5.4 Technical Notes

NetworkManager allowed users to create completely insecure ad-hoc wireless networks and indeed, the default security setting for wifi sharing was "none". Because of this default setting and because NetworkManager did not warn users of the potential security risks, users could unwittingly compromise the security of their computers. Now, NetworkManager uses "WEP Passphrase" as the default security option for creating a new wifi network, and allows administrators to disable users' ability to share wifi connections without security in place, or their ability to share wifi connections at all. These measures make it less likely that a user could inadvertently compromise a sensitive system. (BZ#496247)

accessing the context (right-click) menu of the NetworkManager GNOME applet could trigger the GNOME Keyring Unlock dialog to appear, after which no X11 applications could receive keyboard or mouse events. Now, NetworkManager closes the context menu before requesting keyring items, and therefore avoids this situation. (BZ#476020)

NetworkManager did not export VPN configurations. When a user selected this function, NetworkManager would present an error message: "VPN setting invalid", even for a connection with valid settings. Network manager now exports VPN connections correctly. (BZ#485345)

due to faulty logic in the code, nm-applet would choose the lowest signal strength of all APs of the same SSID in the area and display this strength in the menu to represent the signal strength for that SSID. NetworkManager now correctly calculates wireless signal strength when multiple access points with the same SSID are present. (BZ#485477)

when NetworkManager fails to connect to a wifi network, it re-prompts the user for the passphrase for that network. Previously, NetworkManager did not retain the original text of the passphrase entered by the user. Therefore, when users selected the "Show password" option so that they could see what they had typed after a failed connection attempt, NetworkManager displayed the passphrase in hexadecimal form. NetworkManager now retains the original text of the passphrase and displays the original passphrase instead of a hexadecimal string when the user selects the "Show password" option. (BZ#466509)

NetworkManager has its own internal method of starting loopback devices, and does not use the configuration settings stored in /etc/sysconfig/network-scripts/ifcfg-lo. Previously, NetworkManager would produce an error, alerting users that the configuration settings were ignored. This error message could mislead users to think that a problem had occurred. Now, NetworkManager does not present this error message to the user, and avoids the potential confusion. (BZ#484060)

the NetworkManager package requires wpa_supplicant, but previously omitted the Epoch term for the wpa_supplicant package. Consequently, installing NetworkManager did not ensure that a suitable version of wpa_supplicant was installed on the system. Now, the NetworkManager package specifies the epoch for the version of wpa_supplicant that it requires. (BZ#468688)

NetworkManager displayed configuration options for VPN even when no VPN software was installed on the system. This could mislead users to think that they could make VPN connections in situations when it was not possible to make these connections. Now, the VPN submenu is hidden if no VPN services are installed on the system, avoiding the potential confusion. (BZ#464604)

some IPMI-enabled hardware makes use of UDP ports 623 (ASF Remote Management and Control Protocol) and 664 (ASF Secure Remote Management and Control Protocol), which corrupts other traffic on these ports, causing symptoms such as autofs mounts hanging. The OpenIPMI package provides a configuration file for xinetd that prevents other services from using these ports, so that they do not interfere with IPMI. On affected systems, the fix has to be enabled manually by setting "disabled = no" for the appropriate port(s) in /etc/xinetd.d/rmcp and (re)starting the xinetd service. (BZ#429329)

on the S/390 architecture, running "ipmicmd" to access the internal hash table of open connections caused the utility to segmentation fault. With this update, "ipmicmd" correctly handles the hash table and thus no longer crashes. (BZ#437013 )

the "rmcp_ping" utility did not perform checks on the arguments provided to it on the command line, and would accept invalid port numbers and/or start tags. (BZ#437256)

the ipmitool utility is shipped in the OpenIPMI-tools packages, and it was not possible to have other packages depend on "ipmitool" directly. These updated packages explicitly provide the "ipmitool" feature so that other packages are now able to reference it. (BZ#442784)

several libraries in the OpenIPMI packages contained unnecessary RPATH values, which have not been compiled in to these updated packages. (BZ#466119)

the OpenIPMI-devel packages contained manual pages which were already provided by the OpenIPMI packages and have therefore been removed from the OpenIPMI-devel packages. (BZ#466487)

the ipmievd daemon listens for events sent by the BMC to the SEL and logs those events to syslog. Previously, the OpenIPMI-tools package did not contain the init script for the "ipmievd" service. This init script is included in these updated packages. (BZ#469979)

previously, it was not possible to query "ipmitool" to determine whether SOL payloads were enabled or disabled for specific users. These updated packages introduce a new "ipmitool sol payload status" query that implements the "Gets User Payload Access Command" from the IPMI specification, thus allowing users' SOL payload access privileges to be queried. (BZ#470031)

the "ipmitool sel list" command displayed event IDs as hexadecimal numbers. However, it was not possible to then provide these values as parameters to other "ipmitool sel" commands. These packages include an updated ipmitool whose various "ipmitool sel" commands accept both decimal and hexadecimal ID values as parameters. (BZ#470805)

it was not possible to specify a Kg key with non-printable characters on the ipmitool command line. With this update, a Kg key can now be specified as a hexadecimal value using the '-y' command line option. (BZ#479252)

the "sensor list" section of the ipmitool(1) man page now describes each columnar value of the command "ipmitool sensors list". (BZ#479702)

new in this OpenIPMI 2.0.16 release is the OpenIPMI-gui package, which contains a GUI that provides a tree-structured view of the IPMI domains it is connected to. (BZ#504783)

the "ipmitool sol set" command now checks the values of arguments provided on the command line. (BZ#311231)

the ipmitool(1) man page has been updated to include descriptions for these commands: spd, picmg, hpm, firewall, fwum and kontronoem. (BZ#438539)

the /var/run/utmp configuration file is now correctly treated as a log file, and the hidden files (also known as "dot files") located in the root user's home directory are now checked for permission integrity only. These enhancements to AIDE should cause systems to produce fewer false alarms concerning files which have changed. (BZ#476542)

the "amtapetype" command had a bug in memory management: an invalid pointer was passed to the free() function. In some circumstances this caused amrecover to fail with a "Extractor child exited with status 2" error. The invalid pointer is no longer passed to free() and amrecover extracts files from a tape backup as expected. (BZ#476971)

previously, amanda sub-packages (including amanda-devel, amanda-server and amanda-client) were only required to be the same version as amanda: they did not check that their release was in sync with the base amanda package. This could cause the packages to go out-of-sync and malfunction if an attempt was made to update either the base amanda package or any of amanda's sub-packages. With this update, both the version and release are checked, ensuring all dependent packages remain in sync if either the base package or any sub-packages are updated. (BZ#497111)

a write-protected SD card could cause an installation failure even when the mount point was de-selected in the Disk Druid. (BZ#471883)

Anaconda occasionally attempted to delete nonexistent snapshots, which caused installation to fail. (BZ#433824)

if a boot file was retrieved via DHCP, Anaconda now saves it so that it can later be used to construct the default Kickstart file if the user boots with "ks" as a boot parameter. (BZ#448006)

driver disk locations can now be specified using the "dd=[URL]" option, where [URL] is an FTP, HTTP or NFS location. (BZ#454478)

the bootloader can now be located in the MBR on a software RAID1 boot partition. (BZ#475973)

Anaconda now installs multipath packages so that multipath devices work as expected following first reboot. (BZ#466614)

Anaconda prompted for the time zone even when the time zone was correctly specified in the Kickstart file. (BZ#481617)

on Itanium systems, the time stamps of installed files and directories were in the future. (BZ#485200)

the iSCSI Boot Firmware Table (iBFT) now works with Challenge-Handshake Authentication Protocol (CHAP) and reverse-CHAP setups. (BZ#497438)

Anaconda now correctly sets the umask on device nodes. (BZ#383531)

following a manual installation during which IPv6 was configured, the /etc/sysconfig/network-scripts/ifcfg-[interface] file (such as ifcfg-eth0) did not contain those IPv6 network details. (BZ#445394)

Anaconda now correctly handles LAN channel station (LCS) devices. (BZ#471101)

when using autostep mode with a Kickstart configuration file, Anaconda incorrectly prompted for a root password even when the root password was designated as encrypted. (BZ#471122)

empty repositories caused installation to fail. (BZ#476182)

large numbers of tape drives in the Kickstart file are now handled correctly. (BZ#476186)

hyphenated MAC address formats in the Kickstart file (e.g. "ksdevice=00-11-22-33-44-55") are now allowed. (BZ#480309)

an unexpected exception during Logical Unit Number (LUN) selection caused installation to fail. (BZ#475271)

when installing on a low-memory system or virtual machine over HTTP or FTP, a non-present "lspci" binary caused installation to fail. (BZ#476476)

Anaconda now correctly adds the user to the default group, and groups specified by "--groups", when performing a Kickstart installation. (BZ#454418)

the "cmdline" option, which specifies a non-Ncurses installation, is now honored in the Kickstart file. (BZ#456325)

Kickstart file download from an anonymous FTP site is now possible. (BZ#477536)

default configuration values are now suggested during System z installation. (BZ#475350)

hardware device descriptions have been enhanced to reflect expanded hardware support. (BZ#498511)

the Mellanox ConnectX mt26448 10Gb/E driver is now supported. (BZ#514971)

the mpt2sas driver is now supported. (BZ#475671)

the Emulex Tiger Shark converged network adatper is now supported. (BZ#496875)

the Marvell RAID bus controller MV64460/64461/64462 and Emulex OneConnect 10GbE NIC devices are now supported. (BZ#493179)

the IGB Virtual Function driver is now supported. (BZ#502875)

installation on RAID10 devices is now supported. (BZ#467996)

non-fatal errors and conditions are now ignored when installing from a Kickstart file. (BZ#455465)

stale LVM metadata can now be removed with the "--clearpart" option. (BZ#462615)

to aid in identifying the network card, an option to blink its LED for 5 minutes is now present. (BZ#473747)

IPv6 address validation on S/390 installations has been improved. (BZ#460579)

the previous aspell-nl update provided also an empty aspell-nl-debuginfo package. The dictionary packages for Aspell do not require debuginfo packages; this update therefore removes the extraneous aspell-nl-debuginfo package. (BZ#500540)

ausearch was unable to interpret tty audit records. tty records are specially-encoded, and the ausearch program could not decode them, which resulted in their being displayed in encoded form. These updated packages enable ausearch to interpret (i.e. decode correctly) TTY records, thus resolving the issue. ( BZ#497518 )

The aureport program was enhanced to add a '--tty' report option. This is a new report that was recently added to audit in order to aid in the review of TTY audit events. ( BZ#497518 )

when the log_format parameter was set to "NOLOG" in the auditd.conf configuration file, audit events which were queued in the internal message queue were not cleared after being written to dispatchers. This caused the internal message queue to grow over time, causing an auditd memory leak. With these updated packages the audit events in the internal message queue are properly cleared after being written, thus plugging the memory leak.

certain audit rules failed parser checks even though they were specified correctly, which prevented those rules from being loaded into the kernel. With this update, all correctly-specified audit rules pass parser checks and can be loaded into the kernel, thus resolving the problem.

the user-space audit tools use ausearch to search audit records. Ausearch does not contain logic to handle event-linked lists and previously, could not find records if they were out of chronological order. The logic to link these lists together and evaluate whether the list is complete is now available in the auparse library. Ausearch now uses auparse to handle these lists so that it can find records even when they are out of order. (BZ#235898)

the manual page for ausyscall did not document use of the "--exact" option. A description of "--exact" is now included. (BZ#471383)

due to a logic error, the "local_port = any" option for the audisp-remote plugin did not work as described in the manual page. When executed with this option, the plugin would display the error "Value any should only be numbers" and terminate. With the error corrected, the plugin works as documented. (BZ#474466)

previously, audisp would read not only its configuration file (in /etc/audisp/plugins.d/) but any files with names simlar to its configuration file found in the same directory, for example, backups of the configuration file. As a result, if a plugin were listed in more than one configuration file, it would be activated multiple times. audisp now reads only its configuration file and therefore avoids activating multiple copies of plugins. (BZ#476189)

previously, TTY audit results were reported in ausearch in their raw hexadecimal form. This format was not easily readable by humans, so ausearch now converts the hexadecimal strings and presents them as their corresponding keystrokes. Note that the "--tty" option has now been added to aureport to provide a convenient way of accessing the TTY audit report. (BZ#483086)

previously, when setting the output log format to "NOLOG", audit events would be added to the internal message queue but not removed from the queue when written to the dispatchers. The queue would therefore grow to consume available memory. Audit events are now removed from the internal queue to avoid this memory leak. (BZ#487237)

due to a logic error, auditctl was not correctly parsing options that included non-numeric characters. For example, the "-F a0!=-1" option would result in an error saying "-F value should be number for a0!=-1". With the error corrected, auditctl parses this rule correctly. (BZ#497542)

remote logging is a technology preview item and as such had some bugs. Robustness of this facility was improved.

on busy systems, pam had problems communicating with the audit system, which resulted in a timeout and being denied access to the system. We now loop a few times when checking for the event ACK.

On biarch system, a warning is emitted if audit rules don't cover both 64 & 32 bit syscalls of the same name.

Fix regression where msgtype couldn't be used for a range of types.

New aulast program helps analyse login session information.

If log rotation fails, auditd now leaves the old log writable.

A tcp_wrappers config option was added to auditd for remote logging.

Fix problem where negative uids in audit rules on 32 bit systems resulted in the wrong uid and therefore incorrect event logging.

when disabling caching using the system-config-authentication graphical interface or with the "authconfig --update --disablecache" command, authconfig did not properly stop ncsd, the name service cache daemon, which could have caused timeouts and delays during authentication or when user information was requested by applications. (BZ#471642)

on 64-bit architectures, a size mismatch between data structures led to an endlessly repeating pattern of output, though no error. This size mismatch has been fixed in this updated package so that authd works as expected.

attempting to connect to a Postgresql database using identd authentication resulted in error messages similar to the following in Postgresql's pg_log, where [user] is the username of the user attempting to connect:

CESTLOG:  invalidly formatted response from Ident server: "49795 ,
5432 : ERROR :[user]

This authd error has been corrected so that users are now able to log in successfully, thus resolving the issue.

previously, installing the authd package resulted in the creation of a user named "ident" with a home directory of /home/ident. With this updated package, the "ident" user is still created, but, by convention, ident's home directory is the root ("/") directory.

when connecting to an LDAP server while using SASL authentication, autofs occasionally failed with a segmentation fault, forcing users to restart the autofs service. This failure was caused by a double-free error in the cyrus-sasl module, which has been fixed in this updated package. Connecting to an LDAP server while using SASL authentication now works as expected. (BZ#504566)

Previously, automount did not return its status to its parent while it waited for the autofs daemon to complete its startup. As a result, the init script did not always report success when the service started sucessfully. Automount now returns its status and accurately reports when the service has started. (BZ#244177)

Autofs uses "umount -l" to clear active mounts at restart. This method results in getcwd() failing because the point from which the path is constructed has been detached from the mount tree. To resolve this a miscellaneous device node for routing ioctl commands to these mount points has been implemented in the autofs4 kernel module and a library added to autofs. This provides the ability to re-construct a mount tree from existing mounts and then re-connect them. (BZ#452122)

Previously, the version of autofs shipped with Red Hat Enterprise Linux 5 used the "-hosts" method as its default way to handle /net mounts. Using this method, it was necessary to reboot the client to release processes if if the connection to the server was lost. Now, autofs uses the "intr" option as its default, which allows the mount to be unmounted forcibly if necessary. (BZ#466673)

By default, autofs waits 60 seconds for a server to respond while performing a YP lookup. Previously, repeated attempts to perform lookups for non-existent directories could result in all available ports becoming congested. Autofs now maintains a cache of failed lookups and avoids repeated failures occupying the available ports. (BZ#469387)

The %{dist?} tag that is used by rpm spec files is defined in ~/.rpmmacros for the user building the package. However, this is not a reliable method of providing the "Release:" tag in a package, because the {%dist?} tag might not be defined for the user building the package. Previously, autofs relied on the {%dist?} tag to define "Release:" in its spec file, which meant that building it correctly depended on the user's ~/.rpmmacros file being set up appropriately. "Release:" is now defined directly in the autofs file system, which makes it more likely to build correctly on a greater number of systems. (BZ#471385)

Previously, the LDAP module lacked the ability to lock the server list. When used in SASL authenticated environments, this could cause autofs to fail if the credential for the connection became stale. The LDAP module can now lock a server list, and autofs refreshes and retries failed SASL connections. Autofs therefore performs more reliably when used in authenticated environments. (BZ#481139)

Submounts are detached threads that do not belong to the master map entry list. Previously, autofs did not release mount resources when a mount thread for a submount was terminated. With these resources not released, a segmentation fault during a shutdown or reboot of the system could result. Resources allocated to submounts are now explictly released in the code and the segmentation fault is therefore avoided. (BZ#482988)

Previously, autofs contained an an incorrect %token declaration in the master map parser. In some rare cases this could cause the timeout sent from the tokenizer to the parser to always be zero, which is interpreted as "never". As a result, indirect mounts would never expire, no matter how long they had been inactive. The %token declaration is now corrected, meaning that mounts expire as they should. (BZ#487151)

Previously, autofs used the select() function to process direct-mount maps and was therefore limited by the file descriptor limit (by default, 1024). As a consequence, autofs was not able to use direct-mount maps with numbers of entries larger than the limit, and would stop responding when it used up all available file descriptors. Now, autofs uses poll() instead of select() and is therefore no longer limited by the available file descriptors. Freed of this limitation, autofs can use large direct-mount maps. (BZ#487653)

Previously, autofs reported an incorrect buffer size internally when passing the startup status from the autofs daemon to the parent process. Although no specific consequences of this inaccuracy are known, the buffer size is now reported correctly to avoid any consequences arising in the future. (BZ#487656)

Previously, the additive hashing algorithm used by autofs to generate hash values would result in a clustering of values that favoured a small range of hash indexes and led to reduced performance in large maps. Autofs now uses a "one-at-a-time" hash function which gives a better distribution of hash values in large hash tables. Use of the "one-at-a-time" hash function safeguards lookup performance as maps increase to 8,000 entries and beyond. (BZ#487985)

