5.9 Technical Notes

Security Fix

CVE-2012-0774, CVE-2012-0775, CVE-2012-0777

This update fixes multiple security flaws in Adobe Reader. These flaws are detailed on the Adobe security page APSB12-08. A specially-crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened.

BZ#811936

Previously, the aide utility incorrectly initialized the gcrypt library. This consequently prevented aide to initialize its database if the system was running in FIPS-compliant mode. The initialization routine has been corrected, and along with an extension to the libgcrypt's API introduced in the RHEA-2012:0484 advisory, aide now initializes its database as expected if run in a FIPS-compliant way.

BZ#547658

The help output of the aide executable did not mention the "-D" option which is a shortcut for "--config-check". The option could only be found on the aide(1) man page. With this update, the "-D" option is mentioned in both the help output and on the man page.

BZ#553137

Previously, the aide utility incorrectly initialized the gcrypt library. This consequently prevented aide to initialize its database if the system was running in FIPS-compliant mode. The initialization routine has been corrected, and along with an extension to the libgcrypt's API introduced in the RHEA-2012:0484 advisory, aide now initializes its database as expected if run in a FIPS-compliant way.

BZ#580253

The compare_dbline() function returned an "int" value, even though the function can operate with variables of size larger than "int" (for example, DB_SELINUX, DB_XATTRS or DB_WHIRPOOL). As a consequence, aide could produce incorrect results when checking a database for inconsistencies. The underlying source code has been modified so that the compare_dbline() function now returns an "unsigned long long" value, and aide correctly detects and reports database inconsistencies.

BZ#854012

Due to an incorrect configuration of the alsaloop utility from the alsa-utils package, high CPU usage occurred when using alsaloop. This also affected the alsa-delay script, which uses alsaloop for the configurable audio delay functionality. With this update, the alsaloop function has been reconfigured. As a result, the CPU usage is now optimized when alsaloop is used.

Bug Fixes

BZ#750681

When a host name provided by the user could not be resolved during system installation, it was added to the /etc/hosts file as a localhost record (under 127.0.0.1). Thus when configuring the network, DNS resolution of the host name did not work properly. This update ensures that user-provided host names are no longer written to the /etc/hosts file and host name resolution now works as expected.

BZ#760496

During the installation process, Anaconda failed to read the Release Notes using the getReleaseNotes() function. Consequently, the Release Notes button showed a pop-up error “Release Notes are missing”. The getReleaseNotes() function has been fixed and now properly presents the Release Notes when the Release Notes button is pressed.

BZ#769287

The maximum size limit for all ext file systems was set to 8 TB. Consequently, Anaconda limited the maximum size artificially for the ext3 and ext4 file systems, even though these systems support sizes up to 16 TB. The size limits for ext3 and ext4 have been extended to 16 TB.

BZ#773573

Pressing the ESC key in certain Anaconda dialog boxes behaved the same way as if the OK button was hit. This has been fixed and pressing the ESC key now has the same effect as hitting the Cancel button.

BZ#784159

Previously, symbolic links in the /dev/ directory, such as /dev/fd/, were not created during installation. Consequently, an attempt to use these links during the installation failed. The source code has been updated and symbolic links are now created correctly and can be used during installation.

BZ#788871

The openibd service was not enabled after installation when using IP over InfiniBand (IPoIB). Consequently, an InfiniBand device did not come up after installation. The underlying source code has been modified and the openibd service is now enabled when using IPoIB during installation.

BZ#797075

Previously, the --label option in the part section of a kickstart file was not honored. Consequently, partitions were not labeled in accordance with the kickstart option after system installation. The source code that handles partition label setting has been fixed, and partition labeling via a kickstart file works as expected.

BZ#812719

Kernel and initrd image sizes grew slightly in Red Hat Enterprise Linux 5.8. Consequently, the diskboot.img file did not have enough space to store all files and some of them were truncated or were not included in the image. The size of diskboot.img has been increased and all files fit as expected.

BZ#819721

Due to improper handling of invalid disks referenced in the kickstart file, Anaconda could crash with a traceback when attempting to execute the partitioning instructions. This bug has been fixed, Anaconda now checks for invalid BIOS disk references correctly and exits gracefully indicating that the referenced BIOS disk cannot be found.

BZ#841136

Newer versions of nfs-utils and mount.nfs are set to use the TCP protocol by default and Anaconda mounting code conflicted with this new default. Consequently, the Network File System (NFS) sources were not mountable and users were unable to install the system over this protocol. The Anaconda NFS mounting code has been updated to use TCP by default. As result, installations over NFS function as expected.

Enhancements

BZ#756213

This enhancement adds a class for Global File System (GFS) to the Anaconda code base. As a result, the lines with the “gfs” string in the /etc/fstab file are preserved on upgrade and using the gfs boot option enables a way to create new GFS partitions during installation. The lines with the unknown (unsupported) file system type are just commented out on upgrade instead of removed from the /etc/fstab file.

BZ#824880

This enhancement includes Microsoft ParaVirtualized (PV) drivers into the installation environment. Previously, running Red Hat Enterprise Linux as a guest on Microsoft provided only a sub-part user experience with need to download and install Microsoft tools and add the PV support. This update enables seamless installation of Red Hat Enterprise Linux as a guest on a Hyper-V server and Red Hat Enterprise Linux works out-of-the-box now.

BZ#562286

Prior to this update, the default English dictionary contained profanity. With this update, the profanity is moved from the default dictionary to the "en-complete" dictionary. To run aspell with this dictionary, use the "-d" switch: "aspell -d en-complete".

BZ#810126

A function to check validity of a mount location was meant to check only for a small subset of map location errors. A recent improvement modification in error reporting inverted a logic test in this validating function. Consequently, the scope of the test was widened, which caused automount to report false positive failures. With this update, the faulty logic test has been corrected and false positive failures no longer occur.

Security Fix

CVE-2012-2697

A bug fix included in RHBA-2012:0264 introduced a denial of service flaw in autofs. When using autofs with LDAP, a local user could use this flaw to crash autofs, preventing future mount requests from being processed until the autofs service was restarted. Note: This flaw did not impact existing mounts (except for preventing mount expiration).

BZ#585058

The autofs init script sometimes timed out waiting for the automount daemon to exit and returned a shutdown failure if the daemon failed to exit in time. To resolve this problem, the amount of time that the init script waits for the daemon has been increased to allow for cases where servers are slow to respond or there are many active mounts.

BZ#767428

Due to an omission when backporting a change, autofs attempted to download the entire LDAP map at startup. This mistake has now been corrected.

BZ#798448

A function to check the validity of a mount location was meant to check only for a small subset of map location errors. A recent modification in error reporting inverted a logic test in this validating function. Consequently, the scope of the test was widened, which caused the automount daemon to report false positive failures. With this update, the faulty logic test has been corrected and false positive failures no longer occur.

BZ#847101

When there were many attempts to access invalid or non-existent keys, the automount daemon used excessive CPU resources. As a consequence, systems sometimes became unresponsive. The code has been improved so that automount checks for invalid keys earlier in the process which has eliminated a significant amount of the processing overhead.

BZ#859890

The auto.master(5) man page did not document the "-t, --timeout" option in the FORMAT options section. This update adds this information to the man page.

BZ#690404

Previously, it was not possible to configure separate timeout values for individual direct map entries in the autofs master map. This update adds this functionality.

BZ#885731

Previously, the "named" name service daemon could terminate unexpectedly due to a race condition in the socket module. This race condition has been fixed and the "named" daemon no longer crashes.

Security Fixes

CVE-2012-1667

A flaw was found in the way BIND handled zero length resource data records. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records that would cause a recursive resolver or secondary server to crash or, possibly, disclose portions of its memory.

CVE-2012-1033

A flaw was found in the way BIND handled the updating of cached name server (NS) resource records. A malicious owner of a DNS domain could use this flaw to keep the domain resolvable by the BIND server even after the delegation was removed from the parent DNS zone. With this update, BIND limits the time-to-live of the replacement record to that of the time-to-live of the record being replaced.

Security Fix

CVE-2012-3817

An uninitialized data structure use flaw was found in BIND when DNSSEC validation was enabled. A remote attacker able to send a large number of queries to a DNSSEC validating BIND resolver could use this flaw to cause it to exit unexpectedly with an assertion failure.

Security Fix

CVE-2012-4244

A flaw was found in the way BIND handled resource records with a large RDATA value. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records, that would cause a recursive resolver or secondary server to exit unexpectedly with an assertion failure.

BZ#857056

The bind-chroot-admin script, executed when upgrading the bind-chroot package, failed to correctly update the permissions of the /var/named/chroot/etc/named.conf file. Depending on the permissions of the file, this could have prevented named from starting after installing package updates. With this update, bind-chroot-admin correctly updates the permissions and ownership of the file.

Security Fix

CVE-2012-5166

A flaw was found in the way BIND handled certain combinations of resource records. A remote attacker could use this flaw to cause a recursive resolver, or an authoritative server in certain configurations, to lockup.

BZ#883402

When authoritative servers did not return a Start of Authority (SOA) record, the "named" daemon failed to cache and return answers. A patch has been provided to address this issue and "named" is now able to handle such under-performing servers correctly.

Bug Fixes

BZ#657260

Previously, the DNS server (named) init script killed all named processes when stopping the named daemon. This caused a problem for container-virtualized hosts, such as OpenVZ, because their named processes were killed by the init script. The init script has been fixed and now only kills the correct named processes.

BZ#703452

When the /etc/resolv.conf file contained the search keyword with no arguments, the host/nslookup/dig utility failed to parse it correctly. With this update, such lines are ignored.

BZ#719855

The /etc/named.root.key file was not listed in the ROOTDIR_MOUNT variable. Consequently, when using bind97 with chroot, the named.root.key file was not mounted to the chroot environment. A patch has been applied and /etc/named.root.key is now mounted into chroot.

BZ#758057

A non-writable working directory is a long time feature on all Red Hat systems. Previously, named wrote the working directory is not writable as an error to the system log. This update changes the code so that named now writes this information only into the debug log.

BZ#803369

During a DNS zone transfer, named sometimes terminated unexpectedly with an assertion failure. A patch has been applied to make the code more robust, and named no longer crashes in the scenario described.

BZ#829823

Due to an error in the bind spec file, the bind-chroot subpackage did not create a /dev/null device. In addition, some empty directories were left behind after uninstalling bind. With this update, the bind-chroot packaging errors have been fixed.

BZ#829829

Previously, the nslookup utility did not return a non-zero exit code when it failed to get an answer. Consequently, it was impossible to determine if an nslookup run was successful or not from the error code. The nslookup utility has been fixed and now it returns 1 as the exit code when it fails to get an answer.

BZ#829831

The named daemon, configured as master server, sometimes failed to transfer an uncompressible zone. The following error message was logged:

transfer of './IN': sending zone data: ran out of space

The code which handles zone transfers has been fixed and this error no longer occurs in the scenario described.

Enhancements

BZ#693788

Previously, bind97 did not contain the root zone DNSKEY. DNSKEY is now located in /etc/named.root.key.

BZ#703096

With this update, the size, MD5 checksum, and modification time of the /etc/sysconfig/named configuration file is no longer checked via the rpm -V bind command.

BZ#703397

The host utility now honors debug, attempts, and timeout options in the /etc/resolv.conf file.

BZ#703411

The DISABLE_ZONE_CHECKING option has been added to /etc/sysconfig/named. This option adds the possibility to bypass zone validation via the named-checkzone utility in the /etc/init.d/named init script and allows starting named with misconfigured zones.

BZ#749214

The return codes of the dig utility are now documented in the dig man page.

BZ#811566

The option to disable Internationalized Domain Name (IDN) support in the dig utility was incorrectly documented in the man page. The dig man page has been corrected to explain the use of the libidn environment option CHARSET for disabling IDN.

BZ#829827

Previously, the rndc.key file was generated during package installation by the rndc-confgen -a command, but this feature was removed in Red Hat Enterprise Linux 5.8 because users reported that installation of the bind package sometimes became unresponsive due to lack of entropy in /dev/random. The named init script now generates rndc.key during the service startup if it does not exist.

Security Fixes

CVE-2012-1667

A flaw was found in the way BIND handled zero length resource data records. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records that would cause a recursive resolver or secondary server to crash or, possibly, disclose portions of its memory.

CVE-2012-1033

A flaw was found in the way BIND handled the updating of cached name server (NS) resource records. A malicious owner of a DNS domain could use this flaw to keep the domain resolvable by the BIND server even after the delegation was removed from the parent DNS zone. With this update, BIND limits the time-to-live of the replacement record to that of the time-to-live of the record being replaced.

Security Fix

CVE-2012-3817

An uninitialized data structure use flaw was found in BIND when DNSSEC validation was enabled. A remote attacker able to send a large number of queries to a DNSSEC validating BIND resolver could use this flaw to cause it to exit unexpectedly with an assertion failure.

Security Fix

CVE-2012-4244

A flaw was found in the way BIND handled resource records with a large RDATA value. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records, that would cause a recursive resolver or secondary server to exit unexpectedly with an assertion failure.

Security Fix

CVE-2012-5166

A flaw was found in the way BIND handled certain combinations of resource records. A remote attacker could use this flaw to cause a recursive resolver, or an authoritative server in certain configurations, to lockup.

BZ#818708

Due to instability in calculating the program header size, the GNU linker could terminate unexpectedly with the "looping in map_segments" error message. With this update, the linker has been modified to properly handle changes in the size of the segment map, which prevents the instability and the linker no longer crashes in this scenario.

BZ#834277

When attempting to mount an NFS file system, the mount command in the busybox package was using the UDP protocol by default while the standard mount utility uses the TCP protocol by default. Consequently, directories could not be mounted from the server. With this update, the mount command in busybox has been fixed to use TCP by default, thus preventing this bug.

BZ#765665

The fence_rhevm fencing agent uses the Red Hat Enterprise Virtualization API to check the power status ("on" or "off") of a virtual machine. In addition to the states of "up" and "down", the API includes other states like "unassigned", "powering_up", "paused", "migrating", "unknown", "not_responding", "wait_for_launch", "reboot_in_progress", "saving_state", "restoring_state", "suspended", "image_illegal", "image_locked" or "powering_down". Previously, only if the machine was in the "up" state, the "on" power status was returned. The "off" status was returned for all other states although the machine was actually running. This allowed for successful fencing even before the machine was really powered off. With this update, the fence_rhevm agent detects power status of a cluster node more conservatively, and the "off" status is returned only if the machine is really powered off, it means in the "off" state.

BZ#811939

Previously, cman did not handle idle connection timeout correctly when fencing a cluster node. Consequently, a connection to a fence device timed out and fencing failed if the "delay" option was set to more than 5 seconds. With this update, the "delay" option is applied before the connection is opened and the fencing thus no longer fails in this scenario.

BZ#861392

The speed of fencing is critical because otherwise, broken nodes have more time to corrupt data. Previously, the operation of the fence_vmware_soap fencing agent was slow when used on the VMWare vSphere platform with hundreds of virtual machines. This update fixes a problem with virtual machines that do not have a valid UUID, which can be created during failed P2V (Physical-to-Virtual) processes. Now, the fencing process is also much faster and it does not terminate if a virtual machines without an UUID is encountered.

Bug Fixes

BZ#674497

With this update, several typographical errors in the fence/agents/scsi/fence_scsi.pl file have been fixed. As a result, the debug messages of this file are now typographically correct.

BZ#745985

Prior to this update, the VMware vSphere 5.0 SOAP API was not listed as a version supported by the fence_vmware_soap fence agent. Consequently, the fence agent did not function properly with virtual machines managed by VMware vSphere 5.0. With this update, VMware vSphere 5.0 has been added to the list of supported interfaces, and is fully compatible with fence_vmware_soap.

BZ#753839

Previously, the fence_scsi man page contained incorrect information about the limitations of the fence_scsi agent. The correct description of these limitations can be found in the in the Cluster Administration guide. With this update, the misleading section has been removed from the manual page in order to avoid the potential confusion.

BZ#782919

Prior to this update, when attempting to create registrations on a multipath device with the fence_scsi_test -o command, some registrations failed without signalization. Consequently, there was a need to verify that all registrations had been successfully created. With this update, a --strict option has been added into the fence_scsi_test program. This option forces the verification step to compare the number of paths to the number of times the registration key appears on the device. Without this option, the verification step only inspects the existence of a registration key on the device. Although it is usually safe to omit the --strict option, it is strongly recommended to use --strict on multipath devices.

BZ#786485

The fence_rhevm fencing agent uses the Red Hat Enterprise Virtualization API to check the power status ("on" or "off") of a virtual machine. In addition to the states of "up" and "down", the API includes other states like "unassigned", "paused", etc. (14 in sum). Previously, only when the machine was in the "up" state, the "on" power status was returned. The "off" status was returned for all other states even though the machine was actually running. This behavior allowed for successful fencing even before the machine was powered off. The bug has been fixed and the "off" status is now returned only in a case the machine is in the "off" state.

BZ#804170

Previously, the cman utility did not apply the --delay option correctly when fencing a cluster node. Consequently, a connection to a fence device timed out and fencing failed when --delay was set to more than 5 seconds. With this update, --delay is applied before the connection is opened and the fencing no longer fails in the described scenario.

BZ#809390

Prior to this update, when the method name setting was left empty in the /etc/cluster/cluster.conf configuration file, an unintended core file was created. Consequently, a fenced cloud terminated with a segmentation fault. This bug has been fixed, and the termination no longer occurs in the aforementioned scenario.

BZ#809481

Due to a bug in the fence_scsi_test function, failing to create a reservation led to an incorrect reset of the error count to zero. The bug has been fixed, and the error count is now incremented properly when the error occurs.

BZ#836654

Previously, the fence_vmware_soap fencing agent operated slowly on the VMware vSphere platform with hundreds of virtual machines (VM). This behavior was caused by requesting for needless attributes. With this update, the unnecessary requests have been removed. This update also handles the VMs with invalid UUIDs, which can occur as a result of the failed P2V (physical to virtual machine) process. As a result, fence_vmware_soap performs fencing with increased speed and the process is no longer terminated when a VM without an UUID is encountered.

BZ#843083

In certain cases, the fence_xvm fencing agent incorrectly reported successful fencing, and ignored a communication issue between the agent and the fence_xvmd fencing host. This bug has been fixed and the communication errors are now reported correctly.

BZ#863567

The new href attribute on the /vms/vm element in the Red Hat Enterprise Virtualization Manager 3.1 API caused the get_id regular expression of the fence_rhevm fencing agent to fail. Consequently, the plug status was not available. With this update, get_id has been modified to allow arbitrary attributes to be added to the element. As a result, the plug status is now correctly shown.

