservations using device-mapper devices with the mpathpersist utility. As a result, when path devices are added, persistent reservations are set up as well.

BZ#810989

This enhancement updates the multipathd init script to load the dm-multipathd module, so that users do not have to do this manually in cases when no /etc/multipath.conf file is present during boot. Note that it is recommended to create the multipath.conf file by running the mpathconf --enable command, which also loads the dm-multipath module.

BZ#818367

When the RDAC path device is in service mode, it is unable to handle I/O requests. With this enhancement, Device Mapper Multipath puts an RDAC path device into a failed state if it is in the service mode.

BZ#839386

This update adds two new options to the defaults and devices sections of the multipath.conf file; the retain_attached_hw_hander option and the detect_prio option. By default, both of these options are set to no in the defaults section of the multipath.conf file. However, they are set to yes in the NETAPP/LUN device configuration file. If retain_attach_hw_handler is set to yes and the SCSI layer has attached a hardware handler to the device, Device Mapper Multipath sets the hardware as usual. If detect_prio is set to yes, Device Mapper Multipath will check if the device supports ALUA. If so, it automatically sets the prioritizer to the alua value. If the device does not support ALUA, Device Mapper Multipath sets the prioritizer as usual. This behavior allows NETAPP devices to work in ALUA or non-ALUA mode without making users change to built-in config.

In order for retain_attached_hw_handler to work, the SCSI layer must have already attached the device handler. To do this, the appropriate scsi_dh_XXX module, for instance scsi_dh_alua, must be loaded before the SCSI layer discovers the devices. To guarantee this, add the following parameter to the kernel command line:

rdloaddriver=scsi_dh_XXX

Bug Fix

BZ#988704

Prior to this update, Device Mapper Multipath did not check for NULL pointers before dereferencing them in the sysfs functions. As a result, the multipathd daemon could crash if a multipath device was resized while a path device was being removed. With this update, Device Mapper Multipath checks for NULL pointers in sysfs functions and no longer crashes when a multipath device is resized at the same time as a path device is removed.

Enhancement

BZ#993545

This update adds a new /etc/multipath.conf file default keyword, "reload_readwrite". If set to "yes", multipathd will listen to path device change events, and if the device has read-write access, it will reload the multipath device. This allows multipath devices to automatically have read-write permissions, as soon as the path devices have read-write access, instead of requiring manual intervention. Thus, when all the path devices belonging to a multipath device have read-write access, the multipath device will automatically allow read-write permissions.

Security Fix

CVE-2012-3955

A flaw was found in the way the dhcpd daemon handled the expiration time of IPv6 leases. If dhcpd's configuration was changed to reduce the default IPv6 lease time, lease renewal requests for previously assigned leases could cause dhcpd to crash.

Bug Fixes

BZ#803540

Prior to this update, the DHCP server discovered only the first IP address of a network interface if the network interface had more than one configured IP address. As a consequence, the DHCP server failed to restart if the server was configured to serve only a subnet of the following IP addresses. This update modifies network interface addresses discovery code to find all addresses of a network interface. The DHCP server can also serve subnets of other addresses.

BZ#824622

Prior to this update, the dhclient rewrote the /etc/resolv.conf file with backup data after it was stopped even when the PEERDNS flag was set to "no" before shut down if the configuration file was changed while the dhclient ran with PEERDNS=yes. This update removes the backing up and restoring functions for this configuration file from the dhclient-script. Now, the dhclient no longer rewrites the /etc/resolv.conf file when stopped.

Bug Fix

BZ#1005672

Previously, the dhcpd daemon or dhclient tool were started to serve on an alias interface for Infiniband network interface card. Consequently, dhcpd/dhclient terminated unexpectedly. One of patches was improved to cover this specific case, thus fixing the bug. Now, both dhcpd and dhclient run correctly.

Security Fix

CVE-2012-3411

It was discovered that dnsmasq, when used in combination with certain libvirtd configurations, could incorrectly process network packets from network interfaces that were intended to be prohibited. A remote, unauthenticated attacker could exploit this flaw to cause a denial of service via DNS amplification attacks.

Bug Fix

BZ#815819

Due to a regression, the lease change script was disabled. Consequently, the "dhcp-script" option in the /etc/dnsmasq.conf configuration file did not work. This update corrects the problem and the "dhcp-script" option now works as expected.

Enhancements

BZ#824214

Prior to this update, dnsmasq did not validate that the tftp directory given actually existed and was a directory. Consequently, configuration errors were not immediately reported on startup. This update improves the code to validate the tftp root directory option. As a result, fault finding is simplified especially when dnsmasq is called by external processes such as libvirt.

BZ#850944

The dnsmasq init script used an incorrect Process Identifier (PID) in the "stop", "restart", and "condrestart" commands. Consequently, if there were some dnsmasq instances running besides the system one started by the init script, then repeated calling of "service dnsmasq" with "stop" or "restart" would kill all running dnsmasq instances, including ones not started with the init script. The dnsmasq init script code has been corrected to obtain the correct PID when calling the "stop", "restart", and "condrestart" commands. As a result, if there are dnsmasq instances running in addition to the system one started by the init script, then by calling "service dnsmasq" with "stop" or "restart" only the system one is stopped or restarted.

BZ#887156

When two or more dnsmasq processes were running with DHCP enabled on one interface, DHCP RELEASE packets were sometimes lost. Consequently, when two or more dnsmasq processes were running with DHCP enabled on one interface, releasing IP addresses sometimes failed. This update sets the SO_BINDTODEVICE socket option on DHCP sockets if running dnsmasq with DHCP enabled on one interface. As a result, when two or more dnsmasq processes are running with DHCP enabled on one interface, they can release IP addresses as expected.

Bug Fix

BZ#639866

Prior to this update, the Perl script used for generating manpages contained a misprint in the header. As a consequence, the header syntax of all manual pages that docbook-utils built was wrong. This update corrects the script. Now the manual page headers have the right syntax.

