Chapter 12. Fixed issues


Review issues that have been fixed in Red Hat Enterprise Linux 10.2.

12.1. Installer and image creation

Review issues that have been fixed for installer and image creation in Red Hat Enterprise Linux 10.2.

Root passwords are correctly set in ISO images

Before this update, the blueprint incorrectly used the user command to configure the root password for ISO images. As a consequence, the root password was not set, preventing users from logging in. With this release, the root password is correctly applied for the root user during the ISO image build process, enabling successful system access.

Jira:RHEL-4644

Installer falls back to English in text mode for unsupported languages

Before this release, the installer did not set the display mode (text, graphical, or non-interactive) early enough during startup. As a result, the check to determine whether a selected language is supported in text mode did not run. In text mode installations, languages that are not supported in the text user interface, such as Japanese, could be used, resulting in unreadable output.

With this fix, the installer correctly detects languages that are not supported in the text mode. If an unsupported language is selected, the text user interface falls back to English. The installed system is still configured to use the originally selected language.

Jira:RHEL-16168

The driver disk menu now correctly displays user input on the console

Before this release, when starting a RHEL installation with the inst.dd kernel command-line option, the console failed to render characters typed by the user. As a consequence, the lack of visual feedback made the application appear unresponsive, even though the input was still being processed in the background. With this update, this display issue has been resolved, and user input is now visible as expected during the driver disk selection process.

Jira:RHEL-58828

Anaconda installation program no longer fails if /boot partition is not created when using the ostreecontainer Kickstart command

Before this update, while using the ostreecontainer Kickstart command to install a bootable container, the /boot partition was not created. As a consequence, the installation failed because it required a dedicated /boot partition to proceed with the container deployment.

With this update, you can use Anaconda to install a bootable container image without having a separate /boot partition.

Jira:RHEL-66155

Rescue mode in Anaconda now correctly detects and mounts image-based systems

Before this release, the rescue scanner failed to identify image-based installations due to their unique filesystem hierarchy. The environment now automatically mounts the system under the /mnt/sysroot mount point and provides the specific chroot command required to access the active deployment. As the image-based systems are immutable, manual changes should be limited to /etc or /var.

Jira:RHEL-135116

12.2. Security

Review issues that have been fixed for security in Red Hat Enterprise Linux 10.2.

AIDE no longer terminates when a monitored file is changed

Before this update, AIDE terminated with an error if a file was truncated or removed while AIDE was computing its hash. With this update, AIDE detects when a file is truncated or deleted during hash calculation and handles the condition safely. As a result, AIDE successfully completes integrity checks even if a monitored file changes size or is removed during processing.

Jira:RHEL-1383

fapolicyd-cli --check-trustdb no longer reports files without size or checksum information

Some files, for example, /usr/lib/rpm/redhat/redhat-annobin-cc1 or /etc/selinux/targeted/policy/policy.33, owned by an RPM package, are expected to be changed during and after the installation, but they are still owned by the corresponding package. Consequently, fapolicyd cannot verify such files. With this release, the fapolicyd framework no longer adds files that do not have size or checksum information in the RPM database to the trust database. As a result, the fapolicyd-cli --check-trustdb command does not report the miscompares: size sha256 error message for such files.

Jira:RHEL-94786

Remote serving of PKCS #11 tokens is no longer broken in p11-kit

Before this update of the p11-kit packages, a zero-length recursive attribute array was improperly read in the remote procedure call (RPC) mechanism. Consequently, remote serving of PKCS #11 tokens broke due to a communication error. This update fixes the reading of zero-length attribute arrays. As a result, a p11-kit server can remotely serve PKCS #11 tokens.

Jira:RHEL-97770[1]

NSS database password updates no longer corrupt ML-DSA seeds

Before this update, a bug in how NSS handled database re-encryption prevented the ML-DSA seed attribute from updating when you changed the database password. As a result, the seed value was permanently lost, even if you knew the previous password.

With this update, password changes correctly update the ML-DSA seed attribute and no longer cause the permanent loss of seed values. Previously lost seeds cannot be recovered.

Jira:RHEL-114443

Keylime agent no longer fails to enroll with non-RSA certificates

Before this update, the Keylime agent used a single key for both the TLS identity and the payload encryption. As a consequence, when you configured the agent to use a certificate other than RSA, it attempted to use the same key for the payload mechanism and the enrollment process failed.

With this release, the agent relies on two separate keys. As a result, the mutual TLS (mTLS) identity can use alternative cryptographic schemes, and the Keylime agent successfully enrolls with Elliptic Curve Cryptography (ECC) certificates. The payload encryption mechanism still requires a dedicated RSA key pair.

Jira:RHEL-117122

Keylime agents correctly generate TPM quotes by using ECC keys

Before this update, when generating signed Trusted Platform Module (TPM) quotes, the keylime-agent-rust component did not properly support Elliptic Curve Cryptography (ECC) key algorithms. This prevented the agent from generating TPM quote evidence and caused enrollment failures for the ECC key types.

With this update, the keylime-agent-rust component correctly handles ECC key algorithms during TPM quote generation. As a result, agents can successfully generate TPM quotes and enroll with the verifier to provide full attestation functionality with ECC keys generated by the TPM.

Jira:RHEL-117441

Keylime verifier correctly validates TPM quotes signed with ECC keys

Before this update, when verifying signed Trusted Platform Module (TPM) quotes from agents, the Keylime verifier component did not properly support Elliptic Curve Cryptography (ECC) key algorithms. This caused attestation failures when agents used the ECC key types ecc521, ecc384, ecc256, ecc224, or ecc192.

With this update, the verifier correctly handles and verifies TPM quotes signed with ECC keys. As a result, Keylime provides full attestation functionality for these algorithms.

Jira:RHEL-117442

The scp utility correctly handles relative paths containing ..

Before this update, the scp utility did not expand the .. parent directory indicator in a path to the directory name. Consequently, scp incorrectly handled relative paths containing the .. indicator. This update adds special handling for parent directory indicators. As a result, scp now processes paths containing .. correctly.

Jira:RHEL-118406

keylime-policy no longer fails to process remote RPM repositories

Before this update, the keylime-policy command failed to close file handles during the analysis of remote RPM repositories, which caused file descriptor leaks. As a consequence, when you used the --remote-rpm-repo option to generate a runtime policy, keylime-policy failed with a Too many open files error. With this update, the command properly closes file handles for all repository metadata and package files and does not exceed the system file descriptor limit.

As a result, keylime-policy successfully generates runtime policies from remote RPM repositories.

Jira:RHEL-119028[1]

Restored certificate bundles in /etc/pki/tls and /etc/ssl

Before this update, certificate bundles were removed from /etc/pki/tls and /etc/ssl as part of the transition to the directory-hash format. Consequently, applications relying on these bundles failed to establish secure connections.

With this update, Red Hat restored the certificate bundles and moved the directory-hash format to RHEL-11. Affected applications can now establish secure connections as before. For the RHEL-11 transition guide, see Dropping of cert.pem file.

Jira:RHEL-120696[1]

The keylime-policy command correctly handles the --ima-measurement-list option

Before this update, if you did not specify a file path for the --ima-measurement-list option, the keylime-policy command did not properly set the default value. This error blocked other options, such as --keyrings, and keylime-policy failed to create the runtime policy.

With this update, the keylime-policy command uses the default path, /sys/kernel/security/ima/ascii_runtime_measurements, when you do not provide a specific value for the --ima-measurement-list option. As a result, keylime-policy successfully creates the runtime policy.

Jira:RHEL-130158

rust-rpm-sequoia correctly requires OpenSSL 3.5 as a dependency

The rust-rpm-sequoia package requires the openssl packages in version 3.5, but this was not reflected in the RPM dependency chain. Consequently, you were able to install rust-rpm-sequoia without OpenSSL 3.5, but the RPM package management tool subsequently stopped working. With this update, the explicit dependency on OpenSSL 3.5 has been added. As a result, you cannot install rust-rpm-sequoia without the required OpenSSL version, which prevents the RPM tool from failing.

Jira:RHEL-130960

/usr/share/*/bin/* binaries work with fapolicyd

Before this update, the fapolicyd service did not add binaries from /usr/share/*/bin/ directories to the trust database. For example, the /usr/share/Modules/bin/mkroot binary was not added. Consequently, users could not run these binaries when using the trust=1 option in fapolicyd rules. With this fix, the fapolicyd-filter.conf file contains */bin/*. As a result, you can run binaries from /usr/share/*/bin/ with the fapolicyd service active.

Jira:RHEL-131723

Clevis handles migrations to image mode correctly

Before this update, user and group membership updates from package installations were not properly applied when migrating from package mode to image mode. Consequently, the clevis user was not added to the tss security group, preventing Clevis from accessing a trusted platform module (TPM) device and retrieving encryption keys during system boot. With this update, the Clevis package installation process is updated to ensure that the clevis user is properly added to the tss group during image mode updates, even when existing configuration files are preserved. As a result, Clevis can properly access the TPM device and successfully retrieve an encryption key on systems in image mode.

Jira:RHEL-132188

clevis-pin-tpm2 no longer silently ignores invalid JSON

Before this update, the clevis-pin-tpm2 command did not validate JSON field names during encryption with TPM2 and silently ignored typos and invalid fields, for example, pcrs_ids instead of pcr_ids. Consequently, users could inadvertently create LUKS bindings with incorrect TPM2 configurations due to typos. This could lead to unlock failures when TPM state changes, potentially making systems unbootable.

This update adds JSON schema validation to reject unknown fields in the TPM2 configuration during encryption. As a result, invalid field names in TPM2 JSON configuration are properly rejected with clear error messages to prevent silent misconfigurations that could cause unlock failures.

Jira:RHEL-138591[1]
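
The difference between silently ignoring an unknown field and rejecting it, as an added example that is not code from clevis-pin-tpm2. The allowed field list, the function names, and the sample inputs are assumptions made for illustration.

```python
import difflib
import json

# Assumption: field names documented for the Clevis tpm2 pin. The schema that
# ships with clevis-pin-tpm2 may accept a different set.
ALLOWED_FIELDS = ("hash", "key", "pcr_bank", "pcr_ids", "pcr_digest")


class ConfigError(ValueError):
    """Raised when the pin configuration must be rejected."""


def _reject_duplicates(pairs):
    # json.loads keeps only the last value of a repeated key; refuse instead,
    # so the binding cannot depend on which copy wins.
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise ConfigError(f"duplicate field {key!r}")
        seen[key] = value
    return seen


def lenient_pcr_ids(text):
    """Pre-fix style: read the known key and silently drop everything else."""
    return json.loads(text).get("pcr_ids")


def validate_tpm2_config(text):
    """Strict style: any field outside ALLOWED_FIELDS is an error."""
    try:
        cfg = json.loads(text, object_pairs_hook=_reject_duplicates)
    except json.JSONDecodeError as exc:
        raise ConfigError(f"not valid JSON: {exc}") from exc
    if not isinstance(cfg, dict):
        raise ConfigError("configuration must be a JSON object")
    problems = []
    for name in sorted(set(cfg) - set(ALLOWED_FIELDS)):
        close = difflib.get_close_matches(name, ALLOWED_FIELDS, n=1)
        hint = f" (did you mean {close[0]!r}?)" if close else ""
        problems.append(f"unknown field {name!r}{hint}")
    if problems:
        raise ConfigError("; ".join(problems))
    return cfg


# Constructed sample inputs: the second one carries the typo from the text.
GOOD = '{"pcr_bank": "sha256", "pcr_ids": "0,7"}'
TYPO = '{"pcr_bank": "sha256", "pcrs_ids": "0,7"}'

if __name__ == "__main__":
    # The lenient reader finds no PCR list at all, so the intended PCR
    # selection is dropped without any message.
    print("lenient pcr_ids:", lenient_pcr_ids(TYPO))
    print("strict, good   :", validate_tpm2_config(GOOD))
    try:
        validate_tpm2_config(TYPO)
    except ConfigError as exc:
        print("strict, typo   :", exc)
```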

SELinux policy update fixes hostname configuration failures

Before this update, a missing SELinux policy rule prevented the systemd-hostnamed service from creating a Varlink socket file in the /run directory. This issue caused hostname configuration to fail during PXE installations that used Kickstart with bootc, which resulted in failed installations.

With this update, the SELinux policy permits the systemd_hostnamed_t domain to create the required socket file. As a result, hostname configuration completes successfully.

Jira:RHEL-139385[1]

rust-rpm-sequoia no longer causes RPM to fail for disallowed algorithms

Before this update, when handling signatures with algorithms disallowed by the system-wide cryptographic policies, the rust-rpm-sequoia library reported a generic failure error to the RPM package management tool. Consequently, RPM failed to validate signatures on RPM packages with such algorithms. In this update, when rust-rpm-sequoia encounters an algorithm disallowed by crypto-policies, it reports the NOTTRUSTED error message. As a result, you can use crypto-policies to disallow one of the algorithms used for signing packages without causing RPM to fail the whole package verification.

Jira:RHEL-144414

12.3. Software management

Review issues that have been fixed for software management in Red Hat Enterprise Linux 10.2.

dnf-automatic can send emails to multiple recipients with default /usr/bin/mail

Before this update, if the dnf-automatic utility used the command_email emitter to send emails to multiple recipients and also used the /usr/bin/mail utility installed with the s-nail package, /usr/bin/mail failed to send an email. With this update, the dnf-automatic utility expands the email_to keyword in the command_format formatting string from a single argument to multiple arguments. As a result, dnf-automatic sends emails to multiple recipients with the default /usr/bin/mail utility.

Jira:RHEL-94331

RPM no longer fails to install or verify a package with multiple signatures when the package has some NOTTRUSTED signatures

Before this update, when you installed or verified a package with multiple signatures, RPM did not correctly determine the overall verification result when the rpmkeys(8) utility reported some of the package signatures as NOTTRUSTED. A signature can become NOTTRUSTED if, for example, its certificate is expired or revoked, or if its algorithm is disabled by system-wide cryptographic policies. As a consequence, RPM failed to install or verify the package even if the package had at least one valid and trusted signature.

This update fixes the verification logic in RPM to correctly handle packages with NOTTRUSTED signatures. This update also improves error reporting around this functionality.

As a result, RPM ignores NOTTRUSTED package signatures and successfully installs or verifies a package with multiple signatures if the package has at least one valid signature and no invalid signatures. Error messages are also clearer and more accurate when verification actually fails.

Jira:RHEL-112394

DNF no longer fails to install packages that use both supported and unsupported signing algorithms

Before this update, you could not install packages with signatures that used both supported and unsupported package signing algorithms. As a consequence, DNF rejected such packages when verifying their signatures because of the unsupported algorithms. With this update, DNF ignores signatures classified as NOTTRUSTED in the rpmkeys command output. As a result, DNF can install packages that use both supported and unsupported signing algorithms.

Jira:RHEL-112730
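
The multi-signature rule from the RPM and DNF entries above (NOTTRUSTED results are ignored, at least one valid signature is required, any invalid signature fails), as an added example that is not RPM or DNF code. The sample check output is constructed and only loosely modelled on verbose rpmkeys output; the key IDs, package names, function names, and the simplified pre-fix model are assumptions.

```python
import re

# Trailing result on a verbose signature line. Digest lines are skipped
# because this example only models the signature decision.
_SIG_LINE = re.compile(r"signature.*:\s*(OK|NOTTRUSTED|BAD)\s*$", re.IGNORECASE)


def signature_results(check_output):
    """Return the per-signature results found in the check output, in order."""
    results = []
    for line in check_output.splitlines():
        match = _SIG_LINE.search(line)
        if match:
            results.append(match.group(1).upper())
    return results


def verdict_before_fix(results):
    """Simplified model of the old behaviour: any NOTTRUSTED result failed."""
    return bool(results) and all(r == "OK" for r in results)


def verdict_after_fix(results):
    """NOTTRUSTED is ignored; need one valid signature and no invalid one."""
    if "BAD" in results:
        return False
    return "OK" in results


# Constructed samples (not captured from a real system).
MIXED = """\
pkg-a.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0a1b2c3d: OK
    Header V4 DSA/SHA1 Signature, key ID 4e5f6a7b: NOTTRUSTED
    Header SHA256 digest: OK
"""
ONLY_NOTTRUSTED = """\
pkg-b.rpm:
    Header V4 DSA/SHA1 Signature, key ID 4e5f6a7b: NOTTRUSTED
    Header SHA256 digest: OK
"""
TAMPERED = """\
pkg-c.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0a1b2c3d: OK
    Header V4 RSA/SHA256 Signature, key ID 8c9d0e1f: BAD
    Header SHA256 digest: OK
"""

if __name__ == "__main__":
    for name, text in (("mixed", MIXED),
                       ("only NOTTRUSTED", ONLY_NOTTRUSTED),
                       ("tampered", TAMPERED)):
        res = signature_results(text)
        print(f"{name:16} {res} before={verdict_before_fix(res)} "
              f"after={verdict_after_fix(res)}")
```

A package whose only signature is NOTTRUSTED still fails, so disallowing an algorithm in crypto-policies does not let packages signed solely with that algorithm through.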

RPM resolves non-local users and groups correctly when installing or verifying packages

Before this update, you could use centralized identity management, for example, through the Lightweight Directory Access Protocol (LDAP), and build a custom package that contains files to be owned by corresponding users or groups. As a consequence, when you installed this custom package, RPM failed to resolve any non-local user and group names, and defaulted to root in both cases. This caused files owned by non-local users or groups to be owned by root when installed on disk.

With this update, RPM consults the Name Service Switch (NSS) file when resolving user and group names. As a result, as long as the NSS configuration on the system is correct, RPM resolves such non-local users and groups correctly, and the files are owned by the correct User Identifier (UID) and Group Identifier (GID) when installed on disk.

Note

If you do not want to use NSS, you can configure the %_passwd_path or %_group_path macro. RPM will only use the specified local passwd(5) and group(5) files when resolving names.

Note

When installing or verifying packages in an alternate root directory specified with the --root option, RPM only uses the passwd(5) and group(5) files, or the paths configured with the %_passwd_path and %_group_path macros, inside the target root directory and does not consult NSS at all.

For more information, see the --root description in the rpm(8) man page.

Jira:RHEL-118365

DNF correctly performs comparison of epoch-version-release for upgrade transactions

Before this update, DNF incorrectly performed comparison of the epoch-version-release (EVR) RPM package information. As a consequence, if you performed two subsequent upgrade transactions for a package that had the same epoch-version but different release, DNF identified the overall transaction as a downgrade. This update fixes the EVR comparison. As a result, DNF identifies two subsequent package upgrades with different release versions as an upgrade.

Jira:RHEL-128443[1]

DNF no longer attempts to automatically remove protected packages installed as dependencies

Before this update, if you installed a protected package as a dependency required by only one other package and had the clean_requirements_on_remove configuration option enabled, DNF failed to perform any transaction that tried to remove the protected package if this package became an unused dependency. This prevented the removal of the package that depended on it, because DNF would automatically attempt to remove the protected dependency as well. With this update, DNF treats all protected packages as explicitly installed by the user. As a result, DNF no longer attempts to automatically remove protected packages, allowing the removal of the package that depends on it.

Jira:RHEL-128445[1]

12.4. Shells and command-line tools

Review issues that have been fixed for shells and command-line tools in Red Hat Enterprise Linux 10.2.

Fixed the ipmievd service start failure due to missing PID file

Before this update, the ipmievd systemd service failed to start because the service did not create the required PID file during initialization. As a result, the service could not store its process ID and timed out. With this update, the service configuration creates the PID file before starting ipmievd to ensure that the service starts correctly.

Jira:RHEL-112449[1]

volume_key successfully retrieves backup passphrases in FIPS mode

Before this update, the volume_key utility used functions that were incompatible with Federal Information Processing Standards (FIPS) when retrieving a backup passphrase from an escrow packet. Consequently, volume_key failed and reported an error on systems with FIPS mode enabled. This update ensures that the backup passphrase retrieval function is FIPS-compliant. As a result, you can successfully retrieve backup passphrases on FIPS-enabled systems.

Jira:RHEL-146218[1]

12.5. Networking

Review issues that have been fixed for networking in Red Hat Enterprise Linux 10.2.

The NetworkManager sriov.vfs property supports the reapply operation

Before this update, NetworkManager could not dynamically apply changes if a user changed the sriov.vfs property. As a consequence, NetworkManager connections with Single Root I/O Virtualization (SR-IOV) settings required a restart after modifications. With this release, sriov.vfs now supports the reapply operation if the total number of virtual functions (VFs) does not change. As a result, restarting a connection after modifying SR-IOV settings is no longer required in the mentioned scenario.

Jira:RHEL-95844

The xdp-trafficgen utility works correctly on ARM systems

Before this update, the xdp-trafficgen utility failed on ARM systems with a Missing required option '--interface' error even if you specified the -i <interface> option. As a consequence, it was not possible to probe eXpress Data Path (XDP) support on a specific interface. This update fixes the problem, and the -i <interface> option works correctly on ARM systems.

Jira:RHEL-105793

NetworkManager clients can set a global-level DNS search domain without defining a DNS server

Before this update, if a client, such as the Nmstate API or the GNOME control center application, used the D-Bus API for changes on a global level, it was not possible to set DNS search domains without defining a DNS server. This update fixes the problem, and clients can define only a global-level DNS search domain.

Jira:RHEL-109853

NetworkManager-wait-online.service is no longer a hard requirement in nmstate.service

Before this update, the nmstate.service systemd unit had a strict Requires dependency on the NetworkManager-wait-online.service unit. Consequently, in environments where NetworkManager-wait-online failed or timed out, the nmstate service failed to start and Nmstate could not apply the necessary network configurations. This update replaces Requires in the unit with Wants. As a result, the nmstate service starts regardless of the status of NetworkManager-wait-online, and Nmstate can apply network configurations.

Jira:RHEL-114959

Unbound follows system-wide crypto-policies for TLS

Before this update, the Unbound package explicitly disabled TLS 1.2 on server sockets for DNS over TLS (DoT). Consequently, servers could not use TLS 1.2 regardless of system settings.

With this update, the default system-wide crypto-policies manage protocol disabling. As a result, TLS server sockets accept older protocols like TLS 1.2, and TLS 1.1 in LEGACY policy mode.

Jira:RHEL-147790

12.6. Kernel

Review issues that have been fixed for kernel in Red Hat Enterprise Linux 10.2.

The USB bulk transport path no longer leaks USB protocol bytes

Before this update, a memory leak of USB protocol data in the USB bulk transport path could expose bytes from the USB protocol into user space when devices incorrectly skipped the data phase. This behavior was detected by the Linux Test Project (LTP) ioctl_sg01 test and indicated that the SCSI request block (SRB) transfer buffer was not cleared in these situations.

With this update, the RHEL kernel is updated to clear the SRB transfer buffer when the data phase is incorrectly skipped. As a result, the USB bulk transport path no longer leaks USB protocol bytes into the user space, and the ioctl_sg01 test now completes successfully.

Jira:RHEL-2588[1]

Incorrect state decoding in perf_sched fixed, and the perf_sched test suite now passes

Before this update, the incorrect state decoding in perf_sched caused the perf tool test suite to fail. This affected the perf tool test suite results. With this release, a patch for correct process state decoding in perf_sched test has been implemented. As a result, the perf_sched test suite now passes.

Jira:RHEL-68347[1]

Update resolves ftrace testing failures for uprobe events by using readelf for entry point determination

Before this update, the uprobe events test during ftrace testing failed due to an issue with entry point determination. This fix involves using readelf for entry point determination in the uprobe tests. As a result, ftrace testing failures for uprobe events and Kprobe event parsing are resolved, improving ftrace test stability.

Jira:RHEL-87219[1]

12.7. File systems and storage

Review issues that have been fixed for file systems and storage in Red Hat Enterprise Linux 10.2.

SCSI tape driver fix now enables device ID IOCTLs after reset

Before this update, a regression in the SCSI tape (st) driver caused certain tape applications to fail after a device reset (such as a third-party power-on reset). When these applications attempted to verify device ID information by using ioctl commands, the driver blocked the request if the buffer state was not ready. This caused errors such as "device /dev/nst1 failed on scsi ioctl(idlun)" and the affected tapes entered an error state.

With this update, the st driver has been fixed to ensure that informational ioctl commands, such as idlun, can execute regardless of the internal buffer state. As a result, tape applications can now successfully verify device information after a reset.

Jira:RHEL-115965[1]

Multipath persistent reservation handling is now more robust and consistent

Before this update, the libmpathpersist library, which is used by the mpathpersist command, had several issues and corner cases that affected persistent reservation handling for multipath devices. This caused the following problems:

  • Numerous mpathpersist operations failed on a multipath device.
  • Persistent reservations sometimes ended up in an inconsistent state. As a consequence, the multipath device denied write access when it was supposed to be allowed, and allowed write access when it was supposed to be prohibited.

With this release, multiple areas of libmpathpersist have been redesigned and fixed to ensure correct and consistent behavior. As a result, mpathpersist commands on multipath devices now work the same as the equivalent sg_persist commands on SCSI devices. I/O access to multipath devices also consistently reflects the device’s persistent reservation state.

Jira:RHEL-118720[1]

The Anaconda installer can now use iSCSI LUNs with ID 256 or higher

Before this update, starting an operating system installation on a system that used iSCSI storage could cause the Anaconda installer to crash. This occurred when the iSCSI Logical Unit Number (LUN) ID was 256 or higher.

This update includes a fix to the LUN ID parsing logic in the blivet library. As a result, installations on systems that use iSCSI targets with LUN IDs of 256 or greater can now proceed.

Jira:RHEL-122305

Added a new VDO vdocalculatesize utility and improved metadata error handling

This update introduces the vdocalculatesize utility. The vdocalculatesize utility computes Virtual Data Optimizer (VDO) volume size and memory requirements based on parameters such as logical size, physical size, slab size, index memory size, and block map cache size. As a result, you can accurately plan and provision VDO volumes, reducing configuration uncertainty for VDO storage deployment.

This release also fixes error handling for scenarios in which VDO metadata becomes corrupted.

Jira:RHEL-129906

multipathd logs offline path warnings for uninitialized paths

Before this update, if multipathd started or reconfigured while a path was offline, the daemon did not print regular offline warnings for that path. This made it difficult to identify issues with uninitialized paths.

With this update, multipathd prints offline messages for uninitialized paths. As a result, you can monitor path status consistently.

Jira:RHEL-133815[1]

Fixed NVMe subsystem reset recovery on PowerPC

Before this update, issuing the nvme subsystem-reset command on the PowerPC platform caused the Non-volatile Memory Express (NVMe) device to enter the resetting state and it failed to recover. As a consequence, the device hung and required a system reboot to recover.

With this release, the NVMe device recovers correctly after a subsystem reset. It is temporarily inaccessible while transitioning from the resetting state to the live state.

Jira:RHEL-137767[1]

12.8. High availability and clusters

Review issues that have been fixed for high availability and clusters in Red Hat Enterprise Linux 10.2.

Nodes no longer unexpectedly leave the cluster after rejoining

Before this update, when a node left a cluster, the cleanup of its transient attributes was handled by two separate components. As a consequence, a node’s shutdown attribute might not have been cleared before the node attempted to rejoin the cluster, causing the node to immediately leave again.

With this release, the responsibility for clearing all transient node attributes has been consolidated into a single component.

As a result, these timing issues are no longer possible, and nodes can rejoin the cluster without being immediately removed due to stale shutdown attributes.

Jira:RHEL-23082

Warning messages added when using the -f flag to modify CIB files

Before this update, when a user executed pcs resource delete, pcs cluster node remove-remote, or pcs booth remove using the -f flag to modify a CIB file directly, pcs would perform the deletion but silently omit cleanup actions that require a live cluster, such as stopping resources or removing nodes from Pacemaker.

With this update, warning messages are displayed whenever live cluster cleanup actions are skipped due to the use of the -f flag.

As a result, users are alerted that they must perform manual cleanup actions on the live cluster when modifying configuration files offline. Note that the usage of the --force flag to skip resource stopping in these commands has been deprecated and will be removed in a future release. The --force flag retains its functionality to override validation errors. Users should now use the --no-stop flag to explicitly skip resource stopping before deletion.

Jira:RHEL-76157

The pcs resource delete command blocks the deletion of running unmanaged resources

Before this update, if you attempted to delete an unmanaged resource by using pcs resource delete while that resource was still running, the resource would be removed from the Cluster Information Base (CIB) but remain active in the running configuration. This left the resource in an ORPHANED state, which could lead to cluster instability and resource management issues.

With this update, pcs returns an error if a deletion request includes any unmanaged resources that are currently running.

As a result, pcs resource delete prevents the creation of orphaned resources by requiring that they be stopped before deletion.

Jira:RHEL-76162

Resource and stonith agent descriptions retain original formatting

Before this update, pcs automatically wrapped resource and stonith agent descriptions to fit within the terminal window. Consequently, any formatting done by the agents' authors, such as new lines, paragraphs, lists, or tables, was removed, often making the descriptions difficult to read.

With this update, pcs no longer reformats the description text.

As a result, pcs displays resource and stonith agent descriptions exactly as the agents' authors intended, preserving the original structure and improving readability.

Jira:RHEL-111451

The db2 resource agent handles reintegration correctly

Before this update, the db2 resource agent could encounter a race condition when a node was reintegrating into the cluster. Consequently, the reintegrating node could incorrectly attempt to start as a "Primary" instance.

With this update, a "reintegration" attribute has been added to the agent. This allows the agent to correctly identify whether it is expected to join as a "Primary" or not, avoiding the race condition.

As a result, reintegration works correctly. Note that in order to prevent issues during the upgrade, you must disable all db2 resources before applying the update and re-enable them only after the update is complete on all nodes.

Jira:RHEL-115495[1]

12.9. Compilers and development tools

Review issues that have been fixed for compilers and development tools in Red Hat Enterprise Linux 10.2.

Fix missing gzip dependency for compressed locale character maps in glibc-locale-source

Before this update, the glibc-locale-source package provided character maps in gzip compressed format but did not declare a dependency on the gzip package. As a consequence, using localedef with a character map provided by glibc-locale-source could fail if gzip was not installed on the system because the compressed archive could not be uncompressed.

With this release, glibc-locale-source now depends on the gzip package. This change ensures the required compression utility is present, allowing localedef to process character maps correctly. As a result, using localedef with character maps provided by glibc-locale-source now works as expected even on systems where gzip was previously missing.

Jira:RHEL-102553

The glibc exit function no longer crashes on simultaneous calls

Before this update, simultaneous calls to the glibc exit function and concurrent stdio.h stream operations in multi-threaded applications were not synchronized. As a consequence, applications could terminate unexpectedly or experience data corruption. With this update, the exit and quick_exit functions synchronize stdio.h stream flushing and allow only one exit call to proceed. As a result, applications no longer crash in this scenario, and overall reliability is improved.

Applications that perform blocking read operations on stdio.h streams, such as with getchar, or that use flockfile to lock streams, cannot exit until the read operation completes or the lock is released. This behavior is required by the POSIX standard.

Jira:RHEL-111117[1]

glibc now returns complete group membership results when NSS group merges fail with ERANGE

Before this update, when looking up group membership on systems where Name Service Switch (NSS) merged groups from more than two services, a merge between two groups that failed due to an insufficient internal buffer caused glibc to skip the merge result instead of retrying the operation with a larger buffer.

As a consequence, on systems with more than two group database sources, querying group information, such as with the getent group command, produced incomplete or empty group membership results in some cases.

With this update, glibc no longer skips merge failures that are caused by an insufficient internal buffer and instead retries the merge with a larger buffer as intended.

As a result, group membership lookups on systems with multiple group database sources now return complete and correct group membership data.

Jira:RHEL-114265[1]

Fixed uninitialized result from sem_open when opening missing semaphore

Before this update, calling the sem_open function for a named semaphore that did not exist and without specifying the O_CREAT flag could return an uninitialized value instead of a defined error indicator.

As a consequence, affected applications observed undefined behavior, such as attempting to use an invalid semaphore handle and misinterpreting the failure because errno was not set to a meaningful value.

With this release, sem_open explicitly returns SEM_FAILED and sets errno to ENOENT when it is called for a semaphore that does not exist and the O_CREAT flag is not specified.

As a result, applications reliably detect this error condition and can handle missing semaphores in a predictable and standards-compliant way.

Jira:RHEL-119392[1]

glibc stdio flushing issues fixed for input streams and shared file descriptors

Before this update, the glibc standard I/O implementation did not fully comply with POSIX when flushing input streams. This caused fflush to mishandle input streams after ungetc, inconsistent behavior when called as fflush(NULL), and incorrect file offsets when fclose operated on shared file descriptors or special character devices.

As a consequence, applications might observe unexpected input stream state, incorrect underlying file positions, and file positioning errors when using fseek and fflush on memory-mapped input files, which can lead to misreads or subtle data-processing bugs.

With this release, the glibc stdio library is corrected so that fflush handles input streams in a POSIX-compliant way, including after ungetc and when invoked as fflush(NULL). In addition, fclose now updates the underlying file offset for shared file descriptors and works correctly with special character devices, and the file positioning logic for fseek and fflush on memory-mapped input files is fixed.

As a result, applications that rely on stdio for input processing, shared file descriptor usage, or memory-mapped input files now behave predictably and correctly after the update.

Jira:RHEL-119434[1]

glibc NSS database lookup stability improvement

Before this update, missing checks in the __nss_database_get function in the glibc package could cause null pointer dereferences and assertion failures during Name Service Switch (NSS) database lookups. As a consequence, applications relying on NSS could terminate unexpectedly, or the C library could crash under specific lookup conditions.

With this release, additional validation checks are added to the NSS database lookup path in glibc to handle invalid or unexpected internal states safely. As a result, NSS database lookups are more robust, and system stability is improved.

Jira:RHEL-150270

Duplicate DNS queries fixed when the search path is set to .

Before this update, when the Domain Name System (DNS) search path in the /etc/resolv.conf file contained a single . entry, the glibc DNS stub resolver queried both the original domain name and the same domain name with a trailing dot.

As a consequence, DNS queries for non-existent domains were duplicated, increasing the load on DNS servers.

After this update, the glibc DNS stub resolver no longer appends a trailing dot to domain names when the search path contains only a single . entry.

As a result, DNS queries are no longer duplicated in this configuration, reducing unnecessary DNS traffic and server load.

Jira:RHEL-142675

12.10. Identity Management

Review issues that have been fixed for Identity Management (IdM) in Red Hat Enterprise Linux 10.2.

Directory Server tools consistently accept unit suffixes when configuring the LMDB database maximum size

Before this update, dscreate and dsconf used different functions to parse and display the LMDB database maximum size (nsslapd-mdb-max-size). As a consequence, dscreate create-template displayed the value as a raw floating-point number in bytes, while dsconf backend config set --mdb-max-size accepted values in bytes only, making it difficult to configure consistent values across the two tools.

With this update, both tools use the same parsing functions and accept values with unit suffixes (k, m, g, t), automatically aligning the result to the nearest page boundary. As a result, administrators can use human-readable size values consistently across dscreate and dsconf when setting the LMDB database maximum size.

Jira:RHEL-64019

The Directory Server web console displays sub-suffixes whose parent suffix is a regular entry

Before this update, the Directory Server web console only displayed sub-suffixes whose nsslapd-parent-suffix attribute exactly matched an existing backend suffix. As a consequence, sub-suffixes with a parent suffix pointing to a regular LDAP entry (rather than a backend suffix) were not visible in the console’s suffix tree, even though they appeared correctly in the dsconf backend suffix list output.

With this update, the web console correctly identifies sub-suffixes that fall under a backend suffix, regardless of whether the parent suffix is a backend suffix itself. As a result, all configured sub-suffixes are displayed in the web console suffix tree.

Jira:RHEL-76835

Directory Server no longer fails at shutdown when the retro changelog trimming thread is active

Before this update, the retro changelog plugin’s internal lock object was freed while the trimming thread was still holding a reference to it when ns-slapd started shutting down. As a consequence, the server could fail with a segmentation fault.

With this update, the server waits for all active plugin threads to finish before freeing plugin resources during shutdown. As a result, ns-slapd shuts down cleanly even when retro changelog trimming is in progress.

Jira:RHEL-86312

LDAP searches with a single component in compound filters return correct results

Before this update, Directory Server did not correctly evaluate compound LDAP filters that contained only a single filter component, such as (&(cn:dn:=groups)). As a consequence, group search queries using these filters returned no results, causing failed group lookups and potentially incorrect access control. With this update, filter evaluation logic is updated to correctly handle compound filters with a single component. As a result, existing group search filters such as (&(cn:dn:=groups)) return the expected entries, restoring predictable LDAP behavior for applications and scripts.

Jira:RHEL-89601

User resolution no longer fails if name ID user overrides exist for IdM AD users

Before this update, when a name ID user override existed for IdM AD trusted users, user resolution failed because the auto private group could not be resolved. With this update, the IdM provider retries fetching the user object if no group override is found. As a result, the auto private group of <overwritten_name>@ad.domain can be resolved, and user resolution succeeds.

Jira:RHEL-94545[1]

Directory Server ignores memberOfDeferredUpdate setting on instances with LMDB

Before this update, the memberOfDeferredUpdate configuration attribute, which is only effective for a Berkeley DB (BDB) backend, was not ignored on instances with a Lightning Memory-Mapped Database Manager (LMDB) backend. As a consequence, if memberOfDeferredUpdate was enabled on an LMDB instance, the Directory Server could become unresponsive during MemberOf plugin processing of large or complex groups.

With this update, Directory Server ignores the memberOfDeferredUpdate setting on instances with LMDB. As a result, processing large or complex groups no longer causes the server to become unresponsive.

Jira:RHEL-106502

dsctl db2index no longer reindexes all attributes when specific attributes are requested

Before this update, running dsctl db2index with the --attr option but without specifying a backend name caused the --attr option to be silently ignored. As a consequence, all attributes across all backends were reindexed instead of only the specified ones, which could take a significant amount of time on large databases.

With this update, dsctl db2index requires a backend name as a positional argument, and the --attr option correctly limits reindexing to the specified attributes for the given backend. As a result, only the requested attributes are reindexed when a backend name and the --attr option are both provided.

Jira:RHEL-111220[1]

The MemberOf fixup task completion message correctly displays the membership attribute name

Before this update, when the MemberOf plugin completed a global fixup task, the plugin freed its configuration structure before logging the completion message. As a consequence, the completion log message displayed (null) instead of the membership attribute name.

With this update, the MemberOf plugin logs the fixup task completion message before freeing its configuration structure, ensuring the attribute name is available when the message is written. As a result, the completion log message displays the correct membership attribute name, making it easier for administrators to verify fixup operations and troubleshoot issues.

Jira:RHEL-117520[1]

The Directory Server web console no longer fails with an error when enabling replication on a consumer

Before this update, when enabling replication on a consumer, the dsconf utility printed a warning about changelogs to the stdout stream instead of stderr. As a consequence, the textual warning broke JSON parsing in the Directory Server web console, which expects pure JSON on stdout.

With this update, the dsconf utility was updated so that the warning about changelogs on consumer replicas is written to stderr. As a result, the Directory Server web console successfully loads the Replication tab after enabling replication on a consumer or changing a role to consumer.

Jira:RHEL-122674

New notes=N and notes=B search indicators to identify asynchronous operations in the Directory Server access log

Before this update, asynchronous requests that exceeded the maximum number of threads per connection caused server unresponsiveness without identification in the Directory Server access logs. As a consequence, it was difficult to diagnose server unresponsiveness.

With this release, Directory Server uses the new search indicators in the access logs to identify such requests:

notes=N defines that the operation is not synchronous.

notes=B defines that the operation blocks other new incoming operations: pending operations, not the read operations, are delayed.

In both cases, you might need to increase the nsslapd-maxthreadsperconn attribute value to allow a connection to use more threads.
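
The following added example (not part of the original release note and not Red Hat or 389 Directory Server code) shows one way to scan an access log for the notes=N and notes=B indicators and list the connections that were blocked. The log lines are constructed, and the assumption is that the indicators appear in the notes= field of RESULT lines as existing indicators such as notes=U do; the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines, not captured from a real server. Assumption: the
# new indicators appear in the notes= field of RESULT lines, as notes=U does.
SAMPLE_LOG = """\
[12/Mar/2026:10:15:01.104512345 +0000] conn=7 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[12/Mar/2026:10:15:01.204512345 +0000] conn=7 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=alice)" attrs=ALL
[12/Mar/2026:10:15:01.304512345 +0000] conn=7 op=1 RESULT err=0 tag=101 nentries=1 wtime=0.000100 optime=0.000200 etime=0.000300 notes=N
[12/Mar/2026:10:15:01.404512345 +0000] conn=7 op=2 RESULT err=0 tag=101 nentries=1 wtime=0.210000 optime=0.000200 etime=0.210200 notes=B
[12/Mar/2026:10:15:01.504512345 +0000] conn=7 op=3 RESULT err=0 tag=101 nentries=1 wtime=0.350000 optime=0.000200 etime=0.350200 notes=B
[12/Mar/2026:10:15:01.604512345 +0000] conn=7 op=4 RESULT err=0 tag=101 nentries=0 wtime=0.000100 optime=0.000100 etime=0.000200
[12/Mar/2026:10:15:02.104512345 +0000] conn=9 fd=65 slot=65 connection from 192.0.2.20 to 192.0.2.1
[12/Mar/2026:10:15:02.204512345 +0000] conn=9 op=1 RESULT err=0 tag=101 nentries=40 wtime=0.000100 optime=0.900000 etime=0.900100 notes=A,U details="Fully Unindexed Filter"
[12/Mar/2026:10:15:02.304512345 +0000] conn=9 op=2 RESULT err=0 tag=101 nentries=1 wtime=0.000100 optime=0.000200 etime=0.000300 notes=N
[12/Mar/2026:10:15:03.104512345 +0000] conn=12 fd=66 slot=66 connection from 192.0.2.30 to 192.0.2.1
[12/Mar/2026:10:15:03.154512345 +0000] conn=12 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(description=notes=B)" attrs=ALL
[12/Mar/2026:10:15:03.204512345 +0000] conn=12 op=1 RESULT err=0 tag=101 nentries=1 wtime=0.120000 optime=0.000200 etime=0.120200 notes=B
"""

# Indicators described in the release note above.
ASYNC_NOTES = {
    "N": "operation is not synchronous",
    "B": "operation blocks other new incoming operations",
}

CONNECT_RE = re.compile(
    r"\bconn=(?P<conn>\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (?P<client>\S+) to "
)
# Only RESULT lines are inspected, so a search filter that happens to contain
# the text "notes=B" (see conn=12 op=1 SRCH above) is never counted.
RESULT_RE = re.compile(
    r"\bconn=(?P<conn>\d+) op=(?P<op>-?\d+) RESULT\b.*?\snotes=(?P<notes>[A-Z](?:,[A-Z])*)"
)


def client_addresses(lines):
    """Map connection id to the client address from 'connection from' lines."""
    clients = {}
    for line in lines:
        match = CONNECT_RE.search(line)
        if match:
            clients[int(match.group("conn"))] = match.group("client")
    return clients


def summarize_async_notes(lines):
    """Return {conn_id: Counter} counting notes=N and notes=B per connection."""
    summary = defaultdict(Counter)
    for line in lines:
        match = RESULT_RE.search(line)
        if not match:
            continue
        conn_id = int(match.group("conn"))
        for flag in match.group("notes").split(","):
            if flag in ASYNC_NOTES:  # ignore unrelated notes such as A or U
                summary[conn_id][flag] += 1
    return dict(summary)


def connections_to_review(lines, min_blocking=1):
    """List (conn_id, client, blocked_count), most notes=B results first.

    These connections are the candidates for a higher
    nsslapd-maxthreadsperconn value.
    """
    lines = list(lines)
    clients = client_addresses(lines)
    hits = [
        (conn, clients.get(conn, "unknown"), counts["B"])
        for conn, counts in summarize_async_notes(lines).items()
        if counts["B"] >= min_blocking
    ]
    return sorted(hits, key=lambda hit: (-hit[2], hit[0]))


if __name__ == "__main__":
    for conn, client, blocked in connections_to_review(SAMPLE_LOG.splitlines()):
        print(f"conn={conn} client={client} notes=B results={blocked}")
```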

Jira:RHEL-123220

Online initialization of a Directory Server consumer no longer fails with an LDAP_BUSY error

Before this update, the replication agreement could send entries faster than the consumer was able to import during online initialization. In that situation, the consumer responded with an LDAP_BUSY error. As a consequence, the replication agreement did not handle this error and terminated the online initialization.

With this update, the replication agreement handles received LDAP_BUSY responses by retrying the operation after a delay. As a result, online initialization completes successfully even when the consumer temporarily cannot keep up with the rate of incoming entries.

Jira:RHEL-123663[1]

LDAP searches with spaces in DN filter values no longer return incorrect results

Before this update, a regression in the handling of filters containing a distinguished name (DN) caused LDAP searches with spaces inside DN values in the filter, such as (member=uid=user, ou=people,dc=example,dc=com), to be evaluated incorrectly. As a consequence, applications received incomplete group membership and search results.

With this update, Directory Server normalizes and correctly compares DN values in the filter, accepting filters both with and without spaces in DN components. As a result, LDAP searches that include spaces in DN values return the same, complete results as in earlier RHDS versions, restoring expected application behavior.
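
A simplified illustration of why the two filter forms must compare equal, added here and not Directory Server's own code: both DN strings are normalized before the member values are compared. It assumes backslash escapes only (no quoted or hex-string values) and case-insensitive attribute values; the function names and the member list are hypothetical.

```python
def split_unescaped(text, sep):
    """Split text on sep, leaving backslash-escaped characters untouched."""
    parts, current, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escape pair together
            i += 2
        elif text[i] == sep:
            parts.append("".join(current))
            current = []
            i += 1
        else:
            current.append(text[i])
            i += 1
    parts.append("".join(current))
    return parts


def strip_unescaped_space(value):
    """Strip surrounding whitespace, but keep an escaped trailing space."""
    value = value.lstrip()
    end = len(value)
    while end > 0 and value[end - 1].isspace():
        backslashes, j = 0, end - 2
        while j >= 0 and value[j] == "\\":
            backslashes += 1
            j -= 1
        if backslashes % 2 == 1:  # "\ " is part of the value, not padding
            break
        end -= 1
    return value[:end]


def normalize_dn(dn):
    """Return a canonical string for a DN so that spacing and case do not matter."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDN
            attr, sep, value = ava.partition("=")
            if not sep or not attr.strip():
                raise ValueError(f"malformed RDN component: {ava!r}")
            avas.append(f"{attr.strip().lower()}={strip_unescaped_space(value).lower()}")
        rdns.append("+".join(sorted(avas)))
    return ",".join(rdns)


def matching_members(filter_dn, member_values):
    """Return the stored member values that equal filter_dn after normalization."""
    wanted = normalize_dn(filter_dn)
    return [m for m in member_values if normalize_dn(m) == wanted]


# Constructed member values of a hypothetical group entry.
MEMBERS = [
    "uid=user,ou=people,dc=example,dc=com",
    "uid=other, ou=people,dc=example,dc=com",
    r"cn=Smith\, John,ou=people,dc=example,dc=com",
]

if __name__ == "__main__":
    # The filter value from the release note, with a space after the first comma.
    print(matching_members("uid=user, ou=people,dc=example,dc=com", MEMBERS))
```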

Jira:RHEL-123664[1]

Directory Server deletes access logs as expected

Before this update, when access log compression was enabled, the log rotation logic failed to correctly recognize .gz-suffixed rotated access log filenames while rebuilding the internal rotation information, so compressed logs were not associated with their corresponding rotation entries. As a consequence, the nsslapd-accesslog-list did not contain the actual files on disk, and access logs accumulated until manual cleanup was required to prevent disks from filling.

With this update, the log rotation logic was updated to correctly parse and match rotated access log filenames regardless of whether they are compressed (with a .gz suffix) or uncompressed, ensuring compressed logs are included when rebuilding rotation information and validating previous log files. As a result, compressed rotated access logs are properly tracked and removed according to the configured rotation settings.

Jira:RHEL-124694

Online initialization of large databases progresses as expected

Before this update, when initializing replication with very large databases, especially after major subtree moves, the initialization could appear stalled after sending the initial suffix entry, because it spent excessive time building and checking large internal ID lists. As a consequence, the server experienced long CPU spikes, initialization was delayed or incomplete, and replicas remained outdated for an extended period.

With this update, the internal ID list lookup logic used during online initialization was optimized, making it scalable even with very large datasets. As a result, replication online initialization progresses as expected on large databases.

Jira:RHEL-128906

Replication no longer fails with Can’t locate CSN errors after an offline import

Before this update, when a replica was reinitialized by using an offline import, the replication keep-alive update was triggered before the replica had time to synchronize with the other suppliers. As a consequence, Can’t locate CSN (Change Sequence Number) errors were logged and some changes were not replicated to consumers.

With this update, the initial delay before the first keep-alive update matches the value of the nsds5ReplicaKeepAliveUpdateInterval attribute, which defaults to 1 hour, and a warning is displayed if this interval is less than the maximum backoff timer. As a result, the replica has sufficient time to synchronize from other suppliers after a reinitialization, and replication proceeds without CSN errors.

Jira:RHEL-129675[1]

Directory Server database initialization no longer fails with an MDB_BAD_VALSIZE error

Before this update, when indexing an attribute, Directory Server erroneously extended the prefix of the index key. The more values were indexed, the longer the prefix became. Adding entries with large values accelerated the issue, because the server also appended a hash to the key. For example, entries in a FreeIPA deployment with many certificates triggered an MDB_BAD_VALSIZE error. As a consequence, key sizes could exceed the LMDB maximum key size, and Directory Server could not initialize the database during import or replication when the dataset contained such entries.

With this update, Directory Server corrects the index key handling to prevent the MDB_BAD_VALSIZE condition. As a result, database initialization succeeds when importing or replicating datasets that contain entries with large numbers of long indexed attribute values.

Jira:RHEL-133085

Directory Server no longer fails under heavy operations involving the NDN cache

Before this update, a defect in the concread dependency used by the Named Data Networking (NDN) cache caused LinCowCell chain drops to incorrectly free shared links when multiple references existed to the same chain. As a consequence, under heavy operations involving the NDN cache, the server could hit a use-after-free condition and fail with a segmentation fault in atomic_compare_exchange(), leading to erratic downtime.

With this update, the 389-ds-base package uses concread version 0.5.10, which correctly stops freeing data when a shared cache link is detected. As a result, NDN cache operations are handled safely, preventing the segmentation fault.

Jira:RHEL-138729

Resolved DNS record creation failure when reverse zone is missing

Before this update, the ipadnsrecord module in ansible-freeipa ignored the create_reverse parameter. As a consequence, when users attempted to add A or AAAA records, the module incorrectly always required an existing reverse DNS zone and the task failed with a "DNS zone not found" error.

With this release, the module logic verifies the status of the create_reverse flag before attempting to validate or locate a reverse zone and skips the check entirely if it is set to false. As a result, the ipadnsrecord module successfully adds A and AAAA records to IdM-managed zones without requiring an existing reverse zone when create_reverse is set to false.

Jira:RHEL-140606

12.11. SSSD

Review issues that have been fixed for SSSD in Red Hat Enterprise Linux 10.2.

adcli correctly identifies machine account principals in multi-realm keytabs

Before this update, when connecting to a domain to update a password, adcli always used the Kerberos realm of the first entry in the keytab file. As a consequence, on systems where the keytab contained multiple realms, the renewal process failed with a "no suitable keys" error if the required realm was not listed first. With this release, adcli searches the keytab for a principal that matches the target domain. As a result, machine account password renewals now succeed regardless of the order of entries in the keytab.

Jira:RHEL-2518

adcli testjoin correctly identifies the joined domain in multi-principal keytabs

Before this update, the adcli testjoin command unconditionally used the domain or realm from the first entry found in the keytab file to perform its diagnostic test. As a consequence, on systems where the keytab contained principals from multiple domains, adcli testjoin would often attempt to connect to an incorrect domain and fail with a "Realm not local to KDC" error.

With this release, adcli uses the realm from the keytab as the domain name when the domain is not explicitly specified. As a result, users can reliably verify domain connectivity without encountering false authentication failures.

Jira:RHEL-5044

User creation fails with invalid sAMAccountName input

Before this update, user creation with, for example, a User Principal Name (UPN) format that includes the @ character instead of a sAMAccountName attribute, caused adcli to create user objects with a sAMAccountName which contained invalid characters. As a consequence, Active Directory (AD) operations involving that user could break. With this release, adcli validates the input string for user creation against a list of illegal characters before attempting to create the entry. As a result, adcli terminates user creation if the input is not a valid sAMAccountName value. This prevents the creation of malformed user objects and ensures smoother AD operation.

Jira:RHEL-5050[1]

12.12. Red Hat Enterprise Linux System Roles

Review issues that have been fixed for Red Hat Enterprise Linux system roles in Red Hat Enterprise Linux 10.2.

The network RHEL system role no longer fails to look up routing tables by name

The /usr/share/iproute2/rt_tables file contains certain built-in routing table names, such as main. Before this update, if an administrator used the network RHEL system role to modify the routing table and specified a routing table by its name in a playbook, the role failed with the following error:

cannot find route table main in /etc/iproute2/rt_tables or /etc/iproute2/rt_tables.d/

With this update, the network RHEL system role no longer fails to look up routing tables by name in /etc/iproute2/rt_tables and files in the /etc/iproute2/rt_tables.d/ directory.

Jira:RHEL-110865[1]

Storage role no longer fails when /etc/fstab is missing

Before this update, the storage role crashed on systems where /etc/fstab was absent. As a consequence, systems without a file system table configuration experienced failures.

With this update, the storage role checks whether /etc/fstab exists before attempting to parse it. As a result, systems without this file no longer experience a crash when using the storage role.

Jira:RHEL-115033

External configuration files correctly override all the sshd_config options

Before this update, external configuration files were not loaded first, which prevented overrides of all options in the sshd_config file. Consequently, users experienced incorrect OpenSSH daemon configuration. With this update, external configuration files take priority. As a result, users can override all options in the sshd_config file.

Jira:RHEL-123016

The network RHEL system role no longer reports an incorrect state when removing profiles

Before this release, when you used the network RHEL system role with the persistent_state: absent setting to remove undefined profiles, the role attempted to delete the loopback interface profile. Because the system automatically recreates this profile immediately, Ansible incorrectly reported a changed state. This bug fix adds the loopback device to the role-internal black_list_names variable. As a result, the network RHEL system role ignores the loopback interface. This prevents unnecessary changes and the role reports an ok state.

Jira:RHEL-123026

Fixed ZeroDivisionError when creating LVM volumes without a specified size

Before this update, creating an LVM volume without specifying a size could cause a ZeroDivisionError. This occurred because the blivet module treated a volume with no specified size as zero.

With this release, if you do not specify size, the volume uses all available space in the pool. As a result, LVM volumes are created successfully even when a size is omitted.

Jira:RHEL-123523

The nbde_client role correctly maintains idempotence after failed binding operations

Before this update, when the nbde_client system role failed to add a required binding to a LUKS-encrypted volume, the rollback mechanism did not always function correctly. This caused idempotence issues, where subsequent attempts to run the role would fail or produce unexpected results because the system was left in a partially modified state.

With this update, the role performs a backup of the LUKS header before initiating any binding operations. If an operation fails, the role uses this backup to restore the header to its original state. As a result, the role correctly maintains idempotence and ensures the system remains in a consistent state even if a binding fails to be added.

Jira:RHEL-128428[1]

The aide system role supports dynamic database configuration for multiple AIDE versions

Before this update, the aide system role used the deprecated database variable in its templates. On systems running Advanced Intrusion Detection Environment (AIDE) version 0.17 or later, including RHEL 10.2, RHEL 9.8, and CentOS Stream 9, this caused the AIDE service to fail during configuration parsing.

With this update, the role introduces the database_in and aide_version variables to dynamically detect the installed AIDE version and apply the appropriate configuration syntax automatically.

As a result, the aide system role provides consistent file integrity monitoring across different releases without requiring manual configuration changes.

Jira:RHEL-129309

Improved error handling for empty disk lists in blivet

Before this update, the code failed to check if the disks list was empty before accessing disks[0] in the blivet module. As a consequence, an unhandled IndexError caused playbook failures, leading to poor performance.

With this update, the module checks whether the disk list is empty before accessing it. If no disks are available, a clear error message is displayed instead of triggering an exception.

Jira:RHEL-137261

vpn role generates valid ipsec.conf file for unmanaged hosts

Before this update, when you tried to generate an ipsec.conf file for a VPN connection between managed and unmanaged hosts, a logic error in the Ansible Playbook caused the task to fail. With this update, the Ansible Playbook references the host and subnet information correctly.

As a result, the vpn system role generates a valid ipsec.conf file for this scenario.

Jira:RHEL-145219

The selinux system role supports static imports even when some variables are undefined

Before this update, undefined variables, such as module paths, caused the selinux system role to fail during template expansion if the import_role directive was used. This occurred because Ansible attempts to resolve variables in task name fields immediately, even if those tasks are within a block with a when condition that evaluates to false.

With this update, task names use the default, or d, filter to provide a fallback value for potentially undefined variables. This ensures that static imports succeed without error, and dynamic usage with the include_role module still provides detailed task information when variables are present.

As a result, the selinux role functions correctly in playbooks that use the import_role directive even when no specific module path is defined.

Jira:RHEL-145247

The firewall RHEL system role installs NetworkManager on managed nodes in order for PCI interface ID lookups to work correctly

Previously, if you wanted to look up the interface name by specifying the PCI ID for the interface by using the interface_pci_id parameter, and NetworkManager was not installed, the firewall RHEL system role was unable to look up the interface by PCI ID and displayed a warning. As a consequence, the role failed to configure the firewalld service by using the specified interface_pci_id variable. With this update, the role ensures that NetworkManager is installed, and the firewall RHEL system role works as expected.

Jira:RHEL-150780

Resolved task name expansion issues in Ansible roles

Before this update, if you used import_role with modules that had no path set, the role issued undefined variable errors. This occurred because Ansible attempted to expand templates in task names within a block regardless of the when conditions.

With this update, the d filter provides a default value for these variables. As a result, the role no longer errors with import_role and modules without a defined path, and continues to provide additional context in task names when used with include_role.

Jira:RHEL-150788

Loop mount errors on RHEL 7 are resolved

Before this update, the blivet module called an undefined function during loop mounts on Red Hat Enterprise Linux 7 because the libblockdev-loop package was missing. As a consequence, the role failed with the "The function 'bd_loop_get_backing_file' called, but not implemented" error.

With this update, the libblockdev-loop package is installed, which prevents blivet errors during loop mounts on RHEL 7.

Jira:RHEL-151437

12.13. Virtualization

Review issues that have been fixed for virtualization in Red Hat Enterprise Linux 10.2.

Post-copy migration no longer causes connection issues on IBM Z

After migrating a virtual machine (VM) between IBM Z hosts by using post-copy migration, the VM previously lost its network connection in some cases and required resetting its network interface to reconnect. With this update, the kernel handles post-copy initiation properly, and the problem no longer occurs.

Jira:RHEL-42486

virtiofsd no longer exhausts open file descriptors when sharing directories with many files

Before this update, virtiofsd used file descriptors to hold references to files in a virtiofs-shared directory until the guest kernel invalidated its cache. As a consequence, when accessing a large number of files through virtiofs, virtiofsd accumulated open file descriptors and exceeded the system limit. This caused commands such as rsync and du to fail with Too many open files errors and in some cases caused virtiofsd to crash.

With this update, virtiofsd defaults to using inode file handles instead of file descriptors to hold references to files. As a result, virtiofsd no longer exhausts the open file descriptor limit when working with virtiofs-shared directories that contain a large number of files.

Jira:RHEL-99895[1]

Live migration of VMs with multiple CPU threads no longer fails with a CPU feature mismatch

Before this update, the libvirt package reported the ht (Hyper-Threading) CPU feature flag inconsistently between the source and destination hosts during live migration. As a consequence, live migration of virtual machines (VMs) that were configured with multiple CPU threads could fail with the following error:

guest CPU doesn't match specification: extra features: ht

With this update, the libvirt package correctly handles the ht CPU feature flag during migration. As a result, VMs configured with multiple CPU threads can be successfully migrated between hosts.

Jira:RHEL-104216

TDX attestation no longer requires rebooting the host

Previously, after you installed the linux-sgx packages on your host, Intel Trust Domain Extensions (TDX) attestation on your virtual machines (VMs) only worked after you rebooted the host. Now, the /dev/sgx_provision device has correct ownership configured after installing linux-sgx, and you can proceed with TDX attestation without rebooting the host.

Jira:RHEL-110112

VM migration no longer fails when using vTPM on shared storage

Before this update, when a virtual Trusted Platform Module (vTPM) data directory was stored on a shared file system, such as NFS, the system failed to create the directory on the destination host during migration, even if it did not exist. This caused virtual machine (VM) migrations to fail. With this update, the system correctly identifies missing vTPM data directories on the destination host and creates them as needed. As a result, virtual machines with a vTPM on shared storage now migrate successfully.

Jira:RHEL-132534[1]

Live VM memory dumps and VM snapshots now work correctly on IBM Z

Previously, attempting to create a memory dump of a running VM by using the virsh dump --live command on an IBM Z host sometimes caused the VM to become unresponsive. In rare cases, creating a snapshot of a running VM could also cause the VM to become unresponsive. With this update, this issue has been fixed, and VMs on IBM Z work as expected in the described scenarios.

Jira:RHELDOCS-21707[1]

12.14. Supportability

Review issues that have been fixed for supportability in Red Hat Enterprise Linux 10.2.

The rhsm.service service is running after the sos report execution

Before this update, the sos report inadvertently started the rhsm.service service even when it was stopped. This caused the service to run in scenarios where there was no internet connection, generating error messages.

With this fix, the sos report no longer starts the rhsm.service service when it is disabled, improving system stability in offline environments.

Jira:RHEL-112563

Passwords with non-alphanumeric characters are now scrubbed in the installer logs

Before this update, the password detection used for obfuscation was strict and rejected non-alphanumeric characters. With this release, password scrubbing accepts non-alphanumeric characters, improving password input flexibility.

Jira:RHEL-121515

Improved IPv6 obfuscation for data privacy

Before this update, the netmask portion of IPv6 addresses remained visible during the data cleaning process. With this release, both the address and the netmask are properly obfuscated, preventing the accidental exposure of network topology.

Jira:RHEL-121517

The obfuscate_file function correctly scrubs file content

Before this update, the obfuscate_file function overwrote the file content with the filename, causing issues with the main archive population in the cleaner. Consequently, incorrectly overwritten file content in sos caused user data corruption. This update introduces the following notable enhancements:

  • The obfuscate_file function cleans the file content instead of the filename.
  • The cleaner’s main_archive is populated by the parsers first to ensure data integrity.
  • The obfuscate_file function does not require short_name. It uses an implicit value that the cleaner automatically processes.

Jira:RHEL-121531

Enhanced post processing obfuscation in OpenStack Nova

Before this update, the passwords were never scrubbed. With this update, the obfuscation is applied only to the /var/lib/openstack/config/nova directory, and it obfuscates only the passwords in transport URLs, not the entire URL.

Jira:RHEL-121534
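The two password-scrubbing fixes above (accepting non-alphanumeric passwords, and masking only the password inside a transport URL) can be illustrated with the following added example. It is not sos code: the patterns, the function name and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed nova.conf fragment; hosts, users and passwords are made up.
SAMPLE_CONF = """\
[DEFAULT]
transport_url = rabbit://nova:p%40ss!w0rd-1@ctl0.example.test:5671,nova:p%40ss!w0rd-1@ctl1.example.test:5671/nova?ssl=1
[notifications]
transport_url = rabbit://ctl0.example.test:5672,ctl1.example.test:5672/
"""

MASK = "********"

# Strict pattern (constructed for contrast): only \w characters count as a
# password, so a password containing '%', '!' or '-' is not detected at all.
STRICT_RE = re.compile(r"((?:://|,)\w+:)(\w+)(?=@)")

# Permissive pattern: the password is everything between "user:" and the next
# '@', excluding URL delimiters. Assumes delimiters inside the password are
# percent-encoded, as a URL requires.
PERMISSIVE_RE = re.compile(r"((?:://|,)[^:@/,\s]+:)([^@/,\s]+)(?=@)")


def scrub_url_passwords(text, pattern=PERMISSIVE_RE):
    """Mask only the password of each user:password@host entry.

    Scheme, user name, hosts, ports and path are left intact so the scrubbed
    file stays useful for troubleshooting.
    Returns (scrubbed_text, number_of_passwords_masked).
    """
    return pattern.subn(lambda m: m.group(1) + MASK, text)


if __name__ == "__main__":
    for name, pattern in (("strict", STRICT_RE), ("permissive", PERMISSIVE_RE)):
        scrubbed, count = scrub_url_passwords(SAMPLE_CONF, pattern)
        print(f"--- {name}: {count} password(s) masked")
        print(scrubbed)
```

The credential-free URL in the `[notifications]` section is left untouched, which shows that host:port pairs are not mistaken for user:password pairs.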

Improper scrubbing fixed in aap_containerized to secure passwords

Before this update, unscrubbed passwords were collected from containerized AAP deployments because of improper scrubbing in the aap_containerized plugin. As a consequence, a password leak occurred in these deployments.

With this release, secret obfuscation has been added to the plugin. As a result, sensitive data is properly obfuscated in the containerized AAP deployments, reducing the risk of password leaks.

Jira:RHEL-142618

12.15. Containers

Review issues that have been fixed for containers in Red Hat Enterprise Linux 10.2.

Skopeo switches to Sequoia-PGP for OpenPGP signatures in RHEL 10

With this update, Skopeo supports a Sequoia-PGP-based backend for OpenPGP image signatures. Previously, Skopeo used GnuPG (gpgme/pgpme bindings) for OpenPGP operations. This update includes the following enhancements:

  • Verification: the back end is switched from GnuPG to Sequoia-PGP.
  • Signing: the current GnuPG workflows remain supported. The new --sign-by-sq-fingerprint option allows you to use Sequoia and Sequoia-available keys.
  • Algorithm support: Supports modern and post-quantum capable algorithms such as ML-DSA-87+Ed448.
  • Improved Skopeo compatibility with FIPS certification.

Jira:RHEL-56364[1]

Buildah and Podman no longer request multiple tokens per operation

Previously, the Buildah and Podman utilities repeatedly requested tokens during each operation. This sometimes caused a race condition in the hosted repository manager.

This update fixes the issue by preventing multiple token requests, which improves the performance and stability of the hosted repository manager.

Jira:RHEL-164030

12.16. RHEL Lightspeed

Review issues that have been fixed for RHEL Lightspeed in Red Hat Enterprise Linux 10.2.

The lightspeed keyword is added to dnf search metadata for the CLA package

Before this update, the lightspeed keyword was missing from the command-line assistant (CLA) package summary. As a consequence, users could not easily find the package when performing a dnf search. With this update, the keyword is added to the package metadata. As a result, users can now find the package by searching for lightspeed, which makes the CLA easier to install.

Jira:RHEL-114376

© 2026 Red Hat