Enhancements

BZ#738705

RHEL5 Cluster Suite now supports using RHEV shared storage disks as the shared storage between cluster nodes. Highly Available Logical Volume Manager (HA-LVM), Clustered Logical Volume Manager (CLVM), and the qDisk daemon are all supported on this storage. Fencing via fence_scsi will not work as shared disks are only exposed as VirtIO or IDE devices.

BZ#741985

A new fence agent, fence_ipdu, that handles the IBM iPDU fence device over the Simple Network Management Protocol (SNMP) has been added. As a result, the cman package now provides compatibility with IBM iPDU.

BZ#782900

Previously, using the qdiskd daemon for multipath devices required tuning with the device-mapper-multipath tool, which was a complex and error-prone process. With this update, the qdiskd input and output operations have been improved to automatically detect the multipath-related timeouts without requiring a manual configuration. As a result, qdiskd can now be easily deployed with device-mapper-multipath.

BZ#810949

Various cman fence agents differ in handling of the end-of-line (EOL) markers. Previously, changing the universal \r\n EOL could make the login process impossible for the fence agent. With this update, an automatic detection of EOL has been added to a fencing library and the described error no longer occurs.

BZ#821857

Prior to this update, it was not possible to specify more than four fencing devices per method with the cman utility. With this update, the maximum number of devices per method has increased to eight.

BZ#836963

The Distributed Lock Manager (DLM) now allows tuning of DLM hash table sizes from the /etc/sysconfig/cman file. The following parameters can be set in the /etc/sysconfig/cman file:

DLM_LKBTBL_SIZE=<size_of_table>
DLM_RSBTBL_SIZE=<size_of_table>
DLM_DIRTBL_SIZE=<size_of_table>

which, in turn, modifies the values in the following files respectively:

/sys/kernel/config/dlm/cluster/lkbtbl_size
/sys/kernel/config/dlm/cluster/rsbtbl_size
/sys/kernel/config/dlm/cluster/dirtbl_size

BZ#856954

Previously, it was not possible to modify the default TCP port (21064) of the Distributed Lock Manager (DLM). With this update, the DLM_TCP_PORT configuration parameter has been added into the /etc/sysconfig/cman file. As a result, the DLM TCP port can be manually configured.

BZ#878998

Support for clusters utilizing VMware's VMDK disk image technology with the multi-writer option is now provided. It is now possible to deploy Global File System 2 (GFS2) on top of VMDK.

BZ#809642

Previously, when successively activating and deactivating cluster mirrors, cmirror could fail to initialize the mirrors properly. Consequently, any I/O operations to the device and further LVM commands became unresponsive. With this update, cmirror has been modified to fix this bug; however, the problem can still occur after a large number of iterations.

BZ#816973

The cluster mirror daemon sends information between cluster nodes to keep the mirror log state consistent. Information about the state and health of the mirror and its devices is gathered as needed from the daemon. Some of the information does not change after the device has reached a certain state, for example when the mirror becomes "in-sync", while other information can change, for example the health of the log device in response to a failure. To limit the amount of such requests and reduce the load on the network, processing of information which cannot change is done locally. Previously, also requests for information regarding the health of the log device - which ultimately controls the fault handling behavior of the mirror - were processed locally, which caused the daemon to miss the failure of the log device on a remote machine. With this update, the information is requested from the cluster so that log device failures are detected and processed as expected.

BZ#711594

Prior to this update, requests for information about the health of the log device were processed locally. As a consequence, the cluster mirror daemon could not detect log device failures on remote machines. With this update, the information is requested from the cluster so that log device failures are detected and processed as expected.

BZ#806919

Prior to this update, the cmirror utility could fail to initialize the mirrors correctly when successively activating and deactivating cluster mirrors. As a consequence, any I/O operation to the device and further LVM commands became unresponsive.This update modifies the underlying code so that the problem only occurs after a large number of iterations.

Security Fix

CVE-2012-3359

It was discovered that luci stored usernames and passwords in session cookies. This issue prevented the session inactivity timeout feature from working correctly, and allowed attackers able to get access to a session cookie to obtain the victim's authentication credentials.

BZ#832181

Prior to this update, luci did not allow the fence_apc_snmp agent to be configured. As a consequence, users could not configure or view an existing configuration for fence_apc_snmp. This update adds a new screen that allows fence_apc_snmp to be configured.

BZ#832183

Prior to this update, luci did not allow the SSL operation of the fence_ilo fence agent to be enabled or disabled. As a consequence, users could not configure or view an existing configuration for the 'ssl' attribute for fence_ilo. This update adds a checkbox to show whether the SSL operation is enabled and allows users to edit that attribute.

BZ#832185

Prior to this update, luci did not allow the "identity_file" attribute of the fence_ilo_mp fence agent to be viewed or edited. As a consequence, users could not configure or view an existing configuration for the "identity_file" attribute of the fence_ilo_mp fence agent. This update adds a text input box to show the current state of the "identity_file" attribute of fence_ilo_mp and allows users to edit that attribute.

BZ#835649

Prior to this update, redundant files and directories remained on the file system at /var/lib/luci/var/pts and /usr/lib{,64}/luci/zope/var/pts when the luci package was uninstalled. This update removes these files and directories when the luci package is uninstalled.

BZ#839732

Prior to this update, the "restart-disable" recovery policy was not displayed in the recovery policy list from which users could select when they configure a recovery policy for a failover domain. As a consequence, the "restart-disable" recovery policy could not be set with the luci GUI. This update adds the "restart-disable" recovery option to the recovery policy pulldown list.

BZ#842865

Prior to this update, line breaks that were not anticipated in the "yum list" output could cause package upgrade and/or installation to fail when creating clusters or adding nodes to existing clusters. As a consequence, creating clusters and adding cluster nodes to existing clusters could fail. This update modifies the ricci daemon to be able to correctly handle line breaks in the "yum list" output.

BZ#741986

This update adds support for configuring the Intel iPDU fence agent to the luci package.

BZ#822633

This update adds support for viewing and changing the state of the new 'nfsrestart' attribute to the FS and Cluster FS resource agent configuration screens.

BZ#803356

An incomplete fix for behavior of the "mv --backup" command, that was released with the RHBA-2011:1074 errata advisory, caused the "cp --backup" command to work incorrectly. When used with a directory as a source argument, the "cp --backup" command did not backup individual files within the directory but whole directory. This update corrects the problem and the "--backup" feature of the "cp" utility now works as intended again.

BZ#573943

Prior to this update, the cpio man page did not document how to use tape devices that do not use the default block size of 512 bytes for I/O operations. As a result, the cpio utility could fail with the error message "cpio: read error: Cannot allocate memory" if another block size was used. With this update, the man page states that setting the block size with the "--block-size" long option avoids this problem.

BZ#883727

The Xen dom0 dump files created with the "makedumpfile -d1" command on very large systems could create an ELF vmcore that the crash utility incorrectly determined to be an old-style netdump vmcore. Consequently, the crash session failed during initialization with the error message "crash: cannot read xen kdump p2m mfn page". With this update, the code has been fixed and the crash utility now properly starts in the described scenario.

BZ#532157

The cron daemon had no mechanism to manage cron job rescheduling in a shared environment selectively. Therefore, when a large number of hosts attempted to execute their jobs at the same time, a network or server running the jobs could become overloaded. This update modifies the run-parts script to provide cron job randomization. When cron job randomization is enabled and configured, and a cron job fails to be executed at the scheduled time, cron retries to execute jobs after a random interval. The network and server overloading due to too many simultaneous cron jobs can no longer occur.

BZ#440628

Previously, the spec file contained the %{dist} tag on the "Release" line. To comply with the packaging and naming guidelines, the tag has been changed to %{?dist} with this update.

BZ#739502

Due to a name conflict of tools provided by the samba and tdb-tools packages, some binaries from the tdb-tools have to be renamed upon installation. The ctdb init script did not contain the updated names for the tdb-tools utilities. Consequently, the ctdb service could not be started via the init script. This update corrects the ctdb init script to search for tdb-tools utilities under their new name.

BZ#849581

A memory leak in the digest-md5 plugin was discovered. Specifically, make_client_request was called twice without being freed. Consequently, applications that used DIGEST-MD5 with very large datasets could (and did) crash. This update frees make_client_request correctly and closes the memory leak. Applications using DIGEST-MD5 as part of authentication with large datasets now work as expected.

BZ#806204

The multipathd daemon creates its private namespace which is supposed to keep only the file systems that are necessary for multipathd to run. However, multipathd did not check every file system in the namespace, and the namespace thus could contain also non-essential file systems. As a consequence, devices containing such file systems could not be removed from the system. With this update, multipathd verifies all file systems in its private namespace and removes every non-essential file system found. The devices containing the non-essential file systems can now be removed as expected when the file systems are unmounted.

BZ#858010

If the initrd RAM disk was not rebuilt when a new storage device was added to the system, the new device could be assigned a user_friendly_names value that collided with a value already assigned to another device. Consequently, the original device then stopped working correctly. Now, the multipathd daemon accepts the "-B" option, which makes the user_friendly_names bindings file read-only. When initrd calls multipath with the "-B" option, devices without a binding to a user_friendly_names use their World Wide Identifier (WWID) instead, thus fixing this bug.

BZ#833193

The multipathd daemon ignored all subdirectories in /var/lib/ when deciding which file systems to unmount. Now, the only subdirectory of /var/lib/ that multipathd does not unmount is /var/lib/multipath/. Also, multipathd now unmounts all unnecessary file systems before mounting the ramfs on the /tmp/, /bin/, and /sbin/ directories.

BZ#769990

If initrd was not rebuilt when a new storage device was added to the system, the new device could have been assigned a user_friendly_names value already assigned to another device, and the device stopped working correctly. multipathd now accepts the -B option, which makes the user_friendly_names bindings file read-only. When started with the -B option, multipath devices without a binding to a user_friendly_names use their World Wide Identifier (WWID).

BZ#803849

The multipathd daemon failed to unmount some file systems because the daemon was deleting unnecessary file systems while reading through the list of mounted file systems. Consequently, Multipath could have missed the deleted file systems. The multipathd daemon now reads through all file systems first and creates a list of the file systems to unmount, which are then unmounted based on this list.

BZ#771571

The multipathd daemon incorrectly returned exit code 1 when called with the -h option. The deamon now returns exit code 0 when called with the -h option.

BZ#783522

The multipathd daemon did not always flush the log buffer if it failed during start-up and error messages logged during start-up could be lost. multipathd now always flushes the log buffer on failures and error messages are logged correctly if multipathd terminates unexpectedly during start-up.

BZ#781480

The multipath priority callout programs did not work correctly with CCISS (Compaq Command Interface for SCSI-3 Support) devices because multipath could not convert the ! character in a CCISS sysfs name to the / character in the CCISS device name. Consequently, callout programs failed to set path priorities for these devices. The code has been modified and Multipath now supports the "%c" wildcard for callout functions and the CCISS names are converted correctly.

BZ#742906

This update adds the default configuration for HP P2000 G3 MSA Smart Array Systems.

BZ#744231

Multiple default settings and parameters have been enhanced: - The multipathd daemon did not set the max_fds option and the user had to manually set the max_fds option in multipath.conf. - Multipath did not disable queuing when it stopped: when multipathd stopped on node shutdown, if a multipath device had no working paths and was set to queue_if_no_path, the device queued outstanding IO forever, rendering the machine unresponsive. - The user_friendly_names option was only configurable in the defaults section and users could not override its value in their device-specific configurations. - A path group with many secondary paths could be used instead of the path group with the primary path by default. This happened because Multipath set the priority of path groups to the sum of their path priorities and used the path group with the primary path instead of using a path group with many secondary paths.

Device Mapper Multipath now sets max_fds to the system maximum, queue_if_no_daemon to the "no", and pg_prio_calc to "average" by default. The user_friendly_names property can be configured in the devices section of multipath.conf.

BZ#788965

Configuration for Fujitsu ETERNUS storage systems has been added.

BZ#799847

The built-in configuration for NetApp LUNs has been updated to use the tur path checker by default and multiple hardware table parameters have been updated.

CVE-2012-3571

A denial of service flaw was found in the way the dhcpd daemon handled zero-length client identifiers. A remote attacker could use this flaw to send a specially-crafted request to dhcpd, possibly causing it to enter an infinite loop and consume an excessive amount of CPU time.

BZ#484892

Prior to this update, the "-E" option of the sdiff command was not accepted and returned the following error message:

sdiff: invalid option -- E sdiff: Try `sdiff --help' for more information.

This was because the "-E" option was accidentally omitted from the list of accepted options. This update fixes this bug, and the "-E" option works as expected.

BZ#563618

When using the cmp command's "-s" option to compare files, incorrect results were returned for special files whose metadata is not accurate, for example files in the proc file system. This update fixes this bug by always reading the content of files whose length is reported as zero bytes.

BZ#448293

Prior to this update, the doxygen utility could create conflicts with multilib when doxygen added timestamps by creating doc files. This update modifies doxygen so that no more conflicts between multilib and doxygen occur.

BZ#824051

Previously, the status of the uuidd daemon was not correct when shown by the service tool, because the stored PID was not the PID of the running uuidd daemon. This was due to the incorrect PID that was written by the uuidd daemon upon startup. With this update, this bug has been fixed so that the returned status of the uuidd daemon is now correct.

BZ#701776

Due to a bug in the resize2fs program, the size of the ext3 file system created on a 16TB block device could not be modified. Consequently, the "device too big" error occurred. This bug has been fixed and file systems residing on 16T block devices can now be re-sized within the existing file system size limits.

BZ#707433

Previously, the uuidd daemon (uuidd) wrote an incorrect PID on startup to the /var/lib/libuuid/uuidd.pid file. Consequently, the service utility showed the incorrect status of uuidd because the stored PID was not the PID of the running uuidd process. This bug has been fixed and the returned status of uuidd is now correct in the described scenario.

Bug Fixes

BZ#707314

Due to a bug in the resize2fs program, the size of the ext4 file system created on a 16TB block device could not be modified. Consequently, the "device too big" error occurred. This bug has been fixed and file systems residing on 16TB block devices can now be re-sized within the existing file system size limits.

BZ#785200

Prior to this update, the mke4fs command created an ext2 file system by default. In order to create an ext4 file system, the "-t ext4" command-line option had to be inserted. This behavior has been changed, and mke4fs now creates an ext4 file system by default, without the need for extending the command.

BZ#807269

The ESC utility did not start when the latest 10 series release of the XULRunner runtime environment was installed on the system. This update includes necessary changes to ensure that ESC works as expected with the latest version of XULRunner.

BZ#807801

After removing and replacing an enrolled token, ESC could terminate unexpectedly followed by a traceback. A patch has been applied to address this issue and ESC now displays the enrolled smart card details as expected.

BZ#714880

The etherboot-zroms-kvm package runs the update-alternatives utility during installation; however, the chkconfig package which provides the utility was previously not required by etherboot-zroms-kvm. As a consequence, the installation could fail with a "No such file or directory" error message. The chkconfig package has been added as a dependency to ensure successful installation of etherboot-zroms-kvm.

Security Fixes

CVE-2012-0876

A denial of service flaw was found in the implementation of hash arrays in Expat. An attacker could use this flaw to make an application using Expat consume an excessive amount of CPU time by providing a specially-crafted XML file that triggers multiple hash function collisions. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions.

CVE-2012-1148

A memory leak flaw was found in Expat. If an XML file processed by an application linked against Expat triggered a memory re-allocation failure, Expat failed to free the previously allocated memory. This could cause the application to exit unexpectedly or crash when all available memory is exhausted.

BZ#758105

Prior to this update, the swap signature on the Itanium architecture was not stored in the same place as on other architectures. As a consequence, the file utility failed to detect the swap signature on Itanium. This update adds a new "magic" pattern to detect the swap signature on Itanium architecture.

BZ#789830

Prior to this update, the "magic" pattern to detect Infocom Game Data was too weak. As a consequence, Some files were wrongly identified as Infocom Game Data when they were actually in different format. This update modifies the Infocom Game Data "magic" pattern so only valid Infocom Game Data files are detected by this pattern.

BZ#758631

Prior to this update, the file utility did not contain a "magic" pattern to detect zip64 (zip 3.0) files. As a consequence, the file utility failed to detect archives in the zip64 format. This update adds a new "magic" pattern to detect the zip64 format.

BZ#758634

Prior to this update, the file utility did not contain a "magic" pattern to detect WebM video files. As a consequence, the file utility failed to detect WebM video files. This update adds a new "magic" pattern to detect the WebM files.

BZ#809801

Prior to this update, the file utility did not contain a "magic" pattern to detect LZMA archives. As a consequence, the file utility failed to detect archives in LZMA format were not detected. This update adds a new "magic" pattern to detect the LZMA files.

BZ#826899

Prior to this update, the "magic" pattern to detect Dell BIOS headers was outdated. As a consequence, the file utility failed to detect newer BIOS formats. This update modifies the ""magic"" pattern to detect also new formats of Dell BIOS correctly.

BZ#826901

Prior to this update, the file utility contained ""magic"" patterns that incorrectly detected files according to one byte only. As a consequence, Unicode text files that contained the particular byte in a particular position could be incorrectly recognized as DOS executable files. This update removes the problematic patterns. Patterns that match less than 16 bits are no longer accepted, and the utility no longer detects Unicode files as DOS executables.

BZ#871568

The "out-of-process plug-ins" feature was previously disabled for wrapped plug-ins by default. This could cause Firefox to terminate unexpectedly when accessing a page that contained a flash object and the flash plug-in and the nswrapperplugin plug-in viewer were installed. To resolve this problem, the "out-of-process plug-ins" feature has been enabled for the wrapped plug-ins. Firefox no longer crashes in this scenario.

Security Fixes

CVE-2012-3969, CVE-2012-3970

A web page containing a malicious Scalable Vector Graphics (SVG) image file could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.

CVE-2012-3967, CVE-2012-3968

Two flaws were found in the way Firefox rendered certain images using WebGL. A web page containing malicious content could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox.

CVE-2012-3966

A flaw was found in the way Firefox decoded embedded bitmap images in Icon Format (ICO) files. A web page containing a malicious ICO file could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-3966)

CVE-2012-3980

A flaw was found in the way the "eval" command was handled by the Firefox Web Console. Running "eval" in the Web Console while viewing a web page containing malicious content could possibly cause Firefox to execute arbitrary code with the privileges of the user running Firefox.

CVE-2012-3972

An out-of-bounds memory read flaw was found in the way Firefox used the format-number feature of XSLT (Extensible Stylesheet Language Transformations). A web page containing malicious content could possibly cause an information leak, or cause Firefox to crash.

CVE-2012-3976

It was found that the SSL certificate information for a previously visited site could be displayed in the address bar while the main window displayed a new page. This could lead to phishing attacks as attackers could use this flaw to trick users into believing they are viewing a trusted site.

CVE-2012-3978

A flaw was found in the location object implementation in Firefox. Malicious content could use this flaw to possibly allow restricted content to be loaded.