Security Fixes

CVE-2011-2166, CVE-2011-2167

Two flaws were found in the way some settings were enforced by the script-login functionality of Dovecot. A remote, authenticated user could use these flaws to bypass intended access restrictions or conduct a directory traversal attack by leveraging login scripts.

CVE-2011-4318

A flaw was found in the way Dovecot performed remote server identity verification, when it was configured to proxy IMAP and POP3 connections to remote hosts using TLS/SSL protocols. A remote attacker could use this flaw to conduct man-in-the-middle attacks using an X.509 certificate issued by a trusted Certificate Authority (for a different name).

Bug Fix

BZ#697620

When a new user first accessed their IMAP inbox, Dovecot was, under some circumstances, unable to change the group ownership of the inbox directory in the user's Maildir location to match that of the user's mail spool (/var/mail/$USER). This correctly generated an "Internal error occurred" message. However, with a subsequent attempt to access the inbox, Dovecot saw that the directory already existed and proceeded with its operation, leaving the directory with incorrectly set permissions. This update corrects the underlying permissions setting error. When a new user now accesses their inbox for the first time, and it is not possible to set group ownership, Dovecot removes the created directory and generates an error message instead of keeping the directory with incorrect group ownership.

Bug Fixes

BZ#835646

Previously, dracut could not handle uppercase MAC addresses for the PXE "BOOTIF=" parameter. As a consequence, a machine with a dracut generated initramfs could not boot over the network, when the "BOOTIF=" parameter contained uppercase MAC addresses. With this update, dracut converts internally the MAC addresses to lowercase. Now, a machine with a dracut generated initramfs can boot over the network successfully when the "BOOTIF=" parameter contains uppercase MAC addresses.

BZ#831338

Previously, the default mount option of the /proc/ directory during boot up was "mount -t proc -o nosuid,noexec,nodev proc/proc". This resulted in inaccessible device nodes in the /proc/ directory for some kernel drivers. The default mount option of the /proc directory has been changed to "mount -t proc proc /proc" and all kernel modules now load successfully.

BZ#794751

Previously, dracut could not use the Internet Small Computer System Interface (iSCSI) and dmsquash-live module together. As a consequence, it was not possible to boot from a live medium over iSCSI. After this update, a dracut-generated initramfs, which contains the iSCSI and dmsquash-live modules, is able to boot a live medium via iSCSI. This can be done using the kernel command "root=live:LABEL=<partition-or-iso-label> netroot=iscsi: ".

BZ#813057

Previously, the new Brocade switch firmware took longer to complete the BCBx negotiation and a dracut-generated initramfs did not wait long enough for the DCBx negotiation. Now, the initramfs sleeps for three seconds after loading the "802q" kernel module and the DCBx negotiation with the new Brocade switch firmware completes successfully.

BZ#843105

When using the "live_ram" parameter for booting from live media, the dracut-generated initramfs ejected the medium. After this action, a reboot caused the machine to not boot from the medium again, even if it was intended. After this update, dracut honors the "no_eject" kernel command-line parameter. Now, if "no_eject" is given on the kernel command-line, the dracut-generated initramfs no longer ejects the live medium after copying it to the RAM.

BZ#850493

In FIPS mode, the kernel image has to be validated by a checksum. The sha512hmac tool reads the absolute path of the file to check from the checksum file. Previously, if "/boot" was not on a separate file system, dracut mounted the root file system to "/sysroot". The "/sysroot/boot" partition was not accessible with the "/boot" path and the sha512hmac tool could not access the file in "/boot" to check for. The check failed and the boot process was cancelled. Consequently, the boot processes did not succeed in FIPS mode if "/boot" was not on a separate file system. Now, dracut creates a symbolic link from the "/sysroot/boot" partition to the "/boot" partition in the initramfs and the sha512hmac tool can check the kernel image and the machine can continue booting, if the check was successful.

BZ#890081

Previously, the kernel module "scsi_dh_alua" was not included in the initramfs and as a consequence, "scsi_dh_alua" could not be preloaded via the "rdloaddriver" kernel command. The "scsi_dh_alua" kernel module is now included in the initramfs and "scsi_dh_alua" can be preloaded successfully using "rdloaddriver".

BZ#854416

Previously, dracut did not strip the kernel modules as mentioned in the man page. Consequently, initramfs size grew very big if the customer had kernel modules with a lot of debug info. The dracut utility now strips the kernel modules, except when in FIPS mode, and as a result, the initramfs size is smaller and can be loaded on machines with small memory.

Enhancements

BZ#823507

Documentation for the "rd_retry=" boot option has been added to the dracut(8) man page.

BZ#858187

The dracut utility can now boot from iSCSI on a network with virtual LANs configured, where the virtual LAN settings are stored in the iSCSI Boot Firmware Table BIOS.

BZ#725464

Prior to this update, the dropwatch utility could become unresponsive because it was waiting for a deactivation acknowledgement to be issued by an already deactivated or stopped service. With this update, dropwatch detects an attempt to deactivate/stop an already deactivated/stopped service and no longer hangs.

BZ#807474

Prior to this update, the growisofs utility wrote chunks of 32KB and reported an error during the last chunk when burning ISO image files that were not aligned to 32KB. This update allows the written chunk to be smaller than a multiple of 16 blocks.

Bug Fixes

BZ#806137

On a corrupted file system, the "mke2fs -S" command could remove files instead of attempting to recover them. This bug has been fixed; the "mke2fs -S" command writes metadata properly and no longer removes files instead of recovering them.

BZ#813820

The resize2fs(8) man page did not list an ext4 file system as capable of on-line resizing. This omission has been fixed and the resize2fs(8) man page now includes all file systems that can be resized on-line.

BZ#858338

A special flag was used to indicate blocks allocated beyond the end of file on an ext4 file system. This flag was sometimes mishandled, resulting in file system corruption. Both the kernel and user space have been reworked to eliminate the use of this flag.

