Chapter 6. Notable Bug Fixes
This chapter describes bugs fixed in Red Hat Enterprise Linux 7 that have a significant impact on users.
6.1. Authentication and Interoperability
Directory Server rebased to version 1.3.10
The 389-ds-base packages have been upgraded to upstream version 1.3.10, which provides a number of bug fixes over the previous version.
Directory Server now correctly logs the search base if the server rejects a search operation
Previously, when Directory Server rejected a search operation because of a protocol error, the server logged base="(null)" instead of the actual search base. With this update, Directory Server passes the correct internal variable to the log operation. As a result, the server correctly logs the search base in the mentioned scenario.
Directory Server improved the logging of the etime value
Previously, if an operation started and completed at the border of a second and the operation took less than one second, Directory Server logged an incorrectly calculated etime value. As a consequence, the logged value was too big. This update fixes the problem. As a result, the calculated etime value is now closer to the start and end time stamp.
Directory Server now logs the correct etime value in the access log
Previously, Directory Server incorrectly formatted the etime field in the /var/log/dirsrv/slapd-<instance_name>/access log file. As a consequence, the time value in nanoseconds was 10 times lower than the actual value. This update fixes the problem. As a result, Directory Server now logs the correct nanosecond value in the etime field.
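Both etime fixes come down to the same two pitfalls: subtracting timestamps across a second boundary, and printing the nanosecond field at its full width. The following C code is an added illustration written for this page, not 389-ds-base code; the naive variant is a constructed example of the bug class, and the function names are chosen here.

```c
#include <stdio.h>
#include <time.h>

/* Added example (not 389-ds-base code): elapsed-time bookkeeping for an
 * access-log etime field, with the naive and the correct subtraction. */

/* Naive subtraction: the two fields are subtracted independently and the
 * sign of the nanosecond difference is discarded.  An operation that starts
 * at 10.9 s and ends at 11.1 s yields 1.8 s instead of 0.2 s, i.e. a value
 * that is too big whenever the operation straddles a second boundary. */
struct timespec etime_naive(struct timespec start, struct timespec end)
{
    struct timespec d;
    long ns = end.tv_nsec - start.tv_nsec;

    d.tv_sec  = end.tv_sec - start.tv_sec;
    d.tv_nsec = ns < 0 ? -ns : ns;
    return d;
}

/* Correct subtraction: borrow one second when the nanosecond difference is
 * negative, so the result is normalised to 0 <= tv_nsec < 1e9. */
struct timespec etime_diff(struct timespec start, struct timespec end)
{
    struct timespec d;

    d.tv_sec  = end.tv_sec  - start.tv_sec;
    d.tv_nsec = end.tv_nsec - start.tv_nsec;
    if (d.tv_nsec < 0) {
        d.tv_sec  -= 1;
        d.tv_nsec += 1000000000L;
    }
    return d;
}

/* Render as seconds.nanoseconds.  The %09ld width keeps all nine digits of
 * the nanosecond field; a narrower width or a wrong divisor shifts the
 * logged value by a power of ten (0.050000000 must not become 0.005000000).
 * Returns the number of characters written, or -1 if buf is too small. */
int etime_format(struct timespec d, char *buf, size_t len)
{
    int n = snprintf(buf, len, "%lld.%09ld", (long long)d.tv_sec, d.tv_nsec);

    return (n < 0 || (size_t)n >= len) ? -1 : n;
}
```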
The severity of a Directory Server log message has been changed
Previously, Directory Server incorrectly logged Event <event_name> should not occur in state <state_name>; going to sleep messages as error. This update changes the severity of this message to warning.
Directory Server is RFC 4511-compliant when searching for the 1.1 and other attributes in one request
To retrieve only a list of matching distinguished names (DN), LDAP users can search for the 1.1 special attribute. According to RFC 4511, if an LDAP client searches for the 1.1 special attribute in combination with other attributes in one search request, the server must ignore the 1.1 special attribute.
Previously, when a Directory Server user searched for the 1.1 special attribute and other attributes in the same search request, the server returned no attributes. This update fixes the problem. As a result, Directory Server is RFC 4511-compliant in the mentioned scenario.
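The attribute-selection rule from RFC 4511 section 4.5.1.8, as an added C example written for this page (not Directory Server code); select_attrs_legacy is a constructed illustration of the pre-fix behaviour described above, not the actual old implementation.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not Directory Server code: applying the RFC 4511 rules for
 * the attribute list of a SearchRequest.  "1.1" alone means "return no
 * attributes"; "1.1" mixed with other selectors is ignored; an empty list
 * means "all user attributes".  "*" is passed through as an ordinary
 * selector for the caller to expand. */

#define NO_ATTRS_OID "1.1"

enum attr_mode {
    ATTRS_ALL_USER,   /* empty request list: return all user attributes */
    ATTRS_NONE,       /* only "1.1" requested: return entries without attributes */
    ATTRS_LISTED      /* return the selectors copied to out[] */
};

/* RFC 4511-compliant selection.  Copies the surviving selectors (at most
 * cap of them) into out[], stores the count in *out_n, returns the mode. */
enum attr_mode select_attrs(const char **req, size_t n,
                            const char **out, size_t cap, size_t *out_n)
{
    size_t i, kept = 0;

    *out_n = 0;
    if (n == 0)
        return ATTRS_ALL_USER;
    for (i = 0; i < n; i++) {
        if (strcmp(req[i], NO_ATTRS_OID) == 0)
            continue;               /* "1.1" only matters when it is alone */
        if (kept < cap)
            out[kept] = req[i];
        kept++;
    }
    if (kept == 0)
        return ATTRS_NONE;          /* every selector was "1.1" */
    *out_n = kept < cap ? kept : cap;
    return ATTRS_LISTED;
}

/* Constructed illustration of the pre-fix behaviour described above (not the
 * real old code): any occurrence of "1.1" suppresses all attributes, so a
 * client asking for "1.1" and "cn" gets entries with no attributes at all. */
enum attr_mode select_attrs_legacy(const char **req, size_t n,
                                   const char **out, size_t cap, size_t *out_n)
{
    size_t i;

    *out_n = 0;
    for (i = 0; i < n; i++)
        if (strcmp(req[i], NO_ATTRS_OID) == 0)
            return ATTRS_NONE;
    return select_attrs(req, n, out, cap, out_n);
}
```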
Directory Server returns password policy controls in the correct order
Previously, if the password of a user expired, Directory Server returned password policy controls in a different order depending on whether grace logins were exhausted or not. Consequently, this sometimes caused problems in LDAP clients compliant with the RFC 4511 standard. This update fixes the problem, and as a result, Directory Server returns password policy controls in the correct order.
(BZ#1724914)
Directory Server now also applies limits for maximum concurrent cleanAllRUV tasks received from extended operations
Directory Server supports up to 64 concurrent cleanAllRUV tasks. Previously, Directory Server applied this limit only to manually created tasks and not to tasks the server received from extended operations. As a consequence, more than 64 concurrent cleanAllRUV tasks could run at the same time and slow down the server. This update adds a counter to track the number of clean tasks and abort threads. As a result, only up to 64 concurrent cleanAllRUV tasks can run at the same time.
Importing large LDIF files to Directory Server databases with many nested sub-trees is now significantly faster
Previously, if the Directory Server database contained many nested sub-trees, importing a large LDIF file using the ldif2db and ldif2db.pl utilities was slow. With this update, Directory Server adds the ancestorid index after all entries have been imported. As a result, importing LDIF files to a database with many nested sub-trees is now significantly faster.
Directory Server now processes new operations only after a previous SASL bind fully initialized the connection
During a bind using the Simple Authentication and Security Layer (SASL) framework, Directory Server initializes a set of callback functions. Previously, if Directory Server received an additional operation on the same connection during a SASL bind, this operation could access and use the callback functions even if they were not fully initialized. Consequently, the Directory Server instance terminated unexpectedly. With this update, the server prevents operations from accessing and using the callback structure until the previous SASL bind is successfully initialized. As a result, Directory Server no longer crashes in this situation.
The cl-dump.pl and cl-dump utilities now remove temporary files after exporting the change log
Previously, the cl-dump.pl and cl-dump utilities in Directory Server created temporary LDIF files in the /var/lib/dirsrv/slapd-<instance_name>/changelogdb/ directory. After the change log was exported, the utilities renamed the temporary files to *.done. As a consequence, if the temporary files were large, this could result in low free disk space. With this update, by default, cl-dump.pl and cl-dump delete the temporary files at the end of the export. Additionally, the -l option has been added to both utilities to preserve the temporary files. As a result, cl-dump.pl and cl-dump free the disk space after exporting the change log, or users can optionally enforce the old behavior by using the -l option.
IdM configures the Apache NSS module to use only TLS 1.2 when installing or updating an IdM server or replica
Previously, when an administrator installed an Identity Management (IdM) server or replica, the installer enabled the TLS 1.0, TLS 1.1, and TLS 1.2 protocols in the Apache web server’s network security service (NSS) module. This update provides the following changes:
- When you set up a new server or replica, IdM only enables the strong TLS 1.2 protocol.
- On existing IdM servers and replicas, this update disables the weak TLS 1.0 and TLS 1.1 protocols.
As a result, new and updated IdM servers and replicas use only the strong TLS 1.2 protocol in the Apache web server’s NSS module.
IdM now correctly updates the certificate record in the cn=CAcert,cn=ipa,cn=etc,<base_DN> entry
Previously, after renewing the Identity Management (IdM) certificate authority (CA) certificate or modifying the CA certificate chain, IdM did not update the certificate record stored in the cn=CAcert,cn=ipa,cn=etc,<base_DN> entry. As a consequence, installations of IdM clients on RHEL 6 failed. With this update, IdM updates the certificate record in cn=CAcert,cn=ipa,cn=etc,<base_DN>. As a result, installing IdM clients on RHEL 6 now succeeds after the administrator renews the CA certificate or updates the certificate chain on the IdM CA.
The ipa-replica-install utility now verifies that the server specified in --server provides all required roles
The ipa-replica-install utility provides a --server option to specify the Identity Management (IdM) server which the installer should use for the enrollment. Previously, ipa-replica-install did not verify that the supplied server provided the certificate authority (CA) and key recovery authority (KRA) roles. As a consequence, the installer replicated domain data from the specified server and CA data from a different server that provided the CA and KRA roles. With this update, ipa-replica-install verifies that the specified server provides all required roles. As a result, if the administrator uses the --server option, ipa-replica-install only replicates data from the specified server.
ipa sudorule-add-option no longer shows a false error when options are added to an existing sudo rule
Previously, when a sudo rule already contained hosts, hostgroups, users, or usergroups, the ipa sudorule-add-option command incorrectly processed the sudo rule content. Consequently, the ipa sudorule-add-option command used with the sudooption argument returned an error despite completing successfully. This bug has been fixed, and ipa sudorule-add-option now displays accurate output in the described scenario.
(BZ#1691939)
IdM no longer drops all custom attributes when moving an account from preserved to stage
Previously, IdM processed only some of the attributes defined in a preserved account. Consequently, when moving an account from preserved to stage, all the custom attributes were lost. With this update, IdM processes all the attributes defined in a preserved account and the described problem no longer occurs.
(BZ#1583950)
Sub-CA key replication no longer fails
Previously, a change to the credential cache (ccache) behaviour in the Kerberos library caused lightweight Certificate Authority (CA) key replication to fail. This update adapts the IdM lightweight CA key replication client code to the changed ccache behaviour. As a result, the lightweight CA key replication now works correctly.
Certificate System now records audit events if the system acts as a client to other subsystems or to the LDAP server
Previously, Certificate System did not contain audit events if the system acted as a client to other subsystems or to the LDAP server. As a consequence, the server did not record any events in this situation. This update adds the CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE, CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS, and CLIENT_ACCESS_SESSION_TERMINATED events to Certificate System. As a result, Certificate System records these events when acting as a client.
(BZ#1523330)
The python-kdcproxy library no longer drops large Kerberos replies
Previously, if an Active Directory Key Distribution Center (KDC) split large Kerberos replies into multiple TCP packets, the python-kdcproxy library dropped these packets. This update fixes the problem. As a result, python-kdcproxy processes large Kerberos replies correctly.
6.2. Compiler and Tools
Socket::inet_aton() can now be used from multiple threads safely
Previously, the Socket::inet_aton() function, used for resolving a domain name from multiple Perl threads, called the unsafe gethostbyname() glibc function. Consequently, an incorrect IPv4 address was occasionally returned, or the Perl interpreter terminated unexpectedly. With this update, the Socket::inet_aton() implementation has been changed to use the thread-safe getaddrinfo() glibc function instead of gethostbyname(). As a result, the inet_aton() function from the Perl Socket module can be used from multiple threads safely.
sosreport now generates HTML reports faster
Previously, when the sosreport utility collected tens of thousands of files, generation of the HTML report was very slow. This update changes the text report code, improving the report structure and formatting. Additionally, support for reports in the JSON file format has been added. As a result, HTML reports are now generated without delay.
6.3. Desktop
32- and 64-bit fwupd packages can now be used together when installing or upgrading the system
Previously, the /usr/lib/systemd/system/fwupd.service file in the fwupd packages was different for 32- and 64-bit architectures. Consequently, it was impossible to install both 32- and 64-bit fwupd packages or to upgrade a Red Hat Enterprise Linux 7.5 system with both 32- and 64-bit fwupd packages to a later version. This update fixes fwupd so that the /usr/lib/systemd/system/fwupd.service file is the same for both 32- and 64-bit architectures. As a result, installing both 32- and 64-bit fwupd packages, or upgrading a Red Hat Enterprise Linux 7.5 system with both 32- and 64-bit fwupd packages to a later version, is now possible.
(BZ#1623466)
A memory leak in libteam has been fixed
Previously, the libteam library used an incorrect JSON API when a user queried the status of a network team. As a consequence, the teamdctl <team_device> state command leaked memory. With this update, the library uses the correct API, and querying the status of a team no longer leaks memory.
6.4. Installation and Booting
The installation program correctly sets the connection type for Kickstart network team devices
Previously, the installation program used the TYPE="Team" parameter instead of the DEVICETYPE="Team" parameter to specify the connection type in the ifcfg file that is created for Kickstart network team devices. As a consequence, network team devices managed by the network service were not activated during the boot process. With this update, the installation program uses the DEVICETYPE parameter to specify the connection type in the ifcfg file. As a result, Kickstart network team devices are activated during the boot process even if the system uses the network service for network configuration, for example because the NetworkManager service is disabled.
(BZ#1680606)
The installation program correctly handles an exception when GTK is not installed
Previously, the installation program failed to handle an exception when the GTK GUI toolkit was not installed in the environment. As a consequence, the exception was not communicated to the user. With this update, the installation program correctly handles an exception when the GTK GUI toolkit is not installed, and the user is also notified of the exception.
(BZ#1712987)
6.5. Kernel
The IBM Z systems no longer become unresponsive when using certain BCC tools
Previously, due to a bug in the kernel, running the dcsnoop, runqlen, and slabratetop utilities from the bcc-tools package caused IBM Z systems to become unresponsive. This update fixes the problem, and IBM Z systems no longer hang in the described scenario.
(BZ#1724027)
Virtual machines no longer enable unnecessary CPU vulnerability mitigation
Previously, the MDS_NO CPU flag, which indicates that the CPU is not vulnerable to the Microarchitectural Data Sampling (MDS) vulnerability, was not exposed to guest operating systems when the virtual machine was using CPU host-passthrough. As a consequence, the guest operating system in some cases automatically enabled CPU vulnerability mitigation features that were not necessary for the host. This update ensures that the MDS_NO flag is properly visible to the guest operating system when using CPU host-passthrough, which prevents the described problem from occurring.
(BZ#1708465, BZ#1677209)
Disabling logging in the nf-logger framework has been fixed
Previously, when an admin used the sysctl or echo commands to turn off an assigned netfilter logger, a NUL character was not added to the end of the NONE string. Consequently, the strcmp() function failed with a No such file or directory error. This update fixes the problem. As a result, commands such as sysctl net.netfilter.nf_log.2=NONE work as expected and turn off logging.
(BZ#1770232)
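The defect above is the classic missing-terminator pattern on a sysctl write: user space supplies bytes plus a length, and any str*() call on them is only safe once a terminator is in place. The following C functions are an added example for this page, not kernel code; the names and the 64-byte limit are chosen here.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not kernel code: handling a value written to a sysctl such
 * as net.netfilter.nf_log.2.  User space hands over raw bytes with a length
 * (typically "NONE\n" from sysctl or echo) and no NUL terminator, so the
 * value has to be copied and terminated before strcmp() may look at it. */

#define NF_LOGGER_NAME_MAX 64   /* constructed limit for this example */

/* Copy the written bytes into a NUL-terminated buffer, dropping one trailing
 * newline.  Returns 0 on success, -1 when the value contains an embedded NUL
 * or does not fit (no silent truncation that would change the name). */
int sysctl_copy_name(const char *in, size_t count, char *out, size_t outlen)
{
    if (outlen == 0)
        return -1;
    if (count > 0 && in[count - 1] == '\n')
        count--;                            /* "NONE\n" -> "NONE" */
    if (memchr(in, '\0', count) != NULL)
        return -1;                          /* embedded NUL: reject */
    if (count >= outlen)
        return -1;                          /* keep room for the terminator */
    memcpy(out, in, count);
    out[count] = '\0';                      /* the byte that was missing */
    return 0;
}

/* Interpret a write to the nf_log sysctl.  Returns 1 when the value is the
 * "NONE" keyword (unbind the logger), 0 for a logger name, -1 if malformed. */
int nf_log_value_is_none(const char *in, size_t count)
{
    char name[NF_LOGGER_NAME_MAX];

    if (sysctl_copy_name(in, count, name, sizeof name) < 0)
        return -1;
    return strcmp(name, "NONE") == 0;
}
```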
Resuming from hibernation now works on the megaraid_sas driver
Previously, when the megaraid_sas driver resumed from hibernation, the Message Signaled Interrupts (MSIx) allocation did not work correctly. As a consequence, resuming from hibernation failed, and restarting the system was required. This bug has been fixed, and resuming from hibernation now works as expected.
(BZ#1807077)
Kdump no longer fails in the second kernel
Previously, the kdump initramfs image could fail in the second kernel after a disk migration or installation of a new machine with a disk image. This update adds the kdumpctl rebuild command for rebuilding the kdump initramfs image. As a result, users can now rebuild initramfs to ensure that kdump does not fail in the second kernel.
(BZ#1723492)
6.6. Real-Time Kernel
The latency for isolated CPUs is now reduced by avoiding spurious ktimersoftd activation
Previously, on a KVM-RT configured system, per-CPU ktimersoftd kernel threads ran once every second even in the absence of a timer. Consequently, increased latency occurred on the isolated CPUs. This update adds an optimization to the real-time kernel that does not wake ktimersoftd on every tick. As a result, ktimersoftd is not raised on isolated CPUs, which prevents the interference and reduces the latency.
6.7. Networking
The tc filter show command now displays filters correctly when the handle is 0xffffffff
Previously, a bug in the TC flower code caused an undesired integer overflow. As a consequence, dumping a flower rule that used 0xffffffff as a handle could result in an infinite loop. This update prevents the integer overflow on 64-bit architectures. As a result, tc filter show no longer loops in this scenario, and filters are now shown correctly.
(BZ#1712737)
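The hang described above is the bug class of a loop counter that can never exceed the last value it is compared against: once the handle reaches the maximum of its type, the increment wraps and the exit condition stays true. The following C code is an added illustration for this page, not the kernel's flower code; both walk functions and their names are constructed here.

```c
#include <stdint.h>

/* Added example, not the kernel's flower code: the pattern behind the
 * described hang.  A dump walks filter handles from `start` to `last`
 * inclusive, and the handle space is 32-bit. */

/* Wrapping walk: with last == 0xffffffff the increment after the final
 * handle wraps to 0, the condition h <= last is still true, and the loop
 * never terminates.  `budget` is a demo-only safety valve; the return value
 * is the number of iterations performed, and returning `budget` means the
 * walk did not finish on its own. */
uint64_t walk_handles_wrapping(uint32_t start, uint32_t last, uint64_t budget)
{
    uint64_t visited = 0;
    uint32_t h;

    for (h = start; h <= last; h++) {
        if (++visited >= budget)
            return budget;
    }
    return visited;
}

/* Fixed walk: compare before stepping, so the loop exits on the final
 * handle without ever incrementing past it; start > last visits nothing. */
uint64_t walk_handles(uint32_t start, uint32_t last)
{
    uint64_t visited = 0;
    uint32_t h = start;

    if (start > last)
        return 0;
    for (;;) {
        visited++;
        if (h == last)
            break;
        h++;
    }
    return visited;
}
```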
The kernel no longer crashes when attempting to apply an invalid TC rule
Previously, while attempting to replace a traffic control (TC) rule with a rule having an invalid goto chain parameter, a kernel crash occurred. With this update, the kernel avoids a NULL dereference in the described scenario. As a result, the kernel no longer crashes, and an error message is logged instead.
(BZ#1712918)
The kernel now correctly updates PMTU when receiving an ICMPv6 Packet Too Big message
In certain situations, such as for link-local addresses, more than one route can match a source address. Previously, the kernel did not check the input interface when receiving Internet Control Message Protocol Version 6 (ICMPv6) packets. Therefore, the route lookup could return a destination that did not match the input interface. Consequently, when receiving an ICMPv6 Packet Too Big message, the kernel could update the Path Maximum Transmission Unit (PMTU) for a different input interface. With this update, the kernel checks the input interface during the route lookup. As a result, the kernel now updates the correct destination based on the source address, and PMTU works as expected in the described scenario.
(BZ#1722686)
MACsec no longer drops valid frames
Previously, if the cryptographic context for AES-GCM was not completely initialized, decryption of incoming frames failed. Consequently, MACsec dropped valid incoming frames and increased the InPktsNotValid counter. With this update, the initialization of the cryptographic context has been fixed. Now, decryption with AES-GCM succeeds, and MACsec no longer drops valid frames.
(BZ#1698551)
The kernel no longer crashes when goto chain is used as a secondary TC control action
Previously, when the act gact and act police traffic control (TC) rules used an invalid goto chain parameter as a secondary control action, the kernel terminated unexpectedly. With this update, the kernel avoids the NULL dereference when handling goto chain and no longer crashes in the described scenario. Instead, the kernel returns an -EINVAL error.
(BZ#1729033)
Kernel no longer allows adding duplicate rules with NLM_F_EXCL set
Previously, the kernel never checked the rule content when a new policy routing rule was added. Consequently, the kernel could add two rules that were exactly the same. This complicated the rule set, which could cause problems when NetworkManager tried to cache the rules. With this update, support for the NLM_F_EXCL flag has been added to the kernel. Now, when a rule is added and the flag is set, the kernel checks the rule content and returns an EEXIST error if the rule already exists. As a result, the kernel no longer adds duplicate rules.
(BZ#1700691)
The ipset list command reports consistent memory for hash set types
When you add entries to a hash set type, the ipset utility must resize the in-memory representation to make room for the new entries by allocating an additional memory block. Previously, ipset set the total per-set allocated size to only the size of the new block instead of adding the value to the current in-memory size. As a consequence, the ipset list command reported an inconsistent memory size. With this update, ipset correctly calculates the in-memory size. As a result, the ipset list command now displays the correct in-memory size of the set, and the output matches the actual allocated memory for hash set types.
firewalld no longer attempts to create IPv6 rules if the IPv6 protocol is disabled
Previously, if the IPv6 protocol was disabled, the firewalld service incorrectly attempted to create rules using the ip6tables utility, even though ip6tables should not be usable. As a consequence, when firewalld initialized the firewall, the service logged error messages. This update fixes the problem, and firewalld now only initializes IPv4 rules if IPv6 is disabled.
The --remove-rules option of firewall-cmd now removes only direct rules that match the specified criteria
Previously, the --remove-rules option of the firewall-cmd command did not check which rules to remove. As a consequence, the command removed all direct rules instead of only the matching subset. This update fixes the problem. As a result, firewall-cmd now removes only direct rules that match the specified criteria.
(BZ#1723610)
Deleting a firewalld rich rule with forward-ports now works as expected
Previously, the firewalld service incorrectly handled the deletion of rules with the forward-ports setting. As a consequence, deleting a rich rule with forward-ports from the runtime configuration failed. This update fixes the problem. As a result, deleting a rich rule with forward-ports works as expected.
Packets no longer drift to other zones and cause unexpected behavior
Previously, when setting up rules in one zone, the firewalld daemon allowed the packets to be affected by multiple zones. This behavior violated the firewalld zone concept, in which packets may only be part of a single zone. This update fixes the bug, and firewalld now prevents packets from being affected by multiple zones.
Warning: This change may affect the availability of some services if the user was knowingly or unknowingly relying on the zone drifting behavior.
6.8. Security
Accessibility of OpenSCAP HTML reports has been improved
Previously, an Accessible Rich Internet Applications (ARIA) parameter was incorrectly defined in OpenSCAP HTML reports. As a consequence, rule details in the reports were not accessible to users of screen-reading software. With this update, the template for report generation has been changed. As a result, users with screen readers can now navigate through rule details and interact with links and buttons.
SELinux policy now allows sysadm_u users to use semanage with sudo
Previously, SELinux policy was missing rules to allow users with the sysadm_u label to use the semanage command with the sudo command. As a consequence, sysadm_u users could not configure SELinux on the system. This update adds the missing rules, and SELinux users labeled as sysadm_u can now change SELinux configurations.
6.9. Servers and Services
Manual initialization of MariaDB using mysql_install_db no longer fails
Prior to this update, the mysql_install_db script for initializing the MariaDB database called the resolveip binary from the /usr/libexec/ directory, while the binary was located in /usr/bin/. Consequently, manual initialization of the database using mysql_install_db failed. This update fixes mysql_install_db to correctly locate resolveip. As a result, manual initialization of MariaDB using mysql_install_db no longer fails.
(BZ#1731062)
ReaR updates
RHEL 7.8 introduces a number of updates to the Relax-and-Recover (ReaR) utility.
The build directory handling has been changed. Previously, the build directory was kept in a temporary location in case ReaR encountered a failure. With this update, the build directory is deleted by default in non-interactive runs to prevent consuming disk space.
The semantics of the KEEP_BUILD_DIR configuration variable have been enhanced to include a new errors value. You can set the KEEP_BUILD_DIR variable to the following values:
- errors to preserve the build directory on errors for debugging (the previous behavior)
- y (true) to always preserve the build directory
- n (false) to never preserve the build directory
The default value is an empty string, which means errors when ReaR is being executed interactively (in a terminal) and false when ReaR is being executed non-interactively. Note that KEEP_BUILD_DIR is automatically set to true in debug mode (-d) and in debugscript mode (-D); this behavior has not been changed.
Notable bug fixes include:
- Support for NetBackup 8.0 has been fixed.
- ReaR no longer aborts with a bash error similar to xrealloc: cannot allocate on systems with a large number of users, groups, and users per group.
- The bconsole command now shows its prompt, which enables you to perform a restore operation when using the Bacula integration.
- ReaR now correctly backs up files also in situations when the docker service is running but no docker root directory has been defined, or when it is impossible to determine the status of the docker service.
- Recovery no longer fails when using thin pools or recovering a system in Migration Mode.
- Extremely slow rebuild of initramfs during the recovery process with LVM has been fixed.
6.10. Storage
Concurrent SG_IO requests in /dev/sg no longer cause data corruption
Previously, the /dev/sg device driver was missing synchronization of kernel data. Concurrent requests on the same file descriptor accessed the same data at the same time in the driver.
As a consequence, the ioctl system call sometimes erroneously used the payload of an SG_IO request for a different command that was sent at the same time as the correct one. This led to disk corruption in certain cases. Red Hat observed this bug in Red Hat Virtualization (RHV).
With this release, concurrency protection has been added in /dev/sg, and the described problem no longer occurs.
(BZ#1710533)
When an image is split off from an active/active cluster mirror, the resulting logical volume is now properly activated
Previously, when you split off an image from an active/active cluster mirror, the resulting new logical volume appeared active but it had no active component. With this fix, the new logical volume is properly activated.