BZ#794721, BZ#789051

Previously, with the xulrunner-5.0-2.el6 package installed, the yelp plug-in failed to start and returned the "Could not initialize gecko!" error message. Now, the updated yelp package has been provided and yelp works as expected in the described scenario.

CVE-2012-0461, CVE-2012-0462, CVE-2012-0464

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.

CVE-2012-0456, CVE-2012-0457

Two flaws were found in the way Firefox parsed certain Scalable Vector Graphics (SVG) image files. A web page containing a malicious SVG image file could cause an information leak, or cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.

CVE-2012-0455

A flaw could allow a malicious site to bypass intended restrictions, possibly leading to a cross-site scripting (XSS) attack if a user were tricked into dropping a "javascript:" link onto a frame.

CVE-2012-0458

It was found that the home page could be set to a "javascript:" link. If a user were tricked into setting such a home page by dragging a link to the home button, it could cause Firefox to repeatedly crash, eventually leading to arbitrary code execution with the privileges of the user running Firefox.

CVE-2012-0459

A flaw was found in the way Firefox parsed certain web content containing "cssText". A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.

CVE-2012-0460

It was found that by using the DOM fullscreen API, untrusted content could bypass the mozRequestFullscreen security protections. A web page containing malicious web content could exploit this API flaw to cause user interface spoofing.

CVE-2012-0451

A flaw was found in the way Firefox handled pages with multiple Content Security Policy (CSP) headers. This could lead to a cross-site scripting attack if used in conjunction with a website that has a header injection flaw.

BZ#729632

When using the Traditional Chinese locale (zh-TW), a segmentation fault sometimes occurred when closing Firefox.

BZ#784048

Inputting any text in the Web Console (Tools -> Web Developer -> Web Console) caused Firefox to crash.

BZ#799042

The java-1.6.0-ibm-plugin and java-1.6.0-sun-plugin packages require the "/usr/lib/mozilla/plugins/" directory on 32-bit systems, and the "/usr/lib64/mozilla/plugins/" directory on 64-bit systems. These directories are created by the xulrunner package; however, they were missing from the xulrunner package provided by the RHEA-2012:0327 update. Therefore, upgrading to RHEA-2012:0327 removed those directories, causing dependency errors when attempting to install the java-1.6.0-ibm-plugin or java-1.6.0-sun-plugin package. With this update, xulrunner once again creates the plugins directory. This issue did not affect users of Red Hat Enterprise Linux 6.

Security Fixes

CVE-2011-3062

A flaw was found in Sanitiser for OpenType (OTS), used by Firefox to help prevent potential exploits in malformed OpenType fonts. A web page containing malicious content could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox.

CVE-2012-0467, CVE-2012-0468, CVE-2012-0469

A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.

CVE-2012-0470

A web page containing a malicious Scalable Vector Graphics (SVG) image file could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.

CVE-2012-0472

A flaw was found in the way Firefox used its embedded Cairo library to render certain fonts. A web page containing malicious content could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox.

CVE-2012-0478

A flaw was found in the way Firefox rendered certain images using WebGL. A web page containing malicious content could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox.

CVE-2012-0471

A cross-site scripting (XSS) flaw was found in the way Firefox handled certain multibyte character sets. A web page containing malicious content could cause Firefox to run JavaScript code with the permissions of a different website.

CVE-2012-0473

A flaw was found in the way Firefox rendered certain graphics using WebGL. A web page containing malicious content could cause Firefox to crash.

CVE-2012-0474

A flaw in Firefox allowed the address bar to display a different website than the one the user was visiting. An attacker could use this flaw to conceal a malicious URL, possibly tricking a user into believing they are viewing a trusted site, or allowing scripts to be loaded from the attacker's site, possibly leading to cross-site scripting (XSS) attacks.

CVE-2012-0477

A flaw was found in the way Firefox decoded the ISO-2022-KR and ISO-2022-CN character sets. A web page containing malicious content could cause Firefox to run JavaScript code with the permissions of a different website.

CVE-2012-0479

A flaw was found in the way Firefox handled RSS and Atom feeds. Invalid RSS or Atom content loaded over HTTPS caused Firefox to display the address of said content in the location bar, but not the content in the main window. The previous content continued to be displayed. An attacker could use this flaw to perform phishing attacks, or trick users into thinking they are visiting the site reported by the location bar, when the page is actually content controlled by an attacker.

Security Fixes

CVE-2011-3101, CVE-2012-1937, CVE-2012-1938, CVE-2012-1939, CVE-2012-1940, CVE-2012-1941, CVE-2012-1946, CVE-2012-1947

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.

CVE-2012-1944

Note: CVE-2011-3101 only affected users of certain NVIDIA display drivers with graphics cards that have hardware acceleration enabled.

It was found that the Content Security Policy (CSP) implementation in Firefox no longer blocked Firefox inline event handlers. A remote attacker could use this flaw to possibly bypass a web application's intended restrictions, if that application relied on CSP to protect against flaws such as cross-site scripting (XSS).

CVE-2012-1945

If a web server hosted HTML files that are stored on a Microsoft Windows share, or a Samba share, loading such files with Firefox could result in Windows shortcut files (.lnk) in the same share also being loaded. An attacker could use this flaw to view the contents of local files and directories on the victim's system. This issue also affected users opening HTML files from Microsoft Windows shares, or Samba shares, that are mounted on their systems.

Security Fixes

CVE-2012-3982, CVE-2012-3988, CVE-2012-3990, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.

CVE-2012-3986, CVE-2012-3991

Two flaws in Firefox could allow a malicious website to bypass intended restrictions, possibly leading to information disclosure, or Firefox executing arbitrary code. Note that the information disclosure issue could possibly be combined with other flaws to achieve arbitrary code execution.

CVE-2012-1956, CVE-2012-3992, CVE-2012-3994

Multiple flaws were found in the location object implementation in Firefox. Malicious content could be used to perform cross-site scripting attacks, script injection, or spoofing attacks.

CVE-2012-3993, CVE-2012-4184

Two flaws were found in the way Chrome Object Wrappers were implemented. Malicious content could be used to perform cross-site scripting attacks or cause Firefox to execute arbitrary code.

BZ#809571, BZ#816234

In certain environments, storing personal Firefox configuration files (~/.mozilla/) on an NFS share, such as when your home directory is on a NFS share, led to Firefox functioning incorrectly, for example, navigation buttons not working as expected, and bookmarks not saving. This update adds a new configuration option, storage.nfs_filesystem, that can be used to resolve this issue.

If you experience this issue:

1) Start Firefox.

2) Type "about:config" (without quotes) into the URL bar and press the Enter key.

3) If prompted with "This might void your warranty!", click the "I'll be careful, I promise!" button.

4) Right-click in the Preference Name list. In the menu that opens, select New -> Boolean.

5) Type "storage.nfs_filesystem" (without quotes) for the preference name and then click the OK button.

6) Select "true" for the boolean value and then press the OK button.

Security Fix

CVE-2012-4194, CVE-2012-4195, CVE-2012-4196

Multiple flaws were found in the location object implementation in Firefox. Malicious content could be used to perform cross-site scripting attacks, bypass the same-origin policy, or cause Firefox to execute arbitrary code.

Security Fixes

CVE-2012-4214, CVE-2012-4215, CVE-2012-4216, CVE-2012-5829, CVE-2012-5830, CVE-2012-5833, CVE-2012-5835, CVE-2012-5839, CVE-2012-5840, CVE-2012-5842

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.

CVE-2012-4202

A buffer overflow flaw was found in the way Firefox handled GIF (Graphics Interchange Format) images. A web page containing a malicious GIF image could cause Firefox to crash or, possibly, execute arbitrary code with the privileges of the user running Firefox.

CVE-2012-4210

A flaw was found in the way the Style Inspector tool in Firefox handled certain Cascading Style Sheets (CSS). Running the tool (Tools -> Web Developer -> Inspect) on malicious CSS could result in the execution of HTML and CSS content with chrome privileges.

CVE-2012-4207

A flaw was found in the way Firefox decoded the HZ-GB-2312 character encoding. A web page containing malicious content could cause Firefox to run JavaScript code with the permissions of a different website.

CVE-2012-4209

A flaw was found in the location object implementation in Firefox. Malicious content could possibly use this flaw to allow restricted content to be loaded by plug-ins.

CVE-2012-5841

A flaw was found in the way cross-origin wrappers were implemented. Malicious content could use this flaw to perform cross-site scripting attacks.

CVE-2012-4201

A flaw was found in the evalInSandbox implementation in Firefox. Malicious content could use this flaw to perform cross-site scripting attacks.

Security Fixes

CVE-2012-1948, CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954, CVE-2012-1958, CVE-2012-1962, CVE-2012-1967

A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.

CVE-2012-1959

A malicious web page could bypass same-compartment security wrappers (SCSW) and execute arbitrary code with chrome privileges.

CVE-2012-1966

A flaw in the context menu functionality in Firefox could allow a malicious website to bypass intended restrictions and allow a cross-site scripting attack.

CVE-2012-1950

A page different to that in the address bar could be displayed when dragging and dropping to the address bar, possibly making it easier for a malicious site or user to perform a phishing attack.

CVE-2012-1955

A flaw in the way Firefox called history.forward and history.back could allow an attacker to conceal a malicious URL, possibly tricking a user into believing they are viewing a trusted site.

CVE-2012-1957

A flaw in a parser utility class used by Firefox to parse feeds (such as RSS) could allow an attacker to execute arbitrary JavaScript with the privileges of the user running Firefox. This issue could have affected other browser components or add-ons that assume the class returns sanitized input.

CVE-2012-1961

A flaw in the way Firefox handled X-Frame-Options headers could allow a malicious website to perform a clickjacking attack.

CVE-2012-1963

A flaw in the way Content Security Policy (CSP) reports were generated by Firefox could allow a malicious web page to steal a victim's OAuth 2.0 access tokens and OpenID credentials.

CVE-2012-1964

A flaw in the way Firefox handled certificate warnings could allow a man-in-the-middle attacker to create a crafted warning, possibly tricking a user into accepting an arbitrary certificate as trusted.

CVE-2012-1965

A flaw in the way Firefox handled feed:javascript URLs could allow output filtering to be bypassed, possibly leading to a cross-site scripting attack.

Bug Fix

BZ#838879

The nss update RHBA-2012:0337 for Red Hat Enterprise Linux 5 and 6 introduced a mitigation for the CVE-2011-3389 flaw. For compatibility reasons, it remains disabled by default in the nss packages. This update makes Firefox enable the mitigation by default. It can be disabled by setting the NSS_SSL_CBC_RANDOM_IV environment variable to 0 before launching Firefox.

Security Fix

CVE-2012-3547

A buffer overflow flaw was discovered in the way radiusd handled the expiration date field in X.509 client certificates. A remote attacker could possibly use this flaw to crash radiusd if it were configured to use the certificate or TLS tunnelled authentication methods (such as EAP-TLS, EAP-TTLS, and PEAP).

Security Fix

CVE-2011-4966

It was found that the "unix" module ignored the password expiration setting in "/etc/shadow". If FreeRADIUS was configured to use this module for user authentication, this flaw could allow users with an expired password to successfully authenticate, even though their access should have been denied.

BZ#787111

After log rotation, the freeradius logrotate script failed to reload the radiusd daemon and log messages were lost. This update has added a command to the freeradius logrotate script to reload the radiusd daemon and the radiusd daemon re-initializes and reopens its log files after log rotation as expected.

BZ#846476

The radtest script with the "eap-md5" option failed because it passed the IP family argument when invoking the radeapclient utility and the radeapclient utility did not recognize the IP family. The radeapclient utility now recognizes the IP family argument and radtest now works with eap-md5 as expected.

BZ#846471

Previously, freeradius was compiled without the "--with-udpfromto" option. Consequently, with a multihomed server and explicitly specifying the IP address, freeradius sent the reply with the wrong IP source address. With this update, freeradius has been built with the "--with-udpfromto" configuration option and the RADIUS reply is always sourced from the IP address the request was sent to.

BZ#818885

Due to invalid syntax in the PostgreSQL admin schema file, the FreeRADIUS PostgreSQL tables failed to be created. With this update, the syntax has been adjusted and the tables are created as expected.

BZ#846475

FreeRADIUS has a thread pool that dynamically grows based on load. If multiple threads using the "rlm_perl()" function are spawned in quick succession, the FreeRADIUS server sometimes terminated unexpectedly with a segmentation fault due to parallel calls to the "rlm_perl_clone()" function. With this update, a mutex for the threads has been added and the problem no longer occurs.

BZ#781877

The man page for "rlm_dbm_parser" was incorrectly installed as "rlm_dbm_parse", omitting the trailing "r". The man page now correctly appears as rlm_dbm_parser.

Security Fixes

CVE-2012-1134, CVE-2012-1136, CVE-2012-1142, CVE-2012-1144

Multiple flaws were found in the way FreeType handled TrueType Font (TTF), Glyph Bitmap Distribution Format (BDF), Windows .fnt and .fon, and PostScript Type 1 fonts. If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

CVE-2012-1126, CVE-2012-1127, CVE-2012-1130, CVE-2012-1131, CVE-2012-1132, CVE-2012-1137, CVE-2012-1139, CVE-2012-1140, CVE-2012-1141, CVE-2012-1143

Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash.

BZ#665240

Previously, the command line width in the ftp client was limited to 200 characters. With this update, the maximum possible length of the FTP command line is extended to 4296 characters.

BZ#827372

Prior to this update, the "re_string_skip_chars" function incorrectly used the character count instead of the raw length to estimate the string length. As a consequence, text in multi-byte encoding that did not use the UTF-8 format failed to be processed correctly. This update modifies the underlying code so that the correct string length is used. multi-byte encoding is processed correctly.

BZ#806394

GCC did not, under rare circumstances, handle exceptions properly when GCC 4.1 libstdc++ was used with GCC 4.4 or later C++11 code. This update improves exception handling so that GCC now processes exceptions as expected when using GCC 4.4 or later to compile code written in C++11.

BZ#750545

GCC was missing a lazy declaration of a class type destructor in the locate_dtor function in the method implementation. As a consequence, exception handling did not work as expected under certain circumstances and the generated code could terminate unexpectedly. This update adds the missing destructor declaration and the problem no longer occurs.

BZ#760417

Previously, GCC did not correctly handle processor registers and used an incorrect memory operand when processing the CMPXCHG8B instruction. As a consequence, the compiler generated erroneous code if the "-fPIC" option was used. This update modifies the underlying source code so that GCC now handles memory operands correctly and compiles position-independent code with the "fPIC" option as expected.

BZ#797938

GCC previously used incorrect flags for IBM System z specific options, such as "-m31", "-m64", "-mesa", "-mzarch", "-msoft-float", "-mhard-float", "-mlong-double-64" and "-mlong-double-128". As a consequence, when compiling code with any of these options, GCC did not recognize the option and the command failed. With this update, negative flags are now used for these options and code can be compiled successfully in this scenario.

BZ#806275

GCC did not, under rare circumstances, handle exceptions properly when GCC 4.1 libstdc++ was used with GCC 4.4 or later C++11 code. This update improves exception handling so that GCC now processes exceptions as expected when using GCC 4.4 or later to compile code written in C++11.

BZ#815207

Previous version of gcc44 incorrectly stated that the gcc44 package includes a technical preview of GCC version 4.4. The package description has been corrected and no longer claims to provide the technical preview of GCC version 4.4.

BZ#784360

Due to misplaced space characters in the x86 architecture driver, the "-mxop", "-mfma4", "-mbmi" and "-mtbm" compiler options were concatenated incorrectly when compiling code with gcc44. Consequently, compilation failed with an "unrecognized command line option" error. This update fixes space characters position and the options are concatenated correctly. Code is now compiled successfully with these options.

BZ#556962

G++ previously assumed that a value of enumeration type is always in the range specified by the C++ standard. Consequently, if a program converted an arbitrary integer value to the enumeration type, the code compiled with the "-fPIC -O2" or "-fPIC -O3" options could terminate unexpectedly. With this update, the underlying code has been modified to no longer assume strict evaluation of enumeration type. The old functionality can be turned on by specifying the "fstrict-enums" option.

BZ#837894

When a struct member was at an offset greater than 256 MB, the resulting bit position within the struct overflowed and caused an invalid access by GDB. With this update, the code has been modified to ensure that GDB can access such positions.

BZ#795423

Prior to this update, a bit position within a structure overflowed when a member of this structure was at an offset greater than 256 MB and GDB failed to access the position. This update modifies the underlying code to ensure that GDB can access such positions.

BZ#818343

Prior to this update, GDB incorrectly tried to load virtual dynamic shared objects (vDSO) from the file system when using the "solib-absolute-prefix" command. As a consequence, vDSOs could abort. This update modifies the underlying code to handle vDSOs as expected.

BZ#823789

Prior to this update, GDB failed to debug XLF generated code due to incorrect symbol handling. As a consequence, the type of variable in modules was not found. This update modifies the underlying code to handle symbols correctly and the type of a variable is found.

BZ#671156

Prior to this update, gdbm-devel had no explicit requirements to gdbm, which could introduce interoperability problems. With this update, the gdbm-devel adds explicit requirements to the gdbm package.

Bug Fix

BZ#788694

Prior to this update, registered kobjects could, under certain circumstances, be freed while they were still in use. As a consequence, a kernel panic could occur when processing the gfs_controld daemon. This update adds the kobject release() method. Now, processing the gfs_controld daemon no longer causes a kernel panic.

Bug Fix

BZ#788694

Prior to this update, the gfs_fsck file system checker failed to detect "bad indirect block pointer" corruptions due to incorrect error paths. This update modifies the gfs_fsck error paths. Now, gfs_fsck detects and repairs corruptions as expected.

BZ#838910

Prior to this update, an overly long cluster name in /etc/cluster/cluster.conf could cause a buffer overflow when running fsck.gfs2 on a GFS2 file system with a corrupt super block. This update modifies the underlying code to to ensure that the cluster name is truncated appropriately when the super block is being rebuilt. Now, this buffer overflow condition is prevented.

Security Fix

CVE-2012-4405

An integer overflow flaw, leading to a heap-based buffer overflow, was found in Ghostscript's International Color Consortium Format library (icclib). An attacker could create a specially-crafted PostScript or PDF file with embedded images that would cause Ghostscript to crash or, potentially, execute arbitrary code with the privileges of the user running Ghostscript.

Bug Fix

BZ#452998

Prior to this update, the Postscript plug-in could abort with a segmentation fault when saving images as Postscript files from GIMP if a preview was embedded in the file. This update modifies the underlying code so to handle embedded previews.

Security Fixes

CVE-2009-3909, CVE-2012-3402

Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the GIMP's Adobe Photoshop (PSD) image file plug-in. An attacker could create a specially-crafted PSD image file that, when opened, could cause the PSD plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP.