Enhancement

BZ#824126

Previously, users could use the e2fsck utility on a mounted file system, although it was strongly recommended not to do so. Using the utility on a mounted file system led to file system corruption. With this update, e2fsck opens the file system exclusively and fails when the file system is busy. This behavior avoids possible corruption of the mounted file system.

Bug Fix

BZ#1023351

The resize2fs utility did not properly handle resizing of an ext4 file system to a smaller size. As a consequence, files containing many extents could become corrupted if they were moved during the resize process. With this update, resize2fs now maintains a consistent extent tree when moving files containing many extents, and such files no longer become corrupted in this scenario.

Bug Fix

BZ#974193

Some ext4 extent tree corruptions were not detected or repaired by e2fsck. Inconsistencies related to overlapping interior or leaf nodes in the extent tree were not detected, and the file system remained in an inconsistent state after an e2fsck. These inconsistencies were then detected by the kernel at run time. e2fsck is now able to detect and repair this class of corruptions in the file system.

Bug Fixes

BZ#818177

Due to an error in the Tcl library, some allocated pointers were invalidated inside the library. Consequently, running the "module switch" command in the tcsh shell led to a segmentation fault. The bug has been fixed and the system memory is now allocated and pointed to correctly.

BZ#848865

Previously, the /usr/share/Modules/modulefiles/modules file contained an incorrect path. Consequently, an error occurred when the "module load modules" command was executed. With this update, the incorrect path has been replaced and the described error no longer occurs.

BZ#789997

Previously, eSpeak manipulated the system sound volume. As a consequence, eSpeak could set the sound volume to maximum regardless of the amplitude specified. The sound volume management code has been removed from eSpeak, and now only PulseAudio manages the sound volume.

Bug Fix

BZ#734048

The CalDav calendar back end was converting Uniform Resource Identifiers (URIs) with unescaped space characters or the "%20" string to "%2520". As a consequence, rendering the back end did not allow to contact the remote CalDav service that caused CalDav calendars to be inaccessible. This bug has been fixed and evolution-data-server works correctly in the described scenario.

Security Fix

CVE-2011-3201

The way Evolution handled mailto URLs allowed any file to be attached to the new message. This could lead to information disclosure if the user did not notice the attached file before sending the message. With this update, mailto URLs cannot be used to attach certain files, such as hidden files or files in hidden directories, files in the /etc/ directory, or files specified using a path containing "..".

Bug Fixes

BZ#707526

Creating a contact list with contact names encoded in UTF-8 caused these names to be displayed in the contact list editor in the ASCII encoding instead of UTF-8. This bug has been fixed and the contact list editor now displays the names in the correct format.

BZ#805239

Due to a bug in the evolution-alarm-notify process, calendar appointment alarms did not appear in some types of calendars. The underlying source code has been modified and calendar notifications work as expected.

BZ#890642

An attempt to print a calendar month view as a PDF file caused Evolution to terminate unexpectedly. This update applies a patch to fix this bug and Evolution no longer crashes in this situation.

Bug Fixes

BZ#819698

Prior to this update, stopping the fcoe-target daemon did not stop the target session when rebooting. This update improves the fcoe-target script and the fcoe-target daemon can now properly shut down the kernel target.

BZ#824227

Prior to this update, a delay in the FCoE interface initialization sometimes resulted in the target configuration not being loaded for that interface. This update permits target configuration for absent interfaces, allowing target and interface configuration in any order.

BZ#837730

Prior to this update, specifying a nonexistent backing file when creating a backstore resulted in the unhelpful Python error "ValueError: No such path". This update reports the error in a more helpful way.

BZ#837992

Prior to this update, attempting to remove a storage object in a backstore resulted in a Python error. This update fixes the problem and storage objects can now be removed as expected.

BZ#838442

Prior to this update, attempting to redirect the output of targetcli resulted in a Python error. This update allows targetcli to be successfully redirected.

BZ#846670

Due to a regression, creating a backstore resulted in a Python error. This update allows backstore creation without error.

Enhancements

BZ#828096

Prior to this update, backstore size listing abbreviations did not clearly specify between power of 10 (for example Gigabyte) and power of 2 (Gibibyte). This update lists backstore sizes using power-of-2 sizes and labels them as such.

BZ#828681

The caching characteristics of backstores are now exposed via the SCSI Write Cache Enable (WCE) bit to initiators, instead of being set opaquely via the "buffered-mode" backstore setting. The default setting for WCE is "on".

Bug Fix

BZ#867117

When turning off DCB on a Fibre Channel over Ethernet (FCoE) initiator interface connected to a Cisco Fibre Channel Forwarder (FCF), the fcoemon utility disabled the interface but the FCoE interface was re-enabled by a Netlink event before DCB was operational again. Consequently, the interface did not operate in degraded mode with LUNS present as expected and the output of the "ip l" and "fcoeadm -i" commands was contradictory. A patch has been applied to the fcoemon utility to ensure DCB is operational again before enabling the FCoE interface when a link is brought up. In addition, a patch has been applied to fcoe-utils to improve error handling and error messages related to creating and deleting of FCoE interfaces when DCB is not ready.

Enhancement

BZ#826291

Support for VLAN notification with VLAN ID 0 has been added. If a VLAN notification has the tag "VLAN 0", the physical port will now be activated. The VLAN interface will not be created but FCoE will be started on the physical interface itself.

Bug Fix

BZ#803962

The "febootstrap-supermin-helper" program is used when opening a disk image using the libguestfs API, or as part of virt-v2v conversion. Previously, this tool did not always handle the "-u" and "-g" options correctly when the host used an LDAP server to resolve user names and group names. This caused the virt-v2v command to fail when LDAP was in use. With this update, the "febootstrap-supermin-helper" program has been modified to parse the "-u" and "-g" options correctly, so that virt-v2v works as expected in the described scenario.

