Este contenido no está disponible en el idioma seleccionado.
Chapter 8. Bug fixes
This part describes bugs fixed in Red Hat Enterprise Linux 8.8 that have a significant impact on users.
8.1. Installer and image creation
Installer now lists all PPC PreP Boot
or BIOS Boot
partitions during custom partitioning
Previously, when adding multiple PPC PreP Boot
or BIOS Boot
partitions during custom partitioning, the Custom Partitioning screen displayed only one partition of a related type. As a consequence, the Custom Partitioning screen did not reflect the real state of the intended partitioning layout, making the partitioning process difficult and non-transparent.
With this update, the Custom Partitioning screen correctly displays all PPC PreP Boot
or BIOS Boot
partitions in the partitions list. As a result, users can now better understand and manage the intended partitioning layout.
The installer now adds configuration options correctly into the yum repo files
Previously, the installer did not add configuration options correctly into yum repo files while including and excluding packages from additional installation repositories. With this update, yum repo files are created correctly. As a result, using the --excludepkgs=
or --includepkgs=
options in the repo
kickstart command now excludes or includes the specified packages during installation as expected.
Using the filename
DHCP option no longer blocks downloading the kickstart
file for installation
Previously, when building a path for getting the kickstart file from an NFS server, the installer did not consider the filename
DHCP option. As a consequence, the installer did not download the kickstart file and was blocking the installation process. With this update, the filename
DHCP option correctly constructs a path to the kickstart file. As a result, the kickstart file is downloaded properly, and the installation process starts correctly.
The installer now creates a new GPT disk layout while custom partitioning
Previously, the installer did not change the disk layout to GPT when inst.gpt
was specified on the kernel command line, and the user removed all partitions from a disk with the MBR disk layout on the custom partitioning spoke. As a consequence, the MBR disk layout remained on the disk.
With this update, the installer creates a new GPT disk layout on the disk if inst.gpt
is specified on the kernel command line, and all partitions are removed from a disk on the custom partitioning spoke.
Bugzilla:2094977
The --size
parameter of the composer-cli compose start
command now treats its values as MiB
Previously, when using the composer-cli compose start --size size_value blueprint_name image_type
command, the composer-cli
tool treated the --size
parameter values as byte units. This update fixes the issue, and the --size
parameter values are now correctly used in the MiB format.
8.2. Software management
RPM no longer hangs during a transaction involving the fapolicyd
service restart
Previously, if you tried to update a package that caused the fapolicyd
service to be restarted, for example, systemd
, the RPM transaction stopped responding because the fapolicyd
plug-in failed to communicate with the fapolicyd
daemon.
With this update, the fapolicyd
plug-in now correctly communicates with the fapolicyd
daemon. As a result, RPM no longer hangs during a transaction which involves the fapolicyd
service restart.
Security YUM upgrade is now possible for packages that change their architecture through the upgrade
Patch for BZ#2088149 introduced with RHBA-2022:7711 caused a regression where YUM upgrade using security filters skipped packages that changed their architecture from or to noarch
through the upgrade. Consequently, the missing security upgrades for these packages could leave the system in a vulnerable state.
With this update, the issue has been fixed, and security YUM upgrade no longer skips packages that change architecture from or to noarch
.
Bugzilla:2124483
Reverting a YUM upgrade transaction is now possible for a package group or environment
Previously, the yum history rollback
command failed when attempting to revert an upgrade transaction for a package group or an environment.
With this update, the issue has been fixed, and you can now revert the YUM upgrade transaction for a package group or environment.
8.3. Shells and command-line tools
wsmancli
handles HTTP 401 Unauthorized statuses correctly
The wsmancli
utility for managing systems using Web Services Management protocol now handles authentication to better conform to RFC 2616.
Previously, when connecting to a service that requires authentication, the wsmancli
command returned the error message Authentication failed, please retry
immediately after receiving an HTTP 401 Unauthorized response, for example, because of incomplete credentials. To proceed, wsmancli
prompted you to provide both the username and the password, even in situations where you had already provided a part of your credentials.
With this update, wsmancli
requires only credentials that were not previously provided. As a result, the first authentication attempt does not display any error message. An error message is displayed only after you provide the complete credentials and authentication fails.