Previously, autofs would not always read file maps. If a map had been loaded into cache, autofs would rely on checks to determine whether the map was up to date before reading the map. Because file maps require a linear search through the file, large maps consume significant resources to process. Now, autofs automatically loads file-based maps when it starts, and uses the map file mtime parameter to detemine whether the cache needs to be refresed. This avoids the processing overhead of checking a map before deciding whether to load it. (BZ#487986)

Previously, the autofs code contained a logic error that resulted in a crash under conditions of heavy load. When autofs was not able to create a new pthread, it would double free a value. Now, with the error corrected, when heavily loaded, autofs will fail to create a new pthread safely. It reports the failure, but does not crash. (BZ#489658)

Previously, autofs could use the LDAP server on a network only if the location of the LDAP server were specified manually. Now, if no LDAP server is specified, autofs can look up domain SRV server records to make LDAP connections. This functionality simplifies the use of autofs on networks where an LDAP server is available. (BZ#490476)

Previously, if a name lookup failed while creating a TCP or UDP client, automount would destroy the client, but would not set the rpc client to NULL. Therefore, subsequent lookup attempts would attempt to use the invalid rpc client, which would lead to a segmentation fault. Now, when a name lookup fails, autofs sets the rpc client to NULL, and therefore avoids the segmentation fault on subsequent lookup attempts. (BZ#491351)

Previously, in LDAP environments were both Red Hat Enterprise Linux and Solaris were in use, autofs would not correctly interpret master map keys added by Solaris. The auto_master file would therefore contain duplicate entries, where '%' symbols were interspersed between the characters of the map key names. Autofs now correctly parses the Solaris key names and does not create duplicate entries. (BZ#493074)

Previously, a stack variable was not initialized on entry to the create_udp_client() or create_tcp_client() functions. During an error exit, the stack variable was checked, and the corresponding file descriptor was closed if the variable had a value other than -1. This could result in incorrectly closing a file descriptor still in use. The stack variable is now initialized and descriptors currently in use should not be closed. (BZ#493223)

Due to a number of logic errors in the code, autofs could not remount a direct-mount NFS if the mount had expired following a map reload. The mount request would never complete, and "can't find map entry" would appear in the log. The logic errors are now fixed, and autofs can successfully remount an expired direct-mount NFS after a map reload. (BZ#493791)

Previously, thread locking was missing from the st_remove_tasks() function, which meant in turn that its calling function could not get the locks that it required. This could result in a segmentation fault and a crash of autofs. Now, with the thread locking properly in place, the segmentation fault is avoided. (BZ#494319)

Previously, when autofs looked up a host name where when one NFS server name was associated with multiple IP adresses, autofs would repeat the query many times. As a consequence of these multiple queries, the mount would take a long time. Now, redundant queries have been removed, so that autofs performs the mount more quickly. (BZ#495895)

When connecting to an LDAP server while using SASL authentication, autofs occasionally failed with a segmentation fault, forcing users to restart the autofs service. This failure was caused by a double-free error in the cyrus-sasl module, which has been fixed in this updated package. Connecting to an LDAP server while using SASL authentication now works as expected. (BZ#501612)

Previously, the method used by autofs to clean up pthreads was not reliable and could result in a memory leak. If the memory leak occurred, autofs would gradually consume all available memory and then crash. A small semantic change in the code prevents this memory leak from occurring now. (BZ#510530)

DNSSEC, the Domain Name System Security Extensions, are a set of specifications used to secure information provided by the domain name system. One of the specifications, DNSSEC Lookaside Validation (DLV), failed to handle unknown algorithms, which caused the name resolution of "gov" and "org" top-level domains to fail. DLV in these updated packages is now able to handle unknown algorithms, and thus the validation and resolution of top-level domains (such as "org" and "gov") succeeds, thus resolving the issue. (BZ#504794)

named occasionally crashed due to an assertion failure, and logged this error message to the system log:

named[PID]: socket.c:1649: INSIST(!sock->pending_recv) failed
named[PID]: exiting

This crash was caused by sockets being closed too early. With these updated packages, this assertion failure no longer occurs. (BZ#455802)

when using the '-4' option with the "host" and "dig" utilities to force them to use an IPv4 transport, the order in which IPv4 and IPv6 nameservers were listed in the /etc/resolv.conf configuration file affected whether the command would fail or succeed. This has been fixed so that these utilities continue to look for an IPv4 address, even past listed IPv6 addresses, when the '-4' option is supplied. (BZ#469441)

the "named-checkconf" utility ignored the "check-names" option in the /etc/named.conf configuration file, which caused the named daemon to fail to start, even if the configuration was valid. With these updated packages, "named-checkconf" no longer ignores the "check-names" option, and named starts up as expected. (BZ#491400)

the named init script did not handle the named_write_master_zones SELinux boolean or the permissions on the /var/named/ directory as documented. (BZ#494370)

a new configuration directive which informs secondary servers not to send DNS notify messages, "notify master-only", is now supported. (BZ#477651)

dynamic loading of database back-ends is now supported with these updated packages. (BZ#479273)

the "allow-query-cache" option, which allows control over access to non-authoritative data (such as cached data and root hints), is now supported. (BZ#483708)

the sample /etc/named.conf configuration file provided with these packages has been improved. (BZ#485393)

the "objdump" and "size" utilities were not recognizing ELF64-i386 object files. Such files are not normally produced on 32-bit x86 architectures. However, the kdump utility does produce such files on Physical Address Extension (PAE)-enabled kernels. With these updated packages, it is now possible to use the objdump and size utilities on ELF64-i386 object files. (BZ#457189)

due to a rare linking error, producing certain executables caused multi-megabyte zero-filled gaps in the executables. This did not affect the running of excutables affected by this bug. This linker error has been corrected in these updated packages so that executables do not contain spurious zero-filled gaps. (BZ#458301)

the error message for the "strings -n [non-number]" command were less clear than in the previous package release, and therefore has been reverted and clarified. (BZ#480009)

the c++filt(1) man page contained a typo when giving the syntax for the recognized '--strip-underscore' option. (BZ#485194)

the c++filt(1) man page incorrectly mentioned the '-j' and '--java' options, which are not available when running c++filt. These mentionings have been removed from the man page. (BZ#495196)

busybox provides a diff utility that is used extensively during installation. When this diff utility was called using the '-q' option, which reports only whether the files differ and not the details of how they differ, it always exited with an exit status of 0, indicating success. With this busybox update, the command "diff -q" correctly returns an exit status that corresponds to the same exit status returned when calling "diff" without the '-q' option, thus resolving the issue. (BZ#385661)

invoking the "uname -p" command resulted in the processor type being listed as "unknown" when it should have been listed, for example, as "x86_64", or "i686". With these updated packages, "uname -p" either prints the processor type if known, or, if it is unknown, then the command is silent. This behavior now corresponds to the behavior of the uname command in coreutils. (BZ#480105)

using BusyBox's rpm applet to install an rpm caused busybox to exit due to a segmentation fault caused by a memory corruption error. This has been fixed in these updated packages so that installing rpms using the "busybox rpm" command works as expected and does not fail with a segmentation fault. (BZ#466896)

the busybox packages also contained empty debuginfo packages. These have been removed from this update. (BZ#500547)

Removing a node from the cluster using the 'cman_tool leave remove' command now properly reduces the expected_votes and quorum.

Quickly starting and stopping the cman service no longer causes the cluster membership to become inconsistent across the cluster.

'group_tool ls fence' no longer exits with return code '1' when the group exists but has an id of zero.

Connections to openais are now allowed from an unprivileged CPG clients with the user 'ais' or an initial login group of 'ais'.

Nodes are no longer ejected from the cluster that were quorate on their own if they do not have a state.

a buffer could overflow if cluster.conf had more than 52 entries per block inside the <cman> block. The limit is now 1024.

the output of the group_tool dump subcommands were NULL padded.

using device="" instead of label="" no longer causes qdiskd to incorrectly exit.

the IPMI fencing agent has been modified to time out after 10 seconds. It is also now possible to specify a different timeout value with the '-t' option.

the IPMI fencing agent now allows punctuation in passwords.

quickly starting and stopping the cman service no longer causes the cluster membership to become inconsistent across the cluster.

an issue with lock syncing caused 'receive_own from' errors to be logged to '/var/log/messages'.

an issue which caused gfs_controld to segfault when mounting hundreds of file systems has been fixed.

the LPAR fencing agent now properly reports status when an LPAR is in Open Firmware mode.

the LPAR fencing agent now works properly with systems using the Integrated Virtualization Manager (IVM).

the APC SNMP fencing agent now properly recognizes outletStatusOn and outletStatusOff return codes from the SNMP agent.

the WTI fencing agent can now connect to fencing devices with no password.

the rps-10 fencing agent now properly performs a reboot when run with no options.

the IPMI fencing agent now supports different cipher types with the '-C' option.

qdisk now properly scans devices and partitions.

cman now checks to see if a new node has state to prevent killing the first node during cluster setup.

'service qdiskd start' now works properly.

the McData fence agent now works properly with the McData Sphereon 4500 Fabric Switch.

the Egenera fence agent can now specify an SSH login name.

the APC fence agent now works with non-admin accounts when using the 3.5.x firmware.

fence_xvmd now tries two methods to reboot a virtual machine.

connections to OpenAIS are now allowed from unprivileged CPG clients with the user and group of 'ais'.

groupd no longer allows the default fence domain to be '0', which previously caused rgmanager to hang. Now, rgmanager no longer hangs.

the RSA fence agent now supports SSH enabled RSA II devices.

the DRAC fence agent now works with the Integrated Dell Remote Access Controller (iDRAC) on Dell PowerEdge M600 blade servers.

fixed a memory leak in cman.

qdisk now displays a warning if more than one label is found with the same name.

the DRAC5 fencing agent now shows proper usage instructions for the '-D' option.

cman no longer uses the wrong node name when getnameinfo() fails.

the SCSI fence agent now verifies that sg_persist is installed.

the DRAC5 fencing agent now properly handles modulename.

QDisk now logs warning messages if it appears its I/O to shared storage is hung.

fence_apc no longer fails with a pexpect exception.

removing a node from the cluster using 'cman_tool leave remove' now properly reduces the expected_votes and quorum.

a semaphore leak in cman has been fixed.

'cman_tool nodes -F name' no longer segfaults when a node is out of membership.

support for: ePowerSwitch 8+ and LPAR/HMC v3 devices, Cisco MDS 9124 and MDS 9134 SAN switches, the virsh fencing agent, and broadcast communication with cman.

fence_scsi limitations added to fence_scsi man page.

Copy percentage of corelog mirror no longer hangs due to stale checkpoint data.

A segfault in clogd was fixed; the segfault was caused by mirrors being suspended too quickly after being started.

The large number of dm-log-clustered timeouts generated by a pvmove no longer causes a cluster deadlock.

Remnants of a moved device no longer remain in a volume group.

Device-mapper userspace logs now have a local unique identifier to prevent issues when two logs have the same UUID.

kmod-cmirror packages now use symbols that are on the kernel ABI whitelist. (BZ#481689)

A bug that prevented Microsoft Internet Explorer from working correctly with the Luci server has been fixed.

A bug that caused some operations to fail when accessing Conga via Microsoft Internet Explorer was fixed.

A bug that caused quorum disk heuristics to be lost after changing quorum disk main properties was fixed.

A bug that made it impossible to set failover domains for virtual machine services was fixed.

A bug that required that a fence device password be provided when a password script has been defined was fixed.

A bug that caused the "run exclusive" cluster service attribute to always be shown as having been selected was fixed.

A bug that caused adding existing Red Hat Enterprise Linux 4 clusters to the management interface to fail was fixed.

A bug that caused updating existing fence devices to fail in some circumstances was fixed.

A bug that caused the ricci storage module to fail to read mdadm device information was fixed.

Support for configuration of LPAR fencing.

Support for configuring NFS locking workarounds for cluster services.

Support for choosing between the Xen and KVM hypervisors for virtual machine services.

previously, it was not possible to compile coreutils without SELinux support. This has been fixed so that removing the "--enable-selinux" option from the spec file allows coreutils to compile successfully. (BZ#488730)

the "join" utility, which joins two text files, or a file and standard input, on a line-by-line basis, could experience a segmentation fault when running under a multibyte locale. In addition, multibyte locales could cause "join" to produce unexpected results. With this updated package, these coding errors have been corrected so that "join" completes correctly and successfully when run under a multibyte locale. (BZ#497368)

the "df" utility reports the disk usage of a directory within a file system. Using "df" on a directory which contained autofs mount points under it did not cause autofs to mount those directories, which resulted in "df" not factoring in the disk usage of those automount directories. With this update, invoking the "df" command does trigger automount, which in turn results in a correct disk usage count. (BZ#497830)

several other utilities in the coreutils package possessed undocumented options, which could have led to user confusion. Those undocumented options have been removed from their respective utilities, thus reducing the possibility for confusion. (BZ#468030)

the "chmod", "chown" and "chgrp" commands all take the following options, which have the same effect: "-f", "--silent" and "--quiet". These flags cause the command to suppress most error messages. However, calling the command with one of these options on a non-existent file caued the command to output the following message: "No such file or directory". These options now suppress error messages when called on non-existent files. (BZ#474220)

the tail(1) man page contained a formatting error and a typo, both of which have been rectified. (BZ#470788)

the rm(1) man page stated that the "rm" command possessed a "--directory" ('-d') option, whose purpose was to allow the removal of directories, including non-empty directories. However, invoking "rm --directory [dir]" always resulted in the following error message: "rm: cannot remove `some_dir': Is a directory". The rm(1) man page has been corrected and no longer lists "--directory" as an option. The recommended switch for recursively removing a directory and its contents is "--recursive" ('-r'). (BZ#473472)

the coreutils package's locale directories were not owned by the coreutils package. This has been corrected by ensuring that all locale directories are owned by the package. (BZ#481804)

the '-v' option of the "ls" command sorts directory listings based upon version numbers. However, "ls -v" did not sort vmlinuz-[version] files from the /boot/ directory in the correct order. This updated coreutils package enhances both "ls -v" and "sort -V" so that they are now able to sort /boot/vmlinuz-[version] files correctly. (BZ#253817)

the "install" command now supports the "--compare" ('-c') flag, which causes "install" to compare each pair of source and destination files and, if the destination file's content is identical to the source (and disregarding any discrepancy between the owner, group, permissions and possibly SELinux context) then the destination file is not modified and the modification time is left unchanged. (BZ#453447)

the "cp" and "mv" utilities now support the preservation of extended attributes on files and directories. In addition, Access Control Lists (ACLs) are now preserved when copying or moving files (with "cp" or "mv") to or from NFSv4-mounted file systems. (BZ#454072)

when called with the "--pass-through" ('-p') option, which enables copy-pass mode, cpio did not always set the permissions of copied directories correctly. In certain circumstances, cpio always created directories with a permissions mode of 700 and did not respect the system umask. With this updated package, cpio copies directories while honoring the umask setting when using copy-pass mode, which resolves the issue.

cpio was unable to write to a file on a remote system when using the "-O [archive]" option along with "--rsh-command". With this update, cpio is once again able to write files to remote systems. Note that the default remote shell is defined as /usr/bin/rsh.

the cpuspeed init script loaded the speedstep-centrino driver on Intel systems, even when the acpi-cpufreq driver had already loaded successfully. With both these drivers loaded, the system would not handle P-states correctly. The cpuspeed init script now attempts to load the speedstep-centrino driver only as a fallback for situations where it has not been able to load the acpi-cpufreq driver. Intel systems that can use the acpi-cpufreq driver no longer load the speedstep-centrino driver, and now handle P-states correctly. (BZ#485480)

a development version of this package attempted to make cpuspeed run reliably on Xen kernels by only allowing cpuspeed to start on Xen kernels if the number of virtual CPUs in dom0 equalled the number of physical CPUs in the system. However, this condition can never be true until xend starts, and xend starts after cpuspeed. Therefore, cpuspeed would only run properly on Xen kernels if cpuspeed were restarted after the system completed the boot process. The restriction that cpuspeed can only start if the number of virtual and physical kernels are equal has therefore been removed, allowing cpuspeed to start on Xen kernels even when xend has not yet started. (BZ#488924 , BZ#498406 , BZ#492139)

The bt command displays a task's kernel-stack backtrace. When running this command against an x86 Xen kernel vmcore, crash did not correctly handle the transition from the IRQ stack back to the process stack, leading to a segmentation fault. The version of crash provided with this advisory contains a patch that corrects this issue, allowing users to analyze a vmcore file from a system with an x86 Xen kernel.

if entered alone on the command line, the "set" command would cause a segmentation violation, because there is no concept of a "context" in the Xen hypervisor. Crash now prompts the user to provide an option with "set", and provides more meaningful error messages if the option selected is not applicable. (BZ#462819)

crash would indicate "irq: invalid structure size: gate_struct" and dump a stack trace leading to x86_64_display_idt_table() when the "irq -d" option was run on AMD64 and Intel 64 Xen kernels. Now it will indicate that the -d option is not applicable. (BZ#464116)

the "bt" command did not work correctly when running against the Xen hypervisor binary. The "bt -o" option, and setting it to run by default with "bt -O", would fail with the vmlinux-specific error message "bt: invalid structure size: desc_struct" with a stack trace leading to read_idt_table(). Now, it will display the generic error message "bt: -o option not supported or applicable on this architecture or kernel". The "bt -e" or "bt -E" will also display the same error message, as opposed to the command usage message. Lastly, the "bt -R" option would cause a segmentation violation; it has been fixed to work as it was designed. (BZ#464288)

when run on a Xen hypervisor in which the backtrace leads to either "process_softirqs" or "page_fault", the "bt" command backtrace would indicate: "bt: cannot resolve stack trace". The recovery code would then terminate the command with the nonsensical error message: "bt: invalid structure size: task_struct". The command now properly terminates the backtrace. (BZ#474712 , BZ#466724)

when run against the Xen hypervisor where the number of physical cpus outnumber the MAX_VIRT_CPUS value for the processor type, the "bt -a" command would fail after displaying backtraces for the first 32 (MAX_VIRT_CPUS) pcpus with the the error message: "bt: invalid vcpu". The command now shows backtraces for all pcpus. (BZ#471790)

the "mod -[sS]" command would fail with the error message: "mod: cannot find or load object file for <name> module" if the target module object filename contains both underscore and dash characters. Crash now parses these filenames correctly. (BZ#480136)

an existing Itanium INIT and MCA handler bug incorrectly writes the pseudo task's command name in its comm[] name string such that the CPU number may not be part of the string. The "bt" command could not link back to a PID 0 swapper task that was interrupted by an Itanium INIT or MCA exception, and displayed the error message: "bt: unwind: failed to locate return link (ip=0x0)!" Crash now uses a different method to obtain the CPU number for the interrupted task, and the backtrace correctly transitions back to the interrupted task. (BZ#487429)

the starting backtrace location of active, non-crashing, xen dom0 tasks are not available in kdump dumpfiles, nor is there anything that can be searched for in their respective stacks. Therefore, for these tasks, the "bt" command would show either an empty backtrace or an invalid backtrace starting at the last location where schedule() had been called. Instead, the "bt" command now provides an error message for these tasks that indicated "bt: starting backtrace locations of the active (non-crashing) xen tasks cannot be determined: try -t or -T options". (BZ#495586)

