Este contenido no está disponible en el idioma seleccionado.
5.9 Technical Notes
Detailed notes on the changes implemented in Red Hat Enterprise Linux 5.9
Edition 9
Abstract
Preface
Chapter 1. Technology Previews
- DFS
- Starting with Red Hat Enterprise Linux 5.3, CIFS supports Distributed File System (DFS) as a Technology Preview.Package: kernel-2.6.18-348
- LSI 12 Gb/s adapters with the MegaRAID SAS driver
- LSI MegaRAID SAS 9360/9380 12Gb/s controllers are now supported as a Technology Preview.Package: kernel-2.6.18-348
- CDTB
- CTDB is a clustered database based on Samba's Trivial Database (TDB). The ctdb package is a cluster implementation used to store temporary data. If an application is already using TBD for temporary data storage, it can be very easily converted to be cluster-aware and use CTDB.Package: ctdb-1.0.112-2
- Kerberos support for CIFS mounts
- In Red Hat Enterprise Linux 5.9, users can use their Kerberos credentials to perform a CIFS mount.Package: samba-client-3.0.33-3.39
- FreeIPMI
- FreeIPMI is included in as a Technology Preview. FreeIPMI is a collection of Intelligent Platform Management IPMI system software. It provides in-band and out-of-band software, along with a development library conforming to the Intelligent Platform Management Interface (IPMI v1.5 and v2.0) standards.For more information about FreeIPMI, refer to http://www.gnu.org/software/freeipmi/Package: freeipmi-0.5.1-7
- TrouSerS and tpm-tools
- TrouSerS and
tpm-tools
are included in this release to enable use of Trusted Platform Module (TPM) hardware. TPM hardware features include (among others):- Creation, storage, and use of RSA keys securely (without being exposed in memory)
- Verification of a platform's software state using cryptographic hashes
TrouSerS is an implementation of the Trusted Computing Group's Software Stack (TSS) specification. You can use TrouSerS to write applications that make use of TPM hardware.tpm-tools
is a suite of tools used to manage and utilize TPM hardware.For more information about TrouSerS, refer to http://trousers.sourceforge.net/.Packages: tpm-tools-1.3.1-1, trousers-0.3.1-4 - eCryptfs
- eCryptfs is a stacked cryptographic file system for Linux. It mounts on individual directories in existing mounted lower file systems such as EXT3; there is no need to change existing partitions or file systems in order to start using eCryptfs. eCryptfs is released as a Technology Preview for Red Hat Enterprise Linux 5.9.For more information about eCryptfs, refer to http://ecryptfs.sf.net. You can also refer to http://ecryptfs.sourceforge.net/README and http://ecryptfs.sourceforge.net/ecryptfs-faq.html for basic setup information.Package: ecryptfs-utils-75-8
- Stateless Linux
- Stateless Linux, included as a Technology Preview, is a new way of thinking about how a system should be run and managed, designed to simplify provisioning and management of large numbers of systems by making them easily replaceable. This is accomplished primarily by establishing prepared system images which get replicated and managed across a large number of stateless systems, running the operating system in a read-only manner (refer to
/etc/sysconfig/readonly-root
for more details).In its current state of development, the Stateless features are subsets of the intended goals. As such, the capability remains as Technology Preview.Red Hat recommends that those interested in testing stateless code join the stateless-list@redhat.com mailing list.The enabling infrastructure pieces for Stateless Linux were originally introduced in Red Hat Enterprise Linux 5. - AIGLX
- AIGLX is a Technology Preview feature of the otherwise fully supported X server. It aims to enable GL-accelerated effects on a standard desktop. The project consists of the following:
- A lightly modified X server.
- An updated Mesa package that adds new protocol support.
By installing these components, you can have GL-accelerated effects on your desktop with very few changes, as well as the ability to enable and disable them at will without replacing your X server. AIGLX also enables remote GLX applications to take advantage of hardware GLX acceleration.Packages: X Window System group of packages. - FireWire
- The
firewire-sbp2
module is included in this update as a Technology Preview. This module enables connectivity with FireWire storage devices and scanners.At present, FireWire does not support the following:- IPv4
- pcilynx host controllers
- multi-LUN storage devices
- non-exclusive access to storage devices
In addition, the following issues still exist in FireWire:- a memory leak in the
SBP2
driver may cause the machine to become unresponsive. - a code in this version does not work properly in big-endian machines. This could lead to unexpected behavior in PowerPC.
Package: kernel-2.6.18-348 - Device Failure Monitoring of RAID sets
- Device Failure Monitoring, using the dmraid and dmevent_tool tools, is included in Red Hat Enterprise Linux 5.9 as a Technology Preview. This Technology Preview provides the ability to watch and report device failures on component devices of RAID sets.Packages: dmraid-1.0.0.rc13-65, dmraid-events-1.0.0.rc13-65
- SGPIO Support for dmraid
- Serial General Purpose Input Output (SGPIO) is an industry standard communication method used between a main board and a variety of internal and external hard disk drive bay enclosures. This method can be used to control LED lights on an enclosure through the AHCI driver interface.In this release, SGPIO support in dmraid is included as a technology preview. This will allow dmraid to work properly with disk enclosures.Package: dmraid-1.0.0.rc13-65
- Kernel Tracepoint Facility
- In this update, the kernel marker/tracepoint facility remains a Technology Preview. This interface adds static probe points into the kernel, for use with tools such as SystemTap.Package: kernel-2.6.18-348
- Software based Fibre Channel over Ethernet (FCoE)
- The Fibre Channel over Ethernet (FCoE) driver (fcoe.ko), along with libfc, provides the ability to run FCoE over a standard Ethernet card. This capability is provided as a Technology Preview in Red Hat Enterprise Linux 5.9.To enable this feature, you must login by writing the network interface name to the
/sys/module/fcoe/parameters/create
file, for example:~]#
To logout, write the network interface name to theecho eth6 > /sys/module/fcoe/parameters/create
/sys/module/fcoe/parameters/destroy
file, for example:~]#
For further information on software based FCoE refer to: http://www.open-fcoe.org/open-fcoe/wiki/quickstart.echo eth6 > /sys/module/fcoe/parameters/destroy
Red Hat Enterprise Linux 5.9 provides full support for FCoE on three specialized hardware implementations. These are: Ciscofnic
driver, the Emulexlpfc
driver, and the Qlogicqla2xx
driver.Package: kernel-2.6.18-348 - iSER Support
- iSER support, allowing for block storage transfer across a network and provided by the scsi-target-utils package, remains a Technology Preview in Red Hat Enterprise Linux 5.9. In this release, single portal and multiple portals on different subnets are supported. There are known issues related to using multiple portals on the same subnet.To set up the iSER target component install the scsi-target-utils and libibverbs-devel packages. The library package for the InfiniBand hardware that is being used is also required. For example: host channel adapters that use the
cxgb3
driver thelibcxgb3
package is needed, and for host channel adapters using themthca
driver thelibmthca
package is needed.There is also a known issue relating to connection timeouts in some situations. Refer to BZ#470627 for more information on this issue.Package: scsi-target-utils-1.0.14-2, other above-mentioned system-specific packages - cman fence_virsh fence agent
- The fence_virsh fence agent is provided in this release of Red Hat Enterprise Linux as a Technology Preview. fence_virsh provides the ability for one guest (running as a domU) to fence another using the libvirt protocol. However, as fence_virsh is not integrated with cluster-suite it is not supported as a fence agent in that environment.Package: cman-2.0.115-109
- glibc new MALLOC behavior
- The upstream glibc has been changed to enable higher scalability across many sockets and cores. This is done by assigning threads their own memory pools and by avoiding locking in some situations. The amount of additional memory used for the memory pools (if any) can be controlled using the environment variables
MALLOC_ARENA_TEST
andMALLOC_ARENA_MAX
.MALLOC_ARENA_TEST
specifies that a test for the number of cores is performed once the number of memory pools reaches this value.MALLOC_ARENA_MAX
sets the maximum number of memory pools used, regardless of the number of cores.The glibc in the Red Hat Enterprise Linux 5.9 release has this functionality integrated as a Technology Preview of the upstream malloc. To enable the per-thread memory pools the environment variableMALLOC_PER_THREAD
needs to be set in the environment. This environment variable will become obsolete when this new malloc behavior becomes default in future releases. Users experiencing contention for the malloc resources could try enabling this option.Package: glibc-2.5-107
Chapter 2. Known Issues
2.1. anaconda
- When installing Red Hat Enterprise Linux 5.8 on a machine that had previously used a GPT partitioning table, Anaconda does not provide the option to remove the previous disk layout and is unable to remove the previously used GPT partitioning table. To work around this issue, switch to the tty2 terminal (using CTRL+ALT+F2), execute the following command, and restart the installation process:
dd if=/dev/zero of=/dev/USED_DISK count=512
- Starting with Red Hat Enterprise Linux 5.2, to boot with
ibft
, the iSCSI boot firmware table support, use theip=ibft
option as the network install option:ip=<ip> IP to use for a network installation, use 'dhcp' for DHCP.
By default, the installer waits 5 seconds for a network device with a link. If an iBFT network device is not detected in this time, you may need to specify thelinksleep=SECONDS
parameter in addition to theip=ibft
parameter by replacingSECONDS
with an integer specifying the number of seconds the installer should wait, for example:linksleep=10
- Setting the
dhcptimeout=0
parameter does not mean that DHCP will disable timeouts. If the user requires the clients to wait indefinitely, thedhcptimeout
parameter needs to be set to a large number. - When starting an installation on IBM S/390 systems using SSH, re-sizing the terminal window running the SSH client may cause the installer to unexpectedly exit. Once the installer has started in the SSH session, do not resize the terminal window. If you want to use a different size terminal window during installation, re-size the window before connecting to the target system via SSH to begin installation.
- Installing on June with a RAID backplane on Red Hat Enterprise Linux 5.7 and later does not work properly. Consider the following example: a test system which had two disks with two redundant paths to each disk was set up:
mpath0: sdb, sdd mpath1: sda, sdc
In the above setup, Anaconda created the PReP partition on mpath0 (sdb/sdd), but set the bootlist to boot from sda. To work around this issue, follow these steps:- Add
mpath
to the append line in the/etc/yaboot.conf
file. - Use the
--ondisk=mapper/mpath0
in allpart
directives of the kickstart file. - Add the following script to the
%post
section of the kickstart file.%post # Determine the boot device device=; # Set the bootlist in NVRAM if [ "z$device" != "z" ]; then bootlist -m normal $device; # Print the resulting boot list in the log bootlist -m normal -o; bootlist -m normal -r; else echo "Could not determine boot device!"; exit 1; fi
The above script simply ensures that the bootlist is set to boot from the disk with the PReP partition.
- Mounting an NFS volume in the rescue environment requires portmap to be running. To start portmap, run:
/usr/sbin/portmap
Failure to start portmap will return the following NFS mount errors:sh-3.2# mount 192.168.11.5:/share /mnt/nfs mount: Mounting 192.168.11.5:/share on /mnt/nfs failed: Input/output error
- The order of device names assigned to USB attached storage devices is not guaranteed. Certain USB attached storage devices may take longer to initialize than others, which can result in the device receiving a different name than you expect (for example,
sdc
instead ofsda
).During installation, be sure to verify the storage device size, name, and type when configuring partitions and file systems. - anaconda occasionally crashes while attempting to install on a disk containing partitions or file systems used by other operating systems. To workaround this issue, clear the existing partition table using the command:
clearpart --initlabel [disks]
(BZ#530465) - Performing a System z installation, when the
install.img
is located on direct access storage device (DASD) disk, causes the installer to crash, returning a backtrace. anaconda is attempting to re-write (commit) all disk labels when partitioning is complete, but is failing because the partition is busy. To work around this issue, a non-DASD source should be used forinstall.img
. (BZ#455929) - When installing to an
ext3
orext4
file system, anaconda disables periodic file system checking. Unlikeext2
, these file systems are journaled, removing the need for a periodic file system check. In the rare cases where there is an error detected at runtime or an error while recovering the file system journal, the file system check will be run at boot time. (BZ#513480) - Red Hat Enterprise Linux 5 does not support having a separate
/var
on a network file system (nfs
,iSCSI
disk,nbd
, etc.) This is because/var
contains the utilities required to bring up the network, for example/var/lib/dhcp
. However, you may have/var/spool
,/var/www
or the like on a separate network disk, just not the complete /var file system. (BZ#485478) - When using rescue mode on an installation which uses iSCSI drives which were manually configured during installation, the automatic mounting of the root file system does not work. You must configure iSCSI and mount the file systems manually. This only applies to manually configured iSCSI drives; iSCSI drives which are automatically detected through iBFT are fully supported in rescue mode.To rescue a system which has
/
on a non-iBFT configured iSCSI drive, choose to skip the mounting of the root file system when asked, and then follow the steps below:$TARGET_IP: IP address of the iSCSI target (drive) $TARGET_IQN: name of the iSCSI target as printed by the discovery command $ROOT_DEV: devicenode (/dev/.....) where your root fs lives
- Define an initiator name:
$ mkdir /etc/iscsi $ cat << EOF>> /etc/iscsi/initiatorname.iscsi InitiatorName=iqn.1994-05.com.fedora:d62f2d7c09f EOF
- Start iscsid:
$ iscsid
- Discover and login to target:
$ iscsiadm -m discovery -t st -p $TARGET_IP $ iscsiadm -m node -T $TARGET_IQN -p $TARGET_IP --login
- If the iSCSI LUN is part of a LVM Logical volume group:
$ lvm vgscan $ lvm vgchange -ay
- Mount your
/
partition:$ mount /dev/path/to/root /mnt/sysimage $ mount -t bind /dev /mnt/sysimage/dev $ mount -t proc proc /mnt/sysimage/proc $ mount -t sysfs sysfs /mnt/sysimage/sys
- Now you can
chroot
to the root file system of your installation if wanted$ chroot /mnt/sysimage /bin/su -
- When installing KVM or Xen guests, always create a partition for the guest disk, or create an LVM volume. Guests should not be installed to block devices or raw disk devices. Anaconda includes disk label duplication avoidance code, but when installing within a VM, it has no visibility to the disk labels elsewhere on the host and cannot detect duplicates.If guest file systems, especially the root file system, are directly visible to the host, a host OS reboot may inadvertently parse the partition table and mount the guest file systems. This can lead to highly undesirable outcomes.
- The minimum memory requirement when installing all Red Hat Enterprise Linux packages (i.e.
*
or@everything
is listed in the%packages
section of thekickstart
file) on a fully virtualized Itanium guest is 768MB. After installation, the memory allocated to the guest can be lowered to the desired amount. - Upgrading a system using Anaconda is not possible if the system is installed on disks attached using zFCP or iSCSI (unless booted from the disk using a network adapter with iBFT). Such disks are activated after Anaconda scans for upgradable installations and are not found. To update please use the Red Hat Network with the hosted Web user interface, a Red Hat Network Satellite, the local graphical Updater, or the yum command line.
- Anaconda's graphical installer fails to start at the default 800x600 resolution on systems utilizing Intel Graphics Device Next Generation (IGDNG) devices. To work around this issue, ensure anaconda uses a higher resolution by passing the parameters
resolution=1024x768
orresolution=1280x1024
to the installer using the boot command line. - The NFS default for RHEL5 is
locking
. Therefore, to mountnfs
shares from the%post
section of anaconda, use themount -o nolock,udp
command to start the locking daemon before usingnfs
to mount shares. (BZ#426053) - If you are using the Virtualized kernel when upgrading from Red Hat Enterprise Linux 5.0 to a later 5.x release, you must reboot after completing the upgrade. You should then boot the system using the updated Virtualized kernel.The hypervisor ABI changes in an incompatible way between Red Hat Enterprise Linux 5 and 5.1. If you do not boot the system after upgrading from Red Hat Enterprise Linux 5.0 using the updated Virtualized kernel, the upgraded Virtualization RPMs will not match the running kernel. (BZ#251669)
- When upgrading from Red Hat Enterprise Linux 4.6 to Red Hat Enterprise Linux 5.1 or later, gcc4 may cause the upgrade to fail. As such, you should manually remove the gcc4 package before upgrading. (BZ#432773)
- When provisioning guests during installation, theoption will not be available. When this occurs, the system will require an additional entitlement, separate from the entitlement used by
dom0
.To prevent the consumption of additional entitlements for guests, install therhn-virtualization-common
package manually before attempting to register the system to Red Hat Network. (BZ#431648) - When installing Red Hat Enterprise Linux 5 on a guest, the guest is configured to explicitly use a temporary installation kernel provided by
dom0
. Once installation finishes, it can then use its own bootloader. However, this can only be achieved by forcing the guest's first reboot to be a shutdown.As such, when thebutton appears at the end of the guest installation, clicking it shuts down the guest, but does not reboot it. This is an expected behavior.Note that when you boot the guest after this it will then use its own bootloader. - Using the
swap --grow
parameter in akickstart
file without setting the--maxsize
parameter at the same time makes anaconda impose a restriction on the maximum size of the swap partition. It does not allow it to grow to fill the device.For systems with less than 2GB of physical memory, the imposed limit is twice the amount of physical memory. For systems with more than 2GB, the imposed limit is the size of physical memory plus 2GB. (BZ#462734) - Existing encrypted block devices that contain
vfat
file systems will appear as typeforeign
in the partitioning interface; as such, these devices will not be mounted automatically during system boot. To ensure that such devices are mounted automatically, add an appropriate entry for them to/etc/fstab
. For details on how to do so, refer toman fstab
. (BZ#467202) - When using anaconda's automatic partitioning on an IBM System p partition with multiple hard disks containing different Linux distributions, the anaconda installer may overwrite the bootloaders of the other Linux installations although their hard disks have been unchecked. To work around this, choose manual partitioning during the installation process.
- The minimum RAM required to install Red Hat Enterprise Linux 5.8 is 1GB; the recommended RAM is 2GB. If a machine has less than 1GB RAM, the installation process may hang.Furthermore, PowerPC-based machines that have only 1GB of RAM experience significant performance issues under certain RAM-intensive workloads. For a Red Hat Enterprise Linux 5.8 system to perform RAM-intensive processes optimally, 4GB of RAM is recommended. This ensures the system has the same number of physical pages as was available on PowerPC machines with 512MB of RAM running Red Hat Enterprise Linux 4.5 or earlier.
- Installation on a machine with existing Linux or non-Linux file systems on DASD block devices may cause the installer to halt. If this happens, it is necessary to clear out all existing partitions on the DASD devices you want to use and restart the installer.
- If your system only has 512MB of RAM, attempting to install Red Hat Enterprise Linux 5.4 may fail. To prevent this, perform a base installation first and install all other packages after the installation finishes. (BZ#435271)
2.2. autofs
- When using NFSv4 with a global root, autofs has no way to know which server export path corresponds to the global root. Consequently, the internal hosts map fails to mount server exports. For detailed information on this problem, refer the following Knowledge Base article:
- Starting with Red Hat Enterprise Linux 5.4, behavior of the
umount -l
autofs command has changed. For more information, refer to BZ#452122.Previously, theumount -l
would unmount all autofs-managed mounts and autofs internal mounts at start-up, and then mounted all autofs mounts again as a part of the start-up procedure. As a result, the execution of the externalumount -l
command was not needed.The previous autofs behavior can be used via the following commands:~]#
service autofs forcerestart
or~]#
service autofs forcestart
2.3. cmirror
- Due to limitations in the cluster infrastructure, cluster mirrors greater than 1.5TB cannot be created with the default region size. If larger mirrors are required, the region size should be increased from its default (512kB), for example:
# -R <region_size_in_MiB> lvcreate -m1 -L 2T -R 2 -n mirror vol_group
Failure to increase the region size will result in the LVM creation process hanging and may cause other LVM commands to hang. (BZ#514814)
2.4. cpio
- The cpio utility uses a default block size of 512 bytes for I/O operations. This may not be supported by certain types of tape devices. If a tape device does not support this block size, cpio fails with the following error message:
cpio: read error: Cannot allocate memory
To work around this issue, modify the default block size with the--block-size long
option, or use the-B
option to set the block size to 5120 bytes. When the block size supported by the tape device is provided, the cpio utility works as expected. (BZ#573943)
2.5. compiz
- Running
rpmbuild
on thecompiz
source RPM will fail if any KDE orqt
development packages (for example,qt-devel
) are installed. This is caused by a bug in thecompiz
configuration script.To work around this, remove any KDE orqt
development packages before attempting to build thecompiz
package from its source RPM. (BZ#444609)
2.6. device-mapper-multipath
- Note that under certain circumstances, the multipathd daemon can terminate unexpectedly during shutdown.
- It is possible to overwrite the default hardware table. However, regular expression matches are not allowed; the vendor and product strings need to be matched exactly. These strings can be found by running the following command:
~]# multipathd -k"show config"
- By default, the
multipathd
service starts up before theiscsi
service. This provides multipathing support early in the bootup process and is necessary for multipathed iSCSI SAN boot setups. However, once started, themultipathd
service adds paths as informed about them by udev. As soon as themultipathd
service detects a path that belongs to a multipath device, it creates the device. If the first path that multipathd notices is a passive path, it attempts to make that path active. If it later adds a more optimal path,multipathd
activates the more optimal path. In some cases, this can cause a significant overhead during a startup.If you are experiencing such performance problems, define themultipathd
service to start after theiscsi
service. This does not apply to systems where the root device is a multipathed iSCSI device, since it the system would become unbootable. To move the service start time run the following commands:~]#
To restore the original start time, run the following command:mv /etc/rc5.d/S06multipathd /etc/rc5.d/S14multipathd
~]#mv /etc/rc3.d/S06multipathd /etc/rc3.d/S14multipathd
~]#
(BZ#500998)chkconfig multipathd resetpriorities
- Running the
multipath
command with the-ll
option can cause the command to hang if one of the paths is on a blocking device. Note that the driver does not fail a request after some time if the device does not respond.This is caused by the cleanup code, which waits until the path checker request either completes or fails. To display the currentmultipath
state without hanging the command, usemultipath -l
instead. (BZ#214838)
2.7. dmraid
- The installation procedure stores the name of RAID volume and partition in an initscript. When the system boots, dmraid enables the RAID partition (that are named implicitly in the init script. This action functions until the volume and partition names are changed. In these cases, the system may not boot, and the user is given an option to reboot system and start the rebuild procedure in OROM.OROM changes the name of RAID volume (as seen by dmraid) and dmraid cannot recognize the array identified by previous name stored in initscript. The system no longer boots from RAID partition, since it is not enabled by dmraid. In case of RAID 1 (mirror), the system may be booted from disk that is part of RAID volume. However, dmraid does not allow to active or rebuild the volume which component in mounted.To work around this issue, do not rebuild the RAID array in OROM. Start the rebuild procedure by dmraid in the operating system, which performs all the steps of rebuilding. dmraid does not change the RAID volume name, therefore the system can be booted from RAID array without the need of init script modification.To modify init script after OROM has started rebuild:
- Start the system in rescue mode from the installation disk, skip finding and mounting previous installations.
- At the command line, find and enable the raid volume that is to be booted from (the RAID volume and partitions will be activated)
~]#
dmraid -ay isw_effjffhbi_Volume0
- Mount the root partition:
~]#
mkdir /tmp/raid
~]#mount /dev/mapper/isw_effjffhbi_Volume0p1 /tmp/raid
- Decompress the boot image:
~]#
mkdir /tmp/raid/tmp/image
~]#cd /tmp/raid/tmp/image
~]#gzip -cd /tmp/raid/boot/inird-2.6.18-155.el5.img | cpio -imd –quiet
- Change the names of the RAID volumes in the initscript to use the new names of RAID:
~]#
dmraid –ay –I –p –rm_partition “/dev/mapper/isw_effjffhbi_Volume0”
~]#kpartx –a –p p “/dev/mapper/isw_effjffhbi_Volume0”
~]#mkrtootdev –t ext3 –o defaults,ro /dev/mapper/isw_effjffhbi_Volume0p1
- Compress and copy initrd image with the modified init script to the boot directory
~]#
cd /tmp/raid/tmp/image
~]#find . –print | cpio –c –o | gzip -9 > /tmp/raid/boot/inird-2.6.18-155.el5.img
- Unmount the raid volume and reboot the system:
~]#
umount /dev/mapper/isw_effjffhbi_Volume0p1
~]#dmraid -an
2.8. dogtail
- Attempting to run
sniff
may result in an error. This is because some required packages are not installed withdogtail
. (BZ#435702)To prevent this from occurring, install the following packages manually:- librsvg2
- ghostscript-fonts
- pygtk2-libglade
2.9. file
- The file utility can exit with the 0 exit code even if some input files have not been found. This behavior is correct; refer to the file(1) man page for more information.
2.10. firefox
- In certain environments, storing personal Firefox configuration files (~/.mozilla/) on an NFS share, such as when your home directory is on a NFS share, led to Firefox functioning incorrectly, for example, navigation buttons not working as expected, and bookmarks not saving. This update adds a new configuration option, storage.nfs_filesystem, that can be used to resolve this issue. If you experience this issue:
- Start Firefox.
- Type
about:config
into the URL bar and press the Enter key. - If prompted with "This might void your warranty!", click thebutton.
- Right-click in thelist. In the menu that opens, select → .
- Type "storage.nfs_filesystem" (without quotes) for the preference name and then click thebutton.
- Select
true
for the boolean value and then press the button.
2.11. firstboot
- When firstboot is running in text mode, the user can only register to Red Hat Netwrork legacy, not with subscription-manager. When firstboot is running in GUI mode, both options are available.
- The IBM System z does not provide a traditional Unix-style physical console. As such, Red Hat Enterprise Linux 5 for the IBM System z does not support the firstboot functionality during initial program load.To properly initialize setup for Red Hat Enterprise Linux 5 on the IBM System z, run the following commands after installation:
/usr/bin/setup
— provided by thesetuptool
package./usr/bin/rhn_register
— provided by therhn-setup
package.
(BZ#217921)
2.12. gfs2-utils
GFS2
file systems.
fsck.gfs2: invalid option -- a
". To work around this issue:
- Enter the root password when prompted.
- Mount the root file system manually:
~]#
mount -o remount,rw /dev/VolGroup00/LogVol00 /
- Edit the /etc/fstab file from:
/dev/VolGroup00/LogVol00 / gfs2 defaults 1 1
to/dev/VolGroup00/LogVol00 / gfs2 defaults 1 0
- Reboot the system.
Important
GFS2
as the root file system is unsupported.
2.13. gnome-volume-manager
- Removable storage devices (such as CDs and DVDs) do not automatically mount when you are logged in as root. As such, you will need to manually mount the device through the graphical file manager.Alternatively, you can run the following command to mount a device to
/media
:mount /dev/[device name] /media
2.14. grub
- Executing the
grub-install
command fails if the name of a volume group intended to be used for booting contains only non-digit characters. To prevent this problem, it is recommended to name the volume group with a combination of non-digit text followed by a digit; for example, system0.
2.15. initscripts
- On systems with more than two encrypted block devices, anaconda has a option to provide a global passphrase. The init scripts, however, do not support this feature. When booting the system, entering each individual passphrase for all encrypted devices will be required. (BZ#464895)
2.16. ipa-client
- Sometimes, the
krb5.conf
file contains incorrect SELinux context, namely, when the krb5.conf is not created by default, or the IPA client is installed, un-installed, or re-installed. AVC denials can therefore occur in such scenarios. - Attempting to run the
ipa-client-install
command with the--no-sssd
option fails with the following error message:authconfig: error: no such option: --enableforcelegacy
(BZ#852746)
2.17. iscsi-initiator-utils
- Broadcom L2 iSCSI (Internet Small Computer System Interface) boot is not supported in Red Hat Enterprise Linux 5. (BZ#831681)
- iSCSI iface binding is not supported during install or boot. The initiator only supports the ability to log into target portals using the default behavior where the initiator uses the network routing table to decide which NIC to use.To work around this limitation, booting or installation can be done using the default behavior. After the iscsi and iscsid services start, the iscsi service can log into the target using iSCSI iface binding. This however, will leave an extra session using the default behavior, and it has to be manually logged out using the following command:
iscsiadm -m node -T target -p ip -I default -u
(BZ#500273)
2.18. kernel-xen
- The Xen hypervisor will not start when booting from an iSCSI disk. To work around this issue, disable the Xen hypervisor's EDD feature with the "edd=off" kernel parameter. For example:
kernel /xen.gz edd=off
(BZ#568336) - With certain hardware,
blktap
may not function as expected, resulting in slow disk I/O causing the guest to operate slowly also. To work around this issue, guests should be installed using a physical disk (i.e. a real partition or a logical volume). (BZ#545692) - When booting paravirtualized guests that support gigabyte page tables (i.e. a Fedora 11 guest) on Red Hat Enterprise Linux 5.7 Xen, the domain may fail to start if more than 2047MB of memory is configured for the domain. To work around this issue, pass the "
nogbpages
" parameter on the guest kernel command-line. (BZ#502826) - Boot parameters are required to enable SR/IOV Virtual Function devices. SR/IOV Virtual Function devices can only be accessed if the parameter pci_pt_e820_access=on is added to the boot stanza in the /boot/grub/grub.conf file. For example:
title Red Hat Enterprise Linux Server (2.6.18-152.el5xen) root (hd0,1) kernel /xen.gz-2.6.18-152.el5 com1=115200,8n1 console=com1 iommu=1 module /vmlinuz-2.6.18-152.el5xen ro root=LABEL=/ console=ttyS0,115200 pci_pt_e820_access=on
This enables the MMCONF access method for the PCI configuration space, a requirement for VF device support - Diskette drive media will not be accessible when using the virtualized kernel. To work around this, use a USB-attached diskette drive instead.Note that diskette drive media works well with other non-virtualized kernels. (BZ#401081)
- Fully virtualized guests cannot correct for time lost due to the domain being paused and unpaused. Being able to correctly track the time across pause and unpause events is one of the advantages of paravirtualized kernels. This issue is being addressed upstream with replaceable timers, so fully virtualized guests will have paravirtualized timers. Currently, this code is under development upstream and should be available in later versions of Red Hat Enterprise Linux. (BZ#422531)
- Upgrading a host (
dom0
) system to Red Hat Enterprise Linux 5.7 may render existing Red Hat Enterprise Linux 5.4 SMP paravirtualized guests unbootable. This is more likely to occur when the host system has more than 4GB of RAM.
- On some Itanium systems configured for console output to VGA, the
dom0
virtualized kernel may fail to boot. This is because the virtualized kernel failed to properly detect the default console device from the Extensible Firmware Interface (EFI) settings.When this occurs, add the boot parameterconsole=tty
to the kernel boot options in/boot/efi/elilo.conf
. (BZ#249076) - On some Itanium systems (such as the Hitachi Cold Fusion 3e), the serial port cannot be detected in
dom0
when VGA is enabled by the EFI Maintenance Manager. As such, you need to supply the following serial port information to thedom0
kernel:- Speed in bits/second
- Number of data bits
- Parity
io_base
address
These details must be specified in theappend=
line of thedom0
kernel in/boot/efi/elilo.conf
. For example:append="com1=19200,8n1,0x3f8 -- quiet rhgb console=tty0 console=ttyS0,19200n8"
In this example,com1
is the serial port,19200
is the speed (in bits/second),8n1
specifies the number of data bits/parity settings, and0x3f8
is theio_base
address. (BZ#433771) - Virtualization does not work on some architectures that use Non-Uniform Memory Access (NUMA). As such, installing the virtualized kernel on systems that use NUMA will result in a boot failure.Some installation numbers install the virtualized kernel by default. If you have such an installation number and your system uses NUMA and does not work with kernel-xen, deselect the Virtualization option during installation.
2.19. kernel
- The Emulex
lpfc
driver is missing functionality required to support 16 Gb point-to-point configurations for all adapters in Red Hat Enterprise Linux 5. All other currently available 16 Gblpfc
configurations are supported on most adapters available. Specifically, the LPe16000B adapter is not supported for any configuration, and the LPe16000A adapter is supported for all configurations besides a point-to-point configuration. - The qla2xxx driver creates optrom and optrom_ctl files in sysfs which are used by some tools such as the scli command line tool from QLogic. However, the functions which implement these pseudo-files have race conditions. As a consequence, a kernel panic occurs when multiple tools use these files at the same time. To work around this problem, make sure only one such process is running at a given point of time.
- Red Hat Enterprise Linux 5 can become unresponsive or even terminate due to the lack of ticketed spinlocks in the
shrink_active_list()
function. - When USB hardware uses the ACM interface, there is a race condition that can lead to a system deadlock due to the spinlocks not disabling interrupts. This has been noticed through various types of softlockups. To workaround this problem, reboot the machine.
- If kdump is configured on an i686 system using a non-PAE kernel and memory larger than 4 GB, it creates an elf core header which includes extra unavailable memory range. This causes kdump to become unresponsive.
- A large number of kernel log messages may flood
netconsole
while under heavy RX traffic, causing thenetconsole
kernel module to stop working. To work around this issue, avoid the use ofnetconsole
, or remove the netconsole module using thermmod netconsole
command and re-configure it again using theinsmod netconsole
command. - To update firmware on Mellanox cards, use mstflint which replaces the outdated tvflash utility.
- The kernel in Red Hat Enterprise Linux 5 does not support Data Center Bridging (DCB). Software-based Fibre Channel over Etherner (FCoE) is a Technology Preview and it is therefore recommended to use Red Hat Enterprise Linux 6 for fully supported software-based FCoE. The following hardware-accelerated FCoE cards are fully supported in Red Hat Enterprise Linux 5: Emulex LPFC, QLogic qla2xxx, Brocade BFA. (BZ#860112)
- Throughput across machines using IPv6 addresses and with bnx2x interfaces set up can be degraded.
- The following problems can occur when using Brocade 1010 and 1020 Converged Network Adapters (CNAs):
- BIOS firmware may not be able to log in the Fibre Channel over Ethernet (FCoE) session when loading a Brocade optional BIOS, which causes the server to be unable to boot and the following error message to appear:
Adapter 1/0/0 Link initialization failed. Disabling BIOS
- Configuration cannot be saved via serial port of the server. Use a physical console or Brocade HSM software.