The translator.sty
LaTeX style document has been added
Previously, the translator.sty
LaTeX style document, which is necessary for certain tools that depend on texlive-beamer
, was missing. As a consequence, these tools failed with a LaTeX Error: File `translator.sty' not found.
error. This update adds the missing texlive-translator
package that contains the translator.sty
LaTeX style document. As a result, tools that depend on texlive-beamer
work correctly.
ReaR handles excluded DASDs on the IBM Z architecture correctly
Previously on the IBM Z architecture, ReaR reformatted all connected Direct Access Storage Devices (DASD) during the recovery process, including those DASDs that users excluded from the saved layout and did not intend to restore their content. As a consequence, if you excluded some DASDs from the saved layout, their data were lost during system recovery. With this update, ReaR no longer formats excluded DASDs during system recovery, including the device from which the ReaR rescue system was booted (using the zIPL bootloader). You are also prompted to confirm the DASD formatting script before ReaR reformats DASDs. This ensures that the data on excluded DASDs survive a system recovery.
ReaR no longer fails to restore non-LVM XFS filesystems
Previously, when you used ReaR to restore a non-LVM XFS filesystems with certain settings and disk mapping, ReaR created the file system with the default settings instead of the specified settings.
For example, if you had a file system with the sunit
and swidth
parameters set to non-zero values and you restored the file system using ReaR with disk mapping, the file system would be created with default sunit
and swidth
parameters ignoring the specified values.
As a consequence, ReaR failed during mounting the filesystem with specific XFS options. With this update, ReaR correctly restores the file system with the specified settings.
8.4. Infrastructure services
rsync
no longer fails while using regular expressions for extended attributes
Previously, the rsync
utility for transferring and synchronizing files was not able to handle extended attributes in RHEL 8 correctly. For example, if you passed the --delete
option together with the --filter '-x string.*'
option for extended attributes to the rsync
command, and a file on your system satisfied the regular expression, this resulted in an error message stating protocol incompatibilities. With this update, the rsync
utility handles extended attributes correctly and you can use regular expressions for these attributes.
8.5. Security
Scans and remediations correctly ignore SCAP Audit rules Audit key
Previously, Audit watch rules that were defined without an Audit key (-k
or -F
key) encountered the following problems:
- The rules were marked as non-compliant even if other parts of the rule were correct.
- Bash remediation fixed the path and permissions of the watch rule, but it did not add the Audit key correctly.
-
Remediation sometimes did not fix the missing key, returning an
error
instead of afixed
value.
This affected the following rules:
-
audit_rules_login_events
-
audit_rules_login_events_faillock
-
audit_rules_login_events_lastlog
-
audit_rules_login_events_tallylog
-
audit_rules_usergroup_modification
-
audit_rules_usergroup_modification_group
-
audit_rules_usergroup_modification_gshadow
-
audit_rules_usergroup_modification_opasswd
-
audit_rules_usergroup_modification_passwd
-
audit_rules_usergroup_modification_shadow
-
audit_rules_time_watch_localtime
-
audit_rules_mac_modification
-
audit_rules_networkconfig_modification
-
audit_rules_sysadmin_actions
-
audit_rules_session_events
-
audit_rules_sudoers
-
audit_rules_sudoers_d
With this update, the Audit key has been removed from checks and from Bash and Ansible remediations. As a result, inconsistencies caused by the key field during checking and remediating no longer occur, and auditors can choose these keys arbitrarily to make searching Audit logs easier.
crypto-policies
no longer creates unnecessary symlink
During system installation, the crypto-policies
scriptlet creates symlinks from the /usr/share/crypto-policies/DEFAULT
file or /usr/share/crypto-policies/FIPS
in FIPS mode and saves them in the /etc/crypto-policies/back-ends
directory. Previously, crypto-policies
incorrectly included directories, and created a /etc/crypto-policies/back-ends/.config
symlink that pointed to the /usr/share/crypto-policies/DEFAULT
or /usr/share/crypto-policies/FIPS
directories. With this update, crypto-policies
does not create symlinks from directories, and therefore does not create this unnecessary symlink.
crypto-policies
now disable NSEC3DSA
for BIND
Previously, the system-wide cryptographic policies did not control the NSEC3DSA
algorithm in the BIND configuration. Consequently, NSEC3DSA
, which does not meet current security requirements, was not disabled on DNS servers. With this update, all cryptographic policies disable NSEC3DSA
in the BIND configuration by default.