Running the "bt" command against an x86 Xen kernel vmcore, the transition from the IRQ stack back to the process stack led to a segmentation fault. (BZ#478904)

the cryptsetup luksFormat command now properly wipes old filesystem signatures. (BZ#468910)

the exit code for cryptsetup status command is no longer incorrect. (BZ#439191)

the cryptsetup password entry message now includes the device name for which the user is being prompted. (BZ#437261)

the libcups library's HTTP state machine could get into a busy loop when a connection was closed at an unexpected point. (BZ#474323)

web interface template files and translated template files were not marked as configuration files so local modifications to them would be lost when applying updates. This update will also cause local modifications to those files to be lost, but will prevent the same situation occurring with future updates. (BZ#474769)

the "compression" job option was encoded with the wrong IPP tag, preventing the "document-format" job option from overriding automatic MIME type detection of compressed job files . (BZ#474814)

the "mailto" CUPS notifier used the wrong line ending when transferring messages to an SMTP server, causing it not to send any notifications. (BZ#474920)

automatic MIME type detection would fail when the document name was required by the relevant rule but only one file was present in the job. MIME detection would also fail with some rules using "+" (e.g. application/x-shell). (BZ#479635)

incorrect web interface URLs would be given when the server's domain name resolved to a local loopback address on the server. (BZ#479809)

the CUPS configuration file directive "Satisfy Any" was not correctly implemented, causing access to be restricted in situations where it should not have been. (BZ#481303)

an optimization in the libcups library for fetching details of a print queue when its name is known caused problems with obtaining the name of the default printer when "lpoptions" files listed a non-existent queue as the default. (BZ#481481)

RPM verification would fail on configuration files even though content changes were expected. (BZ#487161)

the CUPS scheduler requires an updated version of the krb5 package in order to function correctly but this was not an RPM dependency. (BZ#489714)

the text-only filter would not send form-feed characters correctly. (BZ#491190)

incorrect IPP-Get-Jobs requests, accepted by CUPS in current versions of Red Hat Enterprise Linux but rejected in newer versions of the upstream package, were generated by the cupsGetJobs2() API function and by the lpstat and lpq commands. (BZ#497529)

mismatches between hosts sometimes caused the CVS client to present incorrect credentials to servers with gserver authentication. This update ensures the correct credentials are supplied by confirming the IP address of the currently-connected server so that host mismatch does not occur. (BZ#473245)

attempting to process large numbers of files with long names caused problems with some scripts due to lengthy command line arguments. This problem has been resolved by adding the possibility of passing arguments through standard input. (BZ#462062)

attempting to connect to the update server failed and resulted in the following error messages being logged to /var/log/maillog:

connect(192.168.11.110) failed: Invalid argument
couldn't connect to MUPDATE server
[IP address]: no connection to server
FATAL: error connecting with MUPDATE server

These updated packages correct this problem so that connecting to the update server now works as expected. (BZ#326511)

on systems with 64-bit architectures, cyrus-imapd experienced a segmentation fault when replication was enabled. (BZ#484377)

more detailed information has been added to the ctl_cyrusdb(8) man page, which explains how to perform operations common to Cyrus databases. (BZ#463230)

the shadow authentication method was not working properly on 64 bit architectures. The saslauthd might randomly crash if it was configured to authenticate against the shadow file. (BZ#433583)

the rimap authentication method was not working properly when user passwords contain double quote characters. The saslauthd process would hang when it was configured to authenticate with the rimap method and user password contained such characters. (BZ#438533)

the saslauthd init script did not support a reload command although it was mentioned in the init script usage instructions. The reload is now implemented as a conditional restart of the saslauthd daemon. (BZ#448154)

the pluginviewer command did not display plugins which were not statically linked into it. The pluginviewer command is now linked dynamically so it can display any cyrus-sasl plugins which are installed on the system. (BZ#473197)

the ldap authentication method had very long timeout for network failure detection. The saslauthd now sets a network failure timeout based on the ldap_timeout configuration option. (BZ#475726)

These updated db4 packages fix a bug which, in certain circumstances, could have caused database environment recovery to fail.

Fixes crash when dmsetup -U, -G, and -M options are used.

Enforces device name length and character limitations.

Adds "all" field to "-o fields" option, expanding to all fields of report type. That is, you can add -o <field_name> to specify which fields to print in certain commands; "-o all" expands to all possible fields known to report.

Library now exports dm_tree_node_size_changed function and correctly propagates table size change up the device tree.

Prints warning message if application releases the library and a memory pool is still in use (indicating a possible memory leak).

Library is now compiled from merged device-mapper LVM2 tree (device-mapper library is now part of LVM2 source code tree).

there was a race condition in the shutdown code for multipathd wherein a lock could be destroyed before all threads were finished using it. This could cause the machine to become unresponsive on multipathd shutdown. The multipathd daemon now waits for all threads to finish using the lock before destroying it, thus removing the race and resolving the issue.

when adding a new multipath-capable block device, a race condition existed between the multipathd daemon and udev to multipath the new device. If udev--through multipath--updated the multipath devices first, then the multipathd daemon would not use the device-specific configurations for the device when it started monitoring the path. With this update, multipathd now correctly configures the device, even when udev notices it first, thus resolving the issue.

multipath must be able to open a file descriptor for each path that it monitors, plus 32 other file descriptors. By default, multipath can open 1024 file descriptors, which is sufficient for it to monitor 992 paths. If multipath is not able to open all the file descriptors that it needs, the multipath daemon will not function correctly, and in Red Hat Enterprise Linux 5.3, this situation exposes a kernel memory leak that can cause a system to stop responding. Previously, multipath would not warn users that it could not open enough file descriptors. Now, when multipath runs out of file descriptors, it prints an error message. System administrators can allow multipath to open more file descriptors by setting "max_fds" in the multipath.conf file to a sufficiently high number, or by setting "max_fds" to "max" to allow multipath to open as many file descriptors as the system allows.

Occasionally multipathd was ignoring a device's hardware type when configuring it after a path was added.

Multiple documentation errors were fixed.

Multipathd would occasionally hang or crash while shutting down.

Multipath would always return a failure exit code when removing a device with multipath -f/-F.

Multipathd wouldn't free its resources when it failed to execute a callout.

Multipathd would always return a success exit code for interactive commands, even if the command failed or was invalid.

The mpath_prio_alua pritority callout was failing on some setups because a buffer was too small.

Multipathd was holding mount points in the /etc directory busy, even after they were unmounted.

Multipath and multipathd were racing to create the mulitpath devices for newly added block devices. This was causing device creation to take a long time on some systems, and could even cause devices to have incorrect configurations.

Default configurations were added for the Compellent Storage Center and the IBM DS3200, DS3300, DS4700, and DS5000.

It is now possible to set the verbosity level for the multipath and multipathd commands in /etc/multipath.conf.

The TUR path checker retries on more transient errors, so that multipathd will not fail a path due to a transient error.

There is a new priority callout mpath_prio_intel to support the Intel Modular Server.

There is now a multipath.conf.5 man page that explains the /etc/multipath.conf configuration file.

Supplying an interface name (on the command line) that was longer than the size declared by the IFNAMSIZ macro caused an unexpected segmentation fault. This update contains an added process that properly checks the validity of interface names, which resolves this issue. (BZ#441524)

This update corrects a bug in the way the dhclient-script file processed the $localClockFudge variable. In previous releases, this bug caused the NTPD daemon to restart unexpectedly at times. (BZ#450301)

dhclient now retains relay agent options when it enters the INIT and REBIND states. (BZ#450545)

A bug in the network shutdown code prevented dhclient from correctly honoring the PEERNTP and PEERDNS variables in /etc/sysconfig/network-scripts/ifcfg-* files. This caused dhcp to replace a modified /etc/ntp.conf file with a default version during a network service restart. This update fixes the bug, ensuring that dhclient-script no longer replaces the /etc/ntp.conf file upon network service restart if PEERNTP and PEERDNS are both set to 'yes'. (BZ#471543)

The dhcpd and dhcrelay init scripts do not support the 'try-restart' and 'reload' arguments. In previous releases, however, using these arguments did not output any error messages to inform the user that the restart/reload attempt failed. With this release, using the unsupported 'try-restart' or 'reload' arguments with the dhcpd or dhcrelay init scripts will correctly display the usage screen and exit the script with a status code 3. (BZ#491868)

the previous version of the dmidecode package was based on upstream version 2.7 and lacked support for a variety of newer hardware. The package now provides version 2.9, which: ( BZ#459048 )

the default method used by dmidecode to retrieve entries from the DMI table produces unaligned access errors when used on Itanium systems. When built for the Itanium architecture, this version of the package includes a workaround that avoids these errors. ( BZ#459048 ).

The dmraid logwatch-based email reporting feature has been moved from the dmraid-events package into the new dmraid-events-logwatch package. Consequently, systems that use this dmraid feature need to complete the following manual procedure: 1. Ensure the new 'dmraid-events-logwatch' package is installed. 2. Un-comment the functional portion of the "/etc/cron.d/dmeventd-logwatch" crontab file.

The sgpio and dmevent_tool applications get installed with the dmraid package now.

The drive order for isw RAID01 sets is now identical with the OROM order.

Various issues with wrong LED rebuild and metadata states have been fixed.

Device Failure Monitoring, using the tools dmraid and dmevent_tool, is now included in Red Hat Enterprise Linux 5.4 as a Technology Preview. Device Failure Monitoring provides the ability to watch and report device failures on component devices of RAID sets.

dmraid now automatically activates device event monitoring for the isw metadata format (Intel IMSM). The dmevent_tool is still available to allow for manual (de)registration.

dmraid now supports an "--rm_partitions" option to allow for removing partition devices for RAID set component devices.

Activation of isw RAID sets on disks with long serial numbers is now supported.

dos2unix did not allow for instances where a user specified the -c option without a conversion mode name following it. An input in this format would therefore result in a segmentation fault. Dos2unix now exits safely with a message to the user that option -c requires an argument.

when dos2unix created a new file as the output of its conversion (when run with the -n option), the new file would always have its permission mode set as 600, regardless of the permission mode of the original file. Dos2unix now sets the permission mode for the new file to be the same as the mode of the old file, filtered through the user's umask.

when running the dump command without specifying a dump level, then neither did dump's output indicate the dump level, as in the following example output:

DUMP: Date of this level  dump: Thu Apr  2 09:05:09 2009
DUMP: Date of this level  dump: Thu Apr  2 09:05:09 2009

This has been corrected in these updated packages so that the dump level is no longer missing in output in which it is shown.

When the dump command was called without a default dump level specified on the command line, then the dump level defaulted to 0, while the dump(8) man page stated that the default level was 9. The actual default dump level that is used when this is not specified in arguments to dump is 0, and the man page has been changed to reflect this.

the restore(8) man page, as well as the program's help information, incorrectly implied that the '-P [file]' option could be used in conjunction with the '-A [archive_file]', which is not the case. Attempting to use both options results in the following error message: "restore: A option is not valid for P command". The restore(8) man page and restore's help has been corrected so that it is clear that the '-A' and '-P' options cannot be used together.

several typos in the dump(8) man page were corrected.

on some systems with manually-operated DVD drive trays (ie drives that cannot be closed mechanically, such as most slim-line drive trays), burning data to DVD media would produce an erroneous "Error writing to disk" alert. The data was, in fact, successfully burnt to the DVD and the newly burnt DVD was then ejected. The inability of the drive tray to close mechanically, however, caused dvd+rw-tools to return an "unable to reload tray" message which, in turn, caused the 'writing to disk' error to present. With this update, dvd+rw-tools treats the underlying "START_STOP_UNIT" message properly and, consequently, the misleading alert does not present. (BZ#390961)

a typo in the dvd+rw-tools.spec file was corrected. The "%{dist}" tag on the "Release" line was corrected to "%{?dist}". The correction ensures an rpm can be built from the dvd+rw-tools source even if a distribution is not defined in either the Makefile or your local ~/.rpmmacros file. (BZ#440621)

when mke2fs or resize2fs was run on a device of exactly 2^32 file system blocks (16 terabytes for 4 kilobit blocks), these commands would fail with a "File too large" error, because the maximum file system size was 2^32-1 blocks. mke2fs and resize2fs now round down by one block to allow the commands to succeed for devices of exactly 2^32 blocks, and the error no longer presents. ( BZ#241285 )

the German localization of an e2fsprogs process contained a typographical error. This has been corrected and the correct line now displays. (BZ#488960)

the e2fsck method, pass3, would use a pointer regardless of whether it contained a null value. This would result in a segfault. The method has been corrected and the problem no longer presents. ( BZ#505110 )

the ismounted method was set to use two arguments when it required three. This has been corrected, and the method now works as expected. ( BZ#505110 )

the debugfs method, logdump, performed a call to fclose without checking that the value being passed was not null. This would result in segfault. The method now checks for a null before attempting to pass the value, and does not call fclose if a null is present. (BZ#505110)

a typographical error in the uuidd initscript that caused an incorrect status to me set has been corrected. (BZ#506080)

running mke2fs on devices larger than 8 terabytes required the "-F" (force) option to succeed. This update removes that requirement. (BZ#241285)

invoking the "stats" command while at the "debuge4fs" prompt could cause "debuge4fs" to segmentation fault due to a missing check to see whether the file system was currently open. This has been fixed in this updated package so that calling "stats" is now safe. (BZ#482894)

a new package, ecryptfs-utils-gui, has been added to this update. This package depends on the pygtk2 and pygtk2-libglade packages and provides the eCryptfs Mount Helper GUI program. To install the GUI, first install encryptfs-utils and then issue the following command:

yum install ecryptfs-utils-gui

(BZ#500997)

the "ecryptfs-rewrite-file" utility is now more intelligent when dealing with non-existent files and with filtering special files such as the "." directory. In addition, the progress output from "ecryptfs-rewrite-file" has been improved and is now more explicit about the success status of each target. (BZ#500813)

descriptions of the "verbose" flag and the "verbosity=[x]" option, where [x] is either 0 or 1, were missing from a number of eCryptfs manual pages, and have been added. Refer to the eCryptfs man pages for important information regarding using the verbose and/or verbosity options. (BZ#470444)

mounting a directory using the eCryptfs mount helper with an RSA key that was too small did not allow the eCryptfs mount helper to encrypt the entire key. When this situation occurred, the mount helper did not display an error message alerting the user to the fact that the key size was too small, possibly leading to corrupted files. The eCryptfs mount helper now refuses RSA keys which are to small to encrypt the eCryptfs key. (BZ#499175)

when standard input was redirected from /dev/null or was unavailable, attempting to mount a directory with the eCryptfs mount helper caused it to become unresponsive and eventually crash, or an "invalid value" error message, depending on if the "--verbosity=[value]" option was provided as an argument, and, if so, its value. With these updated packages, attempting to mount a directory using "mount.ecryptfs" under the same conditions results in either the mount helper attempting to use default values (if "verbosity=0" is supplied), or an "invalid value" error message (instead of the mount helper hanging) if standard input is redirected and "--verbosity=1" is supplied, or that option is omitted entirely. (BZ#499367)

attempting to use the eCryptfs mount helper with an OpenSSL key when the keyring did not contain enough space for the key resulted in an unhelpful error message. The user is now alerted when this situation occurs. (BZ#501460)

the eCryptfs mount helper no longer fails upon receiving an incorrect or empty answer to "yes/no" questions. (BZ#466210)

If a smart card were inserted when the esc daemon was already running then there could be odd behaviors when the ESC GUI was opened. For example, if the smart card was blank, then the Phone Home configuration dialog would not open. When the smart card was removed, then esc could crash. (BZ#496410)

If a user attempted to re-enroll a formatted token when the RE_ENROLL value was set to NO, then the ESC wrongly gave an error that the token was suspended, not that re-enrollment wasn't allowed. This message has been corrected. (BZ#494981)

Certificate System previously supported re-enrollment for tokens, which allows a formatted token to be re-formatted with new certificates. This enhancement also allows smart cards to have renewal operations, so existing certificates can have renewed.

This release includes enhancements to streamline the security officer mode for ESC. Security officer mode allows designated users to perform in-person token enrollments, as added security. This simplifies launching the ESC GUI in security officer mode.

generic receive offload (GRO) has been added to some network drivers in Red Hat Enterprise Linux 5.4. GRO aggregates packets before they're processed by the rest of the stack. This allows TCP performance to be greatly enhanced at high speeds. In particular, it's crucial for good 10GbE performance. With GRO enabled, you should observe higher throughput, lower CPU utilization of network traffic, or both; especially with smaller message sizes.