Contact Brocade for additional information on these problems. - In network only, use of Brocade Converged Network Adapters (CNAs) switches that are not properly configured to work with Brocade FCoE functionality can cause a continuous linkup/linkdown condition. This causes error messages to continuously appear on the host console:
bfa xxxx:xx:xx.x: Base port (WWN = xx:xx:xx:xx:xx:xx:xx:xx) lost fabric connectivity
To work around this problem, unload the Brocade BFA driver. - Master Boot Record (MBR) or the /boot partition can be installed on an incorrect disk if the server boots from storage area network (SAN) with many Logical Unit Numbers (LUNs) assigned. To work around this problem, partition the space manually so that the operating system uses only the boot LUN as the root (/) and /boot partitions. (BZ#852305)
- Qemu-kvm does not check if a given CPU flag is really supported by the KVM kernel module. Attempting to enable the "acpi" flag can lead to a kernel panic on guest machines. To work around this problem, do not enable the "acpi" CPU flag in the configuration of a virtual machine. (BZ#838921)
- Running the
ethtool --identify
command in a production environment blocks network traffic and certain network configuration operations until ethtool is aborted. To prevent this problem, do not runethtool --identify
in a production environment; this command is supposed for debugging purposes only. - Starting with Red Hat Enterprise Linux 5.8, the size of I/O operations allowed by the NFS server has been increased by default. The new default max block size varies depending on RAM size, with a maximum of 1M (1048576 bytes).This may cause problems for 32-bit servers configured to use large numbers of
nfsd
threads. For such servers, we recommend decreasing the number of threads, or decreasing the I/O size by writing to the/proc/fs/nfsd/max_block_size
file before startingnfsd
. For example, the following command restores the previous defaultiosize
of 32k:~]#
echo 32767 >/proc/fs/nfsd/max_block_size
(BZ#765751 ) - If the
qla4xxx
driver fails to discover all iSCSI targets, make sure toClear Persistent Targets
and set up iSCSI again via CTRL+Q in the Qlogic iSCSI option ROM BIOS. - The OProfile infrastructure in Red Hat Enterprise Linux 5 does not support the hardware performance counters of the AMD family 0x15 processor family; profiling is only available in timer interrupt mode. When profiling on bare metal, OProfile automatically selects the timer interrupt mode. When running under kernel-xen, due to different CPU family reporting, OProfile must be explicitly configured to use timer interrupt mode. This is possible by adding
options oprofile timer=1
to the/etc/modprobe.conf
file. (BZ#720587) - Red Hat Enterprise Linux 5 may become unresponsive due to the lack of ticketed spinlocks in the
shrink_active_list()
function. As a result, thespin_lock_irq(&zone->lru_lock)
operation disables interrupts, and the following error message is returned when the system hangs:NMI Watchdog detected LOCKUP
- Booting a Red Hat Enterprise Linux 5 system with a connected DVD drive and the
smartd
service running hangs with the following error messages:Starting smartd: hdc: drive_cmd: status=0x58 { DriveReady SeekComplete DataRequest } ide: failed opcode was: 0xa1 hdc: status error: status=0x58 { DriveReady SeekComplete DataRequest } ide: failed opcode was: unknown hdc: drive not ready for command hdc: status timeout: status=0xd8 { Busy } ide: failed opcode was: unknown hdc: drive not ready for command hdc: ATAPI reset complete hdc: status error: status=0x58 { DriveReady SeekComplete DataRequest } ⋮
To work around this issue, disconnect the DVD drive or turn thesmartd
service off with the following command:~]#
chkconfig smartd off
- The
modify SRQ
verb is not supported by theeHCA
adapter and will fail with an error code when called from an application context. - In RHEL 5.8, machine check (MCE) support for Intel Nehalem or newer CPUs (family 6, model >= 26) is disabled. This is a change from RHEL5.6 and earlier where basic MCE support was provided for these CPUs. Uncorrected CPU and memory errors will cause an immediate CPU shut down and system panic.
- On a Red Hat Enterprise Linux 5.8 system and later, while hand-loading the i386 (32-bit) kernel on z210/z210 SFF with BIOS 1.08, the system may fail to boot. To workaround this issue, please add the following parameter to the boot command line option:
pci=nosort
(BZ#703538) - Red Hat Enterprise Linux 5.7 has introduced a new multicast snooping feature for the bridge driver used for virtualization (virt-bridge). This feature is disabled by default in order to not break any existing configurations. To enable this feature, please set the following tunnable parameter to
1
:/sys/class/net/breth0/bridge/multicast_snooping
Please note that when multicast snooping is enabled, it may cause a regression with certain switches where it causes a break in the multicast forwarding for some peers. - By default, libsas defines a wideport based on the attached SAS address, rather than the specification compliant “strict” definition of also considering the local SAS address. In Red Hat Enterprise Linux 5.8 and later, only the default “loose” definition is available. The implication is that if an OEM configures an SCU controller to advertise different SAS addresses per PHY, but hooks up a wide target or an expander to those PHYs, libsas will only create one port. The expectation, in the “strict” case, is that this would result in a single controller multipath configuration.It is not possible to use a single controller multipath without the
strict_wide_port
functionality. Multi-controller multipath should behave as a expected.A x8 multipath configuration through a single expander can still be obtained under the following conditions:- Start with an SCU SKU that exposes (2) x4 controllers (total of 8 PHYs)
- Assign
sas_address1
to all the PHYs oncontroller1
- Assign
sas_address2
to all the PHYs oncontroller2
- Hook up the expander across all 8 PHYs
- Configure multipath across the two controller instances
It is critical forcontroller1
to have a distinct address fromcontroller2
, otherwise the expander will be unable to correctly route connection requests to the proper initiator. (BZ#651837) - On a Red Hat Enterprise Linux 5 system, it is advisable to update the firmware of the HP ProLiant Generation 6 (G6) controller's firmware to version 5.02 or later. Once the firmware is successfully updated, reboot the system and Kdump will work as expected.HP G6 controllers include: P410i, P411, P212, P712, and P812In addition, kdump may fail when using the HP Smart Array 5i Controller on a Red Hat Enterprise Linux 5 system. (BZ#695493)
- On Red Hat Enterprise Linux 5.5 and later, suspending the system with the
lpfc
driver loaded may crash the system during the resume operation. Therefore, systems using thelpfc
driver, either unload thelpfc
driver before the system is suspended, or ,if that is not possible, do not suspend the system. (BZ#703631) - NUMA class systems should not be booted with a single memory node configuration. Configuration of single node NUMA systems will result in contention for the memory resources on all of the non-local memory nodes. As only one node will have local memory the CPUs on that single node will starve the remaining CPUs for memory allocations, locks, and any kernel data structure access. This contention will lead to the "CPU#n stuck for 10s!" error messages. This configuration can also result in NMI watchdog timeout panics if a spinlock is acquired via
spinlock_irq()
and held for more than 60 seconds. The system can also hang for indeterminate lengths of time.To minimize this problem, NUMA class systems need to have their memory evenly distributed between nodes. NUMA information can be obtained from dmesg output as well as from thenumastat
command. (BZ#529428) - When upgrading from Red Hat Enterprise Linux 5.0, 5.1 or 5.2 to more recent releases, the gfs2-kmod may still be installed on the system. This package must be manually removed or it will override the (newer) version of GFS2 which is built into the kernel. Do not install the
gfs2-kmod
package on later versions of Red Hat Enterprise Linux.gfs2-kmod
is not required since GFS2 is built into the kernel from 5.3 onwards. The content of the gfs2-kmod package is considered a Technology Preview of GFS2, and has not received any updates since Red Hat Enterprise Linux 5.3 was released.Note that this note only applies to GFS2 and not to GFS, for which the gfs-kmod package continues to be the only method of obtaining the required kernel module. - Issues might be encountered on a system with 8Gb/s LPe1200x HBAs and firmware version 2.00a3 when the Red Hat Enterprise Linux 5.8 kernel is used with the in-box LPFC driver. Such issues include loss of LUNs and/or fiber channel host hangs during fabric faults with multipathing.To work around these issues, it is recommended to either:
- Downgrade the firmware revision of the 8Gb/s LPe1200x HBA to revision 1.11a5, or
- Modify the LPFC driver’s
lpfc_enable_npiv
module parameter to zero.When loading the LPFC driver from the initrd image (i.e. at system boot time), add the lineoptions lpfc_enable_npiv=0
to/etc/modprobe.conf
and re-build the initrd image.When loading the LPFC driver dynamically, include thelpfc_enable_npiv=0
option in the insmod or modprobe command line.
For additional information on how to set the LPFC driver module parameters, refer to the Emulex Drivers for Linux User Manual. - If AMD IOMMU is enabled in BIOS on ProLiant DL165 G7 systems, the system will reboot automatically when IOMMU attempts to initialize. To work around this issue, either disable IOMMU, or update the BIOS to version
2010.09.06
or later. (BZ#628534) - As of Red Hat Enterprise Linux 5.6, the
ext4
file system is fully supported. However, provisioning ext4 file systems with the anaconda installer is not supported, and ext4 file systems need to be provisioned manually after the installation. (BZ#563943) - In some cases the NFS server fails to notify NFSv4 clients about renames and unlinks done by other clients, or by non-NFS users of the server. An application on a client may then be able to open the file at its old pathname (and read old cached data from it, and perform read locks on it), long after the file no longer exists at that pathname on the server.To work around this issue, use NFSv3 instead of NFSv4. Alternatively, turn off support for leases by writing
0
to/proc/sys/fs/leases-enable
(ideally on boot, before the nfs server is started). This change prevents NFSv4 delegations from being given out, restore correctness at the expense of some performance. - Some laptops may generate continuous events in response to the lid being shut. Consequently, the gnome-power-manager utility will consume CPU resources as it responds to each event. (BZ#660644)
- A kernel panic may be triggered by the lpfc driver when multiple Emulex OneConnect Universal Converged Network Adapter initiators are included in the same Storage Area Network (SAN) zone. Typically, this kernel panic will present after a cable is pulled or one of the systems is rebooted. To work around this issue, configure the SAN to use single initiator zoning. (BZ#574858)
- If a Huawei USB modem is unplugged from a system, the device may not be detected when it is attached again. To work around this issue, the usbserial and usb-storage driver modules need to be reloaded, allowing the system to detect the device. Alternatively, the if the system is rebooted, the modem will be detected also. (BZ#517454)
- Memory on-line is not currently supported with the Boxboro-EX platform. (BZ#515299)
- Unloading a PF (SR-IOV Physical function) driver from a host when a guest is using a VF (virtual function) from that device can cause a host crash. A PF driver for an SR-IOV device should not be unloaded until after all guest virtual machines with assigned VFs from that SR-IOV device have terminated. (BZ#514360)
- Data corruption on NFS file systems might be encountered on network adapters without support for error-correcting code (ECC) memory that also have TCP segmentation offloading (TSO) enabled in the driver. Note: data that might be corrupted by the sender still passes the checksum performed by the IP stack of the receiving machine A possible work around to this issue is to disable TSO on network adapters that do not support ECC memory. (BZ#504811)
- After installation, a System z machine with a large number of memory and CPUs (e.g. 16 CPU's and 200GB of memory) might may fail to IPL. To work around this issue, change the line
ramdisk=/boot/initrd-2.6.18-<kernel-version-number>.el5.img
toramdisk=/boot/initrd-2.6.18-<kernel-version-number>.el5.img,0x02000000
The commandzipl -V
should now show0x02000000
as the starting address for the initial RAM disk (initrd). Stop the logical partition (LPAR), and then manually increase the storage size of the LPAR. - On certain hardware configurations the kernel may panic when the Broadcom iSCSI offload driver (
bnx2i.ko
andcnic.ko
) is loaded. To work around this do not manually load the bnx2i or cnic modules, and temporarily disable theiscsi
service from starting. To disable the iscsi service, run:~]#
chkconfig --del iscsi
~]#chkconfig --del iscsid
On the first boot of your system, theiscsi
service may start automatically. To bypass this, during bootup, enter interactive start up and stop the iscsi service from starting. - In Red Hat Enterprise Linux 5, invoking the kernel system call "setpriority()" with a "which" parameter of type "PRIO_PROCESS" does not set the priority of child threads. (BZ#472251)
- A change to the cciss driver in Red Hat Enterprise Linux 5.4 made it incompatible with the
echo disk < /sys/power/state
suspend-to-disk operation. Consequently, the system will not suspend properly, returning messages such as:Stopping tasks: ====================================================================== stopping tasks timed out after 20 seconds (1 tasks remaining): cciss_scan00 Restarting tasks...<6> Strange, cciss_scan00 not stopped done
(BZ#513472) - The kernel is unable to properly detect whether there is media present in a CD-ROM drive during kickstart installs. The function to check the presence of media incorrectly interprets the "logical unit is becoming ready" sense, returning that the drive is ready when it is not. To work around this issue, wait several seconds between inserting a CD and asking the installer (anaconda) to refresh the CD. (BZ#510632)
- When a cciss device is under high I/O load, the kdump kernel may panic and the vmcore dump may not be saved successfully. (BZ#509790)
- Configuring IRQ SMP affinity has no effect on some devices that use message signaled interrupts (MSI) with no MSI per-vector masking capability. Examples of such devices include Broadcom NetXtreme Ethernet devices that use the
bnx2
driver.If you need to configure IRQ affinity for such a device, disable MSI by creating a file in/etc/modprobe.d/
containing the following line:options bnx2 disable_msi=1
Alternatively, you can disable MSI completely using the kernel boot parameterpci=nomsi
. (BZ#432451) - The
smartctl
tool cannot properly read SMART parameters from SATA devices. (BZ#429606) - IBM T60 laptops will power off completely when suspended and plugged into a docking station. To avoid this, boot the system with the argument
acpi_sleep=s3_bios
. (BZ#439006) - The QLogic iSCSI Expansion Card for the IBM Bladecenter provides both ethernet and iSCSI functions. Some parts on the card are shared by both functions. However, the current
qla3xxx
andqla4xxx
drivers support ethernet and iSCSI functions individually. Both drivers do not support the use of ethernet and iSCSI functions simultaneously.Because of this limitation, successive resets (via consecutiveifdown
/ifup
commands) may hang the device. To avoid this, allow a 10-second interval after anifup
before issuing anifdown
. Also, allow the same 10-second interval after anifdown
before issuing anifup
. This interval allows ample time to stabilize and re-initialize all functions when anifup
is issued. (BZ#276891) - Laptops equipped with the Cisco Aironet MPI-350 wireless may hang trying to get a DHCP address during any network-based installation using the wired ethernet port.To work around this, use local media for your installation. Alternatively, you can disable the wireless card in the laptop BIOS prior to installation (you can re-enable the wireless card after completing the installation). (BZ#213262)
- Hardware testing for the Mellanox MT25204 has revealed that an internal error occurs under certain high-load conditions. When the
ib_mthca
driver reports a catastrophic error on this hardware, it is usually related to an insufficient completion queue depth relative to the number of outstanding work requests generated by the user application.Although the driver will reset the hardware and recover from such an event, all existing connections at the time of the error will be lost. This generally results in a segmentation fault in the user application. Further, ifopensm
is running at the time the error occurs, then you need to manually restart it in order to resume proper operation. (BZ#251934) - The IBM T41 laptop model does not enter properly; as such, will still consume battery life as normal. This is because Red Hat Enterprise Linux 5 does not yet include the
radeonfb
module.To work around this, add a script namedhal-system-power-suspend
to/usr/share/hal/scripts/
containing the following lines:chvt 1 radeontool light off radeontool dac off
This script will ensure that the IBM T41 laptop enters properly. To ensure that the system resumes normal operations properly, add the scriptrestore-after-standby
to the same directory as well, containing the following lines:radeontool dac on radeontool light on chvt 7
(BZ#227496) - If the
edac
module is loaded, BIOS memory reporting will not work. This is because theedac
module clears the register that the BIOS uses for reporting memory errors.The current Red Hat Enterprise Linux Driver Update Model instructs the kernel to load all available modules (including theedac
module) by default. If you wish to ensure BIOS memory reporting on your system, you need to manually blacklist theedac
modules. To do so, add the following lines to/etc/modprobe.conf
:blacklist edac_mc blacklist i5000_edac blacklist i3000_edac blacklist e752x_edac
(BZ#441329) - Due to outstanding driver issues with hardware encryption acceleration, users of Intel WiFi Link 4965, 5100, 5150, 5300, and 5350 wireless cards are advised to disable hardware accelerated encryption using module parameters. Failure to do so may result in the inability to connect to Wired Equivalent Privacy (WEP) protected wireless networks after connecting to WiFi Protected Access (WPA) protected wireless networks.To do so, add the following options to
/etc/modprobe.conf
:alias wlan0 iwlagn options iwlagn swcrypto50=1 swcrypto=1
where wlan0 is the default interface name of the first Intel WiFi Link device.(BZ#468967) - A kernel security fix released between Red Hat Enterprise Linux 5.7 and 5.8 may prevent PCI passthrough working and guests starting. Refer to Red Hat Knowledgebase article 66747 for further details.
- The size of the PowerPC kernel image is too large for OpenFirmware to support. Consequently, network booting will fail, resulting in the following error message:
Please wait, loading kernel... /pci@8000000f8000000/ide@4,1/disk@0:2,vmlinux-anaconda: No such file or directory boot:
To work around this:- Boot to the OpenFirmware prompt, by pressing the '8' key when the IBM splash screen is displayed.
- Run the following command:
~]#
setenv real-base 2000000
- Boot into System Management Services (SMS) with the command:
~]#
0> dev /packages/gui obe
(BZ#462663)
2.20. kexec-tools
- Executing
kdump
on an IBM Bladecenter QS21 or QS22 configured with NFS root will fail. To avoid this, specify an NFS dump target in/etc/kdump.conf
. (BZ#368981) - Some
forcedeth
based devices may encounter difficulty accessing memory above 4GB during operation in akdump
kernel. To work around this issue, add the following line to the/etc/sysconfig/kdump
file:KDUMP_COMMANDLINE_APPEND="dma_64bit=0"
This work around prevents theforcedeth
network driver from using high memory resources in the kdump kernel, allowing the network to function properly. - The system may not successfully reboot into a
kexec
/kdump
kernel if X is running and using a driver other than vesa. This problem only exists with ATI Rage XL graphics chipsets.If X is running on a system equipped with ATI Rage XL, ensure that it is using the vesa driver in order to successfully reboot into akexec
/kdump
kernel. (BZ#221656) - kdump now serializes drive creation registration with the rest of the kdump process. Consequently, kdump may hang waiting for IDE drives to be initialized. In these cases, it is recommended that IDE disks not be used with kdump. (BZ#473852)
- It is possible in rare circumstances, for
makedumpfile
to produce erroneous results but not have them reported. This is due to the fact thatmakedumpfile
processes its output data through a pipeline consisting of several stages. Ifmakedumpfile
fails, the other stages will still succeed, effectively masking the failure. Should a vmcore appear corrupt, and makedumpfile is in use, it is recommended that the core be recorded without makedumpfile and a bug be reported. (BZ#475487) - kdump now restarts when CPUs or DIMMs are hot-added to a system. If multiple items are added at the same time, several sequential restarts may be encountered. This behavior is intentional, as it minimizes the time-frame where a crash may occur while memory or processors are not being tracked by kdump. (BZ#474409)
- Some Itanium systems cannot properly produce console output from the
kexec
purgatory
code. This code contains instructions for backing up the first 640k of memory after a crash.Whilepurgatory
console output can be useful in diagnosing problems, it is not needed forkdump
to properly function. As such, if your Itanium system resets during akdump
operation, disable console output inpurgatory
by adding--noio
to theKEXEC_ARGS
variable in/etc/sysconfig/kdump
. (BZ#436426)
2.21. kvm
- A CD-ROM device can be assigned to a guest by configuring the guest to back a virtual CD-ROM device with a physical device's special file, for example, /dev/sr0. When a physical CD-ROM device is assigned to a guest, the guest assumes it has full control of the device. However, it is still possible to access the device from the host. In such a case, the guest can become confused about the CD-ROM state; for instance, running eject commands in the host to change media can cause the guest to attempt to read beyond the size of the new medium, resulting in I/O errors. To work around this problem, do not access a CD-ROM device from the host while it is assigned to a guest. (BZ#847259)
- VNC password authentication is disabled when the host system is operating in FIPS mode. QEMU exits if it is configured to run as a password-authenticated VNC server; if QEMU is configured to run as an unauthenticated VNC server, it will continue to run as expected.
- Erroneous boot-index of a guest with mixed virtio/IDE disks causes the guest to boot from the wrong disk after the OS installation and hang with the error message
boot from HD
. - When using PCI device assignment with a 32-bit Microsoft Windows 2008 guest on an AMD-based host system, the assigned device may fail to work properly if it relies on MSI or MSI-X based interrupts. The reason for this is that the 32-bit version of Microsoft Windows 2008 does not enable MSI based interrupts for the family of processor exposed to the guest. To work around this problem, the user may wish to move to a RHEL6 host, use a 64-bit version of the guest operating system, or employ a wrapper script to modify the processor family exposed to the guest as follows (Note that this is only for 32-bit Windows guests):
- Create the following wrapper script:
~]$ cat /usr/libexec/qemu-kvm.family16 #!/bin/sh ARGS=$@ echo $ARGS | grep -q ' -cpu ' if [ $? -eq 0 ]; then for model in $(/usr/libexec/qemu-kvm -cpu ? \ | sed 's|^x86||g' | tr -d [:blank:]); do ARGS=$(echo $ARGS | \ sed "s|-cpu $model|-cpu $model,family=16|g") done else ARGS="$ARGS -cpu qemu64,family=16" fi echo "$0: exec /usr/libexec/qemu-kvm $ARGS" >&2 exec /usr/libexec/qemu-kvm $ARGS
- Make the script executable:
~]$
chmod 755 /usr/libexec/qemu-kvm.family16
- Set proper SELinux permissions:
~]$
restorecon /usr/libexec/qemu-kvm.family16
- Update the guest XML to use the new wrapper:
~]#
virsh edit $GUEST
and replace:<emulator>/usr/libexec/qemu-kvm</emulator>
with:<emulator>/usr/libexec/qemu-kvm.family16</emulator>
(BZ#654208) - Booting a Linux guest causes 1.5 to 2 second time drift from the host time when the default
hwclock
service starts. It is recommended to disable the hwclock service. Alternatively, enable thentp
service so that it can correct the time once the service is started. (BZ#523478) - By default, KVM virtual machines created in Red Hat Enterprise Linux 5.6 have a virtual Realtek 8139 (rtl8139) network interface controller (NIC). The rtl8139 virtual NIC works fine in most environments, but may suffer from performance degradation issues on some networks for example, a 10 GigE (10 Gigabit Ethernet) network.One workaround for this issue is switch to a different type of virtual NIC, for example, Intel PRO/1000 (e1000) or virtio (a virtual I/O driver for Linux that can talk to the hypervisor).To switch to e1000:
- Shutdown the guest OS
- Edit the guest OS definition with the command-line tool virsh:
virsh edit GUEST
- Locate the network interface section and add a model line as shown:
<interface type='network'> ... <model type='e1000' /> </interface>
- Save the changes and exit the text editor
- Restart the guest OS
Alternatively, if you're having trouble installing the OS on the virtual machine because of the rtl8139 NIC (for example, because you're installing the OS over the network), you can create a virtual machine from scratch with an e1000 NIC. This method requires you to have at least one virtual machine already created (possibly installed from CD or DVD) to use as a template.- Create an XML template from an existing virtual machine:
virsh dumpxml GUEST > /tmp/guest.xml
- Copy and edit the XML file and update the unique fields: virtual machine name, UUID, disk image, MAC address, etc. Note that you can delete the UUID and MAC address lines and virsh will generate a UUID and MAC address.
cp /tmp/guest.xml /tmp/new-guest.xml
vi /tmp/new-guest.xml
- Locate the network interface section and add a model line as shown:
<interface type='network'> ... <model type='e1000' /> </interface>
- Create the new virtual machine:
virsh define /tmp/new-guest.xml
virsh start new-guest
- The mute button in the audio control panel on a Windows virtual machine does not mute the sound.
- When migrating KVM guests between hosts, the NX CPU feature setting on both source and destination must match. Migrating a guest between a host with the NX feature disabled (i.e. disabled in the BIOS settings) and a host with the NX feature enabled may cause the guest to crash. (BZ#516029)
- The use of the qcow2 disk image format with KVM is considered a Technology Preview. (BZ#517880)
- 64-bit versions of Windows 7 do not have support for the AC'97 Audio Codec. Consequently, the virtualized sound device Windows 7 kvm guests will not function. (BZ#563122)
- Hot plugging emulated devices after migration may result in the virtual machine crashing after a reboot or the devices no longer being visible. (BZ#507191)
- The KVM modules from the
kmod-kvm
package do not support kernels prior to version 2.6.18-203.el5. If kmod-kvm is updated and an older kernel is kept installed, error messages similar to the following will be returned if attempting to install these modules on older kernels:WARNING: /lib/modules/2.6.18-194.el5/weak-updates/kmod-kvm/ksm.ko needs unknown symbol kvm_ksm_spte_count
(BZ#509361) - The KVM modules available in the
kmod-kvm
package are loaded automatically at boot time if the kmod-kvm package is installed. To make these KVM modules available after installing thekmod-kvm
package the system either needs to be rebooted or the modules can be loaded manually by running the/etc/sysconfig/modules/kvm.modules
script. (BZ#501543) - The Preboot eXecution Environment (PXE) boot ROMs included with KVM are from the Etherboot project. Consequently, some bug fixes or features that are present on the newer gPXE project are not available on Etherboot. For example, Virtual Machines (VMs) cannot boot using Microsoft based PXE (that is, Remote Installation Services (RIS) or Windows Deployment Services (WDS)).
- The following QEMU / KVM features are currently disabled and not supported: (BZ#512837)
- smb user directories
- scsi emulation
- "isapc" machine type
- nested KVM guests
- usb mass storage device emulation
- usb wacom tablet emulation
- usb serial emulation
- usb network emulation
- usb bluetooth emulation
- device emulation for vmware drivers
- sb16 and es1370 sound card emulations
- bluetooth emulation
- qemu CPU models other than qemu32/64 and pentium3
- qemu block device drivers other than raw, qcow2, and host_device
2.22. less
- The "less" command has been updated. less no longer adds the "carriage return" character when wrapping long lines. Consequently, lines longer than the terminal width will be displayed incorrectly when browsing the file line per line. The command line option "--old-bot" forces less to behave as it did previously, with long text lines displayed correctly. (BZ#441691)
2.23. lftp
- As a side effect of changing the underlying cryptographic library from OpenSSL to GnuTLS in the past, starting with lftp-3.7.11-4.el5_5.3, some previously offered TLS ciphers were dropped. In handshake, lftp does not offer these previously available ciphers:
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA
lftp still offers variety of other TLS ciphers:TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_RC4_128_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
For servers without support for any of these ciphers, it is now possible to force SSLv3 connection instead of TLS using theset ftp:ssl-auth SSL
configuration directive. This works both for implicit and explicit FTPS. (BZ#532099)
2.24. lvm2
- LVM no longer scans multipath member devices (underlying paths for active multipath devices) and prefers top level devices. This behavior can be switched off using the
multipath_component_detection
option in the/etc/lvm/lvm.conf
.
2.25. mesa
- On an IBM T61 laptop, Red Hat recommends that you refrain from clicking the
glxgears
window (whenglxgears
is run). Doing so can lock the system.To prevent this from occurring, disable the tiling feature. To do so, add the following line in theDevice
section of/etc/X11/xorg.conf
:Option "Tiling" "0"
(BZ#444508)
2.26. mkinitrd
- When running Red Hat Enterprise Linux 5 with an older kernel in a Microsoft Hyper-V virtualization guest, mkinitrd does not include the Microsoft Hyper-V drivers when asked to generate the initial RAM disk for a Red Hat Enterprise Linux 5.9 kernel or later. This causes a kernel panic when the guest is rebooted with such a kernel as there is no driver available for the storage hosting the guest's root file system. To work around this problem, run the mkinitrd utility with either the
--preload
option that loads the module before any SCSI modules are loaded, or with the--with
option that loads the module after SCSI modules are loaded. For more information, refer to the following Knowledge Base article: - When using an encrypted device, the following error message may be reported during bootup:
insmod: error inserting '/lib/aes_generic.ko': -1 File exists
This message can safely be ignored. (BZ#466296) - Installation using a Multiple Device (MD) RAID on top of multipath will result in a machine that cannot boot. Multipath to Storage Area Network (SAN) devices which provide RAID internally are not affected. (BZ#467469)
- When installing Red Hat Enterprise Linux 5, the following errors may be returned in
install.log
:Installing kernel-2.6.18-158.el5.s390x cp: cannot stat `/sbin/dmraid.static': No such file or directory
This message can be safely ignored. - iSCSI root devices do not function correctly if used over an IPv6 network connection. While the installation will appear to succeed, the system will fail to find the root file system during the first boot. (BZ#529636)
2.27. mod_revocator
- In order to run mod_revocator successfully, the following command must be executed in order to allow
httpd
to connect to a remote port which SELinux would otherwise deny:~]#
setsebool -P httpd_can_network_connect=1
This is due to the fact that by default, Apache is not allowed to also be used as an HTTP client (that is, send HTTP messages to an external host).
2.28. nfs-utils
- In the previous version of the nfs-utils package, the mount utility incorrectly reported the rpc.idmapd mapping daemon as not running when the daemon was executed. This bug has been fixed; however the problem can occur after upgrading nfs-utils to a later version. Note that the mount operation is successful and the warning can be safely ignored. To avoid this problem, perform a clean installation of the package.
- Currently, the rpc.gssd daemon looks only for the the "nfs/*" keys in the keytab file. Other keys are not supported.
2.29. openib
- Running
perftest
will fail if different CPU speeds are detected. As such, you should disable CPU speed scaling before runningperftest
. (BZ#433659)
2.30. openmpi
mvapich
andmvapich2
in Red Hat Enterprise Linux 5 are compiled to support only InfiniBand/iWARP interconnects. Consequently, they will not run over ethernet or other network interconnects. (BZ#466390)- When upgrading openmpi using yum, the following warning may be returned:
cannot open `/tmp/openmpi-upgrade-version.*' for reading: No such file or directory
The message is harmless and can be safely ignored. (BZ#463919) - A bug in previous versions of
openmpi
andlam
may prevent you from upgrading these packages. This bug manifests in the following error (when attempting to upgradeopenmpi
orlam
:error: %preun(openmpi-[version]) scriptlet failed, exit status 2
As such, you need to manually remove older versions ofopenmpi
andlam
in order to install their latest versions. To do so, use the followingrpm
command:rpm -qa | grep '^openmpi-\|^lam-' | xargs rpm -e --noscripts --allmatches
(BZ#433841)
2.31. openswan
- Openswan generates a Diffie-Hellman (DH) shared key that is 1 byte short because nss does not add leading zero bytes when needed. Also, openswan in Red Hat Enterprise Linux 5.9 does not support setting of the sha2_truncbug parameter in Red Hat Enterprise Linux 5.9, because the kernel does not support it.
2.32. perl-libxml-enno
- Note: the perl-libxml-enno library did not ship in any Red Hat Enterprise Linux 5 release. (BZ#612589)
2.33. pm-utils
- nVidia video devices on laptops can not be correctly re-initialized using VESA in Red Hat Enterprise Linux 5. Attempting to do so results in a black laptop screen after resume from suspend.
2.34. rpm
- Users of a freshly-installed PowerPC Red Hat Enterprise Linux 5 system may encounter package-related operation failures with the following errors:
rpmdb: PANIC: fatal region error detected; run recovery error: db4 error(-30977) from db->sync: DB_RUNRECOVERY: Fatal error, run database recovery
2.35. redhat-release-notes
- The Release Notes shipped in Red Hat Enterprise Linux 5.9 through the redhat-release-notes package contain an incorrect driver version number for the
qla2xxx
driver. In Red Hat Enterprise Linux 5.9, theqla2xxx
driver for QLogic Fibre-Channel HBAs has been updated to version 8.03.07.15.05.09-k, not 8.04.00.05.05.09-k.
2.36. rhn-client-tools
- Attempting to subscribe a system during firstboot can fail with a traceback. To work around this problem, register the system from the command line.
2.37. qspice
- Occasionally, the video compression algorithm starts when the guest is accessing text instead of video. This caused the text to be blurred. The SPICE server now has an improved heuristic for distinguishing between videos and textual streams.
2.38. samba3x
- The updated samba3x packages change the way ID mapping is configured. Users are advised to modify their existing Samba configuration files. Also, due to the ID mapping changes, authconfig does not create a working smb.conf file for the latest samba3x package, it only produces a valid configuration for the samba package.Note that several tdb files have been updated and the printing support has been rewritten to use the actual registry implementation. This means that all tdb files are upgraded as soon as you start the new version of smbd. You cannot downgrade to an older samba3x version unless you have backups of the tdb files.For more information about these changes, refer to the Release Notes for Samba 3.6.0.
- In Samba 3.0, the privilege
SeSecurityPrivilege
was granted to a user by default. To make Samba more secure, this privilege is no longer granted to a user by default. If you use an application that requires this privilege, like the IBM Tivoli Storage Manager, you need to grant it to the user running the Storage Manager with the following command:net sam rights grant <username> SeSecurityPrivilege
Seenet sam rights list
for a list of available privileges.
2.39. shadow-utils
- Previously, under certain circumstances, the faillog utility created huge files. This problem has been fixed; however, the useradd utility can still create large files. To avoid such a situation, use the
-l
option when creating a user with a very high user or group ID (UID or GID). (BZ#670364)
2.40. sos
- If the sosresport utility becomes unresponsive, a keyboard interrupt (CTRL+C) can fail to terminate it. In such a case, to terminate the process:
- press Ctrl+Z and execute
kill %N
(N represents the number of the sosreport job; usually 1) or - execute
kill -9 %N
(N represents the number of the sosreport job; usually 1). (BZ#708346)
2.41. subscription-manager
- For virtual guests, the Subscription Manager daemons use dmidecode to read the System Management BIOS (SMBIOS), which is used to retrieve the guest UUID. On 64-bit Intel architecture, the SMBIOS information is controlled by the Intel firmware and stored in a read-only binary entry. Therefore, it is not possible to retrieve the UUID or set a new and readable UUID. Because the guest UUID is unreadable, running the
facts
command on the guest system shows a value ofUnknown
in thevirt.facts
file for the system (virt.uuid: Unknown
). This means that the guest does not have any association with the host machine and, therefore, does not inherit some subscriptions. The facts used by Subscription Manager can be edited manually to add the UUID:- Obtain the guest name or guest ID.