Bug Fixes

BZ#908409

Previously, when fencing a Red Hat Enterprise Linux cluster node with the fence_soap_vmware fence agent, the agent terminated unexpectedly with a traceback if it was not possible to resolve a hostname of an IP address. With this update, a proper error message is displayed in the described scenario.

BZ#908401

Due to incorrect detection on newline characters during an SSH connection, the fence_drac5 agent could terminate the connection with a traceback when fencing a Red Hat Enterprise Linux cluster node. Only the first fencing action completed successfully but the status of the node was not checked correctly. Consequently, the fence agent failed to report successful fencing. When the "reboot" operation was called, the node was only powered off. With this update, the newline characters are correctly detected and the fencing works as expected.

Bug Fixes

BZ#769798

The speed of fencing is critical because otherwise, broken nodes have more time to corrupt data. Prior to this update, the operation of the fence_vmware_soap fence agent was slower than expected when used on the VMWare vSphere platform with hundreds of virtual machines. With this update, the fencing process is faster and does not terminate if virtual machines without an UID are encountered.

BZ#822507

Prior to this update, the attribute "unique" in XML metadata was set to TRUE (1) by default. This update modifies the underlying code to use FALSE (0) as the default value because fence agents do not use these attributes.

BZ#825667

Prior to this update, certain fence agents did not generate correct metadata output. As a result, it was not possible to use the metadata for automatic generation of manual pages and user interfaces. With this update, all fence agents generate their metadata as expected.

BZ#842314

Prior to this update, the fence_apc script failed to log into APC power switches where firmware changed the end-of-line marker from CR-LF to LF. This update modifies the script to log into a fence device as expected.

BZ#863568

Prior to this update, the fence_rhevm agent failed to run the regular expression get_id regex when using a new href attribute. As a consequence, the plug status was not available. This update modifies the underlying code to show the correct status either as ON or OFF.

Enhancements

BZ#740869

This update adds the fence_ipdu agent to support IBM iPDU fence devices in Red Hat Enterprise Linux 6.

BZ#752449

This update adds the fence_eaton agent to support Eaton ePDU (Enclosure Power Distribution Unit) devices in Red Hat Enterprise Linux 6.

BZ#800650

This update adds symlinks for common fence types that utilize standards-based agents in Red Hat Enterprise Linux 6.

BZ#818337

This update adds the fence_bladecenter agent to the fence-agents packages in Red Hat Enterprise Linux 6 to support the --missing-as-off feature for the HP BladeSystem to handle missing nodes as switched off nodes so that fencing can end successfully even if a blade is missing.

BZ#837174

This update supports action=metadata via standard input for all fence agents.

Bug Fixes

BZ#761228

Previously, the fence_virt man page contained incorrect information in the "SERIAL/VMCHANNEL PARAMETERS" section. With this update, the man page has been corrected.

BZ#853927

Previously, the fence_virtd daemon returned an incorrect error code to the fence_virt agent when the virt domain did not exist. Consequently, the fence_node utility occasionally failed to detect fencing. With this update, the error codes have been changed and the described error no longer occurs.

Enhancements

BZ#823542

The "delay" (-w) option has been added to the fence_virt and fence_xvm fencing agents. The delay option can be used, for example, as a method of preloading a winner in a fence race in a CMAN cluster.

BZ#843104

With this update, the documentation of the "hash" parameter in the fence_virt.conf file has been improved to notify that hash is the weakest hashing algorithm allowed for client requests.

BZ#795425

The file utility did not contain a "magic" pattern for detecting QED images and was therefore not able to detect such images. A new "magic" pattern for detecting QED images has been added, and the file utility now detects these images as expected.

BZ#795761

The file utility did not contain a "magic" pattern for detecting VDI images and was therefore not able to detect such images. A new "magic" pattern for detecting VDI images has been added, and the file utility now detects these images as expected.

BZ#797784

Previously, the file utility did not attempt to load "magic" patterns from the ~/.magic.mgc file, which caused "magic" patterns stored in this file to be unusable. This update modifies the file utility so it now attempts to load the ~/.magic.mgc file. The file is loaded if it exists and "magic" patterns defined in this file work as expected.

BZ#801711

Previously, the file utility used read timeout when decompressing files using the "-z" option. As a consequence, the utility was not able to detect files compressed by the bzip2 tool. The underlying source code has been modified so that file no longer uses read timeout when decompressing compressed files. Compressed files are now detected as expected when using the "-z" option.

BZ#859834

Previously, the file utility contained multiple "magic" patterns to detect output of the "dump" backup tool. On big-endian architectures, the less detailed "magic" pattern was used and output of the file utility was inconsistent. The less detailed "magic" pattern has been removed, and only one, more detailed, "magic" pattern to detect "dump" output is used now.

Enhancement

BZ#831818

Previously, the Firstboot utility allowed displaying only the English version of the End User Licence Agreement (EULA), which could be problematic for users who do not understand English. This update modifies Firstboot so that it uses the $LANG environment variable to find the localized EULA file according to the language set during installation. If the EULA file in the selected language is not found, the default EULA file, which is in English, is used. Users can now read the EULA document in the language chosen during installation before accepting it.

BZ#783868

Prior to this update, using the ftp command "put" when the stack size was set to unlimited caused the sysconf(_SC_ARG_MAX) function to return -1, which in turn resulted in the malloc() function being called with an argument of 0 and causing an "Out of memory" message to be displayed. With this update, the underlying source code has been improved to allocate a reasonable minimum of memory. As a result, the "Out of memory" message no longer appears if the stack size was previously set to unlimited.

BZ#869858

Prior to this update, the ftp client could encounter a buffer overflow and aborted if a macro longer than 200 characters was defined and then used after a connection. This update modifies the underlying code and the buffer that holds memory for the macro name was extended. Now, ftp matches the length of the command line limit and the ftp client no longer aborts when a macro with a long name is executed.