Libreswan no longer rejects SHA-1 signature verification in the FUTURE
and FIPS
cryptographic policies
Previously, from update to 4.9, Libreswan rejected SHA-1 signature verification in the FUTURE
and FIPS
cryptographic policies, and peer authentication failed when authby=rsasig
or authby=rsa-sha1
connection options were used. This update reverts this behavior by relaxing how Libreswan handles the crypto-policies
settings. As a consequence, you can now use the authby=rsasig
and authby=rsa-sha1
connection options using SHA-1 signature verification.
crontab
bash scripts no longer execute in incorrect context
Previously, a bug fix published in erratum RHBA-2022:7691 used too general transition rule. Consequently, a bash script executed from the crontab
file was executed in the rpm_script_t
context instead of the system_cronjob_t
context. With this update, bash scripts are now executed in the correct context.
selinux-policy
supports service execution in SAP Host Agent
Previously, the SELinux policy did not support the insights-client
service interacting with SAP Host Agent and other services. As a consequence, some commands did not work correctly when started from Red Hat Insights. With this update, the SELinux policy supports SAP service execution. As a result, SAP services started from Insights run successfully.
selinux-policy
now allows pmcd
to execute its private memfd:
objects
Previously, the SELinux policy did not allow the pmcd
process from the Performance Co-Pilot (PCP) framework to execute its private memory file-system objects (memfd:
). Consequently, SELinux denied the Performance Metric Domain Agent (PMDA) BPF Compiler Collection (BCC) service to execute memfd:
objects. In this update, the SELinux policy contains new rules for pcmd
. As a result, pmcd
can now execute memfd:
objects with SELinux in enforcing mode.
SELinux policy allows sysadm_r
to use subscription-manager
Previously, users in the sysadm_r
SELinux role were not allowed to execute some subcommands of the subscription-manager
utility. Consequently, the subcommands failed to read the memory device. This update adds a new rule to the SELinux policy that allows the sysadm_t type
to read /dev/mem
. As a consequence, the subscription-manager
subcommands do not fail.
samba-dcerpcd
process now works correctly with nscd
Previously, the samba-dcerpcd
process could not communicate with the nscd
process because of the SELinux policy. Consequently, the samba-dcerpcd
service did not work properly when the nscd
service was enabled. With this update, the SELinux policy has been updated with new rules for samba-dcerpcd
.
vlock
now works properly for confined users
Previously, the confined user could not use vlock
due to SELinux policy. Consequently, the vlock
command did not work properly for confined users. With this update, the SELinux policy has been updated with new rules for confined users.
Confined users now can log in without a reported denial
Previously, SELinux policy did not allow all permissions needed to log in a SELinux confined user using GUI. Consequently, AVC denials were audited and some services like dbus
or pulseaudio
did not work properly. With this update, the SELinux policy has been updated with new rules for confined users.
insights-client
now has additional permissions in the SELinux policy
The updated insights-client
service requires additional permissions, which were not included in the previous versions of the selinux-policy
packages. As a consequence, certain components of insights-client
did not work correctly with SELinux in enforcing mode, and the system reported access vector cache (AVC) error messages. This update adds the missing permissions to the SELinux policy. As a result, insights-client
now works correctly without reporting AVC errors.
The SELinux policy allows smb
access to user shares
Previously, the samba-dcerpcd
process was separated from the smb
service, but did not have access to user shares. As a consequence, smb
clients could not access files on user smb
shares. This update adds rules to the SELinux policy for managing user home content for the samba-dcerpcd
binary when the samba_enable_home_dirs
boolean is enabled. As a result, samba-dcerpcd
can access user shares when samba_enable_home_dirs
is on.
The SELinux policy now allows confined administrators to access ipmi
devices when IPMItool runs
Previously, the SELinux policy did not allow confined administrators to read and write ipmi
devices when the IPMItool utility is run. As a consequence, when a confined administrator ran ipmitool
, it failed. This update adds allow rules to selinux-policy
for administrators assigned to the sysadm_r
SELinux role. As a result, if a confined administrator runs ipmitool
it works correctly.