- On the virtual host, use virsh to retrieve the guest UUID. For example, for a guest named 'rhel5server_virt1':
virsh domuuid rhel5server_virt1
- On the guest, manually create a facts file:
vim /etc/rhsm/facts/virt.facts
- Add a line which contains the given UUID.
{ "virt.uuid": "$VIRSH_UUID" }
Creating thefacts
file and inserting the proper UUID means that Subscription Manager properly identifies the guest rather than using anUnknown
value. - Japanese SCIM input-method editor cannot be activated and cannot input locale string in the data field for non-root users. To work around this problem, follow these steps:
- Log in to the system as a non-root user.
- As root, run the following commands:
~]# export GTK_IM_MODULE=scim-bridge ~]# subscription-manager-gui
- Using Subscription Manager in the following use case fails: a user installs Red Hat Enterprise Linux Desktop from a Red Hat Enterprise Linux 5.7 Client CD/DVD without an installation number. A user uses Subscription Manager, which finds one Red Hat Enterprise Linux Desktop product ID to subscribe to a Red Hat Enterprise Linux Workstation subscription. A user downloads content from a Workstation repository.The use case scenario described above fails because the rhel-workstation repositories require the rhel-5-workstation product tag in the product certification beforehand in order to view them.To work around this issue, follow these steps:
- Install a rhel-5-client system.
- Mount the ISO to your file system.
- Copy
<path_to_ISO>/Workstation/repodata/productid
to the/etc/pki/product/
directory, making sure that the file copied ends with.pem
(for example,/etc/pki/product/productid.pem
) - Subscribe to a Workstation subscription.
- Install a package from a Workstation repository.
2.42. systemtap
- The systemap-testsuite subpackage is designed for installation on development Workstation machines, not limited Client variants. More complete RPM dependencies now mandate the presence of several non-Client RPM packages, so it is no longer installable on the Client variant. Attempting to update can fail if the update includes the system-testsuite subpackage. To work around this problem remove the systemtap-testsuite subpackage from a Client machine before upgrading the systemtap package.
- Running some user-space probe test cases provided by the
systemtap-testsuite
package fail with anUnknown symbol in module
error on some architectures. These test cases include (but are not limited to):systemtap.base/uprobes.exp
systemtap.base/bz10078.exp
systemtap.base/bz6850.exp
systemtap.base/bz5274.exp
Because of a known bug in the latest SystemTap update, new SystemTap installations do not unload old versions of theuprobes.ko
module. Some updated user-space probe tests provided by the systemtap-testsuite package use symbols available only in the latestuprobes.ko
module (also provided by the latest SystemTap update). As such, running these user-space probe tests result in the error mentioned earlier.If you encounter this error, simply runrmmod uprobes
to manually remove the olderuprobes.ko
module before running the user-space probe test again. (BZ#499677) - SystemTap currently uses GCC to probe user-space events. GCC is, however, unable to provide debuggers with precise location list information for parameters. In some cases, GCC also fails to provide visibility on some parameters. As a consequence, SystemTap scripts that probe user-space may return inaccurate readings. (BZ#239065)
2.43. xen
- In some cases, Red Hat Enterprise Linux 6 guests running fully-virtualized under Red Hat Enterprise Linux 5 experience a time drift or fail to boot. In some cases, drifting may start after migration of the virtual machine to a host with different speed. This is due to limitations in the Red Hat Enterprise Linux 5 Xen Hypervisor. To work around this, add
clocksource=acpi_pm
orclocksource=jiffies
to the kernel command line for the guest. Alternatively, if running under Red Hat Enterprise Linux 5.7 or newer, locate the guest configuration file for the guest and add thehpet=0
option in it. - There are only 2 virtual slots (00:06.0 and 00:07.0) that are available for hot plug support in a virtual guest. (BZ#564261)
- As of Red Hat Enterprise Linux 5.4, PCI devices connected to a single PCI-PCI bridge can no longer be assigned to different PV guests. If the old, unsafe behavior is required, disable pci-dev-assign-strict-check in /etc/xen/xend-config.sxp. (BZ#508310)
- When running x86_64 Xen, it is recommended to set dom0-min-mem in /etc/xen/xend-config.sxp to a value of 1024 or higher. Lower values may cause the dom0 to run out of memory, resulting in poor performance or out-of-memory situations. (BZ#519492)
- The Red Hat Enterprise Linux 3 kernel does not include SWIOTLB support. SWIOTLB support is required for Red Hat Enterprise Linux 3 guests to support more than 4GB of memory on AMD Opteron and Athlon-64 processors. Consequently, Red Hat Enterprise Linux 3 guests are limited to 4GB of memory on AMD processors. (BZ#504187)
- The Hypervisor outputs messages regarding attempts by any guest to write to an MSR. Such messages contain the statement
Domain attempted WRMSR
. These messages can be safely ignored; furthermore, they are rate limited and should pose no performance risk. (BZ#477647)
- Installing Red Hat Enterprise Linux 3.9 on a fully virtualized guest may be extremely slow. In addition, booting up the guest after installation may result in
hda: lost interrupt
errors.To avoid this bootup error, configure the guest to use the SMP kernel. (BZ#249521)
2.44. vdsm22
- Adding Red Hat Enterprise Virtualization Hypervisor as a Red Hat Enterprise Linux host is not supported in Red Hat Enterprise Linux 5, and will therefore fail.
2.45. virt-v2v
- VMware Tools on Microsoft Windows is unable to disable itself when it detects that it is no longer running on a VMware platform. As a consequence, converting a Microsoft Windows guest from VMware ESX, which has VMware Tools installed, resulted in multiple error messages being displayed on startup. In addition, a
Stop Error
(also known as Blue Screen of Death, or BSOD) was displayed every time when shutting down the guest. To work around this issue, users are advised to uninstall VMware Tools from Microsoft Windows guests before conversion. (BZ#711972)
2.46. virtio-win
- Low performance with UDP messages larger than 1024 is a known Microsoft issue: http://support.microsoft.com/default.aspx/kb/235257. For the message larger than 1024 bytes follow the workaround procedure detailed in the above Microsoft knowledgebase article.
- Installation of Windows XP with the floppy containing guest drivers (in order to get the virtio-net drivers installed as part of the installation), will return messages stating that the viostor.sys file could not be found. viostor.sys is not part of the network drivers, but is on the same floppy as portions of the virtio-blk drivers. These messages can be safely ignored, simply accept the installation's offer to reboot, and the installation will continue normally.
2.47. xorg-x11-drv-i810
- When switching from the X server to a virtual terminal (VT) on a Lenovo ThinkPad T510 laptop, the screen can remain blank. Switching back to the X server will restore the screen.
- Running a screensaver or resuming a suspended laptop with an external monitor attached may result in a blank screen or a brief flash followed by a blank screen. If this occurs with the screensaver, the prompt for your password is being obscured, the password can still be entered blindly to get back to the desktop. To work around this issue, physically disconnect the external monitor and then press the video hotkey (usually Fn-F7) to rescan the available outputs, before suspending the laptop.
- If your system uses an Intel 945GM graphics card, do not use the
i810
driver. You should use the defaultintel
driver instead. (BZ#468218) - On dual-GPU laptops, if one of the graphics chips is Intel-based, the Intel graphics mode cannot drive any external digital connections (including HDMI, DVI, and DisplayPort). This is a hardware limitation of the Intel GPU. If you require external digital connections, configure the system to use the discrete graphics chip (in the BIOS). (BZ#468259)
2.48. xorg-x11-drv-nv
- Improvements have been made to the 'nv' driver, enhancing suspend and resume support on some systems equipped with nVidia GeForce 8000 and 9000 series devices. Due to technical limitations, this will not enable suspend/resume on all hardware. (BZ#414971)
2.49. xorg-x11-drv-vesa
- When running the bare-metal (non-Virtualized) kernel, the X server may not be able to retrieve
EDID
information from the monitor. When this occurs, the graphics driver will be unable to display resolutions highers than 800x600.To work around this, add the following line to theServerLayout
section of/etc/X11/xorg.conf
:Option "Int10Backend" "x86emu"
(BZ#236416)
2.50. xorg-x11-server
- On HP Z1 AIO workstations using Intel embedded graphics, the Anaconda installer uses graphical install mode, but displays it only in one quarter of the screen. Although the installation completes successfully, navigation can be difficult in this mode. To work around this problem, use the text-based installation instead of graphical mode, which correctly uses the entire screen on the mentioned workstations.
2.51. yaboot
- If the string that represents the path to kernel (or ramdisk) is greater than 63 characters, network booting an IBM POWER5 series system may result in the following error:
FINAL File Size = 8948021 bytes. load-base=0x4000 real-base=0xc00000 DEFAULT CATCH!, exception-handler=fff00300
The firmware for IBM POWER6 and IBM POWER7 systems contains a fix for this issue. (BZ#550086)
Chapter 3. New Packages
Chapter 4. Package Updates
4.1. acroread
Security Fix
- CVE-2012-0774, CVE-2012-0775, CVE-2012-0777
- This update fixes multiple security flaws in Adobe Reader. These flaws are detailed on the Adobe security page APSB12-08. A specially-crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened.
4.2. aide
Bug Fix
- BZ#811936
- Previously, the aide utility incorrectly initialized the gcrypt library. This consequently prevented aide to initialize its database if the system was running in FIPS-compliant mode. The initialization routine has been corrected, and along with an extension to the libgcrypt's API introduced in the RHEA-2012:0484 advisory, aide now initializes its database as expected if run in a FIPS-compliant way.
Bug Fixes
- BZ#547658
- The help output of the aide executable did not mention the "-D" option which is a shortcut for "--config-check". The option could only be found on the aide(1) man page. With this update, the "-D" option is mentioned in both the help output and on the man page.
- BZ#553137
- Previously, the aide utility incorrectly initialized the gcrypt library. This consequently prevented aide to initialize its database if the system was running in FIPS-compliant mode. The initialization routine has been corrected, and along with an extension to the libgcrypt's API introduced in the RHEA-2012:0484 advisory, aide now initializes its database as expected if run in a FIPS-compliant way.
- BZ#580253
- The compare_dbline() function returned an "int" value, even though the function can operate with variables of size larger than "int" (for example, DB_SELINUX, DB_XATTRS or DB_WHIRPOOL). As a consequence, aide could produce incorrect results when checking a database for inconsistencies. The underlying source code has been modified so that the compare_dbline() function now returns an "unsigned long long" value, and aide correctly detects and reports database inconsistencies.
4.3. alsa-utils
Bug Fix
- BZ#854012
- Due to an incorrect configuration of the alsaloop utility from the alsa-utils package, high CPU usage occurred when using alsaloop. This also affected the alsa-delay script, which uses alsaloop for the configurable audio delay functionality. With this update, the alsaloop function has been reconfigured. As a result, the CPU usage is now optimized when alsaloop is used.
4.4. anaconda
Bug Fixes
- BZ#750681
- When a host name provided by the user could not be resolved during system installation, it was added to the
/etc/hosts
file as a localhost record (under 127.0.0.1). Thus when configuring the network, DNS resolution of the host name did not work properly. This update ensures that user-provided host names are no longer written to the/etc/hosts
file and host name resolution now works as expected. - BZ#760496
- During the installation process, Anaconda failed to read the Release Notes using the
getReleaseNotes()
function. Consequently, the button showed a pop-up error “Release Notes are missing”. ThegetReleaseNotes()
function has been fixed and now properly presents the Release Notes when the button is pressed. - BZ#769287
- The maximum size limit for all
ext
file systems was set to 8 TB. Consequently, Anaconda limited the maximum size artificially for theext3
andext4
file systems, even though these systems support sizes up to 16 TB. The size limits forext3
andext4
have been extended to 16 TB. - BZ#773573
- Pressing the ESC key in certain Anaconda dialog boxes behaved the same way as if thebutton was hit. This has been fixed and pressing the ESC key now has the same effect as hitting the button.
- BZ#784159
- Previously, symbolic links in the
/dev/
directory, such as/dev/fd/
, were not created during installation. Consequently, an attempt to use these links during the installation failed. The source code has been updated and symbolic links are now created correctly and can be used during installation. - BZ#788871
- The
openibd
service was not enabled after installation when using IP over InfiniBand (IPoIB). Consequently, an InfiniBand device did not come up after installation. The underlying source code has been modified and theopenibd
service is now enabled when usingIPoIB
during installation. - BZ#797075
- Previously, the
--label
option in thepart
section of a kickstart file was not honored. Consequently, partitions were not labeled in accordance with the kickstart option after system installation. The source code that handles partition label setting has been fixed, and partition labeling via a kickstart file works as expected. - BZ#812719
- Kernel and
initrd
image sizes grew slightly in Red Hat Enterprise Linux 5.8. Consequently, thediskboot.img
file did not have enough space to store all files and some of them were truncated or were not included in the image. The size ofdiskboot.img
has been increased and all files fit as expected. - BZ#819721
- Due to improper handling of invalid disks referenced in the kickstart file, Anaconda could crash with a traceback when attempting to execute the partitioning instructions. This bug has been fixed, Anaconda now checks for invalid BIOS disk references correctly and exits gracefully indicating that the referenced BIOS disk cannot be found.
- BZ#841136
- Newer versions of nfs-utils and mount.nfs are set to use the
TCP
protocol by default and Anaconda mounting code conflicted with this new default. Consequently, the Network File System (NFS) sources were not mountable and users were unable to install the system over this protocol. The Anaconda NFS mounting code has been updated to useTCP
by default. As result, installations over NFS function as expected.
Enhancements
- BZ#756213
- This enhancement adds a class for Global File System (GFS) to the Anaconda code base. As a result, the lines with the “gfs” string in the
/etc/fstab
file are preserved on upgrade and using thegfs
boot option enables a way to create new GFS partitions during installation. The lines with the unknown (unsupported) file system type are just commented out on upgrade instead of removed from the/etc/fstab
file. - BZ#824880
- This enhancement includes Microsoft ParaVirtualized (PV) drivers into the installation environment. Previously, running Red Hat Enterprise Linux as a guest on Microsoft provided only a sub-part user experience with need to download and install Microsoft tools and add the PV support. This update enables seamless installation of Red Hat Enterprise Linux as a guest on a
Hyper-V
server and Red Hat Enterprise Linux works out-of-the-box now.
4.5. aspell-en
Enhancement
- BZ#562286
- Prior to this update, the default English dictionary contained profanity. With this update, the profanity is moved from the default dictionary to the "en-complete" dictionary. To run aspell with this dictionary, use the "-d" switch: "aspell -d en-complete".
4.6. autofs
Bug Fix
- BZ#810126
- A function to check validity of a mount location was meant to check only for a small subset of map location errors. A recent improvement modification in error reporting inverted a logic test in this validating function. Consequently, the scope of the test was widened, which caused automount to report false positive failures. With this update, the faulty logic test has been corrected and false positive failures no longer occur.
Security Fix
- CVE-2012-2697
- A bug fix included in RHBA-2012:0264 introduced a denial of service flaw in autofs. When using autofs with LDAP, a local user could use this flaw to crash autofs, preventing future mount requests from being processed until the autofs service was restarted. Note: This flaw did not impact existing mounts (except for preventing mount expiration).
Bug Fixes
- BZ#585058
- The autofs init script sometimes timed out waiting for the automount daemon to exit and returned a shutdown failure if the daemon failed to exit in time. To resolve this problem, the amount of time that the init script waits for the daemon has been increased to allow for cases where servers are slow to respond or there are many active mounts.
- BZ#767428
- Due to an omission when backporting a change, autofs attempted to download the entire LDAP map at startup. This mistake has now been corrected.
- BZ#798448
- A function to check the validity of a mount location was meant to check only for a small subset of map location errors. A recent modification in error reporting inverted a logic test in this validating function. Consequently, the scope of the test was widened, which caused the automount daemon to report false positive failures. With this update, the faulty logic test has been corrected and false positive failures no longer occur.
- BZ#847101
- When there were many attempts to access invalid or non-existent keys, the automount daemon used excessive CPU resources. As a consequence, systems sometimes became unresponsive. The code has been improved so that automount checks for invalid keys earlier in the process which has eliminated a significant amount of the processing overhead.
- BZ#859890
- The auto.master(5) man page did not document the "-t, --timeout" option in the FORMAT options section. This update adds this information to the man page.
Enhancement
- BZ#690404
- Previously, it was not possible to configure separate timeout values for individual direct map entries in the autofs master map. This update adds this functionality.
4.7. bind
Bug Fix
- BZ#885731
- Previously, the "named" name service daemon could terminate unexpectedly due to a race condition in the socket module. This race condition has been fixed and the "named" daemon no longer crashes.
Security Fixes
- CVE-2012-1667
- A flaw was found in the way BIND handled zero length resource data records. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records that would cause a recursive resolver or secondary server to crash or, possibly, disclose portions of its memory.
- CVE-2012-1033
- A flaw was found in the way BIND handled the updating of cached name server (NS) resource records. A malicious owner of a DNS domain could use this flaw to keep the domain resolvable by the BIND server even after the delegation was removed from the parent DNS zone. With this update, BIND limits the time-to-live of the replacement record to that of the time-to-live of the record being replaced.
Security Fix
- CVE-2012-3817
- An uninitialized data structure use flaw was found in BIND when DNSSEC validation was enabled. A remote attacker able to send a large number of queries to a DNSSEC validating BIND resolver could use this flaw to cause it to exit unexpectedly with an assertion failure.
Security Fix
- CVE-2012-4244
- A flaw was found in the way BIND handled resource records with a large RDATA value. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records, that would cause a recursive resolver or secondary server to exit unexpectedly with an assertion failure.
Bug Fix
- BZ#857056
- The bind-chroot-admin script, executed when upgrading the bind-chroot package, failed to correctly update the permissions of the /var/named/chroot/etc/named.conf file. Depending on the permissions of the file, this could have prevented named from starting after installing package updates. With this update, bind-chroot-admin correctly updates the permissions and ownership of the file.
Security Fix
- CVE-2012-5166
- A flaw was found in the way BIND handled certain combinations of resource records. A remote attacker could use this flaw to cause a recursive resolver, or an authoritative server in certain configurations, to lockup.
4.8. bind97
Bug Fix
- BZ#883402
- When authoritative servers did not return a Start of Authority (SOA) record, the "named" daemon failed to cache and return answers. A patch has been provided to address this issue and "named" is now able to handle such under-performing servers correctly.
Bug Fixes
- BZ#657260
- Previously, the
DNS
server (named
) init script killed allnamed
processes when stopping thenamed
daemon. This caused a problem for container-virtualized hosts, such as OpenVZ, because theirnamed
processes were killed by the init script. The init script has been fixed and now only kills the correctnamed
processes. - BZ#703452
- When the
/etc/resolv.conf
file contained thesearch
keyword with no arguments, the host/nslookup/dig utility failed to parse it correctly. With this update, such lines are ignored. - BZ#719855
- The
/etc/named.root.key
file was not listed in theROOTDIR_MOUNT
variable. Consequently, when using bind97 with chroot, thenamed.root.key
file was not mounted to the chroot environment. A patch has been applied and/etc/named.root.key
is now mounted into chroot. - BZ#758057
- A non-writable working directory is a long time feature on all Red Hat systems. Previously,
named
wrotethe working directory is not writable
as an error to the system log. This update changes the code so thatnamed
now writes this information only into the debug log. - BZ#803369
- During a
DNS
zone transfer,named
sometimes terminated unexpectedly with an assertion failure. A patch has been applied to make the code more robust, andnamed
no longer crashes in the scenario described. - BZ#829823
- Due to an error in the bind spec file, the bind-chroot subpackage did not create a
/dev/null
device. In addition, some empty directories were left behind after uninstalling bind. With this update, the bind-chroot packaging errors have been fixed. - BZ#829829
- Previously, the nslookup utility did not return a non-zero exit code when it failed to get an answer. Consequently, it was impossible to determine if an nslookup run was successful or not from the error code. The nslookup utility has been fixed and now it returns
1
as the exit code when it fails to get an answer. - BZ#829831
- The
named
daemon, configured as master server, sometimes failed to transfer an uncompressible zone. The following error message was logged:transfer of './IN': sending zone data: ran out of space
The code which handles zone transfers has been fixed and this error no longer occurs in the scenario described.
Enhancements
- BZ#693788
- Previously, bind97 did not contain the root zone
DNSKEY
.DNSKEY
is now located in/etc/named.root.key
. - BZ#703096
- With this update, the size, MD5 checksum, and modification time of the
/etc/sysconfig/named
configuration file is no longer checked via therpm -V bind
command. - BZ#703397
- The host utility now honors
debug
,attempts
, andtimeout
options in the/etc/resolv.conf
file. - BZ#703411
- The
DISABLE_ZONE_CHECKING
option has been added to/etc/sysconfig/named
. This option adds the possibility to bypass zone validation via the named-checkzone utility in the/etc/init.d/named
init script and allows startingnamed
with misconfigured zones. - BZ#749214
- The return codes of the dig utility are now documented in the dig man page.
- BZ#811566
- The option to disable Internationalized Domain Name (IDN) support in the dig utility was incorrectly documented in the man page. The dig man page has been corrected to explain the use of the
libidn
environment optionCHARSET
for disabling IDN. - BZ#829827
- Previously, the
rndc.key
file was generated during package installation by therndc-confgen -a
command, but this feature was removed in Red Hat Enterprise Linux 5.8 because users reported that installation of the bind package sometimes became unresponsive due to lack of entropy in/dev/random
. Thenamed
init script now generatesrndc.key
during the service startup if it does not exist.
Security Fixes
- CVE-2012-1667
- A flaw was found in the way BIND handled zero length resource data records. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records that would cause a recursive resolver or secondary server to crash or, possibly, disclose portions of its memory.
- CVE-2012-1033
- A flaw was found in the way BIND handled the updating of cached name server (NS) resource records. A malicious owner of a DNS domain could use this flaw to keep the domain resolvable by the BIND server even after the delegation was removed from the parent DNS zone. With this update, BIND limits the time-to-live of the replacement record to that of the time-to-live of the record being replaced.
Security Fix
- CVE-2012-3817
- An uninitialized data structure use flaw was found in BIND when DNSSEC validation was enabled. A remote attacker able to send a large number of queries to a DNSSEC validating BIND resolver could use this flaw to cause it to exit unexpectedly with an assertion failure.
Security Fix
- CVE-2012-4244
- A flaw was found in the way BIND handled resource records with a large RDATA value. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records, that would cause a recursive resolver or secondary server to exit unexpectedly with an assertion failure.
Security Fix
- CVE-2012-5166
- A flaw was found in the way BIND handled certain combinations of resource records. A remote attacker could use this flaw to cause a recursive resolver, or an authoritative server in certain configurations, to lockup.
4.9. binutils
Bug Fix
- BZ#818708
- Due to instability in calculating the program header size, the GNU linker could terminate unexpectedly with the "looping in map_segments" error message. With this update, the linker has been modified to properly handle changes in the size of the segment map, which prevents the instability and the linker no longer crashes in this scenario.
4.10. busybox
Bug Fix
- BZ#834277
- When attempting to mount an NFS file system, the mount command in the busybox package was using the UDP protocol by default while the standard mount utility uses the TCP protocol by default. Consequently, directories could not be mounted from the server. With this update, the mount command in busybox has been fixed to use TCP by default, thus preventing this bug.
4.11. cman
Bug Fix
- BZ#765665
- The fence_rhevm fencing agent uses the Red Hat Enterprise Virtualization API to check the power status ("on" or "off") of a virtual machine. In addition to the states of "up" and "down", the API includes other states like "unassigned", "powering_up", "paused", "migrating", "unknown", "not_responding", "wait_for_launch", "reboot_in_progress", "saving_state", "restoring_state", "suspended", "image_illegal", "image_locked" or "powering_down". Previously, only if the machine was in the "up" state, the "on" power status was returned. The "off" status was returned for all other states although the machine was actually running. This allowed for successful fencing even before the machine was really powered off. With this update, the fence_rhevm agent detects power status of a cluster node more conservatively, and the "off" status is returned only if the machine is really powered off, it means in the "off" state.
Bug Fix
- BZ#811939
- Previously, cman did not handle idle connection timeout correctly when fencing a cluster node. Consequently, a connection to a fence device timed out and fencing failed if the "delay" option was set to more than 5 seconds. With this update, the "delay" option is applied before the connection is opened and the fencing thus no longer fails in this scenario.
Bug Fix
- BZ#861392
- The speed of fencing is critical because otherwise, broken nodes have more time to corrupt data. Previously, the operation of the fence_vmware_soap fencing agent was slow when used on the VMWare vSphere platform with hundreds of virtual machines. This update fixes a problem with virtual machines that do not have a valid UUID, which can be created during failed P2V (Physical-to-Virtual) processes. Now, the fencing process is also much faster and it does not terminate if a virtual machines without an UUID is encountered.
Bug Fixes
- BZ#674497
- With this update, several typographical errors in the
fence/agents/scsi/fence_scsi.pl
file have been fixed. As a result, the debug messages of this file are now typographically correct. - BZ#745985
- Prior to this update, the VMware vSphere 5.0 SOAP API was not listed as a version supported by the fence_vmware_soap fence agent. Consequently, the fence agent did not function properly with virtual machines managed by VMware vSphere 5.0. With this update, VMware vSphere 5.0 has been added to the list of supported interfaces, and is fully compatible with fence_vmware_soap.
- BZ#753839
- Previously, the
fence_scsi
man page contained incorrect information about the limitations of the fence_scsi agent. The correct description of these limitations can be found in the in the Cluster Administration guide. With this update, the misleading section has been removed from the manual page in order to avoid the potential confusion. - BZ#782919
- Prior to this update, when attempting to create registrations on a multipath device with the
fence_scsi_test -o
command, some registrations failed without signalization. Consequently, there was a need to verify that all registrations had been successfully created. With this update, a--strict
option has been added into the fence_scsi_test program. This option forces the verification step to compare the number of paths to the number of times the registration key appears on the device. Without this option, the verification step only inspects the existence of a registration key on the device. Although it is usually safe to omit the--strict
option, it is strongly recommended to use--strict
on multipath devices. - BZ#786485
- The fence_rhevm fencing agent uses the Red Hat Enterprise Virtualization API to check the power status ("on" or "off") of a virtual machine. In addition to the states of "up" and "down", the API includes other states like "unassigned", "paused", etc. (14 in sum). Previously, only when the machine was in the "up" state, the "on" power status was returned. The "off" status was returned for all other states even though the machine was actually running. This behavior allowed for successful fencing even before the machine was powered off. The bug has been fixed and the "off" status is now returned only in a case the machine is in the "off" state.
- BZ#804170
- Previously, the cman utility did not apply the
--delay
option correctly when fencing a cluster node. Consequently, a connection to a fence device timed out and fencing failed when--delay
was set to more than 5 seconds. With this update,--delay
is applied before the connection is opened and the fencing no longer fails in the described scenario. - BZ#809390
- Prior to this update, when the
method name
setting was left empty in the/etc/cluster/cluster.conf
configuration file, an unintended core file was created. Consequently, a fenced cloud terminated with a segmentation fault. This bug has been fixed, and the termination no longer occurs in the aforementioned scenario. - BZ#809481
- Due to a bug in the
fence_scsi_test
function, failing to create a reservation led to an incorrect reset of the error count to zero. The bug has been fixed, and the error count is now incremented properly when the error occurs. - BZ#836654
- Previously, the fence_vmware_soap fencing agent operated slowly on the VMware vSphere platform with hundreds of virtual machines (VM). This behavior was caused by requesting for needless attributes. With this update, the unnecessary requests have been removed. This update also handles the VMs with invalid UUIDs, which can occur as a result of the failed P2V (physical to virtual machine) process. As a result, fence_vmware_soap performs fencing with increased speed and the process is no longer terminated when a VM without an UUID is encountered.
- BZ#843083
- In certain cases, the fence_xvm fencing agent incorrectly reported successful fencing, and ignored a communication issue between the agent and the fence_xvmd fencing host. This bug has been fixed and the communication errors are now reported correctly.
- BZ#863567
- The new href attribute on the /vms/vm element in the Red Hat Enterprise Virtualization Manager 3.1 API caused the get_id regular expression of the fence_rhevm fencing agent to fail. Consequently, the plug status was not available. With this update, get_id has been modified to allow arbitrary attributes to be added to the element. As a result, the plug status is now correctly shown.
Enhancements
- BZ#738705
- RHEL5 Cluster Suite now supports using RHEV shared storage disks as the shared storage between cluster nodes. Highly Available Logical Volume Manager (HA-LVM), Clustered Logical Volume Manager (CLVM), and the qDisk daemon are all supported on this storage. Fencing via
fence_scsi
will not work as shared disks are only exposed as VirtIO or IDE devices. - BZ#741985
- A new fence agent, fence_ipdu, that handles the IBM iPDU fence device over the Simple Network Management Protocol (SNMP) has been added. As a result, the cman package now provides compatibility with IBM iPDU.
- BZ#782900
- Previously, using the qdiskd daemon for multipath devices required tuning with the device-mapper-multipath tool, which was a complex and error-prone process. With this update, the qdiskd input and output operations have been improved to automatically detect the multipath-related timeouts without requiring a manual configuration. As a result, qdiskd can now be easily deployed with device-mapper-multipath.
- BZ#810949
- Various cman fence agents differ in handling of the end-of-line (EOL) markers. Previously, changing the universal
\r\n
EOL could make the login process impossible for the fence agent. With this update, an automatic detection of EOL has been added to a fencing library and the described error no longer occurs. - BZ#821857
- Prior to this update, it was not possible to specify more than four fencing devices per method with the cman utility. With this update, the maximum number of devices per method has increased to eight.
- BZ#836963
- The Distributed Lock Manager (DLM) now allows tuning of DLM hash table sizes from the
/etc/sysconfig/cman
file. The following parameters can be set in the/etc/sysconfig/cman
file:DLM_LKBTBL_SIZE=
<size_of_table>
DLM_RSBTBL_SIZE=<size_of_table>
DLM_DIRTBL_SIZE=<size_of_table>
which, in turn, modifies the values in the following files respectively:/sys/kernel/config/dlm/cluster/lkbtbl_size /sys/kernel/config/dlm/cluster/rsbtbl_size /sys/kernel/config/dlm/cluster/dirtbl_size
- BZ#856954
- Previously, it was not possible to modify the default TCP port (21064) of the Distributed Lock Manager (DLM). With this update, the
DLM_TCP_PORT
configuration parameter has been added into the/etc/sysconfig/cman
file. As a result, the DLM TCP port can be manually configured. - BZ#878998
- Support for clusters utilizing VMware's VMDK disk image technology with the
multi-writer
option is now provided. It is now possible to deploy Global File System 2 (GFS2) on top of VMDK.
4.12. cmirror
Bug Fix
- BZ#809642
- Previously, when successively activating and deactivating cluster mirrors, cmirror could fail to initialize the mirrors properly. Consequently, any I/O operations to the device and further LVM commands became unresponsive. With this update, cmirror has been modified to fix this bug; however, the problem can still occur after a large number of iterations.
Bug Fix
- BZ#816973
- The cluster mirror daemon sends information between cluster nodes to keep the mirror log state consistent. Information about the state and health of the mirror and its devices is gathered as needed from the daemon. Some of the information does not change after the device has reached a certain state, for example when the mirror becomes "in-sync", while other information can change, for example the health of the log device in response to a failure. To limit the amount of such requests and reduce the load on the network, processing of information which cannot change is done locally. Previously, also requests for information regarding the health of the log device - which ultimately controls the fault handling behavior of the mirror - were processed locally, which caused the daemon to miss the failure of the log device on a remote machine. With this update, the information is requested from the cluster so that log device failures are detected and processed as expected.
Bug Fixes
- BZ#711594
- Prior to this update, requests for information about the health of the log device were processed locally. As a consequence, the cluster mirror daemon could not detect log device failures on remote machines. With this update, the information is requested from the cluster so that log device failures are detected and processed as expected.
- BZ#806919
- Prior to this update, the cmirror utility could fail to initialize the mirrors correctly when successively activating and deactivating cluster mirrors. As a consequence, any I/O operation to the device and further LVM commands became unresponsive.This update modifies the underlying code so that the problem only occurs after a large number of iterations.
4.13. conga
Security Fix
- CVE-2012-3359
- It was discovered that luci stored usernames and passwords in session cookies. This issue prevented the session inactivity timeout feature from working correctly, and allowed attackers able to get access to a session cookie to obtain the victim's authentication credentials.
Bug Fixes
- BZ#832181
- Prior to this update, luci did not allow the fence_apc_snmp agent to be configured. As a consequence, users could not configure or view an existing configuration for fence_apc_snmp. This update adds a new screen that allows fence_apc_snmp to be configured.
- BZ#832183
- Prior to this update, luci did not allow the SSL operation of the fence_ilo fence agent to be enabled or disabled. As a consequence, users could not configure or view an existing configuration for the 'ssl' attribute for fence_ilo. This update adds a checkbox to show whether the SSL operation is enabled and allows users to edit that attribute.
- BZ#832185
- Prior to this update, luci did not allow the "identity_file" attribute of the fence_ilo_mp fence agent to be viewed or edited. As a consequence, users could not configure or view an existing configuration for the "identity_file" attribute of the fence_ilo_mp fence agent. This update adds a text input box to show the current state of the "identity_file" attribute of fence_ilo_mp and allows users to edit that attribute.
- BZ#835649
- Prior to this update, redundant files and directories remained on the file system at /var/lib/luci/var/pts and /usr/lib{,64}/luci/zope/var/pts when the luci package was uninstalled. This update removes these files and directories when the luci package is uninstalled.