BZ#665337

Previously, the command line width in the ftp client was limited to 200 characters. With this update, the maximum possible length of the FTP command line is extended to 4296 characters.

BZ#786004

Prior to this update, "append", "put", and "send" commands were causing system memory to leak. The memory holding the ftp command was not freed appropriately. With this update, the underlying source code has been improved to correctly free the system resources and the memory leaks are no longer present.

BZ#849940

Previously, the ftp client could not be invoked to run directly in the active mode. This functionality has been added to the source code and documented in the manual page. The client can now be executed with an additional "-A" command line parameter and will run in the active mode.

BZ#852636

Previously, the ftp client hung up when the ftp-data port (20) was not available (e.g. was blocked). The client then had to be terminated manually. Additional logic has been added to the source code. With this update, ftp has an internal timeout set to 30 seconds. If there is no answer from the server when this time has passed, ftp will now gracefully time out and not hang up.

BZ#829558

Prior to this update, the "re_string_skip_chars" function incorrectly used the character count instead of the raw length to estimate the string length. As a consequence, any text in multi-byte encoding that did not use the UTF-8 format failed to be processed correctly. This update modifies the underlying code so that the correct string length is used. multi-byte encoding is processed correctly.

Bug Fixes

BZ#801144

Due to the incorrect size of a pointer in GCC GNAT code, GNAT used an incorrect function of the libgcc library when compiling 32-bit Ada binaries on PowerPC architecture. Consequently, these programs could not be linked and the compilation failed. This update fixes the problem so that the sizeof operator now returns the correct size of a pointer, and the appropriate function from libgcc is called. GNAT compiles Ada binaries as expected in this scenario.

BZ#808590

The Standard Template Library (STL) contained an incomplete move semantics implementation, which could cause GCC to generate incorrect code. The incorrect headers have been fixed so that GCC now produce the expected code when depending on move semantics.

BZ#819100

GCC did not, under certain circumstances, handle generating a CPU instruction sequence that would be independent of indexed addressing on PowerPC architecture. As a consequence, an internal compiler error occurred if the "__builtin_bswap64" built-in function was called with the "-mcpu=power6" option. This update corrects the relevant code so that GCC now generates an alternate instruction sequence that does not depend on indexed addressing in this scenario.

BZ#821901

A bug in converting the exception handling region could cause an internal compiler error to occur when compiling profile data with the "-fprofile-use" and "-freorder-basic-blocks-and-partition" options. This update fixes the erroneous code and the compilation of profile data now proceeds as expected in this scenario.

BZ#826882

Previously, GCC did not properly handle certain situations when an enumeration was type cast using the static_cast operator. Consequently, an enumeration item could have been assigned an integer value greater than the highest value of the enumeration's range. If the compiled code contained testing conditions using such enumerations, those checks were incorrectly removed from the code during code optimization. With this update, GCC was modified to handle enumeration type casting properly and C++ now no longer removes the mentioned checks.

BZ#831832

Previously, when comparing the trees equality, the members of a union or structure were not handled properly in the C++ compiler. This led to an internal compiler error. This update modifies GCC so that unions and structures are now handled correctly and code that uses tree equality comparing is now compiled successfully.

BZ#867878

GCC previously processed the "srak" instructions without the z196 flag, which enables a compiler to work with these instructions. Consequently, some binaries, such as Firefox, could not be compiled on IBM System z and IBM S/390 architectures. With this update, GCC has been modified to support the z196 flag for the srak instructions, and binaries requiring these instructions can now be compiled successfully on IBM System z and IBM S/390 architectures.

Security Fix

CVE-2011-4355

GDB tried to auto-load certain files (such as GDB scripts, Python scripts, and a thread debugging library) from the current working directory when debugging programs. This could result in the execution of arbitrary code with the user's privileges when GDB was run in a directory that has untrusted content.

Bug Fixes

BZ#795424

When a struct member was at an offset greater than 256 MB, the resulting bit position within the struct overflowed and caused an invalid memory access by GDB. With this update, the code has been modified to ensure that GDB can access such positions.

BZ#811648

When a thread list of the core file became corrupted, GDB did not print this list but displayed the "Cannot find new threads: generic error" error message instead. With this update, GDB has been modified and it now prints the thread list of the core file as expected.

BZ#836966

GDB did not properly handle debugging of multiple binaries with the same build ID. This update modifies GDB to use symbolic links created for particular binaries so that debugging of binaries that share a build ID now proceeds as expected. Debugging of live programs and core files is now more user-friendly.

Bug Fixes

BZ#952090

When users tried to execute the "maintenance set python print-stack" command, gdb did not recognize it and issued an error stating the command was undefined. With this update, gdb now correctly recognizes and executes the command.

BZ#952100

When debugging a C++ program which declared a local static variable inside a class, gdb was unable to locate the local static variable. This caused problems when debugging some issues that required examining these kinds of variables. With this update, gdb now correctly identifies that the variable exists, and the debugging process functions normally.

BZ#954300

Previously, users experienced an internal error in the debugger when using a Thread Local Storage (TLS) modifier in a static variable declared inside a class on a C++ program, and asking gdb to print its value. This caused the debugging session to be compromised. With this update, gdb is now able to correctly deal with a static variable declared as a TLS inside a class and errors no longer occur in the described scenario.

Bug Fixes

BZ#616755

Previously, the gdm_smartcard_extension_is_visible() function returned "TRUE" instead of the "ret" variable. Consequently, the smartcard login could not be disabled in the system-config-authentication window if the pcsd package was installed. With this update, gdm_smartcard_extension_is_visible() has been modified to return the correct value. As a result, the described error no longer occurs.

BZ#704245

When GDM was used to connect to a host via XDMCP (X Display Manager Control Protocol), another connection to a remote system using the "ssh -X" command resulted in failed authentication with the X server. Consequently, applications such as xterm could not be displayed on a remote system. This update provides a compatible MIT-MAGIC-COOKIE-1 key in the described scenario, thus fixing this incompatibility.