SCAP Security Guide rule file_permissions_sshd_private_key
is aligned with STIG configuration RHEL-08-010490
Previously, the implementation of rule file_permissions_sshd_private_key
allowed private SSH keys to be readable by the ssh_keys
group with mode 0644
, while DISA STIG version RHEL-08-010490 required private SSH keys to have mode 0600
. As a consequence, evaluation with DISA’s automated STIG benchmark failed for configuration RHEL-08-010490.
For this update, we worked with DISA to align the expected permissions for private SSH keys, and now private keys are expected to have mode 0644
or less permissive. As a result, the rule file_permissions_sshd_private_key
and configuration RHEL-08-010490 are now aligned.
The sudo_require_reauthentication
SCAP Security Guide rule accepts correct spacing in sudoers
Previously, a bug in the checking of the xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
rule caused it to require specific spacing between the timestamp_timeout
key and its value in the /etc/sudoers
file and the /etc/sudoers.d
directory. Consequently, valid and compliant syntax caused the rule to fail incorrectly. With this update, the check for xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
has been updated to accept blank spaces around the equal sign. As a result, the rule accepts correct and compliant definitions of timestamp_timeout
with any of the following spacing formats:
-
Defaults timestamp_timeout = 5
-
Defaults timestamp_timeout= 5
-
Defaults timestamp_timeout =5
-
Defaults timestamp_timeout=5
Old Kerberos rules changed to notapplicable
in new versions of RHEL
Previously, some Kerberos-related rules failed while scanning against the DISA STIG profile on RHEL 8.8 and later systems in FIPS mode, even though the system should have been compliant. This was caused by the following rules:
-
xccdf_org.ssgproject.content_rule_package_krb5-server_removed
-
xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed
-
xccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab
This update makes these rules not applicable for RHEL versions 8.8 and later. As a result, the scan correctly returns the notapplicable
result for these rules.
scap-security-guide
STIG profiles no longer require specific text in /etc/audit/rules.d/11-loginuid.rules
Previously, the SCAP rule audit_immutable_login_uids
used in RHEL 8 profiles stig
and stig_gui
passed only if file /etc/audit/rules.d/11-loginuid.rules
contained exact text. This is, however, not necessary to fulfill the STIG requirement (RHEL-08-030122). With this update, the new rule audit_rules_immutable_login_uids
replaces audit_immutable_login_uids
in RHEL 8 stig
and stig_gui
profiles. As a result, you can now specify the --loginuid-immutable
parameter that fulfills the rule in any file with the .rules
extension within the /etc/audit/rules.d
directory or in the /etc/audit/audit.rules
file, depending on usage of auditctl
or augen-rules
.
Rules for CIS profiles in scap-security-guide
are better aligned
Previously, some rules were incorrectly assigned to certain Center for Internet Security (CIS) profiles (cis
, cis_server_l1
, cis_workstation_1
, and cis_workstation_l2
). As a consequence, scanning according to some CIS profiles could skip rules from the CIS benchmark or check for unnecessary rules.
The following rules were assigned to incorrect profiles:
-
Rules
kernel_module_udf_disabled
,sudo_require_authentication
andkernel_module_squashfs_disabled
were incorrectly placed in CIS Server Level 1 and CIS Workstation Level 1. -
Rules
package_libselinux_installed
,grub2_enable_selinux
,selinux_policytype
,selinux_confinement_of_daemons
,rsyslog_nolisten
,service_systemd-journald_enabled
were missing from CIS Server Level 1 and CIS Workstation Level 1 profiles. -
Rules
package_setroubleshoot_removed
andpackage_mcstrans_removed
were missing from the CIS Server Level 1 profile.
This update assigns the misaligned rules to the correct CIS profiles, but does not introduce new rules or entirely removes any rules. As a result, SCAP CIS profiles are better aligned with the original CIS benchmark.
Clevis ignores commented devices in crypttab
Previously, Clevis tried to unlock commented devices in the crypttab
file, causing the clevis-luks-askpass
service to run even if the device was not valid. This caused unnecessary service runs and made it difficult to troubleshoot.
