6.4 Technical Notes
Detailed notes on the changes implemented in Red Hat Enterprise Linux 6.4
Edition 4
Chapter 1. Important Changes to External Kernel Parameters
procfs entries, sysfs default values, boot parameters, kernel configuration options, or any noticeable behavior changes.
intel_idle.max_cstate
- A new kernel parameter, intel_idle.max_cstate, has been added to specify the maximum depth of a C-state, or to disable intel_idle and fall back to acpi_idle. For more information, refer to the /usr/share/doc/kernel-doc-<version>/Documentation/kernel-parameters.txt file.
nobar
- The new nobar kernel parameter, specific to the AMD64 / Intel 64 architecture, can be used to not assign address space to the Base Address Registers (BARs) that were not assigned by the BIOS.
noari
- The new noari kernel parameter can disable the use of PCIe Alternative Routing ID Interpretation (ARI).
MD state file
- The state file of an MD array component device (found in the /sys/block/md<md_number>/md/dev-<device_name> directory) can now contain additional device states. For more information, refer to the /usr/share/doc/kernel-doc-<version>/Documentation/md.txt file.
route_localnet
- The route_localnet kernel parameter can be used to enable the use of 127/8 for local routing purposes. For more information, refer to the /usr/share/doc/kernel-doc-<version>/Documentation/networking/ip-sysctl.txt file.
pf_retrans
- The pf_retrans kernel parameter specifies the number of re-transmissions that will be attempted on a given path before traffic is redirected to an alternate transport (should one exist). For more information, refer to the /usr/share/doc/kernel-doc-<version>/Documentation/networking/ip-sysctl.txt file.
traceevent
- The new traceevent library, used by perf, uses the following sysfs control files:
  - /sys/kernel/debug/tracing/events/header_page
  - /sys/kernel/debug/tracing/events/.../.../format
  - /sys/bus/event_source/devices/<dev>/format
  - /sys/bus/event_source/devices/<dev>/events
  - /sys/bus/event_source/devices/<dev>/type
/sys/kernel/fadump_*
- On 64-bit IBM POWER machines, the following control files have been added to be used by the firmware-assisted dump feature:
  - /sys/kernel/fadump_enabled
  - /sys/kernel/fadump_registered
  - /sys/kernel/fadump_release_mem
  For more information about these files, refer to /usr/share/doc/kernel-doc-<version>/Documentation/powerpc/firmware-assisted-dump.txt.
Transparent Hugepages
- The /sys/kernel/mm/transparent_hugepage symbolic link, which points to /sys/kernel/mm/redhat_transparent_hugepage, has been added for consistency purposes. Documentation for transparent hugepages has been added to the following file: /usr/share/doc/kernel-doc-<version>/Documentation/vm/transhuge.txt
vmbus_show_device_attr
- The vmbus_show_device_attr attribute of the Hyper-V vmbus driver shows the device attribute in sysfs. This is invoked when the /sys/bus/vmbus/devices/<busdevice>/<attr_name> file is read.
BNA debugfs Interface
- The BNA debugfs interface can be accessed through the bna/pci_dev:<pci_name> hierarchy (note that the debugfs file system must be mounted). The following debugging services are available for each pci_dev:
  - fwtrc — used to collect current firmware trace.
  - fwsave — used to collect last-saved firmware trace as a result of firmware crash.
  - regwr — used to write one word to the chip register.
  - regrd — used to read one or more words from the chip register.
iwlegacy debug_level
- The iwlegacy driver includes a new sysfs control file, /sys/bus/pci/drivers/iwl/debug_level, to control the per-device level of debugging. The CONFIG_IWLEGACY_DEBUG option enables this feature.
iwlwifi debug_level
- The iwlwifi driver includes a new sysfs control file, /sys/class/net/wlan0/device/debug_level, to control the per-device level of debugging. The CONFIG_IWLWIFI_DEBUG option enables this feature.
ie6xx_wdt
- If debugfs is mounted, the new /sys/kernel/debug/ie6xx_wdt file contains a value that determines whether the system was rebooted by the watchdog.
supported_krb5_enctypes
- The new /proc/fs/nfsd/supported_krb5_enctypes proc file lists the encryption types supported by the kernel's gss_krb5 code.
usbmixer
- The /proc/asound/card<card_number>/usbmixer proc file has been added. It contains a mapping between the ALSA control API and the USB mixer control units. This file can be used for debugging and problem diagnostics.
codec#<number>
- The /proc/asound/card<card_number>/codec#<number> proc files now contain information about the D3cold power state, the deepest power-saving state for a PCIe device. The codec#<number> files now also contain additional power state information, specifically: reset status, clock stop ok, and power states error. The following is an example output:
  Power: setting=D0, actual=D0, Error, Clock-stop-OK, Setting-reset
cgroup.procs
- The cgroup.procs file is now writable. Writing a TGID into the cgroup.procs file of a cgroup moves that thread group into that cgroup.
sysfs_dirent
- The last sysfs_dirent, which represents a single sysfs node, is now cached to improve the scalability of the readdir function.
iov
- The iov sysfs directory was added under the ib device. This directory is used to manage and examine the port P_Key and GUID paravirtualization.
FDMI attributes
- Fabric Device Management Interface (FDMI) attributes can now be exposed to the fcoe driver via the fc_host class object.
ltm_capable
- The /sys/bus/usb/devices/<device>/ltm_capable file has been added to show whether a device supports Latency Tolerance Messaging (LTM). This file is present for both USB 2.0 and USB 3.0 devices.
fwdump_state
- The /sys/class/net/eth<number>/device/fwdump_state file has been added to determine whether the firmware dump feature is enabled or disabled.
flags, registers
- The Commands in Q item was added to the /sys/block/rssd<number>/registers file. This file's output was also re-formatted. Also, a new /sys/block/rssd<number>/flags file has been added. This read-only file dumps the flags in a port and driver data structure.
duplex
- The /sys/class/net/eth<number>/duplex file now reports unknown when the NIC duplex state is DUPLEX_UNKNOWN.
Mountpoint Interface
- A sysfs mountpoint interface was added to the perf tool.
TCP_USER_TIMEOUT
- TCP_USER_TIMEOUT is a TCP level socket option that specifies the maximum amount of time (in milliseconds) that transmitted data may remain unacknowledged before TCP will forcefully close the corresponding connection and return ETIMEDOUT to the application. If the value 0 is specified, TCP will continue to use the system default.
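As an added example (not code from the Technical Notes), the following C program sets TCP_USER_TIMEOUT on an unconnected socket, reads it back, and shows that writing 0 returns the socket to the system default; it assumes Linux and glibc's netinet/tcp.h, with a fallback definition of the option number.

```c
/* Added example: exercising the TCP_USER_TIMEOUT socket option on Linux. */
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef TCP_USER_TIMEOUT
#define TCP_USER_TIMEOUT 18   /* option number used by the Linux kernel */
#endif

/* Create an unconnected IPv4 TCP socket; returns the fd or -errno. */
int make_tcp_socket(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    return fd < 0 ? -errno : fd;
}

/* Cap how long transmitted data may stay unacknowledged before the kernel
 * aborts the connection with ETIMEDOUT. A value of 0 restores the system
 * default, i.e. the RTO-based retry policy governed by tcp_retries2.
 * Returns 0 on success or -errno. */
int set_tcp_user_timeout(int fd, unsigned int timeout_ms)
{
    if (setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT,
                   &timeout_ms, sizeof(timeout_ms)) < 0)
        return -errno;
    return 0;
}

/* Read the option back; returns the value in milliseconds or -errno. */
long get_tcp_user_timeout(int fd)
{
    unsigned int val = 0;
    socklen_t len = sizeof(val);
    if (getsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, &val, &len) < 0)
        return -errno;
    return (long)val;
}

int main(void)
{
    int fd = make_tcp_socket();
    if (fd < 0) {
        fprintf(stderr, "socket: %s\n", strerror(-fd));
        return 1;
    }
    /* A fresh socket reports 0: "use the system default". */
    printf("initial TCP_USER_TIMEOUT: %ld ms\n", get_tcp_user_timeout(fd));

    /* With 30 s, a peer that silently vanished (cable pulled, VM frozen) is
     * detected in about half a minute rather than the ~15 minutes that the
     * default tcp_retries2 policy can take. */
    if (set_tcp_user_timeout(fd, 30000) == 0)
        printf("after set: %ld ms\n", get_tcp_user_timeout(fd));

    set_tcp_user_timeout(fd, 0);
    printf("after reset: %ld ms\n", get_tcp_user_timeout(fd));
    close(fd);
    return 0;
}
```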
IPPROTO_ICMP
- The IPPROTO_ICMP socket option makes it possible to send ICMP_ECHO messages and receive the corresponding ICMP_ECHOREPLY messages without any special privileges.
Increased Default in ST_MAX_TAPES
- In Red Hat Enterprise Linux 6.4, the number of supported tape drives has increased from 128 to 512.
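As an added example (not code from the Technical Notes), this C program shows the unprivileged ICMP echo path that the IPPROTO_ICMP item above describes: it compares the caller's group with net.ipv4.ping_group_range, builds a checksummed echo request, and exchanges it with 127.0.0.1 over a SOCK_DGRAM/IPPROTO_ICMP socket. The sysctl path and the EACCES-when-out-of-range behaviour are taken from the upstream kernel, not from this page.

```c
/* Added example: unprivileged ICMP echo through an IPPROTO_ICMP datagram
 * socket (Linux). No CAP_NET_RAW or setuid binary is involved. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <netinet/ip_icmp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* RFC 1071 Internet checksum over len bytes. The return value is already in
 * the byte order in which it is stored in the packet (host-independent). */
uint16_t icmp_checksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)(p[0] << 8 | p[1]);
    if (len) sum += (uint32_t)(p[0] << 8);               /* odd trailing byte */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16); /* fold carries */
    return htons((uint16_t)~sum);
}

/* Write an echo request (type 8, code 0) into buf. On a ping socket the kernel
 * replaces id with the socket's own identifier and recomputes the checksum;
 * the header is built here to show what goes on the wire. Returns the
 * request length, or 0 if buf is too small. */
size_t build_echo_request(uint8_t *buf, size_t cap, uint16_t id,
                          uint16_t seq, const uint8_t *payload, size_t plen)
{
    if (cap < 8 + plen)
        return 0;
    buf[0] = ICMP_ECHO;  buf[1] = 0;          /* type, code */
    buf[2] = 0;          buf[3] = 0;          /* checksum placeholder */
    buf[4] = id >> 8;    buf[5] = id & 0xff;
    buf[6] = seq >> 8;   buf[7] = seq & 0xff;
    if (plen)
        memcpy(buf + 8, payload, plen);
    uint16_t ck = icmp_checksum(buf, 8 + plen);
    memcpy(buf + 2, &ck, 2);
    return 8 + plen;
}

/* Parse the two numbers in /proc/sys/net/ipv4/ping_group_range. The kernel
 * default "1 0" is an empty range, i.e. no group may open ping sockets. */
int parse_ping_group_range(const char *text, unsigned long *lo, unsigned long *hi)
{
    return sscanf(text, "%lu %lu", lo, hi) == 2 ? 0 : -1;
}

int gid_in_ping_range(unsigned long gid, unsigned long lo, unsigned long hi)
{
    return lo <= gid && gid <= hi;
}

/* Returns the socket fd, or -errno. -EACCES: gid outside ping_group_range;
 * -EPROTONOSUPPORT: kernel built without ping-socket support. */
int open_ping_socket(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    return fd < 0 ? -errno : fd;
}

int main(void)
{
    char line[64] = "1 0";
    unsigned long lo = 1, hi = 0;
    FILE *f = fopen("/proc/sys/net/ipv4/ping_group_range", "r");
    if (f) { if (fgets(line, sizeof line, f)) parse_ping_group_range(line, &lo, &hi); fclose(f); }
    printf("ping_group_range=%lu-%lu gid=%lu -> %s\n", lo, hi, (unsigned long)getgid(),
           gid_in_ping_range(getgid(), lo, hi) ? "allowed" : "denied");

    int fd = open_ping_socket();
    if (fd < 0) { fprintf(stderr, "socket(IPPROTO_ICMP): %s\n", strerror(-fd)); return 1; }
    struct timeval tv = { 2, 0 };
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);

    struct sockaddr_in dst = { .sin_family = AF_INET };
    inet_pton(AF_INET, "127.0.0.1", &dst.sin_addr);
    uint8_t req[64], rep[128];
    size_t n = build_echo_request(req, sizeof req, 0, 1, (const uint8_t *)"rhel64", 6);
    if (sendto(fd, req, n, 0, (struct sockaddr *)&dst, sizeof dst) < 0) { perror("sendto"); return 1; }

    /* Unlike a raw socket, a ping socket delivers the reply without the IP
     * header, so byte 0 is the ICMP type. */
    ssize_t r = recv(fd, rep, sizeof rep, 0);
    if (r >= 8 && rep[0] == ICMP_ECHOREPLY)
        printf("echo reply: id=%d seq=%d len=%zd\n", rep[4] << 8 | rep[5], rep[6] << 8 | rep[7], r);
    else
        perror("recv");
    close(fd);
    return 0;
}
```

If the socket call fails with EACCES, the printed ping_group_range line explains why: on this release the default range admits no group at all, so enabling unprivileged echo is an explicit sysctl decision.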
Increased Number of Supported IOMMUs
- The number of supported input/output memory management units (IOMMUs) has been increased to be the same as the number of I/O Advanced Programmable Interrupt Controllers (APICs; defined in MAX_IO_APICS).
New Module Parameters
- The following list summarizes new command line arguments passed to various kernel modules. For more information about the majority of these module parameters, refer to the output of the modinfo <module> command, for example, modinfo bna.
  - New kvm module parameter: module_param(min_timer_period_us, uint, S_IRUGO | S_IWUSR);
    min_timer_period_us — Do not allow the guest to program periodic timers with small interval, since the hrtimers are not throttled by the host scheduler, and allow tuning the interval with this parameter. The default value is 500us.
  - New kvm-intel module parameter: module_param_named(eptad, enable_ept_ad_bits, bool, S_IRUGO);
    enable_ept_ad_bits — Parameter to control enabling/disabling A/D bits, if supported by CPU. The default value is enabled.
  - New ata_piix module parameter: module_param(prefer_ms_hyperv, int, 0);
    prefer_ms_hyperv — On Hyper-V Hypervisors, the disks are exposed on both the emulated SATA controller and on the paravirtualized drivers. The CD/DVD devices are only exposed on the emulated controller. Request to ignore ATA devices on this host. The default value is enabled.
  - New drm module parameters: module_param_named(edid_fixup, edid_fixup, int, 0400); module_param_string(edid_firmware, edid_firmware, sizeof(edid_firmware), 0644);
    edid_fixup — Minimum number of valid EDID header bytes (0-8). The default value is 6.
    edid_firmware — Do not probe monitor, use specified EDID blob from built-in data or /lib/firmware instead.
  - New i915 module parameters: module_param_named(lvds_channel_mode, i915_lvds_channel_mode, int, 0600); module_param_named(i915_enable_ppgtt, i915_enable_ppgtt, int, 0600); module_param_named(invert_brightness, i915_panel_invert_brightness, int, 0600);
  - New nouveau module parameter: module_param_named(vram_type, nouveau_vram_type, charp, 0400);
  - New radeon module parameter: module_param_named(lockup_timeout, radeon_lockup_timeout, int, 0444);
  - New i2c-ismt module parameters: module_param(stop_on_error, uint, S_IRUGO); module_param(fair, uint, S_IRUGO);
  - New iw-cxgb4 module parameters: module_param(db_delay_usecs, int, 0644); module_param(db_fc_threshold, int, 0644);
  - New mlx4_ib module parameter: module_param_named(sm_guid_assign, mlx4_ib_sm_guid_assign, int, 0444);
  - New ib_qib module parameter: module_param_named(cc_table_size, qib_cc_table_size, uint, S_IRUGO);
  - New bna module parameter: module_param(bna_debugfs_enable, uint, S_IRUGO | S_IWUSR);
  - New cxgb4 module parameters: module_param(dbfifo_int_thresh, int, 0644); module_param(dbfifo_drain_delay, int, 0644);
  - New e1000e module parameter: module_param(debug, int, 0);
  - New igb module parameter: module_param(debug, int, 0);
  - New igbvf module parameter: module_param(debug, int, 0);
  - New ixgbe module parameter: module_param(debug, int, 0);
  - New ixgbevf module parameter: module_param(debug, int, 0);
  - New hv_netvsc module parameter: module_param(ring_size, int, S_IRUGO);
  - New mlx4_core module parameter: module_param(enable_64b_cqe_eqe, bool, 0444);
    enable_64b_cqe_eqe — Enable 64 byte CQEs/EQEs when the firmware supports this.
  - New sfc module parameters: module_param(vf_max_tx_channels, uint, 0444); module_param(max_vfs, int, 0444);
  - New ath5k module parameter: module_param_named(no_hw_rfkill_switch, ath5k_modparam_no_hw_rfkill_switch, bool, S_IRUGO);
  - New iwlegacy module parameters: module_param(led_mode, int, S_IRUGO); module_param(bt_coex_active, bool, S_IRUGO);
  - New wlcore module parameter: module_param(no_recovery, bool, S_IRUSR | S_IWUSR);
  - New s390 scm_block module parameters: module_param(nr_requests, uint, S_IRUGO); module_param(write_cluster_size, uint, S_IRUGO);
  - New s390 zfcp module parameters: module_param_named(no_auto_port_rescan, no_auto_port_rescan, bool, 0600); module_param_named(datarouter, enable_multibuffer, bool, 0400); module_param_named(dif, enable_dif, bool, 0400);
  - New aacraid module parameters: module_param(aac_sync_mode, int, S_IRUGO|S_IWUSR); module_param(aac_convert_sgl, int, S_IRUGO|S_IWUSR);
  - New be2iscsi module parameter: module_param(beiscsi_##_name, uint, S_IRUGO);
  - New lpfc module parameter: module_param(lpfc_req_fw_upgrade, int, S_IRUGO|S_IWUSR);
  - New megaraid_sas module parameters: module_param(msix_vectors, int, S_IRUGO); module_param(throttlequeuedepth, int, S_IRUGO); module_param(resetwaittime, int, S_IRUGO);
  - New qla4xxx module parameters: module_param(ql4xqfulltracking, int, S_IRUGO | S_IWUSR); module_param(ql4xmdcapmask, int, S_IRUGO); module_param(ql4xenablemd, int, S_IRUGO | S_IWUSR);
  - New hv_storvsc module parameter: module_param(storvsc_ringbuffer_size, int, S_IRUGO);
  - New ehci-hcd driver parameter: module_param(io_watchdog_force, uint, S_IRUGO);
    io_watchdog_force — Force I/O watchdog to be ON for all devices.
  - New ie6xx_wdt module parameters: module_param(timeout, uint, 0); module_param(nowayout, bool, 0); module_param(resetmode, byte, 0);
  - New snd-ua101 module parameter: module_param(queue_length, uint, 0644);
Chapter 2. Device Drivers
Storage Drivers
- The Direct Access Storage Devices (DASD) device driver has been updated to detect path configuration errors that cannot be detected by hardware or microcode. Upon successful detection, the device driver does not use such paths. With this feature, for example, the DASD device driver detects paths that are assigned to a specific subchannel but lead to different storage servers.
- The zfcp device driver has been updated to add data structures and error handling to support the enhanced mode of the System z Fibre Channel Protocol (FCP) adapter card. In this mode, the adapter passes data directly from memory to the SAN (data routing) when memory on the adapter card is blocked by large and slow I/O requests.
- The mtip32xx driver has been updated to add support for the latest PCIe SSD drives.
- The lpfc driver for Emulex Fibre Channel Host Bus Adapters has been updated to version 8.3.5.86.1p.
- The qla2xxx driver for QLogic Fibre Channel HBAs has been updated to version 8.04.00.04.06.4-k, which adds support for QLogic's 83XX Converged Network Adapter (CNA), 16 GBps FC support for QLogic adapters, and new Form Factor CNA for HP ProLiant servers.
- The qla4xxx driver has been updated to version v5.03.00.00.06.04-k0, which adds change_queue_depth API support, fixes a number of bugs, and introduces various enhancements.
- The ql2400-firmware firmware for QLogic 4Gbps fibre channel HBA has been updated to version 5.08.00.
- The ql2500-firmware firmware for QLogic 4Gbps fibre channel HBA has been updated to version 5.08.00.
- The ipr driver for IBM Power Linux RAID SCSI HBAs has been updated to version 2.5.4, which adds support for the Power7 6Gb SAS adapters and enables SAS VRAID capability on these adapters.
- The hpsa driver has been updated to version 2.0.2-4-RH1 to add PCI-IDs for the HP Smart Array Generation 8 family of controllers.
- The bnx2i driver for Broadcom NetXtreme II iSCSI has been updated to version 2.7.2.2 with general hardware support enablements. iSCSI and FCoE boot support on Broadcom devices is now fully supported in Red Hat Enterprise Linux 6.4. These two features are provided by the bnx2i and bnx2fc Broadcom drivers.
- The bnx2fc driver for the Broadcom NetXtreme II 57712 chip has been updated to version 1.0.12. iSCSI and FCoE boot support on Broadcom devices is now fully supported in Red Hat Enterprise Linux 6.4. These two features are provided by the bnx2i and bnx2fc Broadcom drivers.
- The mpt2sas driver has been updated to version 13.101.00.00, which adds multi-segment mode support for the Linux BSG Driver.
- The Brocade bfa Fibre Channel and FCoE driver has been updated to version 3.0.23.0, which includes Brocade 1860 16Gbps Fibre Channel Adapter support, new hardware support in Dell PowerEdge 12th Generation servers, and issue_lip support. The bfa firmware was updated to version 3.0.3.1.
- The be2iscsi driver for ServerEngines BladeEngine 2 Open iSCSI devices has been updated to version 4.4.58.0r to add iSCSI netlink VLAN support.
- The qib driver for TrueScale HCAs has been updated to the latest version with the following enhancements:
  - Enhanced NUMA awareness
  - Congestion Control Agent (CCA) for Performance Scale Messaging (PSM) fabrics
  - Dual Rail for PSM fabrics
  - Performance enhancements and bug fixes
- The following drivers have been updated to include the latest upstream features and bug fixes: ahci, md/bitmap, raid0, raid1, raid10, and raid456.
Network Drivers
- The netxen_nic driver for NetXen Multi port (1/10) Gigabit Network has been updated to version 4.0.80, which adds miniDIMM support. The netxen_nic firmware has been updated to version 4.0.588.
- The bnx2x driver has been updated to version 1.72.51-0 to include support for Broadcom 57800/57810/57811/57840 chips as well as general bug fixes and updated firmware for Broadcom 57710/57711/57712 chips. This update also includes the following enhancements:
  - Support for iSCSI offload and Data Center Bridging/Fibre Channel over Ethernet (DCB/FCoE) on Broadcom 57712/578xx chips. The Broadcom 57840 chip is supported in a 4x10G configuration only and does not support iSCSI offload and FCoE. Future releases will support additional configurations and iSCSI offload and FCoE.
  - Additional physical layer support, including Energy Efficient Ethernet (EEE).
  - iSCSI offload enhancements
  - OEM-specific features
- The be2net driver for Emulex OneConnect 10GbE Network Adapters has been updated to version 4.4.31.0r. The SR-IOV functionality of the Emulex be2net driver is now fully supported in Red Hat Enterprise Linux 6.4. SR-IOV runs on all Emulex-branded and OEM variants of BE3-based hardware (with minimum firmware version 4.2.324.30), which all require the be2net driver software.
- The ixgbevf driver has been updated to version 2.6.0-k to include the latest hardware support, enhancements, and bug fixes.
- The cxgb4 driver for Chelsio Terminator4 10G Unified Wire Network Controllers has been updated to add support for Chelsio's T480-CR and T440-LP-CR adapters.
- The cxgb3 driver for the Chelsio T3 Family of network devices has been updated to version 1.1.5-ko.
- The ixgbe driver for Intel 10 Gigabit PCI Express network devices has been updated to version 3.9.15-k to include support for SR-IOV with Data Center Bridging (DCB) or Receive-Side Scaling (RSS), PTP support as a Technology Preview, the latest hardware support, enhancements, and bug fixes.
- The iw_cxgb3 driver has been updated.
- The iw_cxgb4 driver has been updated.
- The e1000e driver for Intel PRO/1000 network devices has been updated to add the latest hardware support and features, and to provide a number of bug fixes.
- The enic driver for Cisco 10G Ethernet devices has been updated to version 2.1.1.39.
- The igbvf driver (Intel Gigabit Virtual Function Network driver) has been updated to the latest upstream version.
- The igb driver for Intel Gigabit Ethernet Adapters has been updated to version 4.0.1 to add the latest hardware support. Also, PTP support has been added to the igb driver as a Technology Preview.
- The tg3 driver for Broadcom Tigon3 Ethernet devices has been updated to version 3.124 to add new hardware support. Also, PTP support has been added to the tg3 driver as a Technology Preview.
- The qlcnic driver for the HP NC-Series QLogic 10 Gigabit Server Adapters has been updated to version 5.0.29.
- The Brocade bna driver for Brocade 10Gb PCIe Ethernet Controllers has been updated to version 3.0.23.0 to add new hardware support for Dell PowerEdge 12th Generation servers, and to enable the use of non-Brocade Twinax Copper cables. The bna firmware was updated to version 3.0.3.1.
- The Broadcom NetXtreme II cnic driver has been updated to version 2.5.13 to include new features, bug fixes, and support for new OEM platforms.
- The wireless drivers have been updated to upstream version 3.5, including the iwlwifi driver for Intel wireless LAN adapters and the ath9k driver for PCI/PCI-Express adapters with Atheros wireless LAN chipsets. Additionally, the rt2800pci and rt2800usb drivers have been added to support various USB and PCI/PCI-Express adapters with Ralink wireless LAN chipsets.
Miscellaneous Drivers
- The intel_idle cpuidle driver for Intel processors has been updated to add support for Intel's Xeon E5-XXX V2 series of processors.
- The wacom driver has been updated to add support for the CTL-460 Wacom Bamboo Pen, the Wacom Intuos5 Tablet, and the Wacom Cintiq 22HD Pen Display.
- The ALSA HDA audio driver has been updated to enable or improve support for new hardware and fix a number of bugs.
- The mlx4_en driver has been updated to the latest upstream version.
- The mlx4_ib driver has been updated to the latest upstream version.
- The mlx4_core driver has been updated to the latest upstream version.
- The z90crypt device driver has been updated to support the new Crypto Express 4 (CEX4) adapter card.
Chapter 3. Deprecated Functionality
systemtap component
- The systemtap-grapher package has been removed from Red Hat Enterprise Linux 6. For more information, see https://access.redhat.com/solutions/757983.
matahari component
- The Matahari agent framework (matahari-*) packages have been removed from Red Hat Enterprise Linux 6. Focus for remote systems management has shifted towards the use of the CIM infrastructure. This infrastructure relies on an already existing standard which provides a greater degree of interoperability for all users.
distribution component
- The following packages have been deprecated and are subject to removal in a future release of Red Hat Enterprise Linux 6. These packages will not be updated in the Red Hat Enterprise Linux 6 repositories, and customers who do not use the MRG-Messaging product are advised to uninstall them from their systems.
- mingw-gcc
- mingw-boost
- mingw32-qpid-cpp
- python-qmf
- python-qpid
- qpid-cpp
- qpid-qmf
- qpid-tests
- qpid-tools
- ruby-qpid
- saslwrapper
  Red Hat MRG-Messaging customers will continue to receive updated functionality as part of their regular updates to the product.
fence-virt component
- The libvirt-qpid is no longer part of the fence-virt package.
openscap component
- The openscap-perl subpackage has been removed from openscap.
Chapter 4. Technology Previews
4.1. Storage and File Systems
- Cross Realm Kerberos Trust Functionality for samba4 Libraries
- The Cross Realm Kerberos Trust functionality provided by Identity Management, which relies on the capabilities of the samba4 client library, is included as a Technology Preview starting with Red Hat Enterprise Linux 6.4. This functionality uses the libndr-nbt library to prepare Connection-less Lightweight Directory Access Protocol (CLDAP) messages.
  Package: samba-3.6.9-151
- Open multicast ping (Omping), BZ#657370
- Open Multicast Ping (Omping) is a tool to test the IP multicast functionality, primarily in the local network. This utility allows users to test IP multicast functionality and assists in diagnosing whether an issue is in the network configuration or elsewhere (that is, a bug). In Red Hat Enterprise Linux 6, Omping is provided as a Technology Preview.
  Package: omping-0.0.4-1
- System Information Gatherer and Reporter (SIGAR)
- The System Information Gatherer and Reporter (SIGAR) is a library and command-line tool for accessing operating system and hardware level information across multiple platforms and programming languages. In Red Hat Enterprise Linux 6.4, SIGAR is considered a Technology Preview package.
  Package: sigar-1.6.5-0.4.git58097d9
- fsfreeze
- Red Hat Enterprise Linux 6 includes fsfreeze as a Technology Preview. fsfreeze is a new command that halts access to a file system on a disk. fsfreeze is designed to be used with hardware RAID devices, assisting in the creation of volume snapshots. For more details on the fsfreeze utility, refer to the fsfreeze(8) man page.
  Package: util-linux-ng-2.17.2-12.9
- DIF/DIX support
- DIF/DIX is a new addition to the SCSI Standard and a Technology Preview in Red Hat Enterprise Linux 6. DIF/DIX increases the size of the commonly used 512-byte disk block from 512 to 520 bytes, adding the Data Integrity Field (DIF). The DIF stores a checksum value for the data block that is calculated by the Host Bus Adapter (HBA) when a write occurs. The storage device then confirms the checksum on receive, and stores both the data and the checksum. Conversely, when a read occurs, the checksum can be checked by the storage device, and by the receiving HBA. The DIF/DIX hardware checksum feature must only be used with applications that exclusively issue O_DIRECT I/O. These applications may use the raw block device, or the XFS file system in O_DIRECT mode. (XFS is the only file system that does not fall back to buffered I/O when doing certain allocation operations.) Only applications designed for use with O_DIRECT I/O and DIF/DIX hardware should enable this feature. For more information, refer to the section Block Devices with DIF/DIX Enabled in the Storage Administration Guide.
  Package: kernel-2.6.32-358
- Filesystem in user space
- Filesystem in Userspace (FUSE) allows custom file systems to be developed and run in user space.
  Package: fuse-2.8.3-4
- Btrfs, BZ#614121
- Btrfs is under development as a file system capable of addressing and managing more files, larger files, and larger volumes than the ext2, ext3, and ext4 file systems. Btrfs is designed to make the file system tolerant of errors, and to facilitate the detection and repair of errors when they occur. It uses checksums to ensure the validity of data and metadata, and maintains snapshots of the file system that can be used for backup or repair. The Btrfs Technology Preview is only available on AMD64 and Intel 64 architectures.
  Warning
  Red Hat Enterprise Linux 6 includes Btrfs as a technology preview to allow you to experiment with this file system. You should not choose Btrfs for partitions that will contain valuable data or that are essential for the operation of important systems.
  Package: btrfs-progs-0.20-0.2.git91d9eec
- LVM Application Programming Interface (API)
- Red Hat Enterprise Linux 6 features the new LVM application programming interface (API) as a Technology Preview. This API is used to query and control certain aspects of LVM.
  Package: lvm2-2.02.98-9
- FS-Cache
- FS-Cache in Red Hat Enterprise Linux 6 enables networked file systems (for example, NFS) to have a persistent cache of data on the client machine.
  Package: cachefilesd-0.10.2-1
- eCryptfs File System
- eCryptfs is a stacked, cryptographic file system. It is transparent to the underlying file system and provides per-file granularity. eCryptfs is provided as a Technology Preview in Red Hat Enterprise Linux 6.
  Package: ecryptfs-utils-82-6
4.2. Networking
- linuxptp
- The linuxptp package, included in Red Hat Enterprise Linux 6.4 as a Technology Preview, is an implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux. The dual design goals are to provide a robust implementation of the standard and to use the most relevant and modern Application Programming Interfaces (API) offered by the Linux kernel. Supporting legacy APIs and other platforms is not a goal.
  Package: linuxptp-0-0.6.20121114gite6bbbb
- PTP support in kernel drivers
- PTP support has been added as a Technology Preview to the ixgbe, igb, and tg3 kernel drivers.
  Packages: kernel-2.6.32-335
- QFQ queuing discipline
- In Red Hat Enterprise Linux 6, the tc utility has been updated to work with the Quick Fair Scheduler (QFQ) kernel features. Users can now take advantage of the new QFQ traffic queuing discipline from userspace. This feature is considered a Technology Preview.
  Package: kernel-2.6.32-358
- vios-proxy, BZ#721119
- vios-proxy is a stream-socket proxy for providing connectivity between a client on a virtual guest and a server on a Hypervisor host. Communication occurs over virtio-serial links.
  Package: vios-proxy-0.1-1
- IPv6 support in IPVS
- The IPv6 support in IPVS (IP Virtual Server) is considered a Technology Preview.
  Package: kernel-2.6.32-358
4.3. Clustering and High Availability
- pcs
- The pcs package has been added to Red Hat Enterprise Linux 6 as a Technology Preview. This package provides a command-line tool to configure and manage the corosync and pacemaker utilities.
  Package: pcs-0.9.26-10
- luci support for fence_sanlock
- The luci tool now supports the Sanlock fence agent as a Technology Preview; it is available in luci's list of agents.
  Package: luci-0.26.0-37
- Recovering a node via a hardware watchdog device
- The new fence_sanlock agent and checkquorum.wdmd, included in Red Hat Enterprise Linux 6.4 as a Technology Preview, provide new mechanisms to trigger the recovery of a node via a hardware watchdog device. Tutorials on how to enable this Technology Preview will be available at https://fedorahosted.org/cluster/wiki/HomePage. Note that SELinux in enforcing mode is currently not supported.
  Package: cluster-3.0.12.1-49
- keepalived
- Red Hat Enterprise Linux 6.4 includes the keepalived package as a Technology Preview. The keepalived package provides simple and robust facilities for load-balancing and high-availability. The load-balancing framework relies on the well-known and widely used Linux Virtual Server kernel module providing Layer 4 network load-balancing. The keepalived daemon implements a set of health checkers that maintain load-balanced server pools according to their state. The keepalived daemon also implements the Virtual Router Redundancy Protocol (VRRP), allowing router or director failover to achieve high availability.
  Package: keepalived-1.2.7-3
- HAProxy
- HAProxy is a stand-alone, layer-7, high-performance network load balancer for TCP and HTTP-based applications which can perform various types of scheduling based on the content of the HTTP requests. Red Hat Enterprise Linux 6.4 introduces the haproxy package as a Technology Preview.
  Package: haproxy-1.4.22-3
- libqb package
- The libqb package provides a library whose primary purpose is to provide high-performance, reusable client-server features, such as high-performance logging, tracing, inter-process communication, and polling. This package is introduced as a dependency of the pacemaker package, and is considered a Technology Preview.
  Package: libqb-0.14.2-3
- pacemaker, BZ#456895
- Pacemaker, a scalable high-availability cluster resource manager, is included in Red Hat Enterprise Linux 6 as a Technology Preview. Pacemaker is not fully integrated with the Red Hat cluster stack.
  Package: pacemaker-1.1.8-7
4.4. Authentication
- Simultaneous maintenance of TGTs for multiple KDCs
- Kerberos version 1.10 added a new cache storage type, DIR:, which allows Kerberos to maintain Ticket Granting Tickets (TGTs) for multiple Key Distribution Centers (KDCs) simultaneously and auto-select between them when negotiating with Kerberized resources. In Red Hat Enterprise Linux 6.4, SSSD has been enhanced to allow you to select the DIR: cache for users that are logging in via SSSD. This feature is introduced as a Technology Preview.
  Package: sssd-1.9.2-82
4.5. Security
- TPM
- TPM (Trusted Platform Module) hardware can create, store and use RSA keys securely (without ever being exposed in memory), verify a platform's software state using cryptographic hashes, and more. The trousers and tpm-tools packages are considered a Technology Preview.
  Packages: trousers-0.3.4-4, tpm-tools-1.3.4-2
4.6. Devices
- mpt2sas lockless mode
- The mpt2sas driver is fully supported. However, when used in lockless mode, the driver is a Technology Preview.
  Package: kernel-2.6.32-358
4.7. Kernel
- Thin-provisioning and scalable snapshot capabilities
- The
dm-thinp
targets,thin
andthin-pool
, provide a device mapper device with thin-provisioning and scalable snapshot capabilities. This feature is available as a Technology Preview.Package: kernel-2.6.32-358 - Kernel Media support
- The following features are presented as Technology Previews:
- The latest upstream video4linux
- Digital video broadcasting
- Primarily infrared remote control device support
- Various webcam support fixes and improvements
Package: kernel-2.6.32-358 - Remote audit logging
- The audit package contains the user space utilities for storing and searching the audit records generated by the
audit
subsystem in the Linux 2.6 kernel. Within the audispd-plugins sub-package is a utility that allows for the transmission of audit events to a remote aggregating machine. This remote audit logging application, audisp-remote, is considered a Technology Preview in Red Hat Enterprise Linux 6.Package: audispd-plugins-2.2-2 - Linux (NameSpace) Container [LXC]
- Linux containers provide a flexible approach to application runtime containment on bare-metal systems without the need to fully virtualize the workload. Red Hat Enterprise Linux 6 provides application level containers to separate and control the application resource usage policies via cgroups and namespaces. This release includes basic management of container life-cycle by allowing creation, editing and deletion of containers via the libvirt API and the virt-manager GUI. Linux Containers are a Technology Preview.Packages: libvirt-0.9.10-21, virt-manager-0.9.0-14
- Diagnostic pulse for the fence_ipmilan agent, BZ#655764
- A diagnostic pulse can now be issued on the IPMI interface using the fence_ipmilan agent. This new Technology Preview is used to force a kernel dump of a host if the host is configured to do so. Note that this feature is not a substitute for the off operation in a production cluster. Package: fence-agents-3.1.5-25
4.8. Virtualization
- Performance monitoring in KVM guests, BZ#645365
- KVM can now virtualize a performance monitoring unit (vPMU) to allow virtual machines to use performance monitoring. Note that the -cpu flag must be set when using this feature. With this feature, Red Hat virtualization customers running Red Hat Enterprise Linux 6 guests can use the CPU's PMU counters with the perf tool for profiling. The virtual performance monitoring unit allows virtual machine users to identify sources of performance problems in their guests, thereby improving the ability to profile a KVM guest from the host. This feature is a Technology Preview in Red Hat Enterprise Linux 6.4. Package: kernel-2.6.32-358
- Dynamic virtual CPU allocation
- KVM now supports dynamic virtual CPU allocation, also called vCPU hot plug, so that administrators can manage capacity dynamically and react to unexpected load increases on their platforms. The virtual CPU hot-plugging feature gives system administrators the ability to adjust the CPU resources of a guest while it runs. Because a guest no longer has to be taken offline to adjust its CPU resources, the availability of the guest is increased. This feature is a Technology Preview in Red Hat Enterprise Linux 6.4. Currently, only the vCPU hot-add functionality works; vCPU hot-unplug is not yet implemented. Package: qemu-kvm-0.12.1.2-2.355
- System monitoring via SNMP, BZ#642556
- This feature provides KVM support for stable technology that is already used in data centers with bare-metal systems. SNMP is the standard for monitoring and is extremely well understood as well as computationally efficient. System monitoring via SNMP in Red Hat Enterprise Linux 6 allows KVM hosts to send SNMP traps on events, so that hypervisor events can be communicated to the user via the standard SNMP protocol. This feature is provided through the addition of a new package, libvirt-snmp, and is a Technology Preview. Package: libvirt-snmp-0.0.2-3
- Wire speed requirement in KVM network drivers
- Virtualization and cloud products that run networking workloads need to run at wire speed. Until Red Hat Enterprise Linux 6.1, the only way to reach wire speed on a 10 Gb Ethernet NIC with lower CPU utilization was to use PCI device assignment (passthrough), which limits other features such as memory overcommit and guest migration. The macvtap/vhost zero-copy capabilities allow the user to keep those features when high performance is required. This feature improves performance for any Red Hat Enterprise Linux 6.x guest in the VEPA use case. This feature is introduced as a Technology Preview. Package: qemu-kvm-0.12.1.2-2.355
Chapter 5. Known Issues
5.1. Installation
- anaconda component, BZ#895982 - A physical-extent size of less than 32MB on top of an MD physical volume leads to problems with calculating the capacity of a volume group. To work around this problem, use a physical-extent size of 32MB, or leave free space equal to double the physical-extent size when allocating logical volumes. Another option is to change the default 4MB physical-extent size to 32MB.
- anaconda component, BZ#875644 - After upgrading the system using kickstart, IBM System z machines halt instead of rebooting, despite the instruction to reboot. To work around this problem, boot the system manually.
- anaconda component - Setting the qla4xxx parameter ql4xdisablesysfsboot to 1 may cause boot-from-SAN failures.
- anaconda component - To automatically create an appropriate partition table on disks that are uninitialized or contain unrecognized formatting, use the zerombr kickstart command. The --initlabel option of the clearpart command is not intended to serve this purpose.
- anaconda component, BZ#676025 - Users performing an upgrade using Anaconda's text mode interface who do not have a boot loader already installed on the system, or who have a non-GRUB boot loader, need to select Skip Boot Loader Configuration during the installation process. Boot loader configuration will need to be completed manually after installation. This problem does not affect users running Anaconda in graphical mode (graphical mode also includes VNC connectivity mode).
- anaconda component - On s390x systems, you cannot use automatic partitioning and encryption together. If you want to use storage encryption, you must perform custom partitioning. Do not place the /boot volume on an encrypted volume.
- anaconda component - The order of device names assigned to USB attached storage devices is not guaranteed. Certain USB attached storage devices may take longer to initialize than others, which can result in a device receiving a different name than you expect (for example, sdc instead of sda). During installation, verify the storage device size, name, and type when configuring partitions and file systems.
- kernel component - Recent Red Hat Enterprise Linux 6 releases use a new naming scheme for network interfaces on some machines. As a result, the installer may use different names during an upgrade in certain scenarios (typically em1 is used instead of eth0 on new Dell machines). However, the previously used network interface names are preserved on the system and the upgraded system will still use the previously used interfaces. This is not the case for Yum upgrades.
- anaconda component - The kdump default on feature currently depends on Anaconda to insert the crashkernel= parameter into the kernel parameter list in the boot loader's configuration file.
- firstaidkit component - The firstaidkit-plugin-grub package has been removed from Red Hat Enterprise Linux 6.2. As a consequence, in rare cases, the system upgrade operation may fail with unresolved dependencies if the plug-in was installed in a previous version of Red Hat Enterprise Linux. To avoid this problem, remove the firstaidkit-plugin-grub package before upgrading the system. In most cases, however, the system upgrade completes as expected.
- anaconda component, BZ#623261 - In some circumstances, disks that contain a whole-disk format (for example, an LVM Physical Volume populating a whole disk) are not cleared correctly using the clearpart --initlabel kickstart command. Adding the --all switch, as in clearpart --initlabel --all, ensures disks are cleared correctly.
- anaconda component - When installing on the IBM System z architecture, if the installation is being performed over SSH, avoid resizing the terminal window containing the SSH session. If the terminal window is resized during the installation, the installer will exit and the installation will terminate.
- yaboot component, BZ#613929 - The kernel image provided on the CD/DVD is too large for Open Firmware. Consequently, on the POWER architecture, directly booting the kernel image over a network from the CD/DVD is not possible. Instead, use yaboot to boot from a network.
- anaconda component - The Anaconda partition editing interface includes a button labeled Resize. This feature is intended for users wishing to shrink an existing file system and an underlying volume to make room for an installation of a new system. Users performing manual partitioning cannot use the Resize button to change sizes of partitions as they create them. If you determine that a partition needs to be larger than you initially created it, you must delete the first one in the partitioning editor and create a new one with the larger size.
- system-config-kickstart component - Channel IDs (read, write, data) for network devices are required for defining and configuring network devices on IBM S/390 systems. However, system-config-kickstart, the graphical user interface for generating a kickstart configuration, cannot define channel IDs for a network device. To work around this issue, manually edit the kickstart configuration that system-config-kickstart generates to include the desired network devices.
5.2. Entitlement
- subscription-manager component - When firstboot is running in text mode, the user can only register via Red Hat Network Register, not with subscription-manager. Both are available in GUI mode.
- subscription-manager component - If multiple repositories are enabled, subscription-manager installs product certificates from all repositories instead of installing the product certificate only from the repository from which the RPM package was installed.
- subscription-manager component - firstboot fails to provide Red Hat Network registration to a virtual machine in a NAT-based network, for example in the libvirt environment. Note that this problem only occurs during the first boot after installation. If you run firstboot manually later, the registration finishes successfully.
5.3. Deployment
- 389-ds-base component, BZ#878111 - The ns-slapd utility terminates unexpectedly if it cannot rename the dirsrv-<instance> log files in the /var/log/ directory due to incorrect permissions on the directory.
- cpuspeed component, BZ#626893 - Some HP ProLiant servers may report incorrect CPU frequency values in /proc/cpuinfo or /sys/devices/system/cpu/*/cpufreq. This is due to the firmware manipulating the CPU frequency without providing any notification to the operating system. To avoid this, ensure that the HP Power Regulator option in the BIOS is set to OS Control. An alternative available on more recent systems is to set Collaborative Power Control to Enabled.
- releng component, BZ#644778 - Some packages in the Optional repositories on RHN have multilib file conflicts. Consequently, these packages cannot have both the primary architecture (for example, x86_64) and secondary architecture (for example, i686) copies installed on the same machine simultaneously. To work around this issue, install only one copy of the conflicting package.
- grub component, BZ#695951 - On certain UEFI-based systems, you may need to type BOOTX64 rather than bootx64 to boot the installer due to case sensitivity issues.
- grub component, BZ#698708 - When rebuilding the grub package on the x86_64 architecture, the glibc-static.i686 package must be used. Using the glibc-static.x86_64 package will not meet the build requirements.
5.4. Virtualization
- qemu-kvm component, BZ#1159613 - If a virtio device is created with the number of vectors set to a value higher than 32, the device behaves as if it were set to zero on Red Hat Enterprise Linux 6, but not on Red Hat Enterprise Linux 7. The resulting vector setting mismatch causes a migration error if the number of vectors on any virtio device on either platform is set to 33 or higher. It is therefore not recommended to set the vectors value to greater than 32.
- kernel component - In Red Hat Enterprise Linux 6.4, if Large Receive Offload (LRO) is enabled with the macvtap driver, a kernel panic can occur on the host machine. This problem was observed on machines using Broadcom, QLogic and Intel cards. To work around the problem, disable LRO on the affected interface by running ethtool -K <interface> lro off.
- kernel component - There is a known issue with the Microsoft Hyper-V host. If a legacy network interface controller (NIC) is used on a multiple-CPU virtual machine, there is an interrupt problem in the emulated hardware when the IRQ balancing daemon is running. Call trace information is logged in the /var/log/messages file.
- libvirt component, BZ#888635 - Under certain circumstances, virtual machines try to boot from an incorrect device after a network boot failure. For more information, refer to the corresponding article on the Customer Portal.
- qemu-kvm component, BZ#894277 - "Fast startup" used in Microsoft Windows 8 is not fully compatible with qemu-kvm in Red Hat Enterprise Linux 6. Windows 8 can therefore fail to boot the second time after its shutdown. To ensure successful boot of Windows 8 inside qemu-kvm, disable Windows 8 "fast startup".
- numad component, BZ#872524 - If numad is run on a system with a task that has very large resident memory (>= 50% of total system memory), the numad-initiated NUMA page migrations for that task can cause swapping. The swapping can then induce long latencies for the system. An example is running a 256GB Microsoft Windows KVM virtual machine on a 512GB host. The Windows guest faults in all pages on boot in order to zero them. On a four-node system, numad will detect that a 256GB task can fit in a subset of two or three nodes, and then attempt to migrate it to that subset. Swapping can then occur and lead to latencies. These latencies may then cause the Windows guest to hang, as timing requirements are no longer met. Therefore, on a system with only one or two very large Windows machines, it is recommended to disable numad. Note that this problem is specific to Windows 2012 guests that use more memory than exists in a single node. Windows 2012 guests appear to allocate memory more gradually than other Windows guest types, which triggers the issue. Other varieties of Windows guests do not seem to experience this problem. You can work around this problem by:
- limiting Windows 2012 guests to less memory than exists in a given node; so on a typical 4-node system with even memory distribution, the guest would need to be less than the total amount of system memory divided by 4; or
- allowing the Windows 2012 guest to finish allocating all of its memory before allowing numad to run. numad will handle extremely large Windows 2012 guests correctly after allowing a few minutes for the guest to finish allocating all of its memory.
- grubby component, BZ#893390 - When a Red Hat Enterprise Linux 6.4 guest updates the kernel and then the guest is turned off through Microsoft Hyper-V Manager, the guest fails to boot due to incomplete grub information. This is because the data is not synced properly to disk when the machine is turned off through Hyper-V Manager. To work around this problem, execute the sync command before turning the guest off.
- kernel component - Using the mouse scroll wheel does not work on Red Hat Enterprise Linux 6.4 guests that run under Microsoft Hyper-V Manager installed on a physical machine. However, the scroll wheel works as expected when the vncviewer utility is used.
- kernel component, BZ#874406 - Microsoft Windows Server 2012 guests using the e1000 driver can become unresponsive, consuming 100% CPU during reboot.
- kernel component - When a kernel panic is triggered on a Microsoft Hyper-V guest, the kdump utility does not capture the kernel error information; an error is only displayed on the command line.
- kernel component - Due to a bug in Microsoft Hyper-V Server 2008 R2, attempting to remove and then reload the hv_utils module on a Hyper-V guest running Red Hat Enterprise Linux 6.4 will cause a shutdown and the heartbeat service to stop working. To work around this issue, upgrade the host system to Microsoft Hyper-V Server 2012.
- qemu-kvm component, BZ#871265 - AMD Opteron G1, G2 or G3 CPU models on qemu-kvm use the family and model values family=15 and model=6. If these values are larger than 20, the lahf_lm CPU feature is ignored by Linux guests, even when the feature is enabled. To work around this problem, use a different CPU model, for example AMD Opteron G4.
- qemu-kvm component, BZ#860929 - KVM guests must not be allowed to update the host CPU microcode. KVM does not allow this and instead always returns the same microcode revision or patch level value to the guest. If the guest tries to update the CPU microcode, it will fail and show an error message similar to:
    CPU0: update failed (for patch_level=0x6000624)
  To work around this, configure the guest not to install CPU microcode updates; for example, uninstall the microcode_ctl package on Red Hat Enterprise Linux or Fedora guests.
- virt-p2v component, BZ#816930 - Converting a physical server running either Red Hat Enterprise Linux 4 or Red Hat Enterprise Linux 5 which has its file system root on an MD device is not supported. Converting such a server results in a guest which fails to boot. Note that conversion of a Red Hat Enterprise Linux 6 server which has its root on an MD device is supported.
- virt-p2v component, BZ#808820 - When converting a physical host with multipath storage, Virt-P2V presents all available paths for conversion. Only a single path must be selected, and it must be a currently active path.
- virtio-win component, BZ#615928 - The balloon service on Windows 7 guests can only be started by the Administrator user.
- libvirt component, BZ#622649 - libvirt uses transient iptables rules for managing NAT or bridging to virtual machine guests. Any external command that reloads the iptables state (such as running system-config-firewall) overwrites the entries needed by libvirt. Consequently, after running any command or tool that changes the state of iptables, guests may lose access to the network. To work around this issue, use the service libvirtd reload command to restore libvirt's additional iptables rules.
- virtio-win component, BZ#612801 - A Windows virtual machine must be restarted after the installation of the kernel Windows driver framework. If the virtual machine is not restarted, it may crash when a memory balloon operation is performed.
- qemu-kvm component, BZ#720597 - Installation of Windows 7 Ultimate x86 (32-bit) Service Pack 1 on a guest with more than 4GB of RAM and more than one CPU from a DVD medium often crashes during the final steps of the installation process due to a system hang. To work around this issue, use the Windows Update utility to install the Service Pack.
- qemu-kvm component, BZ#612788 - A dual-function Intel 82576 Gigabit Ethernet Controller interface (codename: Kawela, PCI Vendor/Device ID: 8086:10c9) cannot have both physical functions (PFs) device-assigned to a Windows 2008 guest. Either physical function can be device-assigned to a Windows 2008 guest (PCI function 0 or function 1), but not both.
- virt-v2v component, BZ#618091 - The virt-v2v utility is able to convert guests running on an ESX server. However, if an ESX guest has a disk with a snapshot, the snapshot must be on the same datastore as the underlying disk storage. If the snapshot and the underlying storage are on different datastores, virt-v2v will report a 404 error while trying to retrieve the storage.
- virt-v2v component, BZ#678232 - The VMware Tools application on Microsoft Windows is unable to disable itself when it detects that it is no longer running on a VMware platform. Consequently, converting a Microsoft Windows guest from VMware ESX which has VMware Tools installed will result in errors. These errors usually manifest as error messages on start-up, and a "Stop Error" (also known as a BSOD) when shutting down the guest. To work around this issue, uninstall VMware Tools on Microsoft Windows guests prior to conversion.
5.5. Storage and File Systems
- anaconda component - In UEFI mode, when creating a partition for software RAID, anaconda can be unable to allocate the /boot/efi mount point to the software RAID partition and fails with the "have not created /boot/efi" message in such a scenario.
- Driver Update Disk component, BZ#904945 - The hpsa driver installed from the AMD64 and Intel 64 Driver Update Program ISO might not be loaded properly on Red Hat Enterprise Linux 6.3. Consequently, the system can become unresponsive. To work around this problem, use the pci=nomsi kernel parameter before installing the driver from the ISO.
- kernel component, BZ#918647 - Thin provisioning uses reference counts to indicate that data is shared between a thin volume and snapshots of the thin volume. There is a known issue with the way reference counts are managed when a discard is issued to a thin volume that has snapshots. Creating snapshots of a thin volume and then issuing discards to the thin volume can therefore result in data loss in the snapshot volumes. Users are strongly encouraged to disable discard support on the thin pool for the time being. To do so using lvm2 while the pool is offline, use the lvchange --discards ignore <pool> command. Any discards that might be issued to thin volumes will then be ignored.
- kernel component - Storage that reports a discard_granularity that is not a power of two will cause the kernel to improperly issue discard requests to the underlying storage. This results in I/O errors associated with the failed discard requests. To work around the problem, if possible, do not upgrade to newer vendor storage firmware that reports a discard_granularity that is not a power of two.
- parted component - Users might be unable to access a partition created by parted. To work around this problem, reboot the machine.
- lvm2 component, BZ#852812 - When filling a thin pool to 100% by writing to a thin volume device, access to all thin volumes using this thin pool can be blocked. To prevent this, try not to overfill the pool. If the pool is overfilled and this error occurs, extend the thin pool with new space to continue using the pool.
- dracut component - The QLogic QLA2xxx driver can miss some paths after booting from a Storage Area Network (SAN). To work around this problem, run the following commands:
    echo "options qla2xxx ql2xasynclogin=0" > /etc/modprobe.d/qla2xxx.conf
    mkinitrd /boot/initramfs-`uname -r`.img `uname -r` --force
- lvm2 component, BZ#903411 - Activating a logical volume can fail if the --thinpool and --discards options are specified on logical-volume creation. To work around this problem, manually deactivate all thin volumes related to the changed thin pool prior to running the lvchange command.
- kernel component - Unloading the nfs module can cause the system to terminate unexpectedly if the fsx utility was run with NFSv4.1 beforehand.
- kernel component - Due to a bug in the CIFS mount code, it is not possible to mount Distributed File System (DFS) shares in Red Hat Enterprise Linux 6.4.
- device-mapper-multipath component - When the multipathd service is not running, failed devices will not be restored. However, the multipath command gives no indication that multipathd is not running. Users can unknowingly set up multipath devices without starting the multipathd service, keeping failed paths from automatically getting restored. Make sure to start multipathing by either running:
    ~]# mpathconf --enable
    ~]# service multipathd start
  or:
    ~]# chkconfig multipathd on
    ~]# service multipathd start
  multipathd will then automatically start on boot, and multipath devices will automatically restore failed paths.
- lvm2 component, BZ#837603 - When the administrator disables use of the lvmetad daemon in the lvm.conf file, but the daemon is still running, the cached metadata are remembered until the daemon is restarted. However, if the use_lvmetad parameter in lvm.conf is reset to 1 without an intervening lvmetad restart, the cached metadata can be incorrect. Consequently, VG metadata can be overwritten with previous versions. To work around this problem, stop the lvmetad daemon manually when disabling use_lvmetad in lvm.conf. The daemon can only be restarted after use_lvmetad has been set to 1. To recover from an out-of-sync lvmetad cache, execute the pvscan --cache command or restart lvmetad. To restore metadata to correct versions, use vgcfgrestore with a corresponding file in /etc/lvm/archive.
- lvm2 component, BZ#563927 - Due to the limitations of the LVM 'mirror' segment type, it is possible to encounter a deadlock situation when snapshots are created of mirrors. The deadlock can occur if snapshot changes (e.g. creation, resizing or removing) happen at the same time as a mirror device failure. In this case, the mirror blocks I/O until LVM can respond to the failure, but the snapshot is holding the LVM lock while trying to read the mirror. If the user wishes to use mirroring and take snapshots of those mirrors, then it is recommended to use the 'raid1' segment type for the mirrored logical volume instead. This can be done by adding the additional arguments '--type raid1' to the command that creates the mirrored logical volume, as follows:
    ~]$ lvcreate --type raid1 -m 1 -L 1G -n my_mirror my_vg
- kernel component, BZ#606260 - The NFSv4 server in Red Hat Enterprise Linux 6 currently allows clients to mount using UDP and advertises NFSv4 over UDP with rpcbind. However, this configuration is not supported by Red Hat and violates the RFC 3530 standard.
- lvm2 component - The pvmove command cannot currently be used to move mirror devices. However, it is possible to move mirror devices by issuing a sequence of two commands. For mirror images, add a new image on the destination PV and then remove the mirror image on the source PV:
    ~]$ lvconvert -m +1 <vg/lv> <new PV>
    ~]$ lvconvert -m -1 <vg/lv> <old PV>
  Mirror logs can be handled in a similar fashion:
    ~]$ lvconvert --mirrorlog core <vg/lv>
    ~]$ lvconvert --mirrorlog disk <vg/lv> <new PV>
  or:
    ~]$ lvconvert --mirrorlog mirrored <vg/lv> <new PV>
    ~]$ lvconvert --mirrorlog disk <vg/lv> <old PV>
5.6. Networking
- samba4 component, BZ#878168 - If configured, the Active Directory (AD) DNS server returns IPv4 and IPv6 addresses of an AD server. If the FreeIPA server cannot connect to the AD server with an IPv6 address, running the ipa trust-add command fails even if it would be possible to use IPv4. To work around this problem, add the IPv4 address of the AD server to the /etc/hosts file. In this case, the FreeIPA server will use only the IPv4 address and executing ipa trust-add will succeed.
- kernel component - Destroying the root port before any NPIV ports can cause unexpected system behavior, including a full system crash. Note that one instance where the root port is destroyed before the NPIV ports is when the system is shut down. To work around this problem, destroy NPIV ports before destroying the root port that the NPIV ports were created on. This means that for each created NPIV port, the user should write to the sysfs vport_delete interface to delete that NPIV port. This should be done before the root port is destroyed. Users are advised to script the NPIV port deletion and configure the system such that the script is executed before the fcoe service is stopped in the shutdown sequence.
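The deletion script the item above recommends, as an added example that is not part of the Technical Notes. It uses the per-vport vport_delete attribute under /sys/class/fc_vports (the fc transport ignores the value written, so 1 is conventional); the alternative is writing wwpn:wwnn to the parent host's /sys/class/fc_host/hostN/vport_delete. SYSFS is overridable so the logic can be checked against a fake tree; the vport names and WWPNs used in the test are constructed.

```sh
#!/bin/sh
# Added example, not from the Technical Notes: delete every NPIV virtual port
# before the FCoE root port goes away. Run it in the shutdown sequence ahead
# of `service fcoe stop`, e.g. from an init script whose kill priority sorts
# before fcoe's. SYSFS is overridable so the logic can be exercised against a
# fake tree.
SYSFS=${SYSFS:-/sys}

# Print the directory of each NPIV vport (nothing when none exist).
npiv_vports() {
    for v in "$SYSFS"/class/fc_vports/vport-*; do
        [ -d "$v" ] && printf '%s\n' "$v"
    done
    return 0
}

# Delete one vport through its own vport_delete attribute; on a real kernel
# the write blocks until the transport has torn the port down. Prints the
# vport name and WWPN so the shutdown log records what was removed.
npiv_delete_vport() {
    v=$1
    wwpn=$(cat "$v/port_name" 2>/dev/null)
    echo 1 > "$v/vport_delete" || return 1
    printf '%s %s\n' "${v##*/}" "${wwpn:-unknown}"
}

# Delete all vports, highest-numbered first, printing one line per port so
# callers can count or log them.
npiv_delete_all() {
    npiv_vports | sort -r | while read -r v; do
        npiv_delete_vport "$v"
    done
}

# Only touch the live system when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    npiv_delete_all
fi
```

Wire it in as `sh npiv-teardown.sh --run` from a stop script ordered before the fcoe service; if the FCoE root port is already gone when it runs, the vport directories no longer exist and the script exits without doing anything.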
- kernel component - A Linux LIO FCoE target causes the bfa driver to reset all FCoE targets, which might lead to data corruption on the LUN. To avoid these problems, do not use the bfa driver with a Linux FCoE target.
- NetworkManager component, BZ#896198 - A GATEWAY setting in the /etc/sysconfig/network file causes NetworkManager to assign that gateway to all interfaces with static IP addresses, even if their configuration did not specify a gateway or specified a different gateway. Interfaces have the incorrect gateway information and the wrong interface may have the default route. Instead of using GATEWAY in /etc/sysconfig/network to specify which interface receives the default route, set DEFROUTE=no in each ifcfg file that should not have the default route. Any interface connected using configuration from an ifcfg file containing DEFROUTE=no will never receive the default route.
- kernel component - Typically, on platforms with no Intelligent Platform Management Interface (IPMI) hardware the user can see the following message on the boot console and in the dmesg log:
    Could not set up I/O space
  This message can be safely ignored, unless the system really does have IPMI hardware. In that case, the message indicates that the IPMI hardware could not be initialized. In order to support Advanced Configuration and Power Interface (ACPI) opregion access to IPMI functionality early in the boot, the IPMI driver has been statically linked with the kernel image. This means that the IPMI driver is "loaded" whether or not there is any hardware. The IPMI driver will try to initialize the IPMI hardware, but if there is no IPMI hardware present on the booting platform, the driver will print error messages on the console and in the dmesg log. Some of these error messages do not identify themselves as having been issued by the IPMI driver, so they can appear to be serious when they are harmless.
- kernel component - Shutting down the fcoe-target service while Fibre Channel over Ethernet (FCoE) traffic is active can lead to a kernel crash. Please minimize FCoE traffic before stopping or restarting this service.
- fcoe-utils component - After an ixgbe Fibre Channel over Ethernet (FCoE) session is created, a server reboot can cause some or all of the FCoE sessions not to be created automatically. To work around this problem, follow these steps (assuming that eth0 is the missing NIC for the FCoE session):
    ifconfig eth0 down
    ifconfig eth0 up
    sleep 5
    dcbtool sc eth0 dcb on
    sleep 5
    dcbtool sc eth0 pfc e:1 a:1 w:1
    dcbtool sc eth0 app:fcoe e:1 a:1 w:1
    service fcoe restart
- fcoe-target-utils component - Using targetcli to configure the FCoE target will fail with the message Could not create RTSRoot in configFS. To prevent this, ensure that the fcoe-target service is running by executing service fcoe-target start.
- libibverbs component - The InfiniBand UD transport test utility could become unresponsive when the ibv_ud_pingpong command was used with a packet size of 2048 or greater. UD is limited to no more than the smallest MTU of any point in the path between point A and B, which is between 0 and 4096 given that the largest MTU supported (but not the smallest nor required) is 4096. If the underlying Ethernet is jumbo frame capable, and with a 4096 IB MTU on an RoCE device, the maximum packet size that can be used with UD is 4012 bytes.
- bind-dyndb-ldap component - IPA creates a new DNS zone in two separate steps. When the new zone is created, it is invalid for a short period of time. A/AAAA records for the name server belonging to the new zone are created after this delay. Sometimes, BIND attempts to load this invalid zone and fails. In such a case, reload BIND by running either rndc reload or service named restart.
- selinux-policy component - SELinux can prevent the nmbd service from writing into the /var/ directory, which breaks NetBIOS name resolution and leads to SELinux AVC denials.
- kernel component - If multiple DHCP6 servers are configured on multiple VLANs, for example two DHCP6 servers on VLAN1 and VLAN3, the bna driver NIC does not set up a VLAN interface but can get the VLAN3 IPv6 address.
- kernel component - The latest version of the sfc NIC dri ver causes lower UDP and TX performance with large amounts of fragmented UDP packets. This problem can be avoided by setting a constant interrupt moderation period (not adaptive moderation) on both the sending and receiving sides.
- kernel component - When IPv6 is administratively disabled via the disable=1 module parameter, all of the IPv6 protocol handlers are disabled. This includes any offload handlers that support TSO/GSO. The lack of handlers results in the host dropping any TSO/GSO IPv6 packets it may receive from the guest. This can cause retransmission and throughput problems on the guest. If you want to disable IPv6 support on the host administratively while enabling and providing IPv6 support to the guest without incurring a performance penalty:
- set the disable_ipv6 module parameter to 1
- or use the following sysctl entries:
- net.ipv6.conf.all.disable_ipv6 = 1
- net.ipv6.conf.default.disable_ipv6 = 1
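An added example, not from the Technical Notes, that finds the problematic ipv6 disable=1 line in /etc/modprobe.d and rewrites it to the disable_ipv6=1 form the item recommends, which keeps the protocol handlers loaded. MODPROBE_D is overridable so the check can run against a scratch directory; the modprobe.d contents used in the test are constructed.

```sh
#!/bin/sh
# Added example, not from the Technical Notes: tell apart the two ways of
# "disabling IPv6" on a KVM host. `options ipv6 disable=1` unregisters the
# protocol handlers (including the TSO/GSO offload handlers), so the host
# drops IPv6 TSO/GSO frames coming from guests; `disable_ipv6=1` keeps the
# handlers and only withholds IPv6 addresses from the host's interfaces.
MODPROBE_D=${MODPROBE_D:-/etc/modprobe.d}

# Matches "options ipv6 ... disable=1" but not "disable_ipv6=1".
IPV6_HARD_DISABLE_RE='^[[:space:]]*options[[:space:]]+ipv6[[:space:]]+(.*[[:space:]])?disable=1([[:space:]]|$)'

# Print "file:line:text" for every hard-disable line; return 1 if any found.
ipv6_find_hard_disable() {
    found=0
    for f in "$MODPROBE_D"/*.conf; do
        [ -f "$f" ] || continue
        if grep -q -E "$IPV6_HARD_DISABLE_RE" "$f"; then
            grep -n -E "$IPV6_HARD_DISABLE_RE" "$f" | sed "s|^|$f:|"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Print the file with disable=1 replaced by disable_ipv6=1 on ipv6 option
# lines only; redirect to a new file and install it after review.
ipv6_soften_conf() {
    sed -E '/^[[:space:]]*options[[:space:]]+ipv6[[:space:]]/ s/([[:space:]])disable=1([[:space:]]|$)/\1disable_ipv6=1\2/' "$1"
}

# The equivalent runtime settings for hosts that prefer sysctl over a module
# option; append to /etc/sysctl.conf and apply with `sysctl -p`.
ipv6_soft_disable_sysctl() {
    printf 'net.ipv6.conf.all.disable_ipv6 = 1\n'
    printf 'net.ipv6.conf.default.disable_ipv6 = 1\n'
}
```

Either form takes effect for the ipv6 module only at the next load (reboot), so after changing the file confirm with `modinfo -p ipv6` that both parameters exist on the running kernel and with `cat /sys/module/ipv6/parameters/disable` what is currently in force.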
- kernel component - Some network interface cards (NICs) may not get an IPv4 address assigned after the system is rebooted. To work around this issue, add the following line to the /etc/sysconfig/network-scripts/ifcfg-<interface> file:
    LINKDELAY=10
- NetworkManager component, BZ#758076 - If a Certificate Authority (CA) certificate is not selected when configuring an 802.1x or WPA-Enterprise connection, a dialog appears indicating that a missing CA certificate is a security risk. This dialog presents two options: ignore the missing CA certificate and proceed with the insecure connection, or choose a CA certificate. If the user elects to choose a CA certificate, this dialog disappears and the user may select the CA certificate in the original configuration dialog.
samba
component- Current Samba versions shipped with Red Hat Enterprise Linux 6.4 are not able to fully control the user and group database when using the
ldapsam_compat
back end. This back end was never designed to run a production LDAP and Samba environment for a long period of time. Theldapsam_compat
back end was created as a tool to ease migration from historical Samba releases (version 2.2.x) to Samba version 3 and greater using the newldapsam
back end and the new LDAP schema. Theldapsam_compat
back end lack various important LDAP attributes and object classes in order to fully provide full user and group management. In particular, it cannot allocate user and group IDs. In the Red Hat Enterprise Linux Reference Guide, it is pointed out that this back end is likely to be deprecated in future releases. Refer to Samba's documentation for instructions on how to migrate existing setups to the new LDAP schema.When you are not able to upgrade to the new LDAP schema (though upgrading is strongly recommended and is the preferred solution), you may work around this issue by keeping a dedicated machine running an older version of Samba (v2.2.x) for the purpose of user account management. Alternatively, you can create user accounts with standard LDIF files. The important part is the assignment of user and group IDs. In that case, the old Samba 2.2 algorithmic mapping from Windows RIDs to Unix IDs is the following: user RID = UID * 2 + 1000, while for groups it is: group RID = GID * 2 + 1001. With these workarounds, users can continue using theldapsam_compat
back end with their existing LDAP setup even when all the above restrictions apply. kernel
component- Because Red Hat Enterprise Linux 6.4 defaults to using Strict Reverse Path filtering, packets are dropped by default when the route for outbound traffic differs from the route of incoming traffic. This is in line with current recommended practice in RFC3704. For more information about this issue please refer to
/usr/share/doc/kernel-doc-<version>/Documentation/networking/ip-sysctl.txt
and https://access.redhat.com/site/solutions/53031.
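The samba note above leaves the administrator to apply the Samba 2.2 RID mapping by hand when writing LDIF entries for the ldapsam_compat back end. The script below is an added example, not Samba's or Red Hat's code: it applies user RID = UID * 2 + 1000 and group RID = GID * 2 + 1001, provides the inverse mapping with a parity check so existing entries can be verified before import (a user RID from this mapping is always even and at least 1000, a group RID always odd and at least 1001), and emits a minimal LDIF entry. The domain SID, base DN, and object class set are assumptions to adapt to the local schema.

```shell
#!/bin/sh
# Added example (not Samba's or Red Hat's code): Samba 2.2 algorithmic RID
# mapping for hand-written LDIF entries, as quoted in the ldapsam_compat note.
#   user RID  = UID * 2 + 1000
#   group RID = GID * 2 + 1001
# Constructed placeholder domain SID, not a real one.
DOMAIN_SID="S-1-5-21-111111111-222222222-333333333"

user_rid()  { echo $(( $1 * 2 + 1000 )); }
group_rid() { echo $(( $1 * 2 + 1001 )); }

# Inverse mapping with a sanity check. Prints the Unix ID; returns 1 when the
# RID cannot have been produced by the mapping (e.g. a RID allocated by some
# other tool), which is exactly the entry to look at before importing it.
rid_to_uid() {
    [ "$1" -ge 1000 ] && [ $(( $1 % 2 )) -eq 0 ] || return 1
    echo $(( ($1 - 1000) / 2 ))
}
rid_to_gid() {
    [ "$1" -ge 1001 ] && [ $(( $1 % 2 )) -eq 1 ] || return 1
    echo $(( ($1 - 1001) / 2 ))
}

# Emit a minimal user entry: name, UID, primary GID.
# Base DN and object classes are assumptions; adjust to the deployed schema.
user_ldif() {
    name=$1; uid=$2; gid=$3
    printf 'dn: uid=%s,ou=People,dc=example,dc=com\n' "$name"
    printf 'objectClass: account\nobjectClass: posixAccount\nobjectClass: sambaSamAccount\n'
    printf 'uid: %s\ncn: %s\nuidNumber: %s\ngidNumber: %s\nhomeDirectory: /home/%s\n' \
        "$name" "$name" "$uid" "$gid" "$name"
    printf 'sambaSID: %s-%s\n' "$DOMAIN_SID" "$(user_rid "$uid")"
    printf 'sambaPrimaryGroupSID: %s-%s\n\n' "$DOMAIN_SID" "$(group_rid "$gid")"
}

# Usage: user_ldif alice 1000 100 | ldapadd -x -D "cn=Manager,dc=example,dc=com" -W
```

Because the back end cannot allocate IDs itself, the parity check is the cheapest way to catch an entry whose RID and uidNumber drift apart; such an entry would map to the wrong Unix identity at access-check time.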
5.7. Clustering
corosync component
- The redundant ring feature of corosync is not fully supported in combination with InfiniBand or Distributed Lock Manager (DLM). A double ring failure can cause both rings to break at the same time on different nodes. In addition, DLM is not functional if ring0 is down.
selinux-policy component
- The fence-sanlock agent does not support SELinux in Enforcing mode at the moment.
lvm2 component, BZ#814779
- Clustered environments are not supported by lvmetad at the moment. If global/use_lvmetad=1 is used together with the global/locking_type=3 configuration setting (clustered locking), the use_lvmetad setting is automatically overridden to 0 and lvmetad is not used in this case at all. Also, the following warning message is displayed:
    WARNING: configuration setting use_lvmetad overriden to 0 due to locking_type 3. Clustered environment not supported by lvmetad yet.
luci component, BZ#615898
- luci will not function with Red Hat Enterprise Linux 5 clusters unless each cluster node has ricci version 0.12.2-14.
5.8. Authentication
ipa component, BZ#894388
- The Identity Management installer configures all integrated services to listen on all interfaces. The administrator has no means to instruct the Identity Management installer to listen only on chosen interfaces, even though the installer requires a valid interface IP address as one installation parameter. To work around this problem, change the service configuration after the Identity Management installation.
ipa component, BZ#894378
- The Identity Management LDAP permission manipulation plugin validates subtree and filter permission specifiers as mutually exclusive even though the combination is valid in the underlying LDAP Access Control Instruction (ACI). Permissions with both filter and subtree specifiers can be neither created nor modified. This affects, for example, the Add Automount Keys permission, which cannot be modified.
ipa component, BZ#817080
- In some cases, the certificates tracked by certmonger are not cleared when running the ipa-server-install --uninstall command. This causes a subsequent re-installation to fail with an unexpected error.
sssd component, BZ#892604
- The ssh_cache utility sets the DEBUG level after it processes the command-line parameters. If the command-line parameters cannot be processed, the utility prints DEBUG lines that are not supposed to be printed by default. To avoid this, correct parameters must be used.
sssd component, BZ#891647
- It is possible to specify the enumerate=true value in the sssd.conf file to access all users in the system. However, using enumerate=true is not recommended in large environments as this can lead to high CPU consumption. As a result, operations like login or logout can be slowed down.
ipa component, BZ#888579
- The Identity Management server processes the Kerberos Password Expiration Time field as a 32-bit integer. If the Maximum Lifetime of a user password in the Identity Management Password Policy is set to a value causing the resulting Kerberos Password Expiration Time timestamp to exceed 32 bits and overflow, the passwords that are being changed are configured with an expiration time that lies in the past and are always rejected. To ensure that new user passwords are valid and can be changed properly, do not set the password Maximum Lifetime in the Identity Management Password Policy to values that would cause the Kerberos Password Expiration Time timestamp to exceed 32 bits; that is, to values under which passwords would expire after 2038-01-19. At the moment, recommended values for the Maximum Lifetime field are numbers lower than 9000 days.
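The 9000-day figure above is a snapshot: the real limit is that a password changed today must expire before the signed 32-bit timestamp wraps, so the safe maximum shrinks by one day every day. The check below is an added example, not part of the Red Hat notes or of the Identity Management code base; it assumes the expiration timestamp is computed as the change time plus the lifetime in days, and that the limit is 2^31 - 1 seconds since the epoch (2038-01-19T03:14:07Z).

```shell
#!/bin/sh
# Added example (not Red Hat's or IPA's code): validate a Password Policy
# "Maximum Lifetime" (days) against the signed 32-bit Kerberos expiration
# timestamp. A password changed at time NOW expires at NOW + DAYS*86400; if
# that exceeds 2^31-1 the stored value wraps and the password is already
# expired when set.
MAX_TIME32=2147483647

# check_max_lifetime DAYS [NOW_EPOCH]
# Prints "ok" or "overflow"; returns 1 on overflow. NOW_EPOCH defaults to the
# current time, so the result for a fixed policy changes as years pass.
check_max_lifetime() {
    days=$1
    now=${2:-$(date +%s)}
    expiry=$(( now + days * 86400 ))
    if [ "$expiry" -gt "$MAX_TIME32" ]; then
        echo overflow
        return 1
    fi
    echo ok
}

# max_safe_days [NOW_EPOCH]
# Largest whole number of days that still fits from the given time.
max_safe_days() {
    now=${1:-$(date +%s)}
    echo $(( (MAX_TIME32 - now) / 86400 ))
}

# Usage: check_max_lifetime 9000 && ipa pwpolicy-mod --maxlife=9000
```

Evaluated at 2013-02-21 (epoch 1361404800, the constructed reference date in the test), 9000 days still fits and 9100 days does not, which is where the "lower than 9000 days" recommendation comes from; run against the current date, max_safe_days reports the figure that actually applies.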
sssd component, BZ#785877
- When reconnecting to an LDAP server, SSSD does not check whether it was re-initialized during the downtime. If the server was re-initialized during the downtime and was filled with completely different data, SSSD does not update its database. As a consequence, the user can get invalid information from SSSD. To work around this problem:
- stop SSSD before reconnecting to the re-initialized server;
- clear the SSSD caches manually before reconnecting;
- start SSSD.
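The three-step workaround above, and the cache file removal that later sssd notes on this page prescribe for the /var/lib/sss/db/cache_<DOMAIN>.ldb file, both come down to clearing the per-domain cache while the daemon is stopped. The script below is an added example and not SSSD's or Red Hat's own tooling: it moves the cache files into a backup directory rather than deleting them, so that cached credentials can be put back if the wrong domain was cleared. The cache file naming matches the sssd notes on this page; the backup location and the sysv service name "sssd" are assumptions.

```shell
#!/bin/sh
# Added example (not SSSD's or Red Hat's tooling): stop / clear cache / start,
# keeping the removed cache files in a backup directory.

# clear_sssd_cache DB_DIR BACKUP_DIR [DOMAIN]
# Moves cache_<DOMAIN>.ldb (all domains when DOMAIN is omitted) out of DB_DIR
# into BACKUP_DIR. Other files such as config.ldb are left alone. Prints the
# number of files moved.
clear_sssd_cache() {
    db_dir=$1; backup=$2; domain=${3:-*}
    mkdir -p "$backup" || return 1
    moved=0
    for f in "$db_dir"/cache_$domain.ldb; do
        [ -e "$f" ] || continue            # glob matched nothing
        mv "$f" "$backup"/ || return 1
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Full workaround on a RHEL 6 host after the LDAP server was re-initialized.
# Assumes the sysv "sssd" service and the default /var/lib/sss/db location;
# the backup directory name is an assumption.
reset_sssd_after_ldap_reinit() {
    service sssd stop || return 1
    clear_sssd_cache /var/lib/sss/db "/var/lib/sss/db.bak.$(date +%Y%m%d%H%M%S)" || return 1
    service sssd start
}
```

Stopping the daemon before touching the .ldb files matters because a running SSSD may hold a transaction open on the cache; moving the file from under it is exactly the kind of inconsistency the libldb note further down this page describes.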
krb5 component
- In environments where entropy is scarce, the kadmind tool can take longer to initialize after startup than it did in previous releases as it attempts to read data from the /dev/random file and seed its internal random number generator (RNG). Clients which attempt to connect to the kadmin service can time out and fail with a GSS-API or Kerberos error. After the service completely finishes initializing itself, it will process messages received from now-disconnected clients and can log clock-skew or decrypt-integrity-check-failed errors for those connections. To work around this problem, use a service such as rngd to seed the system RNG using hardware sources of entropy.
ipa component, BZ#887193
- The Identity Management server in Red Hat Enterprise Linux 6.3 introduced a technical preview of the SELinux user mapping feature, which enables a mapping of SELinux users to users managed by Identity Management based on custom rules. However, the default configured SELinux user (guest_u:s0) used when no custom rule matches is too constraining. An Identity Management user authenticating to Red Hat Enterprise Linux 6.4 can be assigned this too constraining SELinux user, in which case a login through a graphical session always fails. To work around this problem, change the too constraining default SELinux user in the Identity Management server from guest_u:s0 to the more relaxed value unconfined_u:s0-s0:c0.c1023:
    kinit admin
    ipa config-mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023
An unconfined SELinux user will now be assigned to the Identity Management user by default, which allows the user to successfully authenticate through the graphical interface.
ipa component, BZ#761574
- When attempting to view a host in the web UI, the following message can appear:
    Certificate operation cannot be completed: Unable to communicate with CMS (Unauthorized)
Attempting to delete installed certificates through the web UI or command-line interface can fail with the same error message. To work around this problem, run the following command:
    ~]# yum downgrade ipa-server libipa_hbac libipa_hbac-python ipa-python ipa-client ipa-admintools ipa-server-selinux
ipa component, BZ#877324
- After upgrading to Red Hat Identity Manager 2.2, it is not possible to add SSH public keys in the web UI. However, SSH public keys can be added on the command line by running ipa user-mod <user> --sshpubkey.
sssd component, BZ#880150
- Rules with sudoUser specified as +netgroup are always matched with the sssd sudoers plugin.
sssd component
- When ldap_sasl_authid is not configured in the sssd.conf file, SSSD terminates unexpectedly with a segmentation fault. To avoid this problem, ensure that the option is configured.
ipa component
- When upgrading the ipa-server package using anaconda, the following error message is logged in the upgrade.log file:
    /sbin/restorecon: lstat(/var/lib/pki-ca/publish*) failed: No such file or directory
This problem does not occur when using yum.
sssd component
- In the Identity Manager subdomain code, a User Principal Name (UPN) is by default built from the SAM Account Name and the Active Directory trust users, that is, user@DOMAIN. The UPN can be changed to differ from the UPN in Active Directory; however, only the default format, user@DOMAIN, is supported.
sssd component, BZ#805921
- Sometimes, group members may not be visible when running the getent group groupname command. This can be caused by an incorrect ldap_schema in the [domain/DOMAINNAME] section of the sssd.conf file. SSSD supports three LDAP schema types: RFC 2307, RFC 2307bis, and IPA. By default, SSSD uses the more common RFC 2307 schema. The difference between RFC 2307 and RFC 2307bis is the way in which group membership is stored in the LDAP server. In an RFC 2307 server, group members are stored as the multi-valued memberuid attribute, which contains the names of the users that are members. In an RFC 2307bis server, group members are stored as the multi-valued attribute member (or sometimes uniqueMember), which contains the DN of the user or group that is a member of this group. RFC 2307bis allows nested groups to be maintained as well. When encountering this problem:
- add ldap_schema = rfc2307bis in the sssd.conf file,
- delete the /var/lib/sss/db/cache_DOMAINNAME.ldb file,
- and restart SSSD.
If the workaround does not work, add ldap_group_member = uniqueMember in the sssd.conf file, delete the cache file and restart SSSD.
Identity Management component, BZ#826973
- When Identity Management is installed with its CA certificate signed by an external CA, the installation is processed in 2 stages. In the first stage, a CSR is generated to be signed by an external CA. The second stage of the installation then accepts a file with the new signed certificate for the Identity Management CA and a certificate of the external CA. During the second stage of the installation, the signed Identity Management CA certificate subject is validated. However, there is a bug in the certificate subject validation procedure and its default value (O=$REALM, where $REALM is the realm of the new Identity Management installation) is never pulled. Consequently, the second stage of the installation process always fails unless the --subject option is specified. To work around this issue, add the following option for the second stage of the installation:
    --subject "O=$REALM"
where $REALM is the realm of the new Identity Management installation. If a custom subject was used for the first stage of the installation, use its value instead. Using this workaround, the certificate subject validation procedure succeeds and the installation continues as expected.
Identity Management component, BZ#822350
- When a user is migrated from a remote LDAP, the user's entry in the Directory Server does not contain the Kerberos credentials needed for a Kerberos login. When the user visits the password migration page, Kerberos credentials are generated for the user and logging in via Kerberos authentication works as expected. However, Identity Management does not generate the credentials correctly when the migrated password does not follow the password policy set on the Identity Management server. Consequently, when the password migration is done and a user tries to log in via Kerberos authentication, the user is prompted to change the password as it does not follow the password policy, but the password change is never successful and the user is not able to use Kerberos authentication. To work around this issue, an administrator can reset the password of a migrated user with the ipa passwd command. When reset, the user's Kerberos credentials in the Directory Server are properly generated and the user is able to log in using Kerberos authentication.
Identity Management component
- In the Identity Management web UI, deleting a DNS record may, under some circumstances, leave it visible on the page showing DNS records. This is only a display issue and does not affect the functionality of DNS records in any way.
Identity Management component, BZ#790513
- The ipa-client package does not install the policycoreutils package as its dependency, which may cause install/uninstall issues when using the ipa-client-install setup script. To work around this issue, install the policycoreutils package manually:
    ~]# yum install policycoreutils
Identity Management component, BZ#813376
- Updating the Identity Management LDAP configuration via ipa-ldap-updater fails with a traceback error when executed by a non-root user due to the SASL EXTERNAL bind requiring root privileges. To work around this issue, run the aforementioned command as the root user.
Identity Management component, BZ#794882
- With netgroups, when adding a host as a member that Identity Management does not have stored as a host already, that host is considered to be an external host. This host can be controlled with netgroups, but Identity Management has no knowledge of it. Currently, there is no way to use the netgroup-find option to search for external hosts. Also, note that when a host is added to a netgroup as an external host, rather than being added in Identity Management as an external host, that host is not automatically converted within the netgroup rule.
Identity Management component, BZ#786629
- Because a permission does not provide write access to an entry, delegation does not work as expected. The 389 Directory Server (389-ds) distinguishes access between entries and attributes. For example, an entry can be granted add or delete access, whereas an attribute can be granted read, search, and write access. To grant write access to an entry, the list of writable attributes needs to be provided. The filter, subtree, and other options are used to target those entries which are writable. Attributes define which part(s) of those entries are writable. As a result, the list of attributes will be writable to members of the permission.
sssd component, BZ#808063
- The entry for the ldap_disable_paging option in the sssd-ldap man page does not indicate that it accepts the boolean values True or False, defaulting to False if it is not explicitly specified.
Identity Management component, BZ#812127
- Identity Management relies on the LDAP schema to know what type of data to expect in a given attribute. If, in certain situations (such as replication), data that does not meet those expectations is inserted into an attribute, Identity Management will not be able to handle the entry, and LDAP tools have to be used to manually clean up that entry.
Identity Management component, BZ#812122
- Identity Management sudo commands are not case sensitive. For example, executing the following commands will result in the latter one failing due to the case insensitivity:
    ~]$ ipa sudocmd-add /usr/bin/X
    ⋮
    ~]$ ipa sudocmd-add /usr/bin/x
    ipa: ERROR: sudo command with name "/usr/bin/x" already exists
Identity Management component
- When an Identity Management server is installed with a custom hostname that is not resolvable, the ipa-server-install command should add a record to the static hostname lookup table in /etc/hosts and enable further configuration of Identity Management integrated services. However, a record is not added to /etc/hosts when an IP address is passed as a CLI option and not interactively. Consequently, Identity Management installation fails because integrated services that are being configured expect the Identity Management server hostname to be resolvable. To work around this issue, complete one of the following:
- Run ipa-server-install without the --ip-address option and pass the IP address interactively.
- Add a record to /etc/hosts before the installation is started. The record should contain the Identity Management server IP address and its full hostname (the hosts(5) man page specifies the record format).
As a result, the Identity Management server can be installed with a custom hostname that is not resolvable.
sssd component
- Upgrading SSSD from the version provided in Red Hat Enterprise Linux 6.1 to the version shipped with Red Hat Enterprise Linux 6.2 may fail due to a bug in the dependent library libldb. This failure occurs when the SSSD cache contains internal entries whose distinguished name contains the \, character sequence. The most likely example of this is for an invalid memberUID entry to appear in an LDAP group of the form:
    memberUID: user1,user2
memberUID is a multi-valued attribute and should not have multiple users in the same attribute. If the upgrade issue occurs, identifiable by the following debug log message:
    (Wed Nov 2 15:18:21 2011) [sssd] [ldb] (0): A transaction is still active in ldb context [0xaa0460] on /var/lib/sss/db/cache_<DOMAIN>.ldb
remove the /var/lib/sss/db/cache_<DOMAIN>.ldb file and restart SSSD.
Warning
Removing the /var/lib/sss/db/cache_<DOMAIN>.ldb file purges the cache of all entries (including cached credentials).
sssd component, BZ#751314
- When a group contains certain incorrect multi-valued memberUID values, SSSD fails to sanitize the values properly. The memberUID value should only contain one username. As a result, SSSD creates incorrect users, using the broken memberUID values as their usernames. This, for example, causes problems during cache indexing.
Identity Management component
- Two Identity Management servers, both with a CA (Certificate Authority) installed, use two replication agreements. One is for user, group, host, and other related data. Another replication agreement is established between the CA instances installed on the servers. If the CA replication agreement is broken, the Identity Management data is still shared between the two servers; however, because there is no replication agreement between the two CAs, issuing a certificate on one server will cause the other server to not recognize that certificate, and vice versa.
Identity Management component
- The Identity Management (ipa) package cannot be built with a 6ComputeNode subscription.
sssd component, BZ#741264
- Active Directory performs certain LDAP referral-chasing that is incompatible with the referral mechanism included in the openldap libraries. Notably, Active Directory sometimes attempts to return a referral on an LDAP bind attempt, which used to cause a hang, and is now denied by the openldap libraries. As a result, SSSD may suffer from performance issues and occasional failures resulting in missing information. To work around this issue, disable referral-chasing by setting the following parameter in the [domain/DOMAINNAME] section of the /etc/sssd/sssd.conf file:
    ldap_referrals = false
5.9. Devices
kernel component
- A Linux LIO FCoE target causes the bnx2fc driver to perform sequence level error recovery when the target is down. As a consequence, the FCoE session cannot be resumed after the Ethernet link is bounced, the bnx2fc kernel module cannot be unloaded and the FCoE session cannot be removed when running the fcoeadm -d eth0 command. To avoid these problems, do not use the bnx2fc driver with a Linux FCoE target.
kernel component
- When using a large block size (1MB), the tape driver sometimes returns an EBUSY error. To work around this problem, use a smaller block size, that is, 256KB.
kernel component
- On some of the older Broadcom tg3 devices, the default Maximum Read Request Size (MRRS) value of 512 bytes is known to cause lower performance. This is because these devices perform direct memory access (DMA) requests serially: a 1500-byte Ethernet packet is broken into 3 PCIe read requests using a 512-byte MRRS. When using a higher MRRS value, the DMA transfer can be faster as fewer requests are needed. However, the MRRS value is meant to be tuned by system software and not by the driver. PCIe Base spec 3.0 section 7.8.4 contains an implementation note that illustrates how system software might tune the MRRS for all devices in the system. As a result, Broadcom modified the tg3 driver to remove the code that sets the MRRS to 4K bytes so that any value selected by system software (BIOS) is preserved.
kernel component
- The Brocade BFA Fibre Channel and FCoE driver does not currently support dynamic recognition of Logical Unit addition or removal using the sg3_utils utilities (for example, the sg_scan command) or similar functionality. Please consult Brocade directly for a Brocade equivalent of this functionality.
kernel component
- iSCSI and FCoE boot support on Broadcom devices is not included in Red Hat Enterprise Linux 6.4. These two features, which are provided by the bnx2i and bnx2fc Broadcom drivers, remain a Technology Preview until further notice.
kexec-tools component
- Starting with Red Hat Enterprise Linux 6.0 and later, kexec kdump supports dumping core to the Btrfs file system. However, note that because the findfs utility in busybox does not support Btrfs yet, UUID/LABEL resolving is not functional. Avoid using the UUID/LABEL syntax when dumping core to Btrfs file systems.
trace-cmd component
- The trace-cmd service does not start on 64-bit PowerPC and IBM System z systems because the sys_enter and sys_exit events do not get enabled on the aforementioned systems.
trace-cmd component
- The trace-cmd subcommand report does not work on IBM System z systems. This is due to the fact that the CONFIG_FTRACE_SYSCALLS parameter is not set on IBM System z systems.
libfprint component
- Red Hat Enterprise Linux 6 only has support for the first revision of the UPEK Touchstrip fingerprint reader (USB ID 147e:2016). Attempting to use a second revision device may cause the fingerprint reader daemon to crash. The following command returns the version of the device being used in an individual machine:
    ~]$ lsusb -v -d 147e:2016 | grep bcdDevice
kernel component
- The Emulex Fibre Channel/Fibre Channel-over-Ethernet (FCoE) driver in Red Hat Enterprise Linux 6 does not support DH-CHAP authentication. DH-CHAP authentication provides secure access between hosts and mass storage in Fibre Channel and FCoE SANs in compliance with the FC-SP specification. Note, however, that the Emulex driver (lpfc) does support DH-CHAP authentication on Red Hat Enterprise Linux 5, from version 5.4. Future Red Hat Enterprise Linux 6 releases may include DH-CHAP authentication.
kernel component
- The recommended minimum HBA firmware revision for use with the mpt2sas driver is "Phase 5 firmware" (that is, with a version number in the form 05.xx.xx.xx). Note that following this recommendation is especially important on complex SAS configurations involving multiple SAS expanders.
5.10. Kernel
kernel component
- In Red Hat Enterprise Linux 6.4, irqbalance has been updated to upstream version 1.0.4. This version of irqbalance requires /sys/device/system/cpu/cpu?/node* to exist; however, kernel-2.6.32-358 or earlier does not include support for this sysfs node. To work around this problem, use the irqbalance-0.55-35.el6_3 package or earlier.
kernel component
- Red Hat Enterprise Linux 6.4 changed the maximum read/write socket memory default value to be higher, allowing for better performance on some machines. It was observed that if the values of ?mem_max are not symmetrical between two machines, the performance can be negatively affected. To work around this problem, adjust the value of ?mem_max to be equal across all Red Hat Enterprise Linux systems in the network.
kabi-whitelists component
- The vxfs module might not work properly on Red Hat Enterprise Linux 6.4 because of the broken radix_tree_gang_lookup_slot symbol. Consult Symantec should you require a workaround for this issue.
kernel component
- Enabling TCP Segmentation Offload (TSO) on a TAP interface may cause low throughput when the uplink is a high-speed interface. To improve throughput, turn off TSO on the tap interface of the virtual machine.
kabi-whitelists component, BZ#871580
- A patch submitted in Red Hat Enterprise Linux 6.3 broke a kABI symbol. Consequently, the previously working Red Hat Enterprise Linux 6.2 Veritas vxfs module did not work on the 6.3 kernel; a newer compiled version of the Red Hat Enterprise Linux 6.3 Veritas vxfs module had to be used. In Red Hat Enterprise Linux 6.4, the kABI issue has been fixed, and the Red Hat Enterprise Linux 6.3 Veritas vxfs module works as expected. Refer to Table 5.1, “Functionality Matrix” for a summary of which versions of Red Hat Enterprise Linux 6 and vxfs function as expected.
Table 5.1. Functionality Matrix (columns: Red Hat Enterprise Linux Version (Kernel Version); rows: vxfs Module Version)
vxfs Module Version    | 6.2 GA (2.6.32-220.el6) | 6.3 GA (2.6.32-279.el6) | 6.4 pre-alpha (2.6.32-330.el6)
5.1.120.000-SP1PR2     | works                   | fails                   | works
5.1.133.000-SP1RP3     | -                       | works                   | fails
kernel component
- When using Chelsio's iSCSI HBAs for an iSCSI root partition, the first boot after install fails. This occurs because Chelsio's iSCSI HBA is not properly detected. To work around this issue, users must add the iscsi_firmware parameter to grub's kernel command line. This signals to dracut to boot from the iSCSI HBA.
kernel component
- The installation of Red Hat Enterprise Linux 6.4 i386 may occasionally fail. To work around this issue, add the following parameter to the kernel command line:
    vmalloc=256MB
kernel
component- If a device reports an error, while it is opened (via the
open(2)
system call), then the device is closed (via theclose(2)
system call), and the/dev/disk/by-id
link for the device may be removed. When the problem on the device that caused the error is resolved, theby-id
link is not re-created. To work around this issue, run the following command:~]#
echo 'change' > /sys/class/block/sdX/uevent
kernel
component- When an HBA that uses the
mpt2sas
driver is connected to a storage using an SAS switch LSI SAS 6160, the driver may become unresponsive during Controller Fail Drive Fail (CFDF) testing. This is due to faulty firmware that is present on the switch. To fix this issue, use a newer version (14.00.00.00 or later) of firmware for the LSI SAS 6160 switch. kernel
component, BZ#745713- In some cases, Red Hat Enterprise Linux 6 guests running fully-virtualized under Red Hat Enterprise Linux 5 experience a time drift or fail to boot. In other cases, drifting may start after migration of the virtual machine to a host with different speed. This is due to limitations in the Red Hat Enterprise Linux 5 Xen hypervisor. To work around this, add the
nohpet
parameter or, alternatively, theclocksource=jiffies
parameter to the kernel command line of the guest. Or, if running under Red Hat Enterprise Linux 5.7 or newer, locate the guest configuration file for the guest and add thehpet=0
parameter in it. kernel
component- On some systems, Xen full-virt guests may print the following message when booting:
WARNING: BIOS bug: CPU MTRRs don't cover all of memory, losing <number>MB of RAM
It is possible to avoid the memory trimming by using thedisable_mtrr_trim
kernel command line option. kernel
component- The
perf record
command becomes unresponsive when specifying a tracepoint event and a hardware event at the same time. kernel
component- On 64-bit PowerPC, the following command may cause kernel panic:
~]#
./perf record -agT -e sched:sched_switch -F 100 -- sleep 3
kernel
component- Applications are increasingly using more than 1024 file descriptors. It is not recommended to increase the default soft limit of file descriptors because it may break applications that use the
select()
call. However, it is safe to increase the default hard limit; that way, applications requiring a large amount of file descriptors can increase their soft limit without needing root privileges and without any user intervention. kernel
component- In network only use of Brocade Converged Network Adapters (CNAs), switches that are not properly configured to work with Brocade FCoE functionality can cause a continuous linkup/linkdown condition. This causes continuous messages on the host console:
bfa xxxx:xx:xx.x: Base port (WWN = xx:xx:xx:xx:xx:xx:xx:xx) lost fabric connectivity
To work around this issue, unload the Brocadebfa
driver. kernel
component- In Red Hat Enterprise Linux 6, a legacy bug in the PowerEdge Expandable RAID Controller 5 (PERC5) which causes the kdump kernel to fail to scan for
scsi
devices. It is usually triggered when a large amounts of I/O operations are pending on the controller in the first kernel before performing a kdump. kernel
component, BZ#679262- In Red Hat Enterprise Linux 6.2 and later, due to security concerns, addresses in
/proc/kallsyms
and/proc/modules
show all zeros when accessed by a non-root user. kernel
component- Superfluous information is displayed on the console due to a correctable machine check error occurring. This information can be safely ignored by the user. Machine check error reporting can be disabled by using the
nomce
kernel boot option, which disables machine check error reporting, or themce=ignore_ce
kernel boot option, which disables correctable machine check error reporting. -
kernel
component - The order in which PCI devices are scanned may change from one major Red Hat Enterprise Linux release to another. This may result in device names changing, for example, when upgrading from Red Hat Enterprise Linux 5 to 6. You must confirm that a device you refer to during installation, is the intended device.One way to assure the correctness of device names is to, in some configurations, determine the mapping from the controller name to the controller's PCI address in the older release, and then compare this to the mapping in the newer release, to ensure that the device name is as expected.The following is an example from /var/log/messages:
kernel: cciss0: <0x3230> at PCI 0000:1f:00.0 IRQ 71 using DAC … kernel: cciss1: <0x3230> at PCI 0000:02:00.0 IRQ 75 using DAC
If the device name is incorrect, add thepci=bfsort
parameter to the kernel command line, and check again. kernel
component- The minimum firmware version for NIC adapters managed by
netxen_nic
is 4.0.550. This includes the boot firmware which is flashed in option ROM on the adapter itself. kernel
component- High stress on 64-bit IBM POWER series machines prevents kdump from successfully capturing the
vmcore
. As a result, the second kernel is not loaded, and the system becomes unresponsive. kernel
component- Triggering kdump to capture a
vmcore
through the network using the Intel 82575EB ethernet device in a 32 bit environment causes the networking driver to not function properly in the kdump kernel, and prevent thevmcore
from being captured. -
kernel
component - Memory Type Range Register (MTRR) setup on some hyperthreaded machines may be incorrect following a suspend/resume cycle. This can cause graphics performance (specifically, scrolling) to slow considerably after a suspend/resume cycle.To work around this issue, disable and then re-enable the hyperthreaded sibling CPUs around suspend/resume, for example:
```sh
#!/bin/sh
# Disable hyper-threading processor cores on suspend and hibernate, re-enable
# on resume.
# This file goes into /etc/pm/sleep.d/
case $1 in
    hibernate|suspend)
        echo 0 > /sys/devices/system/cpu/cpu1/online
        echo 0 > /sys/devices/system/cpu/cpu3/online
        ;;
    thaw|resume)
        echo 1 > /sys/devices/system/cpu/cpu1/online
        echo 1 > /sys/devices/system/cpu/cpu3/online
        ;;
esac
```
- `kernel` component - In Red Hat Enterprise Linux 6.2, `nmi_watchdog` registers with the `perf` subsystem. Consequently, during boot, the `perf` subsystem grabs control of the performance counter registers, blocking OProfile from working. To resolve this, either boot with the `nmi_watchdog=0` kernel parameter set, or run the following command to disable it at run time: `echo 0 > /proc/sys/kernel/nmi_watchdog`. To re-enable `nmi_watchdog`, use the following command: `echo 1 > /proc/sys/kernel/nmi_watchdog`.
- `kernel` component, BZ#603911 - Due to the way ftrace works when modifying the code during start-up, the NMI watchdog causes too much noise and ftrace cannot find a quiet period to instrument the code. Consequently, machines with more than 512 CPUs will encounter issues with the NMI watchdog. Such issues will return error messages similar to `BUG: NMI Watchdog detected LOCKUP` and have either `ftrace_modify_code` or `ipi_handler` in the backtrace. To work around this issue, disable the NMI watchdog by setting the `nmi_watchdog=0` kernel parameter, or by using the following command at run time: `echo 0 > /proc/sys/kernel/nmi_watchdog`.
- `kernel` component - On 64-bit POWER systems the EHEA NIC driver will fail when attempting to dump a `vmcore` via NFS. To work around this issue, utilize other kdump facilities, for example dumping to the local file system, or dumping over SSH.
- `kernel` component, BZ#587909 - A BIOS emulated floppy disk might cause the installation or kernel boot process to hang. To avoid this, disable emulated floppy disk support in the BIOS.
- `kernel` component - The preferred method to enable `nmi_watchdog` on 32-bit x86 systems is to use either the `nmi_watchdog=2` or the `nmi_watchdog=lapic` parameter. The `nmi_watchdog=1` parameter is not supported.
- `kernel` component - The kernel parameter `pci=noioapicquirk` is required when installing the 32-bit variant of Red Hat Enterprise Linux 6 on HP xw9300 workstations. Note that the parameter change is not required when installing the 64-bit variant.
5.11. Desktop
- `firefox` package - In certain environments, storing personal Firefox configuration files (~/.mozilla/) on an NFS share, such as when your home directory is on an NFS share, led to Firefox functioning incorrectly, for example, navigation buttons not working as expected, and bookmarks not saving. This update adds a new configuration option, `storage.nfs_filesystem`, that can be used to resolve this issue. If you experience this issue:
- Start Firefox.
- Type `about:config` into the URL bar and press the Enter key.
- If prompted with "This might void your warranty!", click the button.
- Right-click in the list. In the menu that opens, select → .
- Type "storage.nfs_filesystem" (without quotes) for the preference name and then click the button.
- Select `true` for the boolean value and then press the button.
- `Red_Hat_Enterprise_Linux-Release_Notes-6` component - The link in the `RELEASE-NOTES-si-LK.html` file (provided by the Red_Hat_Enterprise_Linux-Release_Notes-6-si-LK package) incorrectly points at the Beta online version of the 6.4 Release Notes. Because the si-LK language is no longer supported, the link should correctly point to the en-US online 6.4 Release Notes located at: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/6.4_Release_Notes/index.html.
- `libwacom` component - The Lenovo X220 Tablet Touchscreen is not supported in the kernel shipped with Red Hat Enterprise Linux 6.4.
- `wacomcpl` package, BZ#769466 - The wacomcpl package has been deprecated and has been removed from the package set. The wacomcpl package provided graphical configuration of Wacom tablet settings. This functionality is now integrated into the GNOME Control Center.
- `acroread` component - Running acroread on an AMD64 system that uses SSSD for getting information about users, but does not have the sssd-client.i686 package installed, causes acroread to fail to start. To work around this issue, manually install the sssd-client.i686 package.
- `kernel` component, BZ#681257 - With newer kernels, such as the kernel shipped in Red Hat Enterprise Linux 6.1, Nouveau has corrected the Transition Minimized Differential Signaling (TMDS) bandwidth limits for pre-G80 NVIDIA chipsets. Consequently, the resolution auto-detected by X for some monitors may differ from that used in Red Hat Enterprise Linux 6.0.
- `fprintd` component - When enabled, fingerprint authentication is the default authentication method to unlock a workstation, even if the fingerprint reader device is not accessible. However, after a 30 second wait, password authentication will become available.
- `evolution` component - Evolution's IMAP backend only refreshes folder contents under the following circumstances: when the user switches into or out of a folder, when the auto-refresh period expires, or when the user manually refreshes a folder (that is, using the menu item → ). Consequently, when replying to a message in the Sent folder, the new message does not immediately appear in the Sent folder. To see the message, force a refresh using one of the methods described above.
- `anaconda` component - The clock applet in the GNOME panel has a default location of Boston, USA. Additional locations are added via the applet's preferences dialog. Additionally, to change the default location, left-click the applet, hover over the desired location in the Locations section, and click the button that appears.
- `xorg-x11-server` component, BZ#623169 - In some multi-monitor configurations (for example, dual monitors with both rotated), the cursor confinement code produces incorrect results. For example, the cursor may be permitted to disappear off the screen when it should not, or be prevented from entering some areas where it should be allowed to go. Currently, the only workaround for this issue is to disable monitor rotation.
5.12. Tools
- `coolkey` component, BZ#906537 - Personal Identity Verification (PIV) Endpoint Cards which support both CAC and PIV interfaces might not work with the latest coolkey update; some signature operations like PKINIT can fail. To work around this problem, downgrade coolkey to the version shipped with Red Hat Enterprise Linux 6.3.
- `libreport` component - Even if the stored credentials are used, the report-gtk utility can report the following error message: `Wrong settings detected for Red Hat Customer Support [..]` To work around this problem, close the dialog window; the `Login=<rhn-user>` and `Password=<rhn-password>` credentials in the `/etc/libreport/plugins/rhtsupport.conf` file will be used in the same way they are used by report-rhtsupport. For more information, refer to this Knowledge Base article.
- `vlock` component - When a user password is used to lock a console with vlock, the console can only be unlocked with the user password, not the root password. That is, even if the first entered password is incorrect, and the user is prompted to provide the root password, entering the root password fails with an error message.
- `libreoffice` component - LibreOffice contains a number of harmless files used for testing purposes. However, on Microsoft Windows systems, these files can trigger false positive alerts in various anti-virus software, such as Microsoft Security Essentials. For example, the alerts can be triggered when scanning the Red Hat Enterprise Linux 6 ISO file.
- `gnome-power-manager` component - When the computer runs on battery, a custom brightness level is not remembered and restored if power saving features like "dim display when idle" or "reduce backlight brightness when idle" are enabled.
- `rsyslog` component - rsyslog does not reload its configuration after a `SIGHUP` signal is issued. To reload the configuration, the `rsyslog` daemon needs to be restarted: `~]# service rsyslog restart`
- `parted` component - The parted utility in Red Hat Enterprise Linux 6 cannot handle Extended Address Volumes (EAV) Direct Access Storage Devices (DASD) that have more than 65535 cylinders. Consequently, EAV DASD drives cannot be partitioned using parted, and installation on EAV DASD drives will fail. To work around this issue, complete the installation on a non-EAV DASD drive, then add the EAV device after the installation using the tools provided in the s390-utils package.
Chapter 6. New Packages
Chapter 7. Updated Packages
7.1. 389-ds-base
Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.
Note
Security Fixes
- CVE-2012-4450
- A flaw was found in the way 389 Directory Server enforced ACLs after performing an LDAP modify relative distinguished name (modrdn) operation. After modrdn was used to move part of a tree, the ACLs defined on the moved (Distinguished Name) were not properly enforced until the server was restarted. This could allow LDAP users to access information that should be restricted by the defined ACLs.
Bug Fixes
- BZ#742054
- Previously, 389 Directory Server did not support the Simple Authentication and Security Layer (SASL) PLAIN mechanism. This mechanism has been added to the list of supported SASL mechanisms.
- BZ#742381
- Due to certain changes under the `cn=config` suffix, when an attribute value was deleted and then added back in the same modify operation, `error 53` was returned. Consequently, the configuration could not be reset. This update allows delete operations to succeed if the attribute is added back in the same modify operation, and the configuration is reset as expected.
- BZ#757836
- Previously, the `logconv.pl` script used a connection number equal to 0 (`conn=0`) as a restart point, which caused the script to return incorrect restart statistics. The underlying source code has been modified and 389 Directory Server is now configured to use connection number equal to 1 (`conn=1`) as the restart point.
- BZ#803873
- The `Windows Sync` feature uses the name in a search filter to perform an internal search to find an entry. Parentheses, “(” and “)”, are special characters in the `LDAP` protocol and therefore must be escaped. However, an attempt to synchronize an entry containing parentheses in the name from an Active Directory (AD) server failed with an error. With this update, 389 Directory Server properly escapes the parentheses and synchronization now proceeds correctly as expected.
- BZ#818762
- When an entry in a directory server (DS) had the same user name, group name, or both as an entry in AD, and at the same time the entry in AD was out of scope of the `Windows Sync` feature, the DS entry was deleted. This update adds the new `winSyncMoveAction` DS attribute for the Windows Sync agreement entry, which allows the user to specify the behavior of out-of-scope AD entries. The value can be set to `none`, which means that an out-of-scope AD entry does nothing to the corresponding DS entry; `delete`, which means that an out-of-scope AD entry deletes the corresponding DS entry; or `unsync`, which means that an out-of-scope AD entry is unsynchronized from the corresponding DS entry and changes made to either entry are not synchronized. By default, the value is set to `none`, which fixes this bug.
- BZ#830334
- Due to an incorrect interpretation of an error code, a directory server considered an invalid chaining configuration setting as the `disk full` error and shut down unexpectedly. This bug has been fixed by using the correct error code, and a directory server no longer terminates due to an invalid chaining configuration setting.
- BZ#830335
- Previously, restoring an `ldif` file from a replica, which had older changes that other servers had not seen yet, could lead to these updates not being replicated to other replicas. With this update, 389 Directory Server checks the Change Sequence Numbers (CSNs) and allows the older updates to be replicated. As a result, all replicas remain synchronized.
- BZ#830336
- When a directory server was under a heavy read and write load and an update request was processed, the following error message, or other similar `DB_LOCK_DEADLOCK` error messages, appeared in the error log: `entryrdn-index - _entryrdn_put_data: Adding the parent link (XXX) failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)` These errors are common under these circumstances and there is no need to report them in the error log. With this update, 389 Directory Server ensures that these errors are handled properly and no longer logs these messages in the error log.
- BZ#830337
- When a directory server was configured to use multi-master replication and the `Entry USN` plug-in, the delete operation was not replicated to the other masters. This update modifies the `Entry USN` plug-in to prevent it from changing the delete operation into a delete tombstone operation, and from removing the operation before it is logged into the change log to replay to other servers. As a result, the delete operation is replicated to all servers as expected.
- BZ#830338
- Previously, 389 Directory Server did not refresh its Kerberos cache. Consequently, if a new Kerberos ticket was issued for a host that had already authenticated against a directory server, it would be rejected by this server until it was restarted. With this update, the Kerberos cache is flushed after an authentication failure and 389 Directory Server works as expected in the described scenario.
- BZ#830343
- Using the `Managed Entry` plug-in in conjunction with other plug-ins, such as `Distributed Numeric Assignment` (DNA), `Member of`, and `Auto Member`, led to problems with delete operations on entries managed by the `Managed Entry` plug-in. The `manager` entry was deleted, but the `managed` entry was not. The deadlock retry handling has been improved so that both entries are deleted during the same database operation.
- BZ#830344
- Previously, replication errors logged in the error log could contain incorrect information. With this update, the replication errors have been modified to be more useful in diagnosing and fixing problems.
- BZ#830346
- When audit logging in a directory server was enabled, LDAP ADD operations were ignored and were not logged. This update removes a regression in the audit log code that caused the ADD operation to be ignored, and LDAP ADD operations are now logged to the audit log as expected.
- BZ#830348
- 389 Directory Server with a large number of replication agreements took a considerable amount of time to shut down due to a long sleep interval coded in the replication stop code. This sleep interval has been reduced to speed up the system termination.
- BZ#830349
- Previously, in a SASL map definition, using a compound search filter that included the “&” character failed because the “&” character was escaped. The underlying source code has been modified and searching with a filter that includes the “&” character works as expected.
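BZ#803873 and BZ#830349 above are two sides of the same filter-escaping rule: a value with parentheses must be escaped, while the “&” of a compound filter must not be. The following added Python example (not 389 Directory Server code) escapes values per RFC 4515 and checks filter syntax; the sample name is constructed and the function names are this example's own.

```python
"""RFC 4515 filter-value escaping and a minimal filter grammar check.

Added example, not 389 Directory Server code.  It illustrates the two opposite
mistakes described in the notes: BZ#803873 (a value that is not escaped, so a
name such as "Smith (Sales)" breaks the filter grammar) and BZ#830349 (an
operator that is escaped, so the "&" of a compound filter stops being an
operator).  Only the characters RFC 4515 lists as special inside an assertion
value need escaping: "*", "(", ")", "\\" and NUL.  "&", "|" and "!" are filter
operators and must be emitted literally.  The sample name is constructed.
"""
from typing import Dict, Tuple

# RFC 4515 section 3: characters encoded as backslash + two hex digits.
_SPECIAL = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}
_HEX = set("0123456789abcdefABCDEF")


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for embedding in an LDAP filter."""
    return "".join(_SPECIAL.get(ch, ch) for ch in value)


def equality_filter(attribute: str, value: str) -> str:
    """Build (attribute=value) with the value escaped, as a sync plug-in must
    do when it searches for an entry by a name taken from AD (BZ#803873)."""
    return f"({attribute}={escape_filter_value(value)})"


def and_filter(*clauses: str) -> str:
    """Combine already-built filters with "&".  The operator is written
    literally; escaping it reproduces the BZ#830349 failure."""
    return "(&" + "".join(clauses) + ")"


def _parse(f: str, i: int) -> Tuple[int, bool]:
    """Parse one filter starting at f[i]; return (next index, ok).

    Handles AND/OR/NOT and simple items (attr=value, including presence "*" and
    substrings).  Extensible matches and approximate/ordering comparators are
    out of scope for this check.
    """
    if i >= len(f) or f[i] != "(":
        return i, False
    i += 1
    if i < len(f) and f[i] in "&|":
        i += 1
        seen = 0
        while i < len(f) and f[i] == "(":
            i, ok = _parse(f, i)
            if not ok:
                return i, False
            seen += 1
        if seen == 0:
            return i, False
    elif i < len(f) and f[i] == "!":
        i, ok = _parse(f, i + 1)
        if not ok:
            return i, False
    else:
        eq = f.find("=", i)
        attr = f[i:eq] if eq != -1 else ""
        if not attr or not all(c.isalnum() or c in "-." for c in attr):
            return i, False  # an escaped operator or stray "(" lands here
        i = eq + 1
        while i < len(f) and f[i] != ")":
            if f[i] == "\\":  # an escape must be followed by two hex digits
                if i + 2 >= len(f) or not set(f[i + 1:i + 3]) <= _HEX:
                    return i, False
                i += 3
            elif f[i] == "(":  # unescaped "(" inside a value: BZ#803873
                return i, False
            else:
                i += 1
    if i >= len(f) or f[i] != ")":
        return i, False
    return i + 1, True


def is_well_formed(filter_str: str) -> bool:
    """True if the whole string is one syntactically valid filter."""
    end, ok = _parse(filter_str, 0)
    return ok and end == len(filter_str)


def demo() -> Dict[str, str]:
    """Constructed sample: an AD display name containing parentheses, used in
    the kind of compound filter a SASL mapping carries."""
    name = "Smith (Sales)"
    return {
        "unescaped_value": f"(cn={name})",  # BZ#803873 before the fix
        "escaped_value": equality_filter("cn", name),
        "compound": and_filter(equality_filter("cn", name), "(objectClass=person)"),
        "escaped_operator": r"(\26(cn=Smith)(objectClass=person))",  # BZ#830349
    }
```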
- BZ#830353
- When 389 Directory Server used the `Managed Entry` plug-in or the `DNA` plug-in, the `valgrind` tool reported memory errors and leaks. With this update, a patch has been applied to prevent these problems, and memory is now allocated and freed correctly.
- BZ#832560
- When replication was configured and a conflict occurred, under certain circumstances an error check did not reveal this conflict, because a `to-be-deleted` attribute had already been deleted by another master. Consequently, the conflict terminated the server. This update improves error checks to prevent replication conflicts from crashing the server.
- BZ#833202
- Previously, internal entries that were in the cache were freed when retrying failed transactions due to a deadlock. This behavior caused problems in a directory server and this server could terminate under a heavy update load. With this update, the cached internal entries are no longer freed and directory servers do not crash in the described scenario.
- BZ#833218
- Due to improper deadlock handling, the database reported an error instead of retrying the transaction. Consequently, under a heavy load, the directory server got deadlock errors when attempting to write to the database. The deadlock handling has been fixed and 389 Directory Server works as expected in such a case.
- BZ#834047
- Internal access control prohibited deleting newly added or modified passwords. This update allows the user to delete any password if they have the modify rights.
- BZ#834054
- Certain operations other than `LDAP Modify` operations can cause the 389 Directory Server to modify internal attributes. For example, a `BIND` operation can cause updates to password failure counters. In these cases, 389 Directory Server was updating attributes that should only be updated during an explicit `LDAP Modify` operation, such as the `modifyTimestamp` attribute. This update adds a new internal flag to skip the update of these attributes on operations other than `Modify` operations.
- BZ#834056
- Due to an invalid configuration setup in the `Auto Member` plug-in, the directory server became unresponsive under certain circumstances. With this update, the configuration file is validated, invalid configurations are not allowed, and the server no longer hangs.
- BZ#834057
- When using SNMP monitoring, 389 Directory Server terminated at startup due to multiple `ldap` servers listed in the `ldap-agent.conf` file. With this update, the buffer between `ldap` servers no longer resets and 389 Directory Server starts up regardless of the number of `ldap` servers listed in the configuration file.
- BZ#834064
- Previously, the `dnaNextValue` counter was incremented in the pre-operation stage. Consequently, if the operation failed, the counter was still incremented. This bug has been fixed and the `dnaNextValue` counter is not incremented if the operation fails.
- BZ#834065
- When a replication agreement was added without the LDAP BIND credentials, the replication process failed with a number of errors. With this update, 389 Directory Server validates the replication configuration and ensures that all needed credentials are supplied. As a result, 389 Directory Server rejects invalid replication configuration before attempting to replicate with invalid credentials.
- BZ#834075
- Previously, the `logconv.pl` script did not grab the correct search base, and as a consequence the search statistics were invalid. A new hash has been created to store connections and operation numbers from search operations. As a result, `logconv.pl` now grabs the correct search base and no longer produces incorrect statistics.
- BZ#838706
- When using the `Referential Integrity` plug-in, renaming a user DN did not rename the user's DN in the user's groups unless the case matched exactly. With this update, case-insensitive comparisons or DN normalizations are performed, so that the member attributes are updated when the user is renamed.
- BZ#840153
- Previously, the `Attribute Uniqueness` plug-in compared un-normalized values. Consequently, using this plug-in and performing the `LDAP RENAME` operation on an entry containing one of the attributes tested for uniqueness by this plug-in caused the `LDAP RENAME` operation to fail with the following error: `Constraint Violation - Another entry with the same attribute value already exists.` With this update, `Attribute Uniqueness` ensures that comparisons are performed between values which were normalized the same way, and `LDAP RENAME` works as expected in this situation.
- BZ#841600
- When the `Referential Integrity` plug-in was used with a delay time greater than 0, and the `LDAP RENAME` operation was performed on a `user` entry whose DN was specified by one or more `group` entries under the scope of the `Referential Integrity` plug-in, the user entry DN in the `group` entries did not change. The underlying source code has been modified and `LDAP RENAME` operations work as expected in the described scenario.
- BZ#842437
- Previously, the `DNA` plug-in could leak memory in certain cases for certain `MODIFY` operations. This update applies a patch to fix this bug and the modifications are freed as expected with no memory leaks.
- BZ#842438
- To improve performance, the entry cache size should be larger than the primary database size if possible. Previously, 389 Directory Server did not alert the user that the size of the entry cache was too small. Consequently, the user could not notice that the size of the entry cache was too small and that they should enlarge it. With this update, the configured entry cache size and the primary database size are examined, and if the entry cache is too small, a warning is logged in the error log.
- BZ#842440
- Previously, the `Memberof` plug-in code executed redundant DN normalizations and therefore slowed down the system. The underlying source code has been modified to eliminate redundant DN normalizations.
- BZ#842441
- Previously, the directory server could disallow changes that were made to the `nsds5ReplicaStripAttrs` attribute using the `ldapmodify` operation. Consequently, the attribute could only be set manually in the `dse.ldif` file when the server was shut down. With this update, the user is now able to set the `nsds5ReplicaStripAttrs` attribute using the `ldapmodify` operation.
- BZ#850683
- Previously, 389 Directory Server did not check attribute values for the `nsds5ReplicaEnabled` feature, which caused this feature to be disabled. With this update, 389 Directory Server checks if the attribute value for `nsds5ReplicaEnabled` is valid and reports an error if it is not.
- BZ#852088
- When multi-master replication or database chaining was used with the `TLS/SSL` protocol, a server using client certificate-based authentication was unable to connect and connection errors appeared in the error log. With this update, the internal TLS/SSL and certificate setup is performed correctly and communication between servers works as expected.
- BZ#852202
- Previously, there was a race condition in the replication code. When two or more suppliers were attempting to update a heavily loaded consumer at the same time, the consumer could, under certain circumstances, switch to total update mode, erase the database, and abort replication with an error. The underlying source code has been modified to prevent the race condition. As a result, the connection is now protected against access from multiple threads and multiple suppliers.
- BZ#852839
- Due to the use of an uninitialized variable, a heavily loaded server processing multiple simultaneous delete operations could terminate unexpectedly under certain circumstances. This update provides a patch that initializes the variable properly and the directory server no longer crashes under these circumstances.
- BZ#855438
- Due to an incorrect attempt to send the `cleanallruv` task to the Windows WinSync replication agreements, the task became unresponsive. With this update, the WinSync replication agreements are ignored and the `cleanallruv` task no longer hangs in the described scenario.
- BZ#856657
- Previously, the `dirsrv` init script always returned 0, even when one or all of the defined instances failed to start. This update applies a patch that improves the underlying source code and `dirsrv` no longer returns 0 if any of the defined instances failed.
- BZ#858580
- The schema reload task reloads schema files in the schema directory. At the same time, `Directory Server` has several internal schemas which are not stored in the schema directory. These schemas were lost after the schema reload task was executed. Consequently, adding a `posixAccount` class failed. With this update, the internal schemas are stashed in a hash table and reloaded together with the external schemas. As a result, adding a `posixAccount` is successful.
- BZ#863576
- When abandoning a Simple Paged Result request, 389 Directory Server tried to acquire a connection lock twice, and because the connection lock is not self reentrant, 389 Directory Server was waiting for the lock forever and stopped the server. This update provides a patch that eliminates the second lock and 389 Directory Server works as expected in the described scenario.
- BZ#864594
- Previously, Anonymous Resource Limits applied to the `Directory Manager`. However, the Directory Manager should never have any limits. With this update, Anonymous Resource Limits no longer apply to the Directory Manager.
- BZ#868841
- Even if an entry in AD did not contain all the required attributes for the POSIX account entry, the entry was synchronized to the DS as a POSIX entry. Consequently, the synchronization failed due to a “missing attribute” error. With this update, if an entry does not have all the required attributes, the POSIX account related attributes are dropped and the entry is synchronized as an ordinary entry. As a result, the synchronization is successful.
- BZ#868853
- When replication level logging is enabled, the `Windows Sync` feature prints out what version of Windows or AD it detects. Previously, if the feature detected Windows Server 2003 or later, it printed out the following message: `detected win2k3 peer`. This message could be confusing for users who had a later version of Windows, such as Windows Server 2008. This update modifies the message and now the following message is printed out: `detected win2k3 or later peer`.
- BZ#870158
- When a directory server was under a heavy load, deleting entries using the `Entry USN` feature caused tombstone entry indexes to be processed incorrectly. Consequently, the server could become unresponsive. This update fixes 389 Directory Server to process tombstone indexes correctly, so that the server no longer hangs in this situation.
- BZ#870162
- Previously, the abandon request checked if the operation to abandon existed. When a search operation was already finished and an operation object had been released, a Simple Page Results request could fail due to this check. This update modifies 389 Directory Server to skip operation existence checking, so that Simple Paged Results requests are always successfully aborted.
- BZ#875862
- Previously, the `DNA` plug-in attempted to dereference a NULL pointer value for the `dnaMagicRegen` attribute. Consequently, if `DNA` was enabled with no `dnamagicregen` value specified in its configuration and an entry with an attribute that triggered the DNA value generation was added, the server could terminate unexpectedly. This update improves 389 Directory Server to check for an empty `dnamagicregen` value before it attempts to dereference this value. As a result, 389 Directory Server no longer crashes if no `dnamagicregen` attribute is specified.
- BZ#876694
- Previously, the code that checks whether a new superior entry exists returned the “No such object” error only when the operation was requested by the directory manager. Consequently, if an ordinary non-root user attempted to use the `modrdn` operation to move an entry to a non-existing parent, the server terminated unexpectedly. This update provides a patch that removes the operator condition so that the check returns the “No such object” error even if the requester is an ordinary user, and the `modrdn` operation to a non-existing parent fails as expected for any user.
- BZ#876727
- If a filter contained a range search, the search retrieved one ID per `idl_fetch` and merged it into the ID list using the `idl_union()` function. This process is slow, especially when the range search result size is large. With this update, 389 Directory Server switches to `ALLID` mode by using the `nsslapd-rangelookthroughlimit` switch instead of creating a complete ID list. As a result, the range search takes less time.
- BZ#889083
- Previously, if an entry was added or modified without plug-in interference, the `nsslapd-plugin-track-binddn` feature filled the value of the `internalModifiersname` and `internalCreatorsname` attributes with the original bind DN instead of the name of the actual plug-in that modified or added the entry. This behavior is undesired; thus the `nsslapd-plugin-track-binddn` feature has been modified to always show the name of the actual plug-in that performed these operations.
- BZ#891930
- In previous versions of the 389-ds-base packages, an attempt to add a new entry to the `DNA` plug-in when the range of values was depleted caused the following error message to be returned: `ipa: ERROR: Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.` This message was missing all additional information in recent versions of the 389-ds-base packages. With this update, a patch is applied to provide the returned error message with additional information.
- BZ#896256
- Previously, an upgrade of the 389-ds-base packages affected configuration files. Consequently, custom configuration files were reverted to the defaults. This update provides a patch to ensure that custom changes in configuration files are preserved during the upgrade process.
Enhancements
- BZ#746642
- This update allows the `PAM Pass-through` plug-in to pass the authentication process through to different PAM stacks, based on domain membership, some property of the user entry, or both. Users can now log in to Red Hat Directory Server using the credentials and account data from the correct AD server.
- BZ#768084
- This enhancement improves the `automember` plug-in to check existing entries and write out the changes which would occur if these entries were added.
- BZ#782975
- Previously, certain BINDs could cause entries to be updated with only the `modifiersname` or `modifytimestamp` attribute changed. This behavior led to unnecessary replication traffic. This enhancement introduces the new `replication` feature to decrease replication traffic caused by BINDs.
- BZ#830331
- This enhancement adds the new `Disk Monitoring` plug-in. When disk partitions fill up, `Disk Monitoring` returns a warning.
- BZ#830340
- Previously, two tasks needed to be performed to clean an entire replication environment, the clean task and the release task. With this update, these tasks are incorporated in the `Cleanallruv` feature.
- BZ#830347
- Previously, the `Paged Results` search was allowed to perform only one request per connection. If the user used one connection, multiple Paged Results requests were not supported. This update adds support for multiple Paged Results requests.
- BZ#830355
- With this enhancement, obsolete elements in the Database Replica Update Vector (RUV) can be removed with the `CLEANRUV` operation, which removes them on a single supplier or master.
- BZ#833222
- This enhancement improves the `memberOf` plug-in to work across multiple back ends or suffixes.
- BZ#834046
- With this update, the `Directory Server` schema has been updated with the `nsTLS1` attribute to make `TLS/SSL` configuration easier.
- BZ#834049
- With this update, the `Directory Server` schema has been updated to include the `DNA` plug-in attributes.
- BZ#834052
- This enhancement improves the `Access Control` feature to control the Directory Manager account.
- BZ#834053
- This enhancement adds the ability to execute internal modification operations without changing the operational `modifiersname` attribute.
- BZ#834058
- With this update, the `logconv.pl` script has been enhanced with the `getopts()` function.
- BZ#834060
- Previously, the password lockout process was triggered not when the maximum number of tries was reached, but on the attempt after. This behavior was not consistent with other vendors' LDAP servers. This enhancement adds a new option which allows users to specify the behavior of password lockout.
- BZ#834061
- Previously, DS did not include the `SO_KEEPALIVE` settings and connections could not be closed properly. This enhancement implements the `SO_KEEPALIVE` settings on the DS connections.
- BZ#834063
- With this update, the new `passwordTrackUpdateTime` attribute has been added. This attribute records a timestamp when the password was last changed.
- BZ#834074
- This enhancement adds the new `nsds5ReplicaEnabled` attribute to the replication agreement. If the replication agreement is disabled, it appears to be removed, but can be easily re-enabled and resumed.
- BZ#847868
- Previously, the `Windows Sync` plug-in did not support the RFC 2307 and 2307bis types of POSIX schema, which are supported by Windows Active Directory (AD). Under these circumstances, users had to synchronize data between AD and DS manually, which could return errors. This enhancement changes the POSIX attributes to prevent these consequences.
Note: for the initial release, when adding new user and group entries to the DS, the POSIX attributes are not synchronized with AD. Adding new user and group entries to AD synchronizes to DS, and modifying attributes synchronizes both ways.
- BZ#852087
- This enhancement improves the `Directory Server` schema to allow setting up access control for the `nsslapd-readonly` attribute.
Security Fix
- CVE-2013-4283
- It was discovered that the 389 Directory Server did not properly handle the receipt of certain MOD operations with a bogus Distinguished Name (DN). A remote, unauthenticated attacker could use this flaw to cause the 389 Directory Server to crash.
7.2. abrt, libreport and btparser
The libreport libraries provide an API for reporting different problems in applications to different bug targets such as Bugzilla, FTP, and Trac.
Bug Fixes
- BZ#799909
- When the user attempted to remove a non-existing problem directory using the abrt-cli utility, abrt-cli emitted a confusing error message, such as in the following example:
# abrt-cli rm sdfsdf
'sdfsdf' does not exist
Can't connect to '/var/run/abrt/abrt.socket': Connection refused
With this update, abrt-cli has been modified to display only a message informing that such a problem directory does not exist.
- BZ#808721, BZ#814594
- When multiple kernel oopses occur in a short period of time, ABRT saves only the first oops because the later oopses are mostly only consequences of the first problem. However, ABRT sorted the processed oopses incorrectly so that the last oops that occurred was saved instead of the first oops. With this update, ABRT has been modified to process multiple kernel oopses in the correct order so that ABRT now saves the first oops as expected.
- BZ#810309
- Due to incorrect configuration, ABRT attempted to use the abrt-bodhi command, which is not available in Red Hat Enterprise Linux, while analyzing a backtrace. As a consequence, the user could see the following error message in the problem backtrace:
/bin/sh: line 6: abrt-bodhi: command not found
However, the error message had no influence on the problem reporting process. This update corrects the ABRT configuration so that the abrt-bodhi command is removed from the analyzer events and the error message no longer occurs.
- BZ#811901
- Previously, ABRT expected the dbus-send command to always be present on a system. However, ABRT does not depend on the related dbus package, so there is no guarantee that the command is installed. Therefore, when processing events that use the dbus-send command while the dbus package was not installed, ABRT emitted the following error message to the system log:
abrtd: /bin/sh: dbus-send: command not found
With this update, ABRT has been modified to verify the existence of dbus-send before attempting to call this command. The aforementioned error messages no longer occur in the system log.
- BZ#813283
- Previously, when running the report-gtk command with a non-existing problem directory, ABRT GUI attempted to process the problem directory. As a consequence, the terminal was flooded with GTK error messages. With this update, the ABRT GUI has been modified to no longer process non-existing problem directories. GUI now only prints a message informing that the processed directory does not exist and exits gracefully.
- BZ#817051
- The report tool always had to be executed from a problem directory, even to perform actions which do not require the problem directory, such as adding an attachment to an existing bug report. When run from a directory that was not a problem directory, the report tool failed with the following error message:
'.' is not a problem directory
With this update, the report tool has been modified to not require a problem directory if the "-t" option is specified. The report tool can now be used to update existing bug reports without a need to run inside a problem directory.
- BZ#815339, BZ#828673
- Due to an error in the default libreport configuration, ABRT attempted to run the reporter-bugzilla command, which is not installed by default. This caused the following warning message to appear during problem reporting:
/bin/sh: line 4: reporter-bugzilla: command not found
However, the reporting process was not affected by this warning message. With this update, the default configuration of libreport has been corrected and reporter-bugzilla is no longer called by ABRT in the default configuration. The aforementioned warning message is no longer displayed during the reporting process.
- BZ#820475
- Previously, the abrt-ccpp init script did not emit any status message so that the service abrt-ccpp status command did not display any output. This update corrects the abrt-ccpp init script so that if the abrt-ccpp service is running the "abrt-ccpp hook is installed" message is displayed. If abrt-ccpp is stopped, the "abrt-ccpp hook is not installed" message appears.
- BZ#826745
- Certain ABRT libraries were previously built with wrong linker parameters, and when running prelink on these libraries, the process returned error messages stating that the library contains "undefined non-weak symbols". With this update, the related makefiles have been corrected and the aforementioned errors no longer occur during the prelink phase.
- BZ#826924
- ABRT ran the sosreport utility whenever a problem was detected. However, if the detected problem was caused by sosreport itself, ABRT could run sosreport in an infinite loop. Consequently, abrtd became unresponsive with extensive consumption of system resources. This update modifies ABRT to ignore subsequent crashes in the same component that occur within a 20-second time period. The abrtd daemon no longer hangs if sosreport crashes.
- BZ#847227
- ABRT previously moved captured vmcore files from the default location in the /var/crash/ directory to the /var/spool/abrt/ directory. This affected the functioning of various tools that expected a vmcore file to be present in the /var/crash/ directory. This update modifies ABRT to use the CopyVMcore configuration option to specify whether to copy or move the core file. By default, ABRT no longer moves vmcore from the /var/crash/ directory but copies it.
- BZ#847291
- When disk space usage of the /var/spool/abrt/ directory reaches the specified disk space quota, ABRT finds and removes the largest problem directory. However, ABRT was previously unable to handle situations when the largest directory in /var/spool/abrt/ was not a problem directory. ABRT could not remove this directory and entered an infinite loop while searching for the largest directory to be removed. This update modifies ABRT to exclude unknown directories when determining which problem directory needs to be removed. The abrtd daemon no longer hangs in this scenario.
- BZ#856960
- When configured for centralized crash collection, ABRT previously printed the upload credentials in plain text to the /var/log/messages log file on the dedicated collection system while uploading a crash report. This was a security risk, so ABRT has been modified to no longer print the libreport-plugin-reportuploader plug-in credentials in log messages.
- BZ#873815
- When processing a large amount of problems, the inotify handling code could become out of sync, causing abrtd to be unable to read inotify events. Eventually, abrtd became unresponsive while trying to read an inotify event. If this happened and a Python application attempted to communicate with ABRT, abrtd and the Python application entered a deadlock situation. The daemon was busy trying to read an incoming inotify event and the Python script was waiting for a response from abrtd, which caused the application to become unresponsive as well. With this update, the ABRT exception handler sets timeout on a socket used for communication between abrtd and Python scripts, and also the inotify handling code has been modified. The abrtd daemon and Python applications no longer hang, however under heavy load, the inotify handling code can still become out of sync, which would cause abrtd to stop accepting new problems. If abrtd stops accepting new problems, it has to be restarted to work correctly again.
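The BZ#856960 fix above removes the credentials from ABRT's own log calls. Where a logging path may still receive an upload URL (for example from a plug-in that formats its target into a status message), a sink-side redaction filter is the defence-in-depth counterpart. The following is an added example, not ABRT or libreport code; the log lines are constructed, and the scp://user:password@host URL shape and the Password= key/value form are assumptions about how an upload target might appear, not a description of libreport's configuration syntax.

```python
"""Redact upload credentials before a log line reaches syslog.

Added example, not ABRT or libreport code.  The log lines are constructed,
and the user:password@host URL shape and Password=value form are assumed
shapes for an upload target rather than libreport's actual syntax.
"""
import re

# scheme://user:password@  -- captures the secret part of a URL userinfo.
# An unencoded password cannot contain '/', '@' or whitespace, so the match
# cannot run past the authority into the path.
_URL_CREDENTIAL = re.compile(
    r"(?P<prefix>\b[a-z][a-z0-9+.\-]*://[^\s/:@]*:)(?P<secret>[^\s/@]*)@",
    re.IGNORECASE,
)

# key=value style secrets (Password=..., passwd=...) that configuration dumps
# and debug output tend to carry; also an assumed shape.
_KV_SECRET = re.compile(
    r"(?P<key>\bpass(?:word|wd)?\s*=\s*)(?P<secret>\S+)", re.IGNORECASE
)

REDACTED = "***"


def redact_line(line: str) -> str:
    """Return line with every credential replaced by REDACTED, structure intact.

    The user name in a URL is kept (it is needed to debug an upload failure);
    only the password is removed.
    """
    line = _URL_CREDENTIAL.sub(lambda m: f"{m.group('prefix')}{REDACTED}@", line)
    line = _KV_SECRET.sub(lambda m: f"{m.group('key')}{REDACTED}", line)
    return line


def redact_log(lines):
    """Redact a sequence of log lines, returning a new list."""
    return [redact_line(line) for line in lines]


def leaked_secrets(lines, secrets):
    """Which of the given secret values still appear verbatim in the lines?

    A unit-level check: feed it the credentials from the uploader
    configuration and the lines about to be logged.
    """
    joined = "\n".join(lines)
    return sorted(s for s in secrets if s and s in joined)


# Constructed log lines in the shape of abrtd messages; not real output.
SAMPLE_LOG = [
    "abrtd: Uploading /var/spool/abrt/ccpp-2013-01-10-12:00:00-4242.tar.gz "
    "to scp://backup:Sup3rS3cret@collector.example.com:2222/crashes/",
    "abrtd: Upload_URL=ftp://anonymous@ftp.example.com/incoming/ (no password)",
    "abrtd: reporter-upload: Password=Sup3rS3cret Upload_URL=ftp://collector.example.com/",
    "abrtd: Upload finished, 1 file",
]

if __name__ == "__main__":
    for before, after in zip(SAMPLE_LOG, redact_log(SAMPLE_LOG)):
        marker = "REDACTED" if before != after else "clean   "
        print(f"{marker} {after}")
```

Redaction at the sink does not replace the fix the note describes: a credential that is never formatted into a message cannot leak through a pattern the filter does not know. Treat leaked_secrets() as a regression check on the lines you emit, not as proof that no other shape slips through.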
7.3. alsa-utils
Enhancement
- BZ#814832
- The alsa-utils package has been enhanced to work better with the GNOME volume control applet and sound preferences user interface.
7.4. amanda
Bug Fix
- BZ#752096
- Previously, the amandad daemon, which is required for successful running of AMANDA, was located in the amanda-client package; however, this package was not required during installation of the amanda-server package. Consequently, AMANDA did not work properly. The amanda-client package has been added to the amanda-server dependencies and AMANDA works correctly now.
7.5. anaconda
Bug fixes
- BZ#803883
- Due to a bug in the multipath output parsing code, when installing Red Hat Enterprise Linux 6 on an IBM Power system with JBOD (Just a Bunch Of Disks: more than one hard drive attached to the same SAS controller), Anaconda could detect these multiple hard drives as a multipath device. This in turn caused the partitioning of the hard drive to fail, causing the installation of the system to fail as well. This update fixes the parsing code and the system is installed correctly.
- BZ#848741
- The Anaconda installer did not wait for BIOS storage devices to initialize when booted with the ks=bd:<bios disk>:/ks.cfg command-line option. As a consequence, BIOS storage devices could not be found and the installation could fail. To fix this bug, a delay algorithm for BIOS devices has been added to the code path used when booting with ks=bd:<bios disk>:/ks.cfg. As a result, Anaconda waits for BIOS devices to initialize.
- BZ#828650
- The file system migration from ext2 to ext3 did not work because Anaconda did not modify the /etc/fstab file with the new ext3 file system type. Consequently, after the installation, the file system was mounted as an ext2 file system. With this update, Anaconda properly sets the migrated file system type in /etc/fstab. Thus, the file system is mounted as expected after installation.
- BZ#886150
- When installing Red Hat Enterprise Linux 6.4 Beta using the kickstart file, which included the partition scheme, LVM incorrectly removed the dashes from Logical Volume and Volume Group names. This caused the names to be malformed. This update fixes the aforementioned function to correctly format Logical Volume and Volume Group names during the installation process.
- BZ#819486
- Using IPv6 to install Red Hat Enterprise Linux 6.3 (both Alpha and Beta) on a z/VM guest enabled the user to SSH to the system and proceed with the language selection screen. However, after this step, the installation stopped and the SSH session was closed. With this update, the IPv6 installation on a z/VM guest is successful on Red Hat Enterprise Linux 6.4.
- BZ#824963
- A kickstart installation on unsupported hardware resulted in a dialog box asking for confirmation before proceeding with the installation process. As a consequence, it was not possible to perform a kickstart installation on unsupported hardware without any user input. To fix this bug, a new unsupported_hardware kickstart command has been added, which skips the interactive warning dialog when installing a system on unsupported hardware without user input.
- BZ#811197
- When a /boot partition was on a RAID device, inconsistent messages were returned because it was not supported to have this partition on such a device. These varied messages were confusing. To fix this bug, the error messages have been corrected to make sense and to not duplicate each other.
- BZ#834689
- Kernel modules containing Microsoft paravirtualized drivers were missing in the installation environment. To fix this bug, kernel modules with Microsoft PV have been added to the installation environment. As a result, better support for Microsoft virtualization is provided.
- BZ#837835
- Modules with VMware PV drivers were not included in the installation environment. This update adds the modules with VMware PV drivers to provide better virtualization support.
- BZ#809641
- The udev device manager was not used to resolve kickstart raid --onpart disk references. As a consequence, the /dev/disk/by-id/ path could not be used properly. With this update, the udev_resolve_devspec() function is used to resolve the --onpart command option. As a result, the raid --onpart command can now use the /dev/disk/by-id/ paths as expected.
- BZ#809640
- The Anaconda installer did not use the udev device manager to resolve /dev/disk/by-id/ names. This meant the kickstart installation method did not work with /dev/disk/by-id/ names. To fix this bug, Anaconda now uses udev to resolve /dev/disk/by-id/ names. As a result, kickstart installations using /dev/disk/by-id/ names work as expected.
- BZ#804557
- When installing a system using the text mode on a machine which already had Red Hat Enterprise Linux installed on it, a traceback error occurred when the button was used to go back from any dialog after the time zone dialog. With this update, disks are rescanned when moving back through the upgrade dialog, thus preventing this bug.
- BZ#840723
- The Anaconda installer called the modprobe tool without the -b argument that enables blacklists. Consequently, modules were not blacklisted. To fix this bug, the required argument has been added to the modprobe call. As a result, modules are blacklisted as expected.
- BZ#851249
- The Anaconda installer appended the boot= parameter on the command line whenever the fips=1 parameter was used. With this update, Anaconda appends the boot= parameter only when the fips=1 parameter is used and /boot is on a separate partition.
- BZ#828029
- This update fixes a typographical error in Korean version of a warning message used to alert users of a root password that is too simple.
- BZ#681224
- The Anaconda installer did not verify package checksums against the checksum in the repository metadata. A package which did not match the repo metadata checksum could be installed by the Yum utility. As a consequence, an incorrect package could be installed with no errors returned. This update adds verification of the package checksum against the checksum in the repository metadata.
- BZ#656315
- The IPv6 configuration options of the installer's text UI used misleading descriptions. In particular, they could mislead users who had configured DHCPv6 to use dynamic IPv6 configuration (DHCPv6) exclusively, without SLAAC automatic configuration. To fix this bug, the first option (Automatic neighbor discovery) has been renamed to Automatic; it is the SLAAC automatic configuration, with the option of also using a DHCPv6 server depending on the router advertisement (RA) configuration. The second option (Dynamic IP configuration (DHCPv6)) was renamed to Automatic, DHCP only, which describes the actual configuration more accurately. These descriptions are now the same as those used by NetworkManager. As a result, it is now clearer that the Automatic, DHCP only option uses the DHCPv6 server exclusively.
- BZ#836321
- The command-line interface of the fcoe-utils package in Red Hat Enterprise Linux 6.3 was changed but the installer did not adapt to this change correctly. As a consequence, FCoE initiators were not able to log in to remote storage, which could then not be used for installation. To fix this bug, the fipvlan command arguments have been fixed to use the new -f option correctly. As a result, the installer now logs in to FCoE remote storage correctly, and the storage can be used for installation purposes.
- BZ#823690
- Repositories without size data caused a divide-by-zero error. Consequently, the installation failed. With this update, repositories without size data do not cause a divide-by-zero error and the installation succeeds.
- BZ#848818
- Support for the --hibernation option had only been added to the part command. Consequently, --hibernation did not work with the logvol command. To fix this bug, support for --hibernation has been added to the logvol command. As a result, --hibernation now works with the logvol command.
- BZ#784001
- The linksleep option used to be applied only when the ksdevice= boot parameter was given the value link. Consequently, when the ksdevice boot parameter was supplied a value containing a device name or a MAC address, the linksleep boot parameter did not take effect. Without waiting for the link, as required by the linksleep boot parameter, the installer could fail. To fix this bug, the linksleep boot parameter has been added to the code paths where the to-be-activated device is specified. As a result, the linksleep boot parameter is honored also for installations where the ksdevice boot parameter is supplied a value containing a device name or a MAC address.
- BZ#747278
- The Anaconda installer did not check lengths of Logical Volume Manager (LVM) Volume Group names or Logical Volume names. As a consequence, an error occurred when creating disk partitions. To fix this bug, the length of LVM Volume Group names has been truncated to 32 characters and Logical Volume names to 16 characters. As a result, the installation completes successfully.
- BZ#746925
- Previously, Anaconda failed to enable add-on repositories when upgrading the system. Consequently, packages from the add-on repositories were not upgraded. This update allows Anaconda to enable add-on repositories when the system is upgrading and packages from the add-on repositories are upgraded as expected.
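The BZ#681224 entry above is the supply-chain check in this list: a package whose digest does not match what the repository metadata records is rejected instead of installed. The following added example, which is neither Anaconda nor yum code, shows that check against a constructed primary.xml fragment. The element names and namespace follow the repodata primary.xml layout, but the package names, paths and file contents are made up, and the rejection of md5/sha1 digest types is a stricter policy than yum's own.

```python
"""Verify a downloaded package against the digest recorded in repository
metadata, the check Anaconda gained in BZ#681224.

Added example, not Anaconda or yum code.  The primary.xml fragment and the
package bytes are constructed: element names and namespace follow the
repodata primary.xml layout, package names, paths and contents are made up.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"c": "http://linux.duke.edu/metadata/common"}

# Digest types this check trusts.  Rejecting md5/sha1 is a stricter policy
# than yum's (which honours whatever type the repository lists); RHEL 6
# repositories publish sha256.
ACCEPTED_DIGESTS = {"sha256", "sha512"}

# Constructed stand-ins for a downloaded RPM: the RPM lead magic followed by
# filler, and a one-byte modification of the same file.
GOOD_PKG = b"\xed\xab\xee\xdb" + b"example-tool payload\n" * 16
TAMPERED_PKG = GOOD_PKG[:-1] + b"!"

PRIMARY_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<metadata xmlns="http://linux.duke.edu/metadata/common" packages="2">\n'
    '  <package type="rpm">\n'
    '    <name>example-tool</name>\n'
    '    <checksum type="sha256" pkgid="YES">{good}</checksum>\n'
    '    <location href="Packages/example-tool-1.0-1.el6.x86_64.rpm"/>\n'
    '  </package>\n'
    '  <package type="rpm">\n'
    '    <name>legacy-tool</name>\n'
    '    <checksum type="md5" pkgid="YES">{weak}</checksum>\n'
    '    <location href="Packages/legacy-tool-1.0-1.el6.x86_64.rpm"/>\n'
    '  </package>\n'
    '</metadata>\n'
).format(good=hashlib.sha256(GOOD_PKG).hexdigest(), weak="0" * 32)


def load_expected_checksums(primary_xml: str) -> dict:
    """Map each package's location href to (digest type, hex digest)."""
    root = ET.fromstring(primary_xml.encode("utf-8"))
    expected = {}
    for pkg in root.findall("c:package", NS):
        href = pkg.find("c:location", NS).get("href")
        cs = pkg.find("c:checksum", NS)
        expected[href] = (cs.get("type", "").lower(), (cs.text or "").strip().lower())
    return expected


def verify_package(href: str, data: bytes, expected: dict) -> bool:
    """True only if data hashes to the digest the metadata records for href.

    A package the metadata does not list, or one listed only with a weak
    digest type, is treated as unverified rather than silently accepted.
    """
    if href not in expected:
        return False
    ctype, digest = expected[href]
    if ctype not in ACCEPTED_DIGESTS:
        return False
    actual = hashlib.new(ctype, data).hexdigest()
    return hmac.compare_digest(actual, digest)


def demo() -> dict:
    """Run the four cases a downloader has to get right."""
    expected = load_expected_checksums(PRIMARY_XML)
    good = "Packages/example-tool-1.0-1.el6.x86_64.rpm"
    weak = "Packages/legacy-tool-1.0-1.el6.x86_64.rpm"
    return {
        "intact": verify_package(good, GOOD_PKG, expected),
        "tampered": verify_package(good, TAMPERED_PKG, expected),
        "weak_digest": verify_package(weak, GOOD_PKG, expected),
        "unlisted": verify_package("Packages/not-in-repo.rpm", GOOD_PKG, expected),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:12s} {'accepted' if ok else 'rejected'}")
```

The digest in primary.xml only carries trust if the metadata itself is authenticated: an attacker who can substitute the package on the mirror can usually substitute the checksum too, so this check belongs together with signed repomd.xml (yum's repo_gpgcheck=1) and package signature verification (gpgcheck=1), not instead of them.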
Enhancements
- BZ#668065
- With this update, the vlanid= boot option and the --vlanid= kickstart option can be used to set a virtual LAN ID (802.1q tag) for a specified network device. By specifying either of these options, the system can be installed over a VLAN.
- BZ#838736
- This update allows users to select a LUKS encryption type in the kickstart configuration file.
- BZ#662007
- The bond= boot option and the --bondslaves= and --bondopts= kickstart options can now be used to configure bonding as a part of the installation process. For more information on how to configure bonding, refer to the following parts of the Red Hat Enterprise Linux 6 Installation Guide: the Kickstart Options section and the Boot Options chapter.
- BZ#813998
- When using a kickstart file to install Red Hat Enterprise Linux 6.4, the new fcoe kickstart command lets users specify which Fibre Channel over Ethernet (FCoE) devices should be activated automatically in addition to those discovered by Enhanced Disk Drive (EDD) services. For more information, refer to the Kickstart Options section in the Red Hat Enterprise Linux 6 Installation Guide.
- BZ#838742
- RPM signatures are now generated using the sha256sum utility instead of the md5sum utility. With this update, the sha256sum command-line utility is included in Anaconda and is available in the shell during the installation process.
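The kickstart-side enhancements above (unsupported_hardware, --bondslaves/--bondopts, --vlanid, fcoe, the LUKS cipher choice and --hibernation on logvol, plus the /dev/disk/by-id/ resolution fixed in the bug list) combine into one fragment. The following is an added example and is not taken from the Installation Guide: the interface names, VLAN ID, bond options, FCoE NIC, by-id disk path and passphrase are placeholders, and the remaining mandatory commands (installation source, lang, keyboard, rootpw, bootloader, %packages) are omitted.

```kickstart
# Added example fragment, not from the Installation Guide.  Device names,
# VLAN ID, bond options, the FCoE NIC, the by-id path and the passphrase are
# placeholders; install source, lang, keyboard, rootpw, bootloader and
# %packages are omitted.

# BZ#824963: proceed on unsupported hardware without the interactive prompt
unsupported_hardware

# BZ#662007: bond two NICs during installation
network --device=bond0 --bondslaves=eth0,eth1 --bondopts=mode=active-backup,miimon=100 --bootproto=dhcp

# BZ#668065: install over a tagged VLAN (802.1q) on a separate interface
network --device=eth2 --vlanid=42 --bootproto=dhcp

# BZ#813998: activate an FCoE initiator on a NIC that EDD did not report
fcoe --nic=eth3

# BZ#809640: address the disk by its stable /dev/disk/by-id name
clearpart --all --initlabel
part /boot --fstype=ext4 --size=500 --ondisk=/dev/disk/by-id/scsi-SAMPLE_DISK_SERIAL

# BZ#838736: choose the LUKS cipher explicitly instead of the installer default
part pv.01 --size=1 --grow --ondisk=/dev/disk/by-id/scsi-SAMPLE_DISK_SERIAL --encrypted --cipher=aes-xts-plain64 --passphrase=CHANGE_ME
volgroup vg_sys pv.01
logvol / --vgname=vg_sys --name=lv_root --fstype=ext4 --size=8192

# BZ#848818: swap sized for hibernation, now honoured on logvol as well as part
logvol swap --vgname=vg_sys --name=lv_swap --hibernation
```

The --passphrase= value is stored in clear in the kickstart file, so whoever can read ks.cfg (an HTTP-served kickstart is readable by any host on that network) holds the disk key. Serve the file over a restricted channel, rotate the passphrase after first boot, or use the --escrowcert= and --backuppassphrase options so that recovery does not depend on a static secret in the install file.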
7.6. authconfig
Bug Fixes
- BZ#862195
- Prior to this update, the authconfig utility used old syntax for configuring the idmap mapping in the smb.conf file when started with the "--smbidmapuid" and "--smbidmapgid" command line options. Consequently, Samba 3.6 ignored the configuration. This update adapts authconfig to use the new syntax of the idmap range configuration so that Samba 3.6 can read it.
- BZ#874527
- Prior to this update, the authconfig utility could write an incomplete sssd.conf file when using the options "--enablesssd" or "--enablesssdauth". As a consequence, the sssd daemon did not start. With this update, authconfig no longer tries to create the sssd.conf file without complete information, and the sssd daemon can now start as expected.
7.7. autofs
Bug Fixes
- BZ#585059
- When the automount daemon managed a large number of mount points, unmounting all active mount points could take a longer period of time than expected. If the daemon failed to exit within 45 seconds, the autofs init script timed out and returned a false-positive shutdown failure. To resolve this problem, the init script restart behavior has been modified. If the init script repeatedly fails to stop the daemon, the script terminates the daemon by sending the SIGKILL signal, which allows autofs to be restarted correctly.
- BZ#819703
- The automount interface matching code was able to detect only IPv4 interfaces. As a consequence, mount points were mounted with an incorrect mount type when using IPv6. To fix this problem, the automount interface matching code has been modified to use the getifaddrs() function instead of ioctl(). The automount interface matching code now properly recognizes IPv6 interfaces, and both IPv4 and IPv6 mounts are now mounted as expected.
- BZ#827024, BZ#846852, BZ#847873
- Previously, automount could terminate unexpectedly with a segmentation fault when using the internal hosts map. This could happen due to a function name collision between autofs and the libtirpc library. Both utilities called a debug logging function of the same name but with a different call signature. This update applies a series of patches that fix this problem by redefining the internal debug logging function in autofs. Also, several other bugs related to the autofs RPC function have been fixed. The automount daemon no longer crashes when using the internal hosts map and the libtirpc library is installed on the system.
- BZ#834641
- Due to an incorrectly placed port test in the get_nfs_info() function, autofs attempted to contact the portmap service when mounting NFSv4 file systems. Consequently, if the portmap service was disabled on the server, automount failed to mount the NFSv4 file systems with the following error message:
mount(nfs): no hosts available
With this update, the port check has been moved to the correct location in the code so that automount no longer contacts the server's port mapper when mounting NFSv4 file systems. NFSv4 file systems are mounted as expected in this scenario.
- BZ#836422
- Previously, the autofs internal hosts map could not be refreshed until all entries in the map had been unmounted. Consequently, users could not access newly exported NFS shares and any attempt to access such shares failed with the "No such file or directory" error message. This update allows the server export list to be updated by sending a HUP signal to the automount daemon. This causes automount to request server exports so the hosts map and associated automounts can be updated. Newly exported NFS shares can now be accessed as expected.
- BZ#845512
- Previously, the usage message displayed by the autofs init script did not contain the "usage" command entry. This update corrects the init script so it now displays all commands that can be used with the autofs service as expected.
- BZ#856296
- When stopping the autofs service, autofs did not correctly handle situations where a null map entry appeared after a corresponding indirect map entry in the autofs master map. As a consequence, automount attempted to unmount a non-existing automount point and became unresponsive. This update modifies autofs to process null map entries correctly so it no longer attempts to unmount non-existing automount points. The autofs service now stops gracefully as expected.
- BZ#860184
- Previously, the autofs init script did not allow any commands to be run by unprivileged users. However, it is desirable to let a non-root user check the status of autofs for example for monitoring purposes. Therefore, this update modifies the autofs init script to allow unprivileged users to execute the service autofs status command.
- BZ#865311
- Previous versions of autofs contained several typographical errors and misleading information in the auto.master(5) man page, and autofs.sysconfig and autofs.conf configuration files. This update corrects these bugs including the description of the MOUNT_NFS_DEFAULT_PROTOCOL and MOUNT_WAIT options.
- BZ#868973
- When attempting to mount an NFSv4 share from an unreachable NFSv4 server, autofs did not close IPv6 UDP sockets. This could eventually lead to depletion of free file descriptors and an automount failure. This update modifies autofs to close IPv6 UDP sockets as expected, and automount no longer fails due to too many open files in the described scenario.
- BZ#892846
- When using autofs with LDAP, the code used to perform a base DN search allowed a race between two threads executing the same function simultaneously to occur. As a result of this race, autofs could attempt to access already freed memory and terminate unexpectedly with a segmentation fault. With this update, the code used to perform base DN searches has been moved to the function protected by a mutex, which prevents the race from occurring. The base DN searches are now performed only when refreshing settings of the map lookup modules.
Enhancements
- BZ#846870
- This update modifies autofs to allow configuring of separate timeout values for individual direct map entries in the autofs master map.
- BZ#859947
- With this update, the auto.master(5) man page has been updated to document the "-t, --timeout" option in the FORMAT options section.
- BZ#866338
- The auto.master(5) man page has been updated to clarify description of the "nobind" option when it is used with direct mount maps.
- BZ#866396
- The autofs.spec file has been modified to update build dependency of the autofs sss interface library. The library now requires the libsss_autofs package instead of sssd.
- BZ#822733
- This update improves debug logging of autofs. With debug logging set on, automount now reports whether it needs to read a mount map or not.
Bug Fix
- BZ#921147
- Previously, when two nearly simultaneous mount requests occurred, NFS mounts mounted by autofs sometimes failed. This caused a fatal error for the host being probed and autofs failed the mount attempt with a "mount(nfs): no hosts available" error message. This update provides a patch which uses numeric protocol IDs, instead of protoent structures, and NFS mount attempts by autofs no longer fail in the described scenario.
Bug Fix
- BZ#1006163
- Previously, when mounting new mounts, the automount daemon stopped responding. This occurred due to an execution order race during an expire thread creation. This update refactors the code handling the expire thread creation and the problem no longer occurs.
7.8. automake
Security Fix
- CVE-2012-3386
- It was found that the distcheck rule in Automake-generated Makefiles made a directory world-writable when preparing source archives. If a malicious, local user could access this directory, they could execute arbitrary code with the privileges of the user running "make distcheck".
7.9. avahi
Bug Fix
- BZ#599435
- Previously, the Avahi library packages required the Avahi daemon packages as a dependency. Consequently, whenever installing some of the Avahi libraries, the Avahi daemon was installed as well, which could pose a security risk in certain environments. This update removes these dependencies so that the Avahi libraries are now installed without the Avahi daemon.
7.10. bacula
Bug Fixes
- BZ#728693
- Prior to this update, the logwatch tool did not check the "/var/log/bacula*" file. As a consequence, the logwatch report was incomplete. This update adds all log files to the logwatch configuration file. Now, the logwatch report is complete.
- BZ#728697
- Prior to this update, the bacula tool itself created the "/var/spool/bacula/log" file. As a consequence, this log file used an incorrect SELinux context. This update modifies the underlying code to create the /var/spool/bacula/log file in the bacula package. Now, this log file has the correct SELinux context.
- BZ#729008
- Prior to this update, the bacula packages were built without the CFLAGS variable "$RPM_OPT_FLAGS". As a consequence, the debug information was not generated. This update modifies the underlying code to build the packages with CFLAGS="$RPM_OPT_FLAGS". Now, the debug information is generated as expected.
- BZ#756803
- Prior to this update, the perl script which generates the my.conf file contained a misprint. As a consequence, the port variable was not set correctly. This update corrects the misprint. Now, the port variable is set as expected.
- BZ#802158
- Prior to this update, values for the "show pool" command was obtained from the "res->res_client" item. As a consequence, the output displayed incorrect job and file retention values. This update uses the "res->res_pool" item to obtain the correct values.
- BZ#862240
- Prior to this update, the bacula-storage-common package wrongly removed the alternatives for the bcopy utility during an update. As a consequence, the link to bcopy.{mysql,sqlite,postgresql} disappeared after updating. This update modifies the packaging to remove these links directly in the bacula-storage-{mysql,sqlite,postgresql} packages and not in bacula-storage-common.
7.11. bash
Bug Fixes
- BZ#695656
- Prior to this update, the trap handler could, under certain circumstances, lose signals during another trap initialization. This update blocks the signal while the trap string and handler are being modified. Now, the signals are no longer lost.
- BZ#799958
- Prior to this update, the manual page for trap in Bash did not mention that signals ignored upon entry cannot be listed later. This is now fixed and the manual page entry text is amended to "Signals ignored upon entry to the shell cannot be trapped, reset or listed".
- BZ#800473
- Prior to this update, the Bash shell called the trap handler within a signal handler when a SIGCHLD signal was received in job control mode and a handler for the signal was installed. This was a security risk and could cause Bash to enter a deadlock or to terminate unexpectedly with a segmentation fault due to memory corruption. With this update, the trap handler is now called outside of the signal handler, and Bash no longer enters a deadlock.
Enhancement
- BZ#677439
- This update enables the system-wide "/etc/bash.bash_logout" file. This allows administrators to write system-wide logout actions for all users.
Bug Fix
- BZ#982610
- When a trap handler was invoked while running another trap handler, which was invoked during a pipeline call, bash was unresponsive. With this update, pipeline calls are saved and subsequently restored in this scenario, and bash responds normally.
7.12. bfa-firmware
7.13. bind-dyndb-ldap
Bug Fixes
- BZ#767496
- When persistent search was in use, the plug-in sometimes terminated unexpectedly due to an assertion failure when the "rndc reload" command was issued and the LDAP server was not reachable. With this update, the code has been improved so that connection failures and reconnects are now handled more robustly. As a result, the plug-in no longer crashes in the scenario described.
- BZ#829388
- Previously, some relative domain names were not expanded correctly to FQDNs. Consequently, zone transfers sometimes contained relative domain names although they should only contain FQDNs (for example, they contained "name." record instead of "name.example.com."). The plug-in has been patched, and as a result, zone transfers now contain the correct domain names.
- BZ#840381
- Due to a bug in bind-dyndb-ldap, the named process sometimes terminated unexpectedly when a connection to LDAP timed out. Consequently, when a connection to LDAP timed out (or failed), the named process was sometimes aborted and DNS service was unavailable. The plug-in has been fixed and as a result, the plug-in now handles situations when a connection to LDAP fails gracefully.
- BZ#856269
- Due to a race condition, the plug-in sometimes caused the named process to terminate unexpectedly when it received a request to reload. Consequently, the DNS service was sometimes unavailable. A patch has been applied and as a result, the race condition during reload no longer occurs.
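The expansion rule behind the zone-transfer fix above (BZ#829388), as an added example rather than code from bind-dyndb-ldap: names read from the database are made absolute against the zone origin before they are handed to a transfer, and a check lists any relative name that slipped through, which is exactly the "name." instead of "name.example.com." symptom. The zone-file line layout, the sample zone and the function names are constructed for this example.

```python
"""Expanding relative names to FQDNs before zone data leaves the server.

Added example (not code from bind-dyndb-ldap): the expansion rule the plug-in
must apply to names read from LDAP, plus a check that flags the bug's symptom,
a zone transfer carrying a relative name such as "name." instead of
"name.example.com.". Function and sample names are constructed here.
"""

# Types whose RDATA carries a domain name, and the index of that name
# within the whitespace-split RDATA (MX is "<preference> <exchange>").
NAME_RDATA_INDEX = {"CNAME": 0, "NS": 0, "PTR": 0, "DNAME": 0, "MX": 1}


def to_fqdn(name: str, origin: str) -> str:
    """Return `name` as an absolute domain name (always with a trailing dot)."""
    if not origin.endswith("."):
        origin += "."
    if name in ("@", ""):          # "@" is the zone origin itself
        return origin
    if name.endswith("."):         # already absolute, leave untouched
        return name
    if origin == ".":              # relative to the root zone
        return name + "."
    return f"{name}.{origin}"


def expand_record(line: str, origin: str) -> str:
    """Expand the owner name and any name-valued RDATA of one zone-file line.

    Line format (constructed for this example): owner ttl class type rdata...
    """
    owner, ttl, klass, rtype, *rdata = line.split()
    owner = to_fqdn(owner, origin)
    idx = NAME_RDATA_INDEX.get(rtype)
    if idx is not None:
        rdata[idx] = to_fqdn(rdata[idx], origin)
    return " ".join([owner, ttl, klass, rtype, *rdata])


def relative_names_in_transfer(lines) -> list:
    """Return every owner name or name-valued RDATA without a trailing dot.

    Records handed to a zone transfer (AXFR/IXFR) carry no origin, so any
    relative name here is the corruption described in BZ#829388.
    """
    bad = []
    for line in lines:
        owner, _ttl, _klass, rtype, *rdata = line.split()
        names = [owner]
        idx = NAME_RDATA_INDEX.get(rtype)
        if idx is not None:
            names.append(rdata[idx])
        bad.extend(n for n in names if not n.endswith("."))
    return bad


# Constructed sample zone as it might be stored with relative names.
SAMPLE_ORIGIN = "example.com."
SAMPLE_ZONE = [
    "@ 3600 IN NS ns1",
    "ns1 3600 IN A 192.0.2.1",
    "www 3600 IN CNAME host.example.com.",
    "mail 3600 IN MX 10 mx",
    "ftp 3600 IN CNAME www",
]


def transfer_ready(lines=SAMPLE_ZONE, origin=SAMPLE_ORIGIN) -> list:
    """Expand every record; the result contains no relative names."""
    return [expand_record(line, origin) for line in lines]


if __name__ == "__main__":
    print("relative names before expansion:", relative_names_in_transfer(SAMPLE_ZONE))
    for rec in transfer_ready():
        print(rec)
    print("relative names after expansion:", relative_names_in_transfer(transfer_ready()))
```

The check deliberately looks only at the trailing dot: that is the whole difference between "name." and "name.example.com." on the wire, and it is what a secondary would otherwise serve as an answer for a name that does not exist.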
Enhancements
- BZ#733711
- The bind-dyndb-ldap plug-in in Red Hat Enterprise Linux 6.4 supports LDAP persistent search for both zones and their resource records. Persistent search allows the plug-in to be informed immediately about all changes in the LDAP database. It also reduces the network bandwidth consumed by repeated polling.
- BZ#829340
- Previously, it was only possible to configure IPv4 forwarders in LDAP. With this update, a patch has been added to the plug-in, and as a result, the plug-in is now able to parse and use IPv6 forwarders. BIND9 syntax for "forwarders" is required.
- BZ#829385
- Previously, it was impossible to share one LDAP database between multiple master servers; only one master server could be used. A new bind-dyndb-ldap option "fake_mname" which allows for overriding the master server name in the SOA record has been added. With this option it is now possible to override the master server name in the SOA record so that multiple servers can act as master server for one LDAP database.
- BZ#840383
- When multiple named processes shared one LDAP database and dynamically updated DNS records (via DDNS), they did not update the SOA serial numbers so it was impossible to serve such zones on secondary servers correctly (that is to say, they were not updated on slave servers). With this update, the plug-in can now update SOA serial numbers automatically, if configured to do so. Refer to the new "serial_autoincrement" option in the /usr/share/doc/bind-dyndb-ldap/README file for more details.
- BZ#869323
- This update provides support for the per-zone disabling of forwarding. Some setups require the disabling of forwarding per-zone. For example, company servers are configured as authoritative for a non-public zone and have global forwarding turned on. When the non-public zone contains delegation for a non-public subdomain, the zone must have explicitly disabled forwarding otherwise the glue records will not be returned. As a result, a server can now return delegation glue records for private zones when global forwarding is turned on. Refer to /usr/share/doc/bind-dyndb-ldap/README for detailed information.
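The serial handling that the "serial_autoincrement" option (BZ#840383) adds, shown as an added example and not as bind-dyndb-ldap code: secondaries compare serials with RFC 1982 serial-number arithmetic, so a dynamic update that leaves the serial unchanged is invisible to them no matter how many masters wrote it. The SharedZone class, its method names and the sample serial are constructed for this example.

```python
"""SOA serial handling for a zone shared by several masters.

Added example (not bind-dyndb-ldap code): RFC 1982 serial-number arithmetic,
which is what secondaries use to decide whether a zone transfer is needed,
and a toy shared zone showing why a DDNS update that leaves the serial alone
never reaches the slaves. SharedZone and its method names are constructed.
"""

SERIAL_MOD = 1 << 32          # serials are unsigned 32-bit
SERIAL_HALF = 1 << 31


def serial_add(serial: int, n: int) -> int:
    """RFC 1982 addition: n must be < 2^31; the result wraps modulo 2^32."""
    if not 0 <= n < SERIAL_HALF:
        raise ValueError("increment must be in [0, 2^31)")
    return (serial + n) % SERIAL_MOD


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 'a is greater than b'.

    True when a is ahead of b by less than 2^31, taking the wrap at 2^32 into
    account; False for equal serials and for the undefined 2^31 distance.
    """
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def secondary_needs_transfer(secondary_serial: int, master_serial: int) -> bool:
    """A secondary transfers only when the master's serial is newer."""
    return serial_gt(master_serial, secondary_serial)


class SharedZone:
    """Zone data shared by several masters through one backend (the LDAP role)."""

    def __init__(self, serial: int):
        self.serial = serial
        self.records = {}

    def ddns_update(self, name: str, rdata: str, serial_autoincrement: bool) -> int:
        """Apply a dynamic update; bump the serial only if autoincrement is on."""
        self.records[name] = rdata
        if serial_autoincrement:
            self.serial = serial_add(self.serial, 1)
        return self.serial


def simulate(serial_autoincrement: bool) -> bool:
    """Two masters update the shared zone; return whether a secondary that
    already holds the starting serial would pick up the changes."""
    start = 2013010100                       # constructed YYYYMMDDnn serial
    zone = SharedZone(start)
    zone.ddns_update("host1.example.com.", "192.0.2.10", serial_autoincrement)  # via master 1
    zone.ddns_update("host2.example.com.", "192.0.2.11", serial_autoincrement)  # via master 2
    return secondary_needs_transfer(start, zone.serial)


if __name__ == "__main__":
    print("without serial_autoincrement, secondary transfers:", simulate(False))
    print("with serial_autoincrement, secondary transfers:", simulate(True))
```

The wrap-around cases in serial_gt matter in practice: a zone whose serial is reset "downwards" by more than 2^31 is seen as newer, and the two-step trick for lowering a serial relies on exactly that.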
Bug Fix
- BZ#928429
- The bind-dyndb-ldap plug-in processed settings too early, which led to the daemon terminating unexpectedly with a segmentation fault during startup or reload. The bind-dyndb-ldap plug-in has been fixed to process its options later, and so, no longer crashes during startup or reload.
7.14. bind
Security Fix
- CVE-2012-5689
- A flaw was found in the DNS64 implementation in BIND when using Response Policy Zones (RPZ). If a remote attacker sent a specially-crafted query to a named server that is using RPZ rewrite rules, named could exit unexpectedly with an assertion failure. Note that DNS64 support is not enabled by default.
Enhancement
- BZ#906312
- Previously, it was impossible to limit the number of responses sent per second to one client. This allowed remote attackers to use the server in traffic amplification attacks by sending DNS queries with spoofed source IP addresses. With this update, the new "rate-limit" configuration block in named.conf (Response Rate Limiting) can be used to cap the number of identical responses sent per second to a client network. Refer to the BIND documentation for more details about the "rate-limit" option.
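What a response rate limit buys against a spoofed-source flood, as an added example that is not BIND's implementation: BIND's RRL uses per-second token buckets with several tunables, while this is a fixed-window approximation that keeps the two ideas that matter for amplification, counting identical responses per client netblock and answering over-limit queries with a small truncated reply ("slip") that a real client can retry over TCP but a spoofed source cannot. The class, parameter names, packet sizes and the flood itself are constructed.

```python
"""A simplified response rate limiter of the kind the "rate-limit" block enables.

Added example, not BIND's implementation: BIND's RRL uses per-second token
buckets with several tunables; this is a fixed-window approximation that
keeps the two ideas that matter for amplification, counting identical
responses per client netblock and answering over-limit queries with a small
truncated reply ("slip") instead of the full answer. Class and parameter
names are constructed.
"""
import ipaddress
from collections import defaultdict

ANSWER, SLIP, DROP = "answer", "slip", "drop"


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, slip=2, ipv4_prefix=24):
        self.rps = responses_per_second
        self.slip = slip          # every slip-th over-limit response is sent truncated
        self.prefix = ipv4_prefix
        self.counts = defaultdict(int)   # (window, netblock, qname, qtype) -> responses

    def _key(self, src_ip, qname, qtype, now):
        net = ipaddress.ip_network(f"{src_ip}/{self.prefix}", strict=False)
        return (int(now), str(net), qname.lower(), qtype)

    def decide(self, src_ip, qname, qtype, now):
        """Return ANSWER, SLIP or DROP for one query arriving at time `now`."""
        key = self._key(src_ip, qname, qtype, now)
        self.counts[key] += 1
        over = self.counts[key] - self.rps
        if over <= 0:
            return ANSWER
        # Over limit: a truncated reply (TC=1) tells a real client to retry over
        # TCP, which a spoofed source cannot complete, yet costs only a few bytes.
        if self.slip and over % self.slip == 0:
            return SLIP
        return DROP


def run_flood(limiter, src_ip, qname, qtype, count, now):
    """Send `count` identical queries in one second; return a tally of decisions."""
    tally = {ANSWER: 0, SLIP: 0, DROP: 0}
    for _ in range(count):
        tally[limiter.decide(src_ip, qname, qtype, now)] += 1
    return tally


def bytes_sent(tally, answer_bytes=3000, slip_bytes=60):
    """Bytes the server emits toward the (spoofed) source for a tally."""
    return tally[ANSWER] * answer_bytes + tally[SLIP] * slip_bytes


def amplification(tally, query_bytes=64, count=None):
    """Outbound bytes divided by inbound query bytes."""
    count = count if count is not None else sum(tally.values())
    return bytes_sent(tally) / (count * query_bytes)


if __name__ == "__main__":
    # Constructed flood: 100 ANY queries per second with a spoofed victim address.
    unlimited = {ANSWER: 100, SLIP: 0, DROP: 0}
    limited = run_flood(ResponseRateLimiter(), "198.51.100.7", "example.com.", "ANY", 100, now=1.0)
    print("no RRL: amplification x%.1f" % amplification(unlimited))
    print("RRL:    %s amplification x%.1f" % (limited, amplification(limited)))
```

Limiting per netblock rather than per address is deliberate: an attacker spoofing many addresses in the victim's /24 would otherwise get a fresh allowance for each one.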
Bug Fixes
- BZ#827282
- Previously, the init script sometimes reported a spurious "named.pid: No such file or directory" error message due to a race condition when the DNS server (named) was stopped. This spurious error message has been suppressed and is no longer reported in this scenario.
- BZ#837165
- Due to a race condition in the rbtdb.c source file, the named daemon could terminate unexpectedly with the INSIST error code. This bug has been fixed in the code and the named daemon no longer crashes in the described scenario.
- BZ#853806
- Previously, BIND rejected "forward" and "forwarders" statements in static-stub zones. Consequently, it was impossible to forward certain queries to specified servers. With this update, BIND accepts those options for static-stub zones properly, thus fixing this bug.
Security Fix
- CVE-2013-2266
- A denial of service flaw was found in the libdns library. A remote attacker could use this flaw to send a specially-crafted DNS query to named that, when processed, would cause named to use an excessive amount of memory, or possibly crash.
Bug Fix
- BZ#928439
- Previously, rebuilding the bind-dyndb-ldap source RPM failed with a "/usr/include/dns/view.h:76:21: error: dns/rrl.h: No such file or directory" error.
Bug Fix
- BZ#996955
- Due to a missing gss_release_name() call, the BIND DNS server leaked memory when the "tkey-gssapi-credential" option was used in the BIND configuration. This update properly frees all memory in case the "tkey-gssapi-credential" is used, and BIND no longer leaks memory when GSSAPI credentials are used internally by the server for authentication.
Security Fix
- CVE-2013-4854
- A denial of service flaw was found in BIND. A remote attacker could use this flaw to send a specially-crafted DNS query to named that, when processed, would cause named to crash when rejecting the malformed query.
7.15. binutils
Bug Fixes
- BZ#773526
- To display a non-printing character, the readelf utility adds 0x40 to the character value and prints the result after a caret ("^"). However, readelf previously handled the bytes of multibyte characters incorrectly in this escaping step, so that multibyte characters in the ELF headers were displayed incorrectly. With this update, the underlying code has been corrected and readelf now displays multibyte and non-ASCII characters correctly.
- BZ#825736
- Under certain circumstances, the linker could fail to produce the GNU_RELRO segment when building an executable requiring GNU_RELRO. As a consequence, such an executable failed upon start-up. This problem affected also the libudev library so that the udev utility did not work. With this update, the linker has been modified so that the GNU_RELRO segment is now correctly created when it is needed, and utilities such as udev now work correctly.
7.16. biosdevname
Bug Fixes
- BZ#751373
- The biosdevname utility ignored the SMBIOS version check for PCI network adapters. Consequently, PCI network adapter interfaces were renamed according to PCI slot and port numbers on systems with unsupported SMBIOS versions. With this update, the new biosdevname utility ensures that if the SMBIOS version is not supported, PCI network adapter interfaces are not renamed. As a result, PCI network adapters are named with the kernel default name in the scenario described.
- BZ#804754
- When using Single Root I/O Virtualization (SR-IOV) with embedded network interface devices, the biosdevname utility did not check the System Management BIOS (SMBIOS) type of the physical function for corresponding virtual functions. Consequently, biosdevname did not find SMBIOS type 41 structure for the device virtual functions and did not suggest interface names for these onboard network interfaces. With this update, biosdevname now looks up the SMBIOS type 41 structure for the device virtual functions in the corresponding physical function table. As a result, onboard network devices with virtual network interfaces are now renamed according to the biosdevname naming scheme.
- BZ#815724
- The biosdevname utility did not handle PCI cards with multiple ports. Consequently, only the network interface of the first port of these cards was renamed according to the biosdevname naming scheme. An upstream patch has been applied and biosdevname now handles PCI cards with multiple ports. As a result, all ports of multiple port PCI cards are now renamed according to the biosdevname naming scheme.
7.17. bridge-utils
Enhancements
- BZ#676355
- The man page was missing the multicast option descriptions. This update adds that information to the man page.
- BZ#690529
- This enhancement adds the missing feature described in the BRCTL(8) man page, that allows the user to get the bridge information for a simple bridge using the "brctl show $BRIDGE" command.
7.18. brltty
Bug Fixes
- BZ#684526
- Previously, building the brltty package could fail with an error about unpackaged OCaml files. This happened only if the ocaml package was pre-installed in the build root. The "--disable-caml-bindings" option has been added to the %configure macro so that the package now builds correctly.
- BZ#809326
- Previously, the /usr/lib/libbrlapi.so symbolic link installed by the brlapi-devel package incorrectly pointed to ../../lib/libbrlapi.so. The link has been fixed to correctly point to ../../lib/libbrlapi.so.0.5.
7.19. btrfs-progs
7.20. ccid
Security Fix
- CVE-2010-4530
- An integer overflow, leading to an array index error, was found in the way the CCID driver processed a smart card's serial number. A local attacker could use this flaw to execute arbitrary code with the privileges of the user running the PC/SC Lite pcscd daemon (root, by default), by inserting a specially-crafted smart card.
Bug Fix
- BZ#808115
- Previously, CCID only recognized smart cards with a 5V power supply. With this update, CCID also supports smart cards that use other supply voltages.
7.21. cdrkit
Bug Fix
- BZ#797990
- Prior to this update, overlapping memory was handled incorrectly. As a consequence, newly created paths could be garbled when calling "genisoimage" with the "-graft-points" option to graft the paths at points other than the root directory. This update modifies the underlying code to generate graft paths as expected.
7.22. certmonger
Bug Fixes
- BZ#810016
- When certmonger was set up to not attempt to obtain a new certificate and the certificate's valid remaining time crossed a configured time to live (TTL) threshold, certmonger warned of a certificate's impending not-valid-after date. Certmonger then immediately logged the warning again, and continued to do so indefinitely, causing the /var/log/messages file to fill up with warnings. This bug has been fixed and certmonger returns a warning again only when another configured TTL threshold is crossed or the service is restarted.
- BZ#893611
- When certmonger attempts to save a certificate to an NSS database, it necessarily opens that database for writing. Previously, if any other process, including any other certmonger tasks that could require access to that database, had the database open for writing, that database could become corrupted. This update backports changes from later versions of certmonger which change its behavior. Now, actions that could result in database modifications are only performed one at a time.
7.23. cifs-utils
Bug Fixes
- BZ#856729
- When the mount.cifs utility ran out of addresses to try, it returned the "System error" error code (EX_SYSERR) to the caller service. The utility has been modified and it now correctly returns the "Mount failure" error code (EX_FAIL).
- BZ#826825
- Typically, "/" characters are not allowed in user names on Microsoft Windows systems, but they are common in certain types of Kerberos principal names (for example, the "host/" service principals). However, mount.cifs previously rejected "/" in user names, which caused attempts to mount CIFS file systems with such principals to fail. With this update, "/" characters are allowed in user names if the "sec=krb5" or "sec=krb5i" mount option is specified, and CIFS file systems can now be mounted as expected.
- BZ#838606
- Previously, the cifs-utils packages were compiled without the RELRO (read-only relocations) and PIE (Position Independent Executables) hardening. Programs provided by this package were therefore more exposed to attacks based on overwriting writable ELF sections such as the GOT. The "-fpie" compiler and "-pie" linker options build position-independent executables, and the "-Wl,-z,relro" linker option makes relocation data read-only once loading is complete; with "-Wl,-z,now" added, all symbols are resolved at load time, which is what makes the protection full RELRO. These options guard against exploitation of memory corruption bugs such as buffer overflows. The cifs-utils binaries are now built with PIE and full RELRO, so they are better protected against "return-to-text" and other memory corruption attacks and against attacks based on overwriting ELF sections.
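How to verify the PIE and RELRO state described above on a shipped binary, as an added example (not Red Hat's or the cifs-utils build's code): a small ELF64 reader that reports what "-fpie -pie" and "-Wl,-z,relro -Wl,-z,now" leave behind in the file, the ET_DYN type with an interpreter, the PT_GNU_RELRO segment and the bind-now flag in the dynamic section. It includes a builder for minimal constructed ELF images so the checker can be exercised without a compiler; the constants are the standard ELF values, the function names are constructed, and only little-endian ELF64 is handled.

```python
"""Checking a binary for PIE and full RELRO, the hardening added to cifs-utils.

Added example (not Red Hat's or the cifs-utils build's code): a small ELF64
reader that reports what "-fpie -pie" and "-Wl,-z,relro -Wl,-z,now" leave
behind in a binary, plus a builder for minimal constructed ELF images so the
checker can be exercised without a compiler. Little-endian ELF64 only.
"""
import struct

ET_EXEC, ET_DYN = 2, 3
PT_INTERP, PT_DYNAMIC = 3, 2
PT_GNU_RELRO = 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR_SIZE, PHDR_SIZE, DYN_SIZE = 64, 56, 16


def check_hardening(data: bytes) -> dict:
    """Return {"pie": bool, "relro": "none"|"partial"|"full"} for an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    has_relro = has_interp = False
    dynamic = None
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz, _memsz, _align = \
            struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True          # the loader makes this range read-only after relocation
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
        elif p_type == PT_INTERP:
            has_interp = True

    bind_now = False
    if dynamic:
        off, size = dynamic
        for pos in range(off, off + size, DYN_SIZE):
            tag, val = struct.unpack_from("<qQ", data, pos)
            if tag == DT_NULL:
                break
            # Any of these tells ld.so to resolve every symbol at load time, so the
            # GOT lies inside the RELRO range and is never writable afterwards.
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True

    # An executable (has an interpreter) of type ET_DYN is a PIE; a plain ET_DYN
    # without PT_INTERP is a shared library, which is relocatable anyway.
    pie = e_type == ET_DYN and has_interp
    relro = "full" if (has_relro and bind_now) else "partial" if has_relro else "none"
    return {"pie": pie, "relro": relro}


def check_file(path: str) -> dict:
    """Run the check on a real file, for example /usr/sbin/mount.cifs."""
    with open(path, "rb") as f:
        return check_hardening(f.read())


def build_elf(pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF64 image with only the parts the checker reads."""
    dyn = (struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b"") \
        + struct.pack("<qQ", DT_NULL, 0)
    phnum = 2 + (1 if relro else 0)          # PT_INTERP, PT_DYNAMIC, optional PT_GNU_RELRO
    dynoff = EHDR_SIZE + phnum * PHDR_SIZE
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0,
                        EHDR_SIZE, 0, 0, EHDR_SIZE, PHDR_SIZE, phnum, 64, 0, 0)

    def phdr(p_type, flags, off, size, align):
        return struct.pack("<IIQQQQQQ", p_type, flags, off, off, off, size, size, align)

    phdrs = phdr(PT_INTERP, 4, 0, 0, 1) + phdr(PT_DYNAMIC, 6, dynoff, len(dyn), 8)
    if relro:
        phdrs += phdr(PT_GNU_RELRO, 4, dynoff, len(dyn), 1)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    for flags in [(False, False, False), (False, True, False), (True, True, True)]:
        print(flags, "->", check_hardening(build_elf(*flags)))
```

"partial" is the state a build with "-z relro" but without "-z now" ends in: the PT_GNU_RELRO segment exists, but lazy binding keeps the GOT writable, so it remains a target for the overwrite attacks mentioned above.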
Enhancements
- BZ#843596
- With this update, the "strictcache", "actimeo", "cache=" and "rwpidforward" mount options are now documented in the mount.cifs(8) manual page.
- BZ#843612
- The "getcifsacl", "setcifsacl" and "cifs.idmap" programs have been added to the package. These utilities allow users to manipulate ACLs on CIFS shares and allow the mapping of Windows security IDs to POSIX user and group IDs.
- BZ#843617
- With this update, the cifs.idmap helper, which allows SID to UID and SID to GID mapping, has been added to the package. Also, the manual page cifs.upcall(8) has been updated and cifs.idmap(8) has been added.
7.24. clustermon
Bug Fixes
- BZ#865588
- Prior to this update, the dynamic library that represents the CIM provider of a cluster status was not built with all the required dependencies and therefore certain symbols could not be resolved. As a consequence, the cluster status could not be accessed via CIM. This update adds the missing dependencies to the dynamic library. Now, the cluster status is accessible as expected.
- BZ#885830
- Prior to this update, the size of XML-formatted cluster configuration (as in cluster.conf file) greater than 200 kB might have crashed modcluster, a program assisting the ricci daemon in handling the cluster configuration file (cluster.conf), or modclusterd, a daemon providing cluster status. This update drops this restriction and both executables no longer abort with larger configurations.
7.25. cluster and gfs2-utils
Bug Fixes
- BZ#785866
- With this update, a minor typographical error has been fixed in the /usr/share/cluster/cluster.rng.in.head RELAX NG schema.
- BZ#803477
- Previously, the fsck.gfs2 program printed irrelevant error messages when reclaiming free metadata blocks. These messages could have been incorrectly understood as file system errors. With this update, these messages are no longer displayed.
- BZ#814807
- The master_wins implementation of the qdiskd daemon was not sufficiently fast to hand over the master status during an ordered shutdown. Consequently, a temporary loss of quorum in the cluster could have occurred. With this update, master_wins has been modified to operate more quickly.
- BZ#838047
- Previously, the master_wins implementation of the qdiskd daemon did not check strictly for errors in the /etc/cluster/cluster.conf file. Consequently, with several incorrect options in cluster.conf, two quorate partitions could have been created at the same time. With this update, master_wins has been modified to perform strict error checking to avoid the creation of multiple quorate partitions.
- BZ#838945
- Prior to this update, an overly long cluster name in the /etc/cluster/cluster.conf file could cause a buffer overflow when running the fsck.gfs2 utility on a GFS2 file system with a corrupt super block. With this update, the cluster name is truncated appropriately when the super block is being rebuilt. Now, the buffer overflow condition no longer occurs in the described case.
- BZ#839241
- Under certain circumstances, the cman cluster manager did not propagate two internal values across configuration reloads. Consequently, runtime inconsistencies could occur. This bug has been fixed, and the aforementioned error no longer occurs. Also, a corner case memory leak has been fixed.
- BZ#845341
- Prior to this update, the fenced daemon created the /var/log/cluster/fenced.log file with world readable permissions. With this update, fenced has been modified to set stricter permissions on its log file. Also, the permissions of an existing log file are automatically corrected if necessary.
- BZ#847234
- Previously, an insufficient buffer length limit did not allow long configuration lines in the /etc/cluster/cluster.conf configuration file. Consequently, a long entry in the file caused the corosync utility to terminate unexpectedly with a segmentation fault. With this update, the length limit has been extended. As a result, the segmentation fault no longer occurs in this situation.
- BZ#853180
- When a GFS2 file system was mounted with the lock_nolock option enabled, the cman cluster manager incorrectly checked the currently used resources. Consequently, cman failed to start. This bug has been fixed, and cman now starts successfully in the described case.
- BZ#854032
- In certain corner cases, triggered especially when shutting down all cluster nodes at the same time, the cluster daemons failed to quit within the cman shutdown limit (10 seconds). Consequently, the cman cluster manager declared a shutdown error. With this update, the default shutdown timeout has been increased to 30 seconds to prevent the shutdown error.
- BZ#857952
- Under rare circumstances, the fenced daemon polled an incorrect file descriptor from the cman cluster manager. Consequently, fenced entered a loop and the cluster became unresponsive. This bug has been fixed, and the aforementioned error no longer occurs.
- BZ#861340
- The fenced daemon is usually started before the messagebus (D-BUS) service, which has no harmful operational effects. Previously, this behavior was recorded as an error message in the /var/log/cluster/fenced.log file. To avoid confusion, this message is now written to /var/log/cluster/fenced.log only when the log level is set to debugging.
- BZ#862847
- Previously, the "mkfs.gfs2 -t" command accepted non-standard characters, like the slash (/), in the lock table name. Consequently, only the first cluster node was able to mount the GFS2 file system successfully; the next node attempting to mount it became unresponsive. With this update, stricter validation of lock table names has been introduced. As a result, cluster nodes no longer hang when special characters are used in the lock table name.
- BZ#887787
- Previously, when a client using the cman API called the cman_stop_notification() function after cman was already closed, the client was terminated by the SIGPIPE signal raised by writing to the closed socket. With this update, the library sends with the MSG_NOSIGNAL flag, so the write fails with an error the client can handle instead of the client being killed in the described scenario.
- BZ#888053
- Prior to this update, the gfs2_convert tool was unable to handle certain corner cases when converting between GFS1 and GFS2 file systems. Consequently, the converted GFS2 file system contained errors. With this update, gfs2_convert has been fixed to detect these corner cases and adjust the converted file system accordingly.
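The two steps the fenced.log fix (BZ#845341) describes, creating a log with restrictive permissions from the start and tightening one that already exists, as an added example that is not fenced's code: the mode is handed to open(2) together with O_CREAT, so there is no moment where the file exists with wider permissions, an existing file is fixed through the open descriptor rather than by path, and a symbolic link at the log path is refused rather than followed. The function names, the mode constant, the sample log line and the attacker-placed link are constructed.

```python
"""Creating a daemon log file that is not world readable, and fixing one that is.

Added example, not fenced's code: the two steps BZ#845341 describes, creating
the log with restrictive permissions from the start (mode handed to open(2),
so there is no window where the file exists with wider permissions) and
tightening an existing file. It also refuses to follow a symbolic link at the
log path, which a pre-placed link could otherwise redirect. Function names
and the mode constant are constructed.
"""
import os
import stat
import tempfile

PRIVATE_MODE = 0o600           # owner read/write only


def open_private_log(path: str) -> int:
    """Open `path` for appending and return the descriptor.

    O_CREAT with an explicit mode makes the file private at creation; the
    umask can only remove bits from that. O_NOFOLLOW turns a symlink at the
    path into an error (ELOOP) instead of opening its target.
    """
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW, PRIVATE_MODE)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OSError(f"{path} is not a regular file")
        # Fix a pre-existing file that was created world readable. fchmod on the
        # open descriptor avoids a race between checking the path and changing it.
        if stat.S_IMODE(st.st_mode) & 0o077:
            os.fchmod(fd, PRIVATE_MODE)
    except Exception:
        os.close(fd)
        raise
    return fd


def log_mode(path: str) -> int:
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo(directory: str) -> dict:
    """Exercise both paths in `directory`; return the resulting modes."""
    fresh = os.path.join(directory, "fresh.log")
    old = os.path.join(directory, "old.log")
    link = os.path.join(directory, "link.log")
    with open(old, "w"):
        pass
    os.chmod(old, 0o644)                      # the historical world-readable state
    os.symlink("/etc/passwd", link)           # hypothetical attacker-placed link

    results = {}
    for name, path in (("fresh", fresh), ("old", old)):
        fd = open_private_log(path)
        os.write(fd, b"fenced: example log line\n")   # constructed log line
        os.close(fd)
        results[name] = log_mode(path)
    try:
        open_private_log(link)
        results["link"] = "opened"
    except OSError:
        results["link"] = "refused"
    return results


def demo_in_tempdir() -> dict:
    """Run demo() in a throwaway directory."""
    with tempfile.TemporaryDirectory() as d:
        return demo(d)


if __name__ == "__main__":
    print(demo_in_tempdir())
```

The same shape applies to any long-running daemon: a world-readable log is an information leak (node names, fencing actions, addresses), and a daemon that only sets permissions on first creation never repairs a file left behind by an older version.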
Enhancements
- BZ#661764
- The cman cluster manager is now supported with the bonding mode options 0, 1, and 2. Prior to this update, only bonding mode 1 was supported.
- BZ#738704
- This update adds support for clusters utilizing the Red Hat Enterprise Virtualization Manager native shared storage between nodes.
- BZ#786118
- The hostname aliases from the /etc/hosts file are now accepted as cluster node names across cluster applications.
- BZ#797952
- A new tool, fence_check, has been added to provide a method to test the fence configuration in a non disruptive way. The tool has been designed to run via the crontab utility for regular monitoring of fence devices.
- BZ#821016
- This update enables passing additional command line options to the dlm_controld daemon using the /etc/sysconfig/cman file.
- BZ#842370
- The Distributed Lock Manager (DLM) now allows tuning of the DLM hash table sizes from the /etc/sysconfig/cman file. The following parameters can be set there: DLM_LKBTBL_SIZE=<size_of_table>, DLM_RSBTBL_SIZE=<size_of_table> and DLM_DIRTBL_SIZE=<size_of_table>. They modify the values in the /sys/kernel/config/dlm/cluster/lkbtbl_size, /sys/kernel/config/dlm/cluster/rsbtbl_size and /sys/kernel/config/dlm/cluster/dirtbl_size files, respectively.
- BZ#857299
- Previously, it was not possible to modify the default TCP port (21064) of the Distributed Lock Manager (DLM). With this update, the DLM_TCP_PORT configuration parameter has been added to the /etc/sysconfig/cman file. As a result, the DLM TCP port can be configured manually.
- BZ#860048
- The fsck.gfs2 program now checks for formal mismatches between disk inode numbers and directory entries in the GFS2 file system.
- BZ#860847
- This update adds support for two and four node clusters utilizing the rgmanager daemon with the rrp_mode option enabled.
- BZ#878196
- This update adds support for clusters utilizing VMware's VMDK (Virtual Machine Disk) disk image technology with the multi-writer option. This allows using VMDK-based storage with the multi-writer option for clustered file systems such as GFS2.
7.26. control-center
Bug Fix
- BZ#805069
- Prior to this update, the status LEDs on Wacom tablets did not correctly indicate the current mode. With this update, the LEDs now indicate which of the Touch Ring or Touch Strip modes are active.
7.27. coolkey
Bug Fixes
- BZ#861108
- Previously, Coolkey was unable to recognize PIV-I cards. This update fixes the bug and Coolkey now allows these cards to be read and display certificate information as expected.
- BZ#879563
- Prior to this update, The pkcs11_listcerts and pklogin_finder utilities were unable to recognize certificates and USB tokens on smart cards after upgrading the Coolkey library. A patch has been provided to address this issue and these utilities now work as expected.
- BZ#806038
- Previously, the remote-viewer utility failed to utilize a plugged smart card reader when a Spice client was running. Eventually, the client could terminate unexpectedly. Now, remote-viewer recognizes the reader and offers authentication once the card is inserted and the crashes no longer occur.
- BZ#884266
- Previously, certain new PIV-II smart cards could not be recognized by client card readers, the ESC card manager, or the pklogin_finder utility. A patch has been provided to address this issue and PIV-II cards now work with Coolkey as expected.
Enhancement
- BZ#805693
- Support for Oberthur Smart Cards has been added to the Coolkey library.
7.28. Core X11 Libraries
Package name | Upstream version | BZ number |
---|---|---|
libxcb | 1.8.1 | 755654 |
libXcursor | 1.1.13 | 755656 |
libX11 | 1.5.0 | 755657 |
libXi | 1.6.1 | 755658 |
libXt | 1.1.3 | 755659 |
libXfont | 1.4.5 | 755661 |
libXrender | 0.9.7 | 755662 |
libXtst | 1.2.1 | 755663 |
libXext | 1.3.1 | 755665 |
libXaw | 1.0.11 | 755666 |
libXrandr | 1.4.0 | 755667 |
libXft | 2.3.1 | 755668 |
Package name | Upstream version | BZ number |
---|---|---|
libXau | 1.0.6 | 835172 |
libXcomposite | 0.4.3 | 835183 |
libXdmcp | 1.1.1 | 835184 |
libXevie | 1.0.3 | 835186 |
libXinerama | 1.1.2 | 835187 |
libXmu | 1.1.1 | 835188 |
libXpm | 3.5.10 | 835190 |
libXres | 1.0.6 | 835191 |
libXScrnSaver | 1.2.2 | 835192 |
libXv | 1.0.7 | 835193 |
libXvMC | 1.0.7 | 835195 |
libXxf86dga | 1.1.3 | 835196 |
libXxf86misc | 1.0.3 | 835197 |
libXxf86vm | 1.1.2 | 835198 |
libdrm | 2.4.39 | 835202 |
libdmx | 1.1.2 | 835203 |
pixman | 0.26.2 | 835204 |
xorg-x11-proto-devel | 7.6 | 835206 |
xorg-x11-util-macros | 1.17 | 835207 |
xorg-x11-xtrans-devel | 1.2.7 | 835276 |
xkeyboard-config | 2.6 | 835284 |
libpciaccess | 0.13.1 | 843585 |
xcb-proto | 1.7 | 843593 |
libSM | 1.2.1 | 843641 |
Bug Fixes
- BZ#802559
- Previously, in the xorg-x11-proto-devel package, the definition of the _X_NONNULL macro was incompatible with C89 compilers. Consequently, C89 applications could not be built in C89 mode if the X11/Xfuncproto.h file was included. This update fixes the macro definition to be compatible with C89 mode.
- BZ#804907
- Prior to this update, XI2 events were not properly initialized and could contain garbage values. A patch for the libXi package, which had been setting values to garbage, has been provided to fix this bug. Now, actual events no longer contain garbage values and are initialized as expected.
- BZ#871460
- Previously, the spec file of the xkeyboard-config package used the %{dist} macro in the Version tag. Although the standard Red Hat Enterprise Linux build environment defines this macro, it is not guaranteed to be defined. If it was not defined, %{dist} appeared literally in the resulting RPM package's version string when the package was rebuilt. The spec file has been corrected to use the conditional %{?dist} form, which expands to an empty string if %{dist} is not defined.
7.29. Core X11 clients
Security Fix
- CVE-2011-2504
- It was found that the x11perfcomp utility included the current working directory in its PATH environment variable. Running x11perfcomp in an attacker-controlled directory would cause arbitrary code execution with the privileges of the user running x11perfcomp.
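Why a current-directory entry in PATH is a code execution hole, as an added example that is not the x11perfcomp fix itself: a PATH lookup simulated over a constructed in-memory filesystem, an audit that reports the entries which resolve relative to the current directory (including the empty entry produced by a leading, trailing or doubled colon, which POSIX lookup treats like "."), and a sanitizer that drops them. The sample filesystem, the directory names and the function names are constructed.

```python
"""Why a "." (or empty) entry in PATH is a code execution hole.

Added example, not the x11perfcomp fix itself: a PATH lookup simulated over a
constructed in-memory filesystem, an audit that reports the entries which
resolve relative to the current directory, and a sanitizer that drops them.
Names in the sample filesystem and the function names are constructed.
"""
import os


def unsafe_path_entries(path: str) -> list:
    """Return (index, entry) for every PATH element that is relative to the cwd.

    The empty string (from a leading, trailing or doubled colon) means the
    current directory in POSIX PATH lookup, just like "." does.
    """
    return [(i, e) for i, e in enumerate(path.split(":")) if e == "" or not e.startswith("/")]


def sanitize_path(path: str) -> str:
    """Keep only absolute entries, preserving their order."""
    return ":".join(e for e in path.split(":") if e.startswith("/"))


def resolve_command(name: str, path: str, cwd: str, files) -> str:
    """Simulate execvp(): return the first PATH entry holding `name`, or None.

    `files` is the set of absolute paths that exist and are executable.
    """
    for entry in path.split(":"):
        directory = cwd if entry in ("", ".") else os.path.join(cwd, entry)  # relative entries follow cwd
        candidate = os.path.normpath(os.path.join(directory, name))
        if candidate in files:
            return candidate
    return None


# Constructed filesystem: a trusted "ls" plus an attacker's "ls" in a shared directory.
FILES = {"/usr/bin/ls", "/bin/ls", "/tmp/shared/ls"}


def demo(path: str, cwd: str = "/tmp/shared") -> dict:
    """Resolve "ls" from `cwd` with `path` before and after sanitising it."""
    return {
        "unsafe_entries": unsafe_path_entries(path),
        "resolved": resolve_command("ls", path, cwd, FILES),
        "resolved_after_fix": resolve_command("ls", sanitize_path(path), cwd, FILES),
    }


if __name__ == "__main__":
    print(demo(".:/usr/bin:/bin"))          # an explicit "." first, as x11perfcomp had
    print(demo("/usr/bin::/bin"))            # an empty entry hides in the middle
```

A tool that prepends "." so that it can find its own helpers in the build directory gets exactly the first case: any command it runs by bare name, in a directory the attacker can write to, is the attacker's.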
7.30. corosync
Bug Fixes
- BZ#783068
- Prior to this update, the corosync-notifyd service did not run after restarting the process. This update modifies the init script to wait for the actual exit of previously running instances of the process. Now, the corosync-notifyd service runs as expected after restarting.
- BZ#786735
- Prior to this update, an incorrect node ID was sent in recovery messages when corosync entered recovery. As a consequence, debugging problems in the source code was difficult. This update sets the correct node ID.
- BZ#786737
- Upon receiving a JoinMSG message in the OPERATIONAL state, a node enters the GATHER state. However, if the JoinMSG was discarded, the node that sent it could not receive a response until the tokens of the other nodes had expired. This caused nodes that had entered the GATHER state to take longer to rejoin the ring. With this update, the underlying source code has been modified to address this issue.
- BZ#787789
- Prior to this update, when the netfilter firewall blocked incoming and outgoing multicast packets, corosync could become suspended and fail to create a membership, and the cluster could not be used. After this update, corosync no longer depends on the multicast loop kernel feature for local message delivery; it uses a socketpair of Unix datagram sockets instead.
- BZ#794744
- Previously, on InfiniBand devices, corosync autogenerated the node ID even when the configuration file or the cluster manager (cman) had already set one. This update modifies the underlying code to recognize user-set node IDs. Now, corosync autogenerates node IDs only when the user has not provided one.
- BZ#821352
- Prior to this update, corosync sockets were bound to the peer's IP address instead of the local IP address when the IP address was configured as point-to-point (netmask /32). As a consequence, corosync was unable to create memberships. This update modifies the underlying code to use the correct information about the local IP address.
- BZ#824902
- Prior to this update, the corosync logic always used the first IP address that was found. As a consequence, users could not use more than one IP address on the same network. This update modifies the logic to use the first network address if no exact match was found. Now, users can bind to the IP address they select.
- BZ#827100
- Prior to this update, some sockets were not bound to a concrete IP address but listened on all interfaces in the UDPU mode. As a consequence, users could encounter problems when configuring the firewall. This update binds all sockets correctly.
- BZ#847232
- Prior to this update, configuration file names that consisted of more than 255 characters could cause corosync to abort unexpectedly. This update returns the complete item value. In case of the old ABI, corosync prints an error. Now, corosync no longer aborts with longer names.
- BZ#838524
- When corosync was running with the votequorum library enabled, votequorum's register reloaded the configuration handler after each change in the configuration database (confdb). This caused corosync to run slower and to eventually encounter an Out Of Memory error. After this update, a register callback is only performed during startup. As a result, corosync no longer slows down or encounters an Out Of Memory error.
- BZ#848210
- Prior to this update, the corosync-notifyd output was considerably slow and corosync memory usage grew when D-Bus output was enabled; the memory was not freed when corosync-notifyd was closed. This update modifies the corosync-notifyd event handler so that it does not wait when there is nothing to receive from or send to D-Bus. Now, corosync frees the memory when the IPC client exits, and corosync-notifyd produces output at the speed of incoming events.
- BZ#830799
- Previously, the cluster node membership did not correspond with the CPG library membership. Consequently, the nodes were recognized as unknown, and corosync warning messages were not returned. A patch with enhanced logging from CPG has been provided to fix this bug. Now, the nodes work with CPG correctly, and appropriate warning messages are returned.
- BZ#902397
- Due to a regression, the corosync utility did not work with IPv6, which caused the network interface to be down. A patch has been provided to fix this bug. Corosync now works with IPv6 as expected, and the network interface is up.
- BZ#865039
- Previously, during heavy cluster operations, one of the nodes failed while writing numerous messages of the following form to the syslog file: "dlm_controld[32123]: cpg_dispatch error 2". A patch has been applied to address this issue.
- BZ#850757
- Prior to this update, corosync dropped ORF tokens together with memb_join packets when using CPU timing on certain networks. As a consequence, the RRP interface could be wrongly marked as faulty. This update drops only memb_join messages.
- BZ#861032
- Prior to this update, the corosync.conf parser failed if the ring number was larger than the allowed maximum of 1. As a consequence, corosync could abort with a segmentation fault. This update adds a check to the corosync.conf parser. Now, an error message is printed if the ring number is larger than 1.
- BZ#863940
- Prior to this update, when corosync was stopped on multiple nodes, it could, under certain circumstances, abort with a segmentation fault because callbacks were invoked on services that had already been unloaded. This update ensures that the corosync service no longer calls callbacks on unloaded services.
- BZ#869609
- Prior to this update, corosync could abort with a segmentation fault when a large number of corosync nodes were started together. This update modifies the underlying code to ensure that the NULL pointer is not dereferenced. Now, corosync no longer encounters segmentation faults when starting multiple nodes at the same time.
- BZ#876908
- Prior to this update, running the corosync-objctl command with additional parameters could cause the "Error reloading DB 11" error. This update removes the reloading function and handles changes to objects in the configuration database (confdb) directly. Now, the logging level can be changed as expected.
- BZ#873059
- Several typos in the corosync(8) manual page have been fixed. Also, manual pages for confdb_* functions have been added.
Enhancements
- BZ#770455
- With this update, the corosync log includes the hostname and the process ID of the processes that join the cluster to allow for better troubleshooting.
- BZ#794522
- This update adds the manual page confdb_keys.8 to provide descriptions for corosync runtime statistics that are returned by corosync-objctl.
- BZ#838743
- This update adds the new trace level to filter corosync flow messages to improve debugging.
Bug Fix
- BZ#929101
- When running applications which used the Corosync IPC library, some messages in the dispatch() function were lost or duplicated. This update properly checks the return values of the dispatch_put() function, returns the correct remaining bytes in the IPC ring buffer, and ensures that the IPC client is correctly informed about the real number of messages in the ring buffer. Now, messages in the dispatch() function are no longer lost or duplicated.
7.31. cpuspeed
Bug Fix
- BZ#876738
- Previously, the cpuspeed daemon used a naive method of getting the highest available scaling frequency. Consequently, on certain platforms, cpuspeed did not set the CPU to the correct maximum limit. A patch has been provided to address this issue and cpuspeed now sets the maximum speed correctly.
Bug Fixes
- BZ#642838
- Prior to this update, when the PCC driver was loaded, the “userspace” governor was used instead of the “ondemand” governor. This update modifies the init script to also check for the PCC driver.
- BZ#738463
- Prior to this update, the cpuspeed init script tried to set the CPU frequency system files on a per-core basis, which is a deprecated procedure. This update sets the thresholds globally.
- BZ#616976
- Prior to this update, the cpuspeed tool did not reset MIN and MAX values, when the configuration file was emptied. As a consequence, the MIN_SPEED or MAX_SPEED values were not reset as expected. This update adds conditionals in the init script to check these values. Now, the MIN_SPEED or MAX_SPEED values are reset as expected.
- BZ#797055
- Prior to this update, the init script did not handle the IGNORE_NICE parameter as expected. As a consequence, "-n" was added to command options when the IGNORE_NICE parameter was set. This update modifies the init script to stop adding the NICE option when using the IGNORE_NICE parameter.
Bug Fix
- BZ#990474
- The cpuspeed init script relied on the presence of the scaling_available_frequencies sysfs file to get the maximum possible scaling frequency for the system. Certain platforms did not provide the scaling_available_frequencies sysfs file, which caused the attempt to set the maximum scaling frequency to fail. With this update, the init script now reads the frequency from cpuinfo_max_speed, and setting the maximum scaling frequency now works on all platforms.
7.32. crash
Bug Fix
- BZ#843093
- A recent time-keeping backport to the Red Hat Enterprise Linux 6 kernel caused the crash utility to fail during initialization with the "crash: cannot resolve: xtime" error message. This update modifies crash to recognize and handle the time-keeping change in the kernel so that crash now successfully starts up as expected.
Enhancements
- BZ#739094
- The crash utility has been modified to support dump files in the firmware-assisted dump (fadump) format for the 64-bit PowerPC architecture.
- BZ#834260
- The "struct -o" option has been enhanced to accept a virtual address argument. If an address argument is entered, the structure members are prepended by their virtual address.
- BZ#834276
- The "bt" command has been enhanced by adding new "-s" and "[-xd]" options that allow displaying symbol names plus their offset in each frame. The default behavior is unchanged where only the symbol name is displayed. The symbol offset is expressed in the default output format, which can be overridden using the "-x" (hexadecimal) or "-d" (decimal) options.
7.33. createrepo
Bug Fix
- BZ#833350
- Previously, the createrepo utility ignored the "umask" command for files created in the createrepo cache directory. This behavior caused problems when more than one user was updating repositories. The bug has been fixed, and multiple users can now update repositories without complications.
Enhancements
- BZ#646644
- It is now possible to use the "createrepo" command with both the "--split" and the "--pkglist" options simultaneously.
- BZ#714094
- It is now possible to remove metadata from the repodata directory using the modifyrepo program. This update also enhances updating of the existing metadata.
7.34. ctdb
Bug Fixes
- BZ#758367
- While running ctdb on the GFS2 file system, ctdb could ban a stable node when another node was started or stopped. This bug has been fixed by the rebase and stable nodes are no longer banned in the described scenario.
- BZ#821715
- Previously, on the Glusterfs file system, the ctdb lock file and configuration files were shared. Consequently, the ctdbd daemon running on a node terminated unexpectedly when another node in the cluster was brought down. This bug has been fixed by the rebase and ctdbd no longer crashes in the described scenario.
- BZ#866670
- After removing a ctdb node, the "ctdb status" command reported the same number of nodes as before the node was removed. A patch has been provided to address this issue and "ctdb status" now returns an accurate number of nodes after a remove operation.
7.35. curl
cURL is a utility for getting files from HTTP, FTP, FILE, LDAP, LDAPS, DICT, TELNET, and TFTP servers, using any of the supported protocols. This utility offers many useful capabilities, such as proxy support, user authentication, FTP upload, HTTP post, and file transfer resume.
Bug Fixes
- BZ#741935
- The libssh2 library did not sufficiently reflect its ABI extensions in its version, which prevented the RPM dependency scanner from adding the correct dependency of libcurl on an updated version of libssh2. Consequently, if the user updated libcurl without first updating libssh2, the update ended with incorrect linkage of libcurl and the user was then unable to update libssh2 using yum. An explicit dependency of libcurl on an updated version of libssh2 has been added and yum can now be used to update libcurl.
- BZ#746629
- Previously, libcurl required certificates loaded from files to have unique file base names due to a limitation of the legacy API of NSS (Network Security Services). Some packages using libcurl did not fulfil this requirement and caused nickname collisions within NSS. Now, libcurl has been modified to use a newer API of NSS, which does not suffer from this limitation, and packages using libcurl are now allowed to load certificates from files with unrestricted file names.
- BZ#813127
- Previously, libcurl misinterpreted the Content-Length HTTP header when receiving data using the chunked encoding. Consequently, libcurl failed to read the last chunk of data and the transfer terminated prematurely. An upstream patch has been applied to fix the handling of the header, and the chunked encoding in libcurl now works as expected.
- BZ#841905
- A sub-optimally chosen identifier in the cURL source files clashed with an identifier from a public header file introduced in a newer version of libssh2, which prevented the curl package from building successfully. An upstream patch has been applied to the cURL source files, which fixes the identifier collision, and the package now builds as expected.
- BZ#738456
- The OpenLDAP suite was recently modified to use NSS instead of OpenSSL as the SSL back end. This change led to collisions between libcurl and OpenLDAP on NSS initialization and shutdown. Consequently, applications that were using both libcurl and OpenLDAP failed to establish SSL connections. This update modifies libcurl to use the same NSS API as OpenLDAP, which prevents collisions from occurring. Applications using OpenLDAP and libcurl can now connect to the LDAP server over SSL as expected.
- BZ#719938
- As a solution to a security issue, GSSAPI credential delegation was disabled, which broke the functionality of applications that were relying on delegation, incorrectly enabled by libcurl. To fix this issue, the CURLOPT_GSSAPI_DELEGATION libcurl option has been introduced in order to enable delegation explicitly when applications need it. All applications using GSSAPI credential delegation can now use this new libcurl option to be able to run properly.
- BZ#772642
- SSL connections could not be established with libcurl if the selected NSS database was broken or invalid. This update modifies the code of libcurl to initialize NSS without a valid database, which allows applications to establish SSL connections as expected.
- BZ#873789
- Previously, libcurl incorrectly checked the return values of the SCP/SFTP write functions provided by libssh2. Negative values returned by those functions were treated as negative download amounts, which caused applications to terminate unexpectedly. With this update, all negative values are treated as errors and as such are properly handled on the libcurl level, thus preventing the crashes.
- BZ#879592
- Prior to this update, libcurl used an obsolete libssh2 API for uploading files over the SCP protocol, which limited the maximum size of files being transferred on 32-bit architectures. Consequently, the 32-bit packages of libcurl were unable to transfer large files over SCP. With this update, a new libssh2 API for SCP uploads is used, which does not suffer from this limitation, thus fixing this bug.
Enhancements
- BZ#676596
- Previously, libcurl provided only HTTP status codes in error messages when reporting HTTP errors. This could confuse users not familiar with HTTP. Now, libcurl has been improved to include the HTTP reason phrase in error messages, thus providing more understandable output.
- BZ#730445
- This update introduces a new option, --delegation, which enables Kerberos credential delegation in cURL.
7.36. cvs
- BZ#671145
- Prior to this update, the C shell (csh) did not set the CVS_RSH environment variable to "ssh", and the remote shell (rsh) was used instead when users accessed a remote CVS server. As a consequence, the connection was vulnerable to attacks, because the remote shell is not encrypted and is not necessarily enabled on every remote server. The cvs.csh script now uses valid csh syntax and the CVS_RSH environment variable is properly set at log-in.
- BZ#695719
- Prior to this update, the xinetd package was not a dependency of the cvs package. As a result, the CVS server was not accessible through network. With this update, the cvs-inetd package, which contains the CVS inetd configuration file, ensures that the xinetd package is installed as a dependency and the xinetd daemon is available on the system.
7.37. dash
Bug Fix
- BZ#706147
- Prior to this update, the dash shell was not an allowed login shell. As a consequence, users could not log in using the dash shell. This update adds dash to the /etc/shells list of allowed login shells when the dash package is installed or upgraded, and removes it from the list when the package is uninstalled. Now, users can log in using the dash shell.
7.38. device-mapper-multipath
Bug Fixes
- BZ#578114
- When the kpartx tool tried to delete a loop device that was previously created, and the udev utility still had this loop device open, the delete process would fail with the EBUSY error and kpartx did not attempt to retry this operation. The kpartx tool has been modified to wait for one second and then retry deleting up to three times after the EBUSY error. As a result, loop devices created by kpartx are now always deleted as expected.
- BZ#595692
- The multipathd daemon only checked SCSI IDs when determining World Wide Identifiers (WWIDs) for devices. However, CCISS devices do not support SCSI IDs and could not be used by Device Mapper Multipath. With this update, multipathd checks CCISS devices for CCISS IDs properly and the devices are detected as expected.
- BZ#810755
- Some device configurations in the /usr/share/doc/device-mapper-multipath-0.X.X/multipath.conf.defaults file were out of date. Consequently, if users copied those configurations into the /etc/multipath.conf file, their devices would be misconfigured. The multipath.conf.defaults file has been updated and users can now copy configurations from it without misconfiguring their devices. Note that copying configurations from the multipath.conf.defaults file is not recommended, as the configurations in that file are built into dm-multipath by default.
- BZ#810788
- Previously, Device Mapper Multipath stored multiple duplicate blacklist entries, which were consequently shown when listing the device-mapper-multipath's configuration. Device Mapper Multipath has been modified to check for duplicates before storing configuration entries and to store only the unique ones.
- BZ#813963
- Device Mapper Multipath had two Asymmetric Logical Unit Access (ALUA) prioritizers, which checked two different values. Certain ALUA setups were not correctly failing back to the primary path using either prioritizer because both values need to be checked and neither prioritizer checked them both. With this update, configuration options of both ALUA prioritizers now select the same prioritizer function, which checks both values as expected.
- BZ#816717
- When removing kpartx device partitions, the multipath -f option accepted only the device name, not the full pathname. Consequently, an attempt to delete a multipath device by the full pathname failed if the device had kpartx partitions. Device Mapper Multipath has been modified to accept the full pathname when removing kpartx device partitions, and the deleting process no longer fails in the described scenario.
- BZ#821885
- Previously, the multipath -c option incorrectly listed SCSI devices that were blacklisted by device type as valid multipath path devices. As a consequence, Device Mapper Multipath could remove the partitions from SCSI devices that never ended up getting multipathed. With this update, multipath -c now checks if a SCSI device is blacklisted by device type, and reports it as invalid if it is.
- BZ#822389
- On reload, if a multipath device was not set to use the user_friendly_names parameter or a user-defined alias, Device Mapper Multipath would use its existing name instead of setting the WWID. Consequently, disabling user_friendly_names did not cause the multipath device names to change back to WWIDs on reload. This bug has been fixed and Device Mapper Multipath now sets the device name to its WWID if no user_friendly_names or user-defined aliases are set. As a result, disabling user_friendly_names now allows device names to switch back to WWIDs on reload.
- BZ#829065
- When the Redundant Disk Array Controller (RDAC) checker returned the DID_SOFT_ERROR error, Device Mapper Multipath did not retry running the RDAC checker. This behavior caused Device Mapper Multipath to fail paths for transient issues that may have been resolved if it had retried the checker. Device Mapper Multipath has been modified to retry the RDAC checker if it receives the DID_SOFT_ERROR error and no longer fails paths due to this error.
- BZ#831045
- When a multipath vector, which is a dynamically allocated array, was shrunk, Device Mapper Multipath was not reassigning the pointer to the array. Consequently, if the array location was changed by the shrinking, Device Mapper Multipath would corrupt its memory with unpredictable results. The underlying source code has been modified and Device Mapper Multipath now correctly reassigns the pointer after the array has been shrunk.
- BZ#836890
- Device Mapper Multipath was occasionally assigning a WWID with a white space for AIX VDASD devices. As a consequence, there was no single blacklist of WWID entry that could blacklist the device on all machines. With this update, Device Mapper Multipath assigns WWIDs without any white space characters for AIX VDASD devices, so that all machines assign the same WWID to an AIX VDASD device and the user is always able to blacklist the device on all machines.
- BZ#841732
- If two multipath devices had their aliases swapped, Device Mapper Multipath switched their tables. Consequently, if the user switched aliases on two devices, any application using the device would be pointed to the incorrect Logical Unit Number (LUN). Device Mapper Multipath has been modified to check if the device's new alias matches a different multipath device, and if so, to not switch to it.
- BZ#860748
- Previously, Device Mapper Multipath did not check the device type and WWID blacklists as soon as this information was available for a path device. Device Mapper Multipath has been modified to check the device type and WWID blacklists as soon as this information is available. As a result, Device Mapper Multipath no longer waits before blacklisting invalid paths.
- BZ#869253
- Previously, the multipathd daemon and the kpartx tool did not instruct the libdevmapper library to skip the device creation process and let udev create the device. As a consequence, sometimes libdevmapper created a block device in the /dev/mapper/ directory, and sometimes udev created a symbolic link in the same directory. With this update, multipathd and kpartx prevent libdevmapper from creating a block device, and udev always creates a symbolic link in the /dev/mapper/ directory as expected.
Enhancements
- BZ#619173
- This enhancement adds a built-in configuration for SUN StorageTek 6180 to Device Mapper Multipath.
- BZ#735459
- To set up persistent reservations on multipath devices, it was necessary to set them up on all of the path devices. If a path device was added later, the user had to manually add reservations to that path. This enhancement adds the ability to set up and manage SCSI persistent reservations using device-mapper devices with the mpathpersist utility. As a result, when path devices are added, persistent reservations are set up on them as well.
- BZ#810989
- This enhancement updates the multipathd init script to load the dm-multipath module, so that users do not have to do this manually in cases when no /etc/multipath.conf file is present during boot. Note that it is recommended to create the multipath.conf file by running the mpathconf --enable command, which also loads the dm-multipath module.
- BZ#818367
- When the RDAC path device is in service mode, it is unable to handle I/O requests. With this enhancement, Device Mapper Multipath puts an RDAC path device into a failed state if it is in the service mode.
- BZ#839386
- This update adds two new options to the defaults and devices sections of the multipath.conf file: the retain_attached_hw_handler option and the detect_prio option. By default, both of these options are set to no in the defaults section of the multipath.conf file. However, they are set to yes in the NETAPP/LUN device configuration. If retain_attached_hw_handler is set to yes and the SCSI layer has already attached a hardware handler to the device, Device Mapper Multipath uses that hardware handler. If detect_prio is set to yes, Device Mapper Multipath checks whether the device supports ALUA. If so, it automatically sets the prioritizer to the alua value. If the device does not support ALUA, Device Mapper Multipath sets the prioritizer as usual. This behavior allows NETAPP devices to work in ALUA or non-ALUA mode without requiring users to change the built-in configuration. In order for retain_attached_hw_handler to work, the SCSI layer must have already attached the device handler. To do this, the appropriate scsi_dh_XXX module, for instance scsi_dh_alua, must be loaded before the SCSI layer discovers the devices. To guarantee this, add the following parameter to the kernel command line: rdloaddriver=scsi_dh_XXX
Bug Fix
- BZ#988704
- Prior to this update, Device Mapper Multipath did not check for NULL pointers before dereferencing them in the sysfs functions. As a result, the multipathd daemon could crash if a multipath device was resized while a path device was being removed. With this update, Device Mapper Multipath checks for NULL pointers in sysfs functions and no longer crashes when a multipath device is resized at the same time as a path device is removed.
Enhancement
- BZ#993545
- This update adds a new keyword, "reload_readwrite", to the defaults section of the /etc/multipath.conf file. If it is set to "yes", multipathd listens to path device change events, and if the device has read-write access, it reloads the multipath device. This allows multipath devices to obtain read-write permissions automatically as soon as the path devices have read-write access, instead of requiring manual intervention. Thus, when all the path devices belonging to a multipath device have read-write access, the multipath device automatically allows read-write permissions.
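As an added illustration that is not taken from the Technical Notes or from the device-mapper-multipath project, the fragment below shows how the options described for BZ#839386 (retain_attached_hw_handler, detect_prio) and BZ#993545 (reload_readwrite) are written in the defaults section of /etc/multipath.conf. The option names and the shipped "no" defaults come from the notes; the decision to set each of them to "yes" here, and the user_friendly_names line, are choices made for this example only.

```conf
# Added example; this is not a file shipped with device-mapper-multipath.
# Only the defaults section is shown. Built-in vendor entries (such as the
# NETAPP/LUN configuration mentioned in the notes) still apply on top of it.
defaults {
    # Keep device names as WWIDs so they stay stable across reloads.
    # (Example choice; the notes do not prescribe this value.)
    user_friendly_names        no

    # Shipped default is "no". With "yes", a hardware handler that the SCSI
    # layer has already attached (for example via scsi_dh_alua) is kept.
    # The scsi_dh_* module must be loaded before device discovery, which
    # the notes achieve with rdloaddriver=scsi_dh_alua on the kernel
    # command line.
    retain_attached_hw_handler yes

    # Shipped default is "no". With "yes", the prioritizer is switched to
    # "alua" automatically for LUNs that report ALUA support, and left as
    # configured otherwise.
    detect_prio                yes

    # Keyword added with BZ#993545: reload the multipath map when its path
    # devices change to read-write, instead of waiting for manual action.
    reload_readwrite           yes
}
```

After editing the file, the notes' own recommendation applies: create or enable the configuration with mpathconf --enable so that the dm-multipath module is loaded, and confirm with rdloaddriver that the scsi_dh_* handler is attached before the SCSI layer discovers the LUNs, otherwise retain_attached_hw_handler has nothing to retain.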
7.39. dhcp
Security Fix
- CVE-2012-3955
- A flaw was found in the way the dhcpd daemon handled the expiration time of IPv6 leases. If dhcpd's configuration was changed to reduce the default IPv6 lease time, lease renewal requests for previously assigned leases could cause dhcpd to crash.
Bug Fixes
- BZ#803540
- Prior to this update, the DHCP server discovered only the first IP address of a network interface if the network interface had more than one configured IP address. As a consequence, the DHCP server failed to restart if it was configured to serve only a subnet of one of the subsequent IP addresses. This update modifies the network interface address discovery code to find all addresses of a network interface. The DHCP server can now also serve subnets of the other addresses.
- BZ#824622
- Prior to this update, if the configuration file had been changed while dhclient ran with PEERDNS=yes, dhclient rewrote the /etc/resolv.conf file with backup data after it was stopped, even when the PEERDNS flag had been set to "no" before shutdown. This update removes the backup and restore functions for this configuration file from the dhclient-script. Now, dhclient no longer rewrites the /etc/resolv.conf file when stopped.
Bug Fix
- BZ#1005672
- Previously, when the dhcpd daemon or the dhclient tool was started to serve on an alias interface of an InfiniBand network interface card, dhcpd or dhclient terminated unexpectedly. One of the patches was improved to cover this specific case, thus fixing the bug. Now, both dhcpd and dhclient run correctly.
7.40. dnsmasq
Security Fix
- CVE-2012-3411
- It was discovered that dnsmasq, when used in combination with certain libvirtd configurations, could incorrectly process network packets from network interfaces that were intended to be prohibited. A remote, unauthenticated attacker could exploit this flaw to cause a denial of service via DNS amplification attacks.
Bug Fix
- BZ#815819
- Due to a regression, the lease change script was disabled. Consequently, the "dhcp-script" option in the /etc/dnsmasq.conf configuration file did not work. This update corrects the problem and the "dhcp-script" option now works as expected.
Enhancements
- BZ#824214
- Prior to this update, dnsmasq did not validate that the tftp directory given actually existed and was a directory. Consequently, configuration errors were not immediately reported on startup. This update improves the code to validate the tftp root directory option. As a result, fault finding is simplified especially when dnsmasq is called by external processes such as libvirt.
- BZ#850944
- The dnsmasq init script used an incorrect Process Identifier (PID) in the "stop", "restart", and "condrestart" commands. Consequently, if there were some dnsmasq instances running besides the system one started by the init script, then repeated calling of "service dnsmasq" with "stop" or "restart" would kill all running dnsmasq instances, including ones not started with the init script. The dnsmasq init script code has been corrected to obtain the correct PID when calling the "stop", "restart", and "condrestart" commands. As a result, if there are dnsmasq instances running in addition to the system one started by the init script, then by calling "service dnsmasq" with "stop" or "restart" only the system one is stopped or restarted.
- BZ#887156
- When two or more dnsmasq processes were running with DHCP enabled on one interface, DHCP RELEASE packets were sometimes lost. Consequently, when two or more dnsmasq processes were running with DHCP enabled on one interface, releasing IP addresses sometimes failed. This update sets the SO_BINDTODEVICE socket option on DHCP sockets if running dnsmasq with DHCP enabled on one interface. As a result, when two or more dnsmasq processes are running with DHCP enabled on one interface, they can release IP addresses as expected.
7.41. docbook-utils
Bug Fix
- BZ#639866
- Prior to this update, the Perl script used for generating manpages contained a misprint in the header. As a consequence, the header syntax of all manual pages that docbook-utils built was wrong. This update corrects the script. Now the manual page headers have the right syntax.
7.42. dovecot
Security Fixes
- CVE-2011-2166, CVE-2011-2167
- Two flaws were found in the way some settings were enforced by the script-login functionality of Dovecot. A remote, authenticated user could use these flaws to bypass intended access restrictions or conduct a directory traversal attack by leveraging login scripts.
- CVE-2011-4318
- A flaw was found in the way Dovecot performed remote server identity verification, when it was configured to proxy IMAP and POP3 connections to remote hosts using TLS/SSL protocols. A remote attacker could use this flaw to conduct man-in-the-middle attacks using an X.509 certificate issued by a trusted Certificate Authority (for a different name).
Bug Fix
- BZ#697620
- When a new user first accessed their IMAP inbox, Dovecot was, under some circumstances, unable to change the group ownership of the inbox directory in the user's Maildir location to match that of the user's mail spool (/var/mail/$USER). This correctly generated an "Internal error occurred" message. However, with a subsequent attempt to access the inbox, Dovecot saw that the directory already existed and proceeded with its operation, leaving the directory with incorrectly set permissions. This update corrects the underlying permissions setting error. When a new user now accesses their inbox for the first time, and it is not possible to set group ownership, Dovecot removes the created directory and generates an error message instead of keeping the directory with incorrect group ownership.
7.43. dracut
Bug Fixes
- BZ#835646
- Previously, dracut could not handle uppercase MAC addresses for the PXE "BOOTIF=" parameter. As a consequence, a machine with a dracut generated initramfs could not boot over the network, when the "BOOTIF=" parameter contained uppercase MAC addresses. With this update, dracut converts internally the MAC addresses to lowercase. Now, a machine with a dracut generated initramfs can boot over the network successfully when the "BOOTIF=" parameter contains uppercase MAC addresses.
- BZ#831338
- Previously, the default mount option of the /proc/ directory during boot up was "mount -t proc -o nosuid,noexec,nodev proc /proc". This resulted in inaccessible device nodes in the /proc/ directory for some kernel drivers. The default mount option of the /proc directory has been changed to "mount -t proc proc /proc" and all kernel modules now load successfully.
- BZ#794751
- Previously, dracut could not use the Internet Small Computer System Interface (iSCSI) and dmsquash-live module together. As a consequence, it was not possible to boot from a live medium over iSCSI. After this update, a dracut-generated initramfs, which contains the iSCSI and dmsquash-live modules, is able to boot a live medium via iSCSI. This can be done using the kernel command "root=live:LABEL=<partition-or-iso-label> netroot=iscsi: ".
- BZ#813057
- Previously, the new Brocade switch firmware took longer to complete the DCBx negotiation and a dracut-generated initramfs did not wait long enough for the DCBx negotiation. Now, the initramfs sleeps for three seconds after loading the "802q" kernel module and the DCBx negotiation with the new Brocade switch firmware completes successfully.
- BZ#843105
- When using the "live_ram" parameter for booting from live media, the dracut-generated initramfs ejected the medium. After this action, a reboot caused the machine to not boot from the medium again, even if it was intended. After this update, dracut honors the "no_eject" kernel command-line parameter. Now, if "no_eject" is given on the kernel command-line, the dracut-generated initramfs no longer ejects the live medium after copying it to the RAM.
- BZ#850493
- In FIPS mode, the kernel image has to be validated by a checksum. The sha512hmac tool reads the absolute path of the file to check from the checksum file. Previously, if "/boot" was not on a separate file system, dracut mounted the root file system to "/sysroot". The "/sysroot/boot" partition was not accessible with the "/boot" path and the sha512hmac tool could not access the file in "/boot" to check for. The check failed and the boot process was cancelled. Consequently, the boot processes did not succeed in FIPS mode if "/boot" was not on a separate file system. Now, dracut creates a symbolic link from the "/sysroot/boot" partition to the "/boot" partition in the initramfs and the sha512hmac tool can check the kernel image and the machine can continue booting, if the check was successful.
- BZ#890081
- Previously, the kernel module "scsi_dh_alua" was not included in the initramfs and as a consequence, "scsi_dh_alua" could not be preloaded via the "rdloaddriver" kernel command. The "scsi_dh_alua" kernel module is now included in the initramfs and "scsi_dh_alua" can be preloaded successfully using "rdloaddriver".
- BZ#854416
- Previously, dracut did not strip the kernel modules as described in the man page. Consequently, the initramfs size grew very large if the customer had kernel modules with a lot of debug information. The dracut utility now strips the kernel modules, except when in FIPS mode, and as a result, the initramfs is smaller and can be loaded on machines with little memory.
Enhancements
- BZ#823507
- Documentation for the "rd_retry=" boot option has been added to the dracut(8) man page.
- BZ#858187
- The dracut utility can now boot from iSCSI on a network with virtual LANs configured, where the virtual LAN settings are stored in the iSCSI Boot Firmware Table BIOS.
7.44. dropwatch
Bug Fix
- BZ#725464
- Prior to this update, the dropwatch utility could become unresponsive because it was waiting for a deactivation acknowledgement to be issued by an already deactivated or stopped service. With this update, dropwatch detects an attempt to deactivate/stop an already deactivated/stopped service and no longer hangs.
7.45. dvd+rw-tools
- BZ#807474
- Prior to this update, the growisofs utility wrote chunks of 32KB and reported an error during the last chunk when burning ISO image files that were not aligned to 32KB. This update allows the written chunk to be smaller than a multiple of 16 blocks.
7.46. e2fsprogs
Bug Fixes
- BZ#806137
- On a corrupted file system, the "mke2fs -S" command could remove files instead of attempting to recover them. This bug has been fixed; the "mke2fs -S" command writes metadata properly and no longer removes files instead of recovering them.
- BZ#813820
- The resize2fs(8) man page did not list an ext4 file system as capable of on-line resizing. This omission has been fixed and the resize2fs(8) man page now includes all file systems that can be resized on-line.
- BZ#858338
- A special flag was used to indicate blocks allocated beyond the end of file on an ext4 file system. This flag was sometimes mishandled, resulting in file system corruption. Both the kernel and user space have been reworked to eliminate the use of this flag.
Enhancement
- BZ#824126
- Previously, users could use the e2fsck utility on a mounted file system, although it was strongly recommended not to do so. Using the utility on a mounted file system led to file system corruption. With this update, e2fsck opens the file system exclusively and fails when the file system is busy. This behavior avoids possible corruption of the mounted file system.
Bug Fix
- BZ#1023351
- The resize2fs utility did not properly handle resizing of an ext4 file system to a smaller size. As a consequence, files containing many extents could become corrupted if they were moved during the resize process. With this update, resize2fs now maintains a consistent extent tree when moving files containing many extents, and such files no longer become corrupted in this scenario.
Bug Fix
- BZ#974193
- Some ext4 extent tree corruptions were not detected or repaired by e2fsck. Inconsistencies related to overlapping interior or leaf nodes in the extent tree were not detected, and the file system remained in an inconsistent state after an e2fsck. These inconsistencies were then detected by the kernel at run time. e2fsck is now able to detect and repair this class of corruptions in the file system.
7.47. eclipse-nls
7.48. environment-modules
Bug Fixes
- BZ#818177
- Due to an error in the Tcl library, some allocated pointers were invalidated inside the library. Consequently, running the "module switch" command in the tcsh shell led to a segmentation fault. The bug has been fixed and the system memory is now allocated and pointed to correctly.
- BZ#848865
- Previously, the /usr/share/Modules/modulefiles/modules file contained an incorrect path. Consequently, an error occurred when the "module load modules" command was executed. With this update, the incorrect path has been replaced and the described error no longer occurs.
7.49. espeak
Bug Fix
- BZ#789997
- Previously, eSpeak manipulated the system sound volume. As a consequence, eSpeak could set the sound volume to maximum regardless of the amplitude specified. The sound volume management code has been removed from eSpeak, and now only PulseAudio manages the sound volume.
7.50. ethtool
7.51. evolution-data-server
Bug Fix
- BZ#734048
- The CalDAV calendar back end converted Uniform Resource Identifiers (URIs) containing unescaped space characters or the "%20" string to "%2520". As a consequence, the back end could not contact the remote CalDAV service, and CalDAV calendars were inaccessible. This bug has been fixed and evolution-data-server works correctly in the described scenario.
7.52. evolution
Security Fix
- CVE-2011-3201
- The way Evolution handled mailto URLs allowed any file to be attached to the new message. This could lead to information disclosure if the user did not notice the attached file before sending the message. With this update, mailto URLs cannot be used to attach certain files, such as hidden files or files in hidden directories, files in the /etc/ directory, or files specified using a path containing "..".
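The following is an added example, not Evolution's own code, of the attachment-path policy the fix describes, written as a stand-alone C filter. The function and result names are assumptions; the rules (no hidden files or files under hidden directories, nothing under /etc/, no ".." component) are the ones listed above, plus refusing relative paths, which the note does not mention.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Evolution's code: result codes for the mailto attach policy. */
enum attach_verdict {
    ATTACH_OK = 0,
    ATTACH_HIDDEN,      /* a dotfile, or a file under a dot-directory such as ~/.ssh */
    ATTACH_ETC,         /* anything under /etc */
    ATTACH_DOTDOT,      /* a ".." component: the path is not what it appears to be */
    ATTACH_RELATIVE     /* not absolute; would be resolved against an unknown cwd */
};

/* Check one path component (the text between two '/' separators). */
static enum attach_verdict check_component(const char *comp, size_t len, int is_first)
{
    if (len == 2 && comp[0] == '.' && comp[1] == '.')
        return ATTACH_DOTDOT;
    if (len >= 2 && comp[0] == '.')        /* a lone "." is harmless and allowed */
        return ATTACH_HIDDEN;
    if (is_first && len == 3 && memcmp(comp, "etc", 3) == 0)
        return ATTACH_ETC;                 /* component-wise, so "//etc/passwd" is caught too */
    return ATTACH_OK;
}

/* Decide whether the attach=<path> argument of a mailto URL may be attached.
 * Purely lexical: nothing is opened or stat()ed. */
enum attach_verdict mailto_attach_verdict(const char *path)
{
    if (path == NULL || path[0] != '/')
        return ATTACH_RELATIVE;

    const char *p = path;
    int first = 1;
    while (*p != '\0') {
        while (*p == '/')                  /* collapse runs of separators */
            p++;
        if (*p == '\0')
            break;
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        enum attach_verdict v = check_component(p, len, first);
        if (v != ATTACH_OK)
            return v;
        first = 0;
        p += len;
    }
    return ATTACH_OK;
}

const char *attach_verdict_name(enum attach_verdict v)
{
    static const char *const names[] = { "ok", "hidden", "etc", "dotdot", "relative" };
    return names[v];
}

int main(void)
{
    /* Constructed sample paths of the kind a hostile mailto: link might carry. */
    const char *samples[] = {
        "/home/user/report.pdf", "/home/user/.ssh/id_rsa", "/etc/passwd",
        "//etc/shadow", "/home/user/../../etc/passwd", ".bash_history",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s %s\n", samples[i],
               attach_verdict_name(mailto_attach_verdict(samples[i])));
    return 0;
}
```

A denylist of this shape is only as good as its list: a path under the user's home directory that is a symlink into /etc, or a sensitive file outside /etc in a non-hidden directory, passes a purely lexical check. For new code, an allowlist of permitted attachment directories, checked after the path has been resolved, is the more robust design.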
Bug Fixes
- BZ#707526
- Creating a contact list with contact names encoded in UTF-8 caused these names to be displayed in the contact list editor in the ASCII encoding instead of UTF-8. This bug has been fixed and the contact list editor now displays the names in the correct format.
- BZ#805239
- Due to a bug in the evolution-alarm-notify process, calendar appointment alarms did not appear in some types of calendars. The underlying source code has been modified and calendar notifications work as expected.
- BZ#890642
- An attempt to print a calendar month view as a PDF file caused Evolution to terminate unexpectedly. This update applies a patch to fix this bug and Evolution no longer crashes in this situation.
7.53. fcoe-target-utils
Bug Fixes
- BZ#819698
- Prior to this update, stopping the fcoe-target daemon did not stop the target session when rebooting. This update improves the fcoe-target script and the fcoe-target daemon can now properly shut down the kernel target.
- BZ#824227
- Prior to this update, a delay in the FCoE interface initialization sometimes resulted in the target configuration not being loaded for that interface. This update permits target configuration for absent interfaces, allowing target and interface configuration in any order.
- BZ#837730
- Prior to this update, specifying a nonexistent backing file when creating a backstore resulted in the unhelpful Python error "ValueError: No such path". This update reports the error in a more helpful way.
- BZ#837992
- Prior to this update, attempting to remove a storage object in a backstore resulted in a Python error. This update fixes the problem and storage objects can now be removed as expected.
- BZ#838442
- Prior to this update, attempting to redirect the output of targetcli resulted in a Python error. This update allows targetcli to be successfully redirected.
- BZ#846670
- Due to a regression, creating a backstore resulted in a Python error. This update allows backstore creation without error.
Enhancements
- BZ#828096
- Prior to this update, the abbreviations used in backstore size listings did not distinguish between power-of-10 units (for example, gigabyte) and power-of-2 units (gibibyte). This update lists backstore sizes using power-of-2 units and labels them as such.
- BZ#828681
- The caching characteristics of backstores are now exposed via the SCSI Write Cache Enable (WCE) bit to initiators, instead of being set opaquely via the "buffered-mode" backstore setting. The default setting for WCE is "on".
7.54. fcoe-utils
Bug Fix
- BZ#867117
- When turning off DCB on a Fibre Channel over Ethernet (FCoE) initiator interface connected to a Cisco Fibre Channel Forwarder (FCF), the fcoemon utility disabled the interface, but the FCoE interface was re-enabled by a Netlink event before DCB was operational again. Consequently, the interface did not operate in degraded mode with LUNs present as expected, and the output of the "ip l" and "fcoeadm -i" commands was contradictory. A patch has been applied to the fcoemon utility to ensure that DCB is operational again before the FCoE interface is enabled when a link is brought up. In addition, a patch has been applied to fcoe-utils to improve error handling and error messages related to creating and deleting FCoE interfaces when DCB is not ready.
Enhancement
- BZ#826291
- Support for VLAN notification with VLAN ID 0 has been added. If a VLAN notification has the tag "VLAN 0", the physical port will now be activated. The VLAN interface will not be created but FCoE will be started on the physical interface itself.
7.55. febootstrap
Bug Fix
- BZ#803962
- The "febootstrap-supermin-helper" program is used when opening a disk image using the libguestfs API, or as part of virt-v2v conversion. Previously, this tool did not always handle the "-u" and "-g" options correctly when the host used an LDAP server to resolve user names and group names. This caused the virt-v2v command to fail when LDAP was in use. With this update, the "febootstrap-supermin-helper" program has been modified to parse the "-u" and "-g" options correctly, so that virt-v2v works as expected in the described scenario.
7.56. fence-agents
Bug Fixes
- BZ#908409
- Previously, when fencing a Red Hat Enterprise Linux cluster node with the fence_vmware_soap fence agent, the agent terminated unexpectedly with a traceback if a host name could not be resolved to an IP address. With this update, a proper error message is displayed in the described scenario.
- BZ#908401
- Due to incorrect detection of newline characters during an SSH connection, the fence_drac5 agent could terminate with a traceback when fencing a Red Hat Enterprise Linux cluster node. Only the first fencing action completed successfully, and the status of the node was not checked correctly. Consequently, the fence agent failed to report successful fencing, and when the "reboot" operation was called, the node was only powered off. With this update, the newline characters are correctly detected and fencing works as expected.
Bug Fixes
- BZ#769798
- The speed of fencing is critical because a broken node that is not fenced promptly has more time to corrupt data. Prior to this update, the fence_vmware_soap fence agent was slower than expected when used on the VMware vSphere platform with hundreds of virtual machines. With this update, the fencing process is faster and no longer terminates if virtual machines without a UID are encountered.
- BZ#822507
- Prior to this update, the attribute "unique" in XML metadata was set to TRUE (1) by default. This update modifies the underlying code to use FALSE (0) as the default value because fence agents do not use these attributes.
- BZ#825667
- Prior to this update, certain fence agents did not generate correct metadata output. As a result, it was not possible to use the metadata for automatic generation of manual pages and user interfaces. With this update, all fence agents generate their metadata as expected.
- BZ#842314
- Prior to this update, the fence_apc script failed to log into APC power switches where firmware changed the end-of-line marker from CR-LF to LF. This update modifies the script to log into a fence device as expected.
- BZ#863568
- Prior to this update, the fence_rhevm agent failed to match its get_id regular expression when a new form of the href attribute was used. As a consequence, the plug status was not available. This update modifies the underlying code so that the correct status is shown as either ON or OFF.
Enhancements
- BZ#740869
- This update adds the fence_ipdu agent to support IBM iPDU fence devices in Red Hat Enterprise Linux 6.
- BZ#752449
- This update adds the fence_eaton agent to support Eaton ePDU (Enclosure Power Distribution Unit) devices in Red Hat Enterprise Linux 6.
- BZ#800650
- This update adds symlinks for common fence types that utilize standards-based agents in Red Hat Enterprise Linux 6.
- BZ#818337
- This update adds the fence_bladecenter agent to the fence-agents packages in Red Hat Enterprise Linux 6 to support the --missing-as-off feature for the HP BladeSystem to handle missing nodes as switched off nodes so that fencing can end successfully even if a blade is missing.
- BZ#837174
- This update supports action=metadata via standard input for all fence agents.
7.57. fence-virt
Bug Fixes
- BZ#761228
- Previously, the fence_virt man page contained incorrect information in the "SERIAL/VMCHANNEL PARAMETERS" section. With this update, the man page has been corrected.
- BZ#853927
- Previously, the fence_virtd daemon returned an incorrect error code to the fence_virt agent when the virt domain did not exist. Consequently, the fence_node utility occasionally failed to detect fencing. With this update, the error codes have been changed and the described error no longer occurs.
Enhancements
- BZ#823542
- The "delay" (-w) option has been added to the fence_virt and fence_xvm fencing agents. The delay option can be used, for example, as a method of preloading a winner in a fence race in a CMAN cluster.
- BZ#843104
- With this update, the documentation of the "hash" parameter in the fence_virt.conf file has been improved to state that the configured hash is the weakest hashing algorithm that will be accepted for client requests.
7.58. file
Bug Fixes
- BZ#795425
- The file utility did not contain a "magic" pattern for detecting QED images and was therefore not able to detect such images. A new "magic" pattern for detecting QED images has been added, and the file utility now detects these images as expected.
- BZ#795761
- The file utility did not contain a "magic" pattern for detecting VDI images and was therefore not able to detect such images. A new "magic" pattern for detecting VDI images has been added, and the file utility now detects these images as expected.
- BZ#797784
- Previously, the file utility did not attempt to load "magic" patterns from the ~/.magic.mgc file, which caused "magic" patterns stored in this file to be unusable. This update modifies the file utility so it now attempts to load the ~/.magic.mgc file. The file is loaded if it exists and "magic" patterns defined in this file work as expected.
- BZ#801711
- Previously, the file utility used read timeout when decompressing files using the "-z" option. As a consequence, the utility was not able to detect files compressed by the bzip2 tool. The underlying source code has been modified so that file no longer uses read timeout when decompressing compressed files. Compressed files are now detected as expected when using the "-z" option.
- BZ#859834
- Previously, the file utility contained multiple "magic" patterns to detect output of the "dump" backup tool. On big-endian architectures, the less detailed "magic" pattern was used and output of the file utility was inconsistent. The less detailed "magic" pattern has been removed, and only one, more detailed, "magic" pattern to detect "dump" output is used now.
7.59. firstboot
Enhancement
- BZ#831818
- Previously, the Firstboot utility allowed displaying only the English version of the End User Licence Agreement (EULA), which could be problematic for users who do not understand English. This update modifies Firstboot so that it uses the $LANG environment variable to find the localized EULA file according to the language set during installation. If the EULA file in the selected language is not found, the default EULA file, which is in English, is used. Users can now read the EULA document in the language chosen during installation before accepting it.
7.60. ftp
Bug Fix
- BZ#783868
- Prior to this update, using the ftp command "put" when the stack size was set to unlimited caused the sysconf(_SC_ARG_MAX) function to return -1, which in turn resulted in the malloc() function being called with an argument of 0 and causing an "Out of memory" message to be displayed. With this update, the underlying source code has been improved to allocate a reasonable minimum of memory. As a result, the "Out of memory" message no longer appears if the stack size was previously set to unlimited.
Bug Fixes
- BZ#869858
- Prior to this update, the ftp client could encounter a buffer overflow and abort if a macro with a name longer than 200 characters was defined and then used after a connection was established. This update extends the buffer that holds the macro name so that it matches the command-line length limit, and the ftp client no longer aborts when a macro with a long name is executed.
Bug Fixes
- BZ#665337
- Previously, the command line width in the ftp client was limited to 200 characters. With this update, the maximum possible length of the FTP command line is extended to 4296 characters.
- BZ#786004
- Prior to this update, "append", "put", and "send" commands were causing system memory to leak. The memory holding the ftp command was not freed appropriately. With this update, the underlying source code has been improved to correctly free the system resources and the memory leaks are no longer present.
- BZ#849940
- Previously, the ftp client could not be invoked to run directly in the active mode. This functionality has been added to the source code and documented in the manual page. The client can now be executed with an additional "-A" command line parameter and will run in the active mode.
- BZ#852636
- Previously, the ftp client hung up when the ftp-data port (20) was not available (e.g. was blocked). The client then had to be terminated manually. Additional logic has been added to the source code. With this update, ftp has an internal timeout set to 30 seconds. If there is no answer from the server when this time has passed, ftp will now gracefully time out and not hang up.
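The two macro-related entries above (BZ#665337 raised the command-line limit to 4296 characters; BZ#869858 found that the macro-name buffer was still 200 bytes) are one bug seen twice: two limits that had to agree were maintained separately. The following added example, not the ftp client's code, derives every buffer size from a single limit and copies with an explicit length check that fails rather than truncating or overflowing. The struct and function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the ftp client's code.  One limit governs the command
 * line and everything parsed out of it; 4296 is the post-update line limit
 * quoted in the notes. */
#define FTP_LINE_MAX   4296
#define MACRO_NAME_MAX FTP_LINE_MAX       /* a token can never be longer than its line */
#define MACRO_MAX      8

struct macro {
    char name[MACRO_NAME_MAX + 1];        /* +1 for the terminating NUL */
    char body[FTP_LINE_MAX + 1];
};

struct macro_table {
    struct macro m[MACRO_MAX];
    int count;
};

enum {
    MAC_OK = 0,
    MAC_ERR_NAME_TOO_LONG = -1,
    MAC_ERR_BODY_TOO_LONG = -2,
    MAC_ERR_TABLE_FULL = -3
};

/* Bounded copy that fails instead of truncating or overflowing.  It never
 * reads more than dstsz bytes of src, so an unterminated src is safe too. */
static bool copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n == dstsz)
        return false;                     /* no room for the terminator */
    memcpy(dst, src, n + 1);
    return true;
}

/* Define a macro.  Pre-fix ftp did the equivalent of
 *     char name[200]; strcpy(name, token);
 * after the line limit had already been raised past 200 bytes. */
int macdef(struct macro_table *t, const char *name, const char *body)
{
    if (t->count >= MACRO_MAX)
        return MAC_ERR_TABLE_FULL;
    struct macro *m = &t->m[t->count];
    if (!copy_bounded(m->name, sizeof m->name, name))
        return MAC_ERR_NAME_TOO_LONG;
    if (!copy_bounded(m->body, sizeof m->body, body))
        return MAC_ERR_BODY_TOO_LONG;
    t->count++;
    return MAC_OK;
}

/* Look a macro up by exact name; NULL if not defined. */
const struct macro *maclookup(const struct macro_table *t, const char *name)
{
    for (int i = 0; i < t->count; i++)
        if (strcmp(t->m[i].name, name) == 0)
            return &t->m[i];
    return NULL;
}

int main(void)
{
    static struct macro_table t;          /* static: the table is about 70 KB */
    char longname[FTP_LINE_MAX + 2];      /* one byte longer than any legal token */
    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("short name:     %d\n", macdef(&t, "lsall", "ls -la"));
    printf("over-long name: %d\n", macdef(&t, longname, "pwd"));
    const struct macro *m = maclookup(&t, "lsall");
    printf("lookup:         %s\n", m ? m->body : "(none)");
    return 0;
}
```

A copier that knows its destination size and reports an error on overflow turns the crash described in BZ#869858 into a handled condition, and deriving both limits from FTP_LINE_MAX means a future change to one cannot silently diverge from the other.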
7.61. gawk
Bug Fix
- BZ#829558
- Prior to this update, the "re_string_skip_chars" function incorrectly used the character count instead of the raw byte length to estimate the string length. As a consequence, text in a multi-byte encoding other than UTF-8 failed to be processed correctly. This update modifies the underlying code so that the correct string length is used, and such multi-byte encodings are now processed correctly.
7.62. gcc
Bug Fixes
- BZ#801144
- Due to the incorrect size of a pointer in GCC GNAT code, GNAT used an incorrect function of the libgcc library when compiling 32-bit Ada binaries on PowerPC architecture. Consequently, these programs could not be linked and the compilation failed. This update fixes the problem so that the sizeof operator now returns the correct size of a pointer, and the appropriate function from libgcc is called. GNAT compiles Ada binaries as expected in this scenario.
- BZ#808590
- The Standard Template Library (STL) contained an incomplete move semantics implementation, which could cause GCC to generate incorrect code. The incorrect headers have been fixed so that GCC now produces the expected code for programs that depend on move semantics.
- BZ#819100
- GCC did not, under certain circumstances, handle generating a CPU instruction sequence that would be independent of indexed addressing on PowerPC architecture. As a consequence, an internal compiler error occurred if the "__builtin_bswap64" built-in function was called with the "-mcpu=power6" option. This update corrects the relevant code so that GCC now generates an alternate instruction sequence that does not depend on indexed addressing in this scenario.
- BZ#821901
- A bug in converting the exception handling region could cause an internal compiler error to occur when compiling profile data with the "-fprofile-use" and "-freorder-basic-blocks-and-partition" options. This update fixes the erroneous code and the compilation of profile data now proceeds as expected in this scenario.
- BZ#826882
- Previously, GCC did not properly handle certain situations in which an enumeration was type cast using the static_cast operator. Consequently, an enumeration item could be assigned an integer value greater than the highest value of the enumeration's range. If the compiled code contained checks involving such enumerations, those checks were incorrectly removed during optimization. With this update, GCC handles enumeration type casts properly and the C++ compiler no longer removes these checks.
- BZ#831832
- Previously, when comparing trees for equality, the C++ compiler did not handle the members of a union or structure properly. This led to an internal compiler error. This update modifies GCC so that unions and structures are now handled correctly, and code that relies on tree equality comparison is now compiled successfully.
- BZ#867878
- GCC previously processed the "srak" instructions without the z196 flag, which enables a compiler to work with these instructions. Consequently, some binaries, such as Firefox, could not be compiled on IBM System z and IBM S/390 architectures. With this update, GCC has been modified to support the z196 flag for the srak instructions, and binaries requiring these instructions can now be compiled successfully on IBM System z and IBM S/390 architectures.
7.63. gdb
Security Fix
- CVE-2011-4355
- GDB tried to auto-load certain files (such as GDB scripts, Python scripts, and a thread debugging library) from the current working directory when debugging programs. This could result in the execution of arbitrary code with the user's privileges when GDB was run in a directory that has untrusted content.
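The entry above describes the vulnerability but not the mitigation. Upstream GDB later added an auto-load safe-path, a list of directories from which scripts may be auto-loaded. The following added example, not GDB's code, shows the core of such a check in C: the candidate path is lexically normalized and then tested for containment in a trusted directory list. The function names and the example directory list are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not GDB's code.  Lexically normalize an absolute path:
 * collapse repeated '/', drop ".", and resolve ".." without going above "/".
 * Returns false for relative paths or when the result does not fit in out. */
static bool normalize_path(const char *in, char *out, size_t outsz)
{
    if (in == NULL || in[0] != '/' || outsz < 2)
        return false;
    size_t n = 0;
    out[n++] = '/';                       /* invariant: out[0..n) ends with '/' */
    const char *p = in;
    while (*p != '\0') {
        while (*p == '/')
            p++;
        if (*p == '\0')
            break;
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 1 && p[0] == '.') {
            p += len;
            continue;
        }
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (n > 1) {                  /* pop the previous component */
                n--;
                while (n > 0 && out[n - 1] != '/')
                    n--;
            }
            p += len;
            continue;
        }
        if (n + len + 1 >= outsz)
            return false;
        memcpy(out + n, p, len);
        n += len;
        out[n++] = '/';
        p += len;
    }
    if (n > 1)
        n--;                              /* strip the trailing '/' except for the root */
    out[n] = '\0';
    return true;
}

/* True if norm is dir itself or lies below it, respecting component boundaries
 * (so "/usr/lib/debug" does not match "/usr/lib/debugger"). */
static bool path_under(const char *norm, const char *dir)
{
    size_t dl = strlen(dir);
    if (strncmp(norm, dir, dl) != 0)
        return false;
    if (dl == 1)                          /* dir is "/" */
        return true;
    return norm[dl] == '\0' || norm[dl] == '/';
}

/* Example trusted list (an assumption for this example, not GDB's default). */
const char *const example_safe_dirs[] = {
    "/usr/share/gdb/auto-load",
    "/usr/lib/debug",
    NULL
};

/* Allow auto-loading `script` only if it lies under one of the trusted directories. */
bool auto_load_allowed(const char *script, const char *const *safe_dirs)
{
    char norm[4096], dirn[4096];
    if (!normalize_path(script, norm, sizeof norm))
        return false;                     /* relative: it would resolve against the cwd */
    for (; *safe_dirs != NULL; safe_dirs++)
        if (normalize_path(*safe_dirs, dirn, sizeof dirn) && path_under(norm, dirn))
            return true;
    return false;
}

int main(void)
{
    const char *candidates[] = {
        "/usr/share/gdb/auto-load/libc.so.6-gdb.py",
        "/tmp/untrusted/.gdbinit",
        "/usr/share/gdb/auto-load/../../../tmp/evil-gdb.py",
    };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        printf("%-52s %s\n", candidates[i],
               auto_load_allowed(candidates[i], example_safe_dirs) ? "load" : "refuse");
    return 0;
}
```

Two caveats: lexical normalization does not resolve symlinks, so a production check should call realpath() on a path that exists and re-test containment on the result; and the trusted list must never include the current working directory or any world-writable location, since that reintroduces the original problem.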
Bug Fixes
- BZ#795424
- When a struct member was at an offset greater than 256 MB, the resulting bit position within the struct overflowed and caused an invalid memory access by GDB. With this update, the code has been modified to ensure that GDB can access such positions.
- BZ#811648
- When a thread list of the core file became corrupted, GDB did not print this list but displayed the "Cannot find new threads: generic error" error message instead. With this update, GDB has been modified and it now prints the thread list of the core file as expected.
- BZ#836966
- GDB did not properly handle debugging of multiple binaries with the same build ID. This update modifies GDB to use symbolic links created for particular binaries so that debugging of binaries that share a build ID now proceeds as expected. Debugging of live programs and core files is now more user-friendly.
Bug Fixes
- BZ#952090
- When users tried to execute the "maintenance set python print-stack" command, gdb did not recognize it and issued an error stating the command was undefined. With this update, gdb now correctly recognizes and executes the command.
- BZ#952100
- When debugging a C++ program which declared a local static variable inside a class, gdb was unable to locate the local static variable. This caused problems when debugging some issues that required examining these kinds of variables. With this update, gdb now correctly identifies that the variable exists, and the debugging process functions normally.
- BZ#954300
- Previously, users experienced an internal error in the debugger when using a Thread Local Storage (TLS) modifier in a static variable declared inside a class on a C++ program, and asking gdb to print its value. This caused the debugging session to be compromised. With this update, gdb is now able to correctly deal with a static variable declared as a TLS inside a class and errors no longer occur in the described scenario.
7.64. gdm
Bug Fixes
- BZ#616755
- Previously, the gdm_smartcard_extension_is_visible() function returned "TRUE" instead of the "ret" variable. Consequently, the smartcard login could not be disabled in the system-config-authentication window if the pcsd package was installed. With this update, gdm_smartcard_extension_is_visible() has been modified to return the correct value. As a result, the described error no longer occurs.
- BZ#704245
- When GDM was used to connect to a host via XDMCP (X Display Manager Control Protocol), another connection to a remote system using the "ssh -X" command resulted in failed authentication with the X server. Consequently, applications such as xterm could not be displayed on a remote system. This update provides a compatible MIT-MAGIC-COOKIE-1 key in the described scenario, thus fixing this incompatibility.
- BZ#738462
- Previously, X server audit messages were not included by default in the X server log. Now, those messages are unconditionally included in the log. Also, with this update, verbose messages are added to the X server log if debugging is enabled in the /etc/gdm/custom.conf file by setting "Enable=true" in the "debug" section.
- BZ#820058
- Previously, after booting the system, the following message occurred in the /var/log/gdm/:0-greeter.log file:
gdm-simple-greeter[PID]: Gtk-WARNING: gtkwidget.c:5460: widget not within a GtkWindow
With this update, this warning is no longer displayed.
Enhancements
- BZ#719647
- With this update, GDM has been modified to allow smartcard authentication when the visible user list is disabled.
- BZ#834303
- Previously, the GDM debugging logs were stored in the /var/log/messages file. With this update, a separate /var/log/gdm/daemon.log file has been established for these debugging logs.
7.65. gd
- BZ#790400
- Prior to this update, the gd graphics library handled inverted Y coordinates incorrectly when changing the thickness of a line. As a consequence, lines with changed thickness were drawn incorrectly. This update modifies the underlying code to draw lines with changed thickness correctly.
7.66. geronimo-specs
Bug Fix
- BZ#818755
- Prior to this update, the geronimo-specs-compat package description contained inaccurate references. This update removes these references so that the description is now accurate.
7.67. glibc
Bug Fixes
- BZ#804686
- Prior to this update, a logic error caused the DNS code of glibc to incorrectly handle rejected responses from DNS servers. As a consequence, additional servers in the /etc/resolv.conf file could not be queried after one server responded with a REJECT. This update modifies the logic in the DNS code. Now, glibc cycles through the servers listed in /etc/resolv.conf even if one returns a REJECT response.
- BZ#806404
- Prior to this update, the nss/getnssent.c file contained an unchecked malloc() call and an incorrect loop test. As a consequence, glibc could abort unexpectedly. This update corrects the malloc() call and the loop test.
- BZ#809726
- Prior to this update, locale data for the characters in the range a-z were incorrect in the Finnish locale. As a consequence, some characters in the range a-z failed to print correctly in the Finnish locale. This update modifies the underlying code to provide the correct output for these characters. Now, characters in the Finnish locale print as expected.
- BZ#823909
- If a file or a string was in the IBM-930 encoding and contained the invalid multibyte character "0xffff", attempting to use iconv() (or the iconv command) to convert that file or string to another encoding, such as UTF-8, resulted in a segmentation fault. Now, the conversion code for the IBM-930 encoding recognizes this invalid character and calls an error handler rather than causing a segmentation fault.
- BZ#826149
- Prior to this update, the fnmatch() function failed with the return value -1 when the wildcard character "*" was part of the pattern argument and the file name argument contained an invalid multibyte encoding. This update modifies the fnmatch() code to recognize this case. Now, the invalid characters are treated as not matching and processing proceeds.
- BZ#827362
- Prior to this update, the internal FILE offset was set incorrectly in wide character streams. As a consequence, the offset returned by ftell() was incorrect. In some cases, this could result in overwriting data. This update modifies the ftell() code to correctly set the internal FILE offset field for wide characters. Now, ftell() and fseek() handle the offset as expected.
- BZ#829222
- Prior to this update, the /etc/rpc file was not marked as a configuration file in the glibc build. As a consequence, updating glibc caused the /etc/rpc file to be replaced without warning or creating a backup copy. This update correctly marks /etc/rpc as a configuration file. Now, the existing /etc/rpc file is left in place, and the bundled version is installed as /etc/rpc.rpmnew.
- BZ#830127
- Prior to this update, the vfprintf() function returned the wrong error codes when encountering an overflow. As a consequence, applications which checked return codes from vfprintf() could get unexpected values. This update corrects the error codes for overflow situations.
- BZ#832516
- Prior to this update, the newlocale() function relied entirely on the failure of an underlying open() call to set the errno variable for an incorrect locale name. As a consequence, newlocale() did not set errno to an appropriate value when failing if it had already been asked about the same incorrect locale name. This update modifies the logic in the loadlocale code so that subsequent attempts to load a nonexistent locale always set errno appropriately.
- BZ#832694
- Prior to this update, the ESTALE error message referred only to NFS file systems. As a consequence, users were confused when non-NFS file systems triggered this error. This update modifies the error message so that it applies to all file systems that can trigger this error.
- BZ#835090
- Prior to this update, an internal array of name servers was only partially initialized when the /etc/resolv.conf file contained IPv6 name servers. As a consequence, applications could, depending on the exact contents of a nearby structure, abort. This update modifies the underlying code to handle IPv6 name servers listed in /etc/resolv.conf.
- BZ#837695
- Prior to this update, a buffer in the resolver code for glibc was too small to hold the results of certain DNS queries. As a consequence, the query had to be repeated after a larger buffer was allocated, wasting time and network bandwidth. This update enlarges the buffer to hold the larger DNS results.
- BZ#837918
- Prior to this update, the logic for the functions exp, exp2, pow, sin, tan, and rint was erroneous. As a consequence, these functions could fail when run in a non-default rounding mode. With this update, the functions return correct results across all four rounding modes.
- BZ#841787
- Prior to this update, glibc incorrectly handled the "options rotate" option in the /etc/resolv.conf file if this file also contained one or more IPv6 name servers. As a consequence, DNS queries could unexpectedly fail, particularly when multiple queries were issued by a single process. This update modifies how the servers listed in /etc/resolv.conf are read into the internal structures of glibc, as well as the sorting and rotation of those structures that implement the "options rotate" capability. Now, DNS names are resolved correctly in glibc.
- BZ#846342
- Prior to this update, certain user-defined 32-bit executables could issue calls to the memcpy() function with overlapping arguments. As a consequence, the applications invoked undefined behavior and could fail. With this update, users with 32-bit applications which call memcpy() with overlapping arguments can create the /etc/sysconfig/32bit_ssse3_memcpy_via_32bit_ssse3_memmove file. If this file exists, glibc redirects all calls to the SSSE3 memcpy copiers to the SSSE3 memmove copier, which is tolerant of overlapping arguments.
Important
We strongly encourage customers to identify and fix these problems in their source code. Overlapping arguments to memcpy() are a clear violation of the ANSI/ISO standards, and Red Hat does not provide binary compatibility for applications which violate these standards.
- BZ#847932
- Prior to this update, the strtod(), strtof(), and strtold() functions, which convert a string to a numeric representation in glibc, contained multiple integer overflow flaws. These caused stack-based buffer overflows. As a consequence, these functions could cause an application to abort or, under certain circumstances, execute arbitrary code. This update modifies the underlying code to avoid these faults.
- BZ#848082
- Prior to this update, the setlocale() function failed to detect memory allocation problems. As a consequence, the setlocale() function eventually core dumped due to NULL pointers or uninitialized strings. This update modifies the setlocale code to ensure that memory allocation succeeded. Now, the setlocale() function no longer core dumps.
- BZ#849651
- Prior to this update, the expf() function was considerably slowed down when saving and restoring the FPU state. This update adds a hand-optimized assembler implementation of the expf() function for Intel 64 and AMD64 platforms. Now, the expf() function is considerably faster.
- BZ#852445
- Prior to this update, the PowerPC-specific pthread_once code did not correctly publish changes it made. As a consequence, the changes were not visible to other threads at the right time. This update adds release barriers to the appropriate thread code to ensure correct synchronization of data between multiple threads.
- BZ#861167
- This update adds the MADV_DONTDUMP and MADV_DODUMP macros to the mman.h file so that code that uses these macros can be compiled.
- BZ#863453
- Prior to this update, the nscd daemon attempted to free a pointer that was not provided by the malloc() function, due to an error in the memory management in glibc. As a consequence, nscd could terminate unexpectedly when handling groups with a large number of members. This update ensures that memory allocated by the pool allocator is no longer passed to free(). Now, the pool allocator's garbage collector reclaims the memory. As a result, nscd no longer crashes on groups with a large number of members.
- BZ#864322
- Prior to this update, the IPTOS_CLASS definition referenced the wrong object. As a consequence, applications that referenced the IPTOS_CLASS definition from the ip.h file did not build or failed to operate as expected. This update modifies the definition to reference the right object, and applications that reference the IPTOS_CLASS definition now build and operate as expected.
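The BZ#846342 entry describes the glibc override that routes SSSE3 memcpy() to memmove() for applications that pass overlapping buffers. The following added example, not glibc's code, shows why such calls fail silently: a forward byte copier with memcpy's contract corrupts an in-place shift, memmove() handles it, and a checked wrapper of the kind the override effectively installs detects the overlap so it can be reported and fixed in the caller. Function names and sample data are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not glibc's code.  A forward byte copier with memcpy's
 * contract (regions must not overlap).  Optimized memcpy implementations are
 * free to behave like this, which is why overlapping calls corrupt data
 * silently rather than failing loudly. */
void *forward_copy(void *dst, const void *src, size_t n)
{
    unsigned char *d = dst;
    const unsigned char *s = src;
    for (size_t i = 0; i < n; i++)
        d[i] = s[i];
    return dst;
}

/* memmove behind a plain function pointer type, for use as a copier. */
void *memmove_copier(void *dst, const void *src, size_t n)
{
    return memmove(dst, src, n);
}

/* Shift the first len bytes of buf right by `by` positions with the given
 * copier.  Source [0,len) and destination [by,by+len) overlap whenever by < len. */
void shift_right(char *buf, size_t len, size_t by,
                 void *(*copier)(void *, const void *, size_t))
{
    copier(buf + by, buf, len);
}

/* Returns 1 if copier produces the correct in-place shift, 0 if it corrupts it. */
int copier_handles_overlap(void *(*copier)(void *, const void *, size_t))
{
    char buf[16] = "ABCDEFGH";            /* constructed sample data */
    shift_right(buf, 8, 2, copier);
    buf[10] = '\0';
    return strcmp(buf, "ABABCDEFGH") == 0;
}

/* A checked memcpy of the kind the sysconfig override effectively installs:
 * overlapping calls are detected and routed to memmove.  *overlapped tells the
 * caller the contract was violated so the call site can be logged and fixed. */
void *checked_memcpy(void *dst, const void *src, size_t n, int *overlapped)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    int ov = n != 0 && d < s + n && s < d + n;
    if (overlapped)
        *overlapped = ov;
    return ov ? memmove(dst, src, n) : memcpy(dst, src, n);
}

int main(void)
{
    printf("memmove handles overlap:   %d\n", copier_handles_overlap(memmove_copier));
    printf("forward copier handles it: %d\n", copier_handles_overlap(forward_copy));

    char buf[16] = "ABCDEFGH";
    int ov = 0;
    checked_memcpy(buf + 2, buf, 8, &ov);
    buf[10] = '\0';
    printf("checked_memcpy: overlap=%d result=%s\n", ov, buf);
    return 0;
}
```

The example deliberately does not call memcpy() itself on overlapping arguments: the result is undefined, depends on the implementation selected at run time (which is exactly what the SSSE3 dispatch changes), and a compiler may assume it cannot happen. The overlap test in checked_memcpy() is the same condition memory-debugging tools flag for memcpy(); as the Important box says, the fix belongs in the application, with memmove().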
Bug Fix
- BZ#989558
- The C library security framework was unable to handle dynamically loaded character conversion routines when loaded at specific virtual addresses. This resulted in an unexpected termination with a segmentation fault when trying to use the dynamically loaded character conversion routine. This update enhances the C library security framework to handle dynamically loaded character conversion routines at any virtual memory address, and crashes no longer occur in the described scenario.
Bug Fixes
- BZ#964044
- An earlier fix for logic errors in various mathematical functions, including exp, exp2, expf, exp2f, pow, sin, tan, and rint, which had returned inconsistent results in the non-default rounding modes, introduced performance regressions for certain inputs. The regressions have been analyzed and the core routines optimized to bring performance back to reasonable levels.
- BZ#970992
- A program that opens and uses dynamic libraries which use thread-local storage variables may terminate unexpectedly with a segmentation fault when it is being audited by a module that also uses thread-local storage. This update modifies the dynamic linker to detect such a condition, and crashes no longer occur in the described scenario.
Bug Fix
- BZ#1001050
- A defect in the name service cache daemon (nscd) caused cached DNS queries, under certain conditions, to return only IPv4 addresses when querying for an address using the AF_UNSPEC address family, even though IPv4 and IPv6 results existed. The defect has been corrected and nscd correctly returns both IPv4 and IPv6 results if they both exist.
7.68. gnome-desktop
Bug Fix
- BZ#829891
- Previously, when a user hit the system's hot-key (most commonly Fn+F7) to change display configurations, the system could potentially switch to an invalid mode, which would fail to display. With this update, gnome-desktop now selects valid XRandR modes, and switching displays with the hot-key works as expected.
7.69. gnome-packagekit
Bug Fixes
- BZ#744980
- If a package adds or removes a .repo file while updates are being installed, PackageKit (packagekitd) sends a RepoListChanged() message. If Software Update (/usr/bin/gpk-update-viewer) was being used to install these updates it responded to the message by attempting to refresh the available updates list. This resulted in said list going blank. As of this update, gpk-update-viewer ignores such signals from packagekitd, leaving the available updates list visible and unchanged.
- BZ#744906
- When a 64-bit Red Hat Enterprise Linux instance had both 32-bit and 64-bit versions of a package installed, and an update for both packages was available and presented in the Software Update (/usr/bin/gpk-update-viewer) window, the summary and package name appeared for both architectures. Package size and the errata note only presented for the 32-bit version, however. For the 64-bit version, the size column remained blank. And, when the 64-bit version was selected in Software list, the display pane below presented a ‘Loading...’ message rather than the errata note. With this update, gpk-update-viewer seeks out the exact package ID before falling back to the package name, ensuring both package versions are found and associated meta-data displayed when more than one package architecture is installed.
- BZ#694793
- When an application is installed using the Add/Remove Software interface (/usr/bin/gpk-application), a dialogue box appears immediately post-install offering a Run button. Clicking this button launches the newly-installed program. Previously, under some circumstances, an improperly assigned pointer value meant clicking this Run button caused gpk-application to crash (segfault). With this update, the pointer is correctly assigned and gpk-application no longer crashes when launching a newly-installed application.
- BZ#669798
- Previously, it was possible for an ordinary user to shut down their system or log out from a session while the PackageKit update tool was running. Depending on the transaction PackageKit was engaged in when the shutdown or logout was initiated, this could damage the RPM database and, consequently, damage the system. With this update, when an ordinary user attempts to shut down or log out while PackageKit is running an update, PackageKit inhibits the process and presents the user with an alert:
A transaction that cannot be interrupted is running.
Note: this update does not prevent a root user (or other user with equivalent administrative privileges) from shutting the system down or logging an ordinary user out of their session.
7.70. gnome-screensaver
Bug Fixes
- BZ#648869
- Previously, NVIDIA hardware did not support the X Resize and Rotate Extension (xRandR) gamma changes. Consequently, the fade-out function did not work on the NVIDIA hardware. With this update, xRandR gamma support detection code fails on NVIDIA cards, and the XF86VM gamma fade extension is automatically used as a fallback so the fade-out function works as expected.
- BZ#744763
- Previously, the mouse cursor could be moved to a non-primary monitor so the unlock dialog box did not appear when the user moved the mouse. This bug has been fixed and the mouse cursor can no longer be moved to a non-primary monitor. As a result, the unlock dialog box comes up anytime the user moves the mouse.
- BZ#752230
- Previously, the shake animation of the unlock dialog box could appear to be very slow. This was because the background was updated every time the window's size allocation changed, and the widget's size allocation consequently changed every frame of the shake animation. The underlying source code has been modified to ensure a reasonable speed of the shake animation.
- BZ#759395
- When a Mandatory profile was enabled, the "Lock screen when screen saver is active" option in the Screensaver Preferences window was not disabled. This bug could expose the users to a security risk. With this update, the lock-screen option is disabled as expected in the described scenario.
- BZ#824752
- When using dual screens, moving the mouse did not unlock gnome-screensaver after the initial timeout. The users had to press a key to unlock the screen. The underlying source code has been modified and the user can now unlock gnome-screensaver by moving the mouse.
Bug Fix
- BZ#994868
- Previously, when using virt-manager, virt-viewer, and spice-xpi applications, users were unable to enter the gnome-screensaver password after the screen saver started. This happened only when the VM system used the Compiz compositing window manager. After users released the mouse cursor, then pressed a key to enter a password, the dialog did not accept any input. This happened due to incorrect assignment of window focus to applications that did not drop their keyboard grab. With this update, window focus is now properly assigned to the correct place, and attempts to enter the gnome-screensaver password no longer fail in the described scenario.
7.71. gnome-settings-daemon
Bug Fixes
- BZ#805064
- Previously, the LED indicators of some Wacom graphics tablets were not supported in the gnome-settings-daemon package. Consequently, the status LEDs on Wacom tablets would not accurately indicate the current control mode. With this update, LED support has been added to gnome-settings-daemon. As a result, the tablet LEDs now work as expected.
- BZ#812363
- Previously, using function keys without modifiers (F1, F2, and so on) as keyboard shortcuts for custom actions did not work. With this update, a patch has been added to fix this bug. As a result, gnome-settings-daemon now allows unmodified function keys to be used as keyboard shortcuts for custom actions.
- BZ#824757
- In certain cases, the gnome-settings-daemon did not properly handle the display configuration settings. Consequently, using the system's hot-key to change the display configuration either did not select a valid XRandR configuration or kept monitors in clone mode. This bug has been fixed and gnome-settings-daemon now selects valid XRandR modes and handles the clone mode as expected.
- BZ#826128
- Previously, connecting a screen tablet to a computer before activation of the tablet screen caused the input device to be matched with the only available monitor - the computer screen. Consequently, the stylus motions were incorrectly mapped to the computer screen instead of the tablet itself. With this update, a patch has been introduced to detect the tablet screen as soon as it becomes available. As a result, the device is correctly re-matched when the tablet screen is detected.
- BZ#839328
- Previously, using the shift key within a predefined keyboard shortcut mapped to the tablet's ExpressKey button caused gnome-settings-daemon to crash after pressing ExpressKey. This bug has been fixed, and the shortcuts which use the shift key can now be mapped to ExpressKey without complications.
- BZ#853181
- Prior to this update, the mouse plug-in in the gnome-settings-daemon package interfered with Wacom devices. Consequently, using ExpressKey on a tablet after hot-plugging generated mouse click events. With this update, the mouse plug-in has been fixed to ignore tablet devices and the interference no longer occurs.
- BZ#886922
- Previously, on tablets with multiple mode-switch buttons such as the Wacom Cintiq 24HD, all mode-switch buttons would cycle through the different modes. With this update, each mode-switch button selects the right mode for the given button.
- BZ#861890
- Due to a bug in the gnome settings daemon, changing the monitor layout led to incorrect tablet mapping. With this update, the graphics tablet mapping is automatically updated when the monitor layout is changed. As a result, the stylus movements are correctly mapped after the layout change and no manual update is needed.
Enhancements
- BZ#772728
- With this update, several integration improvements for Wacom graphics tablets have been backported from upstream:
  - touchscreen devices are now automatically set in absolute mode instead of relative
  - memory leaks on tablet hot plug have been fixed
  - ExpressKeys no longer fail after the layout rotation
  - test applications are now included in the package to help with debugging issues.
- BZ#858255
- With this update, the touch feature of input devices has been enabled in the default settings of gnome-settings-daemon.
7.72. gnome-terminal
Bug Fix
- BZ#819796
- Prior to this update, gnome-terminal was not completely localized into Assamese. With this update, the Assamese locale has been updated.
7.73. gnutls
Bug Fixes
- BZ#648297
- Previously, the gnutls_priority_init.3 man page contained incorrect information on the gnutls-2.8.5-safe-renegotiation patch, particularly on special control keywords. The manual page has been updated to provide accurate information about the described subject.
- BZ#745242
- Prior to this update, the gnutls_x509_privkey_import() function failed to load private keys in the PKCS#8 format. Consequently, these keys were not processed by applications which use gnutls_x509_privkey_import(). This bug has been fixed, and gnutls_x509_privkey_import() now allows loading of private keys formatted in PKCS#8.
- BZ#771378
- Multiple bugs were present in the implementation of the TLS-1.2 protocol in the gnutls package. Consequently, gnutls was incompatible with clients and servers conforming to the TLS-1.2 protocol standard. With this update, the TLS-1.2 implementation has been fixed. As a result, the compatibility of gnutls with other TLS-1.2 clients and servers is now assured.
- BZ#807746
- Previously, the gnutls-cli-debug man page contained typographical errors and incorrect information on the command-line options. The manual page has been updated, and no longer contains the aforementioned errors.
Security Fix
- CVE-2013-2116
- It was discovered that the fix for the CVE-2013-1619 issue released via RHSA-2013:0588 introduced a regression in the way GnuTLS decrypted TLS/SSL encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to crash a server or client application that uses GnuTLS.
7.74. graphviz
Bug Fixes
- BZ#772637
- Previously, the dot tool could generate different images on 32-bit and 64-bit architectures, which could consequently lead to multilib conflicts for packages that use graphviz during their build process. The problem was caused by different instructions being used for floating-point processing. On the 32-bit Intel architecture, the code is now compiled with the "-ffloat-store" compiler flag, which ensures that identical images are generated regardless of the architecture used.
- BZ#821920
- The graphviz-tcl package included the "demo" directory, which contained examples in various languages. This caused implicit dependencies to be introduced. With this update, all examples are installed as documentation, which reduces the number of implicit dependencies.
- BZ#849134
- The "dot -c" command which is run in the %postun scriptlet recreates graphviz configuration files to be up-to-date with the current state of the installed plug-ins. Previously, if the command failed to load plug-ins specified in the configuration files, warning messages were printed when removing the graphviz-gd package. These messages could have been confusing, and have been therefore removed.
7.75. grub
Bug Fixes
- BZ#783169
- When the BIOS was set to Unified Extensible Firmware Interface (UEFI) mode, all legacy option ROMs in the setup were disabled, and the grub.efi utility was loaded, an attempt to access the network with the NET0 protocol was not successful and the "nd" root command did not work. This bug has been fixed and GRUB works correctly in this situation.
- BZ#814014
- Previously, the GRUB utility did not scan for KVM virtio disks when creating a device map. Consequently, these disks were not added to this map. This bug has been fixed and GRUB now scans for vd* devices located in the /dev/ directory, so virtio disks are added to a device map as expected.
- BZ#825054
- The GRUB utility did not pass the high-order address bits for the Extensible Firmware Interface (EFI) memory map and system table. As a consequence, the EFI system table and memory map did not work correctly on computers with more than 4 GB of RAM. This bug has been fixed by passing the high-order address bits, so that GRUB works properly in the described scenario.
- BZ#870420
- When symbolic links in the /dev/mapper/ directory were resolved to the original file, this file did not match the proper file entry in the device.map file. Consequently, grub-install failed and an error message was returned. With this update, symbolic links in the /dev/mapper/ directory are no longer resolved. As a result, grub-install proceeds as expected.
- BZ#876519
- Due to an error in the underlying source code, an incorrect attempt to dereference a NULL pointer could previously cause GRUB to terminate unexpectedly. This update corrects the underlying source code to prevent this error so that GRUB no longer crashes.
Enhancements
- BZ#642396
- This enhancement adds support for IPv6 UEFI 2.3.1 netboot, which was previously missing.
- BZ#737732
- With this update, users can use the EFI boot partition as the root partition, which can be specified in the grub.conf file. As a consequence, users do not have to specify a particular drive, but can use the one specified in the EFI boot manager.
7.76. gstreamer-plugins-base
Enhancement
- BZ#755777
- This update adds color-matrix support for color conversions to the ffmpegcolorspace plugin.
7.77. gtk2
Bug Fixes
- BZ#882346
- Due to a recent change in the behavior of one of the X.Org Server components, GTK+ applications could not use certain key combinations for key bindings. This update makes GTK+ compatible with the new behavior, which ensures that no regressions occur in applications that use the library.
- BZ#889172
- Previously, when switching between the "Recently Used" and "Search" tabs in the “Open Files” dialog box, the "Size" column in the view disappeared. This update ensures the column is visible when the relevant option is selected.
7.78. gvfs
Bug Fixes
- BZ#599055
- Previously, rules for ignoring mounts were too restrictive. If the user clicked on an encrypted volume in the Nautilus' sidebar, an error message was displayed and the volume could not be accessed. The underlying source code now contains additional checks so that encrypted volumes have proper mounts associated (if available), and the file system can be browsed as expected.
- BZ#669526
- Due to a bug in the kernel, a freshly formatted Blu-ray Disk Rewritable (BD-RE) medium contains a single track with invalid data that covers the whole medium. This empty track was previously incorrectly detected, causing the drive to be unusable for certain applications, such as Brasero. This update adds a workaround to detect the empty track, so that freshly formatted BD-RE media are properly recognized as blank.
- BZ#682799, BZ#746977, BZ#746978, BZ#749369, BZ#749371, BZ#749372
- The code of the gvfs-info, gvfs-open, gvfs-cat, gvfs-ls and gvfs-mount utilities contained hard-coded exit codes. This caused the utilities to always return zero on exit. The exit codes have been revised so that the mentioned gvfs utilities now return proper exit codes.
- BZ#746905
- When running gvfs-set-attribute with an invalid command-line argument specified, the utility terminated unexpectedly with a segmentation fault. The underlying source code has been modified so that the utility now prints a proper error message when an invalid argument is specified.
- BZ#809708
- Due to missing object cleanup calls, the gvfsd daemon could use an excessive amount of memory, which caused the system to become unresponsive. Proper object cleanup calls have been added with this update, which ensures that the memory consumption is constant and the system does not hang in this scenario.
7.79. hivex
Bug Fixes
- BZ#822741
- Previously, the description of the package contained inappropriate text. This update provides a correction of the language used and now, the spec file contains only neutral expressions.
- BZ#841924
- Certain hive files that had a very large number of child nodes under a single parent node could not be parsed. A patch has been added to allow read-only access to these child nodes.
7.80. hplip
Security Fix
- CVE-2013-0200, CVE-2011-2722
- Several temporary file handling flaws were found in HPLIP. A local attacker could use these flaws to perform a symbolic link attack, overwriting arbitrary files accessible to a process using HPLIP.
Note
Bug Fixes
- BZ#829453
- Previously, the hpijs package required the obsolete cupsddk-drivers package, which was provided by the cups package. Under certain circumstances, this dependency caused hpijs installation to fail. This bug has been fixed and hpijs no longer requires cupsddk-drivers.
- BZ#683007
- The configuration of the Scanner Access Now Easy (SANE) back end is located in the /etc/sane.d/dll.d/ directory, however, the hp-check utility checked only the /etc/sane.d/dll.conf file. Consequently, hp-check checked for correct installation, but incorrectly reported a problem with the way the SANE back end was installed. With this update, hp-check properly checks for installation problems in both locations as expected.
Security Fix
- CVE-2013-4325
- HPLIP communicated with PolicyKit for authorization via a D-Bus API that is vulnerable to a race condition. This could lead to intended PolicyKit authorizations being bypassed. This update modifies HPLIP to communicate with PolicyKit via a different API that is not vulnerable to the race condition.
7.81. hsqldb
Bug Fix
- BZ#827343
- Prior to this update, the hsqldb database did not depend on java packages of version 1:1.6.0 or later. As a consequence, the build-classpath command failed on systems without the java-1.6.0-openjdk package installed and the hsqldb packages could be installed incorrectly. This update adds a requirement for java-1.6.0-openjdk. Now, the installation of hsqldb proceeds correctly as expected.
7.82. httpd
Security Fixes
- CVE-2008-0455, CVE-2012-2687
- An input sanitization flaw was found in the mod_negotiation Apache HTTP Server module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use this flaw to conduct cross-site scripting attacks against users visiting the site.
- CVE-2012-4557
- It was discovered that mod_proxy_ajp, when used in configurations with mod_proxy in load balancer mode, would mark a back-end server as failed when request processing timed out, even when a previous AJP (Apache JServ Protocol) CPing request was responded to by the back-end. A remote attacker able to make a back-end use an excessive amount of time to process a request could cause mod_proxy to not send requests to back-end AJP servers for the retry timeout period or until all back-end servers were marked as failed.
Bug Fixes
- BZ#787247
- When the Apache module mod_proxy was configured, and a particular back-end URL was reverse proxied into the server two or more times, a spurious warning in the following format was given:
[warn] worker [URL] already used by another worker
The level of this message has been changed from WARNING to INFO, as it is not incorrect to proxy more than one URL to the same back-end server.
- BZ#822587
- The mod_cache module did not handle 206 partial HTTP responses correctly. This resulted in incorrect responses being returned to clients if a cache was configured. With this update, mod_cache no longer caches 206 responses, thus ensuring correct responses are returned.
- BZ#829689
- If LDAP authentication was used with a Novell eDirectory LDAP server, mod_ldap could return a 500 Internal Server Error response if the LDAP server was temporarily unavailable. This update fixes mod_ldap to retry LDAP requests if the server is unavailable, and 500 errors are no longer returned in this case.
- BZ#837086
- Previously, mod_proxy_connect performed unnecessary DNS queries when ProxyRemote was configured. Consequently, in configurations with ProxyRemote, mod_proxy_connect could either fail to connect, or be slow to connect to the remote server. This update changes mod_proxy to omit DNS queries if ProxyRemote is configured. As a result, the proxy no longer fails in such configurations.
- BZ#837613
- When an SSL request failed and the -v 2 option was used, the ApacheBench (ab) benchmarking tool tried to free a certificate twice. Consequently, ab terminated unexpectedly due to a double free() error. The ab tool has been fixed to free certificates only once. As a result, the ab tool no longer crashes in the scenario described.
- BZ#848954
- Previously, mod_ssl presumed the private key was set after the certificate in SSLProxyMachineCertificateFile. Consequently, httpd terminated unexpectedly if the private key had been set before the certificate in SSLProxyMachineCertificateFile. This update improves mod_ssl to check if the private key is set before the certificate. As a result, mod_ssl no longer crashes in this situation and prints an error message instead.
- BZ#853160
- Prior to this update, mod_proxy_ajp did not correctly handle a flush message from a Java application server if it was received before the HTTP response headers had been sent. Consequently, users could receive a truncated response page without the correct HTTP headers. This update fixes mod_proxy_ajp to ignore flush messages before the HTTP response headers have been sent. As a result, truncated responses are no longer sent in the scenario described.
- BZ#853348
- In a proxy configuration, certain response-line strings were not handled correctly. If a response-line without a description string was received from the origin server for a non-standard status code, such as the 450 status code, a 500 Internal Server Error would be returned to the client. This bug has been fixed so that the original response line is returned to the client.
- BZ#867268
- Previously, the value of ${cookie}C in the LogFormat directive's definition matched substrings of cookie names. Consequently, the wrong cookie could be logged if its name contained the name defined in LogFormat using the ${cookie}C string as a substring. With this update, the code is improved so that cookie names are now matched exactly. As a result, the proper cookie is logged even when other cookies have names that contain its name as a substring.
- BZ#867745
- Previously, no check was made to see if the /etc/pki/tls/private/localhost.key file was a valid key prior to running the %post script for the mod_ssl package. Consequently, when /etc/pki/tls/certs/localhost.crt did not exist and localhost.key was present but invalid, upgrading the Apache HTTP Server daemon (httpd) with mod_ssl failed. The %post script has been fixed to test for an existing SSL key. As a result, upgrading httpd with mod_ssl now proceeds as expected.
- BZ#868253
- Previously, in a reverse proxy configuration, mod_cache did not correctly handle a 304 Not Modified response from the origin server when refreshing a cache entry. Consequently, in some cases an empty page was returned to a client requesting an entity which already existed in the cache. This update fixes handling of 304 Not Modified responses in mod_cache, and as a result no empty pages are displayed in the scenario described.
- BZ#868283
- Due to a regression, when mod_cache received a non-cacheable 304 response, the headers were served incorrectly. Consequently, compressed data could be returned to the client without the cached headers to indicate the data was compressed. An upstream patch has been applied to merge response and cached headers before data from the cache is served to the client. As a result, cached data is now correctly interpreted by the client.
Enhancements
- BZ#748400
- The Apache module mod_proxy now allows changing the BalancerMember state in the web interface.
- BZ#757735
- The rotatelogs program now provides a new rotatelogs -p option to execute a custom program after each log rotation.
- BZ#757739
- The rotatelogs program now provides a new rotatelogs -c option to create log files for each set interval, even if empty.
- BZ#796958
- The LDAPReferrals configuration directive has been added, as an alias for the existing LDAPChaseReferrals directive.
- BZ#805720
- The mod_proxy and mod_ssl modules have been updated to support the concurrent use of the mod_nss (NSS) and mod_ssl (OpenSSL) modules.
- BZ#805810
- An init script for the htcacheclean daemon has been added.
- BZ#824571
- The failonstatus parameter has been added for balancer configuration in mod_proxy.
- BZ#828896
- Previously, mod_authnz_ldap had the ability to set environment variables from received LDAP attributes, but only by LDAP authentication, not by LDAP authorization. Consequently, if the mod_authnz_ldap module was used to enable LDAP for authorization but not authentication, the AUTHORIZE_ environment variables were not populated. This update applies a patch to implement setting of AUTHORIZE_ environment variables using LDAP authorization. As a result, other methods of authentication can be used while using LDAP authorization to set environment variables for all configured LDAP attributes.
- BZ#833064
- The %posttrans scriptlet which automatically restarts the httpd service after a package upgrade can now be disabled. If the file /etc/sysconfig/httpd-disable-posttrans exists, the scriptlet does not restart the daemon.
- BZ#833092
- The output of httpd -S now includes configured alias names for each virtual host.
- BZ#838493
- The rotatelogs program has been updated to support the -L option to create a hard link from the current log to a specified path.
- BZ#842375
- New certificate variable names are now exposed by mod_ssl using the _DN_userID suffix, such as SSL_CLIENT_S_DN_userID, which uses the commonly used object identifier (OID) definition of userID, OID 0.9.2342.19200300.100.1.1.
- BZ#842376
- Chunked Transfer Coding is described in RFC 2616. Previously, the Apache server did not correctly handle a chunked encoded POST request with a chunk-size or chunk-extension value of 32 bytes or more. Consequently, when such a POST request was made, the server did not respond. An upstream patch has been applied and the problem no longer occurs.
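As an added example that is not part of these notes or of httpd, this Python decoder for chunked transfer coding accepts chunk-size lines of any reasonable length, including a zero-padded size and a chunk-extension longer than 32 bytes as in BZ#842376, while still bounding the line so an endless extension cannot be fed to it. The sample body and the 8192-byte line limit are assumptions.

```python
import re
from typing import List, Tuple

CRLF = b"\r\n"
HEX_RE = re.compile(r"[0-9A-Fa-f]+")

# Constructed sample body (not from the original page): the first chunk-size
# line is padded with leading zeros and carries a chunk-extension, so the whole
# line is well over 32 bytes even though the chunk itself is only 5 bytes.
SAMPLE_BODY = (
    b"0000000000000000000000000000000005"
    b";note=constructed-extension-longer-than-32-bytes\r\n"
    b"hello\r\n"
    b"6\r\n"
    b" world\r\n"
    b"0\r\n"
    b"\r\n"
)


def decode_chunked(body: bytes, max_line_len: int = 8192) -> Tuple[bytes, List[str]]:
    """Decode a chunked transfer-coded body (RFC 2616 section 3.6.1).

    Returns (decoded payload, chunk-extension strings seen). max_line_len
    bounds one chunk-size line including its extensions: a bound is needed so
    a client cannot send an endless line, but it must be generous enough for
    legitimate extensions (8192 is an assumed value, not httpd's setting).
    """
    out = bytearray()
    extensions: List[str] = []
    pos = 0
    while True:
        end = body.find(CRLF, pos)
        if end == -1:
            raise ValueError("incomplete chunk-size line")
        if end - pos > max_line_len:
            raise ValueError("chunk-size line exceeds limit")
        line = body[pos:end].decode("ascii")
        size_part, _, ext = line.partition(";")  # extension follows ';'
        size_str = size_part.strip()
        if not HEX_RE.fullmatch(size_str):
            raise ValueError(f"bad chunk-size: {size_str!r}")
        size = int(size_str, 16)  # leading zeros are legal, any length
        if ext:
            extensions.append(ext.strip())
        pos = end + 2
        if size == 0:
            # last-chunk: optional trailer headers end with an empty line
            while body[pos:pos + 2] != CRLF:
                end = body.find(CRLF, pos)
                if end == -1:
                    raise ValueError("incomplete trailer")
                pos = end + 2
            return bytes(out), extensions
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk-data")
        out += chunk
        pos += size
        if body[pos:pos + 2] != CRLF:
            raise ValueError("missing CRLF after chunk-data")
        pos += 2


if __name__ == "__main__":
    payload, exts = decode_chunked(SAMPLE_BODY)
    print(payload, exts)
    # A 32-byte line limit, as a model of the old behaviour, rejects the same body.
    try:
        decode_chunked(SAMPLE_BODY, max_line_len=32)
    except ValueError as err:
        print("rejected with 32-byte line limit:", err)
```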
7.83. hwdata
Enhancements
- BZ#839221
- The PCI ID numbers have been updated for the Beta and the Final compose lists.
- BZ#739816
- Support for NVidia graphic card N14E-Q5, 0x11BC has been added.
- BZ#739819
- Support for NVidia graphic card N14E-Q3, 0x11BD has been added.
- BZ#739821
- Support for NVidia graphic card N14E-Q1, 0x11BE has been added.
- BZ#739824
- Support for NVidia graphic card N14P-Q3, 0x0FFB has been added.
- BZ#739825
- Support for NVidia graphic card N14P-Q1, 0x0FFC has been added.
- BZ#760031
- Support for Broadcom BCM943228HM4L 802.11a/b/g/n 2x2 Wi-Fi Adapter has been added.
- BZ#830253
- Support for Boot from Dell PowerEdge Express Flash PCIe SSD devices has been added.
- BZ#841423
- Support for the Intel C228 chipset and a future Intel processor based on Socket H3 has been added.
- BZ#814114
- This update also adds the current hardware USB IDs file from the upstream repository. This file provides support for Broadcom 20702 Bluetooth 4.0 Adapter Softsailing.
7.84. hwloc
Note
7.85. icedtea-web
Bug Fix
- BZ#838084
- Previously, the IcedTea-Web plug-in was built against JDK 6, but in runtime it was possible to use it with JDK 7. Consequently, IcedTea-Web sometimes failed to run. With this update, the icedtea-web package is built against JDK 7 and IcedTea-Web is using JDK 7 in runtime, thus preventing this bug. Note that the end of public updates for JDK 6 is scheduled to go into effect in upcoming weeks.
Bug Fix
- BZ#975426
- A java-1.7.0-openjdk package change released via RHSA-2013:0957 caused the icedtea-web browser plug-in and the javaws application to exit with a NullPointerException. This update fixes icedtea-web to work correctly with the updated java-1.7.0-openjdk packages.
7.86. infinipath-psm
Bug Fix
- BZ#907361
- Due to a packaging error, not all object files required for the infinipath-psm library were built into the library, rendering it non-functional. This update fixes the infinipath-psm Makefile, which now properly includes all required object files, and the library works as expected.
7.87. initscripts
Bug Fixes
- BZ#893395
- Previously, an
ip link
command was called before the master device was properly set. Consequently, the slaves could be in theunknown
state. This has been fixed by callingip link
for master after the device is installed properly, and all slaves are up. As a result, all slaves are in the expected state and connected to the master device. - BZ#714230
- Previously, the naming policy for VLAN names was too strict. Consequently, the
ifdown
utility failed to work with descriptively-named interfaces. To fix this bug, the name format check has been removed andifdown
now works as expected. - BZ#879243
- Prior to this update, there was a typographic error in the
/etc/sysconfig/network-scripts/ifup-aliases
file, which caused the duplicate check to fail. The typo has been corrected and the check works again. - BZ#885235
- The
BONDING_OPTS
variable was applied by theifup
utility on a slave interface, even if the master was already on and had active slaves. This caused an error message to be returned byifup
. To address this bug, it is now checked whether the master does not have any active slaves before applyingBONDING_OPTS
, and no error messages are returned. - BZ#880684
- Prior to this update, the
arping
utility, which checks for IP address duplicates in the network, failed when the parent device was not up. Consequently, the failure was handled the same way as finding of a second IP address in the network. To fix this bug,ifup-aliases
files have been set to be checked whether the master device is up before the duplicity check is run. As a result, no error messages are returned when the parent device is down in the described scenario. - BZ#723936
- The
rename_device.c
file did not correspond with VLAN interfaces, and thus could lead to improperly named physical interfaces. A patch has been provided to address this bug and interfaces are now named predictably and properly. - BZ#856209
- When calling the
vgchange -a y
command instead ofvgchange -a ay
on thenetfs
interface by therc.sysinit
daemon, all volumes were activated. This update provides a patch to fix this bug. Now, only the volumes declared to be activated are actually activated. If the list is not declared, all volumes are activated by default. - BZ#820430
- Previously, when a slave was attached to a master interface that did not have a correct mode set, the interface did not work properly and could eventually cause a kernel oops. To fix this bug, the BONDING_OPTS variables are now set before the master interface is brought up, which is the correct order.
- BZ#862788
- If a process was blocking a file system from unmounting, the /etc/init.d/halt script tried to kill all processes currently using the file system, including the script itself. Consequently, the system became unresponsive during reboot. With this update, the shutdown script PIDs are excluded from the kill command, which enables the system to reboot normally.
- BZ#874030
- When the ifup utility was used to set up a master interface, the BONDING_OPTS variables were not applied. Consequently, bonding mode configuration done through the ifcfg configuration had no effect. A patch has been provided to fix this bug. BONDING_OPTS are now applied and bonding mode works in the described scenario.
- BZ#824175
- If a network bond device had a name that was a substring of another bond device's name, both devices changed their states due to an incorrect test of the bond device name. A patch has been provided to fix the regular expression test, and bond devices now change their states as expected.
- BZ#755699
- The udev daemon is an event-driven hot-plug agent. Previously, a udev event for serial console availability was emitted only on boot. If runlevels were changed, the process was not restarted, because the event had already been processed. Consequently, the serial console was not restarted when entering and then exiting runlevel 1. With this update, the fedora.serial-console-available event is emitted on the post-stop of the serial console, and the console is now restarted as expected.
- BZ#852005
- Prior to this update, no check was performed for alias interfaces to determine whether an address was already in use. Consequently, an IP address that was already in use could be assigned to an alias interface. To fix this bug, the IP address is now checked for prior use. If it is already in use, an error message is returned and the IP address is not assigned.
- BZ#852176
- Previously, the init utility tried to add a bond device even if it already existed. Consequently, a warning message was returned. A patch that checks whether a bond device already exists has been provided, and warning messages are no longer returned.
- BZ#846140
- Prior to this update, the crypttab(5) manual page did not describe the handling of white space in passwords. The manual page has been updated and now contains information on passwords containing white space.
- BZ#870025
- The previous crypttab(5) manual page contained a typographic error ("crypptab" instead of "crypttab"), which has now been corrected.
- BZ#795778
- Previously, the usage description was missing from the /init/tty.conf and /init/serial.conf files, and this information was not returned in error messages. With this update, the information has been added to the aforementioned files and is now returned in an error message.
- BZ#669700
- Prior to this update, the /dev/shm file system was mounted by the dracut utility without the attributes from the /etc/fstab file. To fix this bug, /dev/shm is now remounted by the rc.sysinit script. As a result, /dev/shm now carries the attributes from /etc/fstab.
- BZ#713757
- The previous version of the sysconfig.txt file instructed users to put the VLAN=yes option in the global configuration file. Consequently, interfaces with names containing a dot were recognized as VLAN interfaces. The sysconfig.txt file has been changed so that the line describing VLAN instructs users to include the VLAN option in the interface configuration file, and the aforementioned devices are no longer recognized as VLAN interfaces.
- BZ#869075
- The sysconfig.txt file advised users to use the saslauthd -a command instead of saslauthd -v, which caused the command to fail with an error message. In sysconfig.txt, the error in the command has been corrected and the saslauthd utility now returns the expected results.
- BZ#714250
- When the ifup utility initiated VLAN interfaces, the sysctl values were not used. With this update, ifup rereads the sysctl values in the described scenario and VLAN interfaces are configured as expected.
Enhancements
- BZ#851370
- The brctl daemon is used to connect two Ethernet segments in a protocol-independent way, based on Ethernet addresses rather than IP addresses. In order to provide simple and centralized bridge configuration, bridge options can now be set via BRIDGING_OPTS. As a result, a space-separated list of bridging options for either a bridge device or a port device can be added when the ifup utility is used.
- BZ#554392
- The halt.local file has been enhanced with new variables that reflect how it was called. This change gives users better knowledge of how halt.local was called during a halt sequence.
- BZ#815431
- With this update, it is possible to disable duplicate address detection in order to allow administrators to use direct routing without ARP checks.
7.88. iok
Bug Fixes
- BZ#814541, BZ#814548
- Previously, when saving a keymap with a specified name, a predefined naming convention was followed and the file name was saved with the "-" prefix without notifying the user. With this update, if the user attempts to save a keymap, a dialog box displaying the required file name format appears.
- BZ#819795
- This update provides the complete iok translation for all supported locales.
7.89. ipa
Security Fix
- CVE-2012-4546
- It was found that the default configuration of IPA servers did not publish correct CRLs (Certificate Revocation Lists). The default configuration specifies that every replica generates its own CRL; however, this can result in inconsistencies in the CRL contents provided to clients by different Identity Management replicas. More specifically, if a certificate is revoked on one Identity Management replica, the revocation will not show up on another Identity Management replica.
Bug Fixes
- BZ#784378
- When a master was removed from a replicated environment via the "ipa-replica-manage del" command, the metadata for that master was still contained in the other servers, thus the Directory Server replication plug-in produced warnings about the outdated metadata. Now, the Directory Server CLEANALLRUV task is triggered to handle outdated metadata in the whole replicated Directory Server environment and deleting an Identity Management replica no longer causes problems.
- BZ#790515
- When the "ipactl" command was used to start Identity Management, it waited only 6 seconds for the Directory Server to start, and when the Directory Server did not start in time, the start procedure was aborted. A higher default start-up wait value has been added. A configurable value, "startup_timeout", can be added to the /etc/ipa/default.conf or /etc/ipa/server.conf file when the default value of 120 seconds is not sufficient to start the Directory Server.
- BZ#809565
- Previously, DNS records could not be renamed, and administrators had to re-enter all DNS records under a name when that name changed. Now, rename operations for DNS record names and the rename option in the Identity Management CLI are able to rename a DNS name and all of its records to another name within the same zone.
- BZ#811295
- Previously, when installing Identity Management, it was possible to choose a certificate subject base with a Common Name (CN) as one component. However, it is illegal to have more than one CN attribute in a certificate subject, and this caused the Identity Management installation to fail. Now, the CN attribute is no longer allowed in the subject base option, administrators are warned when they choose an incorrect certificate subject base, and Identity Management installs properly.
- BZ#815837
- The Identity Management Certificate Authority component did not accept Directory Manager passwords which were set to a non-ASCII control character, "&" or "\". Use of these characters in passwords caused a malformed XML error and the Identity Management installation failed when such characters were a part of the Directory Manager password. Currently, these characters are not allowed in the Identity Management installer and IdM installs successfully.
- BZ#816317
- The Identity Management server or client used programs from the policycoreutils package when SELinux was enabled. However, the installers did not check if the package was actually installed. This caused the Identity Management installation to terminate with a python backtrace when SELinux was enabled and the policycoreutils package was not installed on a system. Currently, the Identity Management installers no longer fail when SELinux is enabled and the policycoreutils package is missing, but, instead, ask the administrator to install it first.
- BZ#817865
- The "ipa" command or Identity Management installers forced a set of address families (IPv4, IPv6) when a network connection was established, instead of letting the system choose the right address family for the new connection. In some cases this caused the connection, command or installer to fail, or the connection to take longer than normal. Automatic address family detection has been implemented and is now respected, with the result that network connections established with an "ipa" command are faster and less prone to errors caused by uncommon network settings.
- BZ#819629
- Identity Management DNS modules used a "pull" model for updating DNS records provisioned to the BIND name server by the bind-dyndb-ldap plug-in. When a DNS zone LDAP entry or DNS records present in the bind-dyndb-ldap cache were changed via the Identity Management CLI or Web UI, the update was not provisioned to the BIND name server until the zone was checked by a periodic poll or the DNS record in the cache expired. Now, persistent search is enabled by default for new Identity Management installations and for running Identity Management server instances. A change to the DNS zone LDAP entry or to a DNS record that is already cached by bind-dyndb-ldap is instantly provisioned to the BIND name server and thus resolvable.
- BZ#820003
- The default size of the Directory Server in-memory entry cache was lower than an administrator's deployment required, which caused the Directory Server to underperform. Now, the Identity Management package requires an updated version of the Directory Server, which warns administrators when the in-memory cache is too small and allows them to adjust the value to suit the size of the deployment.
- BZ#822608
- When users were migrated from the remote Directory Server, entries in the Identity Management Directory Server did not have complete Kerberos data needed for Kerberos authentication, even though the users passed the Identity Management password migration page. The migrated Identity Management user was not able to authenticate via Identity Management until the password was manually reset. Currently, the Kerberos authentication data generates properly during the migration process and users can successfully access Identity Management.
- BZ#824488
- The Identity Management Kerberos data back end did not support an option to control automatic user log-on attributes, which were updated with every authentication. Administrators with large deployments and high numbers of authentication events in their Identity Management realm could not disable these automatic updates to avoid numerous Directory Server modification and replication events. Now, users can utilize options in Identity Management to customize automatic Kerberos authentication attribute updates.
- BZ#824490
- Previously, Identity Management enforced lowercase letters for all user IDs which caused some operations, such as password changes, to fail when the user ID was uppercase. Also, the WinSync agreement with Active Directory replicated such user information into the Identity Management database. Currently, the Identity Management WinSync plug-in can convert user names and Kerberos principal user parts to lowercase, and passwords replicated from Active Directory via the Winsync agreement can now be changed.
- BZ#826677
- When Identity Management replicas were deleted using the "ipa-replica-manage" command, the script did not verify if the deletion would orphan other Identity Management replicas. Users unaware of the Identity Management replication graph structure might accidentally delete a replica forcing them to reinstall the orphaned replicas. Now, the "ipa-replica-manage" command will not allow users to delete a remote replica if such operation would orphan a replica with a replication agreement.
- BZ#832243
- Identity Management Web UI was not fully compatible with the Microsoft Internet Explorer browser, which caused glitches when working with the Identity Management administration interface. Identity Management Web UI is now compatible with Microsoft Internet Explorer versions 9 or later and glitches no longer occur when working with the Web UI.
- BZ#837356
- Several attributes in the Identity Manager Directory Server that are used to store links to other objects in the directory were not added to the Directory Server Referential Integrity plug-in configuration. When a referred object was deleted or renamed it caused some links to break in the affected attribute and made them point to an invalid object. This update adds all attributes storing links to other objects to the Referential Integrity plug-in configuration, which are updated when the referred object is deleted or renamed.
- BZ#839008
- The Identity Management Web UI Administrator interface was not enabled for users who were indirect members of administrative roles. These users were not able to perform administrative tasks in the Web UI. Presently, indirect members of administrative roles can use the Web UI Administrator interface and are able to perform administrative tasks within the Identity Management Web UI.
- BZ#840657
- Identity Management SSH capabilities allow storage of public user or host SSH keys, but the keys were not accepted in the OpenSSH-style public key format. This caused Identity Management to infer the public key type from the public key blob, which could have caused issues in the future with new public key types. Now, Identity Management stores SSH public keys in extended OpenSSH format and SSH public keys contain all required parts, making the functionality usable in more deployments.
- BZ#855278
- Previously, the jQuery library used by the Identity Management Web UI raised errors when processing Directory Server records containing certain strings, for example, sudo commands with the "??" string in the name, which in turn made the Web UI unable to show, modify or add such records. With this jQuery library update, the Identity Management Web UI no longer reports errors for these strings and processes them normally.
- BZ#859968
- Firefox 15 and newer versions did not allow signed JavaScript JAR files to gain privilege escalation to change browser configuration. The Identity Management browser auto configuration configured the browser to access Web UI through Kerberos authentication, which affects these versions of Firefox. Now Identity Management is deployed with its own Firefox extension and is able to auto configure and authenticate using Kerberos.
- BZ#868956
- The Identity Management "dnszone-add" command accepts the "--name-server" option specifying the host name of the primary name server resolving the zone. The option treated all host names as fully qualified domain names (FQDN), for example, name server "ns.example.com." for zone example.com, even when they were relative to the zone name, such as name server "ns" for zone "example.com." Users were therefore not able to specify the name server in the relative name format when using the Identity Management "dnszone-add" command. Presently, Identity Management detects the name server format correctly and the "dnszone-add" command can process both relative and fully qualified domain names.
- BZ#877324
- After upgrading to Red Hat Identity Management 2.2, it was not possible to add SSH public keys in the Web UI. However, SSH public keys could be added on the command line by running the "ipa user-mod user --sshpubkey" command. This update allows SSH public keys to be added in the Web UI normally.
- BZ#883484
- Previously, the IPA automatic certificate renewal, in some cases, did not function properly: some certificates were not renewed while other certificates with the same "Not After" values were renewed. Certmonger has been updated; users can now serialize access to the NSS databases to prevent corruption and do not have to renew and restart all the services at the same time.
- BZ#888956
- A 389-ds-base variable set during the PKI install "nsslapd-maxbersize" was not dynamically initialized and a restart was required for it to take effect. This caused installation to fail during the replication phase when building a replica from a PKI-CA master with a large CRL. This update includes an LDIF file (/usr/share/pki/ca/conf/database.ldif) to set the default maxbersize to a larger value and allows PKI-CA Replica Installs when CRL exceeds the default maxber value.
- BZ#891980
- Previously, on new IPA server installations, the root CA certificate lifetime was only valid for 8 years and users had to renew the certificate after it expired, which caused some inconvenience. This issue was fixed in Dogtag and this update increases the FreeIPA root CA validity to 20 years.
- BZ#894131
- The "ipa-replica-install" command sometimes failed to add the idnsSOAserial attribute for a new zone and in some cases, zones were added, but with missing data and did not replicate back to the master. With this update, the idnsSOAserial attribute sets properly and synchronizes across all servers and zones are added correctly.
- BZ#894143
- The "ipa-replica-prepare" command failed when a reverse zone did not have SOA serial data and reported a traceback error, which was difficult to read, when the problem occurred. Now, the "ipa-replica-prepare" command functions properly and if SOA serial data is missing, returns a more concise error message.
- BZ#895298
- When either dirsrv or krb5kdc were down, the "service named restart" command in the ipa-upgradeconfig failed during the upgrade of the ipa packages. With this update, the "service named restart" command functions normally and installation no longer fails during upgrades.
- BZ#895561
- Previously, the IPA install on a server with no IPv4 address failed with a "Can't contact LDAP server" error. With this update, both the server and replica install correctly and error messages no longer occur.
- BZ#903758
- Users who upgraded from IPA version 2.2 to version 3.0 encountered certmonger errors and the update failed with the error message, "certmonger failed to start tracking certificate." With this update, IPA 2.2 properly upgrades to version 3.0 without any errors.
- BZ#905594
- Before, users were unable to install the ipa-server-trust-ad package on a 32-bit platform and when doing so received the error message "Unable to read consumer identity." This update provides fixes in the spec file, and the package now installs properly on 32-bit platforms.
Enhancements
- BZ#766007
- This update introduces SELinux User Mapping rules which can be used in Identity Management in conjunction with HBAC rules to define the users, groups and hosts to which the rules apply.
- BZ#766068
- Support for SSH public key management has been added to the IPA server, and OpenSSH on IPA clients is automatically configured to use the public keys stored on the IPA server. Now, when a host enrolled in Identity Management connects to another enrolled host, the SSH public key is verified against the central Identity Management storage.
- BZ#766179
- The Cross Realm Kerberos Trust functionality provided by Identity Management is included as a Technology Preview. This feature allows users to create a trust relationship between an Identity Management and an Active Directory domain. Users from the Active Directory domain can access resources and services from the Identity Management domain with their AD credentials and data does not need to be synchronized between the Identity Management and Active Directory domain controllers.
- BZ#767379
- An automated solution to configure automount on clients for automount maps configured in the central Identity Management server was added. After an Identity Management client has been configured, administrators may use the provided ipa-client-automount script to configure client hosts to use automount maps configured in the Identity Management server.
- BZ#782981
- Users using the Identity Management Web UI were previously forced to log in to client machines enrolled in Identity Management in order to update a password that had expired or been reset. With this update, users are able to more conveniently change an expired or reset password from the Web UI itself.
- BZ#783166
- This update allows the ipa-client-install interface to accept prioritization of IPA servers that clients connect to. Previously, administrators could not configure a prioritized IPA server that SSSD should connect to before connecting to other servers which were potentially returned in a SRV DNS query. Now, when a new option "--fixed-primary" is passed to the "ipa-client-install" command, the discovered or user-provided server is configured as the first value in the ipa_server directive in the "/etc/sssd/sssd.conf" file. Thus, SSSD will always try to connect to this host first.
- BZ#783274
- This enhancement adds support for MAC address attributes on host entries in Identity Management and publishes them in the Identity Management NIS server. Users can utilize the "--macaddress" option to configure MAC addresses for an Identity Management host entry and, when NIS is enabled, the MAC address can be read from an ethers map.
- BZ#786199
- Each ipa command line request previously required full and time-consuming Kerberos authentication, particularly when a series of commands were scripted. This update enhances the command line to take advantage of server-side sessions using a secure cookie, which provides a significant performance improvement due to avoidance of full Kerberos authentication for each ipa command. The session cookie is stored in the session keyring; refer to the keyctl(1) man page for more information about the key management facility.
- BZ#798363
- This update introduces Web UI and CLI "Create Password Policy" entry labels and specifies measurement units, for example, "seconds" for all configured policy fields. Previously, missing measurement units in the Identity Management Web UI or CLI "Create Password Policy" might have confused some users. Now, all missing measurement units are specified in configured policy fields.
- BZ#801931
- Previously, when administrators wanted to delegate privileges to update a DNS zone to other Identity Management users, they had to allow write access to the entire DNS tree. This update allows administrators to delegate write privileges to a selected zone only: administrators can use the "dnszone-add-permission" command to create a system permission allowing its assignee to read and write only a selected DNS zone managed by Identity Management.
- BZ#804619
- Prior to this update, administrators could not configure a slave DNS server because it could not function properly unless an SOA serial number was changed every time a DNS record was changed. With this update, SOA serial numbers are automatically increased when a record in a DNS zone managed by Identity Management is updated. This feature takes advantage of and requires the persistent search data refresh mechanism, which is enabled by default in the Identity Management server install script. Administrators can now configure a slave DNS server for zones managed by Identity Management.
- BZ#805233
- This update prevents deletion of the last administrator, because administrators could accidentally delete the last user from the Identity Management Administrators group, which could only be repaired with direct LDAP modification by the Directory Manager. Now, Identity Management does not allow administrators to delete or disable the last member in the administrator group and Identity Management always has at least one active administrator.
- BZ#813402
- This enhancement warns users in the Identity Management Web UI when their password is about to expire. When the Identity Management user password is about to expire in a configurable number of days, the user is notified in the Identity Management Web UI about this and is offered a link to reset the password.
- BZ#821448
- The Identity Management Firefox browser configuration script now checks if the browser is configured to send Referrer header in HTTP requests for Identity Management. Previously, Firefox browsers which did not have the "network.http.sendRefererHeader" configuration option set to "True" would fail to connect to the Identity Management Web UI, even though they ran the configuration script. Presently, the configuration option is set correctly and the Firefox browser can connect to the Web UI.
- BZ#831010
- This enhancement allows Identity Management client installer to accept a fixed set of Identity Management servers and circumvent automatic server discovery via DNS SRV records. Some network environments may contain SRV records which are not suitable for Identity Management client and should not be used by the client at all. The "--fixed-primary" option of ipa-client-install can now be used to configure SSSD to not use DNS SRV records to auto-discover Identity Management servers and the client install script now accepts a fixed list of Identity Management servers which is then passed to SSSD.
- BZ#835643
- This update introduces an auto-renew of Identity Management Subsystem Certificates. The default validity period for a new Certificate Authority is 10 years and the CA issues a number of certificates for its subsystems (OCSP, audit log, and others). Subsystem certificates are normally valid for two years and if the certificates expire, the CA does not start up or does not function properly. Therefore, in Red Hat Enterprise Linux 6.4, Identity Management servers are capable of automatically renewing their subsystem certificates and the subsystem certificates are tracked by certmonger, which automatically attempts to renew the certificates before they expire.
7.90. iproute
Bug Fix
- BZ#811219
- Invoking the socket stat utility, ss, with the "-ul" arguments did not list open UDP sockets. Consequently, users could not list open or listening UDP sockets. A patch has been applied to the ss utility to list UDP sockets, and the utility now correctly reports all open UDP sockets.
Enhancement
- BZ#821106
- The iproute packages were distributed without the libnetlink library for accessing the netlink service. Consequently, it was not possible for users to utilize the libnetlink library features. The libnetlink library is now included in the newly introduced "iproute-devel" subpackage. As a result, users can now utilize libnetlink features.
7.91. iprutils
Bug Fixes
- BZ#826907
- Previously, showing disk details caused the iprconfig utility, which is used to configure Hardware RAID devices, to terminate unexpectedly. Now, disk details are shown properly and iprconfig no longer crashes.
- BZ#830982
- Previously, in some situations, iprconfig failed to change the IOA asymmetric access mode if the saved mode in the configuration file located in the "/etc/ipr/" directory was different than the current mode. With this update, iprconfig sets the mode correctly and a warning message is returned when this inconsistency is detected.
- BZ#869751
- Previously, iprutils showed the wrong disk platform location within the system location string when the "iprconfig -c show-details sgx" command was used. Now, the platform location for the hard disk is combined with the location of "secured easy setup" (SES) and the physical location slot number which prevents this error from occurring.
7.92. iptables
Bug Fixes
- BZ#800208
- The sysctl values for certain netfilter kernel modules, such as nf_conntrack and xt_conntrack, were not restored after a firewall restart. Consequently, the firewall did not always perform as expected after a restart. This update allows iptables to load sysctl settings on start if specified by the user in the /etc/sysctl.conf file. Users can now define sysctl settings to load on start and restart.
- BZ#809108
- The iptables(8) and ip6tables(8) man pages were previously missing information about the AUDIT target module, which allows creating audit records of the packet flow. This update adds the missing description of the audit support to these man pages.
- BZ#821441
- The iptables and ip6tables commands did not correctly handle calculation of the maximum length of iptables chains. Consequently, when assigning a firewall rule to an iptables chain with a name longer than 28 characters, the iptables or ip6tables command terminated with a buffer overflow and the rule was not assigned. This update corrects the related code so that iptables and ip6tables now handle names of iptable chains correctly and a firewall rule is assigned in the described scenario as expected.
- BZ#836286
- The iptables init script calls the /sbin/restorecon binary when saving firewall rules so that the iptables packages depend on the policycoreutils packages. However, the iptables packages previously did not require the policycoreutils as a dependency. Consequently, the "/etc/init.d/iptables save" command failed if the policycoreutils packages were not installed on the system. This update modifies the iptables spec file to require the policycoreutils packages as its prerequisite and thus prevents this problem from occurring.
Enhancements
- BZ#747068
- The iptables packages have been modified to support the update-alternatives mechanism to allow easier delivery of new iptables versions for the MRG Realtime kernel.
- BZ#808272
- Fallback mode has been added for the iptables and ip6tables services. A fallback firewall configuration can be stored in the /etc/sysconfig/iptables.fallback and /etc/sysconfig/ip6tables.fallback files in the iptables-save file format. The firewall rules from the fallback file are used if the service fails to apply the firewall rules from the /etc/sysconfig/iptables file (or the /etc/sysconfig/ip6tables file in case of ip6tables).
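As an added example (not code from the iptables package or from these notes), the following shell helper generates a fail-closed fallback ruleset in the iptables-save format that /etc/sysconfig/iptables.fallback expects, so that a failure to load the primary ruleset does not leave the host open. The permitted services (loopback, established traffic, ICMP echo and one SSH port) are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the RHEL 6.4 iptables package: build a
# restrictive fallback ruleset for /etc/sysconfig/iptables.fallback.
# The iptables service loads this file only when it cannot apply
# /etc/sysconfig/iptables, so the fallback should fail closed.

# SSH_PORT is an assumption for the example; override in the environment.
SSH_PORT=${SSH_PORT:-22}

# Print the fallback ruleset in iptables-save format. Lines starting
# with '#' are comments and are ignored by iptables-restore.
fallback_rules() {
    cat <<EOF
# Fallback firewall: applied only when the primary ruleset fails to load.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -m state --state NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "FALLBACK-DROP: " --log-level 4
-A INPUT -j DROP
COMMIT
EOF
}

# Write the ruleset to the given path (default: the file the iptables
# init script reads) with root-only permissions. A temporary file plus
# rename means a half-written fallback file is never picked up.
write_fallback() {
    dest=${1:-/etc/sysconfig/iptables.fallback}
    tmp="${dest}.tmp.$$"
    fallback_rules > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0600 "$tmp"
    mv -f "$tmp" "$dest"
}

# Offline sanity check that does not touch the kernel: the table must end
# with COMMIT, every chain referenced by a rule must be declared in the
# same table, and the INPUT policy must be DROP. Returns 1 on failure.
check_fallback() {
    rules=$(fallback_rules)
    printf '%s\n' "$rules" | grep -q '^COMMIT$' || return 1
    for chain in $(printf '%s\n' "$rules" \
                   | sed -n 's/^-A \([A-Za-z0-9_-]*\) .*/\1/p' | sort -u); do
        printf '%s\n' "$rules" | grep -q "^:${chain} " || return 1
    done
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    return 0
}
```

Run `check_fallback` before `write_fallback` on a host; the default destination requires root, so pass an alternative path to inspect the output first.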
7.93. irqbalance
Bug Fixes
- BZ#813078
- The irqbalance(1) man page did not contain documentation for the IRQBALANCE_BANNED_CPUS environment variable. This update adds the extensive documentation to this man page.
- BZ#843379
- The irqbalance daemon assigns each interrupt source in the system to a "class", which represents the type of the device (for example Networking, Storage or Media). Previously, irqbalance used the IRQ handler names from the /proc/interrupts file to decide the source class, which caused irqbalance to not recognize network interrupts correctly. As a consequence, systems that use NIC biosdevnames did not have their hardware interrupts distributed and pinned as expected. With this update, the device classification mechanism has been improved, which ensures a better interrupts distribution.
- BZ#860627
- Previously, the irqbalance init script started the irqbalance daemon with the "--foreground" option, which caused irqbalance to become unresponsive. With this update, the "--foreground" option has been removed from the init script and irqbalance now starts as expected.
7.94. irssi
Bug Fix
- BZ#639258
- Prior to this update, when the user attempted to use the "/unload" command to unload a static module, Irssi incorrectly marked this module as unavailable, rendering the user unable to load this module again without restarting the client. This update adapts the underlying source code to ensure that only dynamic modules can be unloaded.
- BZ#845047
- The previous version of the irssi(1) manual page documented "--usage" as a valid command line option. This was incorrect, because Irssi no longer supports this option and an attempt to use it causes it to fail with an error. With this update, the manual page has been corrected and no longer documents unsupported command line options.
7.95. iscsi-initiator-utils
Bug Fixes
- BZ#826300
- The iSCSI user-space driver, iscsiuio, has been upgraded to upstream version 0.7.6.1, which provides a number of bug fixes and enhancements over the previous version. In particular, it adds VLAN and routing support.
- BZ#811428
- The "iscsiadm --version" command was missing the main version number, the leading "6.". This update corrects the version number value and "iscsiadm --version" now shows the main version number correctly.
- BZ#854776
- For some bnx2i cards, the network interface must be active for the iSCSI interface to report a valid MAC address. This sometimes led to a failure to connect to an iSCSI target and, consequently, to iSCSI root setups failing to boot. This update changes iscsistart to put the network interface associated with the iSCSI context into an active state. As a result, iSCSI boot with bnx2i cards now works correctly.
- BZ#868305
- Due to a regression in the iscsiuio 0.7.4.3 update, iSCSI discovery and login failed on certain hardware. This has been corrected as part of the iscsiuio 0.7.6.1 update. As a result, iSCSI is functional again.
7.96. jss
Bug Fix
- BZ#797352
- Previously, certain JSS calls to NSS functions were scheduled to be replaced with calls to the JCA interface, so the original JSS calls were marked as deprecated and caused warnings to be reported during refactoring. However, in JSS 4.2 these calls have not yet been fully replaced with their JCA-based implementation. With this update, the calls are no longer marked as deprecated and the warnings no longer occur.
Enhancement
- BZ#804838
- This update adds support for Elliptic Curve Cryptography (ECC) key archival in JSS. It provides new methods, such as getCurve(), Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid() and getECCurveBytesByX509PublicKeyBytes().
7.97. kabi-whitelists
Enhancements
- BZ#826795
- The "blk_queue_physical_block_size", "close_bdev_exclusive", "filemap_fdatawrite_range", "get_sb_nodev", "kill_anon_super", "open_bdev_exclusive", "jiffies_to_timespec", "kernel_getsockopt", "kernel_setsockopt", "radix_tree_delete", "pagevec_lookup", "recalc_sigpending", "path_put", and "simple_write_end" symbols have been added to the kernel application binary interface (ABI) whitelists.
- BZ#831247
- The "unlock_rename", "vfs_rename", "path_put", "default_llseek", "d_find_alias", "d_invalidate", "file_fsync", "strspn", "vfs_writev", "path_get", "nobh_truncate_page", "nobh_write_begin", "nobh_write_end", "nobh_writepage", "____pagevec_lru_add", "add_to_page_cache_locked", and "filemap_flush" symbols have been added to the kernel ABI whitelists.
- BZ#902825
- The "__generic_file_aio_write", "blk_queue_resize_tags", and "blk_queue_segment_boundary" symbols have been added to the kernel ABI whitelists.
- BZ#849732
- The following symbols have been added to the kernel ABI whitelists: "__alloc_pages", "__bitmap_weight", "__down_failed", "__free_pages", "__init_rwsem", "__init_waitqueue_head", "__kmalloc", "__memcpy", "__put_cred", "__raw_local_save_flags", "__stack_chk_fail", "__tasklet_schedule", "__tracepoint_kmalloc", "__up_wakeup", "__vmalloc", "__wake_up", "_cond_resched", "_spin_lock", "_spin_lock_irqsave", "_spin_unlock_irqrestore", "add_disk", "alloc_disk", "alloc_pages_current", "allow_signal", "autoremove_wake_function", "bio_endio", "bio_init", "bio_put", "blk_alloc_queue", "blk_cleanup_queue", "blk_queue_hardsect_size", "blk_queue_logical_block_size", "blk_queue_make_request", "blkdev_put", "complete", "complete_and_exit", "cond_resched", "contig_page_data", "copy_from_user", "copy_to_user", "cpu_present_map", "cpu_present_mask", "create_proc_entry", "daemonize", "del_gendisk", "do_gettimeofday", "down", "down_read", "down_read_trylock", "down_write", "down_write_trylock", "dump_stack", "filp_close", "filp_open", "finish_wait", "get_user_pages", "init_waitqueue_head", "jiffies", "jiffies_to_msecs", "jiffies_to_timeval", "kernel_thread", "kfree", "kmem_cache_alloc", "kmem_cache_alloc_notrace", "kmem_cache_create", "kmem_cache_destroy", "kmem_cache_free", "malloc_sizes", "mcount", "mem_map", "mem_section", "memcpy", "memset", "mod_timer", "msecs_to_jiffies", "msleep", "msleep_interruptible", "open_by_devnum", "override_creds", "panic", "per_cpu__current_task", "per_cpu__kernel_stack", "prepare_creds", "prepare_to_wait", "printk", "proc_mkdir", "put_disk", "put_page", "pv_irq_ops", "register_blkdev", "remove_proc_entry", "revert_creds", "schedule", "schedule_timeout", "send_sig", "set_user_nice", "sigprocmask", "slab_buffer_size", "snprintf", "sprintf", "strchr", "strcpy", "strncmp", "strncpy", "strnicmp", "strspn", "strstr", "submit_bio", "tasklet_init", "unregister_blkdev", "up", "up_read", "up_write", "vfree", "vfs_writev", "vscnprintf", and "wait_for_completion".
- BZ#864893
- The following symbols have been added to the kernel ABI whitelists: "blkdev_get", "send_sig_info", "__task_pid_nr_ns", "register_shrinker", "set_page_dirty_lock", "current_umask", "balance_dirty_pages_ratelimited_nr", "dentry_open", "generic_file_llseek_unlocked", "posix_acl_alloc", "posix_acl_from_xattr", "posix_acl_to_xattr", "posix_acl_valid", "read_cache_pages", "cancel_dirty_page", "clear_page", "grab_cache_page_nowait", "inode_init_always", "memparse", "put_unused_fd", "radix_tree_tag_set", "congestion_wait", "shrink_dcache_sb", "fd_install", "blk_make_request", "lookup_bdev", "__register_binfmt", "unregister_binfmt", "vm_stat", "kill_pid", and "kobject_get".
- BZ#869353
- A kernel checker tool (KSC) has been added to the kabi-whitelists packages.
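As an added example (not from these notes or from the kabi-whitelists package), the following shell helpers list the symbols a third-party kernel module imports that are not on the kernel ABI whitelist, so that a module depending on non-whitelisted symbols is flagged before a kernel update breaks it. The whitelist layout assumed here (a bracketed section header followed by one symbol name per line) and the use of nm -u to obtain the module's undefined symbols are assumptions; the whitelist file path is passed in explicitly because it is specific to the installed kabi-whitelists package.

```shell
# Added example, not part of the Red Hat notes or of kabi-whitelists: report
# the symbols a .ko imports that are absent from a kernel ABI whitelist file.
# Assumed whitelist layout: "[section]" header lines, then one symbol per
# line with optional leading whitespace.

# Print the whitelisted symbol names from a whitelist file, sorted, one per line.
whitelist_symbols() {
  sed -e '/^\[/d' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" | sort -u
}

# Read symbol names on stdin; print those that are not in the whitelist.
# Both sides are sorted with the same collation so comm(1) can be used.
unwhitelisted_symbols() {
  wl=$1
  tmp=$(mktemp) || return 1
  whitelist_symbols "$wl" > "$tmp"
  sort -u | comm -23 - "$tmp"
  rm -f "$tmp"
}

# check_module MODULE.ko WHITELIST_FILE
# Exit 0 if every undefined symbol of the module is whitelisted, 1 if any is
# not (the offenders are printed to stderr), 2 if an input is unreadable.
# The undefined symbols of a .ko are taken from "nm -u" (last column).
check_module() {
  ko=$1
  wl=$2
  [ -r "$ko" ] && [ -r "$wl" ] || return 2
  bad=$(nm -u "$ko" | awk '{print $NF}' | unwhitelisted_symbols "$wl")
  if [ -n "$bad" ]; then
    printf 'symbols used by %s that are not on the kABI whitelist:\n%s\n' "$ko" "$bad" >&2
    return 1
  fi
  return 0
}
```

Two caveats when reading the output: the whitelist only covers the symbols Red Hat commits to keep stable, so a module that uses an exported but non-whitelisted symbol may load today and still break on a later kernel update, and symbols that a module takes from another out-of-tree module (rather than from the kernel) will also be reported, because they are not kernel ABI at all.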
7.98. kdebase
Bug Fixes
- BZ#608007
- Prior to this update, the Konsole context menu item "Show menu bar" was always checked in new windows even if this menu item was disabled before. This update modifies the underlying code to handle the menu item "Show menu bar" as expected.
- BZ#729307
- Prior to this update, users could not define a default size for xterm windows when using the Konsole terminal in KDE. This update modifies the underlying code and adds the functionality to define a default size.
7.99. kdebase-workspace
Bug Fix
- BZ#749460
- Prior to this update, the task manager did not honor the order of manually arranged items. As a consequence, manually arranged taskbar entries were randomly rearranged when the user switched desktops. This update modifies the underlying code to make manually arranged items more persistent.
7.100. kdelibs3
Bug Fixes
- BZ#681901
- Prior to this update, the kdelibs3 libraries caused a conflict for the subversion version control tool. As a consequence, subversion was not built correctly if the kdelibs3 libraries were installed. This update modifies the underlying code to avoid this conflict. Now, subversion builds as expected with kdelibs3.
- BZ#734447
- kdelibs3 provided its own set of trusted Certificate Authority (CA) certificates. This update makes kdelibs3 use the system set from the ca-certificates package, instead of its own copy.
7.101. kdelibs
Bug Fixes
- BZ#587016
- Prior to this update, the KDE Print dialog did not remember previous settings, nor did it allow the user to save the settings. Consequently, when printing several documents, users were forced to change the settings manually for each printed document. With this update, the KDE Print dialog retains previous settings as expected.
- BZ#682611
- When the system was configured to use the Traditional Chinese language (the zh_TW locale), Konqueror incorrectly used a Chinese (zh_CN) version of its splash page. This update ensures that Konqueror uses the correct locale.
- BZ#734734
- Previously, clicking the system tray to display hidden icons could cause the Plasma Workspaces to consume an excessive amount of CPU time. This update applies a patch that fixes this error.
- BZ#754161
- When using Konqueror to recursively copy files and directories, if one of the subdirectories was not accessible, no warning or error message was reported to the user. This update ensures that Konqueror displays a proper warning message in this scenario.
- BZ#826114
- Prior to this update, an attempt to add "Terminal Emulator" to the Main Toolbar caused Konqueror to terminate unexpectedly with a segmentation fault. With this update, the underlying source code has been corrected to prevent this error so that users can now use this functionality as expected.
- CVE-2012-4512
- A heap-based buffer overflow flaw was found in the way the CSS (Cascading Style Sheets) parser in kdelibs parsed the location of the source for font faces. A web page containing malicious content could cause an application using kdelibs (such as Konqueror) to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
- CVE-2012-4513
- A heap-based buffer over-read flaw was found in the way kdelibs calculated canvas dimensions for large images. A web page containing malicious content could cause an application using kdelibs to crash or disclose portions of its memory.
7.102. kdepim
Bug Fix
- BZ#811125
- Prior to this update, the cyrus-sasl-plain package was not a dependency of the kdepim package. As a consequence, Kmail failed to send mail. This update modifies the underlying code to include the cyrus-sasl-plain dependency.
7.103. kernel
Security Fixes
- CVE-2014-2523, Important
- A flaw was found in the way the Linux kernel's netfilter connection tracking implementation for Datagram Congestion Control Protocol (DCCP) packets used the skb_header_pointer() function. A remote attacker could use this flaw to send a specially crafted DCCP packet to crash the system or, potentially, escalate their privileges on the system.
- CVE-2013-6383, Moderate
- A flaw was found in the way the Linux kernel's Adaptec RAID controller (aacraid) checked permissions of compat IOCTLs. A local attacker could use this flaw to bypass intended security restrictions.
- CVE-2014-0077, Moderate
- A flaw was found in the way the handle_rx() function in the Linux kernel's vhost-net driver handled large network packets when mergeable buffers were disabled. A privileged guest user could use this flaw to crash the host or corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.
Bug Fixes
- BZ#1078512
- The memory page allocation mechanism of the mlx4 driver used exclusively "order 2" allocations when allocating memory for incoming frames. This led to a high memory page allocation failure rate on systems with high memory fragmentation. With this update, the mlx4 driver first attempts an "order 3" allocation and then falls back to lower orders, down to "order 0", if memory is too fragmented. As a result, performance of mlx4 cards is now significantly higher and mlx4 no longer generates memory page allocation failures when the system is under memory pressure.
- BZ#1091161
- Due to a ndlp list corruption bug in the lpfc driver, systems with Emulex LPe16002B-M6 PCIe 2-port 16Gb Fibre Channel Adapters could trigger a kernel panic during I/O operations. A series of patches has been backported to address this problem so the kernel no longer panics during I/O operations on the aforementioned systems.
- BZ#1064912
- Previously, the GFS2 kernel module leaked memory in the gfs2_bufdata slab cache and allowed a use-after-free race condition to be triggered in the gfs2_remove_from_journal() function. As a consequence, after unmounting the GFS2 file system, the GFS2 slab cache could still contain some objects, which could, under certain circumstances, subsequently result in a kernel panic. A series of patches has been applied to the GFS2 kernel module, ensuring that all objects are freed from the slab cache properly and the kernel panic is avoided.
- BZ#1078492
- Due to a regression bug in the mlx4 driver, Mellanox mlx4 adapters could become unresponsive on heavy load along with IOMMU allocation errors being logged to the systems logs. A patch has been applied to the mlx4 driver so that the driver now calculates the last memory page fragment when allocating memory in the Rx path.
- BZ#1086845
- A system could enter a deadlock situation when the Real-Time (RT) scheduler was moving RT tasks between CPUs and the wakeup_kswapd() function was called on multiple CPUs, resulting in a kernel panic. This problem has been fixed by removing a problematic memory allocation and therefore calling the wakeup_kswapd() function from a deadlock-safe context.
- BZ#1079868
- Due to a bug in the hrtimers subsystem, the clock_was_set() function issued an inter-processor interrupt (IPI) from soft IRQ context and waited for its completion, which could result in a deadlock. A patch has been applied that moves the clock_was_set() call out of soft IRQ context into a work context where waiting is safe. In addition, during the resume process, the hrtimers_resume() function reprogrammed kernel timers only for the current CPU because it assumed that all other CPUs were offline. This assumption was incorrect in certain scenarios, such as when resuming a Xen guest whose non-boot CPUs had only been stopped with IRQs disabled. As a consequence, kernel timers were not corrected on CPUs other than the boot CPU even though those CPUs were online. To resolve this problem, hrtimers_resume() has been modified to raise an early soft IRQ so that kernel timers are correctly reprogrammed on all online CPUs.
- BZ#1094621
- When processing a directory with a huge number of files (over five hundred thousand) on a GFS2 file system, the respective task could become unresponsive and memory allocation failures could occur. This happened because GFS2 was updating atime in a memory reclamation path, which occasionally failed under memory pressure. To handle atime updates effectively, this update introduces a new super block operation, dirty_inode(). GFS2 now processes large directories as expected without memory allocation failures or hanging tasks.
- BZ#1092352
- Prior to this update, a guest-provided value was used as the head length of the socket buffer allocated on the host. If the host was under heavy memory load and the guest-provided value was too large, the allocation could have failed, resulting in stalls and packet drops in the guest's Tx path. With this update, the guest-provided value has been limited to a reasonable size so that socket buffer allocations on the host succeed regardless of the memory load on the host, and guests can send packets without experiencing packet drops or stalls.
Security Fixes
- CVE-2014-0101, Important
- A flaw was found in the way the Linux kernel processed an authenticated COOKIE_ECHO chunk during the initialization of an SCTP connection. A remote attacker could use this flaw to crash the system by initiating a specially crafted SCTP handshake in order to trigger a NULL pointer dereference on the system.
Bug Fixes
- BZ#1077872
- Previously, the vmw_pvscsi driver could attempt to complete a command to the SCSI mid-layer after reporting a successful abort of that command. This led to a double completion and a subsequent kernel panic. This update ensures that the pvscsi_abort() function returns SUCCESS only after the abort has completed, preventing the driver from attempting to complete the command again.
- BZ#1028593
- A bug in the kernel's file system code allowed the d_splice_alias() function to create a new dentry for a directory with an already-existing non-DISCONNECTED dentry. As a consequence, a thread accessing the directory could attempt to take the i_mutex on that directory twice, resulting in a deadlock situation. To resolve this problem, d_splice_alias() has been modified so that in the problematic cases, it reuses an existing dentry instead of creating a new dentry.
- BZ#1063198
- Recent changes to the d_splice_alias() function introduced a bug that allowed it to return a dentry belonging to a directory other than the one being looked up. As a consequence, in a cluster environment, a kernel panic could be triggered when a directory was being removed while a concurrent cross-directory operation on that directory was performed on another cluster node. This update corrects the search logic in d_splice_alias() so that it can no longer return a dentry from the wrong directory, which avoids the kernel panic.
- BZ#1078873
- The Red Hat GFS2 file system previously limited the number of ACL entries per inode to 25. This number was insufficient in some cases, causing the setfacl command to fail. This update raises the limit to a maximum of 300 ACL entries for the 4 KB block size; for smaller block sizes the limit is scaled down accordingly.
- BZ#1078640
- A bug in the megaraid_sas driver could cause the driver to read the hardware status values incorrectly. As a consequence, the RAID card was disabled during the system boot and the system could fail to boot. With this update, the megaraid_sas driver has been corrected so that the RAID card is now enabled on system boot as expected.
- BZ#1017904
- Previously, the kernel did not support unsharing for PID name spaces. With this update, a series of patches has been applied to the relevant kernel code to support the unshare() system call for PID name spaces.
- BZ#1075553
- When allocating kernel memory, the SCSI device handlers passed a structure name to sizeof(). However, some of the affected source files used the wrong structure name, so too little memory was allocated, leading to memory corruption. This update changes the relevant sizeof() calls to use the pointer being allocated instead of a structure name, so that the correct amount of memory is now always allocated.
- BZ#1085307
- Previously, GFS2 marked files that were written to for in-core data flushing only if the file size was actually increased. When the gfs2_fsync() function was called on a file that was not marked for in-core data flushing, any metadata or journaled data was not synchronized to the disk. This could, under certain circumstances, cause writes to files that were open for synchronous I/O to return before the data was written to the disk, allowing the data to be lost during a crash. A patch has been applied to mark files correctly whenever metadata has been updated during a write, ensuring that all in-core data are written to the disk with synchronous I/O operations.
- BZ#1086590
- Due to a bug in the GFS2 resource group code, the GFS2 block allocator did not switch from using blocking locks to non-blocking locks after the selected reservation group was found unsatisfactory for the allocation request with a block reservation. As a consequence, the block allocator used only blocking locks for all resource groups since that point, greatly reducing performance of the file system unless it was periodically remounted. This update ensures that the GFS2 block allocator overrides the non-blocking lock only for the appropriate resource group, and the file system performs as expected without any intervention.
Security Fixes
- CVE-2013-4387, Important
- A flaw was found in the way the Linux kernel's IPv6 implementation handled certain UDP packets when the UDP Fragmentation Offload (UFO) feature was enabled. A remote attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system.
- CVE-2013-4470, Important
- A flaw was found in the way the Linux kernel's TCP/IP protocol suite implementation handled sending of certain UDP packets over sockets that used the UDP_CORK option when the UDP Fragmentation Offload (UFO) feature was enabled on the output device. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges on the system.
- CVE-2013-6367, Important
- A divide-by-zero flaw was found in the apic_get_tmcct() function in KVM's Local Advanced Programmable Interrupt Controller (LAPIC) implementation. A privileged guest user could use this flaw to crash the host.
- CVE-2013-6368, Important
- A memory corruption flaw was discovered in the way KVM handled virtual APIC accesses that crossed a page boundary. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system.
- CVE-2013-6381, Important
- A buffer overflow flaw was found in the way the qeth_snmp_command() function in the Linux kernel's QETH network device driver implementation handled SNMP IOCTL requests with an out-of-bounds length. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system.
- CVE-2013-4591, Moderate
- It was found that the fix for CVE-2012-2375 released via RHSA-2012:1580 accidentally removed a check for small-sized result buffers. A local, unprivileged user with access to an NFSv4 mount with ACL support could use this flaw to crash the system or, potentially, escalate their privileges on the system.
- CVE-2013-2851, Low
- A format string flaw was found in the Linux kernel's block layer. A privileged, local user could potentially use this flaw to escalate their privileges to kernel level (ring0).
Bug Fixes
- BZ#1063353
- Previously, the sysfs_dev_char_kobj variable was freed on shutdown, but the variable could be used later by the USB stack, and possibly other code, which could cause the system to terminate unexpectedly. The underlying source code has been modified to prevent "kobjects" in the device_shutdown() function from being removed, as the /sys/dev/block/ and /sys/dev/char/ directories must be kept because of the symbolic links pointing to the devices. As a result, the system no longer crashes in the described scenario.
- BZ#1062112
- Previously, when hot adding memory to the system, the memory management subsystem always performed unconditional page-block scans for all memory sections being set online. The total duration of the hot add operation depends on both the amount of memory the system already has and the amount being added, so the operation took an excessive amount of time to complete when a large amount of memory was added or when the target node already had a considerable amount of memory. This update optimizes the code so that page-block scans are performed only when necessary, which greatly reduces the duration of the hot add operation.
- BZ#1058417
- When performing read operations on an XFS file system, failed buffer readahead can leave the buffer in the cache memory marked with an error. This could lead to incorrect detection of stale errors during completion of an I/O operation because most callers do not zero out the b_error field of the buffer on a subsequent read. To avoid this problem and ensure correct I/O error detection, the b_error field of the used buffer is now zeroed out before submitting an I/O operation on a file.
- BZ#1060490
- When transferring a large amount of data over a Point-to-Point Protocol (PPP) link, a rare race condition between the throttle() and unthrottle() functions in the tty driver could be triggered. As a consequence, the tty driver became unresponsive, remaining in the throttled state, and the traffic stalled. Also, if the PPP link was heavily loaded, another race condition in the tty driver could be triggered that allowed an unsafe update of the available buffer space, which could likewise stall the traffic. A series of patches addressing both race conditions has been applied to the tty driver: if the first race is triggered, the driver loops and forces re-evaluation of the respective test condition, which ensures uninterrupted traffic flow; the second race is now avoided entirely by a well-placed read lock, and the update of the available buffer space proceeds correctly.
- BZ#1059990
- Due to a bug in the SELinux socket receive hook, network traffic was not dropped upon receiving a peer:recv access control denial on some configurations. A broken labeled networking check in the SELinux socket receive hook has been corrected, and network traffic is now properly dropped in the described case.
- BZ#1059382
- Due to a bug in ext4 metadata allocation code, the number of metadata blocks needed to complete a file system operation could be calculated incorrectly. Consequently, when performing file system operations on a nearly full ext4 file system, unexpected allocation failures could occur at writeback time, leading to possible data loss and file system inconsistency. A series of patches has been applied, fixing metadata allocation estimation problems and introducing a reserved space concept that ensures correct allocation of metadata in specific situations, such as the aforementioned scenario.
- BZ#1055363
- Previously, certain SELinux functions did not correctly handle the TCP synchronize-acknowledgment (SYN-ACK) packets when processing IPv4 labeled traffic over an INET socket. The initial SYN-ACK packets were labeled incorrectly by SELinux, and as a result, the access control decision was made using the server socket's label instead of the new connection's label. In addition, SELinux was not properly inspecting outbound labeled IPsec traffic, which led to similar problems with incorrect access control decisions. A series of patches that addresses these problems has been applied to SELinux. The initial SYN-ACK packets are now labeled correctly and SELinux processes all SYN-ACK packets as expected.
- BZ#1041143
- A bug in the mlx4 driver could trigger a race between the "blue flame" feature's traffic flow and the stamping mechanism in the Tx ring flow when processing Work Queue Elements (WQEs) in the Tx ring. Consequently, the related queue pair (QP) of the mlx4 Ethernet card entered an error state and the traffic on the related Tx ring was blocked. A patch has been applied to the mlx4 driver so that the driver does not stamp the last completed WQE in the Tx ring, and thus avoids the aforementioned race.
- BZ#1058419
- Previously, the e752x_edac module incorrectly handled the pci_dev usage count, which could reach zero and deallocate a PCI device structure. As a consequence, a kernel panic could occur when the module was loaded multiple times on some systems. This update fixes the usage count that is triggered by loading and unloading of the module repeatedly, and a kernel panic no longer occurs.
- BZ#1048098
- Previously, task management commands in the lpfc driver had a fixed timeout value of 60 seconds, which could pose a problem for error handling. The lpfc driver has been upgraded to version 8.3.7.21.2p in order to include a fix of this problem. The timeout of the task management commands is now adjustable in range from 5 to 180 seconds, and by default, it is set to 60 seconds.
- BZ#1046042
- Inefficient use of the Big Kernel Lock (BKL) in the ptrace() system call could lead to BKL contention on systems that use ptrace() heavily, such as User-mode Linux (UML) systems, resulting in degraded performance. This update removes the BKL from the relevant ptrace() code paths, thus resolving the related performance issues.
- BZ#1038122
- An improper function call in a previous kernel patch backport caused the PID namespace nesting to malfunction. This could adversely affect the proper functioning of other components, such as the Linux Container (LXC) driver, that rely on nested PID namespace usage. A patch has been applied to correct this problem so that nested PID namespaces can be used as expected.
- BZ#1056143
- Previously, GFS2 marked files that were written to for in-core data flushing only if the file size was actually increased. When the gfs2_fsync() function was called on a file that was not marked for in-core data flushing, any metadata or journaled data was not synchronized to the disk. This could, under certain circumstances, cause writes to files that were open for synchronous I/O to return before the data was written to the disk, allowing the data to be lost during a crash. A patch has been applied to mark files correctly whenever metadata has been updated during a write, ensuring that all in-core data are written to the disk with synchronous I/O operations.
Bug Fixes
- BZ#962894
- When hot adding memory, the operation could fail while the machine was under memory pressure, causing a kernel panic. A patch has been applied to improve the memory hot-add operation, and this problem can now occur only on extremely rare occasions.
- BZ#1030168
- A bug in the netpoll transmit (Tx) code path that is used for netconsole logging could lead to various problems with bonding devices, for example, an invalid Tx queue index could have been used. To avoid these problems, an upstream patch has been backported to allow netpoll calling the external netdev_pick_tx() function from the netpoll_send_skb_on_dev() function.
- BZ#1014968
- The igb driver previously used a 16-bit mask when writing flow control high-water mark values to hardware registers on a network device. Consequently, the values were truncated on some network devices, disrupting flow control. A patch has been applied to the igb driver so that it now uses a 32-bit mask as expected.
- BZ#1006167
- Previously, mounting a GFS2 file system in spectator mode on a cluster node was not possible if no other cluster node had already mounted this GFS2 file system. In such a case, a "file system consistency error" occurred and the GFS2 file system was withdrawn. A patch has been applied to allow the first cluster node mounting a GFS2 file system in spectator mode if all the file system journals are clean.
- BZ#1006388
- Due to a bug in the transmit path of the bonding driver, a buffer for the bonding device queue mapping could become corrupted. As a consequence, a kernel panic could occur or the system could become unresponsive in certain environments, such as running a KVM guest on the Red Hat Enterprise Virtualization (RHEV) hypervisor with netconsole enabled and a bonding device configured over a network bridge. A patch has been applied to save the bonding device queue mapping buffer properly, and buffer corruption in this scenario is now prevented.
- BZ#1006664
- A bug in the kernel's super block code allowed a race between the get_active_super() and umount() functions that could lead to a use-after-free issue, resulting in a kernel oops. An upstream patch has been backported to fix this problem so that get_active_super() repeats attempts to obtain the active super block until it succeeds. The aforementioned race no longer occurs.
- BZ#1008508
- A kernel panic could occur during path failover on systems using multiple iSCSI, FC, or SRP paths between an initiator and a target. This happened because a race condition in the SCSI driver allowed a SCSI device to be removed from the system before its run queue had been processed, which led to a NULL pointer dereference. The SCSI driver has been modified to hold a reference to the SCSI device run queue while it is active, so the race no longer occurs.
- BZ#1009251
- When a driver does not support namespaces, the user must use the VLAN splinter feature of Open vSwitch to support VLANs and TCP traffic. However, when the be2net driver was used with the VLAN splinter feature enabled, floating IP traffic could fail. This bug has been fixed, and the VLAN splinter feature now works with the be2net driver without incompatibilities.
- BZ#1019614
- When removing neigh entries, the list_del() function removed the neigh entry from the associated struct ipoib_path, while the ipoib_neigh_free() function removed the neigh entry from the device's neigh entry lookup table. Both operations were protected by a spinlock. However, the table was also protected by RCU locking, so the spinlock was not held during read operations. Consequently, a race condition occurred in which a thread could successfully look up a neigh entry that had already been deleted from the list; the earlier deletion had marked the entry as "poisoned", and calling list_del() on it caused a kernel panic. The list_del() call has been moved into ipoib_neigh_free(), so that the deletion happens only once, after the entry has been successfully removed from the lookup table, thus fixing the bug.
- BZ#1010451
- If the arp_interval and arp_validate bonding options were not enabled on the configured bond device in the correct order, the bond device did not process ARP replies, which led to link failures and changes of the active slave device. A series of patches has been applied to modify an internal bond ARP hook based on the values of arp_validate and arp_interval. Therefore, the ARP hook is registered even if arp_interval is set after arp_validate has already been enabled, and ARP replies are processed as expected.
- BZ#1018966
- When GFS2 files were unlinked, sometimes they were not deleted completely. This could happen because, when multiple nodes in a cluster accessed the same deleted file, the node responsible for freeing the "unlinked" blocks could not be determined properly. Consequently, many deleted dinode blocks that should have been freed were often left in an "unlinked" state. With this update, the responsibility handover for deleting unlinked dinodes is accomplished through a mechanism known as the "iopen" glock. The "iopen" glocks are no longer cached by nodes after the point where it becomes impossible to free the dinode blocks. As a result, the dinode blocks for unlinked dinodes are now freed properly by the last process to close the file.
- BZ#1017905
- When the Audit subsystem was under heavy load, it could loop infinitely in the audit_log_start() function instead of failing over to the error recovery code. This could cause soft lockups in the kernel. With this update, the timeout condition in the audit_log_start() function has been modified to properly fail over when necessary.
- BZ#1018965
- Due to a race condition in the kernel's key management code, any process searching for a key in a keyring could dereference a NULL pointer while that key was instantiated as negative. This led to a kernel panic. A patch to fix this bug has been provided so that the kernel now handles the aforementioned situation properly without triggering the race.
- BZ#1016108
- The crypto_larval_lookup() function could return a larval, an in-between state when a cryptographic algorithm is being registered, even if it did not create one. This could cause a larval to be terminated twice, and result in a kernel panic. This occurred for example when the NFS service was running in FIPS mode, and attempted to use the MD5 hashing algorithm even though FIPS mode has this algorithm blacklisted. A condition has been added to the crypto_larval_lookup() function to check whether a larval was created before returning it.
- BZ#1012049
- Previously, the tcp_ioctl() function tried to take into account if a TCP socket has received a packet with a FIN flag in order to report the correct number of bytes in the receive queue. However, in certain cases, the reported number of bytes in the receive queue was incorrect. This bug has been fixed by using an improved way to detect if a TCP packet with a FIN flag has been received.
- BZ#988807
- Previously, on systems with RAID10 arrays defined, stack memory could become corrupted due to an insufficient amount of memory being allocated for a dynamically sized kernel data structure, leading to a kernel panic. This bug has been fixed and RAID10 arrays can now safely run without the risk of causing a kernel panic.
- BZ#1009756
- Due to the way the VFS code resolves dentry lookups, a race between multiple threads could have been triggered if the threads performed lookups on the same FUSE dentry subtree that contained an invalid (or stale) dentry or inode. As a consequence, the threads could fail with an ENOENT error instead of properly resolving a new dentry or inode. This update applies a series of patches to the FUSE code that addresses this problem and the aforementioned race can no longer occur.
- BZ#1004661
- Previously, the Hyper-V utility services negotiated the highest version of the Key-Value Pair (KVP) protocol that a Windows Server 2012 R2 host advertised, but the host implemented a KVP protocol version that was not compatible with prior versions of the KVP protocol. Consequently, the IP injection functionality did not work on the latest Windows Server 2012 R2 host. This update explicitly specifies the KVP protocol version that the guest can support.
- BZ#1012495
- When a userspace process was reading the /proc/$PID/pagemap file, a memory leak could occur. An upstream patch has been provided to fix this bug, and memory usage before and after the mm_leak call is now the same.
- BZ#1020994
- Previously, when a CPU was brought offline, a race window occurred. During the race window, if an inter-processor interrupt (IPI) was received, it got lost. As a consequence, the system became unresponsive. To fix this bug, a check has been added to the __cpu_disable() function, which executes the enqueued but not yet received IPIs before the CPU is marked offline.
- BZ#1023350
- Previously, when the user added an IPv6 route for local delivery, the route did not work and packets could not be sent. A patch has been applied to limit the neighbor entry creation only for input flow, thus fixing this bug. As a result, IPv6 routes for local delivery now work as expected.
- BZ#1014687, BZ#1025736
- The qla2xxx driver did not use any locking mechanism when passing information between its ISR and mailbox routines. Under certain conditions, this led to multiple mailbox command completions being signaled, which, in turn, led to a false mailbox timeout error for the subsequently issued mailbox command. This bug has been fixed and a mailbox timeout error no longer occurs in this scenario.
Enhancements
- BZ#1011168
- With this update, the missing values for the PG_buddy variable have been added to the kexec system call in order to increase dump performance relating to the buddy system for filtering free pages.
- BZ#990483
- Support for the fallocate method has been added to Filesystem in Userspace (FUSE). This method allows the caller to preallocate and deallocate blocks of a file.
Security Fixes
- CVE-2013-4162, Moderate
- A flaw was found in the way the Linux kernel's TCP/IP protocol suite implementation handled IPv6 sockets that used the UDP_CORK option. A local, unprivileged user could use this flaw to cause a denial of service.
- CVE-2013-4299, Moderate
- An information leak flaw was found in the way the Linux kernel's device mapper subsystem, under certain conditions, interpreted data written to snapshot block devices. An attacker could use this flaw to read data from disk blocks in free space, which are normally inaccessible.
Bug Fixes
- BZ#987261
- Due to a bug in the NFS code, kernel size-192 and size-256 slab caches could leak memory. This could eventually result in an OOM issue when most of the available memory was used by the respective slab cache. A patch has been applied to fix this problem and the respective attributes in the NFS code are now freed properly.
- BZ#987262
- NFS previously allowed extending an NFS file write to cover a full page only if the file had no byte-range lock set. However, extending the write to cover the entire page is sometimes desirable in order to avoid fragmentation inefficiencies. For example, a noticeable performance decrease was reported if a series of small non-contiguous writes was performed on the file. A patch has been applied to the NFS code that allows NFS to extend a file write to a full-page write if the whole file is locked for writing or if the client holds a write delegation.
- BZ#988228
- A change in the ipmi_si driver handling caused an excessively long delay while booting Red Hat Enterprise Linux 6.4 on SGI UV platforms. The driver was loaded as a kernel module on previous versions of Red Hat Enterprise Linux 6, while it is now built into the kernel. However, SGI UV does not use, and thus does not support, the ipmi_si driver. A patch has been applied and the kernel now does not initialize the ipmi_si driver when booting on SGI UV.
- BZ#988384
- GFS2 did not reserve journal space for a quota change block while growing the size of a file. Consequently, a fatal assertion causing a withdraw of the GFS2 file system could have been triggered when the free blocks were allocated from the secondary bitmap. With this update, GFS2 reserves additional blocks in the journal for the quota change, so the file-growing transaction can now complete successfully in this situation.
- BZ#988708
- A dentry leak occurred in the FUSE code when, after a negative lookup, a negative dentry was neither dropped nor was the reference counter of the dentry decremented. This triggered a BUG() macro when unmounting a FUSE subtree containing the dentry, resulting in a kernel panic. A series of patches related to this problem has been applied to the FUSE code and negative dentries are now properly dropped so that triggering the BUG() macro is now avoided.
- BZ#991346
- The fnic driver previously allowed I/O requests with the number of SGL descriptors greater than is supported by Cisco UCS Palo adapters. Consequently, the adapter returned any I/O request with more than 256 SGL descriptors with an error indicating invalid SGLs. A patch has been applied to limit the maximum number of supported SGLs in the fnic driver to 256 and the problem no longer occurs.
- BZ#993544
- An NFS server could terminate unexpectedly due to a NULL pointer dereference caused by a rare race condition in the lockd daemon. An applied patch fixes this problem by protecting the relevant code with spin locks, and thus avoiding the race in lockd.
- BZ#993547
- The kernel interface to ACPI had implemented error messaging incorrectly. The following error message was displayed when the system had a valid ACPI Error Record Serialization Table (ERST) and the pstore.backend kernel parameter had been used to disable use of ERST by the pstore interface:
ERST: Could not register with persistent store
However, the same message was also used to indicate errors precluding registration. A series of patches modifies the relevant ACPI code so that ACPI now properly distinguishes between the different cases and prints unique, informative messages accordingly.
- BZ#994140
- Due to a bug in the memory mapping code, the fadvise64() system call sometimes did not flush all the relevant pages of the given file from cache memory. A patch addresses this problem by adding a test condition that verifies whether all the requested pages were flushed and, if the test fails, retries after attempting to empty the LRU pagevecs.
- BZ#994866
- A previous patch to the CIFS code reintroduced a problem where, under certain conditions, a mount attempt of a CIFS DFS share failed with a "mount error(6): No such device or address" error message. This happened because the return code variable was not properly reset after a previous unsuccessful mount attempt. A backported patch has been applied to properly reset the variable and CIFS DFS shares can now be mounted as expected.
- BZ#994867
- Previously, systems running heavily-loaded NFS servers could experience poor performance of the NFS READDIR operations on large directories that were undergoing concurrent modifications, especially over higher latency connections. This happened because the NFS code performed certain dentry operations inefficiently and revalidated directory attributes too often. This update applies a series of patches that address the problem as follows: needed dentries can be accessed from the dcache after the READDIR operation, and directory attributes are revalidated only at the beginning of the directory or if the cached attributes expire.
- BZ#995334
- A previous change in the bridge multicast code allowed sending general multicast queries in order to achieve faster convergence on startup. To prevent interference with multicast routers, the sent packets contained a zero source IP address. However, these packets interfered with certain multicast-aware switches, which resulted in the system being flooded with IGMP membership queries with a zero source IP address. A series of patches addresses this problem by disabling multicast queries by default and implementing a multicast querier option that allows sending of general multicast queries to be turned on if needed.
- BZ#995458
- When a slave device started up, the current_arp_slave parameter was unset but the active flags on the slave were not marked inactive. Consequently, more than one slave device with active flags in active-backup mode could be present on the system. A patch has been applied to fix this problem by marking the active flags inactive for a slave device before the current_arp_slave parameter is unset.
- BZ#996014
- An infinite loop bug in the NFSv4 code caused an NFSv4 mount process to hang in a busy loop of the LOOKUP_ROOT operation when attempting to mount an NFSv4 file system and the first iteration of this operation failed. A patch has been applied that allows the LOOKUP_ROOT operation to exit properly, and a mount attempt now either succeeds or fails in this situation.
- BZ#996424
- An NFS client previously did not wait for unfinished I/O operations to complete before sending the LOCKU and RELEASE_LOCKOWNER operations to the NFS server in order to release byte-range locks on files. Consequently, if the server processed the LOCKU and RELEASE_LOCKOWNER operations before some of the related READ operations, it released all locking states associated with the requested lock owner, and the READs returned the NFS4ERR_BAD_STATEID error code. This resulted in "Lock reclaim failed!" error messages being generated in the system log, and the NFS client had to recover from the error. A series of patches has been applied ensuring that an NFS client waits for all outstanding I/O operations to complete before releasing the locks.
- BZ#997746
- A previous patch to the bridge multicast code introduced a bug allowing reinitialization of an active timer for a multicast group whenever an IPv6 multicast query was received. A patch has been applied to the bridge multicast code so that a bridge multicast timer is no longer reinitialized when it is active.
- BZ#997916
- A use-after-free issue in the PPS (Pulse-per-second) driver could cause the kernel to crash when unregistering the PPS source. A patch has been applied to resolve this problem so that the respective char device is now removed from the system prior to its deallocation. The patch also prevents deallocating a PPS device with open file descriptors.
- BZ#999328
- Previously, power-limit notification interrupts were enabled by default on the system. This could lead to degradation of system performance or even render the system unusable on certain platforms, such as Dell PowerEdge servers. A patch has been applied to disable power-limit notification interrupts by default, and a new kernel command line parameter "int_pln_enable" has been added to allow users to observe these events using the existing system counters. Power-limit notification messages are also no longer displayed on the console. The affected platforms no longer suffer from degraded system performance due to this problem.
- BZ#1000314
- A bug in the autofs4 mount expiration code could cause the autofs4 module to falsely report a busy tree of NFS mounts as "not in use". Consequently, automount attempted to unmount the tree and failed with a "failed to umount offset" error, leaving the mount tree to appear as empty directories. A patch has been applied to remove an incorrectly used autofs dentry mount check and the aforementioned problem no longer occurs.
- BZ#1001954
- An insufficiently designed calculation in the CPU accelerator could cause an arithmetic overflow in the set_cyc2ns_scale() function if the system uptime exceeded 208 days prior to using kexec to boot into a new kernel. This overflow led to a kernel panic on the systems using the Time Stamp Counter (TSC) clock source, primarily the systems using Intel Xeon E5 processors that do not reset TSC on soft power cycles. A patch has been applied to modify the calculation so that this arithmetic overflow and kernel panic can no longer occur under these circumstances.
- BZ#1001963
- Due to a bug in firmware, systems using the LSI MegaRAID controller failed to initialize this device in the kdump kernel if the "intel_iommu=on" and "iommu=pt" kernel parameters were specified in the first kernel. As a workaround until a firmware fix is available, a patch to the megaraid_sas driver has been applied so that, if the firmware is not in the ready state upon the first attempt to initialize the controller, the driver resets the controller and retries, waiting for the firmware to transition to the ready state.
- BZ#1002184
- Due to a bug in the SCTP code, a NULL pointer dereference could occur when freeing an SCTP association that was hashed, resulting in a kernel panic. A patch addresses this problem by trying to unhash SCTP associations before freeing them and the problem no longer occurs.
- BZ#1003765
- The RAID1 and RAID10 code previously called the raise_barrier() and lower_barrier() functions instead of the freeze_array() and unfreeze_array() functions, which are safe to call from within the management thread. As a consequence, a deadlock situation could occur if an MD array contained a spare disk, rendering the respective kernel thread unresponsive. Furthermore, if a shutdown sequence was initiated after this problem had occurred, the shutdown sequence became unresponsive and any in-cache file system data that had not been synchronized to the disk were lost. A patch correcting this problem has been applied and the RAID1 and RAID10 code now uses management-thread-safe functions as expected.
- BZ#1003931
- A function in the RPC code responsible for verifying whether the cached credentials match the current process did not perform the check correctly. The code checked only whether the groups in the current process credentials appear in the same order as in the cached credential, but did not ensure that no other groups are present in the cached credentials. As a consequence, when accessing files in NFS mounts, a process with the same UID and GID as the original process but with a non-matching group list could have been granted unauthorized access to a file, or, under certain circumstances, the process could have been wrongly prevented from accessing the file. The incorrect test condition has been fixed and the problem can no longer occur.
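The group-list comparison described in this entry, as an added illustration in C. It is a constructed stand-in, not the kernel's own RPC credential code: the structure, the NOGROUP terminator, the function names and the group values are all hypothetical, and it shows the prefix-only check beside the check that also rejects trailing groups the process does not hold.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the credential-matching bug (BZ#1003931).
 * Not the kernel's own code: names and layout are hypothetical. */

#define MAX_GROUPS 16
#define NOGROUP ((uint32_t)-1)   /* marks unused slots in groups[] */

struct cred_sample {
    uint32_t uid;
    uint32_t gid;
    size_t ngroups;
    uint32_t groups[MAX_GROUPS]; /* slots >= ngroups hold NOGROUP */
};

/* Build a credential from a constructed group list; trailing slots are NOGROUP. */
static struct cred_sample make_cred(uint32_t uid, uint32_t gid,
                                    const uint32_t *groups, size_t n)
{
    struct cred_sample c;
    c.uid = uid;
    c.gid = gid;
    c.ngroups = n > MAX_GROUPS ? MAX_GROUPS : n;
    for (size_t i = 0; i < MAX_GROUPS; i++)
        c.groups[i] = i < c.ngroups ? groups[i] : NOGROUP;
    return c;
}

/* Buggy comparison: every group of the current process must appear, in
 * order, at the front of the cached credential's list. Nothing checks that
 * the cached list stops there, so a cached entry carrying extra trailing
 * groups is still treated as belonging to this process. */
static bool creds_match_buggy(const struct cred_sample *cached,
                              const struct cred_sample *cur)
{
    if (cached->uid != cur->uid || cached->gid != cur->gid)
        return false;
    for (size_t i = 0; i < cur->ngroups; i++)
        if (cached->groups[i] != cur->groups[i])
            return false;
    return true;   /* missing: is cached->groups[cur->ngroups] NOGROUP? */
}

/* Fixed comparison: the same prefix walk, plus the requirement that the
 * cached list has no further group after the last one the process holds. */
static bool creds_match_fixed(const struct cred_sample *cached,
                              const struct cred_sample *cur)
{
    if (cached->uid != cur->uid || cached->gid != cur->gid)
        return false;
    for (size_t i = 0; i < cur->ngroups; i++)
        if (cached->groups[i] != cur->groups[i])
            return false;
    if (cur->ngroups < MAX_GROUPS && cached->groups[cur->ngroups] != NOGROUP)
        return false;   /* cached entry carries a group this process lacks */
    return true;
}

/* Scenario: the cache holds a credential from an earlier process with the
 * same uid/gid that was also in group 300; the current process is not.
 * Returns true when the buggy check would hand the current process that
 * cached credential (and with it group 300) while the fixed check refuses. */
static bool demo_privilege_bleed(void)
{
    static const uint32_t earlier[] = { 100, 200, 300 };   /* constructed */
    static const uint32_t current[] = { 100, 200 };        /* constructed */
    struct cred_sample cached = make_cred(1000, 1000, earlier, 3);
    struct cred_sample cur = make_cred(1000, 1000, current, 2);
    return creds_match_buggy(&cached, &cur) && !creds_match_fixed(&cached, &cur);
}

/* Control case: identical group lists must match under both checks. */
static bool demo_identical_match(void)
{
    static const uint32_t groups[] = { 100, 200 };         /* constructed */
    struct cred_sample a = make_cred(1000, 1000, groups, 2);
    struct cred_sample b = make_cred(1000, 1000, groups, 2);
    return creds_match_buggy(&a, &b) && creds_match_fixed(&a, &b);
}

int main(void)
{
    printf("buggy check reuses a cached credential with an extra group: %s\n",
           demo_privilege_bleed() ? "yes" : "no");
    printf("identical credentials match under both checks: %s\n",
           demo_identical_match() ? "yes" : "no");
    return 0;
}
```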
- BZ#1004657
- The xen-netback and xen-netfront drivers cannot handle packets with size greater than 64 KB including headers. The xen-netfront driver previously did not account for any headers when determining the maximum size of GSO (Generic Segmentation Offload). Consequently, Xen DomU guest operations could have caused a network DoS issue on DomU when sending packets larger than 64 KB. This update adds a patch that corrects calculation of the GSO maximum size and the problem no longer occurs.
- BZ#1006932
- A bug in the real-time (RT) scheduler could cause an RT priority process to stop running due to an invalid attribute of the run queue. When a CPU became affected by this bug, the migration kernel thread stopped running on the CPU, and subsequently every other process that was migrated to the affected CPU by the system stopped running as well. A patch has been applied to the RT scheduler and RT priority processes are no longer affected by this problem.
- BZ#1006956
- A patch included in kernel version 2.6.32-358.9.1.el6, to fix handling of revoked NFSv4 delegations, introduced a regression bug to the NFSv4 code. This regression in the NFSv4 exception and asynchronous error handling allowed, under certain circumstances, passing a NULL inode to an NFSv4 delegation-related function, which resulted in a kernel panic. The NFSv4 exception and asynchronous error handling has been fixed so that a NULL inode can no longer be passed in this situation.
Security Fixes
- CVE-2013-2206, Important
- A flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled duplicate cookies. If a local user queried SCTP connection information at the same time a remote attacker has initialized a crafted SCTP connection to the system, it could trigger a NULL pointer dereference, causing the system to crash.
- CVE-2013-2224, Important
- It was found that the fix for CVE-2012-3552 released via RHSA-2012:1304 introduced an invalid free flaw in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to corrupt kernel memory via crafted sendmsg() calls, allowing them to cause a denial of service or, potentially, escalate their privileges on the system.
- CVE-2013-2146, Moderate
- A flaw was found in the Linux kernel's Performance Events implementation. On systems with certain Intel processors, a local, unprivileged user could use this flaw to cause a denial of service by leveraging the perf subsystem to write into the reserved bits of the OFFCORE_RSP_0 and OFFCORE_RSP_1 model-specific registers.
- CVE-2013-2232, Moderate
- An invalid pointer dereference flaw was found in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system by using sendmsg() with an IPv6 socket connected to an IPv4 destination.
- CVE-2012-6544, Low
- Information leak flaws in the Linux kernel's Bluetooth implementation could allow a local, unprivileged user to leak kernel memory to user-space.
- CVE-2013-2237, Low
- An information leak flaw in the Linux kernel could allow a privileged, local user to leak kernel memory to user-space.
Bug Fixes
- BZ#956054
- The kernel could rarely terminate instead of creating a dump file when a multi-threaded process using FPU aborted. This happened because the kernel did not wait until all threads became inactive and attempted to dump the FPU state of active threads into memory which triggered a BUG_ON() routine. A patch addressing this problem has been applied and the kernel now waits for the threads to become inactive before dumping their FPU state into memory.
- BZ#959930
- Due to the way the CPU time was calculated, an integer multiplication overflow bug could occur after several days of running CPU bound processes that were using hundreds of kernel threads. As a consequence, the kernel stopped updating the CPU time and provided an incorrect CPU time instead. This could confuse users and lead to various application problems. This update applies a patch fixing this problem by decreasing the precision of calculations when the stime and rtime values become too large. Also, a bug allowing stime values to be sometimes erroneously calculated as utime values has been fixed.
- BZ#963557
- Due to several bugs in the ext4 code, data integrity system calls did not always properly persist data on the disk. Therefore, the unsynchronized data in the ext4 file system could have been lost after the system's unexpected termination. A series of patches has been applied to the ext4 code to address this problem, including a fix that ensures proper usage of data barriers in the code responsible for file synchronization. Data loss no longer occurs in the described situation.
- BZ#974597
- A previous patch that modified dcache and autofs code caused a regression. Due to this regression, unmounting a large number of expired automounts on a system under heavy NFS load caused soft lockups, rendering the system unresponsive. If a "soft lockup" watchdog was configured, the machine rebooted. To fix the regression, the erroneous patch has been reverted and the system now handles the aforementioned scenario properly without any soft lockups.
- BZ#975576
- A system could become unresponsive due to an attempt to shut down an XFS file system that was waiting for log I/O completion. A patch to the XFS code has been applied that allows for the shutdown method to be called from different contexts so XFS log items can be deleted properly even outside the AIL, which fixes this problem.
- BZ#975578
- XFS file systems were occasionally shut down with the "xfs_trans_ail_delete_bulk: attempting to delete a log item that is not in the AIL" error message. This happened because the EFI/EFD handling logic was incorrect and the EFI log item could have been freed before it was placed in the AIL and committed. A patch has been applied to the XFS code fixing the EFI/EFD handling logic and ensuring that the EFI log items are never freed before the EFD log items are processed. The aforementioned error no longer occurs on an XFS shutdown.
- BZ#977668
- A race condition between the read_swap_cache_async() and get_swap_page() functions in the memory management (mm) code could lead to a deadlock situation. The deadlock could occur only on systems that deployed swap partitions on devices supporting block DISCARD and TRIM operations if kernel preemption was disabled (the !CONFIG_PREEMPT parameter). If the read_swap_cache_async() function was given a SWAP_HAS_CACHE entry that did not have a page in the swap cache yet, a DISCARD operation was performed in the scan_swap_map() function. Consequently, completion of an I/O operation was scheduled on the same CPU's working queue the read_swap_cache_async() was running on. This caused the thread in read_swap_cache_async() to loop indefinitely around its "-EEXIST" case, rendering the system unresponsive. The problem has been fixed by adding an explicit cond_resched() call to read_swap_cache_async(), which allows other tasks to run on the affected CPU, and thus avoiding the deadlock.
- BZ#977680, BZ#989923
- A previous change in the port auto-selection code allowed ports to be shared where no conflict existed, extending their usage. Consequently, when binding a socket with the SO_REUSEADDR socket option enabled, the bind(2) function could allocate an ephemeral port that was already in use. A subsequent connection attempt failed in such a case with the EADDRNOTAVAIL error code. This update applies a patch that modifies the port auto-selection code so that bind(2) now selects a non-conflicting port even with the SO_REUSEADDR option enabled.
- BZ#979293
- Cyclic adding and removing of the st kernel module could previously cause a system to become unresponsive. This was caused by a disk queue reference count bug in the SCSI tape driver. An upstream patch addressing this bug has been backported to the SCSI tape driver and the system now responds as expected in this situation.
- BZ#979912
- On KVM guests with the KVM clock (kvmclock) as a clock source and with some VCPUs pinned, certain VCPUs could experience significant sleep delays (elapsed time greater than 20 seconds). This resulted in unexpected delays by sleeping functions and inaccurate measurement of low latency events. The problem happened because a kvmclock update was isolated to a certain VCPU, so the NTP frequency correction applied only to that single VCPU. This problem has been resolved by a patch allowing kvmclock updates to all VCPUs on the KVM guest. VCPU sleep time now does not exceed the expected amount and no longer causes the aforementioned problems.
- BZ#981177
- When using applications that intensively utilized memory mapping, customers experienced significant application latency, which led to serious performance degradation. A series of patches has been applied to fix the problem. Among other things, the patches modify the memory mapping code to allow block devices to require stable page writes, enforce stable page writes only if required by a backing device, and optionally snapshot page content to provide stable pages during write. As a result, application latency has been improved by a considerable amount and applications with high demand of memory mapping now perform as expected.
- BZ#982116
- The bnx2x driver could have previously reported an occasional MDC/MDIO timeout error along with the loss of the link connection. This could happen in environments using an older boot code because the MDIO clock was set in the beginning of each boot code sequence instead of per CL45 command. To avoid this problem, the bnx2x driver now sets the MDIO clock per CL45 command. Additionally, the MDIO clock is now implemented per EMAC register instead of per port number, which prevents ports from using different EMAC addresses for different PHY accesses. Also, a boot code or Management Firmware (MFW) upgrade is required to prevent the boot code (firmware) from taking over link ownership if the driver's pulse is delayed. The BCM57711 card requires boot code version 6.2.24 or later, and the BCM57712/578xx cards require MFW version 7.4.22 or later.
- BZ#982472
- If the Audit queue is too long, the kernel schedules the kauditd daemon to alleviate the load on the Audit queue. Previously, if the current Audit process had any pending signals in such a situation, it entered a busy-wait loop for the duration of an Audit backlog timeout because the wait_for_auditd() function was called as an interruptible task. This could lead to system lockup in non-preemptive uniprocessor systems. This update fixes the problem by setting wait_for_auditd() as uninterruptible.
- BZ#982496
- A possible race in the tty layer could result in a kernel panic after triggering the BUG_ON() macro. As a workaround, the BUG_ON() macro has been replaced by the WARN_ON() macro, which allows for avoiding the kernel panic and investigating the race problem further.
- BZ#982571
- A recent change in the memory mapping code introduced a new optional next-fit algorithm for allocating VMAs to map processed files to the address space. This change, however, broke behavior of a certain internal function which then always followed the next-fit VMA allocation scheme instead of the first-fit VMA allocation scheme. Consequently, when the first-fit VMA allocation scheme was in use, this bug caused linear address space fragmentation and could lead to early "-ENOMEM" failures for mmap() requests. This patch restores the original first-fit behavior to the function so the aforementioned problems no longer occur.
- BZ#982697
- When using certain HP hardware with UHCI HCD support and the uhci-hcd driver performed the auto-stop operation, the kernel emitted the "kernel: uhci_hcd 0000:01:00.4: Controller not stopped yet!" warning messages. This happened because HP's virtual UHCI host controller takes an extremely long time to suspend (several hundred microseconds) even with no attached USB device, and the driver was not adjusted to handle this situation. To avoid this problem, the uhci-hcd driver has been modified to not run the auto-stop operation until the controller is suspended.
- BZ#982703
- A previously released erratum, RHSA-2013:0911, included a patch that added support for memory configurations greater than 1 TB of RAM on AMD systems, and a patch that fixed a kernel panic preventing installation of Red Hat Enterprise Linux on such systems. However, these patches broke booting of Red Hat Enterprise Linux 6.4 on the SGI UV platform, and therefore they have been reverted with this update. Red Hat Enterprise Linux 6.4 now boots on SGI UV as expected.
- BZ#982758
- Due to a bug in descriptor handling, the ioat driver did not correctly process pending descriptors on systems with the Intel Xeon Processor E5 family. Consequently, the CPU was utilized excessively on these systems. A patch has been applied to the ioat driver so the driver now determines pending descriptors correctly and CPU usage is normal again for the described processor family.
- BZ#990464
- A bug in the network bridge code allowed an internal function to call code which was not atomic-safe while holding a spin lock. Consequently, a "BUG: scheduling while atomic" error was triggered and a call trace logged by the kernel. This update applies a patch that orders the function properly so that it no longer holds a spin lock while calling code which is not atomic-safe. The aforementioned error with a call trace no longer occurs in this case.
- BZ#990470
- A race condition in the abort task and SPP device task management path of the isci driver could, under certain circumstances, cause the driver to fail cleaning up timed-out I/O requests that were pending on a SAS disk device. As a consequence, the kernel removed such a device from the system. A patch applied to the isci driver fixes this problem by sending the task management function request to the SAS drive any time the abort function is entered and the task has not completed. The driver now cleans up timed-out I/O requests as expected in this situation.
Security Fixes
- CVE-2013-2128, Moderate
- A flaw was found in the tcp_read_sock() function in the Linux kernel's IPv4 TCP/IP protocol suite implementation in the way socket buffers (skb) were handled. A local, unprivileged user could trigger this issue via a call to splice(), leading to a denial of service.
- CVE-2012-6548, CVE-2013-2634, CVE-2013-2635, CVE-2013-3222, CVE-2013-3224, CVE-2013-3225, Low
- Information leak flaws in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.
- CVE-2013-0914, Low
- An information leak was found in the Linux kernel's POSIX signals implementation. A local, unprivileged user could use this flaw to bypass the Address Space Layout Randomization (ASLR) security feature.
- CVE-2013-1848, Low
- A format string flaw was found in the ext3_msg() function in the Linux kernel's ext3 file system implementation. A local user who is able to mount an ext3 file system could use this flaw to cause a denial of service or, potentially, escalate their privileges.
- CVE-2013-2852, Low
- A format string flaw was found in the b43_do_request_fw() function in the Linux kernel's b43 driver implementation. A local user who is able to specify the "fwpostfix" b43 module parameter could use this flaw to cause a denial of service or, potentially, escalate their privileges.
- CVE-2013-3301, Low
- A NULL pointer dereference flaw was found in the Linux kernel's ftrace and function tracer implementations. A local user who has the CAP_SYS_ADMIN capability could use this flaw to cause a denial of service.
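The two format string entries above (CVE-2013-1848 in ext3_msg(), CVE-2013-2852 in b43_do_request_fw()) share one defect pattern: text a user controls is handed to a printk-style helper as the format argument rather than as a "%s" argument. The constructed userspace program below is an added illustration, not code from the kernel or from this erratum; fs_msg, the report_option_* functions, has_format_directive and the sample option strings are all hypothetical stand-ins. It shows the defective call beside the hardened one, plus a small check that flags untrusted text carrying conversion directives before it reaches a format parameter.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a kernel message helper such as ext3_msg(): writes
 * "<prefix>: <formatted text>" into buf and returns the length, like snprintf.
 * The format attribute lets gcc/clang warn (-Wformat-security) about callers
 * that pass a non-literal format with no arguments, i.e. the defect below. */
static int __attribute__((format(printf, 4, 5)))
fs_msg(char *buf, size_t len, const char *prefix, const char *fmt, ...)
{
    va_list ap;
    int n = snprintf(buf, len, "%s: ", prefix);
    if (n < 0 || (size_t)n >= len)
        return n;
    va_start(ap, fmt);
    n += vsnprintf(buf + n, len - (size_t)n, fmt, ap);
    va_end(ap);
    return n;
}

/* Defect pattern behind CVE-2013-1848 / CVE-2013-2852: user-controlled text
 * (a mount option, a module parameter) becomes the format string itself. With
 * a benign string the output looks right, which is why the bug hides; with '%'
 * directives vsnprintf reads arguments that were never passed. Kept only to
 * contrast with the hardened form; never call it with untrusted input. */
static int report_option_unsafe(char *buf, size_t len, const char *opt)
{
    return fs_msg(buf, len, "EXT3-fs", opt);   /* BUG: opt used as format */
}

/* Hardened form: the format is a literal and the untrusted text is a %s
 * argument, so any '%' characters in opt are copied verbatim. */
static int report_option_safe(char *buf, size_t len, const char *opt)
{
    return fs_msg(buf, len, "EXT3-fs", "unrecognized mount option \"%s\"", opt);
}

/* Returns 1 if s contains a conversion directive (a '%' not doubled as "%%"),
 * i.e. text that would be interpreted if it ever reached a format parameter.
 * Handy in tests or input validation for strings that get logged. */
static int has_format_directive(const char *s)
{
    const char *p = s;
    while ((p = strchr(p, '%')) != NULL) {
        if (p[1] != '%')
            return 1;
        p += 2;          /* skip the literal "%%" pair */
    }
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` reports the call in report_option_unsafe; the hardened variant is silent.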
Bug Fixes
- BZ#924847
- An error in backporting the block reservation feature from upstream resulted in a missing allocation of a reservation structure when an allocation is required during the rename system call. Renaming a file system object (for example, file or directory) requires a block allocation for the destination directory. If the destination directory had not had a reservation structure allocated, a NULL pointer dereference occurred, leading to a kernel panic. With this update, a reservation structure is allocated before the rename operation, and a kernel panic no longer occurs in this scenario. This patch also ensures that the inode's multi-block reservation is not deleted when a file is closed while changing the inode's size.
- BZ#927308
- When an inconsistency is detected in a GFS2 file system after an I/O operation, the kernel performs the withdraw operation on the local node. However, the kernel previously did not wait for an acknowledgement from the GFS control daemon (gfs_controld) before proceeding with the withdraw operation. Therefore, if a failure isolating the GFS2 file system from the data storage occurred, the kernel was not aware of this problem and an I/O operation to the shared block device may have been performed after the withdraw operation was logged as successful. This could lead to corruption of the file system or prevent the node from performing journal recovery. This patch modifies the GFS2 code so the withdraw operation no longer proceeds without the acknowledgement from gfs_controld, and the GFS2 file system can no longer become corrupted after performing the withdraw operation.
- BZ#927317
- The GFS2 discard code did not calculate the sector offset correctly for block devices with a sector size of 4 KB, which led to loss of data and metadata on these devices. A patch correcting this problem has been applied so the discard and FITRIM requests now work as expected for block devices with the 4 KB sector size.
- BZ#956296
- The virtual file system (VFS) code had a race condition between the unlink and link system calls that allowed creating hard links to deleted (unlinked) files. This could, under certain circumstances, cause inode corruption that eventually resulted in a file system shutdown. The problem was observed in Red Hat Storage during rsync operations on replicated Gluster volumes that resulted in an XFS shutdown. A check has been added to the VFS code, preventing hard links to deleted files from being created.
- BZ#956979
- The sunrpc code paths that wake up an RPC task are highly optimized for speed so the code avoids using any locking mechanism but requires precise operation ordering. Multiple bugs were found related to operation ordering, which resulted in a kernel crash involving either a BUG_ON() assertion or an incorrect use of a data structure in the sunrpc layer. These problems have been fixed by properly ordering operations related to the RPC_TASK_QUEUED and RPC_TASK_RUNNING bits in the wake-up code paths of the sunrpc layer.
- BZ#958684
- A previous update introduced a new failure mode to the blk_get_request() function returning the -ENODEV error code when a block device queue is being destroyed. However, the change did not include a NULL pointer check for all callers of the function. Consequently, the kernel could dereference a NULL pointer when removing a block device from the system, which resulted in a kernel panic. This update applies a patch that adds these missing NULL pointer checks. Also, some callers of the blk_get_request() function could previously return the -ENOMEM error code instead of -ENODEV, which would lead to incorrect call chain propagation. This update applies a patch ensuring that correct return codes are propagated.
- BZ#962368
- A rare race condition between the "devloss" timeout and discovery state machine could trigger a bug in the lpfc driver that nested two levels of spin locks in reverse order. The reverse order of spin locks led to a deadlock situation and the system became unresponsive. With this update, a patch addressing the deadlock problem has been applied and the system no longer hangs in this situation.
- BZ#962370
- When attempting to deploy a virtual machine on a hypervisor with multiple NICs and macvtap devices, a kernel panic could occur. This happened because the macvtap driver did not gracefully handle a situation when the macvlan_port.vlans list was empty and returned a NULL pointer. This update applies a series of patches which fix this problem using a read-copy-update (RCU) mechanism and by preventing the driver from returning a NULL pointer if the list is empty. The kernel no longer panics in this scenario.
- BZ#962372
- Certain CPUs contain on-chip virtual-machine control structure (VMCS) caches that are used to keep active VMCSs managed by the KVM module. These VMCSs contain runtime information of the guest machines operated by KVM. These CPUs require support of the VMCLEAR instruction that allows flushing the cache's content into memory. The kernel previously did not use the VMCLEAR instruction in Kdump. As a consequence, when dumping a core of the QEMU KVM host, the respective CPUs did not flush VMCSs to memory and the guests' runtime information was not included in the core dump. This problem has been addressed by a series of patches that implement support for using the VMCLEAR instruction in Kdump. The kernel now performs the VMCLEAR operation in Kdump if it is required by a CPU, so the vmcore file of the QEMU KVM host contains all VMCS information as expected.
- BZ#963564
- When a network interface (NIC) is running in promiscuous (PROMISC) mode, the NIC may receive and process VLAN tagged frames even though no VLAN is attached to the NIC. However, some network drivers, such as bnx2, igb, tg3, and e1000e, did not handle processing of packets with VLAN tagged frames in PROMISC mode correctly if the frames had no VLAN group assigned. The drivers processed the packets with incorrect routines and various problems could occur; for example, a DHCPv6 server connected to a VLAN could assign an IPv6 address from the VLAN pool to a NIC with no VLAN interface. To handle the VLAN tagged frames without a VLAN group properly, the frames have to be processed by the VLAN code, so the aforementioned drivers have been modified to refrain from performing a NULL value test of the packet's VLAN group field when the NIC is in PROMISC mode. This update also includes a patch fixing a bug where the bnx2x driver did not strip a VLAN header from the frame if no VLAN was configured on the NIC, and another patch that implements some register changes in order to enable receiving and transmitting of VLAN packets on a NIC even if no VLAN is registered with the card.
- BZ#964046
- Due to a bug in the NFSv4 nfsd code, a NULL pointer could have been dereferenced when nfsd was looking up a path to the NFSv4 recovery directory for the fsync operation, which resulted in a kernel panic. This update applies a patch that modifies the NFSv4 nfsd code to open a file descriptor for fsync in the NFSv4 recovery directory instead of looking up the path. The kernel no longer panics in this situation.
- BZ#966432
- When adding a virtual PCI device, such as virtio disk, virtio net, e1000 or rtl8139, to a KVM guest, the kacpid thread reprograms the hot plug parameters of all devices on the PCI bus to which the new device is being added. When reprogramming the hot plug parameters of a VGA or QXL graphics device, the graphics device emulation requests flushing of the guest's shadow page tables. Previously, if the guest had a huge and complex set of shadow page tables, the flushing operation took a significant amount of time and the guest could appear to be unresponsive for several minutes. This resulted in exceeding the threshold of the "soft lockup" watchdog, and "BUG: soft lockup" events were logged by both the guest and host kernels. This update applies a series of patches that deal with this problem. The KVM's Memory Management Unit (MMU) now avoids creating multiple page table roots in connection with processors that support Extended Page Tables (EPT). This prevents the guest's shadow page tables from becoming too complex on machines with EPT support. The MMU now also flushes only large memory mappings, which alleviates the situation on machines where the processor does not support EPT. Additionally, a free memory accounting race that could prevent the KVM MMU from freeing memory pages has been fixed.
- BZ#968557
- A race condition could occur in the uhci-hcd kernel module if the IRQ line was shared with other devices. The race condition allowed the IRQ handler routine to be called before the data structures were fully initialized, which caused the system to become unresponsive. This update applies a patch that fixes the problem by adding a test condition to the IRQ handler routine; if the data structure initialization is still in progress, the handler routine finishes immediately.
- BZ#969306
- When setting up a bonding device, a certain flag was used to distinguish between TLB and ALB modes. However, usage of this flag in ALB mode allowed enslaving NICs before the bond was activated. This resulted in enslaved NICs not having unique MAC addresses as required, and consequent loss of "reply" packets sent to the slaves. This patch modifies the function responsible for the setup of the slave's MAC address so the flag is no longer needed to distinguish ALB mode from TLB mode, and the flag has been removed. The described problem no longer occurs in this situation.
- BZ#969326
- When booting the normal kernel on certain servers, such as HP ProLiant DL980 G7, some interrupts may have been lost, which resulted in the system being unresponsive or, rarely, even in data loss. This happened because the kernel did not set the correct destination mode during boot: the kernel booted in "logical cluster mode", which is the default, while this system supported only "x2apic physical mode". This update applies a series of patches addressing the problem. The underlying APIC code has been modified so the x2apic probing code now checks the Fixed ACPI Description Table (FADT) and installs the x2apic "physical" driver as expected. Also, the APIC code has been simplified and the code now uses probe routines to select the destination APIC mode and install the correct APIC drivers.
- BZ#972586
- A bug in the OProfile tool led to a NULL pointer dereference while unloading the OProfile kernel module, which resulted in a kernel panic. The problem was triggered if the kernel was running with the nolapic parameter set and OProfile was configured to use the NMI timer interrupt. The problem has been fixed by correctly setting the NMI timer when initializing OProfile.
- BZ#973198
- Previously, when booting a Red Hat Enterprise Linux 6.4 system and the ACPI Static Resource Affinity Table (SRAT) had a hot-pluggable bit enabled, the kernel considered the SRAT table incorrect and NUMA was not configured. This led to a general protection fault and a kernel panic occurring on the system. The problem has been fixed by using an SMBIOS check in the code in order to avoid the SRAT table consistency checks. NUMA is now configured as expected and the kernel no longer panics in this situation.
- BZ#973555
- A bug in the PCI driver allowed the use of a pointer to a Virtual Function (VF) device entry that had already been freed. Consequently, when hot-removing an I/O unit with SR-IOV devices enabled, a kernel panic occurred. This update modifies the PCI driver so a valid pointer to the Physical Function (PF) device entry is used and the kernel no longer panics in this situation.
- BZ#975086
- The kernel previously did not handle the situation where the system needed to fall back from non-flat Advanced Programmable Interrupt Controller (APIC) mode to flat APIC mode. Consequently, a NULL pointer was dereferenced and a kernel panic occurred. This update adds the flat_probe() function to the APIC driver, which allows the kernel to use flat APIC mode as a fall-back option. The kernel no longer panics in this situation.
Security Fixes