CVE-2012-3481

An integer overflow flaw, leading to a heap-based buffer overflow, was found in the GIMP's GIF image format plug-in. An attacker could create a specially-crafted GIF image file that, when opened, could cause the GIF plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP.

CVE-2011-2896

A heap-based buffer overflow flaw was found in the Lempel-Ziv-Welch (LZW) decompression algorithm implementation used by the GIMP's GIF image format plug-in. An attacker could create a specially-crafted GIF image file that, when opened, could cause the GIF plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP.

CVE-2012-3403

A heap-based buffer overflow flaw was found in the GIMP's KiSS CEL file format plug-in. An attacker could create a specially-crafted KiSS palette file that, when opened, could cause the CEL plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP.

BZ#810323

Previously, glibc did not walk through the entire list of Network Information Service (NIS) password or group buffers. As a consequence, when utilizing the NIS password or group maps, allocated memory was not freed properly, which caused memory leaks. This update modifies glibc to walk through the entire lists so that memory is freed as expected and memory leaks no longer occur in this scenario.

Bug Fixes

BZ#823905

Using the iconv() or the iconv command to convert a file or string from IBM-930 encoding to another encoding, such as UTF-8, resulted in a segmentation fault. This happened if the file or string contained the invalid multibyte character 0xffff. Now, the conversion code for the IBM-930 encoding recognizes this invalid character and calls an error handler and the segmentation fault no longer occurs.

BZ#837852

Due to logic errors, functions exp(), exp2(), pow(), sin(), tan(), and rint() could return different results in non-default rounding modes or terminate with a segmentation fault. Multiple fixes have been applied to the function implementations and the functions now return correct results in all rounding modes.

Note that the change can cause runtime performance loss as values which were previously handled by the fast function implementation are now handled by the slower multi-precision library to achieve accurate results.

BZ#813348

The dynamic linker previously sorted cyclic dependencies incorrectly when there were more that 127 Dynamic Shared Objects (DSO). The changed order of the dependencies caused some programs to behave differently or crash due to symbol resolution failure. This update fixes the initialization order of the cyclic dependencies and the problem no longer occurs.

BZ#848481

Various functions that called the nl_explode_name() function failed to check its return value for errors. As a result, applications could terminate unexpectedly after passing a NULL pointer or uninitialized values to the calling functions. The callers of nl_explode_name() have been updated to check for error conditions and fail gracefully.

BZ#808014

Previously, if the Name Service Cache Daemon (nscd) daemon received a CNAME (Canonical Name) record as a response to a DNS (Domain Name System) query, the cached DNS entry adopted the TTL (Time to Live) value of the underlying A or AAAA response. This caused the nscd daemon to wait for an unexpectedly long time before reloading the DNS entry. With this update, nscd uses the shortest TTL from the response as the TTL value for the entire record and DNS entries are now reloaded as expected in this scenario.

BZ#799853

The Slovak currency was set to the Slovak Crown. However, Slovakia now uses the Euro. The Slovak currency was set to the Euro.

BZ#809325

Previously, glibc did not walk through the entire list of buffers. As a consequence, when utilizing the NIS password or group maps, allocated memory was not freed properly, which caused memory leaks. This update modifies glibc to walk through the entire list so that memory is freed as expected and memory leaks no longer occur in this scenario.

BZ#751748

A race between the _IO_flush_all_lockp() function and pthread_cancel() function could cause a process to become unresponsive during forking. This happened because the _IO_unlock_lock macro decremented the lock count before it attempted to unlock its lock and did not check if the count contained a positive value. If the lock was never held since _IO_unlock_lock(), the macro did not release the lock due to the lock count being less than zero. With this update, the lock count is decremented only if it contains a positive value.

BZ#639000

The Ukrainian currency symbol was incorrectly set to rp. With this update, the currency symbol was corrected to rpH.

BZ#759341

A race condition existed between functions which allocated and reclaimed stacks in multi-threaded applications. As a result, some applications could enter a deadlock. The code for managing lists of stacks has been changed to publish its changes to all threads at the appropriate time. This fixes synchronization between the multiple threads and eliminates the race condition.

BZ#788989

The Name Service Cache Daemon (nscd) terminated unexpectedly if a group contained a few thousand members. This was caused by a stack overflow which resulted in a segmentation fault in nscd. With this update, when a large amount of memory is needed for a group with many members, the memory is allocated on the heap instead of the stack. This prevents the stack overflow and nscd no longer crashes in this scenario.

BZ#839572

During installation on IBM System z, Red Hat Enterprise Linux Server installer returned traceback with the following error value after the stage2 download:

ValueError: (3, 'No such process')

This was due to a workaround implementation for IBM System z in the fegetenv() function in the math.h header file. With this update, the function implementation was modified so as to follow the IEEE standard and the problem no longer occurs.

BZ#769852

A race condition between the setuid() function and the sighandler_setxid() function could result in a lock remaining unreleased. As a result, an application could remain in a deadlock. With this update, the lock is released in this scenario and proper synchronization between the threads is maintained.

BZ#843672

Prior to this update, when a multi-threaded process called the qsort() function, a race condition could occur. This could result in an uninitialized memory read and the process could receive a floating point exception or other fault condition. The race condition in the function code has been fixed and the problem no longer occurs.

BZ#766832

Calling the strncmp() function on the Power4 processors could cause the program to terminate unexpectedly. This occurred because the function occasionally attempted to read past the zero byte in certain cases. With this update, strings are aligned correctly and the function no longer attempts to read past the zero byte.

BZ#710216

The Portuguese locale (pt_PT.utf8) incorrectly used the $ character instead of the , character as its decimal point. The error has been corrected and the , character is now used as the decimal point as expected.

BZ#703239

Previously, if the /etc/resolv.conf file contained an IPv6 DNS server address with trailing spaces, the address failed to be parsed correctly and DNS lookups with the ping6 command failed. With this update, the parsing code has been corrected so as to cope with trailing spaces and the problem no longer occurs.

BZ#692182

The sysconf() function allows applications to determine values for system limits or options at runtime. The mechanism that sysconf uses to acquire various CACHE parameters previously failed to look up the requested information on Intel Xeon X5670 processors and incorrectly returned zero values. The sysconf() function has been modified to acquire the system information on these processors correctly and the problem no longer occurs.

BZ#806403

A missing check of memory allocation and an incorrect loop test in the nss/getnssent.c source file could cause an application to fail. The memory allocation check and the loop test code have been added and the problem no longer occurs.

BZ#851450

Previously, the ttyname() and ttyname_r() calls returned an error if the /proc/ directory was not mounted. Consequently, some applications did not run in the chroot environment properly. With this update, if the /proc/self/fd/ directory cannot be read, the calls iterate through devices first and only then return an error. As a result, applications which were previously failing now work correctly.

BZ#500767

The getgrent() function generated an error when it requested to read a Network Information Services (NIS) group record of 1024 bytes from the NIS master server. This happened because the function attempted to free an unallocated pointer. With this update, the free() function is not called under these circumstances and getgrent() now works as expected in this scenario.

BZ#797096

Various functions (glob_in_dir, getaddrinfo) could potentially allocate unlimited amounts of data on the stack. As a result, these functions were potential security attack vectors. With this update, these routines use malloc() when allocating large amounts of memory and the security issue is eliminated.

BZ#657266

The Finnish locale included redundant trailing spaces in month abbreviations. This could cause parsing and conversion problems when working with dates. With this update, the trailing spaces have been removed from the definition of abbreviated month format and the parsing and conversion of abbreviated month names work as expected.

BZ#657588

Abbreviated month names in the simplified Chines locale (zh_CN) contained redundant spaces, which caused incorrect output of dates. With this update, the spaces have been removed from the format definition and the system returns dates formatted correctly.

BZ#678227

The Name Service Cache Daemon (nscd) initscript was returning a non-zero exit status when a stop was requested on an already stopped daemon. However, the expected behavior is to consider the request to be successful and return the exit status of zero. The nscd initscript has been modified to handle this case correctly and set the exit status appropriately.

BZ#819430

Previously, the fnmatch() function failed and returned the -1 status code when its pattern argument contained the wildcard character * and the file name argument contained an invalid multibyte encoding character. The fnmatch() function now handles such arguments gracefully: it considers the invalid characters not to match and proceeds.

BZ#800240

If the maximum number of memory pools (arenas) used by a thread was set to 1 (MALLOC_ARENA_MAX=1), the setting was ignored and the program still used multiple pools due to incorrect logic when checking the number of pools in use and reusing pools. With this update, the underlying code has been modified and the pool setting is applied as expected.

BZ#857387

The vfprintf() function returned the ERANGE errno instead of EOVERFLOW when a string of a too long format was specified. The errno is now set correctly to EOVERFLOW in this scenario.

Enhancements

BZ#795896

A Virtual Dynamic Shared Object (VDSO) allows an application in user space to perform some kernel actions with less overhead than if using a system call. The VDSO is often used to provide fast access to the gettimeofday system call data. Support for VDSOs on the IBM System z series platform has been added to glibc.

BZ#641094

Previously, the pthread_create() function used the MAP_32BIT flag to reserve the lower 32 bits of virtual address space for thread stacks so as to provide better performance. This setting is no longer of benefit and in some cases can negatively impact performance. A patch has been backported so that pthread_create() now uses the MAP_STACK flag instead of the MAP_32BIT flag.

BZ#765710

The getaddrinfo() function returns one or more addrinfo structures, each of which contains an Internet socket address. If the hints argument to getaddrinfo() is not NULL, it specifies criteria for selecting the socket address structures to be returned. Previously, getaddrinfo() did not support the Stream Control Transmission Protocol (SCTP) hints. With this update, the getaddrinfo() function has been enhanced to accept SCTP hints.

Security Fix

CVE-2012-0864

An integer overflow flaw was found in the implementation of the printf functions family. This could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort.

Security Fix

CVE-2012-3406

It was discovered that the formatted printing functionality in glibc did not properly restrict the use of alloca(). This could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort.

BZ#837896

If a file or a string was in the IBM-930 encoding, and contained the invalid multibyte character "0xffff", attempting to use iconv() (or the iconv command) to convert that file or string to another encoding, such as UTF-8, resulted in a segmentation fault. With this update, the conversion code for the IBM-930 encoding recognizes this invalid character and calls an error handler, rather than causing a segmentation fault.

Security Fix

CVE-2012-3480

Multiple integer overflow flaws, leading to stack-based buffer overflows, were found in glibc's functions for converting a string to a numeric representation (strtod(), strtof(), and strtold()). If an application used such a function on attacker controlled input, it could cause the application to crash or, potentially, execute arbitrary code.

BZ#839411

Previously, logic errors in various mathematical functions, including exp, exp2, expf, exp2f, pow, sin, tan, and rint, caused inconsistent results when the functions were used with the non-default rounding mode. This could also cause applications to crash in some cases. With this update, the functions now give correct results across the four different rounding modes.

Bug Fix

BZ#500591

Prior to this update, the gnbd makefile stripped the binaries of their debugging symbols. As a consequence, the gnbd debuginfo package was empty. This update removes the strip commands from the gnbd makefiles. Now, the debuginfo packages have all the appropriate information.

BZ#477688

Prior to this update, the gnome-session utility did not fully honor the "Hidden=" key in autostart desktop files. As a consequence, users could not mark autostart files as Hidden= in their home directory to disable autostart files in system directories.With this update, gnome-session allows users to "mask" system autostart files by installing a file of the same name in ~/.config/autostart with a key Hidden=true when loading autostart files.

Security Fix

CVE-2009-2473

A denial of service flaw was found in the neon Extensible Markup Language (XML) parser. Visiting a malicious DAV server with an application using gnome-vfs2 (such as Nautilus) could possibly cause the application to consume an excessive amount of CPU and memory.

BZ#580855

When extracted from the Uniform Resource Identifier (URI), gnome-vfs2 returned escaped file paths. If a path, as stored in the URI, contained non-ASCII characters or ASCII characters which are parsed as something other than a file path (for example, spaces), the escaped path was inaccurate. Consequently, files with the described type of URI could not be processed. With this update, gnome-vfs2 properly unescapes paths that are required for a system call. As a result, these paths are parsed properly.

BZ#586015

In certain cases, the trash info file was populated by foreign entries, pointing to live data. Emptying the trash caused an accidental deletion of valuable data. With this update, a workaround has been applied in order to prevent the deletion. As a result, the accidental data loss is prevented, however further information is still gathered to fully fix this problem.

BZ#621394

Due to a wrong test checking for a destination file system, the Nautilus file manager failed to delete a symbolic link to a folder which was residing in another file system. With this update, a special test has been added. As a result, a symbolic link pointing to another file system can be trashed or deleted properly.

BZ#772307

Prior to this update, when directories without a read permission were marked for copy, the Nautilus file manager skipped these unreadable directories without notification. With this update, Nautilus displays an error message and properly informs the user about the aforementioned problem.

BZ#822817

Previously, gnome-vfs2 used the stat() function calls for every file on the MultiVersion File System (MVFS), used for example by IBM Rational ClearCase. This behavior significantly slowed down file operations. With this update, the unnecessary stat() operations have been limited. As a result, gnome-vfs2 user interfaces, such as Nautilus, are more responsive.

BZ#789041

Under certain circumstances, a NULL pointer could have been dereferenced in the GnuTLS library. This caused TLS clients, such as the rsyslog utility, to terminate unexpectedly with a segmentation fault. This update adds a test condition ensuring that a NULL pointer can no longer be dereferenced and TLS clients no longer crash.

BZ#592112

The gnutls packages reported wrong distinguished names (DNs) for chain CA certificates used for the client authentication; the issuer DN was reported instead of the subject DN. As a consequence, the TLS clients were not able to provide a client certificate signed by a chain CA certificate when connecting to a gnutls TLS server. The underlying source code has been modified and gnutls now reports the right DN and the TLS clients work as expected in the described scenario.

BZ#730816

Previously, in the certool utility was a missing check used for an empty string when a challenge password was entered. Consequently, certificate requests generated by certtool were sometimes invalid when an empty challenge password was used. This missing empty-string check has been added and now the certtool's certificate requests are valid even if the challenge password is not entered.

BZ#785001

Under certain circumstances, a null pointer could be dereferenced in the GnuTLS library. This caused TLS clients, such as the rsyslog utility, to terminate unexpectedly with a segmentation fault. This update adds a test condition ensuring that null pointers can no longer be dereferenced and TLS clients no longer crash.

Security Fixes

CVE-2012-1573

A flaw was found in the way GnuTLS decrypted malformed TLS records. This could cause a TLS/SSL client or server to crash when processing a specially-crafted TLS record from a remote TLS/SSL connection peer.

CVE-2012-1569

A flaw was found in the way libtasn1 decoded DER data. An attacker could create a carefully-crafted X.509 certificate that, when parsed by an application that uses GnuTLS, could cause the application to crash.

CVE-2011-4128

A boundary error was found in the gnutls_session_get_data() function. A malicious TLS/SSL server could use this flaw to crash a TLS/SSL client or, possibly, execute arbitrary code as the client, if the client passed a fixed-sized buffer to gnutls_session_get_data() before checking the real size of the session data provided by the server.

BZ#714882

The gpxe-roms-qemu runs the update-alternatives utility during installation; however, the chkconfig package, which provides the utility, was previously not required by gpxe-roms-qemu. As a consequence, the installation could fail with a "No such file or directory" error message. The chkconfig package has been added as a dependency to ensure successful installation of gpxe-roms-qemu.

BZ#212649

The grub documentation contained incorrect information about the planned but unimplemented "grub-set-default" command; the "savedefault" command has been implemented instead, providing similar functionality. This update corrects the grub documentation that now reflect only those commands which have been implemented in GRUB.

BZ#782096

Prior to this update, the "grub-install" command was matching only against one letter after the "sd" string in the disk's device path name. Consequently, disks named "sdaa" and higher were not recognized as disks. The matching expression has been changed and now the "grub-install" command matches against any number of reasonable characters after the "sd" string in the disk's device path name.

BZ#829228

Previously, the number of disks was hard-coded to a maximum of 8. As a consequence, no more than 8 devices could be used. This update has changed the definition of allowed disks to a maximum of 128 and now up to 128 devices can be used.

BZ#694888

Using a Wacom tablet with a dual head configuration caused an error in the GTK+ toolkit when the input coordinates of the Wacom tablet were bound to a single monitor. Consequently, drawing with a pen with pressure sensitivity enabled led to an offset between the pen position and the content drawn on the screen. This update changes the way that input coordinates are translated by the library in this specific case.

BZ#830901

Previously, performing drag-and-drop operations on tabs in applications using the GtkNotebook widget could lead to releasing the same resource twice. Eventually, this behavior caused a segmentation fault. This bug has been fixed, and the applications using GtkNotebook no longer crash in the described scenario.

Security Fix

CVE-2012-2370

An integer overflow flaw was found in the X BitMap (XBM) image file loader in GTK+. A remote attacker could provide a specially-crafted XBM image file that, when opened in an application linked against GTK+ (such as Nautilus), would cause the application to crash.

BZ#487630

Due to a bug in the Input Method GTK+ module, the usage of the Taiwanese Big5 (zh_TW.Big-5) locale led to the unexpected termination of certain applications, such as the GDM greeter. The bug has been fixed, and the Taiwanese locale no longer causes applications to terminate unexpectedly.

BZ#518483

When a file was initially selected after the GTK+ file chooser dialog was opened and the Location field was visible, pressing the Enter key did not open the file. With this update, the initially selected file is opened regardless of the visibility of the Location field.

BZ#523657

When a file was initially selected after the GTK+ file chooser dialog was opened and the Location field was visible, pressing the Enter key did not change into the directory. With this update, the dialog changes into the initially selected directory regardless of the visibility of the Location field.

BZ#603809

Previously, the GTK Print dialog did not reflect the user-defined printer preferences stored in the ~/.cups/lpoptions file, such as those set in the Default Printer preferences panel. Consequently, the first device in the printer list was always set as a default printer. With this update, the underlying source code has been enhanced to parse the option file. As a result, the default values in the print dialog are set to those previously specified by the user.

BZ#702342

The GTK+ file chooser did not properly handle saving of nameless files. Consequently, attempting to save a file without specifying a file name caused GTK+ to become unresponsive. With this update, an explicit test for this condition has been added into the underlying source code. As a result, GTK+ no longer hangs in the described scenario.

BZ#743658

When using certain graphics tablets, the GTK+ library incorrectly translated the input coordinates. Consequently, an offset occurred between the position of the pen and the content drawn on the screen. This issue was limited to the following configuration: a Wacom tablet with input coordinates bound to a single monitor in a dual head configuration, drawing with a pen with the pressure sensitivity option enabled. With this update, the coordinate translation method has been changed, and the offset is no longer present in the described configuration.