With this fix, Clevis ignores commented devices. Now, if an invalid device is commented, Clevis does not attempt to unlock it and clevis-luks-askpass.service
finishes appropriately. This makes it easier to troubleshoot and reduces unnecessary service runs.
Clevis no longer requests too much entropy from pwmake
Previously, the pwmake
password generation utility displayed unwanted warnings when Clevis used pwmake
to create passwords for storing data in LUKS
metadata, which caused Clevis to use lower entropy. With this update, Clevis is limited to 256 entropy bits provided to pwmake
, which eliminates an unwanted warning and uses the correct amount of entropy.
logrotate
no longer incorrectly signals Rsyslog in log rotation
Previously, the argument order was incorrectly set in the logrotate
script, which caused a syntax error. This resulted in logrotate
not correctly signaling Rsyslog during log rotation.
With this update, the order of the arguments in logrotate
is fixed and logrotate
signals Rsyslog correctly after log rotation even when the POSIXLY_CORRECT
environment variable is set.
Rsyslog no longer crashes due to a bug in imklog
Previously, Rsyslog could encounter a segmentation fault if the imklog
module was enabled and a free()
call using an invalid object was freed during use. With this update, the freed object is correctly deallocated at the correct place. As a result, the segmentation fault no longer occurs.
USBGuard no longer causes a confusing warning
Previously, a race condition could happen in USBGuard when a parent process finished sooner than the first child process. As a consequence, systemd
reported that a process was present with a wrongly identified parent PID (PPID). With this update, a parent process waits for the first child process to finish in working mode. As a result, systemd
no longer reports such warnings.
The usbguard
service file did not define OOMScore
Previously, the usbguard
service file did not define the OOMScoreAdjust
option. Consequently, the process could be identified as a candidate for killing before unprivileged processes when the system resources are closed to running out. With this update, the new OOMScoreAdjust
setting was introduced to the usbguard.service
file, to disable OOM killing processes of the usbguard unit.
USBGuard saves rules even if RuleFile is not defined
Previously, if the RuleFile
configuration directive in USBGuard was set but RuleFolder
was not, the rule set could not be changed. With this update, you can now change the rule set even if RuleFolder is set but RuleFile is not. As a result, you can modify the permanent policy in USBGuard to permanently save newly added rules.
8.6. Networking
xdp-tools rebased to version 1.2.10
The xdp-tools
packages have been upgraded to upstream version 1.2.10, which provides a number of bug fixes over the previous version.
conntrackd
functions properly even if HashSize
and HashLimit
are not set manually
Previously, the conntrackd
service did not set default values for the HashSize
and HashLimit
configuration variables. Consequently, conntrackd
could become unstable or stop functioning entirely if you did not specify those values. The problem has been fixed by making the configuration reader set the default values for HashSize
and HashLimit
before conntrackd
parses the configuration file. As a result, conntrackd
now functions correctly even if you do not specify the values.
The nm-cloud-setup
service no longer removes routes and manually-configured secondary IP addresses from interfaces
Based on the information received from the cloud environment, the nm-cloud-setup
service configures network interfaces. Previously, administrators had to disable nm-cloud-setup
to manually configure routes and secondary IP addresses on interfaces to avoid that the service removes them. This update adds a flag to the Reapply()
function to preserve externally added addresses and routes. As a result, administrators no longer need to disable the nm-cloud-setup
service in the mentioned scenario.
8.7. Kernel
kpatch-patch
works correctly on systems with an idle isolated CPU
Previously, when you attempted to install kpatch-patch
CVE mitigation packages on systems with the kernel CPU isolation feature, the kpatch-patch
RPMs did install, but failed to load their CVE mitigation kernel module. With this fix, the two features co-exist, and you can now successfully deploy kpatch
CVE fixes when CPU isolation is in place.
Bugzilla:2134931
Enabling VMD works again
Previously, the operating system would fail to boot if Volume Management Device (VMD) was enabled. This update provides numerous bug fixes essential for VMD to work as expected.
Bugzilla:2127028
8.8. File systems and storage
System works correctly without the soft lockup while starting a VDO volume
Due to fixing a Kernel Application Binary Interface (kABI) bug in the pv_mmu_ops
structure, RHEL 8.7 systems with kernel version 4.18.0-425.10.1.el8_7
, that is RHEL-8.7.0.2-BaseOS, hung or encountered a kernel panic due to soft lockup while starting a Virtual Data Optimizer (VDO) volume.