- BZ#839732
- Prior to this update, the "restart-disable" recovery policy was not displayed in the recovery policy list from which users could select when they configure a recovery policy for a failover domain. As a consequence, the "restart-disable" recovery policy could not be set with the luci GUI. This update adds the "restart-disable" recovery option to the recovery policy pulldown list.
- BZ#842865
- Prior to this update, line breaks that were not anticipated in the "yum list" output could cause package upgrade and/or installation to fail when creating clusters or adding nodes to existing clusters. As a consequence, creating clusters and adding cluster nodes to existing clusters could fail. This update modifies the ricci daemon to be able to correctly handle line breaks in the "yum list" output.
Enhancements
4.14. coreutils
Bug Fix
- BZ#803356
- An incomplete fix for behavior of the "mv --backup" command, that was released with the RHBA-2011:1074 errata advisory, caused the "cp --backup" command to work incorrectly. When used with a directory as a source argument, the "cp --backup" command did not backup individual files within the directory but whole directory. This update corrects the problem and the "--backup" feature of the "cp" utility now works as intended again.
4.15. cpio
- BZ#573943
- Prior to this update, the cpio man page did not document how to use tape devices that do not use the default block size of 512 bytes for I/O operations. As a result, the cpio utility could fail with the error message "cpio: read error: Cannot allocate memory" if another block size was used. With this update, the man page states that setting the block size with the "--block-size" long option avoids this problem.
4.16. crash
Bug Fix
- BZ#883727
- The Xen dom0 dump files created with the "makedumpfile -d1" command on very large systems could create an ELF vmcore that the crash utility incorrectly determined to be an old-style netdump vmcore. Consequently, the crash session failed during initialization with the error message "crash: cannot read xen kdump p2m mfn page". With this update, the code has been fixed and the crash utility now properly starts in the described scenario.
4.17. crontabs
Enhancement
- BZ#532157
- The cron daemon had no mechanism to manage cron job rescheduling in a shared environment selectively. Therefore, when a large number of hosts attempted to execute their jobs at the same time, a network or server running the jobs could become overloaded. This update modifies the run-parts script to provide cron job randomization. When cron job randomization is enabled and configured, and a cron job fails to be executed at the scheduled time, cron retries to execute jobs after a random interval. The network and server overloading due to too many simultaneous cron jobs can no longer occur.
4.18. cscope
Bug Fix
- BZ#440628
- Previously, the spec file contained the %{dist} tag on the "Release" line. To comply with the packaging and naming guidelines, the tag has been changed to %{?dist} with this update.
4.19. ctdb
Bug Fix
- BZ#739502
- Due to a name conflict of tools provided by the samba and tdb-tools packages, some binaries from the tdb-tools have to be renamed upon installation. The ctdb init script did not contain the updated names for the tdb-tools utilities. Consequently, the ctdb service could not be started via the init script. This update corrects the ctdb init script to search for tdb-tools utilities under their new name.
4.20. cyrus-sasl
Bug Fix
- BZ#849581
- A memory leak in the digest-md5 plugin was discovered. Specifically, make_client_request was called twice without being freed. Consequently, applications that used DIGEST-MD5 with very large datasets could (and did) crash. This update frees make_client_request correctly and closes the memory leak. Applications using DIGEST-MD5 as part of authentication with large datasets now work as expected.
4.21. device-mapper-multipath
Bug Fix
- BZ#806204
- The multipathd daemon creates its private namespace which is supposed to keep only the file systems that are necessary for multipathd to run. However, multipathd did not check every file system in the namespace, and the namespace thus could contain also non-essential file systems. As a consequence, devices containing such file systems could not be removed from the system. With this update, multipathd verifies all file systems in its private namespace and removes every non-essential file system found. The devices containing the non-essential file systems can now be removed as expected when the file systems are unmounted.
Bug Fix
- BZ#858010
- If the initrd RAM disk was not rebuilt when a new storage device was added to the system, the new device could be assigned a user_friendly_names value that collided with a value already assigned to another device. Consequently, the original device then stopped working correctly. Now, the multipathd daemon accepts the "-B" option, which makes the user_friendly_names bindings file read-only. When initrd calls multipath with the "-B" option, devices without a binding to a user_friendly_names use their World Wide Identifier (WWID) instead, thus fixing this bug.
Bug Fix
- BZ#833193
- The multipathd daemon ignored all subdirectories in /var/lib/ when deciding which file systems to unmount. Now, the only subdirectory of /var/lib/ that multipathd does not unmount is /var/lib/multipath/. Also, multipathd now unmounts all unnecessary file systems before mounting the ramfs on the /tmp/, /bin/, and /sbin/ directories.
- BZ#769990
- If initrd was not rebuilt when a new storage device was added to the system, the new device could have been assigned a user_friendly_names value already assigned to another device, and the device stopped working correctly. multipathd now accepts the -B option, which makes the user_friendly_names bindings file read-only. When started with the -B option, multipath devices without a binding to a user_friendly_names use their World Wide Identifier (WWID).
- BZ#803849
- The multipathd daemon failed to unmount some file systems because the daemon was deleting unnecessary file systems while reading through the list of mounted file systems. Consequently, Multipath could have missed the deleted file systems. The multipathd daemon now reads through all file systems first and creates a list of the file systems to unmount, which are then unmounted based on this list.
- BZ#771571
- The multipathd daemon incorrectly returned exit code 1 when called with the -h option. The deamon now returns exit code 0 when called with the -h option.
- BZ#783522
- The multipathd daemon did not always flush the log buffer if it failed during start-up and error messages logged during start-up could be lost. multipathd now always flushes the log buffer on failures and error messages are logged correctly if multipathd terminates unexpectedly during start-up.
- BZ#781480
- The multipath priority callout programs did not work correctly with CCISS (Compaq Command Interface for SCSI-3 Support) devices because multipath could not convert the ! character in a CCISS sysfs name to the / character in the CCISS device name. Consequently, callout programs failed to set path priorities for these devices. The code has been modified and Multipath now supports the "%c" wildcard for callout functions and the CCISS names are converted correctly.
Enhancements
- BZ#742906
- This update adds the default configuration for HP P2000 G3 MSA Smart Array Systems.
- BZ#744231
- Multiple default settings and parameters have been enhanced: - The multipathd daemon did not set the max_fds option and the user had to manually set the max_fds option in multipath.conf. - Multipath did not disable queuing when it stopped: when multipathd stopped on node shutdown, if a multipath device had no working paths and was set to queue_if_no_path, the device queued outstanding IO forever, rendering the machine unresponsive. - The user_friendly_names option was only configurable in the defaults section and users could not override its value in their device-specific configurations. - A path group with many secondary paths could be used instead of the path group with the primary path by default. This happened because Multipath set the priority of path groups to the sum of their path priorities and used the path group with the primary path instead of using a path group with many secondary paths.Device Mapper Multipath now sets max_fds to the system maximum, queue_if_no_daemon to the "no", and pg_prio_calc to "average" by default. The user_friendly_names property can be configured in the devices section of multipath.conf.
- BZ#788965
- Configuration for Fujitsu ETERNUS storage systems has been added.
- BZ#799847
- The built-in configuration for NetApp LUNs has been updated to use the tur path checker by default and multiple hardware table parameters have been updated.
4.22. dhcp
- CVE-2012-3571
- A denial of service flaw was found in the way the dhcpd daemon handled zero-length client identifiers. A remote attacker could use this flaw to send a specially-crafted request to dhcpd, possibly causing it to enter an infinite loop and consume an excessive amount of CPU time.
4.23. diffutils
Bug Fixes
- BZ#484892
- Prior to this update, the "-E" option of the sdiff command was not accepted and returned the following error message:sdiff: invalid option -- E sdiff: Try `sdiff --help' for more information.This was because the "-E" option was accidentally omitted from the list of accepted options. This update fixes this bug, and the "-E" option works as expected.
- BZ#563618
- When using the cmp command's "-s" option to compare files, incorrect results were returned for special files whose metadata is not accurate, for example files in the proc file system. This update fixes this bug by always reading the content of files whose length is reported as zero bytes.
4.24. doxygen
Bug Fix
- BZ#448293
- Prior to this update, the doxygen utility could create conflicts with multilib when doxygen added timestamps by creating doc files. This update modifies doxygen so that no more conflicts between multilib and doxygen occur.
4.25. e2fsprogs
Bug Fix
- BZ#824051
- Previously, the status of the uuidd daemon was not correct when shown by the service tool, because the stored PID was not the PID of the running uuidd daemon. This was due to the incorrect PID that was written by the uuidd daemon upon startup. With this update, this bug has been fixed so that the returned status of the uuidd daemon is now correct.
Bug Fixes
- BZ#701776
- Due to a bug in the resize2fs program, the size of the ext3 file system created on a 16TB block device could not be modified. Consequently, the "device too big" error occurred. This bug has been fixed and file systems residing on 16T block devices can now be re-sized within the existing file system size limits.
- BZ#707433
- Previously, the uuidd daemon (uuidd) wrote an incorrect PID on startup to the /var/lib/libuuid/uuidd.pid file. Consequently, the service utility showed the incorrect status of uuidd because the stored PID was not the PID of the running uuidd process. This bug has been fixed and the returned status of uuidd is now correct in the described scenario.
4.26. e4fsprogs
Bug Fixes
- BZ#707314
- Due to a bug in the resize2fs program, the size of the ext4 file system created on a 16TB block device could not be modified. Consequently, the "device too big" error occurred. This bug has been fixed and file systems residing on 16TB block devices can now be re-sized within the existing file system size limits.
- BZ#785200
- Prior to this update, the mke4fs command created an ext2 file system by default. In order to create an ext4 file system, the "-t ext4" command-line option had to be inserted. This behavior has been changed, and mke4fs now creates an ext4 file system by default, without the need for extending the command.
4.27. esc
Bug Fixes
- BZ#807269
- The ESC utility did not start when the latest 10 series release of the XULRunner runtime environment was installed on the system. This update includes necessary changes to ensure that ESC works as expected with the latest version of XULRunner.
- BZ#807801
- After removing and replacing an enrolled token, ESC could terminate unexpectedly followed by a traceback. A patch has been applied to address this issue and ESC now displays the enrolled smart card details as expected.
4.28. etherboot
Bug Fix
- BZ#714880
- The etherboot-zroms-kvm package runs the update-alternatives utility during installation; however, the chkconfig package which provides the utility was previously not required by etherboot-zroms-kvm. As a consequence, the installation could fail with a "No such file or directory" error message. The chkconfig package has been added as a dependency to ensure successful installation of etherboot-zroms-kvm.
4.29. expat
Security Fixes
- CVE-2012-0876
- A denial of service flaw was found in the implementation of hash arrays in Expat. An attacker could use this flaw to make an application using Expat consume an excessive amount of CPU time by providing a specially-crafted XML file that triggers multiple hash function collisions. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions.
- CVE-2012-1148
- A memory leak flaw was found in Expat. If an XML file processed by an application linked against Expat triggered a memory re-allocation failure, Expat failed to free the previously allocated memory. This could cause the application to exit unexpectedly or crash when all available memory is exhausted.
4.30. file
Bug Fixes
- BZ#758105
- Prior to this update, the swap signature on the Itanium architecture was not stored in the same place as on other architectures. As a consequence, the file utility failed to detect the swap signature on Itanium. This update adds a new "magic" pattern to detect the swap signature on Itanium architecture.
- BZ#789830
- Prior to this update, the "magic" pattern to detect Infocom Game Data was too weak. As a consequence, Some files were wrongly identified as Infocom Game Data when they were actually in different format. This update modifies the Infocom Game Data "magic" pattern so only valid Infocom Game Data files are detected by this pattern.
- BZ#758631
- Prior to this update, the file utility did not contain a "magic" pattern to detect zip64 (zip 3.0) files. As a consequence, the file utility failed to detect archives in the zip64 format. This update adds a new "magic" pattern to detect the zip64 format.
- BZ#758634
- Prior to this update, the file utility did not contain a "magic" pattern to detect WebM video files. As a consequence, the file utility failed to detect WebM video files. This update adds a new "magic" pattern to detect the WebM files.
- BZ#809801
- Prior to this update, the file utility did not contain a "magic" pattern to detect LZMA archives. As a consequence, the file utility failed to detect archives in LZMA format were not detected. This update adds a new "magic" pattern to detect the LZMA files.
- BZ#826899
- Prior to this update, the "magic" pattern to detect Dell BIOS headers was outdated. As a consequence, the file utility failed to detect newer BIOS formats. This update modifies the ""magic"" pattern to detect also new formats of Dell BIOS correctly.
- BZ#826901
- Prior to this update, the file utility contained ""magic"" patterns that incorrectly detected files according to one byte only. As a consequence, Unicode text files that contained the particular byte in a particular position could be incorrectly recognized as DOS executable files. This update removes the problematic patterns. Patterns that match less than 16 bits are no longer accepted, and the utility no longer detects Unicode files as DOS executables.
4.31. firefox
Bug Fix
- BZ#871568
- The "out-of-process plug-ins" feature was previously disabled for wrapped plug-ins by default. This could cause Firefox to terminate unexpectedly when accessing a page that contained a flash object and the flash plug-in and the nswrapperplugin plug-in viewer were installed. To resolve this problem, the "out-of-process plug-ins" feature has been enabled for the wrapped plug-ins. Firefox no longer crashes in this scenario.
Security Fixes
- CVE-2012-3969, CVE-2012-3970
- A web page containing a malicious Scalable Vector Graphics (SVG) image file could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-3967, CVE-2012-3968
- Two flaws were found in the way Firefox rendered certain images using WebGL. A web page containing malicious content could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-3966
- A flaw was found in the way Firefox decoded embedded bitmap images in Icon Format (ICO) files. A web page containing a malicious ICO file could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-3966)
- CVE-2012-3980
- A flaw was found in the way the "eval" command was handled by the Firefox Web Console. Running "eval" in the Web Console while viewing a web page containing malicious content could possibly cause Firefox to execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-3972
- An out-of-bounds memory read flaw was found in the way Firefox used the format-number feature of XSLT (Extensible Stylesheet Language Transformations). A web page containing malicious content could possibly cause an information leak, or cause Firefox to crash.
- CVE-2012-3976
- It was found that the SSL certificate information for a previously visited site could be displayed in the address bar while the main window displayed a new page. This could lead to phishing attacks as attackers could use this flaw to trick users into believing they are viewing a trusted site.
- CVE-2012-3978
- A flaw was found in the location object implementation in Firefox. Malicious content could use this flaw to possibly allow restricted content to be loaded.
Bug Fix
- CVE-2012-0461, CVE-2012-0462, CVE-2012-0464
- Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-0456, CVE-2012-0457
- Two flaws were found in the way Firefox parsed certain Scalable Vector Graphics (SVG) image files. A web page containing a malicious SVG image file could cause an information leak, or cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-0455
- A flaw could allow a malicious site to bypass intended restrictions, possibly leading to a cross-site scripting (XSS) attack if a user were tricked into dropping a "javascript:" link onto a frame.
- CVE-2012-0458
- It was found that the home page could be set to a "javascript:" link. If a user were tricked into setting such a home page by dragging a link to the home button, it could cause Firefox to repeatedly crash, eventually leading to arbitrary code execution with the privileges of the user running Firefox.
- CVE-2012-0459
- A flaw was found in the way Firefox parsed certain web content containing "cssText". A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-0460
- It was found that by using the DOM fullscreen API, untrusted content could bypass the mozRequestFullscreen security protections. A web page containing malicious web content could exploit this API flaw to cause user interface spoofing.
- CVE-2012-0451
- A flaw was found in the way Firefox handled pages with multiple Content Security Policy (CSP) headers. This could lead to a cross-site scripting attack if used in conjunction with a website that has a header injection flaw.
Bug Fixes
- BZ#729632
- When using the Traditional Chinese locale (zh-TW), a segmentation fault sometimes occurred when closing Firefox.
- BZ#784048
- Inputting any text in the Web Console (Tools -> Web Developer -> Web Console) caused Firefox to crash.
- BZ#799042
- The java-1.6.0-ibm-plugin and java-1.6.0-sun-plugin packages require the "/usr/lib/mozilla/plugins/" directory on 32-bit systems, and the "/usr/lib64/mozilla/plugins/" directory on 64-bit systems. These directories are created by the xulrunner package; however, they were missing from the xulrunner package provided by the RHEA-2012:0327 update. Therefore, upgrading to RHEA-2012:0327 removed those directories, causing dependency errors when attempting to install the java-1.6.0-ibm-plugin or java-1.6.0-sun-plugin package. With this update, xulrunner once again creates the plugins directory. This issue did not affect users of Red Hat Enterprise Linux 6.
Security Fixes
- CVE-2011-3062
- A flaw was found in Sanitiser for OpenType (OTS), used by Firefox to help prevent potential exploits in malformed OpenType fonts. A web page containing malicious content could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-0467, CVE-2012-0468, CVE-2012-0469
- A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-0470
- A web page containing a malicious Scalable Vector Graphics (SVG) image file could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-0472
- A flaw was found in the way Firefox used its embedded Cairo library to render certain fonts. A web page containing malicious content could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-0478
- A flaw was found in the way Firefox rendered certain images using WebGL. A web page containing malicious content could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-0471
- A cross-site scripting (XSS) flaw was found in the way Firefox handled certain multibyte character sets. A web page containing malicious content could cause Firefox to run JavaScript code with the permissions of a different website.
- CVE-2012-0473
- A flaw was found in the way Firefox rendered certain graphics using WebGL. A web page containing malicious content could cause Firefox to crash.
- CVE-2012-0474
- A flaw in Firefox allowed the address bar to display a different website than the one the user was visiting. An attacker could use this flaw to conceal a malicious URL, possibly tricking a user into believing they are viewing a trusted site, or allowing scripts to be loaded from the attacker's site, possibly leading to cross-site scripting (XSS) attacks.
- CVE-2012-0477
- A flaw was found in the way Firefox decoded the ISO-2022-KR and ISO-2022-CN character sets. A web page containing malicious content could cause Firefox to run JavaScript code with the permissions of a different website.
- CVE-2012-0479
- A flaw was found in the way Firefox handled RSS and Atom feeds. Invalid RSS or Atom content loaded over HTTPS caused Firefox to display the address of said content in the location bar, but not the content in the main window. The previous content continued to be displayed. An attacker could use this flaw to perform phishing attacks, or trick users into thinking they are visiting the site reported by the location bar, when the page is actually content controlled by an attacker.
Security Fixes
- CVE-2011-3101, CVE-2012-1937, CVE-2012-1938, CVE-2012-1939, CVE-2012-1940, CVE-2012-1941, CVE-2012-1946, CVE-2012-1947
- Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-1944
- Note: CVE-2011-3101 only affected users of certain NVIDIA display drivers with graphics cards that have hardware acceleration enabled.It was found that the Content Security Policy (CSP) implementation in Firefox no longer blocked Firefox inline event handlers. A remote attacker could use this flaw to possibly bypass a web application's intended restrictions, if that application relied on CSP to protect against flaws such as cross-site scripting (XSS).
- CVE-2012-1945
- If a web server hosted HTML files that are stored on a Microsoft Windows share, or a Samba share, loading such files with Firefox could result in Windows shortcut files (.lnk) in the same share also being loaded. An attacker could use this flaw to view the contents of local files and directories on the victim's system. This issue also affected users opening HTML files from Microsoft Windows shares, or Samba shares, that are mounted on their systems.
Security Fixes
- CVE-2012-3982, CVE-2012-3988, CVE-2012-3990, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188
- Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-3986, CVE-2012-3991
- Two flaws in Firefox could allow a malicious website to bypass intended restrictions, possibly leading to information disclosure, or Firefox executing arbitrary code. Note that the information disclosure issue could possibly be combined with other flaws to achieve arbitrary code execution.
- CVE-2012-1956, CVE-2012-3992, CVE-2012-3994
- Multiple flaws were found in the location object implementation in Firefox. Malicious content could be used to perform cross-site scripting attacks, script injection, or spoofing attacks.
- CVE-2012-3993, CVE-2012-4184
- Two flaws were found in the way Chrome Object Wrappers were implemented. Malicious content could be used to perform cross-site scripting attacks or cause Firefox to execute arbitrary code.
Bug Fix
- BZ#809571, BZ#816234
- In certain environments, storing personal Firefox configuration files (~/.mozilla/) on an NFS share, such as when your home directory is on a NFS share, led to Firefox functioning incorrectly, for example, navigation buttons not working as expected, and bookmarks not saving. This update adds a new configuration option, storage.nfs_filesystem, that can be used to resolve this issue.
If you experience this issue:
1) Start Firefox.2) Type "about:config" (without quotes) into the URL bar and press the Enter key.3) If prompted with "This might void your warranty!", click the "I'll be careful, I promise!" button.4) Right-click in the Preference Name list. In the menu that opens, select New -> Boolean.5) Type "storage.nfs_filesystem" (without quotes) for the preference name and then click the OK button.6) Select "true" for the boolean value and then press the OK button.
Security Fix
- CVE-2012-4194, CVE-2012-4195, CVE-2012-4196
- Multiple flaws were found in the location object implementation in Firefox. Malicious content could be used to perform cross-site scripting attacks, bypass the same-origin policy, or cause Firefox to execute arbitrary code.
Security Fixes
- CVE-2012-4214, CVE-2012-4215, CVE-2012-4216, CVE-2012-5829, CVE-2012-5830, CVE-2012-5833, CVE-2012-5835, CVE-2012-5839, CVE-2012-5840, CVE-2012-5842
- Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-4202
- A buffer overflow flaw was found in the way Firefox handled GIF (Graphics Interchange Format) images. A web page containing a malicious GIF image could cause Firefox to crash or, possibly, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-4210
- A flaw was found in the way the Style Inspector tool in Firefox handled certain Cascading Style Sheets (CSS). Running the tool (Tools -> Web Developer -> Inspect) on malicious CSS could result in the execution of HTML and CSS content with chrome privileges.
- CVE-2012-4207
- A flaw was found in the way Firefox decoded the HZ-GB-2312 character encoding. A web page containing malicious content could cause Firefox to run JavaScript code with the permissions of a different website.
- CVE-2012-4209
- A flaw was found in the location object implementation in Firefox. Malicious content could possibly use this flaw to allow restricted content to be loaded by plug-ins.
- CVE-2012-5841
- A flaw was found in the way cross-origin wrappers were implemented. Malicious content could use this flaw to perform cross-site scripting attacks.
- CVE-2012-4201
- A flaw was found in the evalInSandbox implementation in Firefox. Malicious content could use this flaw to perform cross-site scripting attacks.
Security Fixes
- CVE-2012-1948, CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954, CVE-2012-1958, CVE-2012-1962, CVE-2012-1967
- A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-1959
- A malicious web page could bypass same-compartment security wrappers (SCSW) and execute arbitrary code with chrome privileges.
- CVE-2012-1966
- A flaw in the context menu functionality in Firefox could allow a malicious website to bypass intended restrictions and allow a cross-site scripting attack.
- CVE-2012-1950
- A page different to that in the address bar could be displayed when dragging and dropping to the address bar, possibly making it easier for a malicious site or user to perform a phishing attack.
- CVE-2012-1955
- A flaw in the way Firefox called history.forward and history.back could allow an attacker to conceal a malicious URL, possibly tricking a user into believing they are viewing a trusted site.
- CVE-2012-1957
- A flaw in a parser utility class used by Firefox to parse feeds (such as RSS) could allow an attacker to execute arbitrary JavaScript with the privileges of the user running Firefox. This issue could have affected other browser components or add-ons that assume the class returns sanitized input.
- CVE-2012-1961
- A flaw in the way Firefox handled X-Frame-Options headers could allow a malicious website to perform a clickjacking attack.
- CVE-2012-1963
- A flaw in the way Content Security Policy (CSP) reports were generated by Firefox could allow a malicious web page to steal a victim's OAuth 2.0 access tokens and OpenID credentials.
- CVE-2012-1964
- A flaw in the way Firefox handled certificate warnings could allow a man-in-the-middle attacker to create a crafted warning, possibly tricking a user into accepting an arbitrary certificate as trusted.
- CVE-2012-1965
- A flaw in the way Firefox handled feed:javascript URLs could allow output filtering to be bypassed, possibly leading to a cross-site scripting attack.
Bug Fix
- BZ#838879
- The nss update RHBA-2012:0337 for Red Hat Enterprise Linux 5 and 6 introduced a mitigation for the CVE-2011-3389 flaw. For compatibility reasons, it remains disabled by default in the nss packages. This update makes Firefox enable the mitigation by default. It can be disabled by setting the NSS_SSL_CBC_RANDOM_IV environment variable to 0 before launching Firefox.
4.32. freeradius2
Security Fix
- CVE-2012-3547
- A buffer overflow flaw was discovered in the way radiusd handled the expiration date field in X.509 client certificates. A remote attacker could possibly use this flaw to crash radiusd if it were configured to use the certificate or TLS tunnelled authentication methods (such as EAP-TLS, EAP-TTLS, and PEAP).
Security Fix
- CVE-2011-4966
- It was found that the "unix" module ignored the password expiration setting in "/etc/shadow". If FreeRADIUS was configured to use this module for user authentication, this flaw could allow users with an expired password to successfully authenticate, even though their access should have been denied.
Bug Fixes
- BZ#787111
- After log rotation, the freeradius logrotate script failed to reload the radiusd daemon and log messages were lost. This update has added a command to the freeradius logrotate script to reload the radiusd daemon and the radiusd daemon re-initializes and reopens its log files after log rotation as expected.
- BZ#846476
- The radtest script with the "eap-md5" option failed because it passed the IP family argument when invoking the radeapclient utility and the radeapclient utility did not recognize the IP family. The radeapclient utility now recognizes the IP family argument and radtest now works with eap-md5 as expected.
- BZ#846471
- Previously, freeradius was compiled without the "--with-udpfromto" option. Consequently, with a multihomed server and explicitly specifying the IP address, freeradius sent the reply with the wrong IP source address. With this update, freeradius has been built with the "--with-udpfromto" configuration option and the RADIUS reply is always sourced from the IP address the request was sent to.
- BZ#818885
- Due to invalid syntax in the PostgreSQL admin schema file, the FreeRADIUS PostgreSQL tables failed to be created. With this update, the syntax has been adjusted and the tables are created as expected.
- BZ#846475
- FreeRADIUS has a thread pool that dynamically grows based on load. If multiple threads using the "rlm_perl()" function are spawned in quick succession, the FreeRADIUS server sometimes terminated unexpectedly with a segmentation fault due to parallel calls to the "rlm_perl_clone()" function. With this update, a mutex for the threads has been added and the problem no longer occurs.
- BZ#781877
- The man page for "rlm_dbm_parser" was incorrectly installed as "rlm_dbm_parse", omitting the trailing "r". The man page now correctly appears as rlm_dbm_parser.
4.33. freetype
Security Fixes
- CVE-2012-1134, CVE-2012-1136, CVE-2012-1142, CVE-2012-1144
- Multiple flaws were found in the way FreeType handled TrueType Font (TTF), Glyph Bitmap Distribution Format (BDF), Windows .fnt and .fon, and PostScript Type 1 fonts. If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
- CVE-2012-1126, CVE-2012-1127, CVE-2012-1130, CVE-2012-1131, CVE-2012-1132, CVE-2012-1137, CVE-2012-1139, CVE-2012-1140, CVE-2012-1141, CVE-2012-1143
- Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash.
4.34. ftp
Enhancement
- BZ#665240
- Previously, the command line width in the ftp client was limited to 200 characters. With this update, the maximum possible length of the FTP command line is extended to 4296 characters.
4.35. gawk
Bug Fix
- BZ#827372
- Prior to this update, the "re_string_skip_chars" function incorrectly used the character count instead of the raw length to estimate the string length. As a consequence, text in multi-byte encoding that did not use the UTF-8 format failed to be processed correctly. This update modifies the underlying code so that the correct string length is used. multi-byte encoding is processed correctly.
4.36. gcc
Bug Fix
- BZ#806394
- GCC did not, under rare circumstances, handle exceptions properly when GCC 4.1 libstdc++ was used with GCC 4.4 or later C++11 code. This update improves exception handling so that GCC now processes exceptions as expected when using GCC 4.4 or later to compile code written in C++11.
Bug Fixes
- BZ#750545
- GCC was missing a lazy declaration of a class type destructor in the locate_dtor function in the method implementation. As a consequence, exception handling did not work as expected under certain circumstances and the generated code could terminate unexpectedly. This update adds the missing destructor declaration and the problem no longer occurs.
- BZ#760417
- Previously, GCC did not correctly handle processor registers and used an incorrect memory operand when processing the CMPXCHG8B instruction. As a consequence, the compiler generated erroneous code if the "-fPIC" option was used. This update modifies the underlying source code so that GCC now handles memory operands correctly and compiles position-independent code with the "fPIC" option as expected.
- BZ#797938
- GCC previously used incorrect flags for IBM System z specific options, such as "-m31", "-m64", "-mesa", "-mzarch", "-msoft-float", "-mhard-float", "-mlong-double-64" and "-mlong-double-128". As a consequence, when compiling code with any of these options, GCC did not recognize the option and the command failed. With this update, negative flags are now used for these options and code can be compiled successfully in this scenario.
- BZ#806275
- GCC did not, under rare circumstances, handle exceptions properly when GCC 4.1 libstdc++ was used with GCC 4.4 or later C++11 code. This update improves exception handling so that GCC now processes exceptions as expected when using GCC 4.4 or later to compile code written in C++11.
4.37. gcc44
Note
Bug Fixes
- BZ#815207
- Previous version of gcc44 incorrectly stated that the gcc44 package includes a technical preview of GCC version 4.4. The package description has been corrected and no longer claims to provide the technical preview of GCC version 4.4.
- BZ#784360
- Due to misplaced space characters in the x86 architecture driver, the "-mxop", "-mfma4", "-mbmi" and "-mtbm" compiler options were concatenated incorrectly when compiling code with gcc44. Consequently, compilation failed with an "unrecognized command line option" error. This update fixes space characters position and the options are concatenated correctly. Code is now compiled successfully with these options.
Enhancement
- BZ#556962
- G++ previously assumed that a value of enumeration type is always in the range specified by the C++ standard. Consequently, if a program converted an arbitrary integer value to the enumeration type, the code compiled with the "-fPIC -O2" or "-fPIC -O3" options could terminate unexpectedly. With this update, the underlying code has been modified to no longer assume strict evaluation of enumeration type. The old functionality can be turned on by specifying the "fstrict-enums" option.
4.38. gdb
Bug Fix
- BZ#837894
- When a struct member was at an offset greater than 256 MB, the resulting bit position within the struct overflowed and caused an invalid access by GDB. With this update, the code has been modified to ensure that GDB can access such positions.
Bug Fixes
- BZ#795423
- Prior to this update, a bit position within a structure overflowed when a member of this structure was at an offset greater than 256 MB and GDB failed to access the position. This update modifies the underlying code to ensure that GDB can access such positions.
- BZ#818343
- Prior to this update, GDB incorrectly tried to load virtual dynamic shared objects (vDSO) from the file system when using the "solib-absolute-prefix" command. As a consequence, vDSOs could abort. This update modifies the underlying code to handle vDSOs as expected.
- BZ#823789
- Prior to this update, GDB failed to debug XLF generated code due to incorrect symbol handling. As a consequence, the type of variable in modules was not found. This update modifies the underlying code to handle symbols correctly and the type of a variable is found.
4.39. gdbm
Bug Fix
- BZ#671156
- Prior to this update, gdbm-devel had no explicit requirements to gdbm, which could introduce interoperability problems. With this update, the gdbm-devel adds explicit requirements to the gdbm package.
4.40. gfs-kmod
Bug Fix
- BZ#788694
- Prior to this update, registered kobjects could, under certain circumstances, be freed while they were still in use. As a consequence, a kernel panic could occur when processing the gfs_controld daemon. This update adds the kobject release() method. Now, processing the gfs_controld daemon no longer causes a kernel panic.
4.41. gfs-utils
Bug Fix
- BZ#788694
- Prior to this update, the gfs_fsck file system checker failed to detect "bad indirect block pointer" corruptions due to incorrect error paths. This update modifies the gfs_fsck error paths. Now, gfs_fsck detects and repairs corruptions as expected.
4.42. gfs2-utils
Bug Fix
- BZ#838910
- Prior to this update, an overly long cluster name in /etc/cluster/cluster.conf could cause a buffer overflow when running fsck.gfs2 on a GFS2 file system with a corrupt super block. This update modifies the underlying code to to ensure that the cluster name is truncated appropriately when the super block is being rebuilt. Now, this buffer overflow condition is prevented.
4.43. ghostscript
Security Fix
- CVE-2012-4405
- An integer overflow flaw, leading to a heap-based buffer overflow, was found in Ghostscript's International Color Consortium Format library (icclib). An attacker could create a specially-crafted PostScript or PDF file with embedded images that would cause Ghostscript to crash or, potentially, execute arbitrary code with the privileges of the user running Ghostscript.
4.44. gimp
Bug Fix
- BZ#452998
- Prior to this update, the Postscript plug-in could abort with a segmentation fault when saving images as Postscript files from GIMP if a preview was embedded in the file. This update modifies the underlying code so to handle embedded previews.
Security Fixes
- CVE-2009-3909, CVE-2012-3402
- Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the GIMP's Adobe Photoshop (PSD) image file plug-in. An attacker could create a specially-crafted PSD image file that, when opened, could cause the PSD plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP.
- CVE-2012-3481
- An integer overflow flaw, leading to a heap-based buffer overflow, was found in the GIMP's GIF image format plug-in. An attacker could create a specially-crafted GIF image file that, when opened, could cause the GIF plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP.
- CVE-2011-2896
- A heap-based buffer overflow flaw was found in the Lempel-Ziv-Welch (LZW) decompression algorithm implementation used by the GIMP's GIF image format plug-in. An attacker could create a specially-crafted GIF image file that, when opened, could cause the GIF plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP.
- CVE-2012-3403
- A heap-based buffer overflow flaw was found in the GIMP's KiSS CEL file format plug-in. An attacker could create a specially-crafted KiSS palette file that, when opened, could cause the CEL plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP.