BZ#830901

Previously, performing drag and drop operations on tabs in applications using the GtkNotebook widget could lead to releasing the same resource twice. Eventually, this behavior caused the applications to terminate with a segmentation fault. This bug has been fixed, and the applications using GtkNotebook no longer terminate in the aforementioned scenario.

Security Fixes

CVE-2011-3327

A heap-based buffer overflow flaw was found in the way the bgpd daemon processed malformed Extended Communities path attributes. An attacker could send a specially-crafted BGP message, causing bgpd on a target system to crash or, possibly, execute arbitrary code with the privileges of the user running bgpd. The UPDATE message would have to arrive from an explicitly configured BGP peer, but could have originated elsewhere in the BGP network.

CVE-2010-1674

A NULL pointer dereference flaw was found in the way the bgpd daemon processed malformed route Extended Communities attributes. A configured BGP peer could crash bgpd on a target system via a specially-crafted BGP message.

CVE-2011-3323

A stack-based buffer overflow flaw was found in the way the ospf6d daemon processed malformed Link State Update packets. An OSPF router could use this flaw to crash ospf6d on an adjacent router.

CVE-2011-3324

A flaw was found in the way the ospf6d daemon processed malformed link state advertisements. An OSPF neighbor could use this flaw to crash ospf6d on a target system.

CVE-2011-3325

A flaw was found in the way the ospfd daemon processed malformed Hello packets. An OSPF neighbor could use this flaw to crash ospfd on a target system.

CVE-2011-3326

A flaw was found in the way the ospfd daemon processed malformed link state advertisements. An OSPF router in the autonomous system could use this flaw to crash ospfd on a target system.

CVE-2012-0249

An assertion failure was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to cause ospfd on an adjacent router to abort.

CVE-2012-0250

A buffer overflow flaw was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to crash ospfd on an adjacent router.

BZ#704079

Previously, the HAL daemon sometimes identified a non-existent error when running a new process and displayed the following warning:

Warning: Error while wite r->input () to stdin_v.

This bug has been fixed and the HAL daemon now works properly in the described scenario.

BZ#555303

The previous version of the hal package did not provide a manual page for the hal-device utility. This update adds the hal-device(1) manual page to this package.

Security Fix

CVE-2011-2722

It was found that the HP CUPS (Common UNIX Printing System) fax filter in HPLIP created a temporary file in an insecure way. A local attacker could use this flaw to perform a symbolic link attack, overwriting arbitrary files accessible to a process using the fax filter (such as the hp3-sendfax tool).

BZ#501834

Previous modifications of the hplip3 package to allow it to be installed alongside the original hplip package introduced several problems to fax support; for example, the hp-sendfax utility could become unresponsive. These problems have been fixed with this update.

BZ#844877

The HSQLDB database did not depend on java packages of version 1:1.6.0 or later, which caused the hsqldb packages to be installed incorrectly in some cases. Consequently, the build-classpath command did not work on systems without the java-1.6.0-openjdk package installed. This update modifies the hsqldb spec file to add a requirement for java-1.6.0-openjdk, and the installation of hsqldb now proceeds correctly as expected.

BZ#825675

Due to a bug in the "mod_cache" module, an unexpected "304 Not Modified" HTTP response could be incorrectly returned to the client on non-conditional HTTP GET requests. With this update, the "mod_cache" module has been modified to correctly handle 304 responses, which are not returned in this scenario.

BZ#873677

Due to a bug in the "mod_mem_cache" module, an aborted HTTP connection could result in a cached entity becoming corrupt. With this update, the "mod_mem_cache" module has been fixed to correctly handle aborted connections, avoiding cache corruption in this scenario.

BZ#873730

Due to a bug in the "mod_cache" module, the "304 Not Modified" response from an origin server was not properly handled when a cached entity was being refreshed. Consequently, the entity could be returned to the HTTP client with incorrect headers. With this update, the "mod_cache" module has been modified to correctly handle headers in the "304 Not Modified" response. The cached entity is now returned with correct headers in this scenario.

Security Fix

CVE-2008-0455, CVE-2008-0456, CVE-2012-2687

Input sanitization flaws were found in the mod_negotiation module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use these flaws to conduct cross-site scripting and HTTP response splitting attacks against users visiting the site.

BZ#752618

Previously, no check was made to see if the /etc/pki/tls/private/localhost.key file was a valid key prior to running the "%post" script for the "mod_ssl" package. Consequently, when /etc/pki/tls/certs/localhost.crt did not exist and "localhost.key" was present but invalid, upgrading the Apache HTTP Server daemon (httpd) with mod_ssl failed. The "%post" script has been fixed to test for an existing SSL key. As a result, upgrading httpd with mod_ssl now proceeds as expected.

BZ#773473

The "mod_ssl" module did not support operation under FIPS mode. Consequently, when operating Red Hat Enterprise Linux 5 with FIPS mode enabled, httpd failed to start. An upstream patch has been applied to disable non-FIPS functionality if operating under FIPS mode and httpd now starts as expected.

BZ#783242

Prior to this update, httpd exit status codes were not Linux Standard Base (LSB) compliant. When the command "service httpd reload" was run and httpd failed, the exit status code returned was "0" and not in the range 1 to 6 as expected. A patch has been applied to the init script and httpd now returns "1" as an exit status code.

BZ#840845

Chunked Transfer Coding is described in RFC 2616. Previously, the Apache server did not correctly handle a chunked encoded POST request with a "chunk-size" or "chunk-extension" value of 32 bytes or more. Consequently, when such a POST request was made the server did not respond. An upstream patch has been applied and the problem no longer occurs.

BZ#845532

Due to a regression, when mod_cache received a non-cacheable 304 response, the headers were served incorrectly. Consequently, compressed data could be returned to the client without the cached headers to indicate the data was compressed. An upstream patch has been applied to merge response and cached headers before data from the cache is served to the client. As a result, cached data is now correctly interpreted by the client.

BZ#853128

In a proxy configuration, certain response-line strings were not handled correctly. If a response-line without a "description" string was received from the origin server, for a non-standard status code, such as the "450" status code, a "500 Internal Server Error" would be returned to the client. This bug has been fixed so that the original response line is returned to the client.

BZ#727342

The configuration directive "LDAPReferrals" is now supported in addition to the previously introduced "LDAPChaseReferrals".

BZ#767890

The AJP support module for "mod_proxy", "mod_proxy_ajp", now supports the "ProxyErrorOverride" directive. Consequently, it is now possible to configure customized error pages for web applications running on a backend server accessed via AJP.

BZ#833042

The "%posttrans" scriptlet which automatically restarts the httpd service after a package upgrade can now be disabled. If the file /etc/sysconfig/httpd-disable-posttrans exists, the scriptlet will not restart the daemon.

BZ#833043

The output of "httpd -S" now includes configured alias names for each virtual host.

BZ#840036

New certificate variable names are now exposed by "mod_ssl" using the "_DN_userID" suffix, such as "SSL_CLIENT_S_DN_userID", which use the commonly used object identifier (OID) definition of "userID", OID 0.9.2342.19200300.100.1.1.

BZ#873678

Due to a bug in the mod_mem_cache module, an aborted HTTP connection could result in a cached entity becoming corrupt. This update fixes mod_mem_cache to correctly handle aborted connections, thus avoiding cache corruption in this scenario.

Bug Fix

BZ#824559

Due to a syntax error in the usb.ids file, the lsusb utility failed to display a list of used USB devices. The syntax error has been removed from the usb.ids file and the lsusb utility now displays the information correctly.

Enhancement

BZ#839225, BZ#870363

The PCI ID numbers have been updated for the Beta and the Final compose lists.

CVE-2012-0247

A flaw was found in the way ImageMagick processed images with malformed Exchangeable image file format (Exif) metadata. An attacker could create a specially-crafted image file that, when opened by a victim, would cause ImageMagick to crash or, potentially, execute arbitrary code.

CVE-2012-0248

A denial of service flaw was found in the way ImageMagick processed images with malformed Exif metadata. An attacker could create a specially-crafted image file that, when opened by a victim, could cause ImageMagick to enter an infinite loop.

CVE-2012-0260

A denial of service flaw was found in the way ImageMagick decoded certain JPEG images. A remote attacker could provide a JPEG image with specially-crafted sequences of RST0 up to RST7 restart markers (used to indicate the input stream to be corrupted), which once processed by ImageMagick, would cause it to consume excessive amounts of memory and CPU time.

BZ#804546

The fix for Red Hat Bugzilla bug 694922, provided by the RHSA-2012:0301 ImageMagick update, introduced a regression. Attempting to use the "convert" utility to convert a PostScript document could fail with a "/undefinedfilename" error. With this update, conversion works as expected.

BZ#845246

Previously, the kpartx utility was not called with the "-p p" option in the netfs init script. Consequently, inconsistent partition mappings occurred. This bug has been fixed and kpartx is now called as expected.

BZ#818313

If the client requested keys for encryption types that the server did not support, and the requested key was not returned, the ipa-getkeytab utility, and consequently the client enrollment, failed. With this update, the ipa-getkeytab utility has been modified to no longer fail if the key is not retrieved; a warning message is now displayed instead.

BZ#813387

During the installation, the ipa-client-install utility created a zero-length /etc/sysconfig/network file. Consequently, the information about the network configuration was not specified. The underlying source code has been modified and the installation process no longer erases the configuration file.

BZ#816693

If the client requested keys for encryption types that the server did not support, and the requested key was not returned, the ipa-getkeytab utility, and consequently the client enrollment, failed. With this update, the ipa-getkeytab utility has been modified to no longer fail if the key is not retrieved; a warning message is now displayed instead.

BZ#738965

Prior to this update, the print_route() could, udner circumstances use the wrong "hz" value. As a consequence, the "ip route show" option returned an incorrect value for rto_min (minimum TCP retransmission timeout). This update modifies the underlying code to identify the different "hz" values. Now, the correct rto_min value is displayed.

BZ#751285

Prior to this update, the tc command-line utility generated a wrong filter match for the IPv6 "priority", the resulting match did not reflect the IPv6 header field proper. This update modifies the underlying code to match the IPv6 "Priority" header as expected.

BZ#750702

Prior to this update, the iprutils suite did not correctly compute the size of the serial number. As a consequence, the attempt to delete arrays could fail. This update modifies the serial number comparison and increases the buffer size for new adapter configuration data.

BZ#843639

Prior to this update, iprconfig tool failed to delete RAID arrays. This update modifies the underlying code by sending the "START_STOP_STOP" executible before deleting the device. Now, RAID arrays are deleted as expected.

BZ#852735

Under certain circumstances, the racoon daemon terminated unexpectedly due to referencing a NULL pointer when writing to the system log. The update ensures that the NULL pointer is never referenced by racoon in this scenario, thus fixing this bug.

BZ#852734

When using the setkey command to dump the pfkey database, the setkey command could decrease the size of a kernel buffer that is used to send the data. Consequently, the dumped database was incomplete and the operation failed with an error in the recv() function. With this update, setkey never decreases the kernel buffer size, thus preventing this bug.

BZ#847729

A new iptables module has been added that allows to configure the Differentiated Services Code Point (DSCP) match extension for the IPv6 protocol.

BZ#849661

The source RPM package for the iSCSI user-space driver, iscsiuio, did not include the NEW and AUTHORS files as required by the GNU packaging guidelines, and did not set the automake foreign option. The iscsiuio autoconf script uses libtool macros, but libtool was not specified as a build requirement in the RPM spec file. Consequently, attempting to rebuild the source RPM package in an environment with automake installed failed. Attempting to rebuild the source RPM package in an environment with autoconf installed, but without libtool, failed. The iscsiuio source has been updated to set the foreign automake option, in order to disable strict enforcing of the GNU packaging guidelines. In addition, libtool has been added as a build requirement for iscsi-initiator-utils, so that the required autoconf macros are available at build time. As a result, the iscsi-initiator-utils package can be built from the source RPM in a build environment that has automake and autoconf installed.

BZ#798178

Some iSCSI offload hardware requires the network interface to be "up" to function properly. Previously, this required additional network configuration steps before starting iSCSI. With this update, when the iSCSI daemon (iscsid) is starting an offloaded iSCSI session, the operational state of the associated network interface is now checked. The network interface is brought into an administrative up state automatically if needed. Offloaded iSCSI sessions can now be established without manually configuring the network interface first, iscsid will bring the interface up if needed.

BZ#729502

Previously, the CCacheInputStream class could not to read Kerberos ticket cache files as it failed to handle the configuration settings stored in the ticket cache file under a special principal name. The configuration credentials are now ignored and the ticket cache is parsed correctly. Also, the initial context token generated by the GSSAPI/SPNEGO plug-in was previously rejected by the MIT Kerberos library due to incorrect data type of the reqFlags and NegTokenInit fields. The fields now use the correct data types.

BZ#808293

A JStack exception was thrown when a program was trying to capture both java and native stacktrace (mixed mode). Safety checks have been added and the problem no longer occurs.

Security Fixes

CVE-2012-1711, CVE-2012-1719

Multiple flaws were discovered in the CORBA (Common Object Request Broker Architecture) implementation in Java. A malicious Java application or applet could use these flaws to bypass Java sandbox restrictions or modify immutable object data.

CVE-2012-1716

It was discovered that the SynthLookAndFeel class from Swing did not properly prevent access to certain UI elements from outside the current application context. A malicious Java application or applet could use this flaw to crash the Java Virtual Machine, or bypass Java sandbox restrictions.

CVE-2012-1713

Multiple flaws were discovered in the font manager's layout lookup implementation. A specially-crafted font file could cause the Java Virtual Machine to crash or, possibly, execute arbitrary code with the privileges of the user running the virtual machine.

CVE-2012-1723, CVE-2012-1725

Multiple flaws were found in the way the Java HotSpot Virtual Machine verified the bytecode of the class file to be executed. A specially-crafted Java application or applet could use these flaws to crash the Java Virtual Machine, or bypass Java sandbox restrictions.

CVE-2012-1724

It was discovered that the Java XML parser did not properly handle certain XML documents. An attacker able to make a Java application parse a specially-crafted XML file could use this flaw to make the XML parser enter an infinite loop.

CVE-2012-1718

It was discovered that the Java security classes did not properly handle Certificate Revocation Lists (CRL). CRL containing entries with duplicate certificate serial numbers could have been ignored.

CVE-2012-1717

It was discovered that various classes of the Java Runtime library could create temporary files with insecure permissions. A local attacker could use this flaw to gain access to the content of such temporary files.

Security Fixes

CVE-2012-1682

It was discovered that the Beans component in OpenJDK did not perform permission checks properly. An untrusted Java application or applet could use this flaw to use classes from restricted packages, allowing it to bypass Java sandbox restrictions.

CVE-2012-0547

A hardening fix was applied to the AWT component in OpenJDK, removing functionality from the restricted SunToolkit class that was used in combination with other flaws to bypass Java sandbox restrictions.

Security Fixes

CVE-2012-5086, CVE-2012-5084, CVE-2012-5089

Multiple improper permission check issues were discovered in the Beans, Swing, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2012-5068, CVE-2012-5071, CVE-2012-5069, CVE-2012-5073, CVE-2012-5072

Multiple improper permission check issues were discovered in the Scripting, JMX, Concurrency, Libraries, and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2012-5079

It was discovered that java.util.ServiceLoader could create an instance of an incompatible class while performing provider lookup. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.

CVE-2012-5081

It was discovered that the Java Secure Socket Extension (JSSE) SSL/TLS implementation did not properly handle handshake records containing an overly large data length value. An unauthenticated, remote attacker could possibly use this flaw to cause an SSL/TLS server to terminate with an exception.

CVE-2012-5075

It was discovered that the JMX component in OpenJDK could perform certain actions in an insecure manner. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information.

CVE-2012-4416

A bug in the Java HotSpot Virtual Machine optimization code could cause it to not perform array initialization in certain cases. An untrusted Java application or applet could use this flaw to disclose portions of the virtual machine's memory.

CVE-2012-5077

It was discovered that the SecureRandom class did not properly protect against the creation of multiple seeders. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information.

CVE-2012-3216

It was discovered that the java.io.FilePermission class exposed the hash code of the canonicalized path name. An untrusted Java application or applet could possibly use this flaw to determine certain system paths, such as the current working directory.

CVE-2012-5085

This update disables Gopher protocol support in the java.net package by default. Gopher support can be enabled by setting the newly introduced property, "jdk.net.registerGopherProtocol", to true.

Security Fix

CVE-2012-5676, CVE-2012-5677, CVE-2012-5678

This update fixes three vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed in the Adobe Security bulletin APSB12-27. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content.

Security Fix

CVE-2012-5274, CVE-2012-5275, CVE-2012-5276, CVE-2012-5277, CVE-2012-5278, CVE-2012-5279, CVE-2012-5280

This update fixes several vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed in the Adobe Security bulletin APSB12-24. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content.

Security Fix

CVE-2012-5248, CVE-2012-5249, CVE-2012-5250, CVE-2012-5251, CVE-2012-5252, CVE-2012-5253, CVE-2012-5254, CVE-2012-5255, CVE-2012-5256, CVE-2012-5257, CVE-2012-5258, CVE-2012-5259, CVE-2012-5260, CVE-2012-5261, CVE-2012-5262, CVE-2012-5263, CVE-2012-5264, CVE-2012-5265, CVE-2012-5266, CVE-2012-5267, CVE-2012-5268, CVE-2012-5269, CVE-2012-5270, CVE-2012-5271, CVE-2012-5272

This update fixes several vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security page APSB12-22. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content.

Security Fixes

CVE-2012-1535, CVE-2012-4163, CVE-2012-4164, CVE-2012-4165, CVE-2012-4166, CVE-2012-4167

This update fixes several vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security pages APSB12-18 and APSB12-19. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content.

CVE-2012-4168

A flaw in flash-plugin could allow an attacker to obtain sensitive information if a victim were tricked into visiting a specially-crafted web page.

Security Fixes

CVE-2012-2034, CVE-2012-2035, CVE-2012-2036, CVE-2012-2037, CVE-2012-2039

This update fixes several vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security page APSB12-14.

Several security flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially-crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content.

CVE-2012-2038

A flaw in flash-plugin could allow an attacker to obtain sensitive information if a victim were tricked into visiting a specially-crafted web page.

Security Fixes

CVE-2012-0779

This update fixes one vulnerability in Adobe Flash Player. This vulnerability is detailed on the Adobe security page APSB12-09, listed in associated with each description below. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the specially-crafted SWF content.

Security Fix

CVE-2012-0773

This update fixes one vulnerability in Adobe Flash Player. This vulnerability is detailed on the Adobe security page APSB12-07, listed in associated with each description below. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the specially-crafted SWF content.

Security Fixes

CVE-2012-0768

This update fixes two vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security page APSB12-05.

A flaw was found in the way flash-plugin displayed certain SWF content. An attacker could use this flaw to create a specially-crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content.