With this update, the kmod-kvdo
package was rebuilt any time a new kernel was available that is no longer kABI compatible with the current version of kmod-kvdo
. As a result, the system works correctly while starting a VDO volume.
VDO driver bug no longer causing device freezes through journal blocks
Previously, a bug in the VDO driver caused the system to mark some journal blocks as waiting for metadata updates. This problem was triggered when increasing the size of the VDO pool or the logical volume on top of it, or when using the pvmove
and lvchange
operations on LVM tools managed VDO devices. The bug was caused by incomplete resets that left some journal pages unavailable for use, and an incorrect notion of how many slots in the recovery journal were available to be filled. As a result, the device would freeze.
This issue has now been fixed with the latest version of the kernel modules for the virtual data optimizer kmod-kvdo-6.2.8.1-87.el8. Currently, all incomplete metadata blocks are saved in each section of the code in phases, while also updating in-memory data structures and resetting state on resume if needed. With this fix, users should no longer experience device freezes due to this issue.
8.9. High availability and clusters
pcs
no longer allows you to modify cluster properties that should not be changed
Previously, the pcs
command line interface allowed you to modify cluster properties that should not be changed or for which change does not take effect. With this fix, pcs
no longer allows you to modify these cluster properties: cluster-infrastructure
, cluster-name
, dc-version
, have-watchdog
, and last-lrm-refresh
.
pcs
now displays cluster properties that are not explicitly configured
Previously, a pcs
command to display the value of a specific cluster property did not list values that are not explicitly configured in the CIB. With this fix, if a cluster property is not set pcs
displays the default value for the property.
Cluster resources that call crm_mon
now stop cleanly at shutdown
Previously, the crm_mon
utility returned a nonzero exit status while Pacemaker was in the process of shutting down. Resource agents that called crm_mon
in their monitor action, such as ocf:heartbeat:pqsql
, could incorrectly return a failure at cluster shutdown. With this fix, crm_mon
returns success even if the cluster is in the process of shutting down. Resources that call crm_mon
now stop cleanly at cluster shutdown.
OCF resource agent metadata actions can now call crm_node
without causing unexpected fencing
As of RHEL 8.5, OCF resource agent metadata actions blocked the controller and crm_node
queries performed controller requests. As a result, if an agent’s metadata action called crm_node
, it blocked the controller for 30 seconds until the action timed out. This could cause other actions to fail and the node to be fenced.
With this fix, the controller now performs metadata actions asynchronously. An OCF resource agent metadata action can now call crm_node
without issue.
Enabling a single resource and monitoring operation no longer enables monitoring operations for all resources in a resource group
Previously, after unmanaging all resources and monitoring operations in a resource group, managing one of the resources in that group along with its monitoring operation re-enabled the monitoring operations for all resources in the resource group. This could trigger unexpected cluster behavior.
With this fix, managing a resource and re-enabling its monitoring operation re-enables the monitoring operation for that resource only and not for the other resources in a resource group.
Pacemaker now rechecks resource assignments immediately when resource order changes
As of RHEL 8.7, Pacemaker did not recheck resource assignments when the order of resources in the CIB changed with no changes to the resource definition. If configuration reordering would cause resources to move, that would not take place until the next natural transition, up to the value of cluster-recheck-interval-property
. This could cause issues if resource stickiness is not configured for a resource.
With this change, Pacemaker rechecks resource assignments when the order of the resources in the CIB changes, as it did for earlier Pacemaker releases. The cluster now responds immediately to these changes, if needed.
8.10. Compilers and development tools
You can install SciPy using pip
on all architectures
Previously, the openblas-devel
package did not contain a pkg-config file for the OpenBLAS library. As a consequence, in certain scenarios, it was impossible to determine the compiler and linker flags using the pkgconf
utility while compiling with OpenBLAS. For example, this caused a failure of the pip install scipy
command on the 64-bit IBM Z and IBM Power Systems, Little Endian architectures.