4.45. glibc
Bug Fix
- BZ#810323
- Previously, glibc did not walk through the entire list of Network Information Service (NIS) password or group buffers. As a consequence, when utilizing the NIS password or group maps, allocated memory was not freed properly, which caused memory leaks. This update modifies glibc to walk through the entire lists so that memory is freed as expected and memory leaks no longer occur in this scenario.
Bug Fixes
- BZ#823905
- Using the
iconv()
or theiconv
command to convert a file or string from IBM-930 encoding to another encoding, such as UTF-8, resulted in a segmentation fault. This happened if the file or string contained the invalid multibyte character0xffff
. Now, the conversion code for the IBM-930 encoding recognizes this invalid character and calls an error handler and the segmentation fault no longer occurs. - BZ#837852
- Due to logic errors, functions
exp()
,exp2()
,pow()
,sin()
,tan()
, andrint()
could return different results in non-default rounding modes or terminate with a segmentation fault. Multiple fixes have been applied to the function implementations and the functions now return correct results in all rounding modes.Note that the change can cause runtime performance loss as values which were previously handled by the fast function implementation are now handled by the slower multi-precision library to achieve accurate results. - BZ#813348
- The dynamic linker previously sorted cyclic dependencies incorrectly when there were more that 127 Dynamic Shared Objects (DSO). The changed order of the dependencies caused some programs to behave differently or crash due to symbol resolution failure. This update fixes the initialization order of the cyclic dependencies and the problem no longer occurs.
- BZ#848481
- Various functions that called the
nl_explode_name()
function failed to check its return value for errors. As a result, applications could terminate unexpectedly after passing a NULL pointer or uninitialized values to the calling functions. The callers ofnl_explode_name()
have been updated to check for error conditions and fail gracefully. - BZ#808014
- Previously, if the Name Service Cache Daemon (nscd) daemon received a CNAME (Canonical Name) record as a response to a DNS (Domain Name System) query, the cached DNS entry adopted the TTL (Time to Live) value of the underlying
A
orAAAA
response. This caused the nscd daemon to wait for an unexpectedly long time before reloading the DNS entry. With this update, nscd uses the shortest TTL from the response as the TTL value for the entire record and DNS entries are now reloaded as expected in this scenario. - BZ#799853
- The Slovak currency was set to the Slovak Crown. However, Slovakia now uses the Euro. The Slovak currency was set to the Euro.
- BZ#809325
- Previously, glibc did not walk through the entire list of buffers. As a consequence, when utilizing the NIS password or group maps, allocated memory was not freed properly, which caused memory leaks. This update modifies glibc to walk through the entire list so that memory is freed as expected and memory leaks no longer occur in this scenario.
- BZ#751748
- A race between the
_IO_flush_all_lockp()
function andpthread_cancel()
function could cause a process to become unresponsive during forking. This happened because the_IO_unlock_lock
macro decremented the lock count before it attempted to unlock its lock and did not check if the count contained a positive value. If the lock was never held since_IO_unlock_lock()
, the macro did not release the lock due to the lock count being less than zero. With this update, the lock count is decremented only if it contains a positive value. - BZ#639000
- The Ukrainian currency symbol was incorrectly set to
rp
. With this update, the currency symbol was corrected torpH
. - BZ#759341
- A race condition existed between functions which allocated and reclaimed stacks in multi-threaded applications. As a result, some applications could enter a deadlock. The code for managing lists of stacks has been changed to publish its changes to all threads at the appropriate time. This fixes synchronization between the multiple threads and eliminates the race condition.
- BZ#788989
- The Name Service Cache Daemon (nscd) terminated unexpectedly if a group contained a few thousand members. This was caused by a stack overflow which resulted in a segmentation fault in nscd. With this update, when a large amount of memory is needed for a group with many members, the memory is allocated on the heap instead of the stack. This prevents the stack overflow and nscd no longer crashes in this scenario.
- BZ#839572
- During installation on IBM System z, Red Hat Enterprise Linux Server installer returned traceback with the following error value after the stage2 download:
ValueError: (3, 'No such process')
This was due to a workaround implementation for IBM System z in thefegetenv()
function in themath.h
header file. With this update, the function implementation was modified so as to follow the IEEE standard and the problem no longer occurs. - BZ#769852
- A race condition between the
setuid()
function and thesighandler_setxid()
function could result in a lock remaining unreleased. As a result, an application could remain in a deadlock. With this update, the lock is released in this scenario and proper synchronization between the threads is maintained. - BZ#843672
- Prior to this update, when a multi-threaded process called the
qsort()
function, a race condition could occur. This could result in an uninitialized memory read and the process could receive a floating point exception or other fault condition. The race condition in the function code has been fixed and the problem no longer occurs. - BZ#766832
- Calling the
strncmp()
function on the Power4 processors could cause the program to terminate unexpectedly. This occurred because the function occasionally attempted to read past the zero byte in certain cases. With this update, strings are aligned correctly and the function no longer attempts to read past the zero byte. - BZ#710216
- The Portuguese locale (pt_PT.utf8) incorrectly used the
$
character instead of the,
character as its decimal point. The error has been corrected and the,
character is now used as the decimal point as expected. - BZ#703239
- Previously, if the
/etc/resolv.conf
file contained an IPv6 DNS server address with trailing spaces, the address failed to be parsed correctly and DNS lookups with theping6
command failed. With this update, the parsing code has been corrected so as to cope with trailing spaces and the problem no longer occurs. - BZ#692182
- The
sysconf()
function allows applications to determine values for system limits or options at runtime. The mechanism that sysconf uses to acquire various CACHE parameters previously failed to look up the requested information on Intel Xeon X5670 processors and incorrectly returned zero values. Thesysconf()
function has been modified to acquire the system information on these processors correctly and the problem no longer occurs. - BZ#806403
- A missing check of memory allocation and an incorrect loop test in the
nss/getnssent.c
source file could cause an application to fail. The memory allocation check and the loop test code have been added and the problem no longer occurs. - BZ#851450
- Previously, the
ttyname()
andttyname_r()
calls returned an error if the/proc/
directory was not mounted. Consequently, some applications did not run in the chroot environment properly. With this update, if the/proc/self/fd/
directory cannot be read, the calls iterate through devices first and only then return an error. As a result, applications which were previously failing now work correctly. - BZ#500767
- The
getgrent()
function generated an error when it requested to read a Network Information Services (NIS) group record of 1024 bytes from the NIS master server. This happened because the function attempted to free an unallocated pointer. With this update, thefree()
function is not called under these circumstances andgetgrent()
now works as expected in this scenario. - BZ#797096
- Various functions (
glob_in_dir
,getaddrinfo
) could potentially allocate unlimited amounts of data on the stack. As a result, these functions were potential security attack vectors. With this update, these routines usemalloc()
when allocating large amounts of memory and the security issue is eliminated. - BZ#657266
- The Finnish locale included redundant trailing spaces in month abbreviations. This could cause parsing and conversion problems when working with dates. With this update, the trailing spaces have been removed from the definition of abbreviated month format and the parsing and conversion of abbreviated month names work as expected.
- BZ#657588
- Abbreviated month names in the simplified Chines locale (zh_CN) contained redundant spaces, which caused incorrect output of dates. With this update, the spaces have been removed from the format definition and the system returns dates formatted correctly.
- BZ#678227
- The Name Service Cache Daemon (nscd) initscript was returning a non-zero exit status when a stop was requested on an already stopped daemon. However, the expected behavior is to consider the request to be successful and return the exit status of zero. The nscd initscript has been modified to handle this case correctly and set the exit status appropriately.
- BZ#819430
- Previously, the
fnmatch()
function failed and returned the -1 status code when its pattern argument contained the wildcard character*
and the file name argument contained an invalid multibyte encoding character. Thefnmatch()
function now handles such arguments gracefully: it considers the invalid characters not to match and proceeds. - BZ#800240
- If the maximum number of memory pools (arenas) used by a thread was set to 1 (MALLOC_ARENA_MAX=1), the setting was ignored and the program still used multiple pools due to incorrect logic when checking the number of pools in use and reusing pools. With this update, the underlying code has been modified and the pool setting is applied as expected.
- BZ#857387
- The
vfprintf()
function returned theERANGE
errno instead ofEOVERFLOW
when a string of a too long format was specified. The errno is now set correctly toEOVERFLOW
in this scenario.
Enhancements
- BZ#795896
- A Virtual Dynamic Shared Object (VDSO) allows an application in user space to perform some kernel actions with less overhead than if using a system call. The VDSO is often used to provide fast access to the
gettimeofday
system call data. Support for VDSOs on the IBM System z series platform has been added to glibc. - BZ#641094
- Previously, the
pthread_create()
function used the MAP_32BIT flag to reserve the lower 32 bits of virtual address space for thread stacks so as to provide better performance. This setting is no longer of benefit and in some cases can negatively impact performance. A patch has been backported so thatpthread_create()
now uses the MAP_STACK flag instead of the MAP_32BIT flag. - BZ#765710
- The
getaddrinfo()
function returns one or moreaddrinfo
structures, each of which contains an Internet socket address. If the hints argument togetaddrinfo()
is not NULL, it specifies criteria for selecting the socket address structures to be returned. Previously,getaddrinfo()
did not support the Stream Control Transmission Protocol (SCTP) hints. With this update, thegetaddrinfo()
function has been enhanced to accept SCTP hints.
Security Fix
- CVE-2012-0864
- An integer overflow flaw was found in the implementation of the printf functions family. This could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort.
Security Fix
- CVE-2012-3406
- It was discovered that the formatted printing functionality in glibc did not properly restrict the use of alloca(). This could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort.
Bug Fix
- BZ#837896
- If a file or a string was in the IBM-930 encoding, and contained the invalid multibyte character "0xffff", attempting to use iconv() (or the iconv command) to convert that file or string to another encoding, such as UTF-8, resulted in a segmentation fault. With this update, the conversion code for the IBM-930 encoding recognizes this invalid character and calls an error handler, rather than causing a segmentation fault.
Security Fix
- CVE-2012-3480
- Multiple integer overflow flaws, leading to stack-based buffer overflows, were found in glibc's functions for converting a string to a numeric representation (strtod(), strtof(), and strtold()). If an application used such a function on attacker controlled input, it could cause the application to crash or, potentially, execute arbitrary code.
Bug Fix
- BZ#839411
- Previously, logic errors in various mathematical functions, including exp, exp2, expf, exp2f, pow, sin, tan, and rint, caused inconsistent results when the functions were used with the non-default rounding mode. This could also cause applications to crash in some cases. With this update, the functions now give correct results across the four different rounding modes.
4.46. gnbd
Bug Fix
- BZ#500591
- Prior to this update, the gnbd makefile stripped the binaries of their debugging symbols. As a consequence, the gnbd debuginfo package was empty. This update removes the strip commands from the gnbd makefiles. Now, the debuginfo packages have all the appropriate information.
4.47. gnome-session
Bug Fix
- BZ#477688
- Prior to this update, the gnome-session utility did not fully honor the "Hidden=" key in autostart desktop files. As a consequence, users could not mark autostart files as Hidden= in their home directory to disable autostart files in system directories.With this update, gnome-session allows users to "mask" system autostart files by installing a file of the same name in ~/.config/autostart with a key Hidden=true when loading autostart files.
4.48. gnome-vfs2
Security Fix
- CVE-2009-2473
- A denial of service flaw was found in the neon Extensible Markup Language (XML) parser. Visiting a malicious DAV server with an application using gnome-vfs2 (such as Nautilus) could possibly cause the application to consume an excessive amount of CPU and memory.
Bug Fixes
- BZ#580855
- When extracted from the Uniform Resource Identifier (URI), gnome-vfs2 returned escaped file paths. If a path, as stored in the URI, contained non-ASCII characters or ASCII characters which are parsed as something other than a file path (for example, spaces), the escaped path was inaccurate. Consequently, files with the described type of URI could not be processed. With this update, gnome-vfs2 properly unescapes paths that are required for a system call. As a result, these paths are parsed properly.
- BZ#586015
- In certain cases, the trash info file was populated by foreign entries, pointing to live data. Emptying the trash caused an accidental deletion of valuable data. With this update, a workaround has been applied in order to prevent the deletion. As a result, the accidental data loss is prevented, however further information is still gathered to fully fix this problem.
- BZ#621394
- Due to a wrong test checking for a destination file system, the Nautilus file manager failed to delete a symbolic link to a folder which was residing in another file system. With this update, a special test has been added. As a result, a symbolic link pointing to another file system can be trashed or deleted properly.
- BZ#772307
- Prior to this update, when directories without a read permission were marked for copy, the Nautilus file manager skipped these unreadable directories without notification. With this update, Nautilus displays an error message and properly informs the user about the aforementioned problem.
- BZ#822817
- Previously, gnome-vfs2 used the stat() function calls for every file on the MultiVersion File System (MVFS), used for example by IBM Rational ClearCase. This behavior significantly slowed down file operations. With this update, the unnecessary stat() operations have been limited. As a result, gnome-vfs2 user interfaces, such as Nautilus, are more responsive.
4.49. gnutls
Bug Fix
- BZ#789041
- Under certain circumstances, a NULL pointer could have been dereferenced in the GnuTLS library. This caused TLS clients, such as the rsyslog utility, to terminate unexpectedly with a segmentation fault. This update adds a test condition ensuring that a NULL pointer can no longer be dereferenced and TLS clients no longer crash.
Bug Fixes
- BZ#592112
- The gnutls packages reported wrong distinguished names (DNs) for chain CA certificates used for the client authentication; the issuer DN was reported instead of the subject DN. As a consequence, the TLS clients were not able to provide a client certificate signed by a chain CA certificate when connecting to a gnutls TLS server. The underlying source code has been modified and gnutls now reports the right DN and the TLS clients work as expected in the described scenario.
- BZ#730816
- Previously, in the certool utility was a missing check used for an empty string when a challenge password was entered. Consequently, certificate requests generated by certtool were sometimes invalid when an empty challenge password was used. This missing empty-string check has been added and now the certtool's certificate requests are valid even if the challenge password is not entered.
- BZ#785001
- Under certain circumstances, a null pointer could be dereferenced in the GnuTLS library. This caused TLS clients, such as the rsyslog utility, to terminate unexpectedly with a segmentation fault. This update adds a test condition ensuring that null pointers can no longer be dereferenced and TLS clients no longer crash.
Security Fixes
- CVE-2012-1573
- A flaw was found in the way GnuTLS decrypted malformed TLS records. This could cause a TLS/SSL client or server to crash when processing a specially-crafted TLS record from a remote TLS/SSL connection peer.
- CVE-2012-1569
- A flaw was found in the way libtasn1 decoded DER data. An attacker could create a carefully-crafted X.509 certificate that, when parsed by an application that uses GnuTLS, could cause the application to crash.
- CVE-2011-4128
- A boundary error was found in the gnutls_session_get_data() function. A malicious TLS/SSL server could use this flaw to crash a TLS/SSL client or, possibly, execute arbitrary code as the client, if the client passed a fixed-sized buffer to gnutls_session_get_data() before checking the real size of the session data provided by the server.
4.50. gpxe
Bug Fix
- BZ#714882
- The gpxe-roms-qemu runs the update-alternatives utility during installation; however, the chkconfig package, which provides the utility, was previously not required by gpxe-roms-qemu. As a consequence, the installation could fail with a "No such file or directory" error message. The chkconfig package has been added as a dependency to ensure successful installation of gpxe-roms-qemu.
4.51. grub
Bug Fixes
- BZ#212649
- The grub documentation contained incorrect information about the planned but unimplemented "grub-set-default" command; the "savedefault" command has been implemented instead, providing similar functionality. This update corrects the grub documentation that now reflect only those commands which have been implemented in GRUB.
- BZ#782096
- Prior to this update, the "grub-install" command was matching only against one letter after the "sd" string in the disk's device path name. Consequently, disks named "sdaa" and higher were not recognized as disks. The matching expression has been changed and now the "grub-install" command matches against any number of reasonable characters after the "sd" string in the disk's device path name.
- BZ#829228
- Previously, the number of disks was hard-coded to a maximum of 8. As a consequence, no more than 8 devices could be used. This update has changed the definition of allowed disks to a maximum of 128 and now up to 128 devices can be used.
4.52. gtk+
Bug Fix
- BZ#694888
- Using a Wacom tablet with a dual head configuration caused an error in the GTK+ toolkit when the input coordinates of the Wacom tablet were bound to a single monitor. Consequently, drawing with a pen with pressure sensitivity enabled led to an offset between the pen position and the content drawn on the screen. This update changes the way that input coordinates are translated by the library in this specific case.
4.53. gtk2
Bug Fix
- BZ#830901
- Previously, performing drag-and-drop operations on tabs in applications using the GtkNotebook widget could lead to releasing the same resource twice. Eventually, this behavior caused a segmentation fault. This bug has been fixed, and the applications using GtkNotebook no longer crash in the described scenario.
Security Fix
- CVE-2012-2370
- An integer overflow flaw was found in the X BitMap (XBM) image file loader in GTK+. A remote attacker could provide a specially-crafted XBM image file that, when opened in an application linked against GTK+ (such as Nautilus), would cause the application to crash.
Bug Fixes
- BZ#487630
- Due to a bug in the Input Method GTK+ module, the usage of the Taiwanese Big5 (zh_TW.Big-5) locale led to the unexpected termination of certain applications, such as the GDM greeter. The bug has been fixed, and the Taiwanese locale no longer causes applications to terminate unexpectedly.
- BZ#518483
- When a file was initially selected after the GTK+ file chooser dialog was opened and the Location field was visible, pressing the Enter key did not open the file. With this update, the initially selected file is opened regardless of the visibility of the Location field.
- BZ#523657
- When a file was initially selected after the GTK+ file chooser dialog was opened and the Location field was visible, pressing the Enter key did not change into the directory. With this update, the dialog changes into the initially selected directory regardless of the visibility of the Location field.
- BZ#603809
- Previously, the GTK Print dialog did not reflect the user-defined printer preferences stored in the ~/.cups/lpoptions file, such as those set in the Default Printer preferences panel. Consequently, the first device in the printer list was always set as a default printer. With this update, the underlying source code has been enhanced to parse the option file. As a result, the default values in the print dialog are set to those previously specified by the user.
- BZ#702342
- The GTK+ file chooser did not properly handle saving of nameless files. Consequently, attempting to save a file without specifying a file name caused GTK+ to become unresponsive. With this update, an explicit test for this condition has been added into the underlying source code. As a result, GTK+ no longer hangs in the described scenario.
- BZ#743658
- When using certain graphics tablets, the GTK+ library incorrectly translated the input coordinates. Consequently, an offset occurred between the position of the pen and the content drawn on the screen. This issue was limited to the following configuration: a Wacom tablet with input coordinates bound to a single monitor in a dual head configuration, drawing with a pen with the pressure sensitivity option enabled. With this update, the coordinate translation method has been changed, and the offset is no longer present in the described configuration.
- BZ#830901
- Previously, performing drag and drop operations on tabs in applications using the GtkNotebook widget could lead to releasing the same resource twice. Eventually, this behavior caused the applications to terminate with a segmentation fault. This bug has been fixed, and the applications using GtkNotebook no longer terminate in the aforementioned scenario.
4.54. guagga
Security Fixes
- CVE-2011-3327
- A heap-based buffer overflow flaw was found in the way the bgpd daemon processed malformed Extended Communities path attributes. An attacker could send a specially-crafted BGP message, causing bgpd on a target system to crash or, possibly, execute arbitrary code with the privileges of the user running bgpd. The UPDATE message would have to arrive from an explicitly configured BGP peer, but could have originated elsewhere in the BGP network.
- CVE-2010-1674
- A NULL pointer dereference flaw was found in the way the bgpd daemon processed malformed route Extended Communities attributes. A configured BGP peer could crash bgpd on a target system via a specially-crafted BGP message.
- CVE-2011-3323
- A stack-based buffer overflow flaw was found in the way the ospf6d daemon processed malformed Link State Update packets. An OSPF router could use this flaw to crash ospf6d on an adjacent router.
- CVE-2011-3324
- A flaw was found in the way the ospf6d daemon processed malformed link state advertisements. An OSPF neighbor could use this flaw to crash ospf6d on a target system.
- CVE-2011-3325
- A flaw was found in the way the ospfd daemon processed malformed Hello packets. An OSPF neighbor could use this flaw to crash ospfd on a target system.
- CVE-2011-3326
- A flaw was found in the way the ospfd daemon processed malformed link state advertisements. An OSPF router in the autonomous system could use this flaw to crash ospfd on a target system.
- CVE-2012-0249
- An assertion failure was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to cause ospfd on an adjacent router to abort.
- CVE-2012-0250
- A buffer overflow flaw was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to crash ospfd on an adjacent router.
4.55. hal
Bug Fixes
- BZ#704079
- Previously, the HAL daemon sometimes identified a non-existent error when running a new process and displayed the following warning:Warning: Error while wite r->input () to stdin_v.This bug has been fixed and the HAL daemon now works properly in the described scenario.
- BZ#555303
- The previous version of the hal package did not provide a manual page for the hal-device utility. This update adds the hal-device(1) manual page to this package.
4.56. hplip3
Security Fix
- CVE-2011-2722
- It was found that the HP CUPS (Common UNIX Printing System) fax filter in HPLIP created a temporary file in an insecure way. A local attacker could use this flaw to perform a symbolic link attack, overwriting arbitrary files accessible to a process using the fax filter (such as the hp3-sendfax tool).
Bug Fix
- BZ#501834
- Previous modifications of the hplip3 package to allow it to be installed alongside the original hplip package introduced several problems to fax support; for example, the hp-sendfax utility could become unresponsive. These problems have been fixed with this update.
4.57. hsqldb
- BZ#844877
- The HSQLDB database did not depend on java packages of version 1:1.6.0 or later, which caused the hsqldb packages to be installed incorrectly in some cases. Consequently, the build-classpath command did not work on systems without the java-1.6.0-openjdk package installed. This update modifies the hsqldb spec file to add a requirement for java-1.6.0-openjdk, and the installation of hsqldb now proceeds correctly as expected.
4.58. httpd
Bug Fix
- BZ#825675
- Due to a bug in the "mod_cache" module, an unexpected "304 Not Modified" HTTP response could be incorrectly returned to the client on non-conditional HTTP GET requests. With this update, the "mod_cache" module has been modified to correctly handle 304 responses, which are not returned in this scenario.
Bug Fixes
- BZ#873677
- Due to a bug in the "mod_mem_cache" module, an aborted HTTP connection could result in a cached entity becoming corrupt. With this update, the "mod_mem_cache" module has been fixed to correctly handle aborted connections, avoiding cache corruption in this scenario.
- BZ#873730
- Due to a bug in the "mod_cache" module, the "304 Not Modified" response from an origin server was not properly handled when a cached entity was being refreshed. Consequently, the entity could be returned to the HTTP client with incorrect headers. With this update, the "mod_cache" module has been modified to correctly handle headers in the "304 Not Modified" response. The cached entity is now returned with correct headers in this scenario.
Security Fix
- CVE-2008-0455, CVE-2008-0456, CVE-2012-2687
- Input sanitization flaws were found in the mod_negotiation module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use these flaws to conduct cross-site scripting and HTTP response splitting attacks against users visiting the site.
Bug Fix
- BZ#752618
- Previously, no check was made to see if the /etc/pki/tls/private/localhost.key file was a valid key prior to running the "%post" script for the "mod_ssl" package. Consequently, when /etc/pki/tls/certs/localhost.crt did not exist and "localhost.key" was present but invalid, upgrading the Apache HTTP Server daemon (httpd) with mod_ssl failed. The "%post" script has been fixed to test for an existing SSL key. As a result, upgrading httpd with mod_ssl now proceeds as expected.
- BZ#773473
- The "mod_ssl" module did not support operation under FIPS mode. Consequently, when operating Red Hat Enterprise Linux 5 with FIPS mode enabled, httpd failed to start. An upstream patch has been applied to disable non-FIPS functionality if operating under FIPS mode and httpd now starts as expected.
- BZ#783242
- Prior to this update, httpd exit status codes were not Linux Standard Base (LSB) compliant. When the command "service httpd reload" was run and httpd failed, the exit status code returned was "0" and not in the range 1 to 6 as expected. A patch has been applied to the init script and httpd now returns "1" as an exit status code.
- BZ#840845
- Chunked Transfer Coding is described in RFC 2616. Previously, the Apache server did not correctly handle a chunked encoded POST request with a "chunk-size" or "chunk-extension" value of 32 bytes or more. Consequently, when such a POST request was made the server did not respond. An upstream patch has been applied and the problem no longer occurs.
- BZ#845532
- Due to a regression, when mod_cache received a non-cacheable 304 response, the headers were served incorrectly. Consequently, compressed data could be returned to the client without the cached headers to indicate the data was compressed. An upstream patch has been applied to merge response and cached headers before data from the cache is served to the client. As a result, cached data is now correctly interpreted by the client.
- BZ#853128
- In a proxy configuration, certain response-line strings were not handled correctly. If a response-line without a "description" string was received from the origin server, for a non-standard status code, such as the "450" status code, a "500 Internal Server Error" would be returned to the client. This bug has been fixed so that the original response line is returned to the client.
Enhancements
- BZ#727342
- The configuration directive "LDAPReferrals" is now supported in addition to the previously introduced "LDAPChaseReferrals".
- BZ#767890
- The AJP support module for "mod_proxy", "mod_proxy_ajp", now supports the "ProxyErrorOverride" directive. Consequently, it is now possible to configure customized error pages for web applications running on a backend server accessed via AJP.
- BZ#833042
- The "%posttrans" scriptlet which automatically restarts the httpd service after a package upgrade can now be disabled. If the file /etc/sysconfig/httpd-disable-posttrans exists, the scriptlet will not restart the daemon.
- BZ#833043
- The output of "httpd -S" now includes configured alias names for each virtual host.
- BZ#840036
- New certificate variable names are now exposed by "mod_ssl" using the "_DN_userID" suffix, such as "SSL_CLIENT_S_DN_userID", which use the commonly used object identifier (OID) definition of "userID", OID 0.9.2342.19200300.100.1.1.
Bug Fix
- BZ#873678
- Due to a bug in the mod_mem_cache module, an aborted HTTP connection could result in a cached entity becoming corrupt. This update fixes mod_mem_cache to correctly handle aborted connections, thus avoiding cache corruption in this scenario.
4.59. hwdata
Bug Fix
- BZ#824559
- Due to a syntax error in the usb.ids file, the lsusb utility failed to display a list of used USB devices. The syntax error has been removed from the usb.ids file and the lsusb utility now displays the information correctly.
Enhancement
4.60. ImageMagick
- CVE-2012-0247
- A flaw was found in the way ImageMagick processed images with malformed Exchangeable image file format (Exif) metadata. An attacker could create a specially-crafted image file that, when opened by a victim, would cause ImageMagick to crash or, potentially, execute arbitrary code.
- CVE-2012-0248
- A denial of service flaw was found in the way ImageMagick processed images with malformed Exif metadata. An attacker could create a specially-crafted image file that, when opened by a victim, could cause ImageMagick to enter an infinite loop.
- CVE-2012-0260
- A denial of service flaw was found in the way ImageMagick decoded certain JPEG images. A remote attacker could provide a JPEG image with specially-crafted sequences of RST0 up to RST7 restart markers (used to indicate the input stream to be corrupted), which once processed by ImageMagick, would cause it to consume excessive amounts of memory and CPU time.
Bug Fix
- BZ#804546
- The fix for Red Hat Bugzilla bug 694922, provided by the RHSA-2012:0301 ImageMagick update, introduced a regression. Attempting to use the "convert" utility to convert a PostScript document could fail with a "/undefinedfilename" error. With this update, conversion works as expected.
4.61. initscripts
Bug Fix
- BZ#845246
- Previously, the kpartx utility was not called with the "-p p" option in the netfs init script. Consequently, inconsistent partition mappings occurred. This bug has been fixed and kpartx is now called as expected.
4.62. ipa-client
Bug Fix
- BZ#818313
- If the client requested keys for encryption types that the server did not support, and the requested key was not returned, the ipa-getkeytab utility, and consequently the client enrollment, failed. With this update, the ipa-getkeytab utility has been modified to no longer fail if the key is not retrieved; a warning message is now displayed instead.
Bug Fixes
- BZ#813387
- During the installation, the ipa-client-install utility created a zero-length /etc/sysconfig/network file. Consequently, the information about the network configuration was not specified. The underlying source code has been modified and the installation process no longer erases the configuration file.
- BZ#816693
- If the client requested keys for encryption types that the server did not support, and the requested key was not returned, the ipa-getkeytab utility, and consequently the client enrollment, failed. With this update, the ipa-getkeytab utility has been modified to no longer fail if the key is not retrieved; a warning message is now displayed instead.
4.63. iproute
Bug Fix
- BZ#738965
- Prior to this update, the print_route() could, udner circumstances use the wrong "hz" value. As a consequence, the "ip route show" option returned an incorrect value for rto_min (minimum TCP retransmission timeout). This update modifies the underlying code to identify the different "hz" values. Now, the correct rto_min value is displayed.
- BZ#751285
- Prior to this update, the tc command-line utility generated a wrong filter match for the IPv6 "priority", the resulting match did not reflect the IPv6 header field proper. This update modifies the underlying code to match the IPv6 "Priority" header as expected.
4.64. iprutils
Note
Bug Fixes
- BZ#750702
- Prior to this update, the iprutils suite did not correctly compute the size of the serial number. As a consequence, the attempt to delete arrays could fail. This update modifies the serial number comparison and increases the buffer size for new adapter configuration data.
- BZ#843639
- Prior to this update, iprconfig tool failed to delete RAID arrays. This update modifies the underlying code by sending the "START_STOP_STOP" executible before deleting the device. Now, RAID arrays are deleted as expected.
4.65. ipsec-tools
Bug Fixes
- BZ#852735
- Under certain circumstances, the racoon daemon terminated unexpectedly due to referencing a NULL pointer when writing to the system log. The update ensures that the NULL pointer is never referenced by racoon in this scenario, thus fixing this bug.
- BZ#852734
- When using the setkey command to dump the pfkey database, the setkey command could decrease the size of a kernel buffer that is used to send the data. Consequently, the dumped database was incomplete and the operation failed with an error in the recv() function. With this update, setkey never decreases the kernel buffer size, thus preventing this bug.
4.66. iptables
Enhancement
- BZ#847729
- A new iptables module has been added that allows to configure the Differentiated Services Code Point (DSCP) match extension for the IPv6 protocol.
4.67. iscsi-initiator-utils
Note
Bug Fix
- BZ#849661
- The source RPM package for the iSCSI user-space driver, iscsiuio, did not include the NEW and AUTHORS files as required by the GNU packaging guidelines, and did not set the automake foreign option. The iscsiuio autoconf script uses libtool macros, but libtool was not specified as a build requirement in the RPM spec file. Consequently, attempting to rebuild the source RPM package in an environment with automake installed failed. Attempting to rebuild the source RPM package in an environment with autoconf installed, but without libtool, failed. The iscsiuio source has been updated to set the foreign automake option, in order to disable strict enforcing of the GNU packaging guidelines. In addition, libtool has been added as a build requirement for iscsi-initiator-utils, so that the required autoconf macros are available at build time. As a result, the iscsi-initiator-utils package can be built from the source RPM in a build environment that has automake and autoconf installed.
Enhancement
- BZ#798178
- Some iSCSI offload hardware requires the network interface to be "up" to function properly. Previously, this required additional network configuration steps before starting iSCSI. With this update, when the iSCSI daemon (iscsid) is starting an offloaded iSCSI session, the operational state of the associated network interface is now checked. The network interface is brought into an administrative up state automatically if needed. Offloaded iSCSI sessions can now be established without manually configuring the network interface first, iscsid will bring the interface up if needed.
4.68. java-1.6.0-openjdk
Bug Fixes
- BZ#729502
- Previously, the CCacheInputStream class could not to read Kerberos ticket cache files as it failed to handle the configuration settings stored in the ticket cache file under a special principal name. The configuration credentials are now ignored and the ticket cache is parsed correctly. Also, the initial context token generated by the GSSAPI/SPNEGO plug-in was previously rejected by the MIT Kerberos library due to incorrect data type of the reqFlags and NegTokenInit fields. The fields now use the correct data types.
- BZ#808293
- A JStack exception was thrown when a program was trying to capture both java and native stacktrace (mixed mode). Safety checks have been added and the problem no longer occurs.
Security Fixes
- CVE-2012-1711, CVE-2012-1719
- Multiple flaws were discovered in the CORBA (Common Object Request Broker Architecture) implementation in Java. A malicious Java application or applet could use these flaws to bypass Java sandbox restrictions or modify immutable object data.
- CVE-2012-1716
- It was discovered that the SynthLookAndFeel class from Swing did not properly prevent access to certain UI elements from outside the current application context. A malicious Java application or applet could use this flaw to crash the Java Virtual Machine, or bypass Java sandbox restrictions.
- CVE-2012-1713
- Multiple flaws were discovered in the font manager's layout lookup implementation. A specially-crafted font file could cause the Java Virtual Machine to crash or, possibly, execute arbitrary code with the privileges of the user running the virtual machine.
- CVE-2012-1723, CVE-2012-1725
- Multiple flaws were found in the way the Java HotSpot Virtual Machine verified the bytecode of the class file to be executed. A specially-crafted Java application or applet could use these flaws to crash the Java Virtual Machine, or bypass Java sandbox restrictions.
- CVE-2012-1724
- It was discovered that the Java XML parser did not properly handle certain XML documents. An attacker able to make a Java application parse a specially-crafted XML file could use this flaw to make the XML parser enter an infinite loop.
- CVE-2012-1718
- It was discovered that the Java security classes did not properly handle Certificate Revocation Lists (CRL). CRL containing entries with duplicate certificate serial numbers could have been ignored.
- CVE-2012-1717
- It was discovered that various classes of the Java Runtime library could create temporary files with insecure permissions. A local attacker could use this flaw to gain access to the content of such temporary files.
Security Fixes
- CVE-2012-1682
- It was discovered that the Beans component in OpenJDK did not perform permission checks properly. An untrusted Java application or applet could use this flaw to use classes from restricted packages, allowing it to bypass Java sandbox restrictions.