The kernel in Red Hat Enterprise Linux 5.4 allows users to manually control whether GRO is enabled for supported ethernet adapters. This updated ethtool provides a command-line interface -- "ethtool -k" -- for setting and querying that flag. (BZ#509398)

when printing "n" copies of a non-postscript document, "n times n" copies were printed instead. (That is, if two copies were requested, four copies -- 2 x 2 -- were printed.) This flaw has been corrected. Note: the underlying cause of this problem also influenced collated printing, reversed printing and printing of sets of pages. (BZ#439937)

when adding a new Exchange account, a Mailbox name separate from the user name can now be specified. (BZ#205787)

pasting text into an event summary by issuing the Ctrl+V control code did not work as expected. (BZ#208356)

running Evolution in a different language caused it to not display certain translations such as "On This Computer", "Personal" and specific calendar and address book names. (BZ#210858)

when attempting to import a certificate from the Edit Preferences -> Certificates menu, the subsequent Trust dialog box appeared below the file selector window, forcing users to manually move both windows in order to accomplish the task. (BZ#212206)

Evolution crashed due to a segmentation fault when reading certain email messages when accessibility was enabled. (BZ#212481)

attempting to import a vCard File containing contacts into a new address book created during the import process failed, and no contacts were imported. All contacts imported in this way are now present in the new address book. (BZ#215470)

selecting the "On This Computer" folder and then clicking Folder -> Properties produced no result. The "Properties" menu item is now correctly grayed-out. (BZ#215479)

Evolution did not honor the selected day when adding a memo while in calendar view: the user had to manually alter the memo's date afterward. (BZ#217541)

searching an address book using the "any field" option when no results were found caused Evolution to display all contacts instead of none. This behavior is now more intuitive: no contacts are displayed when none are found. (BZ#217714)

while in Mail view, deselecting a previously-selected group of messages by clicking on one of those selected did not result in that message being shown in the preview pane. (BZ#227710)

when accessibility was enabled, specific combinations of calender-viewing actions caused Evolution to crash. (BZ#428817)

when starting Evolution for the first time with a German (de_DE) locale, the setup wizard window was too large for some monitors to display. (BZ#432322)

dragging-and-dropping messages into the "Personal Folders" caused those messages to be irretrievably lost. Dropping messages into "Personal Folders" is now disallowed. (BZ#437768)

Evolution's account editor did not strip whitespace characters in hostnames, which caused a failure to connect when attempting to retrieve email. (BZ#446945)

sorting email by subject did not always result in the expected alphabetical sorting. (BZ#449797)

the Contact Quick-Add window allowed users to click "OK" without selecting an address book, which did not result in the contact being added to any address book. (BZ#449983)

attempting to download Exchange messages for offline use caused Evolution to segmentation fault. Evolution no longer crashes, and downloading Exchange messages works as expected, allowing for offline use. (BZ#472872)

it was not possible to create a new folder from the New Search Folder dialog box and related menus. Also, attempting to name a new folder and then clicking the "Create" button caused Evolution to crash under certain circumstances. (BZ#473024)

moving an Exchange folder containing subfolders to a different location resulted in the loss of all subfolders and their emails. With this update, all subfolders and their contents are copied or moved correctly and without any loss of data. (BZ#480849)

improved support for CalDAV. (BZ#484252)

the cursor now conveniently moves to the new rule when it is created in the "Add Rule" dialog box. (BZ#218539)

when adding a new Exchange account, a Mailbox name separate from the user name can now be specified. (BZ#205787)

a memory leak related to using Exchange accounts has been plugged. (BZ#393761)

dragging-and-dropping messages into the "Personal Folders" caused those messages to be irretrievably lost. Dropping messages into "Personal Folders" is now disallowed. (BZ#437768)

incoming mail filters had no effect on messages received by Exchange-based email accounts. This has been fixed in this updated package so that incoming mail filters work as expected with Exchange accounts. (BZ#446095)

in certain situations, notifications were not shown for calendar events stored on an Exchange Server. With this updated package, notifications work correctly as long as Evolution is configured to remember Exchange Server passwords. Otherwise, notifications fail to be shown. (BZ#480164)

moving an Exchange folder containing subfolders to a different location resulted in the loss of all subfolders and their emails. With this update, all subfolders and their contents are copied or moved correctly and without any loss of data. (BZ#480849)

occasionally, a "?" appeared as the last result of the list obtained when viewing the "Select Contacts from Address Book" dialog. With these updated packages, this incorrect entry no longer occurs in the dialog window when selecting contacts. (BZ#220431)

The IMAP mail protocol distinguishes between messages which are "new" on the server and messages which are "new" for a mail client. This dichotomy led Evolution Data Server to only apply filters to one of the "new" groups and not to the other, which meant that email filters were not applied to certain messages. With these updated packages, filters now apply to all IMAP messages which are new for the client, with the result that all messages can now be successfully filtered. (BZ#247779)

when attempting to connect to an Exchange 2007 server, the server's response sometimes caused Evolution to segmentation fault. Although the possibility of an Exchange 2007 server's response causing Evolution to crash has been fixed with these updated packages, it is still not possible for Evolution to communicate successfully with an Exchange 2007 server. (BZ#433648)

when Evolution was configured with two IMAP accounts, deleting one of those accounts could have caused Evolution to segmentation fault. These updated packages fix a variable referencing error with the result that disabling a mail account no longer causes Evolution to crash. (BZ#437758)

Evolution Data Server could segmentation fault when provided a malformed CalDAV calendar URL. With these updated packages, Evolution performs better error-checking on calendar URLs, which prevents this issue from occurring. (BZ#440232)

the Exchange connector for Evolution Data Server contained several memory leaks which have been plugged in these updated packages. (BZ#460669)

when adding a new Exchange account, a Mailbox name separate from the user name can now be specified. (BZ#460671)

when reading a calendar via the CalDAV protocol, Evolution failed to correctly adjust the time of events based on timezone information. (BZ#462007)

improved support for CalDAV. (BZ#484232)

attempting to download Exchange messages for offline use caused Evolution to segmentation fault. Evolution no longer crashes, and downloading Exchange messages works as expected, allowing for offline use. (BZ#489869)

Evolution incorrectly switched to Daylight Saving Time (DST) one week later than the time when DST should have started. With these updated packages, DST now takes effect at the correct time. (BZ#490218)

Evolution did not provide notifications for events located on a foreign Exchange calendar. This update ensures that Evolution is able to notify based on foreign Exchange calendar events in the same way as for local calendars. (BZ#494847)

A core file, which is created when a program crashes, contains the name of the crashed program. The file command did not report the correct program name on some core files. The file command reports the correct name with this updated package.

when using the "find" utility to search a directory hierarchy which contained autofs mounts, it dutifully triggered the aufofs mounts so that they could be searched, even when "find" had been directed to exclude NFS shares. With these updated packages, "find" possesses an additional exclusionary flag, "-xautofs", that prevents "find" from searching all autofs direct mounts in the searched directory hierarchy. (BZ#485672)

previously, the fipscheck libraries and binaries were installed in / (root). However, because they are not required by anything in /, they are now relocated to /usr. (BZ#475800)

previously, the fipscheck libraries were packaged in the main fipscheck package. This would lead to a file conflict when installing fipscheck on architectures with multilib support. The fipscheck libraries are now shipped in fipscheck-lib subpackages for each architecture, therefore avoiding the file conflict. (BZ#502676)

fipscheck now includes a runtime integrity self-test which is necessary for FIPS 140-2 level 1 validation of Red Hat Enterprise Linux 5 cryptography modules.

the FIPSCHECK_DEBUG environment variable adds improved debugging. Error messages can be saved to the syslog or sent to stderr.

fipscheck can now compute HMACs on multiple files at the same time.

previously, PostScript Printer Descriptions (PPDs) created for printers for which no page margin information was available used ImageableArea settings that equated to zero-width margins (ie, foomatic over-optimistically assumed edge-to-edge printing capability in the absence of specific information to the contrary). With this update, PPDs created for printers with no included margin information are set to 127mm (36 points or 0.5") by default. This avoids problems with print jobs being cropped at the edges of the page. (BZ#244348)

spooler auto-detection is not part of foomatic and, previously, foomatic did not set a default spooler. Consequently, the foomatic-configure command failed to detect that CUPS was present if a default spooler was not set in /etc/foomatic/defaultspooler (which was not created by default during foomatic installation). With this update, /etc/foomatic/defaultspooler is created during installation and the default spooler is set to CUPS, ensuring foomatic-configure is aware of CUPS. (BZ#454684)

64-bit multiplication by constant on the x86 platform caused unexpected aborts when compiling code that used 'unsigned long long' variables. This was because the compiler did not check whether CONST_DOUBLE_LOW was positive when multiplying constants. With this update, the compiler now check if CONST_DOUBLE_LOW is positive, ensuring that 'unsigned long long' variables are processed correctly during compiles. (BZ#465807)

A bug in the way the GFortran compiler processed unique symtrees could have prevented some valid GFortran code from compiling if the code contained symbols defined by USE and ONLY clauses. Whenever this occurred, the compile attempt would fail with a segmentation fault. This update adds a special function that correctly reconciles symbols with unique symtrees, which resolves this bug. (BZ#483845)

Using the -fabi-version=1 option prevented some valid C++ code from compiling. This was because Version 1 of the C++ ABI did not properly substitute template parameters. This release corrects this behavior, adding a function that correctly sets the processing_template_decl to 0 when performing substitutions. (BZ#492011)

A bug in the way gcc optimized code could have prevented some samples of valid C code from compiling (resulting in an internal compiler error) whenever the -O1 option was used. This was because during optimized compiles, the C compiler did not properly process bounds; this resulted in incorrect computations for loop iterations. With this update, the compiler now processes bounds correctly, ensuring that valid C code compiles correctly with the -O1 option set. (BZ#490513)

The GFortran compiler did not handle FMT= character array arguments properly. This prevented some samples of valid GFortran code from compiling; whenever this occurred, the compile attempt would fail with a segmentation fault. This update adds new functions to correct how FMT= character array arguments are handled, thereby resolving this bug. (BZ#492209)

The expand_expr_real_1() function of the C compiler did not handle TRUTH_ANDIF_EXPR and TRUTH_ORIF_EXPR cases correctly. As a result, a compile attempt could fail with an internal compiler error on the PowerPC platform. This update applies an upstream fix for this issue. (BZ#495469)

GFortran provided improper DWARF definitions for array parameters (i.e. missing upper bounds). This was caused by a bug in gcc/fortran/trans-decl.c that provided incorrect debugging information for variable-length, non-desc Fortran arrays. With this release, Gfortran now provides proper DWARF definitions for arrays parameters. (BZ#459374)

A bug in GFortran made it possible for an internal compiler error to incorrectly escalate to a segmentation fault (instead of terminating the compilation gracefully). An upstream fix for this bug is now included with this release. (BZ#466928)

Whenever gcc is used with the option -march=z9-ec or -march=z10, hardware decimal floating point (DFP) support is used by default. (BZ#474367)

An improper option (i.e. %global _use_internal_dependency_generator 0) used during the build of libgomp in previous releases disabled "file coloring". This caused RPM to erroneously detect a file conflict on /usr/lib/libgomp.so.1.0.0 when installing libgomp from the Itanium compatibility layer. This release includes a properly-built libgomp, which resolves this issue. (BZ#503725)

Normally, static variables always have the same debugging information for each possible constructor/destructor implementation kind, which allows the compiler to keep their DIE (debugging information entry) only in the single abstract instance of the constructor. However, GDB did not automatically inherit whole DIEs from the abstract instances to the concrete instances. As such, the static variables in C++ constructors were not visible from GDB. With this update, GDB now inherits whole DIEs to ensure that static variables do not become inaccessible. (BZ#445912)

GDB now supports the use of 64-bit ELF files for 32-bit platforms (i.e. elf64-i386). (BZ#457187)

It was possible for GDB to print an error when trying to access an allocatable or otherwise dynamic array or string variable in Fortran. This was because GDB did not account for the fact that the lower bound for Fortran arrays was 1 (rather than 0). This made it possible for array size calculations to result in invalid values (i.e. too high) when allocating unbound or dynamically-bound Fortran arrays. This release corrects the way GDB processes Fortran arrays; it also adds functions to verify the validity of a calculated array size first before attempting to allocate it. (BZ#459380)

Variables imported from Fortran modules can be now accessed from GDB with the same scope as the program being debugged. (BZ#466118 , BZ #457793)

Variables shared by Fortran "common blocks" can be now accessed from GDB with the same scope as the program being debugged. Further, common blocks valid in the current program scope can be printed using the GDB command 'info common'. (BZ#459762)

Allocatable arrays, objects with assumed size, and pointers to objects can be now accessed from GDB in the same manner that they are accessed from the program being debugged. (BZ#460250 , BZ#459952 , BZ#465301 , BZ#505333)

Variables of type 'logical (kind=8)' can be now accessed from GDB. (BZ#465310)

For external references, GCC does not produce DWARF debug information. As a result, GDB could not access Thread Local Storage (TLS) variables from a local source file if those variables were defined in a different source file. This made it possible for certain memory addresses to become unaccessible to GDB. With this release, GDB can now process TLS variables using ELF structures instead of DWARF; as such, GDB can now access TLS variables regardless of where those variables were defined. (BZ#494412)

Running gcore (or any 'attach' or 'detach' command sequence) on a multi-threaded process that was halted with 'kill -STOP' could unexpectedly resume some of that process's threads. This behavior was caused by a kernel bug (present in upstream version 2.6.29) that remained unfixed in Red Hat Enterprise Linux 5 kernels to maintain backward compatibility. While this update does not fix the kernel bug, it applies a GDB workaround that ensures threads from a halted multi-threaded process do not unexpectedly resume. (BZ#498595)

the GDM Reference Manual is now included with the gdm packages. The gdm-docs package installs this document in HTML format in "/usr/share/doc/". (BZ#196054)

GDM appeared in English on systems using Telugu (te_IN). With this update, GDM has been localized in te_IN. (BZ#226931)

the Ctrl+Alt+Backspace sequence resets the X server when in runlevel 5. In previous releases, however, repeated use of this sequence prevented GDM from starting the X server as part of the reset process. This was because GDM sometimes did not notice the X server shutdown properly and would subsequently fail to complete the reset process. This update contains an added check to explicitly notify GDM whenever the X server is terminated, ensuring that resets are executed reliably. (BZ#441971)

the "gdm" user is now part of the "audio" group by default. This enables audio support at the login screen. (BZ#458331)

the gui/modules/dwellmouselistener.c source code contained incorrect XInput code that prevented tablet devices from working properly. This update removes the errant code, ensuring that tablet devices work as expected. (BZ#473262)

a bug in the XOpenDevice() function prevented the X server from starting whenever a device defined in "/etc/X11/xorg.conf" was not actually plugged in. This update wraps XOpenDevice() in the gdk_error_trap_pop() and gdk_error_trap_push() functions, which resolves this bug. This ensures that the X server can start properly even when devices defined in "/etc/X11/xorg.conf" are not plugged in. (BZ#474588)

A bug which did not flush the journal after a fsync to a stuffed inode has been fixed.

A potential deadlock causing gfs to hang in 'wait_for_completion' was fixed by prefaulting buffer pages.

Applications using sendfile on files with the inherit_jdata flag are now notified that sendfile will not work on those files instead of failing.

A bug that could potentially cause a page allocation failure has been fixed.

A bug that caused fsyncs to stuffed inodes fail to flush the journal has been fixed.

An issue was fixed which caused gfs_fsck to attempt to fix the wrong bitmap.

gfs_fsck's ability to fix damaged resource groups has been improved.

A human readable option has been added to to gfs_tool df.

Fixed an issue which could potentially cause gfs_fsck to remove everything in a corrupt filesystem.

gfs_grow performance has been improved on 1k block size filesystems.

Fix a segfault in gfs_fsck when fixing a 'EA leaf block type' problem.

The gfs service is no longer disabled after an upgrade.

A segfault was fixed in gfs2_fsck which can be triggered by a stuffed directory inode block also being listed as a data block.

In certain cases a conversion between gfs1 and gfs2 filesystem could cause corruption; this bug has been fixed.

Other mount options will now be properly recognized when using 'noatime' or 'nodiratime'.

gfs2_grow now works with block sizes other than 4k.

gfs2_fsck now properly detects and repairs problems with sequence numbers on GFS2 file systems.

GFS2 user utilities now use the file system UUID.

gfs2_grow now properly updates the file system size during operation.

gfs2_fsck now returns the proper exit codes.

gfs2_convert now properly frees blocks when removing free blocks up to height 2.

the gfs2_fsck manual page has been renamed to fsck.gfs2 to match current standards.

the 'gfs2_tool df' command now provides human-readable output.

mounting GFS2 file systems with the noatime or noquota option now works properly.

new capabilities have been added to the gfs2_edit tool to help in testing and debugging GFS and GFS2 issues.

the 'gfs2_tool df' command no longer segfaults on file systems with a block size other than 4k.

the gfs2_grow manual page no longer references the '-r' option, which has been removed.

the 'gfs2_tool unfreeze' command no longer hangs during use.

gfs2_convert no longer corrupts file systems when converting from GFS to GFS2.

gfs2_fsck no longer segfaults when encountering a block which is listed as both a data and stuffed directory inode.

gfs2_fsck can now fix file systems even if the journal is already locked for use.

a GFS2 file system's metadata is now properly copied with 'gfs2_edit savemeta' and 'gfs2_edit restoremeta'.

the gfs2_edit savemeta function now properly saves blocks of type 2.