This update adds the openblas.pc
file to the openblas-devel
package on all supported architectures. As a result, you can install the SciPy library using the pip
package installer.
Bugzilla:2115722
Functions in go
no longer cause memory leak
Previously, the EVP_PKEY_sign_raw
and EVP_PKEY_verify_raw
functions did not call free to clean the memory. Consequently, the memory leaked and has not been recovered. With this updated, the EVP_PKEY_sign_raw
and EVP_PKEY_verify_raw
functions now call free and memory is not leaking.
Bugzilla:2132767
golang
now supports 4096 bit keys in x509 FIPS mode
Previously, golang
did not support the 4096 bit keys in x509 FIPS mode. Consequently, when the user used 4096 bit keys the program crashed. With this update, golang
now supports 4096 bit keys in x509 FIPS mode.
libffi
can now probe for executable memory with SELinux enabled
By default, libffi
does not probe for executable memory when SELinux is enabled. As a consequence, programs which use libffi
closures and fork()
without immediately executing some other processes terminate unexpectedly when SELinux is enabled. With this update, libffi
looks for a /etc/sysconfig/libffi-force-shared-memory-check-first
file and, if it exists, probes for executable memory regardless of if SELinux is enabled. As a result, programs using libffi
can safely fork()
without crashing with SELinux enabled.
Implemented big endian support in OpenSSL
bindings for golang
Previously, the OpenSSL
bindings for golang
did not have support for big-endian, leading to potential issues with the conversion of BigInt
values. As a result, the crypto routines were unable to perform this conversion. To fix this issue, big-endian support was implemented in the OpenSSL
bindings for golang
. As a result, conversions from BigInt
are now successful, and the tests pass as expected.
8.11. Identity Management
Authentication to external IdPs that require a client secret is now possible
Previously, SSSD did not properly pass client secrets to external identity providers (IdPs). Consequently, authentication failed against external IdPs that you previously configured with the ipa idp-add --secret
command to require a client secret. With this update, SSSD passes the client secret to the IdP and users can authenticate.
Jira:RHELPLAN-148303
IdM now supports setting hostmasks for sudo
rules using Ansible
Previously, the ipa sudorule-add-host
command allowed setting a hostmask to be used by the sudo
rule, but this option was not present in the ansible-freeipa
package. With this update, you can now use the ansible-freeipa
hostmask
variable to define a list of hostmasks to which a particular sudo
rule, defined in Identity Management (IdM), applies.
As a result, you can now automate setting host masks for IdM sudo
rules with Ansible.
The scheduled time of the changelog compaction now works correctly
Previously, when you configured a custom scheduled time for the changelog compaction, the server did not apply the new setting, and the changelog compaction could start during peak times. With this release, the server now correctly applies the custom time of the changelog compaction.
IdM clients correctly retrieve information for trusted AD users when their names contain mixed case characters
Previously, if you attempted a user lookup or authentication of a user, and that trusted Active Directory (AD) user contained mixed case characters in their names and they were configured with overrides in IdM, an error was returned preventing users from accessing IdM resources.
With the release of RHBA-2023:4525, a case-sensitive comparison is replaced with a case-insensitive comparison that ignores the case of a character. As a result, IdM clients can now lookup users of an AD trusted domain, even if their usernames contain mixed case characters and they are configured with overrides in IdM.
Jira:SSSD-6096
8.12. Graphics infrastructure
Matrox G200e now works correctly with a VGA display
Previously, your display might have shown no graphical output if you used the following system configuration:
- The Matrox G200e GPU
- A display connected over the VGA controller
As a consequence, you could not use or install RHEL on this configuration.
With this release, the problem has been fixed. As a result, RHEL boots and shows graphical output as expected.
Bugzilla:2130159
8.13. The web console
The web console NBDE binding steps now work also on volume groups with a root file system
In RHEL 8.8.0, due to a bug in the code for determining whether or not the user was adding a Tang key to the root file system, the binding process in the web console crashed when there was no file system on the LUKS container at all. Because the web console displayed the error message TypeError: Qe(…) is undefined
after you had clicked the Trust key
button in the Verify key
dialog, you had to perform all the required steps in the command-line interface in the described scenario.