- CVE-2012-0547
- A hardening fix was applied to the AWT component in OpenJDK, removing functionality from the restricted SunToolkit class that was used in combination with other flaws to bypass Java sandbox restrictions.
Security Fixes
- CVE-2012-5086, CVE-2012-5084, CVE-2012-5089
- Multiple improper permission check issues were discovered in the Beans, Swing, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
- CVE-2012-5068, CVE-2012-5071, CVE-2012-5069, CVE-2012-5073, CVE-2012-5072
- Multiple improper permission check issues were discovered in the Scripting, JMX, Concurrency, Libraries, and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
- CVE-2012-5079
- It was discovered that java.util.ServiceLoader could create an instance of an incompatible class while performing provider lookup. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
- CVE-2012-5081
- It was discovered that the Java Secure Socket Extension (JSSE) SSL/TLS implementation did not properly handle handshake records containing an overly large data length value. An unauthenticated, remote attacker could possibly use this flaw to cause an SSL/TLS server to terminate with an exception.
- CVE-2012-5075
- It was discovered that the JMX component in OpenJDK could perform certain actions in an insecure manner. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information.
- CVE-2012-4416
- A bug in the Java HotSpot Virtual Machine optimization code could cause it to not perform array initialization in certain cases. An untrusted Java application or applet could use this flaw to disclose portions of the virtual machine's memory.
- CVE-2012-5077
- It was discovered that the SecureRandom class did not properly protect against the creation of multiple seeders. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information.
- CVE-2012-3216
- It was discovered that the java.io.FilePermission class exposed the hash code of the canonicalized path name. An untrusted Java application or applet could possibly use this flaw to determine certain system paths, such as the current working directory.
- CVE-2012-5085
- This update disables Gopher protocol support in the java.net package by default. Gopher support can be enabled by setting the newly introduced property, "jdk.net.registerGopherProtocol", to true.
4.69. flash-plugin
Security Fix
- CVE-2012-5676, CVE-2012-5677, CVE-2012-5678
- This update fixes three vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed in the Adobe Security bulletin APSB12-27. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content.
Security Fix
- CVE-2012-5274, CVE-2012-5275, CVE-2012-5276, CVE-2012-5277, CVE-2012-5278, CVE-2012-5279, CVE-2012-5280
- This update fixes several vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed in the Adobe Security bulletin APSB12-24. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content.
Security Fix
- CVE-2012-5248, CVE-2012-5249, CVE-2012-5250, CVE-2012-5251, CVE-2012-5252, CVE-2012-5253, CVE-2012-5254, CVE-2012-5255, CVE-2012-5256, CVE-2012-5257, CVE-2012-5258, CVE-2012-5259, CVE-2012-5260, CVE-2012-5261, CVE-2012-5262, CVE-2012-5263, CVE-2012-5264, CVE-2012-5265, CVE-2012-5266, CVE-2012-5267, CVE-2012-5268, CVE-2012-5269, CVE-2012-5270, CVE-2012-5271, CVE-2012-5272
- This update fixes several vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security page APSB12-22. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content.
Security Fixes
- CVE-2012-1535, CVE-2012-4163, CVE-2012-4164, CVE-2012-4165, CVE-2012-4166, CVE-2012-4167
- This update fixes several vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security pages APSB12-18 and APSB12-19. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content.
- CVE-2012-4168
- A flaw in flash-plugin could allow an attacker to obtain sensitive information if a victim were tricked into visiting a specially-crafted web page.
Security Fixes
- CVE-2012-2034, CVE-2012-2035, CVE-2012-2036, CVE-2012-2037, CVE-2012-2039
- This update fixes several vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security page APSB12-14.Several security flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially-crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content.
- CVE-2012-2038
- A flaw in flash-plugin could allow an attacker to obtain sensitive information if a victim were tricked into visiting a specially-crafted web page.
Security Fixes
- CVE-2012-0779
- This update fixes one vulnerability in Adobe Flash Player. This vulnerability is detailed on the Adobe security page APSB12-09, listed in associated with each description below. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the specially-crafted SWF content.
Security Fix
- CVE-2012-0773
- This update fixes one vulnerability in Adobe Flash Player. This vulnerability is detailed on the Adobe security page APSB12-07, listed in associated with each description below. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the specially-crafted SWF content.
Security Fixes
- CVE-2012-0768
- This update fixes two vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security page APSB12-05.A flaw was found in the way flash-plugin displayed certain SWF content. An attacker could use this flaw to create a specially-crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content.
- CVE-2012-0769
- A flaw in flash-plugin could allow an attacker to obtain sensitive information if a victim were tricked into visiting a specially-crafted web page.
4.70. java-1.4.2-ibm
Security Fix
- CVE-2012-1531, CVE-2012-3216, CVE-2012-4820, CVE-2012-4822, CVE-2012-5073, CVE-2012-5079, CVE-2012-5081, CVE-2012-5083, CVE-2012-5084
- This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.
Security Fix
- CVE-2012-1713, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719
- This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.
Security Fix
- CVE-2011-3563, CVE-2012-0499, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506
- This update fixes several vulnerabilities in the IBM Java 1.4.2 Runtime Environment and the IBM Java 1.4.2 Software Development Kit. Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.
4.71. java-1.5.0-ibm
Security Fix
- CVE-2012-1531, CVE-2012-3143, CVE-2012-3216, CVE-2012-4820, CVE-2012-4822, CVE-2012-5069, CVE-2012-5071, CVE-2012-5073, CVE-2012-5075, CVE-2012-5079, CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5089
- This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.
Security Fix
- CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1725
- This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.
Security Fix
- CVE-2011-3389, CVE-2011-3557, CVE-2011-3560, CVE-2011-3563, CVE-2012-0498, CVE-2012-0499, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507
- This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.
4.72. java-1.6.0-ibm
Security Fix
- CVE-2012-0547, CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-1682, CVE-2012-3143, CVE-2012-3159, CVE-2012-3216, CVE-2012-4820, CVE-2012-4822, CVE-2012-4823, CVE-2012-5068, CVE-2012-5069, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5075, CVE-2012-5079, CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5089
- This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.
Security Fix
- CVE-2012-0551, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1721, CVE-2012-1722, CVE-2012-1725
- This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.
Security Fix
- CVE-2011-3563, CVE-2011-5035, CVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2012-0500, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507
- This update fixes several vulnerabilities in the IBM Java 6 Runtime Environment and the IBM Java 6 Software Development Kit. Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.
4.73. java-1.6.0-sun
Bug Fix
- BZ#868174
- Prior to this update, the java-1.6.0-sun-plugin package did not contain an architecture-specific dependency on the java-1.6.0-sun package. Consequently, an error occurred during package unpacking when installation was done in a specific sequence. With this update the dependency has been added, and the aforementioned error no longer occurs.
Security Fix
- CVE-2012-0547, CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-3143, CVE-2012-3159, CVE-2012-3216, CVE-2012-4416, CVE-2012-5068, CVE-2012-5069, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5075, CVE-2012-5077, CVE-2012-5079, CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5085, CVE-2012-5086, CVE-2012-5089
- This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory and Oracle Security Alert pages.
Security Fix
- CVE-2012-0551, CVE-2012-1711, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1721, CVE-2012-1722, CVE-2012-1723, CVE-2012-1724, CVE-2012-1725
- This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch page.
4.74. jpackage-utils
Bug Fix
- BZ#865102
- Previously, jpackage-utils did not install java-1.7.0 directories in the /usr/share/ and /usr/lib/ directories. This caused failures when running the build-classpath script with Java 7 set as the javac alternative. These directories are now created and the build-classpath script works as expected with Java 7.
4.75. kbd
Bug Fix
- BZ#622981
- Prior to this update, the "bin/unicode_start" script was called twice. As a consequence, "unicode_start" with environment variables set to "BASH_ENV=~/.bashrc" and "TERM=linux" could enter an infinite loop. This update modifies the "/etc/unicode_start" init script so that "unicode_start" is now called once and no longer causes a loop.
4.76. kdebase
Bug Fixes
- BZ#500399
- If multiple users were using a KDE desktop on the same machine (for example by using the XDMCP protocol), only one user was able to lock the desktop. A patch has been applied to address this problem, and all users can now lock their desktops in the described scenario.
- BZ#663638
- Previously, the kdebase package did not honor mount options set in the HAL configuration files. This update corrects the problem, so that kdebase honors these mount options.
- BZ#669354
- On 64-bit systems, if the user changed time backwards, the KWin window manager incorrectly detected applications as not responding. This was due to a timestamp problem, which has been corrected, and KWIN no longer incorrectly reports applications as not responding.
4.77. kernel
Security Fixes
- CVE-2013-2206, Important
- A flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled duplicate cookies. If a local user queried SCTP connection information at the same time a remote attacker has initialized a crafted SCTP connection to the system, it could trigger a NULL pointer dereference, causing the system to crash.
- CVE-2013-2224, Important
- It was found that the fix for CVE-2012-3552 released via RHSA-2012:1540 introduced an invalid free flaw in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to corrupt kernel memory via crafted sendmsg() calls, allowing them to cause a denial of service or, potentially, escalate their privileges on the system.
- CVE-2013-2232, Moderate
- An invalid pointer dereference flaw was found in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system by using sendmsg() with an IPv6 socket connected to an IPv4 destination.
- CVE-2013-2147, CVE-2013-2164, CVE-2013-2234, CVE-2013-2237, Low
- Information leak flaws in the Linux kernel could allow a privileged, local user to leak kernel memory to user-space.
Bug Fixes
- BZ#948187
- Switching the FPU context was not properly handled in certain environments, such as systems with multi-core AMD processors using the 32-bit kernel. When running multiple instances of the applications using the FPU frequently, data corruption could occur because processes could often be restored with the context of another instance. This update applies series of patches that modifies the kernel's FPU behavior: the "lazy" FPU context switch is temporarily disabled after 5 consecutive context switches using the FPU, and restored again after the context is switched 256 times. The aforementioned data corruption problem no longer occurs.
- BZ#972583
- Due to a bug in memory management, a kernel thread process could become unresponsive for a significant amount of time, waiting for a quota of dirty pages to be met and written out, which caused a kernel panic. With this update, memory management allows processes to break out of the throttle loop if there are no more dirty pages available to be written out. This prevents a kernel panic from occurring in this situation.
- BZ#976441
- Previously, an NFS client could sometimes cache negative dentries until the page cache was flushed or the directory listing operation was performed on the parent directory. As a consequence, an incorrect dentry was never normally revalidated and a stat call always failed, providing incorrect results. This was caused by an incorrect resolution of an attribute indicating a cache change (cache_change_attribute) along with insufficient flushing of cached directories. A series of patches has been backported to resolve this problem so the cache_change_attribute is now updated properly and the cached directories are flushed more readily.
- BZ#979920
- Due to a segment register that was not reset after a transition to protected mode, a bug could have been triggered in certain older versions of the upstream kernel (the kernel 3.9 - 3.9.4), preventing a guest system from booting and rendering it unresponsive on certain Intel Virtualization Technology (VT) hardware. On the newer kernels, this behavior had a significant impact on the booting speed of virtual machines. This update applies a patch providing early segment setup for the VT feature which allows executing VT under KVM. Guest machines no longer hang on boot and the booting process is now significantly faster when using 64-bit Intel hardware with the VT feature enabled.
- BZ#980811
- A previous change in the port auto-selection code allowed sharing ports with no conflicts extending its usage. Consequently, when binding a socket with the SO_REUSEADDR socket option enabled, the bind(2) function could allocate an ephemeral port that was already used. A subsequent connection attempt failed in such a case with the EADDRNOTAVAIL error code. This update applies a patch that modifies the port auto-selection code so that bind(2) now selects a non-conflict port even with the SO_REUSEADDR option enabled.
- BZ#983452
- Due to a bug in the networking stack, the kernel could attempt to deference a NULL pointer if a VLAN was configured on top of a GRE tunnel and network packets were transmitted, which resulted in a kernel panic. A patch has been applied to fix this bug by modifying the net driver to test a VLAN hardware header for a NULL value properly. The kernel no longer panics in this scenario.
- BZ#983628
- The memory management code specific to the AMD64 and Intel 64 architectures previously did not contain proper memory barriers in the smp_invalidate_interrupt() routine. As a consequence, CPUs on AMD64 and Intel 64 systems containing modulo 8 number of CPUs (8, 16, 24 and so on) could sometimes heavily compete for spinlock resources, spending most of the CPU time by attempts to acquire spinlocks. Such systems could therefore rarely appear to be unresponsive with a very slow computing progress. This update applies a patch introducing proper memory barriers in the smp_invalidate_interrupt() routine so the problem can no longer occur.
- BZ#987976
- A panic could occur in the XEN hypervisor due to a race in the XEN's tracing infrastructure. The race allows an idle vCPU to attempt to log a trace record while another vCPU executes a hypercall to disable the active tracing using the xenmon.py performance monitoring utility. To avoid triggering the panic, the respective BUG_ON() routine call in the trace code has been replaced with a simple test condition. The XEN hypervisor no longer crashes due to aforementioned race condition.
Security Fixes
- CVE-2012-5515, Moderate
- It was found that the Xen hypervisor implementation did not perform range checking on the guest provided values in multiple hypercalls. A privileged guest user could use this flaw to trigger long loops, leading to a denial of service (Xen hypervisor hang).
- CVE-2012-1568, Low
- It was found that when running a 32-bit binary that uses a large number of shared libraries, one of the libraries would always be loaded at a predictable address in memory. An attacker could use this flaw to bypass the Address Space Layout Randomization (ASLR) security feature.
- CVE-2012-4444, Low
- A flaw was found in the way the Linux kernel's IPv6 implementation handled overlapping, fragmented IPv6 packets. A remote attacker could potentially use this flaw to bypass protection mechanisms (such as a firewall or intrusion detection system (IDS)) when sending network packets to a target system.
Bug Fixes
- BZ#884702
- Due to a regression introduced by a recent update of the be2net driver, 10Gb NICs configured to use multiple receive queues across multiple CPUs were restricted to use a single receive queue on a single CPU. This resulted in significant performance degradation. With this update, the be2net driver has been corrected to provide support for multiple receive queues on 10Gb NICs as expected.
- BZ#884708
- Under certain circumstances, a race between certain asynchronous operations, such as "silly rename" and "silly delete", and the invalidate_inodes() function could occur when unmounting an NFS file system. Due to this race, the system could become unresponsive, or a kernel oops or data corruption could occur if an inode was removed from the list of inodes while the invalidate_inodes() function performed an iteration on the inode. This update modifies the NFS code to wait until the asynchronous operations are finished before performing inode clean-up. The race condition no longer occurs and an NFS file system is unmounted as expected.
- BZ#884740
- Previously, if a target sent multiple local port logout (LOGO) events, the fc_rport_work() function in the Fibre Channel library module (libfc) tried to process all of them, irrespective of the status of processing prior to the LOGO events. Consequently, fc_rport_work() terminated unexpectedly with a stack trace. This update simplifies the remote port (rport) restart logic by making the decision to restart after deleting the transport rport. Now, all I/O operations run as expected and fc_rport_work() no longer crashes in the described scenario.
- BZ#884742
- With Red Hat Enterprise Linux 5.9, a patch that fixed IGMP reporting bug in a network bridge was backported to the bonding code from Red Hat Enterprise Linux 6. However, two other patches related to the problem were not included. This update backports these patches from Red Hat Enterprise Linux 6. Specifically, the first patch fixing a NULL pointer deference that could occur if the master bond was not a network bridge. The patch adds a testing condition which prevents the code from dereferencing a NULL pointer. The second patch introduces a hook that allows to identify which bridge port is used for the master bridge interface and modifies the bonding code to use new functions to determine whether the used bond is a network bridge.
- BZ#885062
- Previously, the Xen kernel used the memory size found at the "0x40e" address as the beginning of the Extended BIOS Data Area (EBDA). However, this is not valid on certain machines, such as Dell PowerEdge R710, which caused the system to become unresponsive during boot on these machines. This update modifies the kernel to use the multiboot structure to acquire the correct location of EBDA and the system boot now proceeds as expected in this scenario.
- BZ#885692
- A previous change in the tg3 driver corrected a bug causing DMA read engine of the Broadcom BCM5717 Ethernet controller to initiate multiple DMA reads across the PCIe bus. However, the original bug fix used the CHIPREV_ID_5717_A0 macro which is more restrictive so that the DMA read problem was not fixed for the Broadcom BCM5718 Ethernet controller. This update modifies the code to use the ASIC_REV_5717 macro, which corrects the original bug properly.
- BZ#885700
- Previously, when hot-unplugging a USB serial adapter device, the USB serial driver did not properly clean up used serial ports. Therefore, when hot-plugging the USB serial device again, the USB serial driver allocated new port IDs instead of using previously used ports. This update modifies the USB serial driver to clean up open ports correctly so that the ports can be reused next time the device is plugged in.
- BZ#886124
- Previously, GFS2 did not properly free directory hash table memory from cache when the directory was removed from cache. If the same GFS2 inode was later reused as another directory, the stale directory hash table was reused instead of reading the correct information from the media. If the GFS2 hash table was not reused, a small amount of memory was lost until the next reboot. If the hash table was reused, the directory could become corrupt. Later, GFS2 could discover the file system inconsistency and withdraw from the file system, making it unavailable until the system was rebooted. This update applies a patch to the kernel that frees the directory hash table correctly from cache and prevents this file system corruption.
- BZ#886876
- Certain recent Intel input/output memory management unit (IOMMU) systems reported very large numbers of supported mapping domains. Consequently, if the number was too large, booting a system with the intel_iommu kernel parameter enabled (intel_iommu=on) failed with the following error message:
Allocating domain array failed.
With this update, a limit of 4000 domains is set to avoid the described problems.
Bug Fixes
- BZ#563247
- Under memory pressure, memory pages that are still a part of a checkpointing transaction can be invalidated. However, when the pages were invalidated, the journal head was re-filed onto the transactions' forget list, which caused the current running transaction's block to be modified. As a result, block accounting was not properly performed on that modified block because it appeared to have already been modified due to the journal head being re-filed. This could trigger an assertion failure in the "journal_commit_transaction()" function on the system. With this update, the "b_modified" flag is cleared before the journal head is filed onto any transaction, and assertion failures no longer occur.
- BZ#862811
- On certain platforms, the be2net driver could incorrectly indicate UE bits and stop further access to be2net-based network interface cards (NICs). With this update, these UE bits are ignored and if a real UE occurs, the corresponding hardware block will automatically go offline and stop the traffic.
- BZ#857448
- Previously, two threads could race to automount the same Distributed File System (DFS) share. The second thread called the do_add_mount() function after the first thread had completed the automount, and received a reference to the existing vfs_mount inserted by the first thread. Consequently, the new vfs_mount created by this thread for the mount process was dropped. This resulted in the use count for the dentry pointed to by vfs_mount to drop to -1 and the system terminated with a kernel panic. The underlying source code has been modified, and a kernel panic no longer occurs under these circumstances.
- BZ#854067
- A bug in the ipvs code caused insufficient performance of the Transmission Control Protocol (TCP) when generic receive offload (GRO) or generic segmentation offload (GSO) was enabled on a machine running the IP Virtual Server (IPVS) or Linux Virtual Server (LVS). The TCP connection continued to work, however, only by retransmitting all data, as only TCP segments with a single packet were allowed to go through. This update allows reception of GRO-aggregated packet buffers, through the IPVS framework. On transmission the GSO-aggregated packet buffer is automatically deaggregated by GSO. Use of GSO/GRO together with this update will result in an improved throughput and lower CPU utilization.
- BZ#852526
- Prior to this update, a process of continuously opening and closing a file within a second could prevent the data cache of a file from ever expiring. This resulted in stale data being presented on the client. With this update, the modify time and size stored in cache for an existing inode are compared with the modify time and size returned by the open() call; the cache is invalidated if the values differ.
- BZ#850977
- To resolve a kernel panic that occurred under certain circumstances, an upstream cleanup patch for VFS automount support was backported to Red Hat Enterprise Linux 5, which also fixed the panic. This upstream change occurred after the VFS automount support was added to Red Hat Enterprise Linux 5 so was not present.
- BZ#840642
- An unnecessary check for the RXCW.CW bit could cause the Intel e1000e NIC (Network Interface Controller) to not work properly. The check has been removed so that the Intel e1000e NIC now works as expected.
- BZ#839753
- When attempting to mount a NFS share twice on the same mount point, a check in the do_add_mount() function causes an error to be returned. However, when using the "noac" option, the user was abe to mount the same share on the same mount point multiple times. This was because the "noac" option was automatically assigned the MS_SYNCHRONOUS flag in the nfs_initialise_sb() function. This flag was set after the check for already existing superblocks had been performed in the sget() function, and was therefore not taken into account during the check of mount flags. This update checks for the "noac" option and assigns the MS_SYNCHRONOUS fag before sget() is called to obtain an already existing superblock structure. As a result, it is no longer possible to mount a NFS share on the same location multiple times.
- BZ#836244
- Failures and errors could occur due to a NULL pointer dereference in the vm_enough_memory() function. To prevent such problems, the NULL checking has been revised
- BZ#835660
- Previously, if a command timed out to a device with a reservation conflict, the SCSI error handling marked the device as offline. This was because the RESERVATION_CONFLICT return code was treated as a fatal error when a TUR command was sent to confirm that the device was reachable and responding. Consequently, the error handling progressed to the next error routine, eventually marking the device offline. The error processing in the scsi_eh_completed_normally() function has been changed to consider RESERVATION_CONFLICT for a TUR command as success. This causes the scsi_eh_tur() call to pass successfully, and the devices are no longer set as offline.
- BZ#834562
- An insufficiently designed calculation in the CPU accelerator in the previous kernel caused an arithmetic overflow in the sched_clock() function when system uptime exceeded 208.5 days. This overflow led to a kernel panic on systems using the Time Stamp Counter (TSC) or Virtual Machine Interface (VMI) clock source. This update corrects the aforementioned calculation so that this arithmetic overflow and kernel panic can no longer occur under these circumstances.
- BZ#746122
- The way how the kernel processes dentries in the dcache when unmounting file systems allowed the concurrent activity on the list of dentries. If the list was large enough, the kernel could, under certain circumstances, panic due to NMI watchdog timeout triggered by the waiting concurrent process. This update modifies underlying functions to use a private dcache list for certain operations on the dcache so that concurrent activities are no longer affected in this scenario.
- BZ#834379
- When two processes attempted to automount an NFS file system at the same time, an account usage error occurred in the dentry of the mount point, leading to EBUSY errors when trying to unmount the file system. In addition, a kernel panic could occur when the automount timeout expired or the shutdown procedure tried to unmount the file system. This was because the vfsmount structure was missing a reference of the mount point. This update ensures that a reference of the mount point is placed on the vfsmount structure before the do_add_mount() function is called. The NFS file system can now be unmounted as expected, and the kernel panic no longer occurs in this scenario.
- BZ#833000
- Previously, the SAS-2 tape drive was not detected after connecting it to a SATA/SAS Storage Control Unit (SCU) port. This was because the speed values in the isci driver were not updated and the negotiated connection speed for the SAS-2 device was therefore incorrect. With this update, the PHY_LINKRATE values defined in the scsi_transport_sas header file are now used, which ensures correct detection of SAS-2 devices.
- BZ#822166
- A race condition between a device being opened and the device being disconnected occurred in the evdev code. During this condition, the evdev structure for a device continued to be used after it had been freed. If the memory was reallocated afterward and zeroed by the new owner, the evdev_open() function could become stuck and generate a soft lockup. This update directly uses a kref structure to implement proper reference counting, which prevents the race condition from occurring in this scenario.
- BZ#819830
- Previously, when listing of IPv6 routing table was prematurely ended, it could cause corruption of that table, leading to various problems, including a kernel panic. To prevent the problems, the routing table is now traversed correctly.
- BZ#818787
- An insufficiently designed calculation in the CPU accelerator in the previous kernel caused an arithmetic overflow in the sched_clock() function when system uptime exceeded 208.5 days. This overflow led to a kernel panic on the systems using the Time Stamp Counter (TSC) or Virtual Machine Interface (VMI) clock source. This update corrects the calculation so that this arithmetic overflow and kernel panic can no longer occur under these circumstances. Note: This advisory does not include a fix for this bug for the 32-bit architecture
- BZ#753244
- The function that used to find a resource block (rsb) during directory recovery was searching the rsb's single linear list, which took an excessive amount of time. Consequently, recovery of Distributed Lock Manager (DLM) could take a long time. With this update, the standard hash table is used to find the rsb, which decreases the search time, and DLM recovery finishes in a reasonable time.
- BZ#749813
- If the IP stack proper is accessed from bridge netfilter, the socket buffer needs to be in a form the IP stack expects. Previously, the entry point on the NF_FORWARD hook did not meet the requirements of the IP stack. Consequently, hosts could terminate unexpectedly. A backported upstream patch has been provided to address this issue and the crashes no longer occur in the described scenario.
- BZ#814626
- The kernel version 2.6.18-308.4.1.el5 contained several bugs which led to an overrun of the NFS server page array. Consequently, any attempt to connect an NFS client running on Red Hat Enterprise Linux 5.8 to the NFS server running on the system with this kernel caused the NFS server to terminate unexpectedly and the kernel to panic. This update corrects the bugs causing NFS page array overruns and the kernel no longer crashes in this scenario.
- BZ#809937
- A process scheduler did not handle RPC priority wait queues correctly. Consequently, the process scheduler failed to wake up all scheduled tasks as expected after RPC timeout, which caused the system to become unresponsive and could significantly decrease system performance. This update modifies the process scheduler to handle RPC priority wait queues as expected. All scheduled tasks are now properly woken up after RPC timeout and the system behaves as expected.
- BZ#756506
- A kernel panic occurred when the size of a block device was changed and I/O was issued at the same time. This was because the direct and non-direct I/O code was written with the assumption that the block size would not change. This update introduces a new read-write lock, bd_block_size_semaphore. The lock is taken for read during I/O and for write when changing block size. As a result, block size cannot be changed while I/O is being submitted. This prevents the kernel from crashing in the described scenario.
- BZ#808489
- Previously, requests for large data blocks with the ZSECSENDCPRB ioctl() system call failed due to an invalid parameter. A misleading error code was returned, concealing the real problem. With this update, the parameter for the ZSECSENDCPRB request code constant is validated with the correct maximum value. Now, if the parameter length is not valid, the EINVAL error code is returned, thus fixing this bug.
- BZ#805799
- A bug in the vsyscall interface caused 32-bit multi-threaded programs, which received the SIGCANCEL signal right after they returned from a system call, to terminate unexpectedly with a segmentation fault when run on the AMD64 or Intel 64 architecture. A patch has been provided to address this issue and the crashes no longer occur in the described scenario.
- BZ#804778
- Previously, the restriction of the way epoll file descriptors could nest was overly aggressive. Consequently, certain applications were unable to add the desired number of epoll watches and possibly terminated unexpectedly or became unresponsive. With this update, there is no restriction on the number of epoll file descriptors that can be attached to the source file descriptor, thus preventing the described problems. Note that if an application requests a deeply-nested epoll file descriptor, the request fails gracefully rather that causing the kernel to terminate unexpectedly.
- BZ#800653
- The qla2xxx driver set up interrupts for Qlogic 4Gb Fibre Channel adapters incorrectly due to a bug in a test condition for MSI-X support. This update corrects the bug and qla2xxx now sets up interrupts as expected.
- BZ#800575
- When a slave started up, the active flags failed to be marked inactive while unsetting the current_arp_slave parameter. Consequently, more than one slave with active flags in active-backup mode could be present on the system. With this update, the active flags are properly marked inactive from a slave before the current_arp_slave is unset, thus preventing this bug.
- BZ#799530
- When the Fibre Channel (FC) layer sets a device to "running", the layer also scans for other new devices. Previously, there was a race condition between these two operations. Consequently, for certain targets, thousands of invalid devices were created by the SCSI layer and the udev service. This update ensures that the FC layer always sets a device to "online" before scanning for others, thus fixing this bug. Additionally, when attempting to transition priority groups on a busy FC device, the multipath layer retried immediately. If this was the only available path, a large number of retry operations was performed in a short period of time. Consequently, the logging of retry messages slowed down the system. This bug has been fixed by ensuring that the DM Multipath feature delays retry operations in the described scenario.
- BZ#799170
- When the kvmclock initialization was used in a guest, it could write to the time stamp counter (TSC) and, under certain circumstances, could cause the kernel to become unresponsive on boot. With this update, TSC synchronization, which is unnecessary due to kvmclock, has been disabled, thus fixing this bug.
- BZ#798048
- The mlx4 driver did not contain the necessary callbacks to implement Enhanced I/O Error Handling and recovery, so the PCI layer used the probe and remove callbacks to try to recover the device after an error occurred on the bus. However, a race condition occurred between these callbacks and the internal catastrophic error recovery functions which also detected the error, and consequently caused a kernel oops if both EEH and the internal recovery functions attempted to reset the device. This update adds the necessary error recovery callbacks and ensures that the internal catastrophic error functions do not try to reset the device in such scenarios. Also, additional calls have been added to suppress read and write operations on the bus when the slot cannot accept I/O operations, which prevents unnecessary accesses to the bus and speeds up the device removal.
- BZ#797011
- Due to a regression, the ifdef macro was used with an invalid value. Consequently, the tg3 driver did not support VLAN tagging and the vconfig utility was unable to configure VLAN tagging properly, thus blocking the network connection. This update removes incorrect usages of ifdef from the code and the VLAN support now works as expected.
- BZ#771366
- When using the Intel e1000e ethernet driver, the RXCW register's invalid bit (IV) was being set periodically due to incorrect register read logic for the 82571 Serializer-Deserializer (SERDES), which resulted in link flapping. The read logic has been improved: RXCW is now read twice to filter one-time false events and obtain correct values for the IV bit. Link flaps no longer occur in this scenario.
- BZ#795672
- Certain Broadcom devices, mostly the BMC5704 controllers, failed to work due to incorrect TSO (TCP Segmentation Offload) handling in the tg3 driver. The TSO handling code has been revised so that the devices now work as expected.
- BZ#772192
- Due to a bug in the qla2xxx driver and the HBA firmware, storage I/O traffic could become unresponsive during storage fault testing. With this update, these bugs have been fixed and the hangs no longer happen in the described scenario.
- BZ#772216
- Previously, secondary, tertiary, and other IP addresses added to bond interfaces could overwrite the bond->master_ip and vlan_ip values. Consequently, a wrong IP address could be occasionally used, the MII (Media Independent Interface) status of the backup slave interface went down, and the bonding master interfaces were switching. This update removes the master_ip and vlan_ip elements from the bonding and vlan_entry structures, respectively. Instead, devices are directly queried for the optimal source IP address for ARP requests, thus fixing this bug.
- BZ#790900
- When running more than 30 instances of the cclengine utility concurrently on IBM System z with IBM Communications Controller for Linux, the system could become unresponsive. This was caused by a missing wake_up() function call in the qeth_release_buffer() function in the QETH network device driver. This update adds the missing wake_up() function call and the system now responds as expected in this scenario.
- BZ#773022
- Due to a bug in the error clean-up code, the kernel could fail to boot when a tg3 NIC utilized the 4 KB transmit segmentation code but could not map all the physical memory fragments. This update rectifies the situation so that the tg3 driver no longer prevents the kernel from booting.
- BZ#773735
- When using the be2net driver, if a card was reset due to EEH (Enhanced Error Handling), the error recovery involves ring clean-up and re-creation. However, because worker threads touch this ring, there was a race condition that caused kernel to terminate unexpectedly. With this update, a worker thread is stopped during this clean-up process, thus preventing this bug.
- BZ#790840
- The QDIO (Queued Direct I/O) data transfer architecture maintains a "buffers-used" counter for its hardware buffers. If the buffers were returned in the ERROR state, the counter was updated incorrectly when running under the z/VM operating system with the QIOASSIST flag switched on. Consequently, the buffer handling logic in QDIO was working incorrectly. This update fixes the code to update the counter correctly in the described scenario, thus fixing this bug.
- BZ#782124
- When a network interface card (NIC) with a fan experiences a fan failure, the PHY chip is usually powered down by its firmware. Previously, the bnx2x driver did not handle fan failures correctly, which could trigger a non-maskable interrupt (NMI). Consequently, the kernel could crash or panic. This update modifies the bnx2x driver to handle fan failures properly, the NIC is now shut down as expected and the kernel does not crash in this scenario.
- BZ#790103
- A kernel panic could occur on IBM Power systems while running the fsfuzz test. This was caused by an attempt to perform an I/O operation on an unmapped buffer, which triggered a BUG_ON() function call. This update modifies the kernel so that I/O operations can be performed only on mapped buffers. The kernel no longer panics in this scenario.
- BZ#782677
- Due to recent changes in the tg3 driver, the driver attempted to use an already freed pointer to a socket buffer (SKB) when the NIC was recovering from unsuccessful memory mapping. Consequently, the NIC went offline and the kernel panicked. With this update, the SKB pointer is newly allocated in this scenario. The NIC recovers as expected and a kernel panic does not occur. Also, the tg3 driver could, under certain circumstances, attempt to unmap a memory fragment that had not been mapped. Consequently, the kernel panicked. This update fixes the bug by correcting the "last" parameter supplied.
- BZ#782790
- A recent change in the QLogic qla2xxx driver introduced a bug which could, under rare circumstances, cause the system to become unresponsive. This problem occurred during I/O error recovery on systems using SAN configurations with QLogic Fibre Channel Hot Bus Adapters (HBAs). This update corrects the qla2xxx driver so the system no longer hangs in this scenario.
- BZ#788777
- When SAS (Serial Attached SCSI) disks were present on the system and the CK_COND=1 parameter was set in the Command Descriptor Block (CDB), the SAT ATA PASS-THROUGH commands produced a large number of irrelevant warning messages, clogging up logs with useless information. With this update, the logging has been disabled in the described scenario, thus fixing this bug.
- BZ#783043
- An Ethernet physical transceiver (a PHY chip) was always powered up when a network interface card (NIC) using the igb driver was brought down. Recent changes had modified the kernel so that the PHY chip was powered down in such a scenario. With this PHY power saving feature, the PHY chip could unexpectedly lose its settings on rare occasions. Consequently, the PHY chip did not recover after the NIC had been re-attached and the NIC could not be brought up. The igb driver has been modified so that the PHY chip is now reset when the NIC is re-attached to the network. NICs using the igb driver are brought up as expected.