BZ#738462

Previously, X server audit messages were not included by default in the X server log. Now, those messages are unconditionally included in the log. Also, with this update, verbose messages are added to the X server log if debugging is enabled in the /etc/gdm/custom.conf file by setting "Enable=true" in the "debug" section.

BZ#820058

Previously, after booting the system, the following message occurred in the /var/log/gdm/:0-greeter.log file:

gdm-simple-greeter[PID]: Gtk-WARNING: gtkwidget.c:5460: widget not within a GtkWindow

With this update, this warning is no longer displayed.

Enhancements

BZ#719647

With this update, GDM has been modified to allow smartcard authentication when the visible user list is disabled.

BZ#834303

Previously, the GDM debugging logs were stored in the /var/log/messages file. With this update, a separate /var/log/gdm/daemon.log file has been established for these debugging logs.

BZ#790400

Prior to this update, ,the gd graphics library handled inverted Y coordinates incorrectly, when changing the thickness of a line. As a consequence, lines with changed thickness were drawn incorrectly. This update modifies the underlying code to draw lines with changed thickness correctly.

BZ#818755

Prior to this update, the geronimo-specs-compat package description contained inaccurate references. This update removes these references so that the description is now accurate.

Bug Fixes

BZ#804686

Prior to this update, a logic error caused the DNS code of glibc to incorrectly handle rejected responses from DNS servers. As a consequence, additional servers in the /etc/resolv.conf file could not be searched after one server responded with a REJECT. This update modifies the logic in the DNS. Now, glibc cycles through the servers listed in /etc/resolv.conf even if one returns a REJECT response.

BZ#806404

Prior to this update, the nss/getnssent.c file contained an unchecked malloc call and an incorrect loop test. As a consequence, glibc could abort unexpectedly. This update modifies the malloc call and the loop test.

BZ#809726

Prior to this update, locale data for the characters in the range a-z were incorrect in the Finnish locale. As a consequence, some characters in the range a-z failed to print correctly in the Finnish locale. This update modifies the underlying code to provide the correct output for these characters. Now, characters in the Finnish locale print as expected.

BZ#823909

If a file or a string was in the IBM-930 encoding, and contained the invalid multibyte character "0xffff", attempting to use iconv() (or the iconv command) to convert that file or string to another encoding, such as UTF-8, resulted in a segmentation fault. Now, the conversion code for the IBM-930 encoding recognizes this invalid character and calls an error handler, rather than causing a segmentation fault.

BZ#826149

Prior to this update, the fnmatch() function failed with the return value -1 when the wildcard character "*" was part of the pattern argument and the file name argument contained an invalid multibyte encoding. This update modifies the fnmatch() code to recognize this case. Now, the invalid characters are treated as not matching and then the process proceeds.

BZ#827362

Prior to this update, the internal FILE offset was set incorrectly in wide character streams. As a consequence, the offset returned by ftell was incorrect. In some cases, this could result in over-writing data. This update modifies the ftell code to correctly set the internal FILE offset field for wide characters. Now, ftell and fseek handle the offset as expected.

BZ#829222

Prior to this update, the /etc/rpc file was not set as a configuration file in the glibc build. As a consequence, updating glibc caused the /etc/rpc file to be replaced without warning or creating a backup copy. This update correctly marks /etc/rpc as a configuration file. Now, the existing /etc/rpc file is left in place, and the bundled version can be installed in /etc/rpc.rpmnew.

BZ#830127

Prior to this update, the vfprintf command returned the wrong error codes when encountering an overflow. As a consequence, applications which checked return codes from vfprintf could get unexpected values. This update modifies the error codes for overflow situations.

BZ#832516

Prior to this update, the newlocale flag relied entirely on failure of an underlying open() call to set the errno variable for an incorrect locale name. As a consequence, the newlocale() function did not set the errno variable to an appropriate value when failing, if it has already been asked about the same incorrect locale name. This update modifies the logic in the loadlocale call so that subsequent attempts to load a non-existent locale more than once always set the errno variable appropriately.

BZ#832694

Prior to this update, the ESTALE error message referred only to NFS file systems. As a consequence, users were confused when non-NFS file systems triggered this error. This update modifies the error message to apply the error message to all file systems that can trigger this error.

BZ#835090

Prior to this update, an internal array of name servers was only partially initialized when the /etc/resolv.conf file contained IPV6 name servers. As a consequence, applications could, depending on the exact contents of a nearby structure, abort. This update modifies the underlying code to handle IPV6 name servers listed in /etc/resolv.conf.

BZ#837695

Prior to this update, a buffer in the resolver code for glibc was too small to handle results for certain DNS queries. As a consequence, the query had to be repeated after a larger buffer was allocated and wasted time and network bandwidth. This update enlarges the buffer to handle the larger DNS results.

BZ#837918

Prior to this update, the logic for the functions exp, exp2, pow, sin, tan, and rint was erroneous. As a consequence, these functions could fail when running them in the non-default rounding mode. With this update, the functions return correct results across all 4 different rounding modes.

BZ#841787

Prior to this update, glibc incorrectly handled the options rotate option in the /etc/resolv.conf file if this file also contained one or more IPv6 name servers. As a consequence, DNS queries could unexpectedly fail, particularly when multiple queries were issued by a single process. This update modifies the internalization of the listed servers from /etc/resolv.conf into internal structures of glibc, as well as the sorting and rotation of those structures to implement the options rotate capability. Now, DNS names are resolved correctly in glibc.

BZ#846342

Prior to this update, certain user-defined 32 bit executables could issue calls to the memcpy() function with overlapping arguments. As a consequence, the applications invoked undefined behavior and could fail. With this update, users with 32 bit applications which issue the memcpy function with overlapping arguments can create the /etc/sysconfig/32bit_ssse3_memcpy_via_32bit_ssse3_memmove. If this file exists, glibc redirects all calls to the SSSE3 memcpy copiers to the SSSE3 memmove copier, which is tolerant of overlapping arguments.