'gfs2_convert -vy' now works properly on the PowerPC architecture.

when mounting a GFS2 file system as '/', mount_gfs2 no longer fails after being unable to find the file system in '/proc/mounts'.

gfs2_fsck no longer segfaults when fixing 'EA leaf block type' problems.

an incorrect offset computation that occurred when handling subglyphs made it possible for ghostscript to read uninitialized data. When this occurred, ghostscript would crash with a segmentation fault. This update corrects the offset computation, preventing ghostscript from reading uninitialized data. (BZ#450717)

the way that the Ghostscript source code used pointer aliasing could produce unexpected results when strict aliasing optimizations are in use. To avoid problems, this ghostscript update was built using the -fno-strict-aliasing option, which disables strict aliasing optimization. (BZ#465960)

a typographical error in the gsiparam.h header file made it possible for some PDF files to cause ghostscript to fall into an infinite loop. This update fixes the error. (BZ#473889)

the gdevpsu.c source file incorrectly defined the point size of A3 pages, which sometimes resulted in incorrect document page sizes. This update fixes the point size definition error , ensuring that A3 pages are always printed with the correct size. (BZ#480978)

this update corrects how the cvrs PostScript operator performs sign extensions. This fix prevents range errors from occurring on 64-bit platforms. (BZ#488127)

this update also fixes ColorSpace initialization in the InkJet Server (IJS) driver, which is used by hpijs and gimp-print drivers in some configurations. In previous releases, print jobs that did not initialize ColorSpace failed whenever they used Ghostscript to render and print PDFs on devices that used the ijs driver. (BZ#504254)

A strcmp() call in the setlocale() function could cause a segmentation fault (SIGSEGV) to occur in multi-threaded applications. This was caused by an improper free() call, which freed _nl_global_locale.__names[category] around the same time strcmp() tried to access it. As such, it was possible for strcmp() to access _nl_global_locale.__names[category] after it was freed (i.e. no longer available), resulting in a segmentation fault. To fix this, this update adds a return() call to make _nl_global_locale.__names[category] available when strcmp() accesses it. (BZ#455580)

The getifaddrs() function listed invalid IPv6 interface names for Infiniband devices. This was because Infiniband names are 20 bytes long, while glibc only prepares an 8-byte string array (i.e. sll_addr) for interface names. When getifaddrs() copied the 20-byte string into sll_addr, the result was a corrupted, invalid interface name. To prevent this, this update expands the field size from 8 bytes to 24 bytes, allowing getifaddrs() to copy 20-byte Infiniband names to the sll_addr string array. (BZ#463252)

A previous update to glibc resulted in a performance regression with mutex() calls. This was caused by the addition of mutual exclusion (mutex) types tested by pthread_mutex_lock() and pthread_mutex_unlock(). To alleviate the problem, this update optimizes the pthread_mutex_lock() and pthread_mutex_unlock() for the most common mutex types, which improves the performance of mutex() calls in most common user scenarios. (BZ#467316)

dl_runtime_profile on the IBM System Z incorrectly used the instruction lr to remove stack frames, which could result in corrupted stacks in rare cases. With this update, dl_runtime_profile uses the correct instruction (lgr) to remove stack frames instead. (BZ#470300)

An improper break statement in the getgrouplist() function caused searches to abort prematurely. This resulted in a bug that prevented getgrouplist() from retrieving group definitions from LDAP. As such, applications that used getgrouplist() to authenticate group details could not honor supplementary group credentials defined in LDAP. This update removes the improper break statement in getgrouplist(), enabling proper retrieval of group definitions from LDAP. (BZ#470768)

The /var/run/utmp file keeps track of all log-ins and log-outs to the system. All attempts to open it with read-write permission are denied and audited. The setutent_file() function call always attempted to open the /var/run/utmp with read-write permissions, resulting in the audit system logging a large volume of denial records. With this update, setutent_file() now only attempts to open /var/run/utmp with read-only permissions, thereby reducing the volume of audited records. (BZ#475332)

The elf/dl-load.c source file did not properly free allocated memory before dlclose() function calls. This made it possible for some dlopen() and dlclose() calls to result in a memory leak. This update corrects the elf/dl-load.c source file by instructing it to free all allocated memory, thereby preventing a memory leak whenever dlopen() or dlclose() are used. (BZ#476725) .

The getent command no longer incorrectly uses a comma to delimit aliases when displaying network map entries. As such, running getent networks now only displays network map entries using spaces or tabs as delimiters. (BZ#484082)

This update now includes the RUSAGE_THREAD definition in the glibc headers. This allows the getrusage() function call to retrieve information about the resource usage of a thread. (BZ#484214).

The inet6_opt_init() function incorrectly counted the first octet when computing the length of extension headers (i.e. extlen). This was contrary to the definition of extension header lengths as per RFC 2460. With this update, inet6_opt_init() now subtracts 1 octet unit when computing for extlen. (BZ#488748)

As per RFC3493, getnameinfo() should return EAI_NONAME when both nodename and servname variables are set to NULL while the NI_NAMEREQD flag is set. However, getnameinfo() returned 0 in this situation. This update adds an if statement to getnameinfo() to correct its behavior as per RHC3493. (BZ#489419).

The nscd paranoia mode instructs nscd to restart periodically. However, whenever nscd attempted to restart itself in this mode, it incorrectly used the system call execv("/proc/self/exe", argv). As a result, nscd would restart with an process name of exe instead of nscd. To correct this, the nscd paranoia mode now instructs nscd to restart using readlink("/proc/self/exe", target, 255), which allows nscd to preserve its process name upon restart. Note that nscd will still use execv("/proc/self/exe", argv) if the attempt to use readlink() fails. (BZ#490010)

The sysconf() function call used an obsolete const attribute. This caused the gcc compiler to incorrectly return errno when it attempted to compile code while using some optimization options. With this update, sysconf() no longer uses the obsolete const, ensuring that optimization works as expected at compile time. (BZ#490821)

The inet6_rth_reverse() function produced an incorrect return order of addresses in the routing header. This was caused by an incorrect identifier (ip6r0_segleft instead of ip6r0_len) in the inet/inet6_rth.c source code. This update corrects the identifier, ensuring that inet6_rth_reverse() returns the correct output. (BZ#494849)

The inet6_rth_add() function incorrectly returned 0 even when the routing header did not have enough space to store an address. This was caused by a lack of error checking routines to verify routing header size. This update applies an additional if statement to verify the routing header size. (BZ#494850).

Previous versions of glibc coded malloc() in a way that was not thread-safe. This could have led to unexpected program crashes in some cases. This release revises the malloc() code to ensure better thread safety, as well as to adhere to C standards. (BZ#502901)

This update removes an extra comma at the end of the dlfcn.h header file's enumerator list. This typographical error caused dlfcn.h to fail g++ pedantic tests in previous releases. (BZ#504704)

A bug in the nptl/pthread_mutex_lock.c code prevented pthread_mutex calls from honoring some types of private futex attributes. This update applies a patch that corrects this behavior, ensuring that pthread_mutex calls honor all types of private futex attributes for PI mutexes.(BZ#495955).

Applications that performed a large number of directory reads ran much slower on 64-bit Red Hat Enterprise Linux 5 compared to 64-bit Red Hat Enterprise Linux 4. This was partly because while Red Hat Enterprise Linux 5 uses the system call getdents() to retrieve directory entries for both 32-bit and 64-bit platforms, Red Hat Enterprise Linux 4 used getdents64() for 64-bit platforms. Because of this, the opendir() function did not allocate more memory for directory reads on 64-bit platforms, resulting in much slower reads on Red Hat Enterprise Linux 5. To resolve this, opendir() now has an increased default buffer size; if memory allocation fails (as it would on 32-bit applications), it retries the memory allocation with a smaller buffer size. This improves the performance of directory reads on 64-bit platforms, while ensuring that opendir() still works on 32-bit platforms. (BZ#484440)

An incorrect parameter in the MALLOC_COPY() function of the libc/malloc/malloc.c source file could supply an incorrect size_t value for realloc(). With this update, MALLOC_COPY() is now fixed, ensuring that it always supplies the correct size_t information for realloc(). (BZ#478499)

With this update, users can now run fork() safely in one thread while a pthread stack cache updates in another thread. Doing so no longer causes the process created by fork() to crash. (BZ#477705)

This update also applies several upstream fixes to nscd. These fixes prevent nscd from crashing due to segmentation faults in some cases. (BZ#464918 and 483636)

This update also includes the ability to enable (and configure) per-thread memory pools. This capability enables higher scalability accross many sockets and cores, and is included in this release as a technology preview. The environmental variable MALLOC_PER_THREAD=1 enables per-thread memory pools, while MALLOC_ARENA_MAX and MALLOC_ARENA_TEST control the amount of additional memory used for the memory pools (if any). MALLOC_ARENA_MAX sets a maximum number of memory pools used, regardless of the number of cores; MALLOC_ARENA_TEST specifies that the number of cores should be tested once it reaches a set value. Note that once per-thread memory pooling becomes fully supported, it will also become the default behavior; this will render the MALLOC_PER_THREAD option obsolete then. (BZ#494758)

previous versions of glibc coded the malloc() function in a way that was not thread-safe, which could have led to unexpected program crashes in some cases. With these updated packages, the malloc() code has been revised to ensure better thread safety, as well as to adhere to C standards. (BZ#502901)

The gnomekeyring.find_items_sync() function was returning a list of long integers representing the addresses of GnomeKeyringFound instances. These addresses are not useful in Python, however, and this update adds Python bindings for GnomeKeyringFound. IT also changes find_items_sync() to return a list of GnomeKeyringFound instances. (BZ#479280)

gnome-session, also referred to as the GNOME Session Manager, remembers information such as which applications were open at the time of logout (among other session details), and restores these applications upon logging in again. A bug prevented gnome-session from restoring two applications when both of them were named the same, such as could happen with GKrellM system monitors, multiple instances of the KDE Konsole, and potentially other applications with multiple instances. With this updated package, gnome-session is able to restore all same-named application instances which were saved in the previous session, thus resolving the problem. (BZ#484431)

while searching certain immense binary files in which the newline character did not appear for large expanses (for hundreds of megabytes of text, for instance), grep may have missed a subsequent match. Because the grep utility is not intended to process arbitrarily-long files in this manner, this updated version now exits with a "line too long" error message and an appropriate error code under these conditions. (BZ#483073)

when operating on particular multi-byte character sets (but not, notably, UTF-8), grep could enter an infinite loop and become unresponsive. This has been fixed in this updated package so that grep is once again able to process these multi-byte character sets without hanging. (BZ#479151)

certain output control option combinations could cause the grep tool to segmentation fault. With this updated package, these combinations work as expected and no longer cause a segmentation fault. (BZ#452127)

the example attached to the "--label" option description was not illustrative enough: as documented, the option actually had no effect. The updated package contains an improved example that shows the "--label" option's utility, both in the manual and info pages. (BZ#484366)

current GCC defaults mean grub is compiled without writable string support. On systems with an XFS file system present on the same controller as the boot disk, this could cause the grub shell to segfault and crash. With this update grub no longer assumes constant strings in the XFS file system driver are writable, obviating the error. (BZ#496949)

previously, grub-install did not support installing on virtio_blk devices. When attempted it printed the error message "[device path] does not have any corresponding BIOS drive." With this update, support has been added for installing to virtio devices. (BZ#498388)

the handling of the virtual mouse pointer could result in the pointer getting stuck against an invisible wall, unable to move into some areas of the virtual machine display area. (BZ#487560)

handling of non-US layout keyboards had flaws making it impossible to type certain key sequences, for example Shift+Tab. (BZ#357491)

the gtk-vnc package was re-based to version 0.3.8, from version 0.3.2, to address problems with virtual mouse pointer movement handling and the conversion of "keysyms" for non-US layout keyboards. The update also improves interoperability with VNC servers and extensions. (BZ#489326)

hal now detects blank optical media correctly on buggy hardware. (BZ#488265)

if a device identifier was not well formed, the error message the presented was not correctly formatted. This has been fixed. (BZ#471004)

if an error occurrs the correct hal-device code is now returned. (BZ#462453)

permissions on the directory /usr/lib/hal were incorrect. hal now owns this directory, as expected. (BZ#481806)

hal no longer tries to close shared DBus connections to avoid printing a warning. (BZ#472199)

the hal daemon now starts earlier in the boot sequence, allowing other services to use HAL. (BZ#500577)

another ID match was added to fix suspending on Lenovo X61s type 7667 notebooks. (BZ#456277)

the number of brightness levels is now reported correctly for newer laptops using the ibm-acpi driver. (BZ#475850)

storage devices on the cciss bus are now detected. (BZ#489982)

new man pages for the installed binaries. (BZ#217644)

the child-timeout can now be set for machines with a large number of devices. (BZ#463128)

updating the htdig packages incorrectly removed configuration files, which were written over with the original configuration files. This no longer occurs with these updated packages.

in cases where htdig attempted to run the parser configured in the "external_parsers" attribute in the htdig.conf configuration file, and running that parser failed, then htdig could attempt to parse its own error messages. With this update, htdig is prevented from parsing data incorrectly in such a manner, exits from such a situation correctly, and displays an improved error message when running the external parser fails.

running "htfuzzy soundex" after indexing with htdig resulted in spurious error messages when the "allow_numbers" attribute of the htdig.conf configuration file was set to set to true.

calling either the "htstat" or "htfuzzy" command when the database contained zero words resulted in a segmentation fault, which has been fixed in these updated packages.

Apache's mod_mime_magic module attempts to determine the MIME type of files using heuristic tests. However, the "magic" file used by the mod_mime_magic module was unable to detect PNG images correctly as being of MIME type "image/png", which this update corrects. (BZ#240844)

when using a reverse-proxy configuration with the mod_nss module being used in place of the usual mod_ssl module, the mod_proxy module failed to pass the hostname, which resulted in this error message: "Requested domain name does not match the server's certificate". The hostname is now passed correctly so that secure HTTP (https) connections no longer fail due to this error. (BZ#479410)

the "mod_ssl" module placed a hard-coded 128K limit on the amount of request body data which would be buffered if an SSL renegotiation was required in a Location or Directory context. This could occur if a POST request was made to a Directory or Location which required client certificate authentication. The limit on the amount of data to buffer is now configurable using the "SSLRenegBufferSize" directive. (BZ#479806)

when configuring a reverse proxy using an .htaccess file (instead of httpd.conf) by using a "RewriteRule" to proxy requests using the "[P]" flag, space characters in URIs would not be correctly escaped in remote server requests, resulting in "404 Not Found" response codes. This has been fixed so that .htaccess-configured reverse proxies perform proper character-escaping. (BZ#480604)

if an error occurred when invoking a CGI script, the "500 Internal Server Error" error document was not generated. (BZ#480932)

the mod_speling module attempts to correct misspellings of URLs. When the "AcceptPathInfo" directive was not enabled, then mod_speling did not handle and correct misspelled directory names. This has been fixed so that directory names are always handled, and possibly corrected, by the mod_speling module, regardless of the value that "AcceptPathInfo" is set to. (BZ#485524)

if request body data was buffered when an SSL renegotiation was required in a Location or Directory context, then the buffered data was discarded if an internal redirect occurred. (BZ#488886)

the httpd init script did not reference the process ID stored by a running daemon, and invocations could affect other httpd processes running on the system. (BZ#491135)

during a graceful restart, a spurious "Bad file descriptor" error message was sometimes logged. The error, though harmless, occurred because the socket on which the server called the accept() function was immediately closed in child processes upon receipt of the graceful restart signal. This error message is no longer logged. (BZ#233955)

during a graceful restart, the following spurious error messages were logged by the mod_rewrite module if the "RewriteLog" directive was configured: "apr_global_mutex_lock(rewrite_log_lock) failed". (BZ#493023)

Apache's mod_ext_filter module sometimes logged this spurious error message if an input filter was configured and an error response was sent: "Bad file descriptor: apr_file_close(child input)". (BZ#479463)

the "%p" format option in the "CustomLog" directive, used to log a port number in a request, did not respect the "remote" and "local" specifiers. (BZ#493070)

the httpd package inappropriately obsoleted the "mod_jk" package; it no longer does so. (BZ#493592)

an invalid HTTP status code—such as 70007—was logged to the access log if a timeout or other input error occurred while reading the request body during processing of a CGI script. (BZ#498170)

a security issue fix (CVE-2009-1195) in Server-Side Include (SSI) Options-handling inadvertently broke backwards-compatibility with the mod_perl module. (BZ#502998)

both hal-device-manager and hwbrowser used the same name ("Hardware") in the System>Administration menu, as well as the same icon (hwbrowser.png). The existence of two apparently identical entries in the menu that launch two different applications could be confusing to users. Since hwbrowser is now a legacy tool, it no longer creates a menu item upon installation, thus eliminating the potential confusion. Users can still run hwbrowser from the command line.