- BZ#783540
- Previously, a kernel panic could occur on IBM S/390 systems after a reboot. This happened due to a race condition between the raw3215_tasklet() and the tty3215_close() functions, which could result in calling the tty_wakeup() function with either a NULL pointer or with a pointer to an already freed tty structure. This update prevents the race condition by adding the tasklet_kill() function call to the tty3215_close() function. The kernel no longer panics when closing the 3215 console on IBM S/390 systems.
- BZ#785062
- In NFSv4, both write and open code paths depended on the I_LOCK flag in inode->i_state. In addition to this, the write code path also needs the latest stateid returned by open to before it can proceed. It waits for this while holding the I_LOCK bit in inode->state. As a consequence, multi-threaded applications could be blocked when using NFSv4. With this update, the nfs_fhget() function has been modified to use the I_NEW flag for the open code path, thus fixing this bug.
- BZ#789067
- When USB hardware uses the ACM interface, there is a race condition that can lead to a system deadlock due to the spinlocks not disabling interrupts. This has been noticed through various types of softlockups. The only workaround is to reboot. The fix is common, when taking a spinlock, disable the interrupts too.
- BZ#773777
- When a single, large data stream was being written to an NFS server while other applications periodically wrote small amounts of data to a local file system, other applications could experience long pauses when dirty memory reaches the dirty_ratio limit. With this update, the code for COMMIT calls has been improved to not skip such calls if the system is under memory pressure and to allow high priority COMMIT calls to bypass inode commit locks. Now, the pauses in traffic no longer occur in the described scenario.
- BZ#798809
- The vfs-automount infrastructure assumes that the LOOKUP_DIRECTORY flag is included in nameidata flags if a trailing slash character (/) is given on a path being walked. But this flag is private to the __link_path_walk() function so it must be added when looking up the last component. Previously, during a path walk where the path included a trailing slash character, LOOKUP_DIRECTORY was not propagated to path walk functions. Consequently, directories that needed to trigger an automount failed to do so, which resulted in a -ENOTDIR error. This bug has been fixed and the error code is no longer returned in the described scenario.
- BZ#804800
- Starting with Red Hat Enterprise Linux 5.6, all devices that used the ixgbe driver would stop stripping VLAN tags when the device entered promiscuous mode. Placing a device in a bridge group causes the device to enter promiscuous mode. This caused various issues under certain configurations of bridging and VLANs. A patch has been provided to address this issue and the devices now properly strip VLAN tags in the driver whether in promiscuous mode or not.
- BZ#848098
- Previously, the code checking for a NULL pointer was incorrect; it checked for a non-NULL pointer instead. As a consequence, this could lead to a kernel panic. This update corrects the problem, so that the kernel no longer crashes in this scenario.
- BZ#830226
- Recent changes removing support for the Flow Director from the ixgbe driver introduced bugs that caused the RSS (Receive Side Scaling) functionality to stop working correctly on Intel 82599EB 10 Gigabit Ethernet network devices. This update corrects the return code in the ixgbe_cache_ring_fdir function and setting of the registers that control the RSS redirection table. Also, obsolete code related to Flow Director support has been removed. The RSS functionality now works as expected on these devices.
- BZ#814418
- If a path followed a symlink that ended with the slash ("/") character, the LOOKUP_DIRECTORY flag could be set earlier than the last path component. This led to an ENOTDIR (Not a directory) error. The LOOKUP_DIRECTORY flag is now propagated only for the last component. For the purpose of possible automounting, the flag is not needed for intermediate path components; the LOOKUP_CONTINUE flag is set in such a case. The ENOTDIR error no longer occurs in this scenario.
- BZ#839770
- In the ext4 file system, splitting an unwritten extent while using Direct I/O could fail to mark the modified extent as dirty, resulting in multiple extents claiming to map the same block. This could lead to the kernel or fsck reporting errors due to multiply claimed blocks being detected in certain inodes. In the ext4_split_unwritten_extents() function used for Direct I/O, the buffer which contains the modified extent is now properly marked as dirty in all cases. Errors due to multiply claimed blocks in inodes should no longer occur for applications using Direct I/O.
- BZ#830351
- On ext4 file systems, when the fallocate() system call failed to allocate blocks due to the ENOSPC condition (no space left on device) for a file larger than 4 GB, the size of the file became corrupted and, consequently, caused file system corruption. This was due to a missing cast operator in the ext4_fallocate() function. With this update, the underlying source code has been modified to address this issue, and file system corruption no longer occurs.
- BZ#756091
- Calculations for sizing certain memory allocation thresholds (dcache, files-max, ...) depend on the number of physical pages found in a system; this generally includes (occasionally a large amount of) non-RAM pages. Due to a miscalculated number of usable RAM pages, memory allocation thresholds calculation on large systems with discontiguous memory (such as modern NUMA systems) could result in bad sizing. This could impact workload performance. With this update, the aforementioned calculation basis has been switched to what actually is usable as storage (RAM). The sizing of the memory allocation thresholds is now fixed and they render the expected values when they are verified.
- BZ#852340
- A kernel panic can occur when attempting to create a Fibre Channel over Ethernet (FCoE) session on a network interface controller (NIC) with a virtual LAN (VLAN) enabled. Software-based Fibre Channel over Ethernet (FCoE) is a Technology Preview in Red Hat Enterprise Linux 5, and it is therefore recommended to use Red Hat Enterprise Linux 6 for fully supported software-based FCoE. The following hardware-accelerated FCoE cards are fully supported in Red Hat Enterprise Linux 5: Emulex LPFC, QLogic qla2xxx, Brocade BFA.
- BZ#858724
- This update changes Xen hypervisor's behavior introduced in the CVE-2012-2934 issue: the host was prevented from booting on AMD processors with the AMD #121 erratum applied. Users were prompted to pass the "allow_unsafe" parameter on the command line to allow booting the Xen host. However, this could prevent remotely managed hosts from being started. With this update, the boot process is no longer denied by default; only guest creation is denied. The allow_unsafe semantics has changed to allow creation of guests instead of allowing booting the host.
- BZ#800708
- Previously, the interrupt handlers of the qla2xxx driver could clear pending interrupts right after the IRQ lines were attached during system start-up. Consequently, the kernel could miss the interrupt that reported completion of the link initialization, and the qla2xxx driver then failed to detect all attached LUNs. With this update, the qla2xxx driver has been modified to no longer clear interrupt bits after attaching the IRQ lines. The driver now correctly detects all attached LUNs as expected.
- BZ#782866
- The Ethernet channel bonding driver reported the MII (Media Independent Interface) status of the bond interface in 802.3ad mode as being up even though the MII status of all of the slave devices was down. This could pose a problem if the MII status of the bond interface was used to determine if failover should occur. With this update, the agg_device_up() function has been added to the bonding driver, which allows the driver to report the link status of the bond interface correctly, that is, down when all of its slaves are down, in the 802.3ad mode.
- BZ#712513
- The kdump kernel maintains the configuration of MSI-X interrupts as created by the crashed kernel but enables only one CPU in the new environment. Previously, this caused the tg3 driver to abort MSI-X setup which caused interrupt delivery to fail. Consequently, the link became unavailable and any attempt to dump a core file to a remote host to failed. With this update, the tg3 driver has been modified to enforce single-vector MSI-X interrupt mode by disabling the multivector interrupt mode for tg3 in the kdump kernel. The NIC is now brought up as expected and kdump can successfully dump a core file to the remote host in this scenario.
- BZ#683303
- The bnx2x driver performed the initialization of hardware in a way that was unsafe if the previous instance of the driver terminated in an unclean manner. Consequently, the kernel could become unresponsive or panic while initializing the NIC in the kdump environment. With this update, the bnx2x driver has been modified to perform a safer initialization, solving the possible crash scenarios. The NIC is now initialized as expected and kdump can successfully dump a core file to a remote host when using the bnx2x driver.
- BZ#845169
- Previously, when Enhanced I/O Error Handling (EEH) detected an error while a firmware dump was being collected, a reset of the PCI adapter could have been triggered before the dumping operation could complete. As a consequence, the firmware dump was interrupted and recovery of the PCI adapter failed leaving the adapter in an inconsistent state. This update modifies the be2net driver to wait for the firmware dump to complete before resetting EEH. A core file is successfully dumped and the PCI adapter recovers as expected in this scenario.
- BZ#842486
- When bringing up a network interface with VLANs configured on top of it using the mlx4 driver, the kernel could panic due to a NULL pointer dereference. This was caused by the core networking code which called the VLAN addition routine before setting the VLAN device entry in the VLAN group table. This update modifies the mlx4 driver to prevent this behavior so that the VLAN device entry in now added to the VLAN group table before adding the VLAN and the kernel no longer panics in this scenario.
- BZ#786403
- Due to incorrect information provided by firmware, the netxen_nic driver did not calculate the correct Generic Segmentation Offload (GSO) length of packets that were received using the Large Receive Offload (LRO) optimization. This caused network traffic flow to be extensively delayed for the NICs using LRO on netxen_nic, which had a huge impact on NIC's performance (in some cases, throughput for some 1 GB NICs could be below 100 kbs). With this update, firmware now provides the correct GSO packet length and the netxen_nic driver has been modified to handle new information provided by firmware correctly. Throughput of the NICs using the LRO optimization with the netxen_nic driver is now within expected levels.
Enhancements
Note
- BZ#872612
- The INET socket interface has been modified to send a warning message when the ip_options structure is allocated directly by a third-party module using the kmalloc() function.
- BZ#640206
- With this update, NIC speed and duplex information are now exported through sysfs. This feature allows users to determine the state and status of the NIC and it's connections.
- BZ#605727
- This update modifies IPMI to support configurable timeouts and retry attempts for the keyboard controller-style (KCS) interface. Ability to configure timeouts and retry attempts ensures that no IPMI requests or responses are dropped due to the default limit of the KCS host driver, which increases reliability of communication over KCS.
- BZ#790841
- With this update, the mlx4 driver has been upgraded to the The OpenFabrics Alliance Enterprise Distribution (OFED) level 1.5.4.1 with the exception of the XRC support. Among other changes, the update includes support for IBoE, which is, however, disabled by default, and a fix for a bug related to the mlx4 multicast support.
Bug Fix
- BZ#749246
- The root user without the CAP_SYS_ADMIN capability was able to reset the contents of the "/proc/sys/kernel/dmesg_restrict" configuration file to 0. Consequently, the unprivileged root user could bypass the protection of the "dmesg_restrict" file and read the kernel ring buffer. This update ensures that only the root user with the CAP_SYS_ADMIN capability is allowed to write to the dmesg_restrict file. Any unauthorized attempt on writing to this file now fails with an EPERM error.
- BZ#786168
- An Ethernet physical transceiver (a PHY chip) was always powered up when a network interface card (NIC) using the igb driver was brought down. Recent changes had modified the kernel so that the PHY chip was powered down in such a scenario. With this PHY power saving feature, the PHY chip could unexpectedly lose its settings on rare occasions. Consequently, the PHY chip did not recover after the NIC had been re-attached and the NIC could not be brought up. The igb driver has been modified so that the PHY chip is now reset when the NIC is re-attached to the network. NICs using the igb driver are brought up as expected.
- BZ#789369
- The way how the kernel processes dentries in the dcache when unmounting file systems allowed the concurrent activity on the list of dentries. If the list was large enough, the kernel could, under certain circumstances, panic due to NMI watchdog timeout triggered by the waiting concurrent process. This update modifies underlying functions to use a private dcache list for certain operations on the dcache so that concurrent activities are no longer affected in this scenario.
- BZ#790778
- The Abstract Control Model (ACM) driver uses spinlocks to protect the lists of USB Request Blocks (URBs) and read buffers maintained by the driver. Previously, when a USB device used the ACM interface, a race condition between scheduled ACM tasklets could occur. Consequently, the system could enter a deadlock situation because tasklets could take spinlocks without disabling interrupt requests (IRQs). This situation resulted in various types of soft lockups ending up with a kernel panic. This update fixes the problem so that IRQs are disabled when a spinlock is taken. Deadlocks no longer occur and the kernel no longer crashes in this scenario.
- BZ#790907
- A recent change in the QLogic qla2xxx driver introduced a bug which could, under rare circumstances, cause the system to become unresponsive. This problem occurred during I/O error recovery on systems using SAN configurations with QLogic Fibre Channel Hot Bus Adapters (HBAs). This update corrects the qla2xxx driver so the system no longer hangs in this scenario.
- BZ#790910
- Due to recent changes in the tg3 driver, the driver attempted to use an already freed pointer to a socket buffer (SKB) when the NIC was recovering from unsuccessful memory mapping. Consequently, the NIC went offline and the kernel panicked. With this update, the SKB pointer is newly allocated in this scenario. The NIC recovers as expected and a kernel panic does not occur. Also, the tg3 driver could, under certain circumstances, attempt to unmap a memory fragment that had not been mapped. Consequently, the kernel panicked. This update fixes the bug by correcting the "last" parameter supplied.
- BZ#790912
- When a network interface card (NIC) with a fan experiences a fan failure, the PHY chip is usually powered down by its firmware. Previously, the bnx2x driver did not handle fan failures correctly, which could trigger a non-maskable interrupt (NMI). Consequently, the kernel could crash or panic. This update modifies the bnx2x driver to handle fan failures properly, the NIC is now shut down as expected and the kernel does not crash in this scenario.
Security Fix
- CVE-2012-3375, Moderate
- The fix for CVE-2011-1083 (RHSA-2012:0150) introduced a flaw in the way the Linux kernel's Event Poll (epoll) subsystem handled resource clean up when an ELOOP error code was returned. A local, unprivileged user could use this flaw to cause a denial of service.
Bug Fixes
- BZ#816373
- The qla2xxx driver handled interrupts for QLogic Fibre Channel adapters incorrectly due to a bug in a test condition for MSI-X support. This update corrects the bug and qla2xxx now handles interrupts as expected.
- BZ#817571
- A process scheduler did not handle RPC priority wait queues correctly. Consequently, the process scheduler failed to wake up all scheduled tasks as expected after RPC timeout, which caused the system to become unresponsive and could significantly decrease system performance. This update modifies the process scheduler to handle RPC priority wait queues as expected. All scheduled tasks are now properly woken up after RPC timeout and the system behaves as expected.
- BZ#820358
- The kernel version 2.6.18-308.4.1.el5 contained several bugs which led to an overrun of the NFS server page array. Consequently, any attempt to connect an NFS client running on Red Hat Enterprise Linux 5.8 to the NFS server running on the system with this kernel caused the NFS server to terminate unexpectedly and the kernel to panic. This update corrects the bugs causing NFS page array overruns and the kernel no longer crashes in this scenario.
- BZ#824654
- An insufficiently designed calculation in the CPU accelerator in the previous kernel caused an arithmetic overflow in the sched_clock() function when system uptime exceeded 208.5 days. This overflow led to a kernel panic on the systems using the Time Stamp Counter (TSC) or Virtual Machine Interface (VMI) clock source. This update corrects the calculation so that this arithmetic overflow and kernel panic can no longer occur under these circumstances.Note: This advisory does not include a fix for this bug for the 32-bit architecture.
- BZ#827205
- Under memory pressure, memory pages that are still a part of a checkpointing transaction can be invalidated. However, when the pages were invalidated, the journal head was re-filed onto the transactions' "forget" list, which caused the current running transaction's block to be modified. As a result, block accounting was not properly performed on that modified block because it appeared to have already been modified due to the journal head being re-filed. This could trigger an assertion failure in the "journal_commit_transaction()" function on the system. The "b_modified" flag is now cleared before the journal head is filed onto any transaction; assertion failures no longer occur.
- BZ#829059
- When running more than 30 instances of the cclengine utility concurrently on IBM System z with IBM Communications Controller for Linux, the system could become unresponsive. This was caused by a missing wake_up() function call in the qeth_release_buffer() function in the QETH network device driver. This update adds the missing wake_up() function call and the system now responds as expected in this scenario.
- BZ#832169
- Recent changes removing support for the Flow Director from the ixgbe driver introduced bugs that caused the RSS (Receive Side Scaling) functionality to stop working correctly on Intel 82599EB 10 Gigabit Ethernet network devices. This update corrects the return code in the ixgbe_cache_ring_fdir function and setting of the registers that control the RSS redirection table. Also, obsolete code related to Flow Director support has been removed. The RSS functionality now works as expected on these devices.
Security Fix
- CVE-2012-1583, Important
- A flaw in the xfrm6_tunnel_rcv() function in the Linux kernel's IPv6 implementation could lead to a use-after-free or double free flaw in tunnel6_rcv(). A remote attacker could use this flaw to send specially-crafted packets to a target system that is using IPv6 and also has the xfrm6_tunnel kernel module loaded, causing it to crash.If you do not run applications that use xfrm6_tunnel, you can prevent the xfrm6_tunnel module from being loaded by creating (as the root user) a "/etc/modprobe.d/xfrm6_tunnel.conf" file, and adding the following line to it:
blacklist xfrm6_tunnel
This way, the xfrm6_tunnel module cannot be loaded accidentally. A reboot is not necessary for this change to take effect.
Security Fix
- CVE-2012-2136, Important
- It was found that the data_len parameter of the sock_alloc_send_pskb() function in the Linux kernel's networking implementation was not validated before use. A local user with access to a TUN/TAP virtual interface could use this flaw to crash the system or, potentially, escalate their privileges. Note that unprivileged users cannot access TUN/TAP devices until the root user grants them access.
Security Fixes
- CVE-2012-0217, Important
- It was found that the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level.
- CVE-2012-2934, Moderate
- It was found that guests could trigger a bug in earlier AMD CPUs, leading to a CPU hard lockup, when running on the Xen hypervisor implementation. An unprivileged user in a 64-bit para-virtualized guest could use this flaw to crash the host. Warning: After installing this update, hosts that are using an affected AMD CPU (refer to Red Hat Bugzilla bug #824966 for a list) will fail to boot. In order to boot such hosts, the new kernel parameter, allow_unsafe, can be used ("allow_unsafe=on"). This option should only be used with hosts that are running trusted guests, as setting it to "on" reintroduces the flaw (allowing guests to crash the host).
Security Fix
- CVE-2012-2313, Low
- A flaw was found in the way the Linux kernel's dl2k driver, used by certain D-Link Gigabit Ethernet adapters, restricted IOCTLs. A local, unprivileged user could use this flaw to issue potentially harmful IOCTLs, which could cause Ethernet adapters using the dl2k driver to malfunction (for example, losing network connectivity).
Security Fixes
- CVE-2012-3412, Important
- A flaw was found in the way socket buffers (skb) requiring TSO (TCP segment offloading) were handled by the sfc driver. If the skb did not fit within the minimum-size of the transmission queue, the network card could repeatedly reset itself. A remote attacker could use this flaw to cause a denial of service.
- CVE-2012-3510, Moderate
- A use-after-free flaw was found in the xacct_add_tsk() function in the Linux kernel's taskstats subsystem. A local, unprivileged user could use this flaw to cause an information leak or a denial of service.
- CVE-2012-2319, Low
- A buffer overflow flaw was found in the hfs_bnode_read() function in the HFS Plus (HFS+) file system implementation in the Linux kernel. A local user able to mount a specially-crafted HFS+ file system image could use this flaw to cause a denial of service or escalate their privileges.
- CVE-2012-3430, Low
- A flaw was found in the way the msg_namelen variable in the rds_recvmsg() function of the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation was initialized. A local, unprivileged user could use this flaw to leak kernel stack memory to user-space.
Bug Fixes
- BZ#846125
- The cpuid_whitelist() function, masking the Enhanced Intel SpeedStep (EST) flag from all guests, prevented the "cpuspeed" service from working in the privileged Xen domain (dom0). CPU scaling was therefore not possible. With this update, cpuid_whitelist() is aware whether the domain executing CPUID is privileged or not, and enables the EST flag for dom0.
- BZ#847326
- If a delayed-allocation write was performed before quota was enabled, the kernel displayed the following warning message:
WARNING: at fs/quota/dquot.c:988 dquot_claim_space+0x77/0x112()
This was because information about the delayed allocation was not recorded in the quota structure. With this update, writes prior to enabling quota are properly accounted for, and the message is not displayed. - BZ#847327
- In Red Hat Enterprise Linux 5.9, the DSCP (Differentiated Services Code Point) netfilter module now supports mangling of the DSCP field.
- BZ#847359
- Some subsystems clear the TIF_SIGPENDING flag during error handling in fork() paths. Previously, if the flag was cleared, the ERESTARTNOINTR error code could be returned. The underlying source code has been modified so that the error code is no longer returned.
- BZ#852448
- An unnecessary check for the RXCW.CW bit could cause the Intel e1000e NIC (Network Interface Controller) to not work properly. The check has been removed so that the Intel e1000e NIC works as expected.
Security Fix
- CVE-2012-2100, Low
- It was found that the RHSA-2010:0178 update did not correctly fix the CVE-2009-4307 issue, a divide-by-zero flaw in the ext4 file system code. A local, unprivileged user with the ability to mount an ext4 file system could use this flaw to cause a denial of service.
Security Fixes
- CVE-2012-4508, Important
- A race condition in the way asynchronous I/O and fallocate() interacted when using ext4 could allow a local, unprivileged user to obtain random data from a deleted file.
- CVE-2012-5513, Important
- A flaw in the way the Xen hypervisor implementation range checked guest provided addresses in the XENMEM_exchange hypercall could allow a malicious, para-virtualized guest administrator to crash the hypervisor or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level.
- CVE-2012-2372, Moderate
- A flaw in the Reliable Datagram Sockets (RDS) protocol implementation could allow a local, unprivileged user to cause a denial of service.
- CVE-2012-3552, Moderate
- A race condition in the way access to inet->opt ip_options was synchronized in the Linux kernel's TCP/IP protocol suite implementation. Depending on the network facing applications running on the system, a remote attacker could possibly trigger this flaw to cause a denial of service. A local, unprivileged user could use this flaw to cause a denial of service regardless of the applications the system runs.
- CVE-2012-4535, Moderate
- The Xen hypervisor implementation did not properly restrict the period values used to initialize per VCPU periodic timers. A privileged guest user could cause an infinite loop on the physical CPU. If the watchdog were enabled, it would detect said loop and panic the host system.
- CVE-2012-4537, Moderate
- A flaw in the way the Xen hypervisor implementation handled set_p2m_entry() error conditions could allow a privileged, fully-virtualized guest user to crash the hypervisor.
Bug Fixes
- BZ#870118
- Previously, the interrupt handlers of the qla2xxx driver could clear pending interrupts right after the IRQ lines were attached during system start-up. Consequently, the kernel could miss the interrupt that reported completion of the link initialization, and the qla2xxx driver then failed to detect all attached LUNs. With this update, the qla2xxx driver has been modified to no longer clear interrupt bits after attaching the IRQ lines. The driver now correctly detects all attached LUNs as expected.
- BZ#877943
- The Ethernet channel bonding driver reported the MII (Media Independent Interface) status of the bond interface in 802.3ad mode as being up even though the MII status of all of the slave devices was down. This could pose a problem if the MII status of the bond interface was used to determine if failover should occur. With this update, the agg_device_up() function has been added to the bonding driver, which allows the driver to report the link status of the bond interface correctly, that is, down when all of its slaves are down, in the 802.3ad mode.
Enhancements
- BZ#870120
- This update backports several changes from the latest upstream version of the bnx2x driver. The most important change, the remote-fault link detection feature, allows the driver to periodically scan the physical link layer for remote faults. If the physical link appears to be up and a fault is detected, the driver indicates that the link is down. When the fault is cleared, the driver indicates that the link is up again.
- BZ#874973
- The INET socket interface has been modified to send a warning message when the ip_options structure is allocated directly by a third-party module using the kmalloc() function.
4.78. kexec-tools
Bug Fix
- BZ#822617
- When one interface was used for a iSCSI boot environment while is other was used by kdump with the "net" option on, the ifconfig utility caused an error. Consequently, vmcore was not collected in a dump server that stores vmcore specified in the kdump.conf file. This bug has been fixed and a memory dump capture now succeeds by kdump in an iSCSI boot environment.
/sbin/kexec
binary and ancillary utilities that form the user-space component of the kernel's kexec feature.
Bug Fixes
- BZ#716340
- Previously, kdump could become unresponsive if a disk name was changed. This could happen because the kdump
initrd
did not include irrelevant disk drivers that were used in the first kernel. Persistent disk names change in kdump presents considerable risk to Red Hat Enterprise Linux 5 stability. Therefore, this problem has been resolved by updating the kdump.conf file to recommend to use diskUUIDs
orLABELs
instead of disk names for file-system based dump targets. - BZ#716386
- Previously, kdump did not verify whether the target raw dump device exists before attempting to dump a core file. Instead, kdump started to rebuild an
initrd
image directly, which resulted in a kdump failure. Furthermore, even though raw dump succeeded, kdump did not verify whether thevmcore
file was saved and the core file could not be recovered. This update modifies the kdump init script to perform verification tests on the target device. Kdump now no longer rebuilds the initrd image if the target device does not exist and properly recovers a core file if the raw dump has succeeded. - BZ#752930
- Kdump previously used an IP address as a part of the core dump directory name only for remote core dumps, which was confusing the users. With this update, kdump was modified to use the IP address of the
loopback
device (127.0.0.1
) for local dumps so that the core dump directory name has the same form for both local and remote core dumps. - BZ#771829
- Usually, when dumping a vmcore file over network, kdump has to bring up only one network interface card (NIC). However, when dumping to an iSCSI device, kdump may need to bring up multiple NICs. This functionality was not previously implemented in kdump and any dump attempt to the iSCSI device that required multiple NICs failed. With this update, kdump has been modified to be able to bring up multiple NICs if needed, and vmcore can now be successfully dumped on the iSCSI device.
- BZ#788678
- The
mkdumprd
utility did not detect the/var
file system if it was mounted on a separate partition, which caused kdump to fail to dump a core file. This update modifiesmkdumprd
to detect the partition that contains the/var
file system correctly. Kdump no longer fails in this scenario. - BZ#801496
- When dumping a core file using ssh and the remote kdump user is configured to use restricted shell (rksh), the core dump attempt failed. This happened because kdump used the
cat >
command to store thevmcore
file and the restricted shell forbids redirection. This update modifies kdump to use the dd command to save the vmcore file instead and dumping is now successful in this scenario. - BZ#802928
- The mkdumprd utility did not correctly handled NICs if the NIC had the
BOOTPROTO=none
parameter configured in the ifcfg file. Consequently, kdump was not able to bring the NIC up and failed to dump a core file over network. This update corrects mkdumprd to recognize theBOOTPROTO=none
parameter, and such NICs are now properly brought up when dumping a core file over network. - BZ#809983
- Previously for
ext2
,ext3
andext4
file systems, if the dump location was on different file system than was the root file system, the mkdumprd utility searched only for the ext4 kernel module. Consequently, kdump failed to recognize a file system and dump a core file. This update modifies mkdumprd to find proper kernel module also for ext2 and ext3 file systems and kdump works as expected in this scenario. - BZ#832017
- Currently on Red Hat Enterprise Linux 5, the
dd
utility is the default core collector when dumping on a raw partition. However, the only core collector supported by kdump is themakedumpfile
utility, which is not able to recognize vmcore files copied by dd. Previously, when the vmcore file was dumped on a raw partition, it was considered invalid and the core file recovery failed. With this update,mkdumprd
has been modified to display a warning message when a different core collector thanmakedumpfile
was used to compress the core file on the raw partition. The user has to recover the core dump manually.
Enhancement
- BZ#587361
- Previously, the
vmcore
file could not be dumped to amultipath
device because kexec-tools did not support this option. This update introduces multipath target support, which allows vmcore to be captured with multipath devices.
4.79. ksh
Bug Fix
- BZ#805459
- Previously, ksh did not expand the tilde (~) character properly. For example, characters in the tilde prefix were not treated as a login name but as a part of the path and the "No such file or directory" message was displayed. The underlying source code has been modified and tilde expansion now works as expected in such a scenario.
Bug Fixes
- BZ#771188
- Prior to this update, using the -R or -Z options of the typeset command did not work as expected. When a variable was assigned to a field that was of smaller size than the size of the variable, it would trim the incorrect values from the variable. Consequently, the resulting value in the trimmed variable was incorrect. The underlying source code has been modified and the typeset -R/-Z command works as expected.
- BZ#802565
- Previously, ksh did not expand the tilde (~) character properly. For example, characters in the tilde prefix were not treated as a login name but as a part of the path and the "No such file or directory" message was displayed. The underlying source code has been modified and tilde expansion now works as expected in such a scenario.
- BZ#804925
- In certain cases, ksh unnecessarily called the vfork() function. An extra process was created and it could be difficult to determine how many instances of a script were running. A patch has been applied to address this problem, and extra processes are no longer created if not required.
- BZ#811318
- Due to a missing patch that introduced the tsetio flag, the redirect output behavior changed depending on what ksh version was used. With this update, the missing patch was added and redirect output behavior is now consistent across all versions of ksh.
- BZ#812930
- Previously, ksh did not close certain file descriptors prior to execution. This could lead to a file descriptor leak, and certain applications could consequently report error messages. With this update, file descriptors are marked to be closed on execution if appropriate, so file descriptor leaks no longer occur.
- BZ#827522
- Due to a bug in the typeset command, when executed with the -Z option, output was being formatted to an incorrect width. As a result, exporting a right-aligned variable of smaller size than the predefined field size caused it to not be prepended with 0 characters. With this update, the typeset command works as expected in the aforementioned scenario.
- BZ#827613
- Previously, ksh did not allocate the correct amount of memory for its data structures containing information about file descriptors. When running a task that used file descriptors extensively, ksh terminated unexpectedly with a segmentation fault. With this update, the proper amount of memory is allocated, and ksh no longer crashes if file descriptors are used extensively.
4.80. kudzu
Bug Fix
- BZ#748481
- Prior to this update, the X11 configuration of video cards was skipped if no kernel driver was available, even if a corresponding Xorg driver existed. This update skips the configuration only in cases when none of the mentioned drivers are aqvailable.
Enhancement
- BZ#819903
- This update adds native support for Microsoft Hyper-V virtual hardware.
4.81. kvm
Bug Fix
- BZ#802429
- An accounting error in the I/O thread subsystem in QEMU could, under certain circumstances, lead to I/O stalls on the guest. This would typically cause the guest to become unresponsive. With this update, the accounting error has been corrected, and I/O stalls no longer occur in this scenario.
Bug Fixes
- BZ#814096
- Under certain circumstances, the qemu-kvm utility tried to invalidate an incorrect physical memory block, which resulted in qemu-kvm to terminate unexpectedly with a segmentation fault. The code has been fixed and the crashes no longer occur.
- BZ#684745
- Previously, when an I/O error occurred on a KVM host, the guest running on it became paused. After the guest was migrated to another host, the guest could not be properly resumed. Consequently, it was impossible to log in to the guest via SSH or a console. This bug has been fixed and migrated guests can now be resumed as expected.
- BZ#782631
- Due to an accounting error in the QEMU I/O thread subsystem, I/O delays were occurring on guests, which were observed as unresponsive for the time of the delay. This bug has been fixed and the delays no longer occur.
- BZ#805676
- Due to an incompatibility between previously used encryption modes and FIPS mode, it was impossible to start KVM guests when running kernel in FIPS mode. With this update, VNC password authentication is disabled when the host system is operating in FIPS mode, and QEMU exits and returns an error message if it is configured to run as a password-authenticated VNC server. If QEMU is configured to run as an unauthenticated VNC server, it will work as expected.
- BZ#838466
- Previously, the typeperf command of the virtualized Microsoft Windows Server 2008 Service Pack 2 for the x86 architecture with the SQL Server 2005 Service Pack 3 installed returned an invalid value for the Processor Time. This bug has been fixed and typeperf now returns a correct value.
- BZ#761350
- Previously, a simple counter was used to track GSIs (Global System Interrupts) that were given to devices. Consequently, when a hot plug or unplug operation was performed approximately 30 times on certain Ethernet controllers in a Microsoft Windows Server 2008 guest on the AMD64 and Intel 64 architectures, the controller driver returned a large number of error messages on incorrectly deallocated MSI-X table entries. This update uses a bitmap to track GSIs and the errors no longer occur.
- BZ#843683
- Previously, KVM did not provide receive overrun status information, which is used for virtual serial devices. Consequently, virtual machines using a serial console redirection became unresponsive on startup. This update implements receive overrun status and the hangs no longer occur.
- BZ#829040
- Due to a coding bug, the masking in the device assignment function was invalid. Consequently, the KVM device assignment bridge test could break virtual function of certain devices that implement BAR (Base Address Register) resources. This bug has been fixed and the test now works as expected.
- BZ#781922
- Under certain circumstances, implementation of the Realtek 8139 Ethernet driver allowed the qemu-kvm utility to attempt to allocate unlimited buffer size. If it happened, qemu-kvm terminated unexpectedly with a glib error, unable to allocate such a buffer. This update limits the transmission buffer size of the driver, thus fixing this bug.
- BZ#819413
- Previously, it was possible to shut down a guest using the system_powerdown command even if the "-no-shutdown" option was specified on the command line. This bug has been fixed and "-no-shutdown" is now handled properly.
Security Fixes
- CVE-2012-1601
- A flaw was found in the way the KVM_CREATE_IRQCHIP ioctl was handled. Calling this ioctl when at least one virtual CPU (VCPU) already existed could lead to a NULL pointer dereference later when the VCPU is scheduled to run. A malicious user in the kvm group on the host could use this flaw to crash the host.
- CVE-2012-2121
- A flaw was found in the way device memory was handled during guest device removal. Upon successful device removal, memory used by the device was not properly unmapped from the corresponding IOMMU or properly released from the kernel, leading to a memory leak. A malicious user in the kvm group on the host who has the ability to assign a device to a guest could use this flaw to crash the host.
