Chapter 6. Notable Bug Fixes
This chapter describes bugs fixed in Red Hat Enterprise Linux 7.9 that have a significant impact on users.
6.1. Authentication and Interoperability
A deadlock no longer occurs when using SASL binds to Directory Server
Previously, a SASL bind to Directory Server could attempt to use callbacks that were modified during the connection process. Consequently, a deadlock occurred, and Directory Server could terminate unexpectedly. With this update, the server uses a connection lock that prevents modifying IO layers and callbacks while they are in use. As a result, the deadlock no longer occurs when using SASL binds.
The 389-ds-base package now sets the required permissions on directories owned by the Directory Server user
If directories in the file system owned by the Directory Server user do not have the correct permissions, Directory Server utilities adjust them accordingly. However, if these permissions were different from the ones that were set during the RPM installation, verifying the RPM using the rpm -V 389-ds-base command failed. This update fixes the permissions in the RPM. As a consequence, verifying the 389-ds-base package no longer complains about incorrect permissions.
A memory leak has been fixed in Directory Server when using ip binding rules in an ACI with IPv6
The Access Control Instruction (ACI) context in Directory Server is attached to a connection and contains a structure for both the IPv4 and the IPv6 protocol. Previously, when a client closed a connection, Directory Server removed only the IPv4 structure and the context. As a consequence, if an administrator configured an ACI with an ip binding rule, Directory Server leaked the memory of the IPv6 structure. With this update, the server frees both the IPv4 and IPv6 structures at the end of a connection. As a result, Directory Server no longer leaks memory in the mentioned scenario.
Directory Server no longer leaks memory when using ACIs with an ip bind rule
When a Directory Server Access Control Instruction (ACI) contains an ip bind rule, the server stores the value of the ip keyword as a reference while evaluating the ACI. Previously, when the evaluations were completed, Directory Server did not free the ip value. As a consequence, the server leaked around 100 bytes of memory each time it evaluated an ACI with an ip bind rule. With this update, Directory Server keeps track of the ip value in the per-connection structure and frees the structure when the connection is closed. As a consequence, Directory Server no longer leaks memory in the mentioned scenario.
Directory Server no longer rejects wildcards in the rootdn-allow-ip and rootdn-deny-ip parameters
Previously, when an administrator tried to set a wildcard in the rootdn-allow-ip or rootdn-deny-ip parameters in the cn=RootDN Access Control Plugin,cn=plugins,cn=config entry, Directory Server rejected the value. With this update, you can use wildcards when specifying allowed or denied IP addresses in the mentioned parameters.
Directory Server rejects update operations if retrieving the system time fails or the time difference is too large
Previously, when calling the system time() function failed or the function returned an unexpected value, Change Sequence Numbers (CSN) in Directory Server could become corrupted. As a consequence, the administrator had to re-initialize all replicas in the environment. With this update, Directory Server rejects the update operation if the time() function failed, and Directory Server no longer generates corrupt CSNs in the mentioned scenario.
Note that, if the time difference is greater than one day, the server logs an INFO - csngen_new_csn - Detected large jump in CSN time message in the /var/log/dirsrv/slapd-<instance_name>/error file. However, Directory Server still creates the CSN and does not reject the update operation.
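The two behaviours described above (reject the update when the clock call fails, but only log a notice and still issue a CSN on a jump of more than one day) as an added, simplified illustration; this is not 389-ds-base code. The 20-character CSN layout, the csngen_t structure and the injectable clock are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Assumed, simplified CSN layout: 8 hex chars of seconds, 4 hex sequence
 * number, 4 hex replica ID, 4 hex sub-sequence number (20 characters). */
#define CSN_STRLEN 20
#define CSN_LARGE_JUMP_SECS (24L * 60 * 60)   /* "large jump" threshold: one day */

typedef time_t (*clock_fn)(void);   /* injectable clock so a failure can be simulated */

typedef struct {
    unsigned int replica_id;
    time_t last_time;     /* seconds used by the most recent CSN */
    unsigned int seqnum;  /* counter for CSNs issued within the same second */
} csngen_t;

void csngen_init(csngen_t *gen, unsigned int replica_id, time_t start)
{
    gen->replica_id = replica_id;
    gen->last_time = start;
    gen->seqnum = 0;
}

/* Returns 0 and fills csn on success. Returns -1 when the clock fails; no CSN
 * is produced then and the caller must reject the update. *jumped is set to 1
 * when the clock moved more than one day relative to the last CSN; the CSN is
 * still produced in that case and only a notice is logged. */
int csngen_new_csn(csngen_t *gen, clock_fn now, char csn[CSN_STRLEN + 1], int *jumped)
{
    time_t cur = now();
    long delta;

    *jumped = 0;
    if (cur == (time_t)-1)
        return -1;                         /* time() failed: reject rather than corrupt */

    delta = (long)(cur - gen->last_time);
    if (delta > CSN_LARGE_JUMP_SECS || delta < -CSN_LARGE_JUMP_SECS) {
        *jumped = 1;
        fprintf(stderr, "INFO - csngen_new_csn - Detected large jump in CSN time\n");
    }

    /* Never let the time component go backwards: reuse the last second and
     * bump the sequence number instead, so CSNs stay unique and ordered. */
    if (cur <= gen->last_time) {
        cur = gen->last_time;
        gen->seqnum++;
    } else {
        gen->last_time = cur;
        gen->seqnum = 0;
    }
    snprintf(csn, CSN_STRLEN + 1, "%08lx%04x%04x%04x",
             (unsigned long)cur, gen->seqnum & 0xffffU, gen->replica_id & 0xffffU, 0U);
    return 0;
}

/* Constructed clocks for the demonstration, not real time sources. */
time_t fake_now;                                   /* value returned by fake_clock */
time_t fake_clock(void) { return fake_now; }
time_t failing_clock(void) { return (time_t)-1; }  /* models a failed time() call */
```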
Directory Server no longer hangs while updating the schema
Previously, during a mixed load of search and modify operations, the update of the Directory Server schema blocked all search and modify operations, and the server appeared to hang. This update adjusts the mutex locking during schema updates. As a result, the server does not hang while updating the schema.
Directory Server no longer leaks memory when using indirect COS definitions
Previously, after processing an indirect Class Of Service (COS) definition, Directory Server leaked memory for each search operation that used an indirect COS definition. With this update, Directory Server frees all internal COS structures associated with the database entry after it has been processed. As a result, the server no longer leaks memory when using indirect COS definitions.
Password expiration notifications sent to AD clients using SSSD
Previously, Active Directory clients (non-IdM) using SSSD were not sent password expiration notices because of a recent change in the SSSD interface for acquiring Kerberos credentials.
The Kerberos interface has been updated and expiration notices are now sent correctly.
KDCs now correctly enforce password lifetime policy from LDAP backends
Previously, non-IPA Kerberos Distribution Centers (KDCs) did not ensure maximum password lifetimes because the Kerberos LDAP backend incorrectly enforced password policies. With this update, the Kerberos LDAP backend has been fixed, and password lifetimes behave as expected.
The pkidaemon tool now reports the correct status of PKI instances when nuxwdog is enabled
Previously, the pkidaemon status command would not report the correct status for PKI server instances that have the nuxwdog watchdog enabled. With this update, pkidaemon detects whether nuxwdog is enabled and reports the correct status of the PKI server.
6.2. Compiler and Tools
The strptime() method of the Time::Piece Perl module now correctly parses Julian dates
The Time::Piece Perl module did not correctly parse a day of the year (%j) using the strptime() method. Consequently, Julian dates were parsed incorrectly. This bug has been fixed, and the strptime() method provided by the Time::Piece module now handles Julian dates properly.
Documentation files from perl-devel no longer have a write permission for a group
Previously, certain documentation files from the perl-devel package had a write permission set for a group. Consequently, users in the root group could write into these files, which represented a security risk. With this update, the write bit for a group has been removed for the affected files. As a result, no documentation file from perl-devel has a write permission set for a group.
6.3. Kernel
Resuming from hibernation now works on the megaraid_sas driver
Previously, when the megaraid_sas driver resumed from hibernation, the Message Signaled Interrupts (MSIx) allocation did not work correctly. As a consequence, resuming from hibernation failed, and restarting the system was required. This bug has been fixed, and resuming from hibernation now works as expected.
(BZ#1807077)
Disabling logging in the nf-logger framework has been fixed
Previously, when an admin used the sysctl or echo commands to turn off an assigned netfilter logger, a NUL character was not added to the end of the NONE string. Consequently, the strcmp() function failed with a No such file or directory error. This update fixes the problem. As a result, commands such as sysctl net.netfilter.nf_log.2=NONE work as expected and turn off logging.
(BZ#1770232)
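The string-termination defect described above, as an added illustration that is not the kernel's own code: the buffer size, the function names and the pre-filled "stale" buffer contents are assumptions made so the failure is deterministic. The example has no logger registry, so any name other than NONE answers -ENOENT.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define NFLOGGER_NAME_LEN 64   /* assumed size of the logger-name buffer */

/* The defect as described: the bytes written to the sysctl are copied into a
 * fixed buffer, but no NUL is placed after them. Whatever already sits in the
 * buffer past the copied bytes becomes part of the string, so "NONE" compares
 * as "NONE<leftover>" and the lookup fails with -ENOENT ("No such file or
 * directory"). The buffer is pre-filled here to stand in for stale contents. */
int nf_log_select_buggy(const char *value, size_t len)
{
    char name[NFLOGGER_NAME_LEN];

    if (len >= sizeof(name))
        return -EINVAL;
    memset(name, 'X', sizeof(name) - 1);   /* models leftover stack contents */
    name[sizeof(name) - 1] = '\0';
    memcpy(name, value, len);              /* no terminator written after the value */
    if (strcmp(name, "NONE") == 0)
        return 0;                          /* logging off for this protocol family */
    return -ENOENT;                        /* no registered logger has this name */
}

/* Corrected handling: terminate the copy explicitly and drop the trailing
 * newline that `echo NONE > ...` passes along. */
int nf_log_select_fixed(const char *value, size_t len)
{
    char name[NFLOGGER_NAME_LEN];

    if (len >= sizeof(name))
        return -EINVAL;
    memset(name, 'X', sizeof(name) - 1);   /* same stale contents as above */
    name[sizeof(name) - 1] = '\0';
    memcpy(name, value, len);
    name[len] = '\0';                      /* the missing NUL terminator */
    if (len > 0 && name[len - 1] == '\n')
        name[len - 1] = '\0';
    if (strcmp(name, "NONE") == 0)
        return 0;
    return -ENOENT;
}
```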
XFS now mounts correctly even if the storage device reported invalid geometry at file system creation
In RHEL 7.8, an XFS file system failed to mount with the error SB stripe unit sanity check failed if it was created on a block device that reported invalid stripe geometry to the mkfs.xfs tool.
With this update, XFS now mounts the file system even if it was created based on invalid stripe geometry.
For details, see the following solution article: https://access.redhat.com/solutions/5075561.
(BZ#1836292)
6.4. Networking
The same zone file can now be included in multiple views or zones in BIND
BIND 9.11 introduced an additional check to ensure that no daemon-writable zone file is used multiple times, because doing so would cause errors in zone journal serialization. Consequently, a configuration accepted by BIND 9.9 was no longer accepted by this daemon. With this update, the fatal error in the configuration file check is replaced by a warning, and as a result, the same zone file can now be included in multiple views or zones.
Note that using an in-view clause is recommended as a better solution.
A configuration parameter has been added to firewalld to disable zone drifting
Previously, the firewalld service contained an undocumented behavior known as "zone drifting". RHEL 7.8 removed this behavior because it could have a negative security impact. As a consequence, on hosts that used this behavior to configure a catch-all or fallback zone, firewalld denied connections that were previously allowed. This update re-adds the zone drifting behavior, but as a configurable feature. As a result, users can now decide to use zone drifting or disable the behavior for a more secure firewall setup.
By default, in RHEL 7.9, the new AllowZoneDrifting parameter in the /etc/firewalld/firewalld.conf file is set to yes. Note that, if the parameter is enabled, firewalld logs:
WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
RHEL rotates firewalld log files
Previously, RHEL did not rotate firewalld log files. As a consequence, the /var/log/firewalld log file grew indefinitely. This update adds the /etc/logrotate.d/firewalld log rotation configuration file for the firewalld service. As a result, the /var/log/firewalld log is rotated, and users can customize the rotation settings in the /etc/logrotate.d/firewalld file.
6.5. Security
Recursive dependencies no longer cause OpenSCAP crashes
Because systemd units can have dependent units, OpenSCAP scans could encounter cyclical dependencies that caused the scan to terminate unexpectedly. With this update, OpenSCAP no longer analyses previously analysed units. As a result, scans now complete with a valid result even if dependencies are cyclical.
OpenSCAP scanner results no longer contain a lot of SELinux context error messages
Previously, the OpenSCAP scanner logged the inability to get the SELinux context on the ERROR level even in situations where it is not a true error. Consequently, scanner results contained a lot of SELinux context error messages, and both the oscap command-line utility and the SCAP Workbench graphical utility outputs were hard to read for that reason. The openscap packages have been fixed, and scanner results no longer contain a lot of SELinux context error messages.
audit_rules_privileged_commands now works correctly for privileged commands
Remediation of the audit_rules_privileged_commands rule in the scap-security-guide packages did not account for a special case in parsing command names. Additionally, the ordering of certain rules prevented successful remediation. As a consequence, remediation of certain combinations of rules reported they were fixed although successive scans reported the rule as failing again. This update improves regular expressions in the rule and the ordering of the rules. As a result, all privileged commands are correctly audited after remediation.
Updated rule descriptions in the SCAP Security Guide
Because default kernel parameters cannot be reliably determined for all supported versions of RHEL, checking kernel parameter settings always requires explicit configuration. The text in the configuration guide mistakenly stated that explicit settings were not needed if the default version was compliant. With this update, the rule description in the scap-security-guide package correctly describes the compliance evaluation and the corresponding remediation.
configure_firewalld_rate_limiting now correctly rate-limits connections
The configure_firewalld_rate_limiting rule, which protects the system from Denial of Service (DoS) attacks, previously configured the system to accept all traffic. With this update, the system correctly rate-limits connections after remediating this rule.
dconf_gnome_login_banner_text no longer incorrectly fails
Remediation of the dconf_gnome_login_banner_text rule in the scap-security-guide packages previously failed after a failure to scan the configuration. As a consequence, the remediation could not properly update the login banner configuration, which was inconsistent with expected results. With this update, Bash and Ansible remediations are more reliable and align with the configuration check implemented using the OVAL standard. As a consequence, remediations now work properly and the rule passes after remediation.
scap-security-guide Ansible remediations no longer include the follow argument
Prior to this update, scap-security-guide Ansible remediations could contain the follow argument in the replace module. Because follow was deprecated in Ansible 2.5, and will be removed in Ansible 2.10, using such remediations caused an error. With the release of the RHBA-2021:1383 advisory, the argument has been removed. As a result, Ansible playbooks by scap-security-guide will work properly in Ansible 2.10.
Postfix-specific rules no longer fail if postfix is not installed
Previously, SCAP Security Guide (SSG) evaluated Postfix-specific rules independently of the postfix package installed on the system. As a result, SSG reported Postfix-specific rules as fail instead of notapplicable. With the release of the RHBA-2021:4781 advisory, SSG correctly evaluates Postfix-specific rules only if the postfix package is installed, and reports notapplicable if the postfix package is not installed.
Service Disabled rules are no longer ambiguous
Previously, rule descriptions for the Service Disabled type in the SCAP Security Guide provided options for disabling and masking a service but did not specify whether the user should disable the service, mask it, or both.
With the release of the RHBA-2021:1383 advisory, rule descriptions, remediations, and OVAL checks have been aligned and inform users that they must mask a service to disable it.
Fixed Ansible remediations for scap-security-guide GNOME dconf rules
Previously, Ansible remediations for some rules covering the GNOME dconf configuration systems were not aligned with the corresponding OVAL checks. Consequently, Ansible incorrectly remediated the following rules, marking them as failed in subsequent scans:
- dconf_gnome_screensaver_idle_activation_enabled
- dconf_gnome_screensaver_idle_delay
- dconf_gnome_disable_automount_open
With the update released in the RHBA-2021:4781 advisory, Ansible regular expressions have been fixed. As a result, these rules remediate correctly in the dconf configuration.
SELinux no longer blocks PCP from restarting unresponsive PMDAs
Previously, a rule that allows pcp_pmie_t processes to communicate with Performance Metric Domain Agents (PMDAs) was missing in the SELinux policy. As a consequence, SELinux prevented the pmsignal process from restarting unresponsive PMDAs. With this update, the missing rule has been added to the policy, and Performance Co-Pilot (PCP) can now restart unresponsive PMDAs.
SELinux no longer prevents auditd from halting or powering off the system
Previously, the SELinux policy did not contain a rule that allows the Audit daemon to start a power_unit_file_t systemd unit. Consequently, auditd could not halt or power off the system even when configured to do so in cases such as no space left on a logging disk partition.
With this update, the missing rule has been added to the SELinux policy. As a result, auditd can now halt or power off the system.
The chronyd service can now execute shells in SELinux
Previously, the chronyd process, running under chronyd_t, was unable to execute the chrony-helper shell script, because the SELinux policy did not allow chronyd to execute any shell. In this update, the SELinux policy allows the chronyd process to run a shell that is labeled shell_exec_t. As a result, the chronyd service starts successfully under the Multi-Level Security (MLS) policy.
(BZ#1775573)
Tang reliably updates its cache
When the Tang application generates its keys, for example, at first installation, Tang updates its cache. Previously, this process was unreliable, and the application cache did not update correctly to reflect Tang keys. This caused problems with using a Tang pin in Clevis, with the client displaying the error message Key derivation key not available. With this update, key generation and cache update logic was moved to Tang, removing the file watching dependency. As a result, the application cache remains in a correct state after cache update.
6.6. Servers and Services
cupsd now consumes less memory during PPD caching
Previously, the CUPS daemon consumed a lot of memory when many print queues with extensive PostScript Printer Description (PPD) files were created. With this update, cupsd checks whether a cached file exists and whether its timestamp is the same as or newer than that of the PPD file in /etc/cups/ppd; if so, it loads the cached file. Otherwise, it creates a new cached file based on the PPD file. As a result, memory consumption drops by 91% in the described scenario.
(BZ#1672212)
tuned no longer hangs on SIGHUP when a non-existent profile is selected
When the tuned service receives the SIGHUP signal, it attempts to reload the profile. Prior to this update, tuned was unable to correctly handle situations when:
- The tuned profile was set to a non-existent profile, or
- The automatic profile selection mode was active and the recommended profile was non-existent.
As a consequence, the tuned service became unresponsive and had to be restarted. This bug has been fixed, and the tuned service no longer hangs in the described scenarios.
Note that the tuned behavior has changed with this update. Previously, when the user executed the tuned-adm off command and restarted the tuned service, tuned tried to load the recommended profile. Now, tuned loads no profile even if the recommended profile exists.
tuned no longer applies settings from sysctl.d directories when the reapply_sysctl option is set to 1
Previously, if the reapply_sysctl configuration option was set to 1, the tuned profile applied sysctl settings from the /usr/lib/sysctl.d, /lib/sysctl.d, and /usr/local/lib/sysctl.d directories after applying sysctl settings from a tuned profile. Consequently, settings from these directories would override sysctl settings from the tuned profile. With this update, tuned no longer applies sysctl settings from the mentioned directories when the reapply_sysctl option is set to 1.
Note that to re-apply sysctl settings you need to move them from the mentioned directories to /etc/sysctl.d, /etc/sysctl.conf or /run/sysctl.d, or to a custom tuned profile.
6.7. Storage
LVM volumes on VDO now shut down correctly
Previously, the stacking of block layers on VDO was limited by the configuration of the VDO systemd units. As a result, the system shutdown sequence waited for 90 seconds when it tried to stop LVM volumes stored on VDO. After 90 seconds, the system uncleanly stopped the LVM and VDO volumes.
With this update, the VDO systemd units have been improved, and as a result, the system shuts down cleanly with LVM on VDO.
Additionally, the VDO startup configuration is now more flexible. You no longer have to add special mount options in the /etc/fstab file for most VDO configurations.
6.8. System and Subscription Management
microdnf no longer fails to retrieve the GPG key for a custom Satellite repository
Previously, the librhsm library, used internally by microdnf, incorrectly handled relative gpgkey paths, which are used in custom repositories hosted by Satellite. Consequently, when the user ran the microdnf command in a container to install a package signed with GNU Privacy Guard (GPG) from a custom repository through the host's Satellite subscription, microdnf failed with the following error:
GPG enabled: failed to lookup digest in keyring.
With this update, handling of relative gpgkey paths has been fixed in librhsm. As a result, the user can now successfully use the custom repository from Satellite inside containers.
(BZ#1708628)
YUM can now install RPM packages signed with GPG keys with revoked subkeys
Previously, the YUM utility could not install RPM packages signed with GNU Privacy Guard (GPG) keys with revoked subkeys. Consequently, YUM failed with the following error message:
signature X doesn't bind subkey to key, type is subkey revocation
This update introduces a change in the code that checks revocation before checking the binding signature. As a result, YUM can now install RPM packages signed with GPG keys with revoked subkeys.
6.9. RHEL in cloud environments
Using cloud-init to create virtual machines with XFS and swap now works correctly
Previously, using the cloud-init utility failed when creating a virtual machine (VM) with an XFS root file system and an enabled swap partition. In addition, the following error message was logged:
kernel: swapon: swapfile has holes
This update fixes the underlying code, which prevents the problem from occurring.