CVE-2012-0769

A flaw in flash-plugin could allow an attacker to obtain sensitive information if a victim were tricked into visiting a specially-crafted web page.

Security Fix

CVE-2012-1531, CVE-2012-3216, CVE-2012-4820, CVE-2012-4822, CVE-2012-5073, CVE-2012-5079, CVE-2012-5081, CVE-2012-5083, CVE-2012-5084

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.

Security Fix

CVE-2012-1713, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.

Security Fix

CVE-2011-3563, CVE-2012-0499, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506

This update fixes several vulnerabilities in the IBM Java 1.4.2 Runtime Environment and the IBM Java 1.4.2 Software Development Kit. Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.

Security Fix

CVE-2012-1531, CVE-2012-3143, CVE-2012-3216, CVE-2012-4820, CVE-2012-4822, CVE-2012-5069, CVE-2012-5071, CVE-2012-5073, CVE-2012-5075, CVE-2012-5079, CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5089

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.

Security Fix

CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1725

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.

Security Fix

CVE-2011-3389, CVE-2011-3557, CVE-2011-3560, CVE-2011-3563, CVE-2012-0498, CVE-2012-0499, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507

This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.

Security Fix

CVE-2012-0547, CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-1682, CVE-2012-3143, CVE-2012-3159, CVE-2012-3216, CVE-2012-4820, CVE-2012-4822, CVE-2012-4823, CVE-2012-5068, CVE-2012-5069, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5075, CVE-2012-5079, CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5089

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.

Security Fix

CVE-2012-0551, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1721, CVE-2012-1722, CVE-2012-1725

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.

Security Fix

CVE-2011-3563, CVE-2011-5035, CVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2012-0500, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507

This update fixes several vulnerabilities in the IBM Java 6 Runtime Environment and the IBM Java 6 Software Development Kit. Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.

BZ#868174

Prior to this update, the java-1.6.0-sun-plugin package did not contain an architecture-specific dependency on the java-1.6.0-sun package. Consequently, an error occurred during package unpacking when installation was done in a specific sequence. With this update the dependency has been added, and the aforementioned error no longer occurs.

Security Fix

CVE-2012-0547, CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-3143, CVE-2012-3159, CVE-2012-3216, CVE-2012-4416, CVE-2012-5068, CVE-2012-5069, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5075, CVE-2012-5077, CVE-2012-5079, CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5085, CVE-2012-5086, CVE-2012-5089

This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory and Oracle Security Alert pages.

Security Fix

CVE-2012-0551, CVE-2012-1711, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1721, CVE-2012-1722, CVE-2012-1723, CVE-2012-1724, CVE-2012-1725

This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch page.

Bug Fix

BZ#865102

Previously, jpackage-utils did not install java-1.7.0 directories in the /usr/share/ and /usr/lib/ directories. This caused failures when running the build-classpath script with Java 7 set as the javac alternative. These directories are now created and the build-classpath script works as expected with Java 7.

BZ#622981

Prior to this update, the "bin/unicode_start" script was called twice. As a consequence, "unicode_start" with environment variables set to "BASH_ENV=~/.bashrc" and "TERM=linux" could enter an infinite loop. This update modifies the "/etc/unicode_start" init script so that "unicode_start" is now called once and no longer causes a loop.

BZ#500399

If multiple users were using a KDE desktop on the same machine (for example by using the XDMCP protocol), only one user was able to lock the desktop. A patch has been applied to address this problem, and all users can now lock their desktops in the described scenario.

BZ#663638

Previously, the kdebase package did not honor mount options set in the HAL configuration files. This update corrects the problem, so that kdebase honors these mount options.

BZ#669354

On 64-bit systems, if the user changed time backwards, the KWin window manager incorrectly detected applications as not responding. This was due to a timestamp problem, which has been corrected, and KWIN no longer incorrectly reports applications as not responding.

Security Fixes

CVE-2013-2206, Important

A flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled duplicate cookies. If a local user queried SCTP connection information at the same time a remote attacker has initialized a crafted SCTP connection to the system, it could trigger a NULL pointer dereference, causing the system to crash.

CVE-2013-2224, Important

It was found that the fix for CVE-2012-3552 released via RHSA-2012:1540 introduced an invalid free flaw in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to corrupt kernel memory via crafted sendmsg() calls, allowing them to cause a denial of service or, potentially, escalate their privileges on the system.

CVE-2013-2232, Moderate

An invalid pointer dereference flaw was found in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system by using sendmsg() with an IPv6 socket connected to an IPv4 destination.

CVE-2013-2147, CVE-2013-2164, CVE-2013-2234, CVE-2013-2237, Low

Information leak flaws in the Linux kernel could allow a privileged, local user to leak kernel memory to user-space.

Bug Fixes

BZ#948187

Switching the FPU context was not properly handled in certain environments, such as systems with multi-core AMD processors using the 32-bit kernel. When running multiple instances of the applications using the FPU frequently, data corruption could occur because processes could often be restored with the context of another instance. This update applies series of patches that modifies the kernel's FPU behavior: the "lazy" FPU context switch is temporarily disabled after 5 consecutive context switches using the FPU, and restored again after the context is switched 256 times. The aforementioned data corruption problem no longer occurs.

BZ#972583

Due to a bug in memory management, a kernel thread process could become unresponsive for a significant amount of time, waiting for a quota of dirty pages to be met and written out, which caused a kernel panic. With this update, memory management allows processes to break out of the throttle loop if there are no more dirty pages available to be written out. This prevents a kernel panic from occurring in this situation.

BZ#976441

Previously, an NFS client could sometimes cache negative dentries until the page cache was flushed or the directory listing operation was performed on the parent directory. As a consequence, an incorrect dentry was never normally revalidated and a stat call always failed, providing incorrect results. This was caused by an incorrect resolution of an attribute indicating a cache change (cache_change_attribute) along with insufficient flushing of cached directories. A series of patches has been backported to resolve this problem so the cache_change_attribute is now updated properly and the cached directories are flushed more readily.

BZ#979920

Due to a segment register that was not reset after a transition to protected mode, a bug could have been triggered in certain older versions of the upstream kernel (the kernel 3.9 - 3.9.4), preventing a guest system from booting and rendering it unresponsive on certain Intel Virtualization Technology (VT) hardware. On the newer kernels, this behavior had a significant impact on the booting speed of virtual machines. This update applies a patch providing early segment setup for the VT feature which allows executing VT under KVM. Guest machines no longer hang on boot and the booting process is now significantly faster when using 64-bit Intel hardware with the VT feature enabled.

BZ#980811

A previous change in the port auto-selection code allowed sharing ports with no conflicts extending its usage. Consequently, when binding a socket with the SO_REUSEADDR socket option enabled, the bind(2) function could allocate an ephemeral port that was already used. A subsequent connection attempt failed in such a case with the EADDRNOTAVAIL error code. This update applies a patch that modifies the port auto-selection code so that bind(2) now selects a non-conflict port even with the SO_REUSEADDR option enabled.

BZ#983452

Due to a bug in the networking stack, the kernel could attempt to deference a NULL pointer if a VLAN was configured on top of a GRE tunnel and network packets were transmitted, which resulted in a kernel panic. A patch has been applied to fix this bug by modifying the net driver to test a VLAN hardware header for a NULL value properly. The kernel no longer panics in this scenario.

BZ#983628

The memory management code specific to the AMD64 and Intel 64 architectures previously did not contain proper memory barriers in the smp_invalidate_interrupt() routine. As a consequence, CPUs on AMD64 and Intel 64 systems containing modulo 8 number of CPUs (8, 16, 24 and so on) could sometimes heavily compete for spinlock resources, spending most of the CPU time by attempts to acquire spinlocks. Such systems could therefore rarely appear to be unresponsive with a very slow computing progress. This update applies a patch introducing proper memory barriers in the smp_invalidate_interrupt() routine so the problem can no longer occur.

BZ#987976

A panic could occur in the XEN hypervisor due to a race in the XEN's tracing infrastructure. The race allows an idle vCPU to attempt to log a trace record while another vCPU executes a hypercall to disable the active tracing using the xenmon.py performance monitoring utility. To avoid triggering the panic, the respective BUG_ON() routine call in the trace code has been replaced with a simple test condition. The XEN hypervisor no longer crashes due to aforementioned race condition.

Security Fixes

CVE-2012-5515, Moderate

It was found that the Xen hypervisor implementation did not perform range checking on the guest provided values in multiple hypercalls. A privileged guest user could use this flaw to trigger long loops, leading to a denial of service (Xen hypervisor hang).

CVE-2012-1568, Low

It was found that when running a 32-bit binary that uses a large number of shared libraries, one of the libraries would always be loaded at a predictable address in memory. An attacker could use this flaw to bypass the Address Space Layout Randomization (ASLR) security feature.

CVE-2012-4444, Low

A flaw was found in the way the Linux kernel's IPv6 implementation handled overlapping, fragmented IPv6 packets. A remote attacker could potentially use this flaw to bypass protection mechanisms (such as a firewall or intrusion detection system (IDS)) when sending network packets to a target system.

Bug Fixes

BZ#884702

Due to a regression introduced by a recent update of the be2net driver, 10Gb NICs configured to use multiple receive queues across multiple CPUs were restricted to use a single receive queue on a single CPU. This resulted in significant performance degradation. With this update, the be2net driver has been corrected to provide support for multiple receive queues on 10Gb NICs as expected.

BZ#884708

Under certain circumstances, a race between certain asynchronous operations, such as "silly rename" and "silly delete", and the invalidate_inodes() function could occur when unmounting an NFS file system. Due to this race, the system could become unresponsive, or a kernel oops or data corruption could occur if an inode was removed from the list of inodes while the invalidate_inodes() function performed an iteration on the inode. This update modifies the NFS code to wait until the asynchronous operations are finished before performing inode clean-up. The race condition no longer occurs and an NFS file system is unmounted as expected.

BZ#884740

Previously, if a target sent multiple local port logout (LOGO) events, the fc_rport_work() function in the Fibre Channel library module (libfc) tried to process all of them, irrespective of the status of processing prior to the LOGO events. Consequently, fc_rport_work() terminated unexpectedly with a stack trace. This update simplifies the remote port (rport) restart logic by making the decision to restart after deleting the transport rport. Now, all I/O operations run as expected and fc_rport_work() no longer crashes in the described scenario.

BZ#884742

With Red Hat Enterprise Linux 5.9, a patch that fixed IGMP reporting bug in a network bridge was backported to the bonding code from Red Hat Enterprise Linux 6. However, two other patches related to the problem were not included. This update backports these patches from Red Hat Enterprise Linux 6. Specifically, the first patch fixing a NULL pointer deference that could occur if the master bond was not a network bridge. The patch adds a testing condition which prevents the code from dereferencing a NULL pointer. The second patch introduces a hook that allows to identify which bridge port is used for the master bridge interface and modifies the bonding code to use new functions to determine whether the used bond is a network bridge.

BZ#885062

Previously, the Xen kernel used the memory size found at the "0x40e" address as the beginning of the Extended BIOS Data Area (EBDA). However, this is not valid on certain machines, such as Dell PowerEdge R710, which caused the system to become unresponsive during boot on these machines. This update modifies the kernel to use the multiboot structure to acquire the correct location of EBDA and the system boot now proceeds as expected in this scenario.

BZ#885692

A previous change in the tg3 driver corrected a bug causing DMA read engine of the Broadcom BCM5717 Ethernet controller to initiate multiple DMA reads across the PCIe bus. However, the original bug fix used the CHIPREV_ID_5717_A0 macro which is more restrictive so that the DMA read problem was not fixed for the Broadcom BCM5718 Ethernet controller. This update modifies the code to use the ASIC_REV_5717 macro, which corrects the original bug properly.

BZ#885700

Previously, when hot-unplugging a USB serial adapter device, the USB serial driver did not properly clean up used serial ports. Therefore, when hot-plugging the USB serial device again, the USB serial driver allocated new port IDs instead of using previously used ports. This update modifies the USB serial driver to clean up open ports correctly so that the ports can be reused next time the device is plugged in.

BZ#886124

Previously, GFS2 did not properly free directory hash table memory from cache when the directory was removed from cache. If the same GFS2 inode was later reused as another directory, the stale directory hash table was reused instead of reading the correct information from the media. If the GFS2 hash table was not reused, a small amount of memory was lost until the next reboot. If the hash table was reused, the directory could become corrupt. Later, GFS2 could discover the file system inconsistency and withdraw from the file system, making it unavailable until the system was rebooted. This update applies a patch to the kernel that frees the directory hash table correctly from cache and prevents this file system corruption.

BZ#886876

Certain recent Intel input/output memory management unit (IOMMU) systems reported very large numbers of supported mapping domains. Consequently, if the number was too large, booting a system with the intel_iommu kernel parameter enabled (intel_iommu=on) failed with the following error message:

Allocating domain array failed.

With this update, a limit of 4000 domains is set to avoid the described problems.

Bug Fixes

BZ#563247

Under memory pressure, memory pages that are still a part of a checkpointing transaction can be invalidated. However, when the pages were invalidated, the journal head was re-filed onto the transactions' forget list, which caused the current running transaction's block to be modified. As a result, block accounting was not properly performed on that modified block because it appeared to have already been modified due to the journal head being re-filed. This could trigger an assertion failure in the "journal_commit_transaction()" function on the system. With this update, the "b_modified" flag is cleared before the journal head is filed onto any transaction, and assertion failures no longer occur.

BZ#862811

On certain platforms, the be2net driver could incorrectly indicate UE bits and stop further access to be2net-based network interface cards (NICs). With this update, these UE bits are ignored and if a real UE occurs, the corresponding hardware block will automatically go offline and stop the traffic.

BZ#857448

Previously, two threads could race to automount the same Distributed File System (DFS) share. The second thread called the do_add_mount() function after the first thread had completed the automount, and received a reference to the existing vfs_mount inserted by the first thread. Consequently, the new vfs_mount created by this thread for the mount process was dropped. This resulted in the use count for the dentry pointed to by vfs_mount to drop to -1 and the system terminated with a kernel panic. The underlying source code has been modified, and a kernel panic no longer occurs under these circumstances.

BZ#854067

A bug in the ipvs code caused insufficient performance of the Transmission Control Protocol (TCP) when generic receive offload (GRO) or generic segmentation offload (GSO) was enabled on a machine running the IP Virtual Server (IPVS) or Linux Virtual Server (LVS). The TCP connection continued to work, however, only by retransmitting all data, as only TCP segments with a single packet were allowed to go through. This update allows reception of GRO-aggregated packet buffers, through the IPVS framework. On transmission the GSO-aggregated packet buffer is automatically deaggregated by GSO. Use of GSO/GRO together with this update will result in an improved throughput and lower CPU utilization.

BZ#852526

Prior to this update, a process of continuously opening and closing a file within a second could prevent the data cache of a file from ever expiring. This resulted in stale data being presented on the client. With this update, the modify time and size stored in cache for an existing inode are compared with the modify time and size returned by the open() call; the cache is invalidated if the values differ.

BZ#850977

To resolve a kernel panic that occurred under certain circumstances, an upstream cleanup patch for VFS automount support was backported to Red Hat Enterprise Linux 5, which also fixed the panic. This upstream change occurred after the VFS automount support was added to Red Hat Enterprise Linux 5 so was not present.

BZ#840642

An unnecessary check for the RXCW.CW bit could cause the Intel e1000e NIC (Network Interface Controller) to not work properly. The check has been removed so that the Intel e1000e NIC now works as expected.

BZ#839753

When attempting to mount a NFS share twice on the same mount point, a check in the do_add_mount() function causes an error to be returned. However, when using the "noac" option, the user was abe to mount the same share on the same mount point multiple times. This was because the "noac" option was automatically assigned the MS_SYNCHRONOUS flag in the nfs_initialise_sb() function. This flag was set after the check for already existing superblocks had been performed in the sget() function, and was therefore not taken into account during the check of mount flags. This update checks for the "noac" option and assigns the MS_SYNCHRONOUS fag before sget() is called to obtain an already existing superblock structure. As a result, it is no longer possible to mount a NFS share on the same location multiple times.

BZ#836244

Failures and errors could occur due to a NULL pointer dereference in the vm_enough_memory() function. To prevent such problems, the NULL checking has been revised

BZ#835660

Previously, if a command timed out to a device with a reservation conflict, the SCSI error handling marked the device as offline. This was because the RESERVATION_CONFLICT return code was treated as a fatal error when a TUR command was sent to confirm that the device was reachable and responding. Consequently, the error handling progressed to the next error routine, eventually marking the device offline. The error processing in the scsi_eh_completed_normally() function has been changed to consider RESERVATION_CONFLICT for a TUR command as success. This causes the scsi_eh_tur() call to pass successfully, and the devices are no longer set as offline.

BZ#834562

An insufficiently designed calculation in the CPU accelerator in the previous kernel caused an arithmetic overflow in the sched_clock() function when system uptime exceeded 208.5 days. This overflow led to a kernel panic on systems using the Time Stamp Counter (TSC) or Virtual Machine Interface (VMI) clock source. This update corrects the aforementioned calculation so that this arithmetic overflow and kernel panic can no longer occur under these circumstances.

BZ#746122

The way how the kernel processes dentries in the dcache when unmounting file systems allowed the concurrent activity on the list of dentries. If the list was large enough, the kernel could, under certain circumstances, panic due to NMI watchdog timeout triggered by the waiting concurrent process. This update modifies underlying functions to use a private dcache list for certain operations on the dcache so that concurrent activities are no longer affected in this scenario.

BZ#834379

When two processes attempted to automount an NFS file system at the same time, an account usage error occurred in the dentry of the mount point, leading to EBUSY errors when trying to unmount the file system. In addition, a kernel panic could occur when the automount timeout expired or the shutdown procedure tried to unmount the file system. This was because the vfsmount structure was missing a reference of the mount point. This update ensures that a reference of the mount point is placed on the vfsmount structure before the do_add_mount() function is called. The NFS file system can now be unmounted as expected, and the kernel panic no longer occurs in this scenario.

BZ#833000

Previously, the SAS-2 tape drive was not detected after connecting it to a SATA/SAS Storage Control Unit (SCU) port. This was because the speed values in the isci driver were not updated and the negotiated connection speed for the SAS-2 device was therefore incorrect. With this update, the PHY_LINKRATE values defined in the scsi_transport_sas header file are now used, which ensures correct detection of SAS-2 devices.

BZ#822166

A race condition between a device being opened and the device being disconnected occurred in the evdev code. During this condition, the evdev structure for a device continued to be used after it had been freed. If the memory was reallocated afterward and zeroed by the new owner, the evdev_open() function could become stuck and generate a soft lockup. This update directly uses a kref structure to implement proper reference counting, which prevents the race condition from occurring in this scenario.