LSI Fusion-MPT SAS-2 controllers (BZ#475674)

ASPEED Technology AST2000 updated to reflect product name revision in hal-device-manager. AST2000 should now display ASPEED Graphics Family. (BZ#480560)

Emulex OneConnect 10Gb NIC, Emulex OneConnect 10Gb FCoE Initiator and Emulex OneConnect 10Gb iSCSI Initiator (BZ#496877 , BZ#502907)

Mellanox Technologies ConnectX EN 10GigE (BZ#501955)

Intel IGB Virtual Function devices (BZ#502873)

QLogic Corp. 10GbE Converged Network Adapters (BZ#504035)

if SELinux is in Enforcing mode, the 'allow_unconfined_execmem_dyntrans', 'allow_execmem' and 'allow_execstack' booleans must be enabled in order for the IA-32 Execution Layer (i.e. the ia32el service) to operate correctly. If only the 'allow_execmem' or 'allow_execstack' booleans are enabled, the ia32el service can still support emulation; however, SELinux might issue an AVC denial to the service. In previous releases, whenever SELinux issued an AVC denial to ia32el, users were not informed that these booleans needed to be enabled first. This release provides proper documentation (in the README file) for this requirement, and revises the init script to warn the user if any of these boolean requirements are not met at runtime. (BZ#474152)

this update also fixes a bug that caused the fcntl system call to fail whenever the 'flock' structure was filled with values exceeding 2GB. (BZ#494004)

this adds support for the latest system calls and SSE4.2 instructions. In addition, this update also applies several fixes from upstream to improve performance, compatibility, and robustness. (BZ#472843)

while its IPv4 counterpart was present, the Differentiated Services Code Point (DSCP) match target for IPv6 was missing. Two new modules, one for iptables and a separate one for the Linux kernel, now enable this functionality.

the init scripts for iptables and ip6tables sometimes exited with incorrect or invalid exit statuses. (BZ#242457)

the Internet Control Message Protocol (ICMP) '--reject-with' types did not always work as expected. This has been fixed in these updated packages. (BZ#253014)

the iptables-restore(8) man page did not contain descriptions of some of the options that were listed in the program's help information. These information sources for the utility's options have now been synchronized. (BZ#474847)

the "ROUTE" section of the iptables(8) man page contained misleading information on certain features that do not exist in the iptables packages. (BZ#485834)

the iptables-devel package did not include certain header files, which are now included in the updated package. (BZ#487649)

the spec file contained a typo on the the Release line. (BZ#440622)

a buffer alignment problem prevented iprconfig from updating disk microcode during I/O. In the block layer, iprconfig incorrectly used malloc() for memory allocation; as a result, buffers in the scatter/gather list were not 512-byte aligned. With this update, iprconfig uses posix_memalign() to properly execute memory allocation, which corrects the buffer alignment problem. This update also applies several other improvements to help ensure that iprconfig can perform disk microcode updates even during heavy I/O. (BZ#452312)

this update also applies a firmware enhancement to support dual-shared Active/Active multiplex on SAS adapters. This improves the performance of supported solid-state disks (SSD). (BZ#475362)

it is the rdisc utility which is called at boot time to populate the network routing tables with default routes. This bug caused rdisc to fail during initialization when more than one IP address was assigned to a single interface. This has been solved so that when rdisc encounters two or more IP addresses assigned to the same interface, it continues working as expected. (BZ#470498)

running "service ipvsadm status" returned the status code "0" (for "service is running") even when ipvsadm was stopped. The ipvsadm init script has been updated and ipvsadm now only returns "0" when it is, in fact, running. (BZ#232335)

ipvsadm's previous start priority, 08, meant it loaded before network. If the ipvsadm rule set contained virtual services using fwmarks, these rules did not load properly. ipvsadm's start priority is now 11, ensuring it loads after network and ensuring virtual services load after real network services. (BZ#472425)

previously you could install the debuginfo packages but, because the makefile stripped the symbol table, they contained no data. The ipvsadm makefile no longer strips the symbol table and installing the debuginfo packages adds ipvsadm.debug and the debugging source as expected. (BZ#500601)

multiple instances of irqbalance could be started when changing between run levels. A universal exit is now run on existing instances so that only one will operate at a time. (BZ#471574)

several errors in set_interrupt_count and investigate interaction caused irqbalance to ignore IRQBALANCE_BANNED_INTERRUPTS. The two now work discretely and the problem no longer presents. (BZ#479459)

documentation has been improved in order to clarify the meaning and use of some of the configuration settings in irqbalance. (BZ#479856)

attempting to log in to targets which used the iSCSI protocol's login redirect feature failed due to a coding error in the IPv6 address parser. This bug has been fixed in this updated package so that address parsing succeeds as expected, and logging in to targets over IPv6 is once again possible. (BZ#501737)

iscsi-initiator-utils now includes support for Broadcom bnx2 and bnx2x network interface cards. (BZ#442418)

iscsi-initiator-utils has been rebased to upstream version 2.0-870. Among many other changes, this version supports the offload feature of Broadcom and Chelsio cards. Refer to the changelog included in the package for a full list of bug fixes and enhancements in this version. Section 5.1.2 of /usr/share/docs/iscsi-initiator-utils-$version/README contains instructions to set up ifaces for use with offload cards. (BZ#458203)

the iscsi-initiator-utils packages place files in the /etc/iscsi directory but previously, did not list that directory for creation. The /etc/iscsi directory would therefore be created during the installation process, but would remain unowned. /etc/iscsi is now listed for creation and are therefore owned by iscsi-initiator-utils. (BZ#481807)

when a user-space iSCSI tool invokes an option that is not supported in the kernel, the tool returns "Iferror -38". Previously, this error message was presented to users and could mislead them to think that a problem existed with their iSCSI configuration. The iSCSI tools no longer present this type of error to users and therefore do not create this potential misunderstanding. Note that certain combinations of new tools with old kernels might still present a related "-22" error. (BZ#497940)

the iSCSI protocol allows targets to redirect initiators during the login phase. Previously, the code used by the iscsi initiator to parse IPv6 addresses contained faulty logic that caused it to fail to recognize IPv6 addresses as valid when redirected. As a consequence, when operating in an IPv6 environment, the initiator could not log into targets that use the login redirect feature, such as Dell EqualLogic targets. The initiator now parses IPv6 addresses correctly, enabling use of these targets in IPv6 environments. (BZ#500102)

previously, the cxgb3i driver for Chelsio host bus adapters (HBAs) was not listed in the iscsi init script. Therefore, iscsi would not load this driver and therefore could not use the Chelsio HBAs that need this driver. The cxgb3i driver is now included in the iscsi init script, which enables the use of these devices. (BZ#505958)

the iscsi code contained a bad cast of a data structure. This would lead to a segmentation fault while logging in or out of an iSCSI target. With the logic now corrected, these segmentation faults do not occur. (BZ#508782)

iscsiadm obtains its information about the boot environment from the iSCSI boot firmware table (IBFT). However, this information does not include the target portal group tag (TPGT) associated with the boot target. Iscsiadm would assume that the relevant TPGT should be "1". In cases where this was correct, the boot process would continue as intended. In all other cases, iscsiadm would be unable to find the target necessary for the boot to proceed. This made it impossible to automate the installation of Red Hat Enterprise Linux in environments with multiple portals on targets and where the portal used for boot did not have TPGT=1. Iscsiadm no longer assumes a value for the TPGT for the boot portal and instead relies on the information that it finds in the /var/lib/iscsi record. This enables iscsiadm to find the correct target automatically, and therefore makes automated installations possible. (BZ#515806)

the init scripts for the "capi" and "isdn" programs sometimes exited with incorrect or invalid exit statuses. These init scripts have been updated for compliance with Linux Standard Base (LSB) guidelines. The "capi" and "isdn" programs now exit with exit status 5 (program is not installed) or 6 (program is not configured), as appropriate. The improved init scripts also check for correct privileges and exit with exit status 4 (user has insufficient privileges) when appropriate. (BZ#237831)

the isdn4k-utils packages contained spurious CVS files; they have been removed in these updated packages. (BZ#481569)

the divaload, divalog, divalogd and ipppd executable binaries, which were located in the /sbin directory, depend on libraries located in the /usr/lib directory. In certain situations such as when located on a separate partition, the /usr directory may not be mounted and available when the executables are called. For this reason, divaload, divalog, divalogd and ipppd have all been moved to the /usr/sbin directory, which solves this potential problem. (BZ#503910)

The iwl3945 driver and the iwl3945 firmware work together to provide proper wireless functionality. It is best to pair equivalent versions of these components in order to provide maximum compatibility between them, which this updated package provides.

the iwlagn driver and the iwl4965 firmware work together to provide proper wireless functionality. It is best to pair equivalent versions of these components in order to provide maximum compatibility between them, which this updated package provides. (BZ#476869)

several jadetex files which were installed in the /usr/share/texmf/web2c/ directory had the wrong SELinux context. This updated package corrects the SELinux context of these files.

previously, installing the jadetex package led to the creation of two unnecessary log files that were not owned by the package in the /usr/share/texmf/web2c/ directory. This updated package no longer creates these log files, thus resolving the issue.

the EVR in the java-1.6.0-openjdk package as shipped with Red Hat Enterprise Linux allowed the java-1.6.0-openjdk package from the EPEL repository to take precedence (appear newer). Users using java-1.6.0-openjdk from EPEL would not have received security updates since October 2008. This update prevents the packages from EPEL from taking precedence. (BZ#499079)

version 0.5 of the Hardware Abstraction Layer (HAL) creates child device objects only when a file system is mounted. In cases where a storage device cannot be polled (for example, a floppy drive or IDE Zip drive), HAL adds mount methods to the device itself rather than the volume. Previously, this meant that when used in conjunction with HAL 0.5, KDE 3 would not allow users to mount file systems on devices which the HAL could not poll. KDE now includes a modified HAL back end that allows users to mount and unmount volumes through the storage devices detected by the HAL. (BZ#469723)

previously, when KDE refreshed desktop icons, it did not refresh the list of icons that it should display on the desktop. As a consequence, icons could appear on the desktop even when the file that they represented had been deleted, and refreshing the desktop would not remove these icons. This situation could arise, for example, when viewing files on an NFS share. When KDE refreshes its view of the desktop, it now updates the list of icons first and therefore avoids drawing icons for non-existent files. (BZ#472295)

the krfb command is a VNC-compatible server for sharing KDE desktops. The desktop can be shared by running krfb from the command line. krfb would fail if a user accessed the shared desktop from a web browser using the address http://hostname:5800 (where hostname is a valid address or hostname). The updated kdenetwork packages no longer have this issue and shared desktops can be accessed normally.

kdepim.spec used "%{prefix}/share/doc" in the %install section but had no "Prefix:" header line. Consequently, the symlinks created in this section were not relative (contrary to the included comment). With this update "%{prefix}/share/doc" has been replaced with "%{_docdir}", ensuring the created symlinks are relative, as expected.

a NULL pointer dereference flaw was found in the sctp_rcv_ootb() function in the Linux kernel Stream Control Transmission Protocol (SCTP) implementation. A remote attacker could send a specially-crafted SCTP packet to a target system, resulting in a denial of service. (CVE-2010-0008, Important)

a missing boundary check was found in the do_move_pages() function in the memory migration functionality in the Linux kernel. A local user could use this flaw to cause a local denial of service or an information leak. (CVE-2010-0415, Important)

a NULL pointer dereference flaw was found in the ip6_dst_lookup_tail() function in the Linux kernel. An attacker on the local network could trigger this flaw by sending IPv6 traffic to a target system, leading to a system crash (kernel OOPS) if dst->neighbour is NULL on the target system when receiving an IPv6 packet. (CVE-2010-0437, Important)

a NULL pointer dereference flaw was found in the ext4 file system code in the Linux kernel. A local attacker could use this flaw to trigger a local denial of service by mounting a specially-crafted, journal-less ext4 file system, if that file system forced an EROFS error. (CVE-2009-4308, Moderate)

an information leak was found in the print_fatal_signal() implementation in the Linux kernel. When /proc/sys/kernel/print-fatal-signals is set to 1 (the default value is 0), memory that is reachable by the kernel could be leaked to user-space. This issue could also result in a system crash. Note that this flaw only affected the i386 architecture. (CVE-2010-0003, Moderate)

missing capability checks were found in the ebtables implementation, used for creating an Ethernet bridge firewall. This could allow a local, unprivileged user to bypass intended capability restrictions and modify ebtables rules. (CVE-2010-0007, Low)

a bug prevented Wake on LAN (WoL) being enabled on certain Intel hardware. (BZ#543449)

a race issue in the Journaling Block Device. (BZ#553132)

Prior to this update, user data corruption could occur when a 64-bit system was in the 32-bit compatibility mode. Specifically, programs compiled on an x86 system that called sched_rr_get_interval() were silently corrupted. This was due to the kernel filling data beyond the end of a timespec structure because the size of the structure is different between 32-bit and 64-bit systems. With this update, this issue has been fixed by calling sys32_sched_rr_get_interval() instead of sys_sched_rr_get_interval() when sched_rr_get_interval() is called, and user data corruption no longer occurs. (BZ#557684)

the RHSA-2010:0019 update introduced a regression, preventing WoL from working for network devices using the e1000e driver. (BZ#559335)

adding a bonding interface in mode balance-alb to a bridge was not functional. (BZ#560588)

some KVM (Kernel-based Virtual Machine) guests experienced slow performance (and possibly a crash) after suspend/resume. (BZ#560640)

on some systems, VF cannot be enabled in dom0. (BZ#560665)

on systems with certain network cards, a system crash occurred after enabling GRO. (BZ#561417)

for x86 KVM guests with pvclock enabled, the boot clocks were registered twice, possibly causing KVM to write data to a random memory area during the guest's life. (BZ#561454)

serious performance degradation for 32-bit applications, that map (mmap) thousands of small files, when run on a 64-bit system. (BZ#562746)

improved kexec/kdump handling. Previously, on some systems under heavy load, kexec/kdump was not functional. (BZ#562772)

dom0 was unable to boot when using the Xen hypervisor on a system with a large number of logical CPUs. (BZ#562777)

a fix for a bug that could potentially cause file system corruption. (BZ#564281)

a bug caused infrequent cluster issues for users of GFS2. (BZ#564288)

gfs2_delete_inode failed on read-only file systems. (BZ#564290)

the possibility of a timeout value overflow was found in the Linux kernel high-resolution timers functionality, hrtimers. This could allow a local, unprivileged user to execute arbitrary code, or cause a denial of service (kernel panic). (CVE-2007-5966, Important)

a flaw was found in the Intel PRO/1000 network driver in the Linux kernel. Frames with sizes near the MTU of an interface may be split across multiple hardware receive descriptors. Receipt of such a frame could leak through a validation check, leading to a corruption of the length check. A remote attacker could use this flaw to send a specially-crafted packet that would cause a denial of service or code execution. (CVE-2009-1385, Important)

Michael Tokarev reported a flaw in the Realtek r8169 Ethernet driver in the Linux kernel. This driver allowed interfaces using this driver to receive frames larger than could be handled, which could lead to a remote denial of service or code execution. (CVE-2009-1389, Important)

the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a setuid or setgid program was executed. A local, unprivileged user could use this flaw to bypass the mmap_min_addr protection mechanism and perform a NULL pointer dereference attack, or bypass the Address Space Layout Randomization (ASLR) security feature. (CVE-2009-1895, Important)

Ramon de Carvalho Valle reported two flaws in the Linux kernel eCryptfs implementation. A local attacker with permissions to perform an eCryptfs mount could modify the metadata of the files in that eCrypfts mount to cause a buffer overflow, leading to a denial of service or privilege escalation. (CVE-2009-2406, CVE-2009-2407, Important)

Konstantin Khlebnikov discovered a race condition in the ptrace implementation in the Linux kernel. This race condition can occur when the process tracing and the process being traced participate in a core dump. A local, unprivileged user could use this flaw to trigger a deadlock, resulting in a partial denial of service. (CVE-2009-1388, Moderate)

possible host (dom0) crash when installing a Xen para-virtualized guest while another para-virtualized guest was rebooting. (BZ#497812)

no audit record for a directory removal if the directory and its subtree were recursively watched by an audit rule. (BZ#507561)

page caches in memory can be freed up using the Linux kernel's drop_caches feature. If drop_pagecache_sb() and prune_icache() ran concurrently, however, a missing test in drop_pagecache_sb() could cause a kernel panic. For example, running echo 1 > /proc/sys/vm/drop_caches or sysctl -w vm.drop_caches=1 on systems under high memory load could cause a kernel panic or system hang. With this update, the missing test has been added and the drop_caches feature frees up page caches properly. Consequently these system failures no longer occur, even under high memory load. (BZ#503692)

on 32-bit systems, core dumps for some multithreaded applications did not include all thread information. (BZ#505322)

a stack buffer used by get_event_name() was not large enough for the nul terminator sprintf() writes. This could lead to an invalid pointer or kernel panic. (BZ#506906)

when using the aic94xx driver, a system with SATA drives may not boot due to a bug in libsas. (BZ#506029)

incorrect stylus button handling when moving it away then returning it to the tablet for Wacom Cintiq 21UX and Intuos tablets. (BZ#508275)

CPU "soft lockup" messages and possibly a system hang on systems with certain Broadcom network devices and running the Linux kernel from the kernel-xen package. (BZ#503689)

on 64-bit PowerPC, getitimer() failed for programs using the ITIMER_REAL timer and that were also compiled for 64-bit systems (this caused such programs to abort). (BZ#510018)

write operations could be blocked even when using O_NONBLOCK. (BZ#510239)

enabling MSI on systems with VIA VT3364 chipsets caused a kernel panic or system hang during installation of Red Hat Enterprise Linux or subsequent booting of the operating system. MSI was enabled by default during boot and the "pci=nomsi" boot option to disable MSI was required on Red Hat Enterprise Linux 5.2 and later to avoid this bug. With this update, the kernel automatically disables MSI on VIA VT3364 chipsets during boot. The "pci=nomsi" boot option is no longer required to install or boot Red Hat Enterprise Linux successfully. (BZ#507529)

shutting down, destroying, or migrating Xen guests with large amounts of memory could cause other guests to be temporarily unresponsive. (BZ#512311)

HugeTLBFS (Translation Look-Aside Buffer File System) allows much larger page sizes than standard 4-kilobyte pages. The kernel's virtual memory subsystem uses these pages to map between real and virtual memory address spaces, and HugeTLBFS allows for significant performance increases for memory-intensive applications under heavy load. When a file existing on the HugeTLB file system was accessed simultaneously by two separate processes, the system become unresponsive and eventually a soft lockup occurred. These updated packages correct this issue so that simultaneous access of a single file on a HugeTLB file system is no longer problematic. (BZ#510235)

RHSA-2009-1106 included a fix for a rare race condition (BZ#486921). This earlier race condition occurred if an application performed multiple O_DIRECT reads per virtual memory page and also performed fork(2). Unfortunately, the fix included with RHSA-2009-1106 introduced a new, very small, race condition which presented if the system was swapping heavily or heavily reproducing the conditions that were the cause of BZ#48692. With this update, the parent pte is not set to writable if the src pte is unmapped by the VM, preventing the race condition from occurring. (BZ#507297)

the copy_hugetlb_page_range() function assumed it was safe to drop the source mm->page_table_lock before calling hugetlb_cow(). As a consequence a kernel panic occurred when a particular multi-threaded application did Direct IO on a HUGEPAGE-mapped file region and created new processes. With this update, copy_hugetlb_page_range() calls hugetlb_cow() with the locks held, ensuring the panic does not occur. (BZ#508030)

several flaws were found in the way the Linux kernel CIFS implementation handles Unicode strings. CIFS clients convert Unicode strings sent by a server to their local character sets, and then write those strings into memory. If a malicious server sent a long enough string, it could write past the end of the target memory region and corrupt other memory areas, possibly leading to a denial of service or privilege escalation on the client mounting the CIFS share. (CVE-2009-1439, CVE-2009-1633, Important)

the Linux kernel Network File System daemon (nfsd) implementation did not drop the CAP_MKNOD capability when handling requests from local, unprivileged users. This flaw could possibly lead to an information leak or privilege escalation. (CVE-2009-1072, Moderate)