Bug Fix
- BZ#816207
- An off-by-one error in the QEMU guest's memory management could, in rare cases, cause QEMU-KVM to crash due to a segmentation fault in tb_invalidate_phys_page_range() if a device initiated DMA into a specific guest address. In a reported case, this issue presented on a system that had a guest using the 8139cp network driver.
Security Fix
- CVE-2012-3515
- A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host.This flaw did not affect the default use of KVM. Affected configurations were:* When guests were started from the command line ("/usr/libexec/qemu-kvm"), and without specifying a serial or parallel device that specifically does not use a virtual console (vc) back-end. (Note that Red Hat does not support invoking "qemu-kvm" from the command line on Red Hat Enterprise Linux 5.)* Guests that were managed via libvirt, such as when using Virtual Machine Manager (virt-manager), but that have a serial or parallel device that uses a virtual console back-end. By default, guests managed via libvirt will not use a virtual console back-end for such devices.
4.82. lftp
Bug Fix
- BZ#810217
- Due to an incorrect evaluation of the length of an uploaded file, the lftp tool became unresponsive after a file transfer in ASCII mode. With this update, the volume of transferred data is recognized correctly and the lftp program no longer hangs in this scenario.
4.83. libexif
Security Fix
- CVE-2012-2812, CVE-2012-2813, CVE-2012-2814, CVE-2012-2836, CVE-2012-2837, CVE-2012-2840, CVE-2012-2841
- Multiple flaws were found in the way libexif processed Exif tags. An attacker could create a specially-crafted image file that, when opened in an application linked against libexif, could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
4.84. libgcrypt
Enhancement
- BZ#810319
- With Federal Information Processing Standards (FIPS) mode enabled, the libgcrypt library always started in the soft FIPS mode which allows applications to use the MD5 cryptographic hash algorithm. The libgcrypt API previously did not allow the library to programmatically switch from the soft FIPS mode to the enforced FIPS mode. With this update, if the application does not need MD5 support for the Transport Layer Security (TLS) protocol or non-cryptographic purposes, libgcrypt can be preset in the enforced FIPS mode.
4.85. libpng
Security Fix
- CVE-2011-3045
- A heap-based buffer overflow flaw was found in the way libpng processed compressed chunks in PNG image files. An attacker could create a specially-crafted PNG image file that, when opened, could cause an application using libpng to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
Security Fix
- CVE-2011-3048
- A heap-based buffer overflow flaw was found in the way libpng processed tEXt chunks in PNG image files. An attacker could create a specially-crafted PNG image file that, when opened, could cause an application using libpng to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
4.86. libtalloc
Note
Bug Fix
- BZ#837853, BZ#855387
- The talloc() hierarchical allocator did not ensure that the child pointers of a pointer did not become invalid during memory freeing operation. Consequently, processes that use the talloc library, such as the spoolss process of samba, could have terminated with a segmentation fault. The underlying source code has been modified and talloc() no longer causes Samba to fail in this situation.
4.87. libtdb
Note
Bug Fix
- BZ#736112
- Prior to this update, several names and file paths of binaries and manual pages in the tdb-tools package were in conflict with binaries and manual pages that are shipped in the samba package. With this update, these files have been renamed to avoid conflicts.
4.88. libtiff
Security Fix
- CVE-2012-1173
- Two integer overflow flaws, leading to heap-based buffer overflows, were found in the way libtiff attempted to allocate space for a tile in a TIFF image file. An attacker could use these flaws to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash or, possibly, execute arbitrary code.
Security Fixes
- CVE-2012-2088
- libtiff did not properly convert between signed and unsigned integer values, leading to a buffer overflow. An attacker could use this flaw to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash or, possibly, execute arbitrary code.
- CVE-2012-2113
- Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the tiff2pdf tool. An attacker could use these flaws to create a specially-crafted TIFF file that would cause tiff2pdf to crash or, possibly, execute arbitrary code.
Security Fixes
- CVE-2012-4447
- A heap-based buffer overflow flaw was found in the way libtiff processed certain TIFF images using the Pixar Log Format encoding. An attacker could create a specially-crafted TIFF file that, when opened, could cause an application using libtiff to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
- CVE-2012-5581
- A stack-based buffer overflow flaw was found in the way libtiff handled DOTRANGE tags. An attacker could use this flaw to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash or, possibly, execute arbitrary code.
- CVE-2012-3401
- A heap-based buffer overflow flaw was found in the tiff2pdf tool. An attacker could use this flaw to create a specially-crafted TIFF file that would cause tiff2pdf to crash or, possibly, execute arbitrary code.
- CVE-2012-4564
- A missing return value check flaw, leading to a heap-based buffer overflow, was found in the ppm2tiff tool. An attacker could use this flaw to create a specially-crafted PPM (Portable Pixel Map) file that would cause ppm2tiff to crash or, possibly, execute arbitrary code.
4.89. libuser
Bug Fixes
- BZ#506628
- Prior to this update, libuser could not signal the name service caching daemon (nscd) to refresh the cache. As a consequence, delays in the name service could occur when the user account information was changed. With this update, the libuser signals nscd to rebuild its cache. Now, changes that affect the name service take effect more quickly.
- BZ#670279
- Prior to this update, libuser used the value of the "gecos" attribute for the "cn" attribute by default when creating a user account with the Lightweight Directory Access Protocol (LDAP). As a consequence, an invalid value for "cn" was used and the user account was not created if the "gecos" attribute was empty. With this update, the user name of the account is stored in the "cn" attribute if the "gecos" attribute is empty, thus allowing successful creation of the user account.
- BZ#758117
- Prior to this update, libuser could attempt to access unallocated virtual memory when searching for account information in files of certain sizes. As a consequence, libuser could terminate unexpectedly with a segmentation fault when looking for user or group account information. This update modifies modifies the libuser library to only access memory related to the file being processed.
4.90. libvirt
Security Fix
- CVE-2012-2693
- Bus and device IDs were ignored when attempting to attach multiple USB devices with identical vendor or product IDs to a guest. This could result in the wrong device being attached to a guest, giving that guest root access to the device.
Bug Fixes
- BZ#675319
- Previously, the libvirtd library failed to set the autostart flags for already defined QEMU domains. This bug has been fixed, and the domains can now be successfully marked as autostarted.
- BZ#680289
- Prior to this update, the virFileAbsPath() function was not taking into account the slash ("/") directory separator when allocating memory for combining the cwd() function and a path. This behavior could lead to a memory corruption. With this update, a transformation to the virAsprintff() function has been introduced into virFileAbsPath(). As a result, the aforementioned behavior no longer occurs.
- BZ#783001
- With this update, a man page of the virsh user interface has been enhanced with information on the "domxml-from-native" and "domxml-to-native" commands. A correct notation of the format argument has been clarified. As a result, confusion is avoided when setting the format argument in the described commands.
4.91. libwpd
Security Fix
- CVE-2012-2149
- A buffer overflow flaw was found in the way libwpd processed certain Corel WordPerfect Office documents (.wpd files). An attacker could provide a specially-crafted .wpd file that, when opened in an application linked against libwpd, such as OpenOffice.org, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
4.92. libxml2
Security Fixes
- CVE-2012-2807
- Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way libxml2 handled documents that enable entity expansion. A remote attacker could provide a large, specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
- CVE-2011-3102
- A one byte buffer overflow was found in the way libxml2 evaluated certain parts of XML Pointer Language (XPointer) expressions. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
Security Fix
- CVE-2012-5134
- A heap-based buffer underflow flaw was found in the way libxml2 decoded certain entities. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
4.93. libxslt
Security Fixes
- CVE-2012-2871
- A heap-based buffer overflow flaw was found in the way libxslt applied templates to nodes selected by certain namespaces. An attacker could use this flaw to create a malicious XSL file that, when used by an application linked against libxslt to perform an XSL transformation, could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
- CVE-2012-2825, CVE-2012-2870, CVE-2011-3970
- Several denial of service flaws were found in libxslt. An attacker could use these flaws to create a malicious XSL file that, when used by an application linked against libxslt to perform an XSL transformation, could cause the application to crash.
- CVE-2011-1202
- An information leak could occur if an application using libxslt processed an untrusted XPath expression, or used a malicious XSL file to perform an XSL transformation. If combined with other flaws, this leak could possibly help an attacker bypass intended memory corruption protections.
4.94. linuxwacom
Bug Fix
- BZ#843859
- Due to a regression, when a Wacom tablet was used with only a lens cursor device attached to it for input, the lens cursor could not be moved. This update fixes this bug and lens cursor devices now work as expected in the described scenario.
4.95. logrotate
Bug Fixes
- BZ#644741
- Prior to this update, a conflict could occur when string arrays between the popt library and a hand-coded method written in logrotate were allocated and freed. As a consequence, the "compressoptions" directive in the logrotate configuration file caused logrotate to abort unexpectedly. This update modifies the underlying code to use the popt library instead. Now, logrotate works as expected.
- BZ#795405
- Prior to this update, the ".rhn-cfg-tmp-" file exension was missing from the the list of extensions to be skipped when loading the configuration files. As a consequence, ".rhn-cfg-tmp-" files were loaded as normal configuration files and the rotation process was interrupted. This update adds the ".rhn-cfg-tmp-" extension to the list of extensions to be skipped.
- BZ#736045
- Prior to this update, the logrotate utility did not check whether brackets were correctly matched in the configuration file. As a consequence, files were removed because logrotate did not detect the incorrectly matched brackets and did not stop the rotation process for the particular configuration file. This update modifies the underlying code to check the presence of brackets whether they are matched. Now, configuration files with bad syntax are skipped.
Enhancement
- BZ#510124
- With this update, logrotate can rotate logs defined in configuration files that contain configuration errors.
4.96. logwatch
Bug Fixes
- BZ#578806
- Due to an incorrect regular expression, positive changes in temperatures reported by the smartd daemon were shown as unmatched entries in the logwatch output. This update fixes the faulty regular expression and temperature log information is now displayed correctly.
- BZ#583607
- Prior to this update, logwatch did not correctly parse the RSYSLOG_FileFormat time stamps and displayed them as unmatched entries. With this update, parsing of the rsyslog time stamps has been fixed and works as expected.
- BZ#583721
- Yum's "applydate" time ranges were not correctly parsed by logwatch and were displayed as unmatched entries. This has been fixed and "applydate" time ranges are no longer displayed as unmatched entries.
- BZ#595068
- Xen virtual console logins were not correctly parsed by logwatch and were displayed as unmatched entries. This update fixes this bug.
- BZ#668067
- Logins initiated with the "su -" or "su -l" command were not correctly parsed by logwatch and were displayed as unmatched entries. This update fixes this bug.
- BZ#684577
- SSH Kerberos (GSS) logins were not correctly parsed by logwatch and were displayed as unmatched entries. This update fixes this bug.
4.97. lvm2
Bug Fixes
- BZ#770970
- Prior to this update, the --alloc option in the lvm2 man pages was insufficiently documented. A more detailed specification of allocation policies was needed. With this update, the description has been enhanced and provides a more comprehensive insight into the allocation process.
- BZ#786009
- Previously, when the pv_min_size setting in the lvm.conf configuration file (/etc/lvm/lvm.conf) was set to value smaller than the default value of 2048 KB, the system ignored this configuration later on. Consequently, the lvm commands returned the following warning when processing smaller physical volumes:Ignoring too small pv_min_size 512KB, using default 2048KB.This bug has been fixed, and user-set pv_min_size is no longer ignored in the aforementioned case.
- BZ#820237
- Previously, when a physical volume (PV) with no physical extents (PE) was in a volume group (VG), the vgcfgrestore command executed on the VG failed with the following message:Floating point exceptionThis behavior was caused by a division by zero error. With this update, a fix has been introduced to avoid the aforementioned exception. As a result, vgcfgrestore no longer fails in the described scenario.
- BZ#821013
- Previously, it was possible to use the lvcreate command with the --alloc cling option to create a linear device that exceeded any single physical volume (PV) within the volume group (VG). The lvcreate command placed the data across multiple PVs, which was in conflict with the cling allocation policy. This bug has been fixed and lvcreate now works in accordance with the selected allocation policy.
4.98. lvm2-cluster
Bug Fix
- BZ#824813
- If a physical volume (PV) presented in a volume group (VG) contained only metadata and no physical extents (PE), an attempt to write the volume group's metadata by running the "vgcfgrestore" command was not successful. Running the command failed with the "Floating point exception" error message, which was caused by a "division by zero" error. This bug has been fixed and lvm2-cluster now works correctly in such a case.
4.99. m2crypto
Bug Fix
- BZ#520817
- M2Crypto generated an invalid exception object on SSL timeouts, causing an IndexError in the Python httplib module. This made it impossible to correctly handle SSL timeouts in applications. This updated package adds the required attributes to the SSL timeout exception object and lets httplib process this information correctly.
Enhancement
- BZ#761596
- The M2Crypto.httpslib.HTTPSConnection class always created an IPv4 socket. This made it impossible to connect to IPv6 servers using this class. With this update, the implementation now correctly creates an IPv4 or IPv6 socket, as necessary, thus adding support for IPv6 servers.
4.100. man
4.100.1. RHBA-2012:0700 — man bug fix update
Bug Fix
- BZ#749288
- Prior to this update, the makewhatis script, which creates the whatis database of manual pages, ignored symbolic links between pages. With this update, the makewhatis script includes symbolic links in the whatis database.
4.101. man-pages-overrides
Bug Fixes
- BZ#621953
- Previously, the size of the buffer "entry" for the readdir_r() function was undocumented in the readdir(3) manual page. Consequently, a buffer overflow in user programs could occur. With this update, the readdir(3) manual page has been backported from Red Hat Enterprise Linux 6. As a result, the documentation of the readdir() and readdir_r() functions is now more accurate.
- BZ#695783
- Previously, the proper usage of the IPv6 addresses was not described in the ssh(1), scp(1), sftp(1) and sshd(8) manual pages. This update adapts these manual pages to reduce the possible ambiguity in the IPv6 address notation.
- BZ#782006
- Prior to this update, the vpdupdate(8) manual page did not contain any description of the "-a", "-s" and "-v" options. The manual page has been updated and the aforementioned options are now documented properly.
- BZ#783739
- The nscd.conf(5) manual page was missing some descriptions and contained several duplicate entries. With this update, the text has been clarified and redundant entries have been removed.
- BZ#786684
- Previously, the nsswitch.conf(5) manual page lacked information on the search mechanism, particularly about the "notfound" status. This update adds this information to the manual page.
- BZ#787567
- Prior to this update, the behavior of the connect() call with the local address set to INADDR_ANY was insufficiently described in the ip(7) manual page. Possible duplication of the local port after the call was not acknowledged. With this update, the documentation has been reworked in order to reflect the behavior of the connect() call correctly.
- BZ#809490
- Due to a vague description of the getdents() call in the getdents(2) manual page, the risk of using this call directly was not clear enough. The description has been extended with a warning to prevent incorrect usage of the getdents() call.
- BZ#838395
- Previously, the "-q" option of the scp program was insufficiently described in the scp(1) manual page. Part of its functionality was not mentioned, which could lead to unwanted results. The description has been extended and now provides a full characteristic of the "-q" option.
4.102. mdadm
Bug Fixes
- BZ#566828
- Due to a bug in the raid-check script, non-zero mismatch counts were reported on RAID 1 arrays, although this could happen legitimately on this type of array. Consequently, the "repair" and "check" commands did not work as expected. The raid-check script has been fixed and now non-zero mismatch counts are no longer reported in the described scenario.
- BZ#735803
- Under certain circumstances, arrays that were always busy when running the raid-check script would never be checked due to a bug in the script. This script has been modified and all RAIDs with active I/0 are checked as expected.
4.103. microcode_ctl
Enhancement
- BZ#790195
- The Intel CPU microcode file has been updated to version 20120606. This is the most recent version of the microcode available from Intel.
4.104. mkinitrd
Bug Fixes
- BZ#556785
- Prior to this update, the "mkrootdev" command could incorrectly use the slave device instead of the intended multipath device to create the /dev/root node when a multipath root device was specified by the label "LABEL". As a consequence, the slave device could not be mounted as it was already used by the master and creating the "/dev/root" node failed. This update modifies the mkinitrd code so that "mkrootdev" now ignores devices which are in use.
- BZ#782615
- Prior to this update, the bindings file in the initial RAM disk (initrd) could, under certain circumstances, fail to match the bindings file on the root file system. As a consequence, the boot process was interrupted and the system rebooted. This update modifies the underlying code so match the bindings file as expected.
Enhancements
4.105. mod_auth_kerb
Bug Fixes
- BZ#456662
- Prior to this update, the mod_auth_kerb source RPM could not be built by a non-root user. This was because the httpd-devel package places the apxs utility, which is needed to build the mod_auth_kerb package, into the /usr/sbin directory. This directory is not specified in the PATH variable for non-root users. With this update, the apxs utility is defined as being placed in the /usr/bin directory in the "mod_auth_kerb.spec" file, and the mod_auth_kerb SRPM can now be successfully built by non-root users.
- BZ#734098
- The "mod_auth_kerb" module did not use the Kerberos libraries in a thread-safe way. Therefore, if mod_auth_kerb ran under a multi-threaded Apache HTTP Server, authentication requests could terminate unexpectedly with a segmentation fault. With this update, the thread-safety problem has been fixed, and crashes no longer occur under these circumstances.
- BZ#446670
- The "KrbLocalUserMapping" Apache directive has been added to allow Kerberos principal names to be mapped to system user names.
4.106. mod_nss
Bug Fix
- BZ#849044
- Due to a regression, the mod_proxy module no longer worked when configured to support SSL reverse proxy operation. The following error message was logged:[error] SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.A new patch has been applied and the mod_proxy module now works correctly to support SSL reverse proxy.
Bug Fixes
- BZ#669963
- The previous release had an incorrect post-install script. Consequently, when upgrading "mod_nss" from version 1.0.3 to 1.0.8, the group and file permissions were incorrectly set. The HTTP server (httpd) did not start and the following error message was displayed:[error] NSS_Initialize failed. Certificate database: /etc/httpd/alias. [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZEDThis update improves the post-install script to set file permissions and ownership correctly. As a result, all child processes of the Apache HTTP Server can enable SSL and now httpd starts as expected in the scenario described.
- BZ#677698
- With the release of "mod_nss" version 1.0.8 there was no lock mechanism to control sequential httpd process access to the "nss_pcache" process. This sometimes resulted in multiple requests being interpreted as a single request by "nss_pcache" and a single result returned. The calling process sometimes experienced a timeout error or a failure with the error message:
[error] Unable to read from pin store
With this update the code has been improved and multiple requests to the "nss_pcache" process are processed sequentially without the errors described. - BZ#692868
- Due to a regression, the "mod_proxy" module no longer worked when configured to support reverse proxy operation. The following error was logged:
[error] SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.
A new patch has been applied and the "mod_proxy" module now works correctly to support SSL reverse proxy. - BZ#714255
- Previously, a static array containing the arguments for launching the "nss_pcache" command overflowed the array size by one. This could lead to a variety of problems including unexpected termination. This bug has been fixed, and "mod_nss" now uses a properly sized static array when launching "nss_pcache".
- BZ#749401
- Due to an incorrect use of the memcpy() function in the "mod_nss" module, running the Apache HTTP Server with this module enabled could cause some requests to fail with the following message written to the error_log file:
request failed: error reading the headers
This update applies a patch to ensure that the memcpy() function is now used in accordance with the current specification, and using the "mod_nss" module no longer causes HTTP requests to fail. - BZ#749402
- Prior to this update, client certificates were only retrieved during the initial SSL handshake if the NSSVerifyClient option was set to "require" or "optional". Also, the FakeBasicAuth option only retrieved Common Name rather than the entire certificate subject. Consequently, it was possible to spoof an identity using that option. This bug has been fixed, the FakeBasicAuth option is now prefixed with "/" and is thus compatible with OpenSSL. Certificates are now retrieved on all subsequent requests beyond the first one.
- BZ#749405, BZ#784548
- When the NSS library was not initialized and "mod_nss" tried to clear its SSL cache on start-up, "mod_nss" terminated unexpectedly when the NSS library was built with debugging enabled. With this update, "mod_nss" does not try to clear the SSL cache in the described scenario, thus preventing this bug.
- BZ#749406
- The "Requires: %{_libdir}/libnssckbi.so" directive has been added to the spec file to make "libnssckbi.so" a runtime dependency. This is to prevent symbolic links failing.
4.107. mod_python
Bug Fix
- BZ#431684
- Prior to this update, the publisher module did not correctly handle certain authentication variables. As a consequence, the web server could return an "400 Bad Request" error if the "publisher" handler was used with an authentication scheme other than "Basic". This update modifies the publisher.py code to handle the autentication as expected.
4.108. mozldap
Bug Fix
- BZ#753014
- Prior to this update, the ldapsearch tool could, under certain circumstances, access or free uninitialized memory when following a smart referral entry using anonymous credentials. As a consequence, the ldapsearch tool could encounter a segmentation fault. This update ensures that the memory is initialized. Now, ldapsearch works with anonymous credentials as expected.
4.109. mt-st
Bug Fix
- BZ#501014
- Prior to this update, it was not possible to use a symbolic name for the SILI bit on the command line; the bit could only be specified as a hexadecimal constant (0x4000). With this update, users can use the "sili" symbolic name on the command line.
4.110. mutt
4.110.1. RHBA-2012:1143 — mutt bug fix update
Bug Fix
- BZ#313291
- Prior to this update, the mutt agent failed to allow interruptions during getch calls. As a consequence, the signal "SIGINT" (Ctrl-C) was not handled correctly when waiting for user input. This update modifies the underlying code to allow interruptions.
4.111. mysql
Security Fix
- CVE-2012-4452
- It was found that the fix for the CVE-2009-4030 issue, a flaw in the way MySQL checked the paths used as arguments for the DATA DIRECTORY and INDEX DIRECTORY directives when the "datadir" option was configured with a relative path, was incorrectly removed when the mysql packages in Red Hat Enterprise Linux 5 were updated to version 5.0.95 via RHSA-2012:0127. An authenticated attacker could use this flaw to bypass the restriction preventing the use of subdirectories of the MySQL data directory being used as DATA DIRECTORY and INDEX DIRECTORY paths. This update re-applies the fix for CVE-2009-4030.Note: If the use of the DATA DIRECTORY and INDEX DIRECTORY directives were disabled as described in RHSA-2010:0109 (by adding "symbolic-links=0" to the "[mysqld]" section of the "my.cnf" configuration file), users were not vulnerable to this issue.This issue was discovered by Karel Volný of the Red Hat Quality Engineering team.
Bug Fixes
- 647223
- Prior to this update, the log file path in the logrotate script did not behave as expected. As a consequence, the logrotate function failed to rotate the "/var/log/mysqld.log" file. This update modifies the logrotate script to allow rotating the mysqld.log file.
- 654000
- Prior to this update, the mysqld daemon could fail when using the EXPLAIN flag in prepared statement mode. This update modifies the underlying code to handle the EXPLAIN flag as expected.
- 703476
- Prior to this update, the mysqld init script could wrongly report that mysql server startup failed when the server was actually started. This update modifies the init script to report the status of the mysqld server as expected.
- 806365
- Prior to this update, the "--enable-profiling" option was by default disabled. This update enables the profiling feature.
4.112. net-snmp
Bug Fix
- BZ#820850
- The SNMP daemon (snmpd) did not properly encode a negative Request-ID in outgoing requests (for example during trap operations). As a consequence, a 32-bit value could be encoded in 5 bytes instead of 4, and the outgoing requests could be refused by some implementations of the SNMP protocol as invalid. With this update, a Request-ID can no longer become negative and is always encoded in 4 bytes.
Security Fix
- CVE-2012-2141
- An out-of-bounds buffer read flaw was found in the net-snmp agent. A remote attacker with read privileges to a Management Information Base (MIB) subtree handled by the "extend" directive (in "/etc/snmp/snmpd.conf") could use this flaw to crash snmpd via a crafted SNMP GET request.
Bug Fix
- BZ#754652, BZ#755958, BZ#822061
- Devices that used certain file systems were not reported in the "HOST-RESOURCES-MIB::hrStorageTable" table. As a result, the snmpd daemon did not recognize devices using tmpfs, ReiserFS, and Oracle Cluster File System (OCFS2) file systems. This update recognizes these devices and reports them in the "HOST-RESOURCES-MIB::hrStorageTable" table.
- BZ#760001
- The snmptrapd (8) man page did not correctly describe how to load multiple configuration files using the "-c" option. This update describes correctly that multiple configuration files must be separated by a comma.
- BZ#783892
- Integers truncated from 64 to 32-bit were not correctly evaluated. As a consequence, the snmpd daemon could enter an endless loop when encoding the truncated integers to network format. This update modifies the underlying code so that snmpd correctly checks truncated 64-bit integers. Now, snmpd avoids an endless loop.
- BZ#799699
- snmpd did not correctly check for interrupted system calls when enumerating existing IPv6 network prefixes during startup. As a consequence, snmpd could prematurely exit when receiving a signal during this enumeration. This update checks the network prefix enumeration code for interrupted system calls. Now, snmpd no longer terminates when a signal is received.
- BZ#803585
- snmpd used the wrong length of COUNTER64 values in the AgentX protocol. As a consequence, snmpd could not decode two consecutive COUNTER64 values in one AgentX packet. This update uses the correct COUNTER64 size and can process two or mode COUNTER64 values in AgentX communication.
- BZ#805689
- snmpd ignored the "-e" parameter of the "trapsess" option in the snmpd configuration file. As a result, outgoing traps were incorrectly sent with the default EngineID of snmpd when configuring "trapsess" with an explicit EngineID. This update modifies the underlying code to send outgoing traps using the EngineID as specified in the "trapsess -e" parameter in the configuration file.
- BZ#818259
- snmpd did not correctly encode negative Request-IDs in outgoing requests, for example during trap operations. As a consequence, a 32-bit value could be encoded in 5 bytes instead of 4, and the outgoing requests were refused by certain implementations of the SNMP protocol as invalid. With this update, a Request-ID can no longer become negative and is always encoded in 4 bytes.
- BZ#828691
- snmpd ignored the port number of the "clientaddr" option when specifying the source address of outgoing SNMP requests. As a consequence, the system assigned a random address. This update allows to specify both the port number and the source IP address in the "clientaddr" option. Now, administrators can increase security with firewall rules and Security-Enhanced Linux (SELinux) policies by configuring a specific source port of outgoing traps and other requests.
- BZ#830042
- snmpd did not correctly process responses to internal queries when initializing monitoring enabled by the "monitor" option in the "/etc/snmp/snmpd.conf" configuration file. As a consequence, snmpd was not fully initialized and the error message "failed to run mteTrigger query" appeared in the system log 30 seconds after the snmpd startup. This update explicitly checks for responses to internal monitoring queries.
4.113. nss
Note
Bug Fixes
- BZ#789043
- A lack of robustness flaw caused crashes in the administration server for Red Hat Directory Server because the mod_nss module made nss calls before initializing nss per documented API. With this update, nss protects itself against being called before it as been properly initialized by the caller.
- BZ#786436
- Previously, due to a bug in the FreeBL library, Openswan could generate a Key Exchange payload that was one byte shorter than what was required by the Diffie Hellman (DH) protocol. As a consequence, Openswan dropped connections during such payloads. With this update, the size of the payload is set to zero by default, and the Softoken module is queried for the size. Connections are no longer dropped by Openswan in the described scenario.
4.113.2. RHBA-2012:0344 — nss bug fix update
Bug Fix
- BZ#798461, BZ#798462
- Crashes were reported in the messaging daemon (qpidd) included in Red Hat Enterprise MRG after a recent update to nss. This occurred as qpidd made nss calls before initializing nss. These updated packages prevent qpidd, and other affected processes that call nss without initializing as mandated by the API, from crashing.
Bug Fixes
- BZ#633519
- Due to errors in the Netscape Portable Runtime (NSPR) code responsible for thread synchronization, memory corruption sometimes occurred. Consequently, the web server daemon (httpd) sometimes terminated unexpectedly with a segmentation fault after making more than 1023 calls to the NSPR library. With this update, an improvement to the way NSPR frees previously allocated memory has been made and httpd no longer crashes in the scenario described.
- BZ#797939
- Some Network Security Services (NSS) clients call NSS without initializing first as mandated by the API and NSS did not protect itself against such improper usage. Consequently, this caused unexpected terminations on shutdown as some variables had not been properly initialized. Such crashes were reported in the messaging daemon (qpidd), included in Red Hat Enterprise MRG, after a recent update to the nss package. This occurred as qpidd made NSS calls before initializing NSS. With this update, NSS now protects itself against potential improper use by client code. As a result, NSS prevents qpidd, and other processes that may call NSS without initializing as mandated by the API, from crashing.
Enhancement
- BZ#820684
- The certutil tool was enhanced to support creation of Elliptic Curve (EC) key pairs on Hardware Security Modules.
Security Fix
- CVE-2012-0441
- A flaw was found in the way the ASN.1 (Abstract Syntax Notation One) decoder in NSS handled zero length items. This flaw could cause the decoder to incorrectly skip or replace certain items with a default value, or could cause an application to crash if, for example, it received a specially-crafted OCSP (Online Certificate Status Protocol) response.
Note
4.114. nss_ldap
Bug Fixes
- BZ#761281
- When parsing an ldap.conf file that contained a host and a port definition, the nss_ldap "do_add_hosts()" function always created a URI starting with "ldap://" regardless of SSL being enabled. Consequently, when the response included an "ldaps://..." referral to the same server and port, the libldap library considered this to be a different scheme ("ldaps" vs. the initial "ldap") and opened new connections for each referral lookup instead of reusing the existing persistent connection. The code has been improved and now when the SSL option is enabled the initial URI will be in the format "ldaps://...". As a result, nss_ldap now correctly uses the LDAPS scheme with SSL connections.
- BZ#797410
- Due to a regression in the configuration parser, the "do_readline()" function did not return the correct exit code when the last line of "/etc/ldap.secret" did not contain a newline. Consequently, the nss_ldap module failed to bind to the LDAP server. With this update the parser now returns the correct exit code when parsing /etc/ldap.secret and nss_ldap works as expected in the scenario described.
- BZ#835555
- The nss_ldap module used to leak memory when an entry that did not exist on the remote server was requested. The memory leak has been fixed by freeing an internal search structure even in cases where the search does not finish successfully.
4.115. OFED
Note
Bug Fixes
- BZ#536690
- IP over InfinBand (IPoIB) interfaces are artificial constructs created on top of InfiniBand RDMA devices. The IPoIB interface has a generated hardware MAC address. The queue pair that the interface is attached to is encoded in the hardware MAC address. However, when unloading and reloading the IPoIB module, it is likely that a different queue pair to the IPoIB queue pair will be assigned. Because the queue pair number is encoded in the MAC address of the IPoIB interface, and because it can change when the IPoIB module is unloaded and reloaded, the final MAC address of IPoIB interfaces can change. Consequently, when users created
ifcfg-ibX
files that specified the MAC address of the IPoIB interface, after a reload of the IPoIB kernel module, when the MAC address no longer matched, the IPoIB interface failed to be recognized as a configured interface by the network subsystem. To solve this problem, this update implements customifup-ib
andifdown-ib
network scripts that are aware of the portion of an IPoIB's MAC address that is constant versus the portion that is subject to change. As a result, when a user reloads the IPoIB module, and when the IPoIB interface's MAC address changes, theifup-ib
andifdown-ib
scripts will properly match against the portion that did not change and recognize the interface correctly. - BZ#571779
- Imperfect argument processing in the ibv_rc_pingpong program allowed arguments that were too large to be passed to the program. Consequently, the program terminated unexpectedly with a segmentation fault when attempting to set up transfers using large arguments. The checking of arguments in ibv_rc_pingpong has been strengthened. As a result, the program no longer crashes on bad arguments.
- BZ#575608
- Insufficient state checking in the
ifup-ib
script could cause it to create an invalid state on bond devices that had IPoIB slaves. Consequently, when the user calledifup
on the IPoIB interface, and expected it to be working, the master bond device was sometimes taken down. A check to make sure that the device is not already present in the bond device before attempting to add it is now made. As a result, the device is now initialized properly. - BZ#578640
- The
libibverbs.spec
file was missing theBuildRequires: valgrind-devel
line. Consequently, the libibverbs package was built without valgrind memory allocation debugging support. The required line has been added to the spec file and the libibverbs package now supports valgrind memory debugging. - BZ#668913
- When passed the
-r
flag, the ibdiagnet program attempted to free the same memory twice. Consequently, the program would trigger protection built into glibc and end the execution. The program has been fixed to no longer attempt to free the same memory twice and as a result the program completes as expected. - BZ#772602
- The ibnodes program is a simple shell wrapper script that calls ibhosts and ibswitches. When passed the
-h
switch to get help for the program, it passed that switch on to both ibhosts and ibswitches. Consequently, when the user ranibnodes -h
they saw help output for ibhosts and ibswitches. A simple help handler in the ibnodes program that outputs ibnodes-specific help information has been implemented and the problem no longer occurs. - BZ#773718
- A race condition on handling of completion events could confuse the ib_send_lat test program. Consequently, the ib_send_lat test program sometimes terminated unexpectedly with a segmentation fault. Completion processing has now been separated into two separate queues, one for send completions and one for receive completions. As a result, out of order and unexpected completions no longer confuse the test program, nor cause crashes.
- BZ#783945
- An error in thread handling resulted in the rping binary freeing resources before all threads that accessed those resources had exited. Consequently, the rping binary terminated unexpectedly with a segmentation fault when attempting to access already freed resources. Thread handling has been improved to wait for all threads to exit in various locations before proceeding with freeing memory resources. As a result, the rping application no longer crashes on iWARP hardware in the scenario described.
- BZ#846162
- The openibd init script loaded the parent
RDS
module if configured to do so, but did not load either of the RDS transports (TCP
andRDMA
). RDS is non-functional without at least one transport module loaded. Consequently, the RDS protocol was listed as available, but was not usable because no suitable interfaces with a supported transport could be found. The openibd init script has been updated to always load the TCP and RDMA transports if the RDS service is configured to be enabled in/etc/ofed/ofed.conf
. As a result, the RDS protocol is now functional and can find suitable interfaces over which to operate. - BZ#846164
- Early versions of the Qperf