BZ#819830

Previously, when listing of IPv6 routing table was prematurely ended, it could cause corruption of that table, leading to various problems, including a kernel panic. To prevent the problems, the routing table is now traversed correctly.

BZ#818787

An insufficiently designed calculation in the CPU accelerator in the previous kernel caused an arithmetic overflow in the sched_clock() function when system uptime exceeded 208.5 days. This overflow led to a kernel panic on the systems using the Time Stamp Counter (TSC) or Virtual Machine Interface (VMI) clock source. This update corrects the calculation so that this arithmetic overflow and kernel panic can no longer occur under these circumstances. Note: This advisory does not include a fix for this bug for the 32-bit architecture

BZ#753244

The function that used to find a resource block (rsb) during directory recovery was searching the rsb's single linear list, which took an excessive amount of time. Consequently, recovery of Distributed Lock Manager (DLM) could take a long time. With this update, the standard hash table is used to find the rsb, which decreases the search time, and DLM recovery finishes in a reasonable time.

BZ#749813

If the IP stack proper is accessed from bridge netfilter, the socket buffer needs to be in a form the IP stack expects. Previously, the entry point on the NF_FORWARD hook did not meet the requirements of the IP stack. Consequently, hosts could terminate unexpectedly. A backported upstream patch has been provided to address this issue and the crashes no longer occur in the described scenario.

BZ#814626

The kernel version 2.6.18-308.4.1.el5 contained several bugs which led to an overrun of the NFS server page array. Consequently, any attempt to connect an NFS client running on Red Hat Enterprise Linux 5.8 to the NFS server running on the system with this kernel caused the NFS server to terminate unexpectedly and the kernel to panic. This update corrects the bugs causing NFS page array overruns and the kernel no longer crashes in this scenario.

BZ#809937

A process scheduler did not handle RPC priority wait queues correctly. Consequently, the process scheduler failed to wake up all scheduled tasks as expected after RPC timeout, which caused the system to become unresponsive and could significantly decrease system performance. This update modifies the process scheduler to handle RPC priority wait queues as expected. All scheduled tasks are now properly woken up after RPC timeout and the system behaves as expected.

BZ#756506

A kernel panic occurred when the size of a block device was changed and I/O was issued at the same time. This was because the direct and non-direct I/O code was written with the assumption that the block size would not change. This update introduces a new read-write lock, bd_block_size_semaphore. The lock is taken for read during I/O and for write when changing block size. As a result, block size cannot be changed while I/O is being submitted. This prevents the kernel from crashing in the described scenario.

BZ#808489

Previously, requests for large data blocks with the ZSECSENDCPRB ioctl() system call failed due to an invalid parameter. A misleading error code was returned, concealing the real problem. With this update, the parameter for the ZSECSENDCPRB request code constant is validated with the correct maximum value. Now, if the parameter length is not valid, the EINVAL error code is returned, thus fixing this bug.

BZ#805799

A bug in the vsyscall interface caused 32-bit multi-threaded programs, which received the SIGCANCEL signal right after they returned from a system call, to terminate unexpectedly with a segmentation fault when run on the AMD64 or Intel 64 architecture. A patch has been provided to address this issue and the crashes no longer occur in the described scenario.

BZ#804778

Previously, the restriction of the way epoll file descriptors could nest was overly aggressive. Consequently, certain applications were unable to add the desired number of epoll watches and possibly terminated unexpectedly or became unresponsive. With this update, there is no restriction on the number of epoll file descriptors that can be attached to the source file descriptor, thus preventing the described problems. Note that if an application requests a deeply-nested epoll file descriptor, the request fails gracefully rather that causing the kernel to terminate unexpectedly.

BZ#800653

The qla2xxx driver set up interrupts for Qlogic 4Gb Fibre Channel adapters incorrectly due to a bug in a test condition for MSI-X support. This update corrects the bug and qla2xxx now sets up interrupts as expected.

BZ#800575

When a slave started up, the active flags failed to be marked inactive while unsetting the current_arp_slave parameter. Consequently, more than one slave with active flags in active-backup mode could be present on the system. With this update, the active flags are properly marked inactive from a slave before the current_arp_slave is unset, thus preventing this bug.

BZ#799530

When the Fibre Channel (FC) layer sets a device to "running", the layer also scans for other new devices. Previously, there was a race condition between these two operations. Consequently, for certain targets, thousands of invalid devices were created by the SCSI layer and the udev service. This update ensures that the FC layer always sets a device to "online" before scanning for others, thus fixing this bug. Additionally, when attempting to transition priority groups on a busy FC device, the multipath layer retried immediately. If this was the only available path, a large number of retry operations was performed in a short period of time. Consequently, the logging of retry messages slowed down the system. This bug has been fixed by ensuring that the DM Multipath feature delays retry operations in the described scenario.

BZ#799170

When the kvmclock initialization was used in a guest, it could write to the time stamp counter (TSC) and, under certain circumstances, could cause the kernel to become unresponsive on boot. With this update, TSC synchronization, which is unnecessary due to kvmclock, has been disabled, thus fixing this bug.

BZ#798048

The mlx4 driver did not contain the necessary callbacks to implement Enhanced I/O Error Handling and recovery, so the PCI layer used the probe and remove callbacks to try to recover the device after an error occurred on the bus. However, a race condition occurred between these callbacks and the internal catastrophic error recovery functions which also detected the error, and consequently caused a kernel oops if both EEH and the internal recovery functions attempted to reset the device. This update adds the necessary error recovery callbacks and ensures that the internal catastrophic error functions do not try to reset the device in such scenarios. Also, additional calls have been added to suppress read and write operations on the bus when the slot cannot accept I/O operations, which prevents unnecessary accesses to the bus and speeds up the device removal.

BZ#797011

Due to a regression, the ifdef macro was used with an invalid value. Consequently, the tg3 driver did not support VLAN tagging and the vconfig utility was unable to configure VLAN tagging properly, thus blocking the network connection. This update removes incorrect usages of ifdef from the code and the VLAN support now works as expected.

BZ#771366

When using the Intel e1000e ethernet driver, the RXCW register's invalid bit (IV) was being set periodically due to incorrect register read logic for the 82571 Serializer-Deserializer (SERDES), which resulted in link flapping. The read logic has been improved: RXCW is now read twice to filter one-time false events and obtain correct values for the IV bit. Link flaps no longer occur in this scenario.

BZ#795672

Certain Broadcom devices, mostly the BMC5704 controllers, failed to work due to incorrect TSO (TCP Segmentation Offload) handling in the tg3 driver. The TSO handling code has been revised so that the devices now work as expected.

BZ#772192

Due to a bug in the qla2xxx driver and the HBA firmware, storage I/O traffic could become unresponsive during storage fault testing. With this update, these bugs have been fixed and the hangs no longer happen in the described scenario.

BZ#772216

Previously, secondary, tertiary, and other IP addresses added to bond interfaces could overwrite the bond->master_ip and vlan_ip values. Consequently, a wrong IP address could be occasionally used, the MII (Media Independent Interface) status of the backup slave interface went down, and the bonding master interfaces were switching. This update removes the master_ip and vlan_ip elements from the bonding and vlan_entry structures, respectively. Instead, devices are directly queried for the optimal source IP address for ARP requests, thus fixing this bug.

BZ#790900

When running more than 30 instances of the cclengine utility concurrently on IBM System z with IBM Communications Controller for Linux, the system could become unresponsive. This was caused by a missing wake_up() function call in the qeth_release_buffer() function in the QETH network device driver. This update adds the missing wake_up() function call and the system now responds as expected in this scenario.

BZ#773022

Due to a bug in the error clean-up code, the kernel could fail to boot when a tg3 NIC utilized the 4 KB transmit segmentation code but could not map all the physical memory fragments. This update rectifies the situation so that the tg3 driver no longer prevents the kernel from booting.

BZ#773735

When using the be2net driver, if a card was reset due to EEH (Enhanced Error Handling), the error recovery involves ring clean-up and re-creation. However, because worker threads touch this ring, there was a race condition that caused kernel to terminate unexpectedly. With this update, a worker thread is stopped during this clean-up process, thus preventing this bug.

BZ#790840

The QDIO (Queued Direct I/O) data transfer architecture maintains a "buffers-used" counter for its hardware buffers. If the buffers were returned in the ERROR state, the counter was updated incorrectly when running under the z/VM operating system with the QIOASSIST flag switched on. Consequently, the buffer handling logic in QDIO was working incorrectly. This update fixes the code to update the counter correctly in the described scenario, thus fixing this bug.

BZ#782124

When a network interface card (NIC) with a fan experiences a fan failure, the PHY chip is usually powered down by its firmware. Previously, the bnx2x driver did not handle fan failures correctly, which could trigger a non-maskable interrupt (NMI). Consequently, the kernel could crash or panic. This update modifies the bnx2x driver to handle fan failures properly, the NIC is now shut down as expected and the kernel does not crash in this scenario.

BZ#790103

A kernel panic could occur on IBM Power systems while running the fsfuzz test. This was caused by an attempt to perform an I/O operation on an unmapped buffer, which triggered a BUG_ON() function call. This update modifies the kernel so that I/O operations can be performed only on mapped buffers. The kernel no longer panics in this scenario.

BZ#782677

Due to recent changes in the tg3 driver, the driver attempted to use an already freed pointer to a socket buffer (SKB) when the NIC was recovering from unsuccessful memory mapping. Consequently, the NIC went offline and the kernel panicked. With this update, the SKB pointer is newly allocated in this scenario. The NIC recovers as expected and a kernel panic does not occur. Also, the tg3 driver could, under certain circumstances, attempt to unmap a memory fragment that had not been mapped. Consequently, the kernel panicked. This update fixes the bug by correcting the "last" parameter supplied.

BZ#782790

A recent change in the QLogic qla2xxx driver introduced a bug which could, under rare circumstances, cause the system to become unresponsive. This problem occurred during I/O error recovery on systems using SAN configurations with QLogic Fibre Channel Hot Bus Adapters (HBAs). This update corrects the qla2xxx driver so the system no longer hangs in this scenario.

BZ#788777

When SAS (Serial Attached SCSI) disks were present on the system and the CK_COND=1 parameter was set in the Command Descriptor Block (CDB), the SAT ATA PASS-THROUGH commands produced a large number of irrelevant warning messages, clogging up logs with useless information. With this update, the logging has been disabled in the described scenario, thus fixing this bug.

BZ#783043

An Ethernet physical transceiver (a PHY chip) was always powered up when a network interface card (NIC) using the igb driver was brought down. Recent changes had modified the kernel so that the PHY chip was powered down in such a scenario. With this PHY power saving feature, the PHY chip could unexpectedly lose its settings on rare occasions. Consequently, the PHY chip did not recover after the NIC had been re-attached and the NIC could not be brought up. The igb driver has been modified so that the PHY chip is now reset when the NIC is re-attached to the network. NICs using the igb driver are brought up as expected.

BZ#783540

Previously, a kernel panic could occur on IBM S/390 systems after a reboot. This happened due to a race condition between the raw3215_tasklet() and the tty3215_close() functions, which could result in calling the tty_wakeup() function with either a NULL pointer or with a pointer to an already freed tty structure. This update prevents the race condition by adding the tasklet_kill() function call to the tty3215_close() function. The kernel no longer panics when closing the 3215 console on IBM S/390 systems.

BZ#785062

In NFSv4, both write and open code paths depended on the I_LOCK flag in inode->i_state. In addition to this, the write code path also needs the latest stateid returned by open to before it can proceed. It waits for this while holding the I_LOCK bit in inode->state. As a consequence, multi-threaded applications could be blocked when using NFSv4. With this update, the nfs_fhget() function has been modified to use the I_NEW flag for the open code path, thus fixing this bug.

BZ#789067

When USB hardware uses the ACM interface, there is a race condition that can lead to a system deadlock due to the spinlocks not disabling interrupts. This has been noticed through various types of softlockups. The only workaround is to reboot. The fix is common, when taking a spinlock, disable the interrupts too.

BZ#773777

When a single, large data stream was being written to an NFS server while other applications periodically wrote small amounts of data to a local file system, other applications could experience long pauses when dirty memory reaches the dirty_ratio limit. With this update, the code for COMMIT calls has been improved to not skip such calls if the system is under memory pressure and to allow high priority COMMIT calls to bypass inode commit locks. Now, the pauses in traffic no longer occur in the described scenario.

BZ#798809

The vfs-automount infrastructure assumes that the LOOKUP_DIRECTORY flag is included in nameidata flags if a trailing slash character (/) is given on a path being walked. But this flag is private to the __link_path_walk() function so it must be added when looking up the last component. Previously, during a path walk where the path included a trailing slash character, LOOKUP_DIRECTORY was not propagated to path walk functions. Consequently, directories that needed to trigger an automount failed to do so, which resulted in a -ENOTDIR error. This bug has been fixed and the error code is no longer returned in the described scenario.

BZ#804800

Starting with Red Hat Enterprise Linux 5.6, all devices that used the ixgbe driver would stop stripping VLAN tags when the device entered promiscuous mode. Placing a device in a bridge group causes the device to enter promiscuous mode. This caused various issues under certain configurations of bridging and VLANs. A patch has been provided to address this issue and the devices now properly strip VLAN tags in the driver whether in promiscuous mode or not.

BZ#848098

Previously, the code checking for a NULL pointer was incorrect; it checked for a non-NULL pointer instead. As a consequence, this could lead to a kernel panic. This update corrects the problem, so that the kernel no longer crashes in this scenario.

BZ#830226

Recent changes removing support for the Flow Director from the ixgbe driver introduced bugs that caused the RSS (Receive Side Scaling) functionality to stop working correctly on Intel 82599EB 10 Gigabit Ethernet network devices. This update corrects the return code in the ixgbe_cache_ring_fdir function and setting of the registers that control the RSS redirection table. Also, obsolete code related to Flow Director support has been removed. The RSS functionality now works as expected on these devices.

BZ#814418

If a path followed a symlink that ended with the slash ("/") character, the LOOKUP_DIRECTORY flag could be set earlier than the last path component. This led to an ENOTDIR (Not a directory) error. The LOOKUP_DIRECTORY flag is now propagated only for the last component. For the purpose of possible automounting, the flag is not needed for intermediate path components; the LOOKUP_CONTINUE flag is set in such a case. The ENOTDIR error no longer occurs in this scenario.

BZ#839770

In the ext4 file system, splitting an unwritten extent while using Direct I/O could fail to mark the modified extent as dirty, resulting in multiple extents claiming to map the same block. This could lead to the kernel or fsck reporting errors due to multiply claimed blocks being detected in certain inodes. In the ext4_split_unwritten_extents() function used for Direct I/O, the buffer which contains the modified extent is now properly marked as dirty in all cases. Errors due to multiply claimed blocks in inodes should no longer occur for applications using Direct I/O.

BZ#830351

On ext4 file systems, when the fallocate() system call failed to allocate blocks due to the ENOSPC condition (no space left on device) for a file larger than 4 GB, the size of the file became corrupted and, consequently, caused file system corruption. This was due to a missing cast operator in the ext4_fallocate() function. With this update, the underlying source code has been modified to address this issue, and file system corruption no longer occurs.

BZ#756091

Calculations for sizing certain memory allocation thresholds (dcache, files-max, ...) depend on the number of physical pages found in a system; this generally includes (occasionally a large amount of) non-RAM pages. Due to a miscalculated number of usable RAM pages, memory allocation thresholds calculation on large systems with discontiguous memory (such as modern NUMA systems) could result in bad sizing. This could impact workload performance. With this update, the aforementioned calculation basis has been switched to what actually is usable as storage (RAM). The sizing of the memory allocation thresholds is now fixed and they render the expected values when they are verified.

BZ#852340

A kernel panic can occur when attempting to create a Fibre Channel over Ethernet (FCoE) session on a network interface controller (NIC) with a virtual LAN (VLAN) enabled. Software-based Fibre Channel over Ethernet (FCoE) is a Technology Preview in Red Hat Enterprise Linux 5, and it is therefore recommended to use Red Hat Enterprise Linux 6 for fully supported software-based FCoE. The following hardware-accelerated FCoE cards are fully supported in Red Hat Enterprise Linux 5: Emulex LPFC, QLogic qla2xxx, Brocade BFA.

BZ#858724

This update changes Xen hypervisor's behavior introduced in the CVE-2012-2934 issue: the host was prevented from booting on AMD processors with the AMD #121 erratum applied. Users were prompted to pass the "allow_unsafe" parameter on the command line to allow booting the Xen host. However, this could prevent remotely managed hosts from being started. With this update, the boot process is no longer denied by default; only guest creation is denied. The allow_unsafe semantics has changed to allow creation of guests instead of allowing booting the host.

BZ#800708

Previously, the interrupt handlers of the qla2xxx driver could clear pending interrupts right after the IRQ lines were attached during system start-up. Consequently, the kernel could miss the interrupt that reported completion of the link initialization, and the qla2xxx driver then failed to detect all attached LUNs. With this update, the qla2xxx driver has been modified to no longer clear interrupt bits after attaching the IRQ lines. The driver now correctly detects all attached LUNs as expected.

BZ#782866

The Ethernet channel bonding driver reported the MII (Media Independent Interface) status of the bond interface in 802.3ad mode as being up even though the MII status of all of the slave devices was down. This could pose a problem if the MII status of the bond interface was used to determine if failover should occur. With this update, the agg_device_up() function has been added to the bonding driver, which allows the driver to report the link status of the bond interface correctly, that is, down when all of its slaves are down, in the 802.3ad mode.

BZ#712513

The kdump kernel maintains the configuration of MSI-X interrupts as created by the crashed kernel but enables only one CPU in the new environment. Previously, this caused the tg3 driver to abort MSI-X setup which caused interrupt delivery to fail. Consequently, the link became unavailable and any attempt to dump a core file to a remote host to failed. With this update, the tg3 driver has been modified to enforce single-vector MSI-X interrupt mode by disabling the multivector interrupt mode for tg3 in the kdump kernel. The NIC is now brought up as expected and kdump can successfully dump a core file to the remote host in this scenario.

BZ#683303

The bnx2x driver performed the initialization of hardware in a way that was unsafe if the previous instance of the driver terminated in an unclean manner. Consequently, the kernel could become unresponsive or panic while initializing the NIC in the kdump environment. With this update, the bnx2x driver has been modified to perform a safer initialization, solving the possible crash scenarios. The NIC is now initialized as expected and kdump can successfully dump a core file to a remote host when using the bnx2x driver.

BZ#845169

Previously, when Enhanced I/O Error Handling (EEH) detected an error while a firmware dump was being collected, a reset of the PCI adapter could have been triggered before the dumping operation could complete. As a consequence, the firmware dump was interrupted and recovery of the PCI adapter failed leaving the adapter in an inconsistent state. This update modifies the be2net driver to wait for the firmware dump to complete before resetting EEH. A core file is successfully dumped and the PCI adapter recovers as expected in this scenario.