Frank Filz reported the NFSv4 client was missing a file permission check for the execute bit in some situations. This could allow local, unprivileged users to run non-executable files on NFSv4 mounted file systems. (CVE-2009-1630, Moderate)

a missing check was found in the hypervisor_callback() function in the Linux kernel provided by the kernel-xen package. This could cause a denial of service of a 32-bit guest if an application running in that guest accesses a certain memory location in the kernel. (CVE-2009-1758, Moderate)

a flaw was found in the AGPGART driver. The agp_generic_alloc_page() and agp_generic_alloc_pages() functions did not zero out the memory pages they allocate, which may later be available to user-space processes. This flaw could possibly lead to an information leak. (CVE-2009-1192, Low)

a race in the NFS client between destroying cached access rights and unmounting an NFS file system could have caused a system crash. "Busy inodes" messages may have been logged. (BZ#498653)

nanosleep() could sleep several milliseconds less than the specified time on Intel Itanium®-based systems. (BZ#500349)

LEDs for disk drives in AHCI mode may have displayed a fault state when there were no faults. (BZ#500120)

ptrace_do_wait() reported tasks were stopped each time the process doing the trace called wait(), instead of reporting it once. (BZ#486945)

epoll_wait() may have caused a system lockup and problems for applications. (BZ#497322)

missing capabilities could possibly allow users with an fsuid other than 0 to perform actions on some file system types that would otherwise be prevented. (BZ#497271)

on NFS mounted file systems, heavy write loads may have blocked nfs_getattr() for long periods, causing commands that use stat(2), such as ls, to hang. (BZ#486926)

in rare circumstances, if an application performed multiple O_DIRECT reads per virtual memory page and also performed fork(2), the buffer storing the result of the I/O may have ended up with invalid data. (BZ#486921)

when using GFS2, gfs2_quotad may have entered an uninterpretable sleep state. (BZ#501742)

with this update, get_random_int() is more random and no longer uses a common seed value, reducing the possibility of predicting the values returned. (BZ#499783)

the "-fwrapv" flag was added to the gcc build options to prevent gcc from optimizing away wrapping. (BZ#501751)

a kernel panic when enabling and disabling iSCSI paths. (BZ#502916)

using the Broadcom NetXtreme BCM5704 network device with the tg3 driver caused high system load and very bad performance. (BZ#502837)

"/proc/[pid]/maps" and "/proc/[pid]/smaps" can only be read by processes able to use the ptrace() call on a given process; however, certain information from "/proc/[pid]/stat" and "/proc/[pid]/wchan" could be used to reconstruct memory maps. (BZ#499546)

a logic error was found in the do_setlk() function of the Linux kernel Network File System (NFS) implementation. If a signal interrupted a lock request, the local POSIX lock was incorrectly created. This could cause a denial of service on the NFS server if a file descriptor was closed before its corresponding lock request returned. (CVE-2008-4307, Important)

a deficiency was found in the Linux kernel system call auditing implementation on 64-bit systems. This could allow a local, unprivileged user to circumvent a system call audit configuration, if that configuration filtered based on the "syscall" number or arguments. (CVE-2009-0834, Important)

the exit_notify() function in the Linux kernel did not properly reset the exit signal if a process executed a set user ID (setuid) application before exiting. This could allow a local, unprivileged user to elevate their privileges. (CVE-2009-1337, Important)

a flaw was found in the ecryptfs_write_metadata_to_contents() function of the Linux kernel eCryptfs implementation. On systems with a 4096 byte page-size, this flaw may have caused 4096 bytes of uninitialized kernel memory to be written into the eCryptfs file headers, leading to an information leak. Note: Encrypted files created on systems running the vulnerable version of eCryptfs may contain leaked data in the eCryptfs file headers. This update does not remove any leaked data. Refer to the Knowledgebase article in the References section for further information. (CVE-2009-0787, Moderate)

the Linux kernel implementation of the Network File System (NFS) did not properly initialize the file name limit in the nfs_server data structure. This flaw could possibly lead to a denial of service on a client mounting an NFS share. (CVE-2009-1336, Moderate)

the enic driver (Cisco 10G Ethernet) did not operate under virtualization. (BZ#472474)

network interfaces using the IBM eHEA Ethernet device driver could not be successfully configured under low-memory conditions. (BZ#487035)

bonding with the "arp_validate=3" option may have prevented fail overs. (BZ#488064)

when running under virtualization, the acpi-cpufreq module wrote "Domain attempted WRMSR" errors to the dmesg log. (BZ#488928)

NFS clients may have experienced deadlocks during unmount. (BZ#488929)

the ixgbe driver double counted the number of received bytes and packets. (BZ#489459)

the Wacom Intuos3 Lens Cursor device did not work correctly with the Wacom Intuos3 12x12 tablet. (BZ#489460)

on the Itanium® architecture, nanosleep() caused commands which used it, such as sleep and usleep, to sleep for one second more than expected. (BZ#490434)

a panic and corruption of slab cache data structures occurred on 64-bit PowerPC systems when clvmd was running. (BZ#491677)

the NONSTOP_TSC feature did not perform correctly on the Intel® microarchitecture (Nehalem) when running in 32-bit mode. (BZ#493356)

keyboards may not have functioned on IBM eServer System p machines after a certain point during installation or afterward. (BZ#494293)

using Device Mapper Multipathing with the qla2xxx driver resulted in frequent path failures. (BZ#495635)

if the hypervisor was booted with the dom0_max_vcpus parameter set to less than the actual number of CPUs in the system, and the cpuspeed service was started, the hypervisor could crash. (BZ#495931)

using Openswan to provide an IPsec virtual private network eventually resulted in a CPU soft lockup and a system crash. (BZ#496044)

it was possible for posix_locks_deadlock() to enter an infinite loop (under the BKL), causing a system hang. (BZ#496842)

memory leaks were found on some error paths in the icmp_send() function in the Linux kernel. This could, potentially, cause the network connectivity to cease. (CVE-2009-0778, Important)

Chris Evans reported a deficiency in the clone() system call when called with the CLONE_PARENT flag. This flaw permits the caller (the parent process) to indicate an arbitrary signal it wants to receive when its child process exits. This could lead to a denial of service of the parent process. (CVE-2009-0028, Moderate)

an off-by-one underflow flaw was found in the eCryptfs subsystem. This could potentially cause a local denial of service when the readlink() function returned an error. (CVE-2009-0269, Moderate)

a deficiency was found in the Remote BIOS Update (RBU) driver for Dell systems. This could allow a local, unprivileged user to cause a denial of service by reading zero bytes from the image_type or packet_size files in "/sys/devices/platform/dell_rbu/". (CVE-2009-0322, Moderate)

an inverted logic flaw was found in the SysKonnect FDDI PCI adapter driver, allowing driver statistics to be reset only when the CAP_NET_ADMIN capability was absent (local, unprivileged users could reset driver statistics). (CVE-2009-0675, Moderate)

the sock_getsockopt() function in the Linux kernel did not properly initialize a data structure that can be directly returned to user-space when the getsockopt() function is called with SO_BSDCOMPAT optname set. This flaw could possibly lead to memory disclosure. (CVE-2009-0676, Moderate)

the ext2 and ext3 file system code failed to properly handle corrupted data structures, leading to a possible local denial of service when read or write operations were performed on a specially-crafted file system. (CVE-2008-3528, Low)

a deficiency was found in the libATA implementation. This could, potentially, lead to a local denial of service. Note: by default, the "/dev/sg*" devices are accessible only to the root user. (CVE-2008-5700, Low)

a bug in aic94xx may have caused kernel panics during boot on some systems with certain SATA disks. (BZ#485909)

a word endianness problem in the qla2xx driver on PowerPC-based machines may have corrupted flash-based devices. (BZ#485908)

a memory leak in pipe() may have caused a system deadlock. The workaround in Section 1.5, Known Issues, of the Red Hat Enterprise Linux 5.3 Release Notes Updates, which involved manually allocating extra file descriptors to processes calling do_pipe, is no longer necessary. (BZ#481576)

CPU soft-lockups in the network rate estimator. (BZ#481746)

bugs in the ixgbe driver caused it to function unreliably on some systems with 16 or more CPU cores. (BZ#483210)

the iwl4965 driver may have caused a kernel panic. (BZ#483206)

a bug caused NFS attributes to not update for some long-lived NFS mounted file systems. (BZ#483201)

unmounting a GFS2 file system may have caused a panic. (BZ#485910)

a bug in ptrace() may have caused a panic when single stepping a target. (BZ#487394)

on some 64-bit systems, notsc was incorrectly set at boot, causing slow gettimeofday() calls. (BZ#488239)

do_machine_check() cleared all Machine Check Exception (MCE) status registers, preventing the BIOS from using them to determine the cause of certain panics and errors. (BZ#490433)

scaling problems caused performance problems for LAPI applications. (BZ#489457)

a panic may have occurred on systems using certain Intel WiFi Link 5000 products when booting with the RF Kill switch on. (BZ#489846)

the TSC is invariant with C/P/T states, and always runs at constant frequency from now on. (BZ#489310)

a memory leak in keyctl handling. A local user could use this flaw to deplete kernel memory, eventually leading to a denial of service. (CVE-2009-0031, Important)

a buffer overflow in the Linux kernel Partial Reliable Stream Control Transmission Protocol (PR-SCTP) implementation. This could, potentially, lead to a denial of service if a Forward-TSN chunk is received with a large stream ID. (CVE-2009-0065, Important)

a flaw when handling heavy network traffic on an SMP system with many cores. An attacker who could send a large amount of network traffic could create a denial of service. (CVE-2008-5713, Important)

the code for the HFS and HFS Plus (HFS+) file systems failed to properly handle corrupted data structures. This could, potentially, lead to a local denial of service. (CVE-2008-4933, CVE-2008-5025, Low)

a flaw was found in the HFS Plus (HFS+) file system implementation. This could, potentially, lead to a local denial of service when write operations are performed. (CVE-2008-4934, Low)

when using the nfsd daemon in a clustered setup, kernel panics appeared seemingly at random. These panics were caused by a race condition in the device-mapper mirror target.

the clock_gettime(CLOCK_THREAD_CPUTIME_ID, ) syscall returned a smaller timespec value than the result of previous clock_gettime() function execution, which resulted in a negative, and nonsensical, elapsed time value.

nfs_create_rpc_client was called with a "flavor" parameter which was usually ignored and ended up unconditionally creating the RPC client with an AUTH_UNIX flavor. This caused problems on AUTH_GSS mounts when the credentials needed to be refreshed. The credops did not match the authorization type, which resulted in the credops dereferencing an incorrect part of the AUTH_UNIX rpc_auth struct.

when copy_user_c terminated prematurely due to reading beyond the end of the user buffer and the kernel jumped to the exception table entry, the rsi register was not cleared. This resulted in exiting back to user code with garbage in the rsi register.

the hexdump data in s390dbf traces was incomplete. The length of the data traced was incorrect and the SAN payload was read from a different place then it was written to.

when using connected mode (CM) in IPoIB on ehca2 hardware, it was not possible to transmit any data.

when an application called fork() and pthread_create() many times and, at some point, a thread forked a child and then attempted to call the setpgid() function, then this function failed and returned and ESRCH error value.

a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important)

a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important)

in the dlm code, a socket was allocated in tcp_connect_to_sock(), but was not freed in the error exit path. This bug led to a memory leak and an unresponsive system. A reported case of this bug occurred after running "cman_tool kill -n [nodename]". (BZ#515432)

when kdump required mounting a file system which had reached its maximum mount count, fsck, the file system repair utility, was run automatically. However, because fsck was run in interactive mode by default, when it encountered a file system error the dump process paused until the user intervened. This prevented successful capture of the dump and subsequent system reboot. With this update, fsck is run in non-interactive mode, which allows the dump to complete successfully.

Kernels booted under the kexec system failed to map regions in the system E820 map which were marked as reserved. As some hardware vendors use these regions for various configuration data, some systems experienced various failures during boot up. This update enables the mapping of all regions marked as reserved in the system E820 map and therefore allows these systems to boot correctly.

the addition of reserved memory regions in kdump to improve booting on various systems. (BZ#475843)

various other system-specific boot aids. (BZ#473730 , BZ#494782 and BZ#277531)

a fix to handle network config files that are lacking an ending newline. (BZ#476063)

improved the ability to detect md arrays. (BZ#479211 and BZ#490818)

fixed some bad status messages when using the ssh dump target. (BZ#466450)

fixed an issue in which sata_nv was not included in the initramfs. (BZ#476368)

enhanced our dump filtering with the ability to dump dmesg logs. (BZ#475414)

added a condrestart directive to the service initscript. (BZ#494483)

updated the initramfs for kdump to use hostnames instead of ip addresses. (BZ#493690)

cleaned up a few erroneous error messages. (BZ#496965 , BZ#506652  and BZ#509947)

improved kdump documentation. (BZ#494473)

fixed a bug in which kdump tried to unmount an un-mounted file system. (BZ#495601)

improved kdump so that fsck operations were non-interactive. (BZ#497012)

enhanced makedumpfile so that the utsname of the crashed kernel is saved in the dump header. (BZ#497021)

fixed initrd generation to properly clean up files in /tmp. (BZ#483092)

enhanced kdump to pickup virtio modules in use with kvm. (BZ#506863)

made makedumpfile verbosity configurable. (BZ#466436)

one of the error messages printed by the "ksu" command contained a spelling error ("geting"). This has been corrected. (BZ#462890)

several dozen spelling errors across 21 krb5-related manual pages were corrected. (BZ#499190)

this update no longer attempts to create a keytab for use by the kadmin service when the service is started; doing so is redundant and may interfere with third-party password-changing services such as those provided by IPA. (BZ#473151)

with this update an attempt to load a database dump into a database which has not been created will cause kdb5_util to create the database. (BZ#442879)

this update now correctly reports an error if an attempt to use rcp to copy data to a remote system encounters an error as the file is closed. (BZ#461902)

the "ksu" command can now perform PAM account and session management for the target user. (BZ#477033)

the Kerberos-aware rsh, rlogin, telnet, and ftp services can now set the PAM_RHOST item for users who log in or connect to a server remotely. (BZ#479071)

the ksh shell's "typeset" special builtin command allows scripts to perform nested variable assignment by providing a variable name and a value to assign to that variable name. However, when a ksh function which contained a nested variable was forked, the nesting counter was incorrectly set to zero, which caused nested variables assignments to become unset. This updated package corrects this error so that forked ksh functions have nested variables set correctly in their child processes, thus resolving the issue. (BZ#510712)

when umask set a default permission in a subshell, this default permission would persist after returning to the parent shell. Subsequently, files in the parent shell might have been created with wrong permissions. This is now fixed. (BZ#485030)

ksh removed variables from the environment if their names contained certain characters, for example, a hyphen or a space. Now, although ksh does not use environment variables with names that contain these characters, it keeps them for sub-processes. (BZ#488934)

the ksh builtins failed to report errors on failed file operations, for example, if they were unable to write to a file because of no space on a disk. This could result in data loss, because a user would have no warning that data was not saved. Builtins now provide a proper return code and present an error message to the user if they are unable to complete a file operation. (BZ#465438)

when typeset was used together with variable assignment in the last version of ksh, typeset took effect after the assignment, not before. Because this behavior was the opposite of how typeset works in ksh versions provided by pdksh and was not documented, it could create surprise and confusion. Now, ksh changed its behavior and typeset takes effect before the variable assignment. (BZ#489516)

the ksh package now includes 'alternatives' which allows ksh switching with PDKSH. This feature allows users to switch between the ksh-93 and ksh-88 shells and to port ksh-88 scripts to ksh-93. (BZ#488798)

ksh sometimes returned wrong OPTIND values after returning from a subshell when it executed a function within backquotes (backticks). While the original function would behave as expected, subseqeunt calls would result in incorrect OPTIND values, even calls made directly to the getopts function. Now, the use of backquotes does not cause ksh to return wrong OPTIND values on subsequent calls. (BZ#443889)

the COMPATIBILITY file which describes differences between ksh-88 and ksh-93 has been added to %doc. (BZ#494534)

if the $HISTFILE did not exist and could not be created for some reason (for example, read-only NFS home) ksh sometimes crashed with a segmentation fault when trying to insert the last word of the previous command using the M-_ or M-. keyboard shortcut. This is now fixed. (BZ#494363)

the last version of ksh replaced the ast-base-locale language catalog with a ksh-specific language catalog. However, the ksh-specific catalog lacks translations for many of the locales shipped with ksh. Attempts to use ksh with a non-English locale would therefore result in error messages. Ksh now reverts to using the previous catalog, which does not produce these errors. (BZ#493570)

in the last version of ksh, braces for a subscripted variable with ${var[sub]} became compulsory when inside [[...]], ((...)) or as a subscript. Because these braces were previouly optional, some shell scripts written for earlier versions of ksh no longer worked as expected. Ksh now recognises cases where the argument can be a pattern, and expands these variables the same way that it expanded them when the braces were optional. While this allows many old scripts to work in the current version of ksh, users cannot be certain that their scripts will work as expected unless they enclose variables in braces as defined in the ksh documentation. (BZ#498585)

ksh now allows command history to be saved in global history file or in system log. (BZ#502747)

in the last ksh version, the function nesting counter was zeroed after forking. Therefore, typeset did not assign values in asynchronously called functions. This is now fixed. (BZ#507562)

when using the "mirror" or "get" commands with the "-c" option, lftp did not check for some specific conditions that could result in the program becoming unresponsive, hanging and the command not completing. For example, when waiting for a directory listing, if lftp received a "226" message, denoting an empty directory, it previously ignored the message and kept waiting. With this update, these conditions are properly checked for and lftp no longer hangs when "-c" is used with "mirror" or "get". (BZ#422881)

when using the "put", "mput" or "reput" commands over a Secure FTP (SFTP) connection, specifying the "-c" option sometimes resulted in corrupted files of incorrect size. With this update, using these commands over SFTP with the "-c" option works as expected, and transferred files are no longer corrupted in the transfer process. (BZ#434294)

previously, LFTP linked to the OpenSSL library. OpenSSL's license is, however, incompatible with LFTP's GNU GPL license and LFTP does not include an exception allowing OpenSSL linking. With this update, LFTP links to the GnuTLS (GNU Transport Layer Security) library, which is released under the GNU LGPL license. Like OpenSSL, GnuTLS implements the SSL and TLS protocols, so functionality has not changed. (BZ#458777)

running "help mirror" from within lftp only presented a sub-set of the available options compared to the full list presented in the man page. With this update, running "help mirror" in lftp presents the same list of mirror options as is available in the Commands section of the lftp man page. (BZ#461922)

LFTP imports gnu-lib from upstream. Subsequent to gnu-lib switching from GNU GPLv2 to GNU GPLv3, the LFTP license was internally inconsistent, with LFTP licensed as GNU GPLv2 but portions of the package apparently licensed as GNU GPLv3 because of changes made by the gnu-lib import. With this update, LFTP itself switches to GNU GPLv3, resolving the inconsistency. (BZ#468858)

when the "ls" command was used within lftp to present a directory listing on a remote system connected to via HTTP, file names containing spaces were presented incorrectly. This update corrects this behavior. (BZ#504591)

the default alias "edit" did not define a default editor. If EDITOR was not set in advance by the system, lftp attempted to execute "~/.lftp/edit.tmp.$$" (which failed because the file is not set to executable). The edit alias also did not support tab-completion of file names and incorrectly interpreted file names containing spaces. The updated package defines a default editor (vi) in the absence of a system-defined EDITOR. The edit alias now also supports tab-completion and handles file names containing spaces correctly for both downloading and uploading. (BZ#504594)

The application would hang during SCIM key event handling, specifically when the user attempted to press the F4 key to change focus after typing Japanese characters in a text field. After that, it would not accept keyboard input.