Important

We strongly encourage customers to identify and fix these problems in their source code. Overlapping arguments to memcpy() is a clear violation of the ANSI/ISO standards and Red Hat does not provide binary compatibility for applications which violate these standards.

BZ#847932

Prior to this update, the strtod(), strtof(), and strtold() functions to convert a string to a numeric representation in glibc contained multiple integer overflow flaws. This caused stack-based buffer overflows. As a consequence, these functions could cause an application to abort or, under certain circumstances, execute arbitrary code. This update modifies the underlying code to avoid these faults.

BZ#848082

Prior to this update, the setlocale() function failed to detect memory allocation problems. As a consequence, the setlocale() function eventually core dumped, due to NULL pointers or uninitialized strings. This update modifies the setlocale code to insure that memory allocation succeeded. Now, the setlocale() function no longer core dumps.

BZ#849651

Prior to this update, the expf() function was considerably slowed down when saving and restoring the FPU state. This update adds a hand optimized assembler implementation of the expf() function for Intel 64 and AMD64 platforms. Now, the expf() function is considerably faster.

BZ#852445

Prior to this update, the PowerPC specific pthread_once code did not correctly publish changes it made. As a consequence, the changes were not visible to other threads at the right time. This update adds release barriers to the appropriate thread code to ensure correct synchronization of data between multiple threads.

BZ#861167

This update adds the MADV_DONTDUMP and MADV_DODUMP macros to the mman.h file to compile code that uses these macros.

BZ#863453

Prior to this update, the nscd daemon attempted to free a pointer that was not provided by the malloc() function, due to an error in the memory management in glibc. As a consequence, nscd could terminate unexpectedly, when handling groups with a large number of members. This update ensures that memory allocated by the pool allocator is no longer passed to free. Now, the pool allocator's garbage collector reclaims the memory. As a result, nscd no longer crashes on groups with a large number of members.

BZ#864322

Prior to this update, the IPTOS_CLASS definition referenced the wrong object. As a consequence, applications that referenced the IPTOS_CLASS definition from the ip.h file did not build or failed to operate as expected. This update modifies the definition to reference the right object and applications that reference to the IPTOS_CLASS definition.

Bug Fix

BZ#989558

The C library security framework was unable to handle dynamically loaded character conversion routines when loaded at specific virtual addresses. This resulted in an unexpected termination with a segmentation fault when trying to use the dynamically loaded character conversion routine. This update enhances the C library security framework to handle dynamically loaded character conversion routines at any virtual memory address, and crashes no longer occur in the described scenario.

Bug Fixes

BZ#964044

A fix to prevent logic errors in various mathematical functions, including exp, exp2, expf, exp2f, pow, sin, tan, and rint, caused by inconsistent results when the functions were used with the non-default rounding mode, creates performance regressions for certain inputs. The performance regressions have been analyzed and the core routines have been optimized to bring performance back to reasonable levels.

BZ#970992

A program that opens and uses dynamic libraries which use thread-local storage variables may terminate unexpectedly with a segmentation fault when it is being audited by a module that also uses thread-local storage. This update modifies the dynamic linker to detect such a condition, and crashes no longer occur in the described scenario.

Bug Fix

BZ#1001050

A defect in the name service cache daemon (nscd) caused cached DNS queries, under certain conditions, to return only IPv4 addresses when querying for an address using the AF_UNSPEC address family, even though IPv4 and IPv6 results existed. The defect has been corrected and nscd correctly returns both IPv4 and IPv6 results if they both exist.

BZ#829891

Previously, when a user hit the system's hot-key (most commonly Fn+F7) to change display configurations, the system could potentially switch to an invalid mode, which would fail to display. With this update, gnome-desktop now selects valid XRandR modes and correctly switching displays with the hot-key works as expected.

Bug Fixes

BZ#744980

If a package adds or removes a .repo file while updates are being installed, PackageKit (packagekitd) sends a RepoListChanged() message. If Software Update (/usr/bin/gpk-update-viewer) was being used to install these updates it responded to the message by attempting to refresh the available updates list. This resulted in said list going blank. As of this update, gpk-update-viewer ignores such signals from packagekitd, leaving the available updates list visible and unchanged.

BZ#744906

When a 64-bit Red Hat Enterprise Linux instance had both 32-bit and 64-bit versions of a package installed, and an update for both packages was available and presented in the Software Update (/usr/bin/gpk-update-viewer) window, the summary and package name appeared for both architectures. Package size and the errata note only presented for the 32-bit version, however. For the 64-bit version, the size column remained blank. And, when the 64-bit version was selected in Software list, the display pane below presented a ‘Loading...’ message rather than the errata note. With this update, gpk-update-viewer seeks out the exact package ID before falling back to the package name, ensuring both package versions are found and associated meta-data displayed when more than one package architecture is installed.

BZ#694793

When an application is installed using the Add/Remove Software interface (/usr/bin/gpk-application), a dialogue box appears immediately post-install offering a Run button. Clicking this button launches the newly-installed program. Previously, under some circumstances, an improperly assigned pointer value meant clicking this Run button caused gpk-application to crash (segfault). With this update, the pointer is correctly assigned and gpk-application no longer crashes when launching a newly-installed application.

BZ#669798

Previously, it was possible for an ordinary user to shutdown their system or log-out from a session while the PackageKit update tool was running. Depending on the transaction PackageKit was engaged in when the shutdown or logout was initiated, this could damage the RPM database and, consequently, damage the system. With this update, when ordinary users attempting to shutdown or log out while PackageKit is running an update, PackageKit inhibits the process and presents the user with an alert:

A transaction that cannot be interrupted is running.

Note: this update does not prevent a root user (or other user with equivalent administrative privileges) from shutting the system down or logging an ordinary user out of their session.