With the release of the RHBA-2023:3829 advisory, the web console correctly handles additions of Tang keys to root file systems. As a result, the web console finishes all binding steps required for the automated unlocking of LUKS-encrypted volumes using Network-Bound Disk Encryption (NBDE) in various scenarios.
8.14. Red Hat Enterprise Linux system roles
The nbde_client
system role now correctly handles different names of clevis-luks-askpass
The nbde_client
system role has been updated to handle the systems on which the clevis-luks-askpass
systemd
unit has a different name. The role now correctly works with different names of clevis-luks-askpass
on managed nodes, which requires unlocking also LUKS-encrypted volumes that mount late in the boot process.
The ha_cluster
system role logs no longer display unencrypted passwords and secrets
The ha_cluster
system role accepts parameters that can be passwords or other secrets. Previously, some of the tasks would log their inputs and outputs. As a result, the role logs could contain unencrypted passwords and other secrets.
With this update, the tasks have been changed to use the Ansible no_log: true
directive and the task output is no longer displayed in the role logs. The ha_cluster
system role logs no longer contain passwords and other secrets. While this update protects secure information, the role logs now provide less information that you can use when debugging your configuration.
Clusters configured with ha_cluster
system role to use SBD and not start on boot now work correctly
Previously, if a user configured a cluster using the ha_cluster
system role to use SBD and not start on boot, then the SBD service was disabled and SBD did not start. With this fix, the SBD service is always enabled if a cluster is set to use SBD whether or not the cluster is configured to start on boot.
Setting stonith-watchdog-timeout
property with the ha_cluster
system role now works in a stopped cluster
Previously, when you set the stonith-watchdog-timeout
property with the ha_cluster
system role in a stopped cluster, the property reverted to its previous value and the role failed. With this fix, configuring the stonith-watchdog-timeout
property by using the ha_cluster
system role works properly.
Enabling implicit files provider to fix rhel-system-roles
SSSD configuration
A disabled SSSD implicit files provider caused the rhel-system-roles
modules to create an invalid System Security Services Daemon (SSSD) configuration. This update unconditionally enables the files provider and as a result, the SSSD configuration created by rhel-system-roles
now works as expected.
Network traffic is now directed through the intended network interface when using initscripts
with the networking
RHEL system role
Previously, when using the initscripts
provider, the routing configuration for network connections did not specify the output device that the traffic should go through. Consequently, the kernel could use a different output device than the user intended. Now, if the network interface name is specified in the playbook for the connection, it is used as the output device in the route configuration file. This aligns the behavior with NetworkManager, which configures the output device in routes when activating profiles on devices. As a result, the users can ensure that the traffic is directed through the intended network interface.
The nbde_client_clevis
role no longer reports traceback to users
Previously, the nbde_client_clevis
role sometimes failed in exception, causing a traceback and reporting sensitive data, such as the encryption_password
field, back to the user. With this update, the role no longer reports sensitive data, only the appropriate error messages.
Bugzilla:2162782
8.15. Virtualization
System time on nested VMs now works reliably
Previously, system time on nested virtual machines (VMs) in some cases desynchronised from the Level 0 and level 1 hosts. This also sometimes caused the nested VM to become unresponsive or terminate unexpectedly.
With this update, the time handling code in the KVM host kernel code has been fixed, which prevents the described errors from occurring.
Bugzilla:2151854
Network traffic performance in virtual machines is no longer reduced
Previously, RHEL virtual machines had, in some cases, decreased performance when handling high levels of network traffic. The underlying code has been fixed and the network traffic performance is not affected anymore.
Bugzilla:2069047
Virtual machines using memfd
run as expected
Previously, virtual machines (VMs) running on the 64-bit IBM Z processor architecture that used memfd
to back memory with hugepages failed to run. With this update, the problem has been fixed and VMs using memfd
can now be defined on the 64-bit IBM Z processor architecture. As a result, you can now run VMs which use memfd
to back the memory with hugepages.
System time in VMs now synchronizes correctly with the host
Previously, the KVM module performed the real-time clock (RTC) synchronization less frequently than intended. As a consequence, the system time in VMs hosted on RHEL 8 sometimes did not correctly reflect the system time on the host. This update fixes the RTC scheduling in KVM, which prevents the described problem from occurring.
Bugzilla:2135417