This was caused by a possible race condition between the client and the input method server.

As a workaround, the number of available atoms for temporary storage of IM data has been increased. The F4 key should now allow the user to change focus most of the time. The frequency of this bug has been significantly reduced but be aware that it may still be triggered under certain circumstances. (BZ#437790)

Fn+F? keys and System Buttons for Dell's Converse and Fila mobile platforms need to be mapped to appropriate actions. When pressed, nothing would happen. xkeyboard-config and libX11 have now been updated to accept input from these keys. These keys will now work when pressed. (BZ#496184)

libdhcp did not allow for some situations where a static network configuration was specified. Specifically, when a configuration without a DHCP server was specified during installation, the network interface was not activated. This would preclude installations through FTP and HTTP. Libdhcp now activates the interface when a static configuration is specified, even when no DHCP server is present so that network-based installations are possible. (BZ#233066)

previously, the method used by libdhcp to build a list of network interfaces available on a system could accommodate a maximum of 86 interfaces. As a consequence, attempts to perform network-based installations through interfaces eth86 and higher would fail. libdhcp now uses libnl to build a list of valid interfaces and therefore is no longer limited to the first 86 that it finds. Network-based installations are therefore possible on a wider range of hardware and network configurations. (BZ#444919)

Interfaces using static network configuration are properly handled during installation.

The system will now see all available network interfaces in the system during installation, rather than stopping at eth85.

runtime self-tests and FIPS mode setting have been added, both of which are necessary for Federal Information Processing Standards level 1 (FIPS 140-2) validation. Note: libgcrypt 1.4.4 is currently undergoing FIPS-140-2 validation. FIPS mode is disabled by default, however, to ensure the libgcrypt library maintains feature parity and ABI compatibility with libgcrypt packages previously included in Red Hat Enterprise Linux 5. The FIPS mode can be enabled with kernel command line setting or by creating an empty file, /etc/gcrypt/fips_enabled. (BZ#444803)

libgcrypt now works with gnutls in non-enforced FIPS mode. (BZ#462718)

dontaudit messages could not be disabled, which made it difficult for customers building their own security policies to identify which policies were being denied. This updated package includes the "sepol_set_disable_dontaudit" and "semanage_set_disable_dontaudit" functions, which allow dontaudit messages to be disabled. (BZ#493114)

corrected a specific versioned dependency issue relating to libsepol (BZ#512662)

the RPM package information specified that libsepol was provided under a GPL license. This contradicted the source RPM change log, which specified that libsepol was provided under a LGPL licence. The correct licence type (LGPL) is now specified in the libsepol package information. (BZ#488802)

dontaudit messages could not be disabled, which made it difficult for customers building their own security policies to identify which policies were being denied. This updated package includes the "sepol_set_disable_dontaudit" function, which allows dontaudit messages to be disabled.

C++ programs which used standard C++ exceptions and were linked with the libunwind library could crash, due to a conflict between the unwinding capabilities contained in GCC and those provided by libunwind. libunwind used an outdated Application Binary Interface (ABI) which did not provide the GetIPInfo() function. When the libunwind unwinder was preferred over the GCC unwinder, then the missing GetIPInfo() function (which was provided by the GCC unwinder) was used together with libunwind's unwinding support. Because GCC's GetIPInfo() function must access the (valid) state of the GCC unwinder, an application crash could result. Because of this ABI change, libunwind required a small extension to its ABI to update it to the current unwinding ABI. This updated package provides that extension, thus removing the possibility for unwinding conflict and potential application crash. (BZ#480412)

the "virsh" and "xm" commands passed incorrectly passed the option "type=vbd" when either attaching or detaching TAP devices, which caused the command to fail. With this update, the correct type, "type=tap", is passed when TAP devices are attached or detached. (BZ#475791)

attempting to create a domain on a node using an iSCSI volume pool managed by libvirt failed with this error message:

libvir: Remote error : socket closed unexpectedly
error: Failed to create domain from create_guest.xml

This has been fixed in these updated packages so that creating guests on an iSCSI volume pool succeeds as expected. (BZ#483310)

the "virsh" and "xm" commands passed incorrectly passed the option "type=vbd" when either attaching or detaching TAP devices, which caused the command to fail. With this update, the correct type, "type=tap", is passed when TAP devices are attached or detached. (BZ#483835)

occasionally, libvirt lost track of running domains, the command "virsh list" did not list those domains, and pid files still existed for the processes representing those domains. A fix to the libvirt event loop now ensures that libvirt is able to keep track of all running domains on the host. (BZ#499250)

due to a domain ID-handling error, the command "virsh destroy [domain-id]" could potentially terminate domains with IDs similar to the target. This has been corrected so that "virsh destroy [domain-id]" terminates only the target domain. (BZ#500158)

running the command "virsh dominfo [domain-id]" to acquire information about a running Xen domain resulted in this error message:

error: this function is not supported by the hypervisor: virNodeGetSecurityModel

This update fixes the dominfo subcommand so that it does not return an error message if the security model API is unimplemented. (BZ#506688)

right-clicking on a running domain in the virt-manager application and then choosing Shutdown -> Force Off incorrectly caused that domain ID to disappear from the virt-manager list of VMs. In addition, domains created with the virt-manager or virt-install applications were not listed in the GUI window until virt-manager was restarted or the newly-created guest was started. This issue was related to inotify support and has been fixed in these updated packages. (BZ#508278)

PCI pass-through is a virtualization-related ability that is enabled by AMD's IOMMU and Intel's VT-d technologies. With PCI pass-through, PCI devices can be "passed through" the hypervisor (that is, bypassing it and locking it out) to an unprivileged domain, thereby allowing near-native performance of hardware devices, such as network cards, in guest domains. With this update, PCI pass-through is enabled for both Xen and KVM virtual machines. (BZ#471156 , BZ#513317 , BZ#496925 , BZ#481757 , BZ#481747)

libvirt-cim would generate an incorrect boot tag for fully virtualized Xen guests, which would cause a 'Missing boot device' error. Boot tags will now generate in the form <boot dev='hd'> instead of <boot>hd</boot>, and guests will be able to start normally. (BZ#503724)

KVM virtualization in Red Hat Enterprise Linux, as mentioned above, requires an updated version of libvirt-cim to support the new hypervisor. libvirt-based CIM providers have been updated to enable support for third-party system management tools for Xen and KVM. (BZ#474681)

Red Hat Enterprise Linux 4 introduced higher permission sensitivity to directory creation when installing packages. When the root's umask was changed prior to installation, and a package did not explicitly define directory permissions for a file, the installer would create directories based on the umask of the user who ran the installation. This could result in an 'Unowned Directory' error. libvirt-cim now includes full permission information, so directories are set up correctly during installation. (BZ#481810)

serial tablets commonly found in tablet laptops were not recognized as tablets. The udev rules have been modified to create symbolic links, which adds serial tablet support. (BZ#483827)

wacomcpl did not show a specific pointer device in the title bar of a submenu when a tool was edited. (That is, the title bar showed 'Tool Buttons' rather than 'Stylus Tool Buttons' when the Stylus tool was selected.) The device is now shown in the submenu title bar so that users can easily see which device is being edited. (BZ#485942)

in some cases, when tracing the process that used fork system call, the kernel may have reported certain events in the forked child even before it reported that the fork had occurred in the first place. With this update, ltrace now anticipates this behavior, thus resolving the issue.

on IBM System z machines, ltrace would crash when attempting to trace binaries that called functions with five or more arguments. This has been fixed with this update and ltrace now works as expected.

when ltrace's '-o' option, which writes the output to a file, was used alongside the '-c' option, which counts time and calls for each library call and reports a summary, ltrace sent the output to standard error as usual instead of to the file designated on the command line. With this updated package, ltrace sends the output to the designated file when it is called with the '-c' option, thus resolving this issue.

ltrace was not able to trace a binary that was called using the "exec" system call. With this update, ltrace is now able to do so.

the ltrace(1) man page incorrectly claimed that ltrace could not trace 64-bit binaries, and has been corrected.

a bug in which ltrace would become unresponsive (i.e. "hang") while tracing a child process with the '-f' option, which traces child processes as they are created by currently traced processes as a result of the fork or clone system calls. To correct for this, ltrace now tests for the situation in which it fails to attach to a newly-forked process, thus resolving the issue.

Fixes pvmove to revert operation if temporary mirror creation fails.

Fixes metadata export for VG with missing PVs.

Enables use of cached metadata for pvs and pvdisplay commands.

Fixes segfault for vgcfgrestore on VG with missing PVs.

Fixes memory leaks in toolcontext error path and mirror allocation code.

Ignores suspended devices during repair and allows metadata correction even when PVs are missing.

Unifies error messages when processing inconsistent volume group.

Fixes multi-extent mirror log allocation when smallest PV has only 1 extent.

Attempts to load dm-zero module if zero target needed but not present.

Forces max_lv restriction only for newly created LV.

Fixes vgreduce --removemissing failure exit code.

Always returns exit error status when locking of volume group fails.

Fixes mirror log convert validation question.

Saves and restores the previous logging level when log level is changed internally.

Fixes error message when archive initialization fails.

Fixes lvcreate to remove unused cow volume if the snapshot creation fails.

Removes old metadata backup file after renaming VG.

Avoids scanning empty metadata areas for VG names.

Fixes fsadm to pass --test from lvresize and prevents from checking mounted file system.

Fixes lvresize size conversion for fsadm when block size is not 1K.

Fixes cached volume group metadata to cope with duplicate volume group names.

Fixes pvs segfault when pv mda attributes requested for not available PV.

Fixes pvs segfault when run with orphan PV and some VG fields.

Fixes lvmdump /sys listing to include virtual devices directory.

Avoids exceeding LV size when wiping device.

Calculates mirror log size instead of using 1 extent.

Ensures requested device number is available before activating with it.

Fixes incorrect exit status from 'help <command>'.

Fixes vgrename using UUID if there are VGs with identical names.

Fixes segfault when invalid field given in reporting commands.

Copes with snapshot dependencies when removing a whole VG with lvremove.

Exits with non-zero status from vgdisplay if couldn't show any requested VG.

Fixes minimum width of devices column in reports.

Fixes pvs report for orphan PVs when segment attributes are requested.

Fixes pvs -a output to not read volume groups from non-PV devices.

Fixes and updates to man pages including the restriction on file descriptors at invocation and --nameprefixes, --unquoted, --rows options in pvs,vgs,lvs commands.

As well, this update adds the following enhancements:

Online resizing of mirrors is now enabled.

Adds vgimportclone command to import and rename duplicated volume group (e.g. a hardware snapshot).

Adds --dataalignment to pvcreate to specify alignment of data area.

Reduces memory usage by using per volume group memory pools.

Detects and conditionally wipes swapspace signatures in pvcreate.

Adds sparse snapshot devices manipulation, e.g. lvcreate --virtualsize (hidden zero origin).

Inherits readahead setting from underlying devices during activation.

Adds MMC (mmcblk) device type to filters.

Does not scan devices if reporting only attributes from PV label.

Adds fsadm support for reszing ext4 filesystems.

Adds "--refresh" functionality to vgchange and vgmknodes.

Adds lvs origin_size, dev_size, pv_mda_size and vg_mda_size to reports.

Fixes partial activation support in clustered mode.

Flushes memory pool and fixes locking in clvmd refresh and backup command.

Destroys toolcontext on exit in clvmd (fixes memory pool leaks).

Fixes remote metadata backup for clvmd.

Fixes startup race in clvmd.

This update adds the following enhancements:

Introduces CLVMD_CMD_LOCK_QUERY command for clvmd.

Allows clvmd to start up if its lockspace already exists.

Blocks SIGTERM & SIGINT in clvmd subthreads.

closing a file object returned by m2urllib2 did not immediately close the underlying network connection. This could cause a process to run out of file handles. Closing a file object now closes the sockets associated with it and avoids leaking file descriptors. (BZ#460692)

the Python global interpreter lock was not released by blocking m2crypto functions, making it impossible to use m2crypto concurrently in a multi-threaded program. M2Crypto now uses the thread support in SWIG for functions that are likely to block. M2Crypto can now accept additional connections even when a different thread is still waiting for incoming data. (BZ#472690)

m2urllib2 used absolute URIs in HTTP requests instead of using only the selector part of the URI, which is not supported by some HTTP servers. Now, m2urllib2 makes requests with only the selector part of the URI, ensuring that the request is understood even by HTTP servers that do not support requests made with the absolute URI. (BZ#491674)

the M2Crypto SSL certificate checker incorrectly rejected certificates with a subjectAltName extension that did not contain a host name. M2Crypto now uses the certificate subject field instead of subjectAltName if subjectAltName does not contain a host name. (BZ#504060)

the OpenSSL locking callback in M2Crypto did not block on a lock when the lock was held by another thread. This could cause data corruption in multi-threaded applications. The locking callback now functions correctly, regardless of which thread holds the lock. (BZ#507903)

modules loaded after sysctl was run could override parameters set in sysctl and sysctl.conf. Man pages have been updated with information about this process and suggestions as to how modifications can be retained by the system across reboots. (BZ#451238)

The bash(1), echo(1), wall(1), vmstat(8) and edquota(8) man pages included in the previous releast of man-pages-ja contained several typographical errors. These have now been corrected. (BZ#454048 , BZ#454419 , BZ#457361 , BZ#460688 , BZ#493783)

the code that generates the MCE log contained a typo that appeared in several places. Consequently, mcelog would ignore a chunk of the data at the beginning of each record. The chunk of data would be so large that each record would be empty and therefore, the log itself would be empty. With this typo corrected, mcelog correctly generates its log of MCE events. (BZ#501512)

mcelog is unable to obtain MCE data from paravirtualized Xen guests on a system. Previously, each time that mcelog tried and failed to obtain this data, it would generate an error report -- by default, once per hour. These error reports could mislead users to think that there was a problem with their system. Now, mcelog does not generate error reports when it cannot obtain MCE data from paravirtualized Xen guests, and therefore avoids any potential confusion. (BZ#511126)

the mcelog package had not been updated in several releases. Therefore, the existing package could not decode MCE events from newer Intel processors such as the "Nehalem" and "Dunnington" series. This update adds support for newer Intel hardware. (BZ#473392)

the Linux software raid stack supports data scrubbing (reading disks in the raid array and looking for bad sectors, and when bad sectors are found using information from other disks or from parity to rewrite the bad sectors with good data). However, the mdadm package did not make use of this functionality. This package adds a cron job to /etc/cron.weekly to check disks for bad sectors and repair them when found. (BZ#233972)

the mdadm man page contained several typos and was not clear on the proper usage of a number of mdadm options. The typos have been removed and notes and clarifications have been added so that the man page now better reflects the proper usage and limitations of the mdadm command. (BZ#434670 , BZ#434671 , BZ#489476)

mdadm did not recognize the "-N" and "-Y" short options, although it recognized their long equivalents ("--name" and "--export") and they were listed as valid in mdadm --help. Mdadm now recognizes these short options. (BZ#478977)

a new raid-check script (see the enhancement note below) attempted to check arrays that were not checkable. The script first retrieved a list of active arrays from /proc/mdstat then attempted to write "check" to the sync_action element of each array's sysfs entry. Non-redundant arrays (such as linear and raid0 arrays) do not have a sync_action entry in sysfs, however. Note: this did not prevent the script from checking arrays that could be checked but did cause cron job output errors to be e-mailed to the system administrator. The raid-check script now checks for a sync_action element in sysfs before writing to it. (BZ#513473)

with this update mdadm has new functionality to enable "data scrubbing" on redundant arrays. Data scrubbing looks for bad sectors on drives in redundant arrays and fixes the bad sectors using data from other drives to reconstruct sectors that return read errors. Note: data scrubbing is on by default in this new package. It runs once per week and may cause some performance degradation while it is running. If users wish to disable this feature for performance reasons, or if they wish to control what type of check is performed on arrays, or which arrays to check at all, edit the file /etc/sysconfig/raid-check. Details of how to set options are included in the file as comments. (BZ#513200)

when using kernel version 2.6.18-122 or earlier, creating an initial ramdisk (initrd) failed due to the mkinitrd script assuming that RAID-specific kernel modules were available when they were not. With these updated packages, mkinitrd no longer assumes that these RAID-specific kernel modules are available, and thus initrd creation completes successfully. (BZ#496591)

mkinitrd failed on dmraid systems with kernels that don't include dm-raid45 modules. (BZ479270)

the "netname" command has been improved to handle environmental variables correctly. (BZ474422)

handling for UUID and LABEL on hibernation devices has been improved. (BZ489836)

This update also includes these enhancements:

when in fips mode the tcrypt module is now loaded to self-test all cryptographic algorithms. (BZ499639)

support for FIPS integrity checking of the kernel has been added. (BZ467497)