BZ#842486

When bringing up a network interface with VLANs configured on top of it using the mlx4 driver, the kernel could panic due to a NULL pointer dereference. This was caused by the core networking code which called the VLAN addition routine before setting the VLAN device entry in the VLAN group table. This update modifies the mlx4 driver to prevent this behavior so that the VLAN device entry in now added to the VLAN group table before adding the VLAN and the kernel no longer panics in this scenario.

BZ#786403

Due to incorrect information provided by firmware, the netxen_nic driver did not calculate the correct Generic Segmentation Offload (GSO) length of packets that were received using the Large Receive Offload (LRO) optimization. This caused network traffic flow to be extensively delayed for the NICs using LRO on netxen_nic, which had a huge impact on NIC's performance (in some cases, throughput for some 1 GB NICs could be below 100 kbs). With this update, firmware now provides the correct GSO packet length and the netxen_nic driver has been modified to handle new information provided by firmware correctly. Throughput of the NICs using the LRO optimization with the netxen_nic driver is now within expected levels.

Enhancements

BZ#872612

The INET socket interface has been modified to send a warning message when the ip_options structure is allocated directly by a third-party module using the kmalloc() function.

BZ#640206

With this update, NIC speed and duplex information are now exported through sysfs. This feature allows users to determine the state and status of the NIC and it's connections.

BZ#605727

This update modifies IPMI to support configurable timeouts and retry attempts for the keyboard controller-style (KCS) interface. Ability to configure timeouts and retry attempts ensures that no IPMI requests or responses are dropped due to the default limit of the KCS host driver, which increases reliability of communication over KCS.

BZ#790841

With this update, the mlx4 driver has been upgraded to the The OpenFabrics Alliance Enterprise Distribution (OFED) level 1.5.4.1 with the exception of the XRC support. Among other changes, the update includes support for IBoE, which is, however, disabled by default, and a fix for a bug related to the mlx4 multicast support.

BZ#749246

The root user without the CAP_SYS_ADMIN capability was able to reset the contents of the "/proc/sys/kernel/dmesg_restrict" configuration file to 0. Consequently, the unprivileged root user could bypass the protection of the "dmesg_restrict" file and read the kernel ring buffer. This update ensures that only the root user with the CAP_SYS_ADMIN capability is allowed to write to the dmesg_restrict file. Any unauthorized attempt on writing to this file now fails with an EPERM error.

BZ#786168

An Ethernet physical transceiver (a PHY chip) was always powered up when a network interface card (NIC) using the igb driver was brought down. Recent changes had modified the kernel so that the PHY chip was powered down in such a scenario. With this PHY power saving feature, the PHY chip could unexpectedly lose its settings on rare occasions. Consequently, the PHY chip did not recover after the NIC had been re-attached and the NIC could not be brought up. The igb driver has been modified so that the PHY chip is now reset when the NIC is re-attached to the network. NICs using the igb driver are brought up as expected.

BZ#789369

The way how the kernel processes dentries in the dcache when unmounting file systems allowed the concurrent activity on the list of dentries. If the list was large enough, the kernel could, under certain circumstances, panic due to NMI watchdog timeout triggered by the waiting concurrent process. This update modifies underlying functions to use a private dcache list for certain operations on the dcache so that concurrent activities are no longer affected in this scenario.

BZ#790778

The Abstract Control Model (ACM) driver uses spinlocks to protect the lists of USB Request Blocks (URBs) and read buffers maintained by the driver. Previously, when a USB device used the ACM interface, a race condition between scheduled ACM tasklets could occur. Consequently, the system could enter a deadlock situation because tasklets could take spinlocks without disabling interrupt requests (IRQs). This situation resulted in various types of soft lockups ending up with a kernel panic. This update fixes the problem so that IRQs are disabled when a spinlock is taken. Deadlocks no longer occur and the kernel no longer crashes in this scenario.

BZ#790907

A recent change in the QLogic qla2xxx driver introduced a bug which could, under rare circumstances, cause the system to become unresponsive. This problem occurred during I/O error recovery on systems using SAN configurations with QLogic Fibre Channel Hot Bus Adapters (HBAs). This update corrects the qla2xxx driver so the system no longer hangs in this scenario.

BZ#790910

Due to recent changes in the tg3 driver, the driver attempted to use an already freed pointer to a socket buffer (SKB) when the NIC was recovering from unsuccessful memory mapping. Consequently, the NIC went offline and the kernel panicked. With this update, the SKB pointer is newly allocated in this scenario. The NIC recovers as expected and a kernel panic does not occur. Also, the tg3 driver could, under certain circumstances, attempt to unmap a memory fragment that had not been mapped. Consequently, the kernel panicked. This update fixes the bug by correcting the "last" parameter supplied.

BZ#790912

When a network interface card (NIC) with a fan experiences a fan failure, the PHY chip is usually powered down by its firmware. Previously, the bnx2x driver did not handle fan failures correctly, which could trigger a non-maskable interrupt (NMI). Consequently, the kernel could crash or panic. This update modifies the bnx2x driver to handle fan failures properly, the NIC is now shut down as expected and the kernel does not crash in this scenario.

CVE-2012-3375, Moderate

The fix for CVE-2011-1083 (RHSA-2012:0150) introduced a flaw in the way the Linux kernel's Event Poll (epoll) subsystem handled resource clean up when an ELOOP error code was returned. A local, unprivileged user could use this flaw to cause a denial of service.

Bug Fixes

BZ#816373

The qla2xxx driver handled interrupts for QLogic Fibre Channel adapters incorrectly due to a bug in a test condition for MSI-X support. This update corrects the bug and qla2xxx now handles interrupts as expected.

BZ#817571

A process scheduler did not handle RPC priority wait queues correctly. Consequently, the process scheduler failed to wake up all scheduled tasks as expected after RPC timeout, which caused the system to become unresponsive and could significantly decrease system performance. This update modifies the process scheduler to handle RPC priority wait queues as expected. All scheduled tasks are now properly woken up after RPC timeout and the system behaves as expected.

BZ#820358

The kernel version 2.6.18-308.4.1.el5 contained several bugs which led to an overrun of the NFS server page array. Consequently, any attempt to connect an NFS client running on Red Hat Enterprise Linux 5.8 to the NFS server running on the system with this kernel caused the NFS server to terminate unexpectedly and the kernel to panic. This update corrects the bugs causing NFS page array overruns and the kernel no longer crashes in this scenario.

BZ#824654

An insufficiently designed calculation in the CPU accelerator in the previous kernel caused an arithmetic overflow in the sched_clock() function when system uptime exceeded 208.5 days. This overflow led to a kernel panic on the systems using the Time Stamp Counter (TSC) or Virtual Machine Interface (VMI) clock source. This update corrects the calculation so that this arithmetic overflow and kernel panic can no longer occur under these circumstances.

Note: This advisory does not include a fix for this bug for the 32-bit architecture.

BZ#827205

Under memory pressure, memory pages that are still a part of a checkpointing transaction can be invalidated. However, when the pages were invalidated, the journal head was re-filed onto the transactions' "forget" list, which caused the current running transaction's block to be modified. As a result, block accounting was not properly performed on that modified block because it appeared to have already been modified due to the journal head being re-filed. This could trigger an assertion failure in the "journal_commit_transaction()" function on the system. The "b_modified" flag is now cleared before the journal head is filed onto any transaction; assertion failures no longer occur.

BZ#829059

When running more than 30 instances of the cclengine utility concurrently on IBM System z with IBM Communications Controller for Linux, the system could become unresponsive. This was caused by a missing wake_up() function call in the qeth_release_buffer() function in the QETH network device driver. This update adds the missing wake_up() function call and the system now responds as expected in this scenario.

BZ#832169

Recent changes removing support for the Flow Director from the ixgbe driver introduced bugs that caused the RSS (Receive Side Scaling) functionality to stop working correctly on Intel 82599EB 10 Gigabit Ethernet network devices. This update corrects the return code in the ixgbe_cache_ring_fdir function and setting of the registers that control the RSS redirection table. Also, obsolete code related to Flow Director support has been removed. The RSS functionality now works as expected on these devices.

CVE-2012-1583, Important

A flaw in the xfrm6_tunnel_rcv() function in the Linux kernel's IPv6 implementation could lead to a use-after-free or double free flaw in tunnel6_rcv(). A remote attacker could use this flaw to send specially-crafted packets to a target system that is using IPv6 and also has the xfrm6_tunnel kernel module loaded, causing it to crash.

If you do not run applications that use xfrm6_tunnel, you can prevent the xfrm6_tunnel module from being loaded by creating (as the root user) a "/etc/modprobe.d/xfrm6_tunnel.conf" file, and adding the following line to it:

blacklist xfrm6_tunnel

This way, the xfrm6_tunnel module cannot be loaded accidentally. A reboot is not necessary for this change to take effect.

CVE-2012-2136, Important

It was found that the data_len parameter of the sock_alloc_send_pskb() function in the Linux kernel's networking implementation was not validated before use. A local user with access to a TUN/TAP virtual interface could use this flaw to crash the system or, potentially, escalate their privileges. Note that unprivileged users cannot access TUN/TAP devices until the root user grants them access.

CVE-2012-0217, Important

It was found that the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level.

CVE-2012-2934, Moderate

It was found that guests could trigger a bug in earlier AMD CPUs, leading to a CPU hard lockup, when running on the Xen hypervisor implementation. An unprivileged user in a 64-bit para-virtualized guest could use this flaw to crash the host. Warning: After installing this update, hosts that are using an affected AMD CPU (refer to Red Hat Bugzilla bug #824966 for a list) will fail to boot. In order to boot such hosts, the new kernel parameter, allow_unsafe, can be used ("allow_unsafe=on"). This option should only be used with hosts that are running trusted guests, as setting it to "on" reintroduces the flaw (allowing guests to crash the host).

CVE-2012-2313, Low

A flaw was found in the way the Linux kernel's dl2k driver, used by certain D-Link Gigabit Ethernet adapters, restricted IOCTLs. A local, unprivileged user could use this flaw to issue potentially harmful IOCTLs, which could cause Ethernet adapters using the dl2k driver to malfunction (for example, losing network connectivity).

CVE-2012-3412, Important

A flaw was found in the way socket buffers (skb) requiring TSO (TCP segment offloading) were handled by the sfc driver. If the skb did not fit within the minimum-size of the transmission queue, the network card could repeatedly reset itself. A remote attacker could use this flaw to cause a denial of service.

CVE-2012-3510, Moderate

A use-after-free flaw was found in the xacct_add_tsk() function in the Linux kernel's taskstats subsystem. A local, unprivileged user could use this flaw to cause an information leak or a denial of service.

CVE-2012-2319, Low

A buffer overflow flaw was found in the hfs_bnode_read() function in the HFS Plus (HFS+) file system implementation in the Linux kernel. A local user able to mount a specially-crafted HFS+ file system image could use this flaw to cause a denial of service or escalate their privileges.

CVE-2012-3430, Low

A flaw was found in the way the msg_namelen variable in the rds_recvmsg() function of the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation was initialized. A local, unprivileged user could use this flaw to leak kernel stack memory to user-space.

BZ#846125

The cpuid_whitelist() function, masking the Enhanced Intel SpeedStep (EST) flag from all guests, prevented the "cpuspeed" service from working in the privileged Xen domain (dom0). CPU scaling was therefore not possible. With this update, cpuid_whitelist() is aware whether the domain executing CPUID is privileged or not, and enables the EST flag for dom0.

BZ#847326

If a delayed-allocation write was performed before quota was enabled, the kernel displayed the following warning message:

        WARNING: at fs/quota/dquot.c:988 dquot_claim_space+0x77/0x112()

This was because information about the delayed allocation was not recorded in the quota structure. With this update, writes prior to enabling quota are properly accounted for, and the message is not displayed.

BZ#847327

In Red Hat Enterprise Linux 5.9, the DSCP (Differentiated Services Code Point) netfilter module now supports mangling of the DSCP field.

BZ#847359

Some subsystems clear the TIF_SIGPENDING flag during error handling in fork() paths. Previously, if the flag was cleared, the ERESTARTNOINTR error code could be returned. The underlying source code has been modified so that the error code is no longer returned.

BZ#852448

An unnecessary check for the RXCW.CW bit could cause the Intel e1000e NIC (Network Interface Controller) to not work properly. The check has been removed so that the Intel e1000e NIC works as expected.

Security Fix

CVE-2012-2100, Low

It was found that the RHSA-2010:0178 update did not correctly fix the CVE-2009-4307 issue, a divide-by-zero flaw in the ext4 file system code. A local, unprivileged user with the ability to mount an ext4 file system could use this flaw to cause a denial of service.

CVE-2012-4508, Important

A race condition in the way asynchronous I/O and fallocate() interacted when using ext4 could allow a local, unprivileged user to obtain random data from a deleted file.

CVE-2012-5513, Important

A flaw in the way the Xen hypervisor implementation range checked guest provided addresses in the XENMEM_exchange hypercall could allow a malicious, para-virtualized guest administrator to crash the hypervisor or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level.

CVE-2012-2372, Moderate

A flaw in the Reliable Datagram Sockets (RDS) protocol implementation could allow a local, unprivileged user to cause a denial of service.

CVE-2012-3552, Moderate

A race condition in the way access to inet->opt ip_options was synchronized in the Linux kernel's TCP/IP protocol suite implementation. Depending on the network facing applications running on the system, a remote attacker could possibly trigger this flaw to cause a denial of service. A local, unprivileged user could use this flaw to cause a denial of service regardless of the applications the system runs.

CVE-2012-4535, Moderate

The Xen hypervisor implementation did not properly restrict the period values used to initialize per VCPU periodic timers. A privileged guest user could cause an infinite loop on the physical CPU. If the watchdog were enabled, it would detect said loop and panic the host system.

CVE-2012-4537, Moderate

A flaw in the way the Xen hypervisor implementation handled set_p2m_entry() error conditions could allow a privileged, fully-virtualized guest user to crash the hypervisor.

BZ#870118

Previously, the interrupt handlers of the qla2xxx driver could clear pending interrupts right after the IRQ lines were attached during system start-up. Consequently, the kernel could miss the interrupt that reported completion of the link initialization, and the qla2xxx driver then failed to detect all attached LUNs. With this update, the qla2xxx driver has been modified to no longer clear interrupt bits after attaching the IRQ lines. The driver now correctly detects all attached LUNs as expected.

BZ#877943

The Ethernet channel bonding driver reported the MII (Media Independent Interface) status of the bond interface in 802.3ad mode as being up even though the MII status of all of the slave devices was down. This could pose a problem if the MII status of the bond interface was used to determine if failover should occur. With this update, the agg_device_up() function has been added to the bonding driver, which allows the driver to report the link status of the bond interface correctly, that is, down when all of its slaves are down, in the 802.3ad mode.

BZ#870120

This update backports several changes from the latest upstream version of the bnx2x driver. The most important change, the remote-fault link detection feature, allows the driver to periodically scan the physical link layer for remote faults. If the physical link appears to be up and a fault is detected, the driver indicates that the link is down. When the fault is cleared, the driver indicates that the link is up again.

BZ#874973

The INET socket interface has been modified to send a warning message when the ip_options structure is allocated directly by a third-party module using the kmalloc() function.

BZ#822617

When one interface was used for a iSCSI boot environment while is other was used by kdump with the "net" option on, the ifconfig utility caused an error. Consequently, vmcore was not collected in a dump server that stores vmcore specified in the kdump.conf file. This bug has been fixed and a memory dump capture now succeeds by kdump in an iSCSI boot environment.

Bug Fixes

BZ#716340

Previously, kdump could become unresponsive if a disk name was changed. This could happen because the kdump initrd did not include irrelevant disk drivers that were used in the first kernel. Persistent disk names change in kdump presents considerable risk to Red Hat Enterprise Linux 5 stability. Therefore, this problem has been resolved by updating the kdump.conf file to recommend to use disk UUIDs or LABELs instead of disk names for file-system based dump targets.

BZ#716386

Previously, kdump did not verify whether the target raw dump device exists before attempting to dump a core file. Instead, kdump started to rebuild an initrd image directly, which resulted in a kdump failure. Furthermore, even though raw dump succeeded, kdump did not verify whether the vmcore file was saved and the core file could not be recovered. This update modifies the kdump init script to perform verification tests on the target device. Kdump now no longer rebuilds the initrd image if the target device does not exist and properly recovers a core file if the raw dump has succeeded.

BZ#752930

Kdump previously used an IP address as a part of the core dump directory name only for remote core dumps, which was confusing the users. With this update, kdump was modified to use the IP address of the loopback device (127.0.0.1) for local dumps so that the core dump directory name has the same form for both local and remote core dumps.

BZ#771829

Usually, when dumping a vmcore file over network, kdump has to bring up only one network interface card (NIC). However, when dumping to an iSCSI device, kdump may need to bring up multiple NICs. This functionality was not previously implemented in kdump and any dump attempt to the iSCSI device that required multiple NICs failed. With this update, kdump has been modified to be able to bring up multiple NICs if needed, and vmcore can now be successfully dumped on the iSCSI device.

BZ#788678

The mkdumprd utility did not detect the /var file system if it was mounted on a separate partition, which caused kdump to fail to dump a core file. This update modifies mkdumprd to detect the partition that contains the /var file system correctly. Kdump no longer fails in this scenario.

BZ#801496

When dumping a core file using ssh and the remote kdump user is configured to use restricted shell (rksh), the core dump attempt failed. This happened because kdump used the cat > command to store the vmcore file and the restricted shell forbids redirection. This update modifies kdump to use the dd command to save the vmcore file instead and dumping is now successful in this scenario.

BZ#802928

The mkdumprd utility did not correctly handled NICs if the NIC had the BOOTPROTO=none parameter configured in the ifcfg file. Consequently, kdump was not able to bring the NIC up and failed to dump a core file over network. This update corrects mkdumprd to recognize the BOOTPROTO=none parameter, and such NICs are now properly brought up when dumping a core file over network.

BZ#809983

Previously for ext2, ext3 and ext4 file systems, if the dump location was on different file system than was the root file system, the mkdumprd utility searched only for the ext4 kernel module. Consequently, kdump failed to recognize a file system and dump a core file. This update modifies mkdumprd to find proper kernel module also for ext2 and ext3 file systems and kdump works as expected in this scenario.

BZ#832017

Currently on Red Hat Enterprise Linux 5, the dd utility is the default core collector when dumping on a raw partition. However, the only core collector supported by kdump is the makedumpfile utility, which is not able to recognize vmcore files copied by dd. Previously, when the vmcore file was dumped on a raw partition, it was considered invalid and the core file recovery failed. With this update, mkdumprd has been modified to display a warning message when a different core collector than makedumpfile was used to compress the core file on the raw partition. The user has to recover the core dump manually.