Bug Fixes

BZ#648869

Previously, NVIDIA hardware did not support the X Resize and Rotate Extension (xRandR) gamma changes. Consequently, the fade-out function did not work on the NVIDIA hardware. With this update, xRandR gamma support detection code fails on NVIDIA cards, and the XF86VM gamma fade extension is automatically used as a fallback so the fade-out function works as expected.

BZ#744763

Previously, the mouse cursor could be moved to a non-primary monitor so the unlock dialog box did not appear when the user moved the mouse. This bug has been fixed and the mouse cursor can no longer be moved to a non-primary monitor. As a result, the unlock dialog box comes up anytime the user moves the mouse.

BZ#752230

Previously, the shake animation of the unlock dialog box could appear to be very slow. This was because the background was updated every time the window's size allocation changed, and the widget's size allocation consequently changed every frame of the shake animation. The underlying source code has been modified to ensure a reasonable speed of the shake animation.

BZ#759395

When a Mandatory profile was enabled, the "Lock screen when screen saver is active" option in the Screensaver Preferences window was not disabled. This bug could expose the users to a security risk. With this update, the lock-screen option is disabled as expected in the described scenario.

BZ#824752

When using dual screens, moving the mouse did not unlock gnome-screensaver after the initial timeout. The users had to press a key to unlock the screen. The underlying source code has been modified and the user can now unlock gnome-screensaver by moving the mouse.

Bug Fix

BZ#994868

Previously, when using virt-manager, virt-viewer, and spice-xpi applications, users were unable to enter the gnome-screensaver password after the screen saver started. This happened only when the VM system used the Compiz composting window manager. After users released the mouse cursor, then pressed a key to enter a password, the dialog did not accept any input. This happened due to incorrect assignment of window focus to applications that did not drop their keyboard grab. With this update, window focus is now properly assigned to the correct place, and attempts to enter the gnome-screensaver password no longer fail in the described scenario.

Bug Fixes

BZ#805064

Previously, the LED indicators of some Wacom graphics tablets were not supported in the gnome-settings-daemon package. Consequently, the status LEDs on Wacom tablets would not accurately indicate the current control mode. With this update, LED support has been added to gnome-settings-daemon. As a result, the tablet LEDs now work as epected.

BZ#812363

Previously, using function keys without modifiers (F1, F2, and so on) as keyboard shortcuts for custom actions did not work. With this update, a patch has been added to fix this bug. As a result, gnome-settings-daemon now allows unmodified function keys to be used as keyboard shortcuts for custom actions.

BZ#824757

In certain cases, the gnome-settings-daemon did not properly handle the display configuration settings. Consequently, using the system's hot-key to change the display configuration either did not select a valid XRandR configuration or kept monitors in clone mode. This bug has been fixed and gnome-settings-daemon now selects valid XRandR modes and handles the clone mode as expected.

BZ#826128

Previously, connecting a screen tablet to a computer before activation of the tablet screen caused the input device to be matched with the only available monitor - the computer screen. Consequently, the stylus motions were incorrectly mapped to the computer screen instead of the tablet itself. With this update, a patch has been introduced to detect the tablet screen as soon as it becomes available. As a result, the device is correctly re-matched when the tablet screen is detected.

BZ#839328

Previously, using the shift key within a predefined keyboard shortcut mapped to the tablet's ExpressKey button caused gnome-settings-daemon to crash after pressing ExpressKey. This bug has been fixed, and the shortcuts which use the shift key can now be mapped to ExpressKey without complications.

BZ#853181

Prior to this update, the mouse plug-in in the gnome-settings-daemon package interfered with Wacom devices. Consequently, using ExpressKey on a tablet after hot-plugging generated mouse click events. With this update, the mouse plug-in has been fixed to ignore tablet devices and the interference no longer occurs.

BZ#886922

Previously, on tablets with multiple mode-switch buttons such as the Wacom Cintiq 24HD, all mode-switch buttons would cycle though the different modes. With this update, each different mode-switch button will select the right mode for the given button.

BZ#861890

Due to a bug in the gnome settings daemon, changing the monitor layout led to incorrect tablet mapping. With this update, the graphics tablet mapping is automatically updated when the monitor layout is changed. As a result, the stylus movements are correctly mapped after the layout change and no manual update is needed.

Enhancements

BZ#772728

With this update, several integration improvements for Wacom graphics tablets have been backported from upstream: - touchscreen devices are now automatically set in absolute mode instead of relative - memory leaks on tablet hot plug have been fixed - ExpressKeys no longer fail after the layout rotation - test applications are now included in the package to help with debugging issues.

BZ#858255

With this update, the touch feature of input devices has been enabled in the default settings of gnome-settings-daemon.

BZ#819796

Prior to this update, gnome-terminal was not completely localized into Asamese. With this update, the Assamese locale has been updated.

Bug Fixes

BZ#648297

Previously, the gnutls_priority_init.3 man page contained incorrect information on the gnutls-2.8.5-safe-renegotiation patch, particularly on special control keywords. The manual page has been updated to provide accurate information about the described subject.

BZ#745242

Prior to this update, the gnutls_x509_privkey_import() function failed to load private keys in the PKCS#8 format. Consequently, these keys were not processed by applications which use gnutls_x509_privkey_import(). This bug has been fixed, and gnutls_x509_privkey_import() now allows loading of private keys formatted in PKCS#8.

BZ#771378

Multiple bugs were present in the implementation of the TLS-1.2 protocol in the gnutls package. Consequently, gnutls was incompatible with clients and servers conforming to the TLS-1.2 protocol standard. With this update, the TLS-1.2 implementation has been fixed. As a result, the compatibility of gnutls with other TLS-1.2 clients and servers is now assured.

BZ#807746

Previously, the gnutls-cli-debug man page contained typographical errors and incorrect information on the command-line options. The manual page has been updated, and no longer contains the aforementioned errors.