6.3 Technical Notes

Detailed notes on the changes implemented in Red Hat Enterprise Linux 6.3

Edition 3


Legal Notice

Copyright © 2012 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version (http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/6.3_Technical_Notes/index.html).
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
All other trademarks are the property of their respective owners.


1801 Varsity Drive
Raleigh, NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701

Abstract
The Red Hat Enterprise Linux 6.3 Technical Notes list and document the changes made to the Red Hat Enterprise Linux 6 operating system and its accompanying applications between Red Hat Enterprise Linux 6.2 and minor release Red Hat Enterprise Linux 6.3.

Preface
1. Important Kernel Changes to Note
2. Technology Previews
2.1. Storage and File Systems
2.2. Networking
2.3. Clustering and High Availability
2.4. Authentication
2.5. Security
2.6. Devices
2.7. Kernel
2.8. Virtualization
2.9. Resource Management
2.10. Tools
3. Known Issues
3.1. Installation
3.2. Entitlement
3.3. Deployment
3.4. Virtualization
3.5. Storage and File Systems
3.6. Networking
3.7. Clustering
3.8. Authentication
3.9. Devices
3.10. Kernel
3.11. Desktop
3.12. Tools
4. New Packages
4.1. RHEA-2012:0842 — new package: byzanz
4.2. RHEA-2012:0797 — new packages: crash-gcore-command
4.3. RHEA-2012:0831 — new package: device-mapper-persistent-data
4.4. RHEA-2012:0814 — new package: i2c-tools
4.5. RHEA-2012:0829 — new packages: ipset and libmnl
4.6. RHEA-2012:0840 — new packages: java-1.7.0-ibm
4.7. RHEA-2012:0981 — new packages: java-1.7.0-openjdk
4.8. RHEA-2012:0838 — new package: java-1.7.0-oracle
4.9. RHEA-2012:0825 — new package: ledmon
4.10. RHEA-2012:0812 — new package: libqb
4.11. RHEA-2012:0798 — new packages: libreoffice
4.12. RHEA-2012:0868 — new packages: libwacom
4.13. RHEA-2012:0890 — new package: numad
4.14. RHEA-2012:0826 — new package: ppc64-diag
4.15. RHEA-2012:0806 — new packages: scl-utils
4.16. RHEA-2012:0823 — new package: subscription-manager-migration-data
4.17. RHEA-2012:0853 — new packages: usbredir
4.18. RHEA-2012:0965 — new package: virt-p2v
5. Package Updates
5.1. 389-ds-base
5.2. abrt, libreport, btparser, and python-meh
5.3. alsa-utils
5.4. anaconda
5.5. atlas
5.6. audit
5.7. augeas
5.8. authconfig
5.9. autofs
5.10. bind
5.11. bind-dyndb-ldap
5.12. binutils
5.13. busybox
5.14. byacc
5.15. c-ares
5.16. certmonger
5.17. chkconfig
5.18. cifs-utils
5.19. cluster and gfs2-utils
5.20. cluster-glue
5.21. clustermon
5.22. conman
5.23. control-center
5.24. coolkey
5.25. coreutils
5.26. corosync
5.27. cpio
5.28. crash
5.29. crash-trace-command
5.30. createrepo
5.31. cryptsetup-luks
5.32. ctdb
5.33. cups
5.34. db4
5.35. device-mapper-multipath
5.36. dhcp
5.37. ding-libs
5.38. dmraid
5.39. dnsmasq
5.40. dracut
5.41. dropwatch
5.42. e2fsprogs
5.43. efibootmgr
5.44. expect
5.45. fcoe-target-utils
5.46. fcoe-utils
5.47. febootstrap
5.48. fence-agents
5.49. fence-virt
5.50. file
5.51. firstboot
5.52. flash-plugin
5.53. fontforge
5.54. fprintd
5.55. freeradius
5.56. gawk
5.57. gcc
5.58. gdb
5.59. ghostscript
5.60. glib2
5.61. glibc
5.62. gnome-desktop
5.63. gnome-keyring
5.64. gnome-power-manager
5.65. gnome-settings-daemon
5.66. gnome-system-monitor
5.67. grep
5.68. grub
5.69. grubby
5.70. gtk2
5.71. hivex
5.72. hsqldb
5.73. hwdata
5.74. icedtea-web
5.75. imsettings
5.76. indent
5.77. initscripts
5.78. iok
5.79. ipa
5.80. ipmitool
5.81. iproute
5.82. iprutils
5.83. iptraf
5.84. ipvsadm
5.85. irqbalance
5.86. iscsi-initiator-utils
5.87. java-1.6.0-openjdk
5.88. jss
5.89. kabi-whitelists
5.90. kdeartwork
5.91. kdebase-workspace
5.92. kdelibs
5.93. kernel
5.94. kexec-tools
5.95. keyutils
5.96. krb5
5.97. ksh
5.98. latencytop
5.99. libbonobo
5.100. libcgroup
5.101. liberation-fonts
5.102. libevent
5.103. libguestfs
5.104. libgweather
5.105. libhbaapi
5.106. libhbalinux
5.107. libibverbs-rocee and libmlx4-rocee
5.108. libselinux
5.109. libservicelog
5.110. libtar
5.111. libunistring
5.112. libusb1
5.113. libuser
5.114. libvirt
5.115. libvirt-cim
5.116. libvirt-qmf
5.117. libxklavier
5.118. lldpad
5.119. logrotate
5.120. lohit-kannada-fonts
5.121. lsof
5.122. lsvpd
5.123. ltrace
5.124. luci
5.125. lvm2
5.126. m2crypto
5.127. make
5.128. man
5.129. man-pages-fr
5.130. man-pages-overrides
5.131. matahari
5.132. mcelog
5.133. mdadm
5.134. metacity
5.135. microcode_ctl
5.136. mingw32-matahari
5.137. mingw32-qpid-cpp
5.138. mkbootdisk
5.139. mod_auth_kerb
5.140. mod_nss
5.141. module-init-tools
5.142. mysql
5.143. mysql-connector-java
5.144. nautilus
5.145. net-snmp
5.146. NetworkManager
5.147. NetworkManager-openswan
5.148. nfs-utils
5.149. nfs4-acl-tools
5.150. nmap
5.151. nss
5.152. nss, nss-util, and nspr
5.153. numactl
5.154. numpy
5.155. openldap
5.156. openssh
5.157. openswan
5.158. oprofile
5.159. pacemaker
5.160. PackageKit
5.161. pam_pkcs11
5.162. parted
5.163. pcre
5.164. pcsc-lite
5.165. perl
5.166. perl-Sys-Virt
5.167. php-pecl-apc
5.168. php-pecl-memcache
5.169. piranha
5.170. pki-core
5.171. policycoreutils
5.172. portreserve
5.173. postgresql-jdbc
5.174. ppc64-utils
5.175. procps
5.176. pykickstart
5.177. python-configshell
5.178. python-memcached
5.179. python-repoze-who
5.180. python-rhsm
5.181. python-rtslib
5.182. python-virtinst
5.183. qemu-kvm
5.184. ql2400-firmware
5.185. ql2500-firmware
5.186. qpid-cpp, python-qpid, and saslwrapper
5.187. qt
5.188. RDMA
5.189. readline
5.190. Red Hat Enterprise Linux Release Notes
5.191. redhat-release
5.192. redhat-rpm-config
5.193. resource-agents
5.194. rgmanager
5.195. rhn-client-tools and yum-rhn-plugin
5.196. ricci
5.197. rpcbind
5.198. rpm
5.199. rsync
5.200. rsyslog
5.201. rusers
5.202. s390utils
5.203. samba
5.204. sanlock
5.205. sblim-cim-client2
5.206. scsi-target-utils
5.207. SDL
5.208. seabios
5.209. sed
5.210. selinux-policy
5.211. servicelog
5.212. setroubleshoot
5.213. setup
5.214. slapi-nis
5.215. smartmontools
5.216. sos
5.217. spice-client
5.218. spice-gtk
5.219. spice-protocol
5.220. spice-server
5.221. spice-xpi
5.222. sssd
5.223. subscription-manager
5.224. subversion and neon
5.225. sudo
5.226. syslinux
5.227. sysstat
5.228. system-config-date-docs
5.229. system-config-kdump
5.230. system-config-keyboard
5.231. system-config-lvm
5.232. system-config-printer
5.233. systemtap
5.234. tar
5.235. tboot
5.236. tcpdump
5.237. tog-pegasus
5.238. tomcat6
5.239. trace-cmd
5.240. tsclient
5.241. tuned
5.242. udev
5.243. upstart
5.244. util-linux-ng
5.245. valgrind
5.246. vim
5.247. vios-proxy
5.248. virt-manager
5.249. virt-top and ocaml-libvirt
5.250. virt-v2v
5.251. virt-viewer
5.252. virt-who
5.253. virtio-win
5.254. vsftpd
5.255. wordnet
5.256. wpa_supplicant
5.257. xfig
5.258. xfsprogs
5.259. xinetd
5.260. xmlrpc-c
5.261. xorg-x11-drv-ati and mesa
5.262. xorg-x11-drv-intel
5.263. xorg-x11-drv-mga
5.264. xorg-x11-drv-wacom
5.265. xorg-x11-server
5.266. yaboot
5.267. yum
5.268. yum-utils
5.269. zsh
A. Revision History

Preface

The Red Hat Enterprise Linux 6.3 Technical Notes list and document the changes made to the Red Hat Enterprise Linux 6 operating system and its accompanying applications between minor release Red Hat Enterprise Linux 6.2 and minor release Red Hat Enterprise Linux 6.3.
For system administrators and others planning Red Hat Enterprise Linux 6.3 upgrades and deployments, the Technical Notes provide a single, organized record of the bugs fixed in, features added to, and Technology Previews included with this new release of Red Hat Enterprise Linux.
For auditors and compliance officers, the Red Hat Enterprise Linux 6.3 Technical Notes provide a single, organized source for change tracking and compliance testing.
For every user, the Red Hat Enterprise Linux 6.3 Technical Notes provide details of what has changed in this new release.

Note

The Package Manifest is available as a separate document.

Chapter 1. Important Kernel Changes to Note

This chapter provides system administrators with a summary of significant changes in the kernel shipped with Red Hat Enterprise Linux 6.3. These changes include added or updated procfs entries, sysfs default values, boot parameters, kernel configuration options, or any noticeable behavior changes. For more details on the features added and bugs fixed in the Red Hat Enterprise Linux 6.3 kernel, refer to the Kernel chapter in the 6.3 Release Notes, or Section 5.93.1, “RHSA-2012:0862 — Moderate: Red Hat Enterprise Linux 6.3 kernel security, bug fix, and enhancement update” in this book.
pci=use_crs
The pci=use_crs boot parameter no longer needs to be specified to force PCI resource allocations to correspond to a specific host bridge the device resides on. It is now the default behavior.
CONFIG_HPET_MMAP, hpet_mmap
The high-resolution timer's capacity to remap the HPET registers into the memory of a user process has been enabled via the CONFIG_HPET_MMAP option. Additionally, the hpet_mmap kernel parameter has been added.
pcie_p=nomsi
The pcie_p=nomsi kernel parameter has been added to allow users to disable MSI/MSI-X for PCI Express Native Hotplug (that is, the pciehp driver). When enabled, all PCIe ports use INTx for hotplug services.
msi_irqs
A per-PCI device subdirectory has been added to sysfs: /sys/bus/pci/devices/<device>/msi_irqs. This subdirectory exports the set of MSI vectors allocated by a given PCI device, by creating a numbered subdirectory for each vector under msi_irqs. For each vector, various attributes can be exported. Currently the only attribute, named mode, tracks the operational mode of that vector (MSI versus MSI-X).
CONFIG_PCI_DEBUG
When the CONFIG_PCI_DEBUG=y option is configured, the -DDEBUG flag is automatically added to the EXTRA_CFLAGS compilation flags.
CONFIG_STRICT_DEVMEM
The CONFIG_STRICT_DEVMEM option is enabled by default for the PowerPC architecture. This option restricts access to the /dev/mem device. If this option is disabled, userspace access to all memory is allowed, including kernel and userspace memory, and accidental memory (write) access could potentially be harmful.
kdump/kexec configuration options
The following kernel configuration options were enabled for the kdump/kexec kernel dumping mechanism on IBM System z:
CONFIG_KEXEC_AUTO_RESERVE=y
CONFIG_CRASH_DUMP=y
CONFIG_PROC_VMCORE=y
KEXEC_AUTO_THRESHOLD
The default value for the KEXEC_AUTO_THRESHOLD option has been lowered to 2 GB.
/proc/mounts
The /proc/mounts file now shows the following mount options for CIFS under the dir_mode= parameter:
nostrictsync
noperm
backupuid
backupgid
dmesg_restrict
Writing to the /proc/sys/kernel/dmesg_restrict file is only allowed for a root user that has the CAP_SYS_ADMIN capability.
printk.always_kmsg_dump
A new kernel parameter, printk.always_kmsg_dump, has been added to save the final kernel messages to the reboot, halt, poweroff, and emergency_restart paths. For usage information, refer to the /usr/share/doc/kernel-doc-<version>/Documentation/kernel-parameters.txt file.
ulimit
The default hard ulimit on the number of files has been increased to 4096:
~]$ ulimit -Hn
4096
soft_panic
A watchdog module parameter, soft_panic, has been added. When soft_panic is set to 1, it causes softdog to invoke kernel panic instead of a reboot when the softdog timer expires. By invoking kernel panic, the system executes kdump, if kdump is configured. Kdump then generates a vmcore which provides additional information on the reasons for the failure.
perf examples
The /usr/share/doc/perf-<version>/examples.txt documentation file has been added to the perf package.
shm_rmid_forced
Support for the shm_rmid_forced sysctl option has been added. When set to 1, all shared memory objects not referenced in the current IPC namespace (with no tasks attached to them) will be automatically forced to use IPC_RMID. For more information, refer to the /usr/share/doc/kernel-doc-<version>/Documentation/sysctl/kernel.txt file.
UV systems reduced boot time
A number of patches have been applied to the kernel in Red Hat Enterprise Linux 6.3 to improve overall performance and reduce boot time on extremely large UV systems (patches were tested on a system with 2048 cores and 16 TB of memory). Additionally, boot messages for the SGI UV2 platform were updated.
accept_local
The /proc/sys/net/ipv4/conf/*/accept_local sysctl setting has been added to allow a system to receive packets it sent itself. This is needed in order to work with certain load balancing solutions that load balance to themselves.
CONFIG_VGA_SWITCHEROO
The CONFIG_VGA_SWITCHEROO configuration option is now enabled by default to allow switching between two graphics cards.
O_DIRECT in FUSE
Support for the O_DIRECT flag for files in FUSE (File system in Userspace) has been added.
CONFIG_IP_MROUTE_MULTIPLE_TABLES
The CONFIG_IP_MROUTE_MULTIPLE_TABLES=y option has been added to enable support for multiple independent multicast routing instances.
nfs.max_session_slots
The nfs.max_session_slots module/kernel boot parameter has been added. This parameter sets the maximum number of session slots that an NFS client attempts to negotiate with the server.
Default mount option for /proc
In Red Hat Enterprise Linux 6.3, the default mount option of /proc during boot up has been changed to:
~]# mount -t proc -o nosuid,noexec,nodev proc /proc
For third party modules which create devices via procfs, please remount procfs with the old option:
~]# mount -t proc /proc /proc
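The check below is an added example, not part of the Technical Notes or of any Red Hat tool: it reads a mounts table in /proc/mounts format and reports which of nosuid, noexec and nodev the effective /proc mount lacks, for instance after a third-party module's remount with the old option. The function names and the two sample tables are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Red Hat code. Audits a mounts table in /proc/mounts
# format for the /proc mount options that are the 6.3 boot default.

# proc_missing_opts MOUNTS_FILE
# Prints the options among nosuid, noexec, nodev that the effective /proc
# mount lacks. Exit status: 0 = all present, 1 = some missing,
# 2 = no proc file system mounted on /proc was found.
proc_missing_opts() {
    # Fields: device mountpoint fstype options dump pass. When mounts are
    # stacked on /proc, the last matching line is the one on top.
    opts=$(awk '$2 == "/proc" && $3 == "proc" { o = $4 } END { print o }' "$1")
    if [ -z "$opts" ]; then
        return 2
    fi
    missing=""
    for want in nosuid noexec nodev; do
        # Compare whole comma-separated tokens, not substrings.
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Constructed sample tables (not captured from a real system).
sample_default() {
    cat <<'EOF'
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
EOF
}

sample_overmounted() {
    # State after "mount -t proc /proc /proc": a second, unrestricted
    # proc mount sits on top of the restricted one.
    cat <<'EOF'
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/proc /proc proc rw,relatime 0 0
EOF
}

# audit_sample GENERATOR: run the check on one constructed table.
audit_sample() {
    tmp=$(mktemp) || return 3
    "$1" > "$tmp"
    proc_missing_opts "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

for s in sample_default sample_overmounted; do
    if out=$(audit_sample "$s"); then
        echo "$s: /proc has nosuid,noexec,nodev"
    else
        echo "$s: /proc is missing: $out"
    fi
done
```

On a live system, run proc_missing_opts /proc/mounts and treat exit status 1 as a deviation from the 6.3 default that should be traced to the module or script that remounted /proc.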

Chapter 2. Technology Previews

Technology Preview features are currently not supported under Red Hat Enterprise Linux subscription services, may not be functionally complete, and are generally not suitable for production use. However, these features are included as a customer convenience and to provide the feature with wider exposure.
Customers may find these features useful in a non-production environment. Customers are also free to provide feedback and functionality suggestions for a Technology Preview feature before it becomes fully supported. Errata will be provided for high-severity security issues.
During the development of a Technology Preview feature, additional components may become available to the public for testing. It is the intention of Red Hat to fully support Technology Preview features in a future release.

2.1. Storage and File Systems

LVM support for (non-clustered) thinly-provisioned snapshots
A new implementation of LVM copy-on-write (cow) snapshots is available in Red Hat Enterprise Linux 6.3 as a Technology Preview. The main advantage of this implementation, compared to the previous implementation of snapshots, is that it allows many virtual devices to be stored on the same data volume. This implementation also provides support for arbitrary depth of recursive snapshots (snapshots of snapshots of snapshots …).
This feature is for use on a single system. It is not available for multi-system access in cluster environments.
For more information, refer to the documentation of the -s/--snapshot option in the lvcreate man page.
Package: lvm2-2.02.95-10
LVM support for (non-clustered) thinly-provisioned LVs
Logical Volumes (LVs) can now be thinly provisioned to manage a storage pool of free space to be allocated to an arbitrary number of devices when needed by applications. This allows creation of devices that can be bound to a thinly provisioned pool for late allocation when an application actually writes to the pool. The thinly-provisioned pool can be expanded dynamically if and when needed for cost-effective allocation of storage space. In Red Hat Enterprise Linux 6.3, this feature is introduced as a Technology Preview. You must have the device-mapper-persistent-data package installed to try out this feature. For more information, refer to the lvcreate(8) man page.
Package: lvm2-2.02.95-10
Dynamic aggregation of LVM metadata via lvmetad
Most LVM commands require an accurate view of the LVM metadata stored on the disk devices on the system. With the current LVM design, if this information is not available, LVM must scan all the physical disk devices in the system. This requires a significant amount of I/O operations in systems that have a large number of disks.
The purpose of the lvmetad daemon is to eliminate the need for this scanning by dynamically aggregating metadata information each time the status of a device changes. These events are signaled to lvmetad by udev rules. If lvmetad is not running, LVM performs a scan as it normally would.
This feature is provided as a Technology Preview and is disabled by default in Red Hat Enterprise Linux 6.3. To enable it, refer to the use_lvmetad parameter in the /etc/lvm/lvm.conf file, and enable the lvmetad daemon by configuring the lvm2-lvmetad init script.
Package: lvm2-2.02.95-10
Parallel NFS
Parallel NFS (pNFS) is a part of the NFS v4.1 standard that allows clients to access storage devices directly and in parallel. The pNFS architecture eliminates the scalability and performance issues associated with NFS servers in deployment today.
pNFS supports 3 different storage protocols or layouts: files, objects and blocks. The Red Hat Enterprise Linux 6.3 NFS client supports the files layout protocol.
To automatically enable the pNFS functionality, create the /etc/modprobe.d/dist-nfsv41.conf file with the following line and reboot the system:
alias nfs-layouttype4-1 nfs_layout_nfsv41_files
Now when the -o minorversion=1 mount option is specified, and the server is pNFS-enabled, the pNFS client code is automatically enabled.
For more information on pNFS, refer to http://www.pnfs.com/.
Package: kernel-2.6.32-279
Open multicast ping (Omping), BZ#657370
Open Multicast Ping (Omping) is a tool to test the IP multicast functionality, primarily in the local network. This utility allows users to test IP multicast functionality and assists in diagnosing whether an issue is in the network configuration or elsewhere (that is, a bug). In Red Hat Enterprise Linux 6, Omping is provided as a Technology Preview.
Package: omping-0.0.4-1
System Information Gatherer and Reporter (SIGAR)
The System Information Gatherer and Reporter (SIGAR) is a library and command-line tool for accessing operating system and hardware level information across multiple platforms and programming languages. In Red Hat Enterprise Linux 6.3, SIGAR is considered a Technology Preview package.
Package: sigar-1.6.5-0.4.git58097d9
fsfreeze
Red Hat Enterprise Linux 6 includes fsfreeze as a Technology Preview. fsfreeze is a new command that halts access to a file system on a disk. fsfreeze is designed to be used with hardware RAID devices, assisting in the creation of volume snapshots. For more details on the fsfreeze utility, refer to the fsfreeze(8) man page.
Package: util-linux-ng-2.17.2-12.7
DIF/DIX support
DIF/DIX is a new addition to the SCSI Standard and a Technology Preview in Red Hat Enterprise Linux 6. DIF/DIX increases the size of the commonly used 512-byte disk block from 512 to 520 bytes, adding the Data Integrity Field (DIF). The DIF stores a checksum value for the data block that is calculated by the Host Bus Adapter (HBA) when a write occurs. The storage device then confirms the checksum on receive, and stores both the data and the checksum. Conversely, when a read occurs, the checksum can be checked by the storage device, and by the receiving HBA.
The DIF/DIX hardware checksum feature must only be used with applications that exclusively issue O_DIRECT I/O. These applications may use the raw block device, or the XFS file system in O_DIRECT mode. (XFS is the only file system that does not fall back to buffered I/O when doing certain allocation operations.) Only applications designed for use with O_DIRECT I/O and DIF/DIX hardware should enable this feature.
For more information, refer to section Block Devices with DIF/DIX Enabled in the Storage Administration Guide.
Package: kernel-2.6.32-279
Filesystem in user space
Filesystem in Userspace (FUSE) allows for custom file systems to be developed and run in user space.
Package: fuse-2.8.3-4
Btrfs, BZ#614121
Btrfs is under development as a file system capable of addressing and managing more files, larger files, and larger volumes than the ext2, ext3, and ext4 file systems. Btrfs is designed to make the file system tolerant of errors, and to facilitate the detection and repair of errors when they occur. It uses checksums to ensure the validity of data and metadata, and maintains snapshots of the file system that can be used for backup or repair. The Btrfs Technology Preview is only available on AMD64 and Intel 64 architectures.

Btrfs is still experimental

Red Hat Enterprise Linux 6 includes Btrfs as a technology preview to allow you to experiment with this file system. You should not choose Btrfs for partitions that will contain valuable data or that are essential for the operation of important systems.
Package: btrfs-progs-0.19-12
LVM Application Programming Interface (API)
Red Hat Enterprise Linux 6 features the new LVM application programming interface (API) as a Technology Preview. This API is used to query and control certain aspects of LVM.
Package: lvm2-2.02.95-4
FS-Cache
FS-Cache in Red Hat Enterprise Linux 6 enables networked file systems (for example, NFS) to have a persistent cache of data on the client machine.
Package: cachefilesd-0.10.2-1

2.2. Networking

QFQ queuing discipline
In Red Hat Enterprise Linux 6.3, the tc utility has been updated to work with the Quick Fair Scheduler (QFQ) kernel features. Users can now take advantage of the new QFQ traffic queuing discipline from userspace. This feature is considered a Technology Preview.
Package: kernel-2.6.32-279
vios-proxy, BZ#721119
vios-proxy is a stream-socket proxy for providing connectivity between a client on a virtual guest and a server on a Hypervisor host. Communication occurs over virtio-serial links.
Package: vios-proxy-0.1-1
IPv6 support in IPVS
The IPv6 support in IPVS (IP Virtual Server) is considered a Technology Preview.
Package: kernel-2.6.32-279

2.3. Clustering and High Availability

Utilizing CPG API for inter-node locking
Rgmanager includes a feature which enables it to utilize Corosync's Closed Process Group (CPG) API for inter-node locking. This feature is automatically enabled when Corosync's RRP feature is enabled. Corosync's RRP feature is considered fully supported. However, when used with the rest of the High-Availability Add-Ons, it is considered a Technology Preview.
Package: rgmanager-3.0.12.1-12
Support for redundant ring for standalone Corosync, BZ#722469
Red Hat Enterprise Linux 6.3 includes support for redundant ring with autorecovery feature as a Technology Preview. Refer to Section 3.7, “Clustering” for a list of known issues associated with this Technology Preview.
Package: corosync-1.4.1-7
corosync-cpgtool, BZ#688260
The corosync-cpgtool now specifies both interfaces in a dual ring configuration. This feature is a Technology Preview.
Package: corosync-1.4.1-7
Disabling rgmanager in /etc/cluster.conf, BZ#723925
As a consequence of converting the /etc/cluster.conf configuration file to be used by pacemaker, rgmanager must be disabled. The risk of not doing this is high; after a successful conversion, it would be possible to start rgmanager and pacemaker on the same host, managing the same resources.
Consequently, Red Hat Enterprise Linux 6 includes a feature (as a Technology Preview) that forces the following requirements:
  • rgmanager must refuse to start if it sees the <rm disabled="1"> flag in /etc/cluster.conf.
  • rgmanager must stop any resources and exit if the <rm disabled="1"> flag appears in /etc/cluster.conf during a reconfiguration.
Package: rgmanager-3.0.12.1-12
libqb package
The libqb package provides a library whose primary purpose is to provide high-performance, reusable client-server features, such as high-performance logging, tracing, inter-process communication, and polling. This package is introduced as a dependency of the pacemaker package, and is considered a Technology Preview in Red Hat Enterprise Linux 6.3.
Package: libqb-0.9.0-2
pacemaker, BZ#456895
Pacemaker, a scalable high-availability cluster resource manager, is included in Red Hat Enterprise Linux 6 as a Technology Preview. Pacemaker is not fully integrated with the Red Hat cluster stack.
Package: pacemaker-1.1.7-6

2.4. Authentication

Support for central management of SSH keys, BZ#803822
Previously, it was not possible to centrally manage host and user SSH public keys. Red Hat Enterprise Linux 6.3 includes SSH public key management for Identity Management servers as a Technology Preview. OpenSSH on Identity Management clients is automatically configured to use public keys which are stored on the Identity Management server. SSH host and user identities can now be managed centrally in Identity Management.
Package: sssd-1.8.0-32
SELinux user mapping, BZ#803821
Red Hat Enterprise Linux 6.3 introduces the ability to control the SELinux context of a user on a remote system. SELinux user map rules can be defined and, optionally, associated with HBAC rules. These maps define the context a user receives depending on the host they are logging into and the group membership. When a user logs into a remote host which is configured to use SSSD with the Identity Management backend, the user's SELinux context is automatically set according to mapping rules defined for that user. For more information, refer to http://freeipa.org/page/SELinux_user_mapping. This feature is considered a Technology Preview.
Package: sssd-1.8.0-32
SSSD support for automount map caching, BZ#761570
In Red Hat Enterprise Linux 6.3, SSSD includes a new Technology Preview feature: support for caching automount maps. This feature provides several advantages to environments that operate with autofs:
  • Cached automount maps make it easy for a client machine to perform mount operations even when the LDAP server is unreachable, but the NFS server remains reachable.
  • When the autofs daemon is configured to look up automount maps via SSSD, only a single file has to be configured: /etc/sssd/sssd.conf. Previously, the /etc/sysconfig/autofs file had to be configured to fetch autofs data.
  • Caching the automount maps results in faster performance on the client and lower traffic on the LDAP server.
Package: sssd-1.8.0-32

2.5. Security

TPM
TPM (Trusted Platform Module) hardware can create, store and use RSA keys securely (without the keys ever being exposed in memory), verify a platform's software state using cryptographic hashes, and more. The trousers and tpm-tools packages are considered a Technology Preview in Red Hat Enterprise Linux 6.3.
Packages: trousers-0.3.4-4, tpm-tools-1.3.4-2

2.6. Devices

SR-IOV on the be2net driver, BZ#602451
The SR-IOV functionality of the Emulex be2net driver is considered a Technology Preview in Red Hat Enterprise Linux 6.3. You must meet the following requirements to use the latest version of SR-IOV support:
  • You must run the latest Emulex firmware (revision 4.1.417.0 or later).
  • The server system BIOS must support the SR-IOV functionality and have virtualization support for Direct I/O VT-d.
  • You must use the GA version of Red Hat Enterprise Linux 6.3.
SR-IOV runs on all Emulex-branded and OEM variants of BE3-based hardware, which all require the be2net driver software.
Package: kernel-2.6.32-279
iSCSI and FCoE boot
iSCSI and FCoE boot support on Broadcom devices is not included in Red Hat Enterprise Linux 6.3. These two features, which are provided by the bnx2i and bnx2fc Broadcom drivers, remain a Technology Preview until further notice.
Package: kernel-2.6.32-279
mpt2sas lockless mode
The mpt2sas driver is fully supported. However, when used in the lockless mode, the driver is a Technology Preview.
Package: kernel-2.6.32-279

2.7. Kernel

Thin-provisioning and scalable snapshot capabilities
The dm-thinp targets, thin and thin-pool, provide a device mapper device with thin-provisioning and scalable snapshot capabilities. This feature is available as a Technology Preview.
Package: kernel-2.6.32-279
kdump/kexec kernel dumping mechanism for IBM System z
In Red Hat Enterprise Linux 6.3, the kdump/kexec kernel dumping mechanism is enabled for IBM System z systems as a Technology Preview, in addition to the IBM System z stand-alone and hypervisor dumping mechanism. The auto-reserve threshold is set at 4 GB; therefore, any IBM System z system with more than 4 GB of memory has the kexec/kdump mechanism enabled.
Sufficient memory must be available because kdump reserves approximately 128 MB as default. This is especially important when performing an upgrade to Red Hat Enterprise Linux 6.3. Sufficient disk space must also be available for storing the dump in case of a system crash. Kdump is limited to DASD or QETH networks as dump devices until kdump on SCSI disk is supported.
The following warning message may appear when kdump is initialized:
..no such file or directory
This message does not impact the dump functionality and can be ignored. You can configure or disable kdump via /etc/kdump.conf, system-config-kdump, or firstboot.
Kernel Media support
The following features are presented as Technology Previews:
  • The latest upstream video4linux
  • Digital video broadcasting
  • Primarily infrared remote control device support
  • Various webcam support fixes and improvements
Package: kernel-2.6.32-279
Remote audit logging
The audit package contains the user space utilities for storing and searching the audit records generated by the audit subsystem in the Linux 2.6 kernel. Within the audispd-plugins sub-package is a utility that allows for the transmission of audit events to a remote aggregating machine. This remote audit logging application, audisp-remote, is considered a Technology Preview in Red Hat Enterprise Linux 6.
Package: audispd-plugins-2.2-2
Linux (NameSpace) Container [LXC]
Linux containers provide a flexible approach to application runtime containment on bare-metal systems without the need to fully virtualize the workload. Red Hat Enterprise Linux 6 provides application level containers to separate and control the application resource usage policies via cgroups and namespaces. This release includes basic management of container life-cycle by allowing creation, editing and deletion of containers via the libvirt API and the virt-manager GUI. Linux Containers are a Technology Preview.
Packages: libvirt-0.9.10-21, virt-manager-0.9.0-14
Error Detection And Correction (EDAC) driver interface
The Error Detection And Correction (EDAC) driver interface for processors based on the Intel microarchitecture code named Nehalem is considered a Technology Preview in this release of Red Hat Enterprise Linux 6.
Package: edac-utils-0.9-14
Diagnostic pulse for the fence_ipmilan agent, BZ#655764
A diagnostic pulse can now be issued on the IPMI interface using the fence_ipmilan agent. This new Technology Preview is used to force a kernel dump of a host if the host is configured to do so. Note that this feature is not a substitute for the off operation in a production cluster.
Package: fence-agents-3.1.5-17

2.8. Virtualization

Performance monitoring in KVM guests, BZ#645365
KVM can now virtualize a performance monitoring unit (vPMU) to allow virtual machines to use performance monitoring. Additionally, it supports Intel's architectural PMU, which can be live-migrated across different host CPU versions, using the -cpu host flag.
With this feature, Red Hat virtualization customers are now able to utilize performance monitoring in KVM guests seamlessly. The virtual performance monitoring feature allows virtual machine users to identify sources of performance problems in their guests, using their preferred pre-existing profiling tools that work on the host as well as the guest. This is an addition to the existing ability to profile a KVM guest from the host.
This feature is a Technology Preview in Red Hat Enterprise Linux 6.3.
Package: kernel-2.6.32-279
Dynamic virtual CPU allocation
KVM in Red Hat Enterprise Linux 6.3 now supports dynamic virtual CPU allocation, also called vCPU hot plug, which allows administrators to dynamically manage capacity and react to unexpected load increases on their platforms during off-peak hours.
The virtual CPU hot-plugging feature gives system administrators the ability to dynamically adjust CPU resources in a guest. Because a guest no longer has to be taken offline to adjust the CPU resources, the availability of the guest is increased.
This feature is a Technology Preview in Red Hat Enterprise Linux 6.3. Currently, only the vCPU hot-add functionality works. The vCPU hot-unplug feature is not yet implemented.
Package: qemu-kvm-0.12.1.2-2.295
Virtio-SCSI capabilities
KVM Virtualization's storage stack has been improved with the addition of virtio-SCSI (a storage architecture for KVM based on SCSI) capabilities. Virtio-SCSI provides the ability to connect directly to SCSI LUNs and significantly improves scalability compared to virtio-blk. The advantage of virtio-SCSI is that it is capable of handling hundreds of devices compared to virtio-blk which can only handle 25 devices and exhausts PCI slots.
Virtio-SCSI is now capable of inheriting the feature set of the target device with the ability to:
  • attach a virtual hard drive or CD through the virtio-scsi controller,
  • pass-through a physical SCSI device from the host to the guest via the QEMU scsi-block device,
  • and allow the usage of hundreds of devices per guest; an improvement from the 32-device limit of virtio-blk.
This feature is a Technology Preview in Red Hat Enterprise Linux 6.3.
Package: qemu-kvm-0.12.1.2-2.295
Support for in-guest S4/S3 states
KVM's power management features have been extended to include native support for S4 (suspend to disk) and S3 (suspend to RAM) states within the virtual machine, speeding up guest restoration from one of these low power states. In earlier implementations guests were saved or restored to/from a disk or memory that was external to the guest, which introduced latency.
Additionally, machines can be awakened from S3 with events from a remote keyboard through SPICE.
This feature is a Technology Preview and is disabled by default in Red Hat Enterprise Linux 6.3. To enable it, select the /usr/share/seabios/bios-pm.bin file for the VM bios instead of the default /usr/share/seabios/bios.bin file.
The native, in-guest S4 (suspend to disk) and S3 (suspend to RAM) power management features support the ability to perform suspend to disk and suspend to RAM functions in the guest (as opposed to the host), reducing the time needed to restore a guest by responding to simple keyboard gesture input. This also removes the need to maintain an external memory-state file. This capability is supported on Red Hat Enterprise Linux 6.3 guests and Windows guests running on any hypervisor capable of supporting S3 and S4.
Package: seabios-0.6.1.2-19
System monitoring via SNMP, BZ#642556
This feature provides KVM support for stable technology that is already used in data centers with bare metal systems. SNMP is the standard for monitoring and is extremely well understood as well as computationally efficient. System monitoring via SNMP in Red Hat Enterprise Linux 6 allows the KVM hosts to send SNMP traps on events so that hypervisor events can be communicated to the user via the standard SNMP protocol. This feature is provided through the addition of a new package: libvirt-snmp. This feature is introduced as a Technology Preview.
Package: libvirt-snmp-0.0.2-3
Wire speed requirement in KVM network drivers
Virtualization and cloud products that run networking workloads need to run at wire speed. Up until Red Hat Enterprise Linux 6.1, the only way to reach wire speed on a 10 GB Ethernet NIC with a lower CPU utilization was to use PCI device assignment (passthrough), which limits other features like memory overcommit and guest migration.
The macvtap/vhost zero-copy capabilities allow the user to use those features when high performance is required. This feature improves performance for any Red Hat Enterprise Linux 6.x guest in the VEPA use case. This feature is introduced as a Technology Preview.
Package: qemu-kvm-0.12.1.2-2.295

2.9. Resource Management

numad package
The numad package provides a daemon for NUMA (Non-Uniform Memory Architecture) systems that monitors NUMA characteristics. As an alternative to manual static CPU pinning and memory assignment, numad provides dynamic adjustment to minimize memory latency on an ongoing basis. The package also provides an interface that can be used to query the numad daemon for the best manual placement of an application. The numad package is introduced as a Technology Preview.
Package: numad-0.5-4.20120522git

2.10. Tools

OpenJDK 7
Red Hat Enterprise Linux 6.3 introduces OpenJDK 7 as a Technology Preview, as an alternative to the fully-supported OpenJDK 6.
Package: java-1.7.0-openjdk-1.7.0.3-2.1

Chapter 3. Known Issues

3.1. Installation
3.2. Entitlement
3.3. Deployment
3.4. Virtualization
3.5. Storage and File Systems
3.6. Networking
3.7. Clustering
3.8. Authentication
3.9. Devices
3.10. Kernel
3.11. Desktop
3.12. Tools

3.1. Installation

anaconda component
Setting the qla4xxx parameter ql4xdisablesysfsboot to 1 may cause boot from SAN failures.
anaconda component
Installing Red Hat Enterprise Linux 6.3 using the text user interface on a system which already has a Red Hat Enterprise Linux system installed on the disk, and going back to the initial Anaconda installation page (using the Back button) may cause a traceback error.
dracut component
Installations to a network root device, such as an iSCSI device, do not function properly when using DHCP, preventing the installed system from rebooting. To work around this issue, when installing to an iSCSI root device, you must select the Anaconda installer option Bind targets to network interfaces; do not leave it unselected, as is the default. Additionally, you must use static IP addresses if using a network root device.
To work around this issue when installing via kickstart, add the --iface= option to the iSCSI command, for example:
iscsi --ipaddr 10.34.39.46 --port 3260 --target iqn.2009-02.com.kvm:iscsibind --iface=eth0
anaconda component
Red Hat Enterprise Linux 6.3 fails to boot when installed without LVM and booted from a Storage Area Network (SAN). To work around this issue, ensure that the /boot partition is using the first partition of multipath, or use LVM (which is the default behavior).
anaconda component
To automatically create an appropriate partition table on disks that are uninitialized or contain unrecognized formatting, use the zerombr kickstart command. The --initlabel option of the clearpart command is not intended to serve this purpose.
anaconda component, BZ#676025
Users performing an upgrade using Anaconda's text mode interface who do not have a boot loader already installed on the system, or who have a non-GRUB boot loader, need to select Skip Boot Loader Configuration during the installation process. Boot loader configuration will need to be completed manually after installation. This problem does not affect users running Anaconda in the graphical mode (graphical mode also includes VNC connectivity mode).
anaconda component
In Red Hat Enterprise Linux 6.3, Anaconda allows installation to disks of size 2.2 TB and larger, but the installed system may not boot properly. Disks of size 2.2 TB and larger may be used during the installation process, but only as data disks (that is, they should not be used as bootable disks).
anaconda component
On s390x systems, you cannot use automatic partitioning and encryption. If you want to use storage encryption, you must perform custom partitioning. Do not place the /boot volume on an encrypted volume.
anaconda component
The order of device names assigned to USB attached storage devices is not guaranteed. Certain USB attached storage devices may take longer to initialize than others, which can result in the device receiving a different name than you expect (for example, sdc instead of sda).
During installation, verify the storage device size, name, and type when configuring partitions and file systems.
kernel component
Recent Red Hat Enterprise Linux 6 releases use a new naming scheme for network interfaces on some machines. As a result, the installer may use different names during an upgrade in certain scenarios (typically em1 is used instead of eth0 on new Dell machines). However, the previously used network interface names are preserved on the system and the upgraded system will still use the previously used interfaces. This is not the case for Yum upgrades.
anaconda component
The kdump default on feature currently depends on Anaconda to insert the crashkernel= parameter to the kernel parameter list in the boot loader's configuration file.
firstaidkit component
The firstaidkit-plugin-grub package has been removed from Red Hat Enterprise Linux 6.2. As a consequence, in rare cases, the system upgrade operation may fail with unresolved dependencies if the plug-in has been installed in a previous version of Red Hat Enterprise Linux. To avoid this problem, the firstaidkit-plugin-grub package should be removed before upgrading the system. However, in most cases, the system upgrade completes as expected.
anaconda component, BZ#623261
In some circumstances, disks that contain a whole disk format (for example, an LVM Physical Volume populating a whole disk) are not cleared correctly using the clearpart --initlabel kickstart command. Adding the --all switch—as in clearpart --initlabel --all—ensures disks are cleared correctly.
squashfs-tools component
During the installation on POWER systems, error messages similar to the following may be returned to sys.log:
attempt to access beyond end of device
loop0: rw=0, want=248626, limit=248624
These errors do not prevent installation and only occur during the initial setup. The file system created by the installer will function correctly.
anaconda component
When installing on the IBM System z architecture, if the installation is being performed over SSH, avoid resizing the terminal window containing the SSH session. If the terminal window is resized during the installation, the installer will exit and the installation will terminate.
yaboot component, BZ#613929
The kernel image provided on the CD/DVD is too large for Open Firmware. Consequently, on the POWER architecture, directly booting the kernel image over a network from the CD/DVD is not possible. Instead, use yaboot to boot from a network.
anaconda component
The Anaconda partition editing interface includes a button labeled Resize. This feature is intended for users wishing to shrink an existing file system and an underlying volume to make room for an installation of a new system. Users performing manual partitioning cannot use the Resize button to change sizes of partitions as they create them. If you determine a partition needs to be larger than you initially created it, you must delete the first one in the partitioning editor and create a new one with the larger size.
system-config-kickstart component
Channel IDs (read, write, data) for network devices are required for defining and configuring network devices on IBM S/390 systems. However, system-config-kickstart—the graphical user interface for generating a kickstart configuration—cannot define channel IDs for a network device. To work around this issue, manually edit the kickstart configuration that system-config-kickstart generates to include the desired network devices.

3.2. Entitlement

subscription manager component
When registering a system with firstboot, the RHN Classic option is checked by default in the Subscription part.
subscription manager component, BZ#811771
Subscription Manager now disables gpgcheck for any repositories it manages which have an empty gpgkey. To re-enable the repository, upload the GPG keys, and ensure that the correct URL is added to your custom content definition.
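The behavior above leaves a repository enabled but installing packages without signature verification. The following audit is an added example, not part of the original notes or of Subscription Manager; it assumes repository definitions in yum's .repo INI format, and the sample repository IDs and URLs are constructed placeholders.

```shell
#!/bin/sh
# Added example: list enabled yum repositories that install packages
# without GPG signature checking.

# Constructed sample in yum .repo (INI) format; the repository IDs and URLs
# are placeholders, not taken from a real system.
SAMPLE_REPO='[rhel-6-server-rpms]
name = Red Hat Enterprise Linux 6 Server (RPMs)
baseurl = https://cdn.example.invalid/rhel/server/6/os
enabled = 1
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

# custom content definition published without a key
[custom-content]
name = Custom content
baseurl = https://cdn.example.invalid/custom/os
enabled = 1
gpgcheck = 0
gpgkey =

[custom-disabled]
baseurl = https://cdn.example.invalid/old/os
enabled = 0
gpgcheck = 0
gpgkey =

[legacy-tools]
baseurl = https://cdn.example.invalid/tools/os
enabled = 1
gpgcheck = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example'

# unsigned_repos: read .repo text on stdin and print "<repo id> <reason>" for
# every enabled repository with gpgcheck = 0.
#   empty-gpgkey  gpgcheck is off and no key URL is defined (the case the
#                 note describes: upload the key and fix the URL first)
#   gpgcheck-off  a key URL exists but checking is switched off anyway
# Assumptions: "enabled" defaults to 1 when absent and only the literal
# value 0 counts as disabled; a section that omits gpgcheck inherits the
# [main] setting from yum.conf and is therefore not reported here.
unsigned_repos() {
    awk '
        function report() {
            if (id == "" || enabled == "0" || gpgcheck != "0") return
            printf "%s %s\n", id, (gpgkey == "" ? "empty-gpgkey" : "gpgcheck-off")
        }
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }

        /^[ \t]*[#;]/ { next }              # comment line
        /^\[/ {                             # new [section]: flush the previous one
            report()
            id = $0; sub(/^\[/, "", id); sub(/\].*$/, "", id)
            enabled = "1"; gpgcheck = ""; gpgkey = ""
            next
        }
        index($0, "=") > 0 {                # key = value
            pos = index($0, "=")
            key = trim(substr($0, 1, pos - 1))
            val = trim(substr($0, pos + 1))
            if (key == "enabled") enabled = val
            else if (key == "gpgcheck") gpgcheck = val
            else if (key == "gpgkey") gpgkey = val
        }
        END { report() }
    '
}

# Demo on the constructed sample. On a host, feed it the real definitions:
#   cat /etc/yum.repos.d/*.repo | unsigned_repos
printf '%s\n' "$SAMPLE_REPO" | unsigned_repos
```
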

3.3. Deployment

cpuspeed component, BZ#626893
Some HP Proliant servers may report incorrect CPU frequency values in /proc/cpuinfo or /sys/devices/system/cpu/*/cpufreq. This is due to the firmware manipulating the CPU frequency without providing any notification to the operating system. To avoid this, ensure that the HP Power Regulator option in the BIOS is set to OS Control. An alternative available on more recent systems is to set Collaborative Power Control to Enabled.
releng component, BZ#644778
Some packages in the Optional repositories on RHN have multilib file conflicts. Consequently, these packages cannot have both the primary architecture (for example, x86_64) and secondary architecture (for example, i686) copies of the package installed on the same machine simultaneously. To work around this issue, install only one copy of the conflicting package.
grub component, BZ#695951
On certain UEFI-based systems, you may need to type BOOTX64 rather than bootx64 to boot the installer due to case sensitivity issues.
grub component, BZ#698708
When rebuilding the grub package on the x86_64 architecture, the glibc-static.i686 package must be used. Using the glibc-static.x86_64 package will not meet the build requirements.

3.4. Virtualization

virt-p2v component, BZ#816930
Converting a physical server running either Red Hat Enterprise Linux 4 or Red Hat Enterprise Linux 5 which has its file system root on an MD device is not supported. Converting such a guest results in a guest which fails to boot. Note that conversion of a Red Hat Enterprise Linux 6 server which has its root on an MD device is supported.
virt-p2v component, BZ#808820
When converting a physical host with a multipath storage, Virt-P2V presents all available paths for conversion. Only a single path must be selected. This must be a currently active path.
vdsm component, BZ#826921
The following parameter has been deprecated in the /etc/vdsm/vdsm.conf file:
[irs]
nfs_mount_options = soft,nosharecache,vers=3
This parameter will continue to be supported in versions 3.x, but will be removed in version 4.0 of NFS. Customers using this parameter should upgrade their domains to V2 and greater and set the parameters from the GUI.
vdsm component, BZ#749479
When adding a bond to an existing network, its world-visible MAC address may change. If the DHCP server is not aware that the new MAC address belongs to the same host as the old one, it may assign the host a different IP address that is known neither to the DNS server nor to Red Hat Enterprise Virtualization Manager. As a result, Red Hat Enterprise Virtualization Manager VDSM connectivity is broken.
To work around this issue, configure your DHCP server to assign the same IP for all the MAC addresses of slave NICs. Alternatively, when editing a management network, do not check connectivity, and make sure that Red Hat Enterprise Virtualization Manager / DNS use the newly-assigned IP address for the node.
vdsm component
Vdsm uses cgroups if they are available on the host. If the cgconfig service is turned off, turn it on with the chkconfig cgconfig on command and reboot. If you prefer not to reboot your system, restarting the libvirt service and vdsm should be sufficient.
ovirt-node component, BZ#747102
Upgrades from Beta to the GA version will result in an incorrect partitioning of the host. The GA version must be installed clean. UEFI machines must be set to legacy boot options for RHEV-H to boot successfully after installation.
kernel component
When a system boots from SAN, it starts the libvirtd service, which enables IP forwarding. The service causes a driver reset on both Ethernet ports, which causes a loss of all paths to an OS disk. Under this condition, the system cannot load firmware files from the OS disk to initialize Ethernet ports, never recovers paths to the OS disk, and fails to boot from SAN. To work around this issue, add the bnx2x.disable_tpa=1 option to the kernel command line of the GRUB menu, or do not install virtualization related software and manually enable IP forwarding when needed.
vdsm component
If the /root/.ssh/ directory is missing from a host when it is added to a Red Hat Enterprise Virtualization Manager data center, the directory is created with a wrong SELinux context, and SSH'ing into the host is denied. To work around this issue, manually create the /root/.ssh directory with the correct SELinux context:
~]# mkdir /root/.ssh
~]# chmod 0700 /root/.ssh
~]# restorecon /root/.ssh
vdsm component
VDSM now configures libvirt so that connection to its local read-write UNIX domain socket is password-protected by SASL. The intention is to protect virtual machines from human errors of local host administrators. All operations that may change the state of virtual machines on a Red Hat Enterprise Virtualization-controlled host must be performed from Red Hat Enterprise Virtualization Manager.
libvirt component
In earlier versions of Red Hat Enterprise Linux, libvirt permitted PCI devices to be insecurely assigned to guests. In Red Hat Enterprise Linux 6, assignment of insecure devices is disabled by default by libvirt. However, this may cause assignment of previously working devices to start failing. To enable the old, insecure setting, edit the /etc/libvirt/qemu.conf file, set the relaxed_acs_check = 1 parameter, and restart libvirtd (service libvirtd restart). Note that this action will re-open possible security issues.
virtio-win component, BZ#615928
The balloon service on Windows 7 guests can only be started by the Administrator user.
libvirt component, BZ#622649
libvirt uses transient iptables rules for managing NAT or bridging to virtual machine guests. Any external command that reloads the iptables state (such as running system-config-firewall) will overwrite the entries needed by libvirt. Consequently, after running any command or tool that changes the state of iptables, guests may lose access to the network. To work around this issue, use the service libvirtd reload command to restore libvirt's additional iptables rules.
virtio-win component, BZ#612801
A Windows virtual machine must be restarted after the installation of the kernel Windows driver framework. If the virtual machine is not restarted, it may crash when a memory balloon operation is performed.
qemu-kvm component, BZ#720597
Installation of Windows 7 Ultimate x86 (32-bit) Service Pack 1 on a guest with more than 4GB of RAM and more than one CPU from a DVD medium often crashes during the final steps of the installation process due to a system hang. To work around this issue, use the Windows Update utility to install the Service Pack.
qemu-kvm component, BZ#612788
A dual function Intel 82576 Gigabit Ethernet Controller interface (codename: Kawela, PCI Vendor/Device ID: 8086:10c9) cannot have both physical functions (PF's) device-assigned to a Windows 2008 guest. Either physical function can be device assigned to a Windows 2008 guest (PCI function 0 or function 1), but not both.
virt-v2v component, BZ#618091
The virt-v2v utility is able to convert guests running on an ESX server. However, if an ESX guest has a disk with a snapshot, the snapshot must be on the same datastore as the underlying disk storage. If the snapshot and the underlying storage are on different datastores, virt-v2v will report a 404 error while trying to retrieve the storage.
virt-v2v component, BZ#678232
The VMware Tools application on Microsoft Windows is unable to disable itself when it detects that it is no longer running on a VMware platform. Consequently, converting a Microsoft Windows guest from VMware ESX, which has VMware Tools installed, will result in errors. These errors usually manifest as error messages on start-up, and a "Stop Error" (also known as a BSOD) when shutting down the guest. To work around this issue, uninstall VMware Tools on Microsoft Windows guests prior to conversion.

3.5. Storage and File Systems

lvm2 component, BZ#832392
When issue_discards=1 is configured in the /etc/lvm/lvm.conf file, moving physical volumes via the pvmove command results in data loss. To work around this issue, ensure that issue_discards=0 is set in your lvm.conf file before moving any physical volumes.
lvm2 component, BZ#832033
When using the lvmetad daemon (currently a Technology Preview), avoid passing the --test argument to commands. The use of the --test argument may lead to inconsistencies in the cache that lvmetad maintains. This issue will be fixed in a future release. If the --test argument has been used, fix any problems by restarting the lvmetad daemon.
lvm2 component, BZ#820229
It is not possible to rename thin logical volumes using tools provided in the current LVM2 release. The rename operation returns the following error:
lvrename Cannot rename <volume_name>: name format not recognized for internal LV <pool_name>
This issue will be fixed in the next LVM2 release.
device-mapper-multipath component
Multipath's queue_without_daemon yes default option queues I/O even though all iSCSI links have been disconnected when the system is shut down, which causes LVM to become unresponsive when scanning all block devices. As a result, the system cannot be shut down. To work around this issue, add the following line into the defaults section of /etc/multipath.conf:
queue_without_daemon no
initscripts component
Running the file system check (using fsck) on an NFS-mounted file system fails, and causes the system to fail to boot and drop into a shell. To work around this issue, disable fsck on any /boot partitions by setting the sixth value of a /boot entry in /etc/fstab to 0.
kernel component, BZ#606260
The NFSv4 server in Red Hat Enterprise Linux 6 currently allows clients to mount using UDP and advertises NFSv4 over UDP with rpcbind. However, this configuration is not supported by Red Hat and violates the RFC 3530 standard.
lvm2 component
The dracut utility currently only supports one Fibre Channel over Ethernet (FCoE) connection to be used to boot from the root device. Consequently, booting from a root device that spans multiple FCoE devices (for example, using RAID, LVM or similar techniques) is not possible.
lvm2 component
The pvmove command cannot currently be used to move mirror devices. However, it is possible to move mirror devices by issuing a sequence of two commands. For mirror images, add a new image on the destination PV and then remove the mirror image on the source PV:
~]$ lvconvert -m +1 <vg/lv> <new PV>
~]$ lvconvert -m -1 <vg/lv> <old PV>
Mirror logs can be handled in a similar fashion:
~]$ lvconvert --mirrorlog core <vg/lv>
~]$ lvconvert --mirrorlog disk <vg/lv> <new PV>
or
~]$ lvconvert --mirrorlog mirrored <vg/lv> <new PV>
~]$ lvconvert --mirrorlog disk <vg/lv> <old PV>

3.6. Networking

kernel component
Some e1000e NICs may not get an IPv4 address assigned after the system is rebooted. To work around this issue, add the following line to the /etc/sysconfig/network-scripts/ifcfg-eth<X> file:
LINKDELAY=10
NetworkManager component, BZ#758076
If a Certificate Authority (CA) certificate is not selected when configuring an 802.1x or WPA-Enterprise connection, a dialog appears indicating that a missing CA certificate is a security risk. This dialog presents two options: ignore the missing CA certificate and proceed with the insecure connection, or choose a CA certificate. If the user elects to choose a CA certificate, this dialog disappears and the user may select the CA certificate in the original configuration dialog.
samba component
Current Samba versions shipped with Red Hat Enterprise Linux 6.3 are not able to fully control the user and group database when using the ldapsam_compat back end. This back end was never designed to run a production LDAP and Samba environment for a long period of time. The ldapsam_compat back end was created as a tool to ease migration from historical Samba releases (version 2.2.x) to Samba version 3 and greater using the new ldapsam back end and the new LDAP schema. The ldapsam_compat back end lacks various important LDAP attributes and object classes needed to provide full user and group management. In particular, it cannot allocate user and group IDs. In the Red Hat Enterprise Linux Reference Guide, it is pointed out that this back end is likely to be deprecated in future releases. Refer to Samba's documentation for instructions on how to migrate existing setups to the new LDAP schema.
When you are not able to upgrade to the new LDAP schema (though upgrading is strongly recommended and is the preferred solution), you may work around this issue by keeping a dedicated machine running an older version of Samba (v2.2.x) for the purpose of user account management. Alternatively, you can create user accounts with standard LDIF files. The important part is the assignment of user and group IDs. In that case, the old Samba 2.2 algorithmic mapping from Windows RIDs to Unix IDs is the following: user RID = UID * 2 + 1000, while for groups it is: group RID = GID * 2 + 1001. With these workarounds, users can continue using the ldapsam_compat back end with their existing LDAP setup even when all the above restrictions apply.
kernel component, BZ#816888
Running the QFQ queuing discipline in a virtual guest eventually results in kernel panic.
kernel component
Because Red Hat Enterprise Linux 6.3 defaults to using Strict Reverse Path filtering, packets are dropped by default when the route for outbound traffic differs from the route of incoming traffic. This is in line with current recommended practice in RFC 3704. For more information about this issue, refer to /usr/share/doc/kernel-doc-<version>/Documentation/networking/ip-sysctl.txt and https://access.redhat.com/knowledge/solutions/53031.
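Whether an interface is actually in strict mode depends on two settings: per the kernel's ip-sysctl.txt, the larger of conf/all/rp_filter and conf/<interface>/rp_filter is applied (0 = no source validation, 1 = strict, 2 = loose). The following report is an added example, not part of the original notes; the sysctl lines in it are constructed sample input.

```shell
#!/bin/sh
# Added example: report the effective reverse path filtering mode for each
# network interface.

# Constructed sample in `sysctl -a` output format (not from a real host).
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 2
net.ipv4.ip_forward = 0'

# effective_rp_filter: read "key = value" sysctl lines on stdin and print
# "<interface> <effective value> <mode>" for every interface, in input order.
# The kernel applies max(conf/all, conf/<interface>), so:
#   - a per-interface 0 does NOT switch filtering off while "all" is 1;
#   - a per-interface 2 (loose) does take effect while "all" is 1.
# "default" only seeds interfaces created later and is not reported.
effective_rp_filter() {
    awk '
        BEGIN { all = 0; name[0] = "off"; name[1] = "strict"; name[2] = "loose" }
        /^net\.ipv4\.conf\..*\.rp_filter[ \t]*=/ {
            split($0, kv, "=")
            key = kv[1]; val = kv[2]
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            sub(/^net\.ipv4\.conf\./, "", key)   # strip the prefix ...
            sub(/\.rp_filter$/, "", key)         # ... and suffix: key = interface
            if (key == "all") all = val + 0
            else if (key != "default") { ifval[key] = val + 0; order[++n] = key }
        }
        END {
            for (i = 1; i <= n; i++) {
                ifc = order[i]
                eff = (ifval[ifc] > all) ? ifval[ifc] : all
                mode = (eff in name) ? name[eff] : "unknown"
                printf "%s %d %s\n", ifc, eff, mode
            }
        }
    '
}

# Demo on the constructed sample. On a host:
#   sysctl -a 2>/dev/null | effective_rp_filter
printf '%s\n' "$SAMPLE_SYSCTL" | effective_rp_filter
```

In the sample, eth0 stays strict despite its own value of 0, while eth1 runs in loose mode and accepts asymmetrically routed traffic.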
perftest component
The rdma_bw and rdma_lat utilities (provided by the perftest package) are now deprecated and will be removed from the perftest package in a future update. Users should use the following utilities instead: ib_write_bw, ib_write_lat, ib_read_bw, and ib_read_lat.

3.7. Clustering

corosync component, BZ#722469
A double ring failure results in the spinning of the corosync process. Also, because DLM relies on SCTP, which is non-functional, many features of the cluster software that rely on DLM do not work properly.
luci component, BZ#615898
luci will not function with Red Hat Enterprise Linux 5 clusters unless each cluster node has ricci version 0.12.2-14.

3.8. Authentication

Identity Management component
When using the Identity Management WebUI in the Internet Explorer browser, you may encounter the following issues:
  • While the browser window is not maximized or many users are logged into the WebUI, scrolling down a page to select a user may not work properly. As soon as the user's checkbox is selected, the scroll bar jumps back up without selecting the user. This error also occurs when a permission is added to a privilege. (BZ#831299)
  • When attempting to edit a service, the edit page for that service may occasionally be blank, or show only labels for Principal or Service without showing their values. When adding a service, under certain conditions, the drop-down menu lists the available services and hosts but users are unable to select any of the entries. (BZ#831227)
  • When adding a permission of type subtree, the text area to specify the subtree is too small and non-resizable, making it difficult to enter long subtree entries. (BZ#830817)
  • When adding a delegation, its attributes are separated by disproportionately large vertical spaces. (BZ#829899)
  • When adding a member, the edge of the displayed window suggests it can be resized. However, resizing of the window does not work. When adding a Sudo Command to a Sudo Command group, the first group overlays with the column title. (BZ#829746)
  • Adding a new DNS zone causes the window to be incorrectly rendered as text on the existing page. (BZ#827583)
Identity Management component, BZ#826973
When Identity Management is installed with its CA certificate signed by an external CA, the installation is processed in 2 stages. In the first stage, a CSR is generated to be signed by an external CA. The second stage of the installation then accepts a file with the new signed certificate for the Identity Management CA and a certificate of the external CA. During the second stage of the installation, a signed Identity Management CA certificate subject is validated. However, there is a bug in the certificate subject validation procedure and its default value (O=$REALM, where $REALM is the realm of the new Identity Management installation) is never pulled. Consequently, the second stage of the installation process always fails unless the --subject option is specified. To work around this issue, add the following option for the second stage of the installation: --subject "O=$REALM" where $REALM is the realm of the new Identity Management installation. If a custom subject was used for the first stage of the installation, use its value instead. Using this workaround, the certificate subject validation procedure succeeds and the installation continues as expected.
Identity Management component, BZ#822350
When a user is migrated from a remote LDAP, the user's entry in the Directory Server does not contain Kerberos credentials needed for a Kerberos login. When the user visits the password migration page, Kerberos credentials are generated for the user and logging in via Kerberos authentication works as expected. However, Identity Management does not generate the credentials correctly when the migrated password does not follow the password policy set on the Identity Management server. Consequently, when the password migration is done and a user tries to log in via Kerberos authentication, the user is prompted to change the password as it does not follow the password policy, but the password change is never successful and the user is not able to use Kerberos authentication. To work around this issue, an administrator can reset the password of a migrated user with the ipa passwd command. When reset, the user's Kerberos credentials in the Directory Server are properly generated and the user is able to log in using Kerberos authentication.
Identity Management component
In the Identity Management WebUI, deleting a DNS record may, under some circumstances, leave it visible on the page showing DNS records. This is only a display issue and does not affect functionality of DNS records in any way.
Identity Management component, BZ#783502
The Identity Management permission plug-in does not verify that the set of attributes specified for a new permission is relevant to the target object type that the permission allows access to. This means a user is able to create a permission which allows access to attributes that will never be present in the target object type because such attributes are not allowed in its object classes. You must ensure that the chosen set of attributes to which a new permission grants access is relevant to the chosen target object type.
Identity Management component, BZ#790513
The ipa-client package does not install the policycoreutils package as its dependency, which may cause install/uninstall issues when using the ipa-client-install setup script. To work around this issue, install the policycoreutils package manually:
~]# yum install policycoreutils
Identity Management component, BZ#813376
Updating the Identity Management LDAP configuration via the ipa-ldap-updater fails with a traceback error when executed by a non-root user due to the SASL EXTERNAL bind requiring root privileges. To work around this issue, run the aforementioned command as the root user.
Identity Management component, BZ#794882
With netgroups, when adding a host as a member that Identity Management does not have stored as a host already, that host is considered to be an external host. This host can be controlled with netgroups, but Identity Management has no knowledge of it. Currently, there is no way to use the netgroup-find option to search for external hosts.
Also, note that when a host is added to a netgroup as an external host, rather than being added in Identity Management as an external host, that host is not automatically converted within the netgroup rule.
Identity Management component, BZ#786629
Because a permission does not provide write access to an entry, delegation does not work as expected. The 389 Directory Server (389-ds) distinguishes access between entries and attributes. For example, an entry can be granted add or delete access, whereas an attribute can be granted read, search, and write access. To grant write access to an entry, the list of writable attributes needs to be provided. The filter, subtree, and other options are used to target those entries which are writable. Attributes define which part(s) of those entries are writable. As a result, the list of attributes will be writable to members of the permission.
sssd component, BZ#808063
The entry for the ldap_disable_paging option in the sssd-ldap man page does not indicate that the option accepts the boolean values True or False, and that it defaults to False if it is not explicitly specified.
Identity Management component, BZ#812127
Identity Management relies on the LDAP schema to know what type of data to expect in a given attribute. If, in certain situations (such as replication), data that does not meet those expectations is inserted into an attribute, Identity Management will not be able to handle the entry, and LDAP tools have to be used to manually clean up that entry.
Identity Management component, BZ#812122
Identity Management sudo commands are not case sensitive. For example, executing the following commands will result in the latter one failing due to the case insensitivity:
~]$ ipa sudocmd-add /usr/bin/X
⋮
~]$ ipa sudocmd-add /usr/bin/x
ipa: ERROR: sudo command with name "/usr/bin/x" already exists
Identity Management component
Identity Management and the mod_ssl module should not be installed on the same system, otherwise Identity Management is unable to issue certificates because mod_ssl holds the mod_proxy hooks. To work around this issue, uninstall mod_ssl.
Identity Management component
When an Identity Management server is installed with a custom hostname that is not resolvable, the ipa-server-install command should add a record to the static hostname lookup table in /etc/hosts and enable further configuration of Identity Management integrated services. However, a record is not added to /etc/hosts when an IP address is passed as a CLI option and not interactively. Consequently, Identity Management installation fails because integrated services that are being configured expect the Identity Management server hostname to be resolvable. To work around this issue, complete one of the following:
  • Run the ipa-server-install without the --ip-address option and pass the IP address interactively.
  • Add a record to /etc/hosts before the installation is started. The record should contain the Identity Management server IP address and its full hostname (the hosts(5) man page specifies the record format).
As a result, the Identity Management server can be installed with a custom hostname that is not resolvable.
sssd component, BZ#750922
Upgrading SSSD from the version provided in Red Hat Enterprise Linux 6.1 to the version shipped with Red Hat Enterprise Linux 6.2 may fail due to a bug in the dependent library libldb. This failure occurs when the SSSD cache contains internal entries whose distinguished name contains the \, character sequence. The most likely example of this is for an invalid memberUID entry to appear in an LDAP group of the form:
memberUID: user1,user2
memberUID is a multi-valued attribute and should not have multiple users in the same attribute.
If the upgrade issue occurs, identifiable by the following debug log message:
(Wed Nov  2 15:18:21 2011) [sssd] [ldb] (0): A transaction is still active in
ldb context [0xaa0460] on /var/lib/sss/db/cache_<DOMAIN>.ldb
remove the /var/lib/sss/db/cache_<DOMAIN>.ldb file and restart SSSD.

Removing the /var/lib/sss/db/cache_<DOMAIN>.ldb file purges the cache of all entries (including cached credentials).
sssd component, BZ#751314
When a group contains certain incorrect multi-valued memberUID values, SSSD fails to sanitize the values properly. The memberUID value should only contain one username. As a result, SSSD creates incorrect users, using the broken memberUID values as their usernames. This, for example, causes problems during cache indexing.
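A pre-upgrade check for the invalid memberUID form described in the two sssd entries above (BZ#750922 and BZ#751314), as an added example that is not part of the Red Hat document: it reads an LDIF export of group entries and lists every memberUID value that contains a comma. The function names and the sample LDIF are constructed for illustration; base64-encoded values are not decoded.

```shell
#!/bin/sh
# Added example: list memberUID values that hold more than one user name.
# Reads LDIF (for example, ldapsearch output for group entries) on stdin.

# Constructed sample data; the DNs and user names are made up.
sample_ldif() {
cat <<'EOF'
dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: posixGroup
memberUid: alice
memberUid: bob

dn: cn=staff,ou=groups,dc=example,dc=com
objectClass: posixGroup
memberUID: user1,user2
memberUid: carol

dn: cn=a-very-long-group-name,ou=groups,
 dc=example,dc=com
objectClass: posixGroup
memberuid: dave,erin,
 frank
EOF
}

# Prints "<group dn><TAB><offending value>" for each memberUID value that
# contains a comma. Returns 1 if at least one such value was found, else 0.
find_bad_memberuid() {
    awk '
    function check(l,    i, name, value) {
        i = index(l, ":")
        if (i == 0) return
        name  = tolower(substr(l, 1, i - 1))   # attribute names ignore case
        value = substr(l, i + 1)
        if (substr(value, 1, 1) == ":") {      # "attr:: ..." is base64
            if (name == "dn") dn = "(base64-encoded dn)"
            return                             # base64 values are not decoded
        }
        sub(/^[ \t]+/, "", value)
        if (name == "dn") {
            dn = value
        } else if (name == "memberuid" && index(value, ",") > 0) {
            printf "%s\t%s\n", dn, value
            bad++
        }
    }
    /^ / { line = line substr($0, 2); next }   # LDIF continuation line
         {
             if (line != "") check(line)
             line = $0
             if ($0 == "") dn = ""             # blank line ends the entry
         }
    END  { if (line != "") check(line); exit (bad > 0) }
    '
}

# Demo on the constructed sample.
sample_ldif | find_bad_memberuid || echo "invalid memberUID values found" >&2
```

Each reported value has to be split into one memberUID value per user in the directory itself; the check only locates the entries.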
Identity Management component, BZ#750596
Two Identity Management servers, both with a CA (Certificate Authority) installed, use two replication agreements. One is for user, group, host, and other related data. Another replication agreement is established between the CA instances installed on the servers. If the CA replication agreement is broken, the Identity Management data is still shared between the two servers; however, because there is no replication agreement between the two CAs, issuing a certificate on one server will cause the other server to not recognize that certificate, and vice versa.
Identity Management component
The Identity Management (ipa) package cannot be built with a 6ComputeNode subscription.
Identity Management component
On the configuration page of the Identity Management WebUI, if the User search field is left blank, and the search button is clicked, an internal error is returned.
sssd component, BZ#741264
Active Directory performs certain LDAP referral-chasing that is incompatible with the referral mechanism included in the openldap libraries. Notably, Active Directory sometimes attempts to return a referral on an LDAP bind attempt, which used to cause a hang, and is now denied by the openldap libraries. As a result, SSSD may suffer from performance issues and occasional failures resulting in missing information.
To work around this issue, disable referral-chasing by setting the following parameter in the [domain/DOMAINNAME] section of the /etc/sssd/sssd.conf file:
ldap_referrals = false

3.9. Devices

ipmitool component
Not specifying the -N option when setting retransmission intervals of IPMI messages over the LAN or LANplus interface may cause various error messages to be returned. For example:
~]# ipmitool -I lanplus -H $HOST -U root -P $PASS sensor list
Unable to renew SDR reservation
Close Session command failed: Reservation cancelled or invalid

~]# ipmitool -I lanplus -H $HOST -U root -P $PASS delloem powermonitor
Error getting power management information, return code c1
Close Session command failed: Invalid command
ipmitool component
The ipmitool may crash in certain cases. For example, when an incorrect password is used, a segmentation fault occurs:
~]# ipmitool -I lanplus -H $HOST -U root -P wrongpass delloem powermonitor
Error: Unable to establish IPMI v2 / RMCP+ session
Segmentation fault (core dumped)
kernel component
Unloading the be2net driver with a Virtual Function (VF) attached to a virtual guest results in kernel panic.
kernel component
The Brocade BFA Fibre Channel and FCoE driver does not currently support dynamic recognition of Logical Unit addition or removal using the sg3_utils utilities (for example, the sg_scan command) or similar functionality. Please consult Brocade directly for a Brocade equivalent of this functionality.
kernel component
iSCSI and FCoE boot support on Broadcom devices is not included in Red Hat Enterprise Linux 6.3. These two features, which are provided by the bnx2i and bnx2fc Broadcom drivers, remain a Technology Preview until further notice.
kexec-tools component
Starting with Red Hat Enterprise Linux 6.0 and later, kexec kdump supports dumping core to the Btrfs file system. However, note that because the findfs utility in busybox does not support Btrfs yet, UUID/LABEL resolving is not functional. Avoid using the UUID/LABEL syntax when dumping core to Btrfs file systems.
busybox component
When running kdump in a busybox environment and dumping to a Btrfs file system, you may receive the following error message:
/etc/kdump.conf: Unsupported type btrfs
However, Btrfs is supported as a kdump target. To work around this issue, install the btrfs-progs package, verify that the /sbin/btrfsck file exists, and retry.
trace-cmd component
The trace-cmd service does not start on 64-bit PowerPC and IBM System z systems because the sys_enter and sys_exit events do not get enabled on these systems.
trace-cmd component
trace-cmd's subcommand, report, does not work on IBM System z systems. This is due to the fact that the CONFIG_FTRACE_SYSCALLS parameter is not set on IBM System z systems.
tuned component
Red Hat Enterprise Linux 6.1 and later enter processor power-saving states more aggressively. This may result in a small performance penalty on certain workloads. This functionality may be disabled at boot time by passing the intel_idle.max_cstate=0 parameter, or at run time by using the cpu_dma_latency pm_qos interface.
libfprint component
Red Hat Enterprise Linux 6 only has support for the first revision of the UPEK Touchstrip fingerprint reader (USB ID 147e:2016). Attempting to use a second revision device may cause the fingerprint reader daemon to crash. The following command returns the version of the device being used in an individual machine:
~]$ lsusb -v -d 147e:2016 | grep bcdDevice
kernel component
The Emulex Fibre Channel/Fibre Channel-over-Ethernet (FCoE) driver in Red Hat Enterprise Linux 6 does not support DH-CHAP authentication. DH-CHAP authentication provides secure access between hosts and mass storage in Fibre-Channel and FCoE SANs in compliance with the FC-SP specification. Note, however, that the Emulex driver (lpfc) does support DH-CHAP authentication on Red Hat Enterprise Linux 5, from version 5.4. Future Red Hat Enterprise Linux 6 releases may include DH-CHAP authentication.
kernel component
The recommended minimum HBA firmware revision for use with the mpt2sas driver is "Phase 5 firmware" (that is, with version number in the form 05.xx.xx.xx). Note that following this recommendation is especially important on complex SAS configurations involving multiple SAS expanders.

3.10. Kernel

kernel component
When using Chelsio's iSCSI HBAs for an iSCSI root partition, the first boot after install fails. This occurs because Chelsio's iSCSI HBA is not properly detected. To work around this issue, users must add the iscsi_firmware parameter to grub's kernel command line. This will signal to dracut to boot from the iSCSI HBA.
kernel component
In Red Hat Enterprise Linux 6.3, three module parameters (num_lro, rss_mask, and rss_xor) that were supported by older versions of the mlx4_en driver have become obsolete and are no longer used. If you supply these parameters, the Red Hat Enterprise Linux 6.3 driver will ignore them and log a warning.
kernel component
Due to a race condition, in certain cases, writes to RAID4/5/6 while the array is reconstructing could hang the system.
kernel component
The installation of Red Hat Enterprise Linux 6.3 i386 may occasionally fail. To work around this issue, add the following parameter to the kernel command line:
vmalloc=256MB
kernel component
If a device reports an error while it is open (via the open(2) system call) and the device is then closed (via the close(2) system call), the /dev/disk/by-id link for the device may be removed. When the problem on the device that caused the error is resolved, the by-id link is not re-created. To work around this issue, run the following command:
~]# echo 'change' > /sys/class/block/sdX/uevent
kernel component
Platforms with BIOS/UEFI that are unaware of PCI-e SR-IOV capabilities may fail to enable virtual functions.
kernel component
When an HBA that uses the mpt2sas driver is connected to a storage using an SAS switch LSI SAS 6160, the driver may become unresponsive during Controller Fail Drive Fail (CFDF) testing. This is due to faulty firmware that is present on the switch. To fix this issue, use a newer version (14.00.00.00 or later) of firmware for the LSI SAS 6160 switch.
kernel component, BZ#690523
If appropriate SCSI device handlers (scsi_dh modules) are not available when the storage driver (for example, lpfc) is first loaded, I/O operations may be issued to SCSI multipath devices that are not ready for those I/O operations. This can result in significant delays during system boot and excessive I/O error messages in the kernel log.
Provided the storage driver is loaded before multipathd is started (which is the default behavior), users can work around this issue by making sure the appropriate SCSI device handlers (scsi_dh modules) are available by specifying one of the following kernel command line parameters which dracut consumes:
  • rdloaddriver=scsi_dh_emc
    
  • rdloaddriver=scsi_dh_rdac,scsi_dh_hp_sw
    
  • rdloaddriver=scsi_dh_emc,scsi_dh_rdac,scsi_dh_alua
    
Note that the order of the listed scsi_dh modules does not matter.
Specifying one of the above parameters causes the scsi_dh module(s) to load before the storage driver is loaded or multipath is started.
kernel component, BZ#745713
In some cases, Red Hat Enterprise Linux 6 guests running fully-virtualized under Red Hat Enterprise Linux 5 experience a time drift or fail to boot. In other cases, drifting may start after migration of the virtual machine to a host with different speed. This is due to limitations in the Red Hat Enterprise Linux 5 Xen hypervisor. To work around this, add the nohpet parameter or, alternatively, the clocksource=jiffies parameter to the kernel command line of the guest. Or, if running under Red Hat Enterprise Linux 5.7 or newer, locate the guest configuration file for the guest and add the hpet=0 parameter in it.
kernel component
On some systems, Xen full-virt guests may print the following message when booting:
WARNING: BIOS bug: CPU MTRRs don't cover all of memory, losing <number>MB of RAM
It is possible to avoid the memory trimming by using the disable_mtrr_trim kernel command line option.
kernel component
The perf record command becomes unresponsive when specifying a tracepoint event and a hardware event at the same time.
kernel component
On 64-bit PowerPC, the following command may cause kernel panic:
~]# ./perf record -agT -e sched:sched_switch -F 100 -- sleep 3
kernel component
Applications are increasingly using more than 1024 file descriptors. It is not recommended to increase the default soft limit of file descriptors because it may break applications that use the select() call. However, it is safe to increase the default hard limit; that way, applications requiring a large number of file descriptors can increase their soft limit without needing root privileges and without any user intervention.
kernel component, BZ#770545
In Red Hat Enterprise Linux 6.2 and Red Hat Enterprise Linux 6.3, the default value for sysctl vm.zone_reclaim_mode is now 0, whereas in Red Hat Enterprise Linux 6.1 it was 1.
kernel component
Using Alsa with an HDA Intel sound card and the Conexant CX20585 codec causes sound and recording failures. To work around this issue, add the following line to the /etc/modprobe.d/dist-alsa.conf file:
options snd-hda-intel model=thinkpad
kernel component
In network only use of Brocade Converged Network Adapters (CNAs), switches that are not properly configured to work with Brocade FCoE functionality can cause a continuous linkup/linkdown condition. This causes continuous messages on the host console:
bfa xxxx:xx:xx.x: Base port (WWN = xx:xx:xx:xx:xx:xx:xx:xx) lost fabric connectivity
To work around this issue, unload the Brocade bfa driver.
kernel component
The lpfc driver is deprecating the sysfs mbox interface as it is no longer used by the Emulex tools. Reads and writes are now stubbed out and only return the -EPERM (Operation not permitted) symbol.
kernel component
In Red Hat Enterprise Linux 6, a legacy bug in the PowerEdge Expandable RAID Controller 5 (PERC5) causes the kdump kernel to fail to scan for SCSI devices. It is usually triggered when a large number of I/O operations are pending on the controller in the first kernel before performing a kdump.
kernel component, BZ#679262
In Red Hat Enterprise Linux 6.2 and later, due to security concerns, addresses in /proc/kallsyms and /proc/modules show all zeros when accessed by a non-root user.
kernel component
Superfluous information is displayed on the console due to a correctable machine check error occurring. This information can be safely ignored by the user. Machine check error reporting can be disabled by using the nomce kernel boot option, which disables machine check error reporting, or the mce=ignore_ce kernel boot option, which disables correctable machine check error reporting.
kernel component
The order in which PCI devices are scanned may change from one major Red Hat Enterprise Linux release to another. This may result in device names changing, for example, when upgrading from Red Hat Enterprise Linux 5 to 6. You must confirm that a device you refer to during installation is the intended device.
One way to verify device names, in some configurations, is to determine the mapping from the controller name to the controller's PCI address in the older release, and then compare it to the mapping in the newer release to ensure that the device name is as expected.
The following is an example from /var/log/messages:
kernel: cciss0: <0x3230> at PCI 0000:1f:00.0 IRQ 71 using DAC
…
kernel: cciss1: <0x3230> at PCI 0000:02:00.0 IRQ 75 using DAC
If the device name is incorrect, add the pci=bfsort parameter to the kernel command line, and check again.
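The comparison described above can be scripted. This added example (not part of the Red Hat document) extracts the controller-name-to-PCI-address mapping from two saved copies of /var/log/messages and reports names whose address differs. The function names, time stamps, host name and the newer-release log lines are constructed; only the two cciss messages come from the example above.

```shell
#!/bin/sh
# Added example: compare controller name -> PCI address mappings taken from
# /var/log/messages on the older and the newer release.

# Constructed sample: log lines as saved on the older release.
sample_old_log() {
cat <<'EOF'
May 10 09:12:01 host1 kernel: cciss0: <0x3230> at PCI 0000:1f:00.0 IRQ 71 using DAC
May 10 09:12:01 host1 kernel: cciss1: <0x3230> at PCI 0000:02:00.0 IRQ 75 using DAC
EOF
}

# Constructed sample: the same hardware scanned in a different order.
sample_new_log() {
cat <<'EOF'
Jun 20 14:03:44 host1 kernel: cciss0: <0x3230> at PCI 0000:02:00.0 IRQ 75 using DAC
Jun 20 14:03:44 host1 kernel: cciss1: <0x3230> at PCI 0000:1f:00.0 IRQ 71 using DAC
EOF
}

# Reads syslog text (stdin or files) and prints "<controller> <pci-address>"
# for every "... kernel: <name>: ... at PCI <address> ..." message.
controller_map() {
    awk '
    / at PCI / {
        name = ""; addr = ""
        for (i = 1; i < NF; i++) {
            if ($i == "kernel:") { name = $(i + 1); sub(/:$/, "", name) }
            if ($i == "PCI")     addr = $(i + 1)
        }
        if (name != "" && addr != "") print name, addr
    }' "$@" | sort -u
}

# $1 = map file from the older release, $2 = map file from the newer release.
# Prints one line per controller name whose address changed, vanished or is new.
compare_maps() {
    awk '
    FILENAME == ARGV[1] { old[$1] = $2; next }
    {
        seen[$1] = 1
        if (!($1 in old))       printf "NEW      %s %s\n", $1, $2
        else if (old[$1] != $2) printf "CHANGED  %s %s -> %s\n", $1, old[$1], $2
    }
    END {
        for (n in old) if (!(n in seen)) printf "MISSING  %s %s\n", n, old[n]
    }' "$1" "$2" | sort
}

# Runs the comparison on the constructed samples.
demo_compare() {
    tmp=$(mktemp -d) || return 1
    sample_old_log | controller_map > "$tmp/old.map"
    sample_new_log | controller_map > "$tmp/new.map"
    compare_maps "$tmp/old.map" "$tmp/new.map"
    rm -rf "$tmp"
}

demo_compare
```

A CHANGED line means the same device name now refers to a controller at a different PCI address, which is the case the pci=bfsort parameter is meant to address.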
kernel component
Enabling CHAP (Challenge-Handshake Authentication Protocol) on an iSCSI target for the be2iscsi driver results in kernel panic. To work around this issue, disable CHAP on the iSCSI target.
kernel component
Newer VPD (Vital Product Data) blocks can exceed the size the tg3 driver normally handles. As a result, some of the routines that operate on the VPD blocks may fail. For example, the nvram test fails when running the ethtool -t command on BCM5719 and BCM5720 Ethernet Controllers.
kernel component
Running the ethtool -t command on BCM5720 Ethernet controllers causes a loopback test failure because the tg3 driver does not wait long enough for a link.
kernel component
The tg3 driver in Red Hat Enterprise Linux 6.2 does not include support for Jumbo frames and TSO (TCP Segmentation Offloading) on BCM5719 Ethernet controllers. As a result, the following error message is returned when attempting to configure, for example, Jumbo frames:
SIOCSIFMTU: Invalid argument
kernel component
The default interrupt configuration for the Emulex LPFC FC/FCoE driver has changed from INT-X to MSI-X. This is reflected by the lpfc_use_msi module parameter (in /sys/class/scsi_host/host#/lpfc_use_msi) being set to 2 by default, instead of the previous 0.
Two issues provide motivation for this change: SR-IOV capability only works with the MSI-X interrupt mode, and certain recent platforms only support MSI or MSI-X.
However, the change to the LPFC default interrupt mode can bring out host problems where MSI/MSI-X support is not fully functional. Other host problems can exist when running in the INT-X mode.
If any of the following symptoms occur after upgrading to, or installing Red Hat Enterprise Linux 6.2 with an Emulex LPFC adapter in the system, change the value of the lpfc module parameter, lpfc_use_msi, to 0:
  • The initialization or attachment of the lpfc adapter may fail with mailbox errors. As a result, the lpfc adapter is not configured on the system. The following messages appear in /var/log/messages:
    lpfc 0000:04:08.0: 0:0:0443 Adapter failed to set maximum DMA length mbxStatus x0
    lpfc 0000:04:08.0: 0:0446 Adapter failed to init (255), mbxCmd x9 CFG_RING, mbxStatus x0, ring 0
    lpfc 0000:04:08.0: 0:1477 Failed to set up hba
    ACPI: PCI interrupt for device 0000:04:08.0 disabled
    
  • While the lpfc adapter is operating, it may fail with mailbox errors, resulting in the inability to access certain devices. The following messages appear in /var/log/messages:
    lpfc 0000:0d:00.0: 0:0310 Mailbox command x5 timeout Data: x0 x700 xffff81039ddd0a00
    lpfc 0000:0d:00.0: 0:0345 Resetting board due to mailbox timeout
    lpfc 0000:0d:00.0: 0:(0):2530 Mailbox command x23 cannot issue Data: xd00 x2
    
  • Performing a warm reboot causes any subsequent boots to halt or stop because the BIOS is detecting the lpfc adapter. The system BIOS logs the following messages:
    Installing Emulex BIOS ......
    Bringing the Link up, Please wait...
    Bringing the Link up, Please wait...
    
kernel component
The minimum firmware version for NIC adapters managed by netxen_nic is 4.0.550. This includes the boot firmware which is flashed in option ROM on the adapter itself.
kernel component, BZ#683012
High stress on 64-bit IBM POWER series machines prevents kdump from successfully capturing the vmcore. As a result, the second kernel is not loaded, and the system becomes unresponsive.
kernel component
Triggering kdump to capture a vmcore through the network using the Intel 82575EB Ethernet device in a 32-bit environment causes the networking driver to not function properly in the kdump kernel, and prevents the vmcore from being captured.
kernel component
Memory Type Range Register (MTRR) setup on some hyperthreaded machines may be incorrect following a suspend/resume cycle. This can cause graphics performance (specifically, scrolling) to slow considerably after a suspend/resume cycle.
To work around this issue, disable and then re-enable the hyperthreaded sibling CPUs around suspend/resume, for example:
#!/bin/sh
# Disable hyper-threading processor cores on suspend and hibernate, re-enable
# on resume.
# This file goes into /etc/pm/sleep.d/

case $1 in
        hibernate|suspend)
                echo 0 > /sys/devices/system/cpu/cpu1/online
                echo 0 > /sys/devices/system/cpu/cpu3/online
                ;;

        thaw|resume)
                echo 1 > /sys/devices/system/cpu/cpu1/online
                echo 1 > /sys/devices/system/cpu/cpu3/online
                ;;
esac
kernel component
In Red Hat Enterprise Linux 6.2, nmi_watchdog registers with the perf subsystem. Consequently, during boot, the perf subsystem grabs control of the performance counter registers, blocking OProfile from working. To resolve this, either boot with the nmi_watchdog=0 kernel parameter set, or run the following command to disable it at run time:
echo 0 > /proc/sys/kernel/nmi_watchdog
To re-enable nmi_watchdog, use the following command:
echo 1 > /proc/sys/kernel/nmi_watchdog
kernel component, BZ#603911
Due to the way ftrace works when modifying the code during start-up, the NMI watchdog causes too much noise and ftrace cannot find a quiet period to instrument the code. Consequently, machines with more than 512 CPUs will encounter issues with the NMI watchdog. Such issues will return error messages similar to BUG: NMI Watchdog detected LOCKUP and have either ftrace_modify_code or ipi_handler in the backtrace. To work around this issue, disable NMI watchdog by setting the nmi_watchdog=0 kernel parameter, or using the following command at run time:
echo 0 > /proc/sys/kernel/nmi_watchdog
kernel component
On 64-bit POWER systems the EHEA NIC driver will fail when attempting to dump a vmcore via NFS. To work around this issue, utilize other kdump facilities, for example dumping to the local file system, or dumping over SSH.
kernel component, BZ#587909
A BIOS emulated floppy disk might cause the installation or kernel boot process to hang. To avoid this, disable emulated floppy disk support in the BIOS.
kernel component
The preferred method to enable nmi_watchdog on 32-bit x86 systems is to use either nmi_watchdog=2 or nmi_watchdog=lapic parameters. The parameter nmi_watchdog=1 is not supported.
kernel component
The kernel parameter, pci=noioapicquirk, is required when installing the 32-bit variant of Red Hat Enterprise Linux 6 on HP xw9300 workstations. Note that the parameter change is not required when installing the 64-bit variant.

3.11. Desktop

libwacom component
The Lenovo X220 Tablet Touchscreen is not supported in the kernel shipped with Red Hat Enterprise Linux 6.3.
wacomcpl package, BZ#769466
The wacomcpl package has been deprecated and has been removed from the package set. The wacomcpl package provided graphical configuration of Wacom tablet settings. This functionality is now integrated into the GNOME Control Center.
gnome-settings-daemon component, BZ#826128
On some tablets, using the NVIDIA Graphics drivers to configure Twinview causes the tablet motions to be incorrectly mapped to the laptop screen instead of the tablet itself. Using the stylus on the tablet moves the cursor on the laptop screen.
acroread component
Running an AMD64 system without the sssd-client.i686 package installed, which uses SSSD for getting information about users, causes acroread to fail to start. To work around this issue, manually install the sssd-client.i686 package.
kernel component, BZ#681257
With newer kernels, such as the kernel shipped in Red Hat Enterprise Linux 6.1, Nouveau has corrected the Transition Minimized Differential Signaling (TMDS) bandwidth limits for pre-G80 NVIDIA chipsets. Consequently, the resolution auto-detected by X for some monitors may differ from that used in Red Hat Enterprise Linux 6.0.
fprintd component
When enabled, fingerprint authentication is the default authentication method to unlock a workstation, even if the fingerprint reader device is not accessible. However, after a 30 second wait, password authentication will become available.
evolution component
Evolution's IMAP backend only refreshes folder contents under the following circumstances: when the user switches into or out of a folder, when the auto-refresh period expires, or when the user manually refreshes a folder (that is, using the menu item Folder → Refresh). Consequently, when replying to a message in the Sent folder, the new message does not immediately appear in the Sent folder. To see the message, force a refresh using one of the methods described above.
anaconda component
The clock applet in the GNOME panel has a default location of Boston, USA. Additional locations are added via the applet's preferences dialog. Additionally, to change the default location, left-click the applet, hover over the desired location in the Locations section, and click the Set... button that appears.
xorg-x11-server component, BZ#623169
In some multi-monitor configurations (for example, dual monitors with both rotated), the cursor confinement code produces incorrect results. For example, the cursor may be permitted to disappear off the screen when it should not, or be prevented from entering some areas where it should be allowed to go. Currently, the only workaround for this issue is to disable monitor rotation.

3.12. Tools

matahari component
The Matahari agent framework (matahari-*) packages are deprecated starting with the Red Hat Enterprise Linux 6.3 release. Focus for remote systems management has shifted towards the use of the CIM infrastructure. This infrastructure relies on an already existing standard which provides a greater degree of interoperability for all users. It is strongly recommended that users discontinue the use of the matahari packages and other packages which depend on the Matahari infrastructure (specifically, libvirt-qmf and fence-virtd-libvirt-qpid). It is recommended that users uninstall Matahari from their systems to remove any possibility of security issues being exposed.
Users who choose to continue to use the Matahari agents should note the following:
  • The matahari packages are not installed by default starting with Red Hat Enterprise Linux 6.3 and are not enabled by default to start on boot when they are installed. Manual action is needed to both install and enable the matahari services.
  • The default configuration for qpid (the transport agent used by Matahari) does not enable access control lists (ACLs) or SSL. Without ACLs/SSL, the Matahari infrastructure is not secure. Configuring Matahari without ACLs/SSL is not recommended and may reduce your system's security.
  • The matahari-services agent is specifically designed to allow remote manipulation of services (start, stop). Granting a user access to Matahari services is equivalent to providing a remote user with root access. Using Matahari agents should be treated as equivalent to providing remote root SSH access to a host.
  • By default in Red Hat Enterprise Linux, the Matahari broker (qpidd running on port 49000) does not require authentication. However, the Matahari broker is not remotely accessible unless the firewall is disabled, or a rule is added to make it accessible. Given the capabilities exposed by Matahari agents, if Matahari is enabled, system administrators should be extremely cautious with the options that affect remote access to Matahari.
Note that Matahari will not be shipped in future releases of Red Hat Enterprise Linux (including Red Hat Enterprise Linux 7), and may be considered for formal removal in a future release of Red Hat Enterprise Linux 6.
libreport component
An error in the default libreport configuration causes the following warning message to appear during problem reporting:
/bin/sh: line 4: reporter-bugzilla: command not found
This warning message has no effect on the functionality of libreport. To prevent the warning message from being displayed, replace the following lines in the /etc/libreport/events.d/ccpp_event.conf file:
abrt-action-analyze-backtrace &&
(
    bug_id=$(reporter-bugzilla -h `cat duphash`) &&
    if test -n "$bug_id"; then
        abrt-bodhi -r -b $bug_id
    fi
)
with:
abrt-action-analyze-backtrace
irqbalance component, BZ#813078
The irqbalance(1) man page does not contain documentation for the IRQBALANCE_BANNED_CPUS and IRQBALANCE_BANNED_INTERRUPTS environment variables. The following documentation will be added to this man page in a future release:
IRQBALANCE_BANNED_CPUS
Provides a mask of cpus which irqbalance should ignore and never assign interrupts to. This is a hex mask without the leading '0x'; on systems with large numbers of processors, each group of eight hex digits is separated by a comma ','. For example, `export IRQBALANCE_BANNED_CPUS=fc0` would prevent irqbalance from assigning irqs to the 7th-12th cpus (cpu6-cpu11) or `export IRQBALANCE_BANNED_CPUS=ff000000,00000001` would prevent irqbalance from assigning irqs to the 1st (cpu0) and 57th-64th cpus (cpu56-cpu63).
IRQBALANCE_BANNED_INTERRUPTS
Space separated list of integer irq's which irqbalance should ignore and never change the affinity of. For example:

export IRQBALANCE_BANNED_INTERRUPTS="205 217 225"
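The IRQBALANCE_BANNED_CPUS mask format described above is easy to get wrong by hand, so this added example (not part of the Red Hat document or of irqbalance) converts between a list of CPU numbers and the comma-grouped hex mask in both directions. The function names are hypothetical; the two masks in the demo are the ones from the text above.

```shell
#!/bin/sh
# Added example: convert between CPU numbers and the hex mask format used by
# IRQBALANCE_BANNED_CPUS (no leading 0x, groups of eight hex digits separated
# by commas, most significant group first).

# mask_to_cpus <mask>: prints the CPU numbers selected by the mask.
# Returns 2 if the mask is malformed.
mask_to_cpus() {
    printf '%s\n' "$1" | awk '
    {
        ng = split(tolower($0), g, ",")
        m = g[1]
        for (k = 2; k <= ng; k++) {            # lower groups are 32 bits wide
            if (length(g[k]) > 8) exit 2
            m = m substr("00000000", 1, 8 - length(g[k])) g[k]
        }
        n = length(m); out = ""
        for (i = n; i >= 1; i--) {             # least significant digit first
            d = index("0123456789abcdef", substr(m, i, 1)) - 1
            if (d < 0) exit 2
            for (b = 0; b < 4; b++)
                if (int(d / 2^b) % 2)
                    out = out (out == "" ? "" : " ") ((n - i) * 4 + b)
        }
        print out
    }'
}

# cpus_to_mask <cpu> [<cpu> ...]: prints the mask that bans the given CPUs.
# Returns 2 if an argument is not a non-negative integer.
cpus_to_mask() {
    printf '%s\n' "$*" | awk '
    {
        max = -1
        for (i = 1; i <= NF; i++) {
            if ($i !~ /^[0-9]+$/) exit 2
            set[$i + 0] = 1
            if ($i + 0 > max) max = $i + 0
        }
        if (max < 0) { print "0"; exit }
        hex = ""
        ndig = int(max / 4) + 1                # hex digits needed
        for (d = ndig - 1; d >= 0; d--) {
            v = 0
            for (b = 0; b < 4; b++) if ((d * 4 + b) in set) v += 2^b
            hex = hex substr("0123456789abcdef", v + 1, 1)
            if (d % 8 == 0 && d > 0) hex = hex ","   # group boundary
        }
        print hex
    }'
}

# Demo with the two masks from the text.
echo "fc0                -> cpus $(mask_to_cpus fc0)"
echo "ff000000,00000001  -> cpus $(mask_to_cpus ff000000,00000001)"
echo "cpus 6-11          -> $(cpus_to_mask 6 7 8 9 10 11)"
```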
rsyslog component
rsyslog does not reload its configuration after a SIGHUP signal is issued. To reload the configuration, the rsyslog daemon needs to be restarted:
~]# service rsyslog restart
parted component
The parted utility in Red Hat Enterprise Linux 6 cannot handle Extended Address Volumes (EAV) Direct Access Storage Devices (DASD) that have more than 65535 cylinders. Consequently, EAV DASD drives cannot be partitioned using parted, and installation on EAV DASD drives will fail. To work around this issue, complete the installation on a non-EAV DASD drive, then add the EAV device after the installation using the tools provided in the s390-utils package.

Chapter 4. New Packages

4.1. RHEA-2012:0842 — new package: byzanz
4.2. RHEA-2012:0797 — new packages: crash-gcore-command
4.3. RHEA-2012:0831 — new package: device-mapper-persistent-data
4.4. RHEA-2012:0814 — new package: i2c-tools
4.5. RHEA-2012:0829 — new packages: ipset and libmnl
4.6. RHEA-2012:0840 — new packages: java-1.7.0-ibm
4.7. RHEA-2012:0981 — new packages: java-1.7.0-openjdk
4.8. RHEA-2012:0838 — new package: java-1.7.0-oracle
4.9. RHEA-2012:0825 — new package: ledmon
4.10. RHEA-2012:0812 — new package: libqb
4.11. RHEA-2012:0798 — new packages: libreoffice
4.12. RHEA-2012:0868 — new packages: libwacom
4.13. RHEA-2012:0890 — new package: numad
4.14. RHEA-2012:0826 — new package: ppc64-diag
4.15. RHEA-2012:0806 — new packages: scl-utils
4.16. RHEA-2012:0823 — new package: subscription-manager-migration-data
4.17. RHEA-2012:0853 — new packages: usbredir
4.18. RHEA-2012:0965 — new package: virt-p2v
A new byzanz package is now available for Red Hat Enterprise Linux 6.
The byzanz package contains an easy-to-use desktop recorder that can record to GIF images, Ogg Theora video (optionally with sound), and other formats. A GNOME panel applet and a command-line recording tool are also included in the package.
This enhancement update adds the byzanz package to Red Hat Enterprise Linux 6. (BZ#623262)
All users who require byzanz are advised to install this new package.
New crash-gcore-command packages are now available for Red Hat Enterprise Linux 6.
The crash-gcore-command extension module is used to dynamically add a gcore command to a running crash utility session on a kernel dumpfile. The command will create a core dump file for a specified user task program that was running when a kernel crashed. The resultant core dump file may then be used with gdb.
This enhancement update adds the crash-gcore-command packages to Red Hat Enterprise Linux 6. (BZ#692799)
All users who require the crash-gcore-command should install these new packages.
A new device-mapper-persistent-data package is now available for Red Hat Enterprise Linux 6.
The device-mapper-persistent-data package provides device-mapper thin provisioning (thinp) tools.
This enhancement update adds the device-mapper-persistent-data package to Red Hat Enterprise Linux 6 as a Technology Preview. (BZ#760614)
More information about Red Hat Technology Previews is available here:
All users who require device-mapper-persistent-data should install this new package, which adds this enhancement.
A new i2c-tools package is now available for Red Hat Enterprise Linux 6.
The i2c-tools package contains a set of I2C tools for Linux: a bus probing tool, a chip dumper, register-level SMBus access helpers, EEPROM (Electrically Erasable Programmable Read-Only Memory) decoding scripts, EEPROM programming tools, and a Python module for SMBus access.

Note

EEPROM decoding scripts can render your system unusable. Make sure to use these tools wisely.
This enhancement update adds the i2c-tools package to Red Hat Enterprise Linux 6. (BZ#773267)
All users who require i2c-tools should install this new package.
New ipset and libmnl packages are now available for Red Hat Enterprise Linux 6.
The ipset packages provide IP sets, a framework inside the Linux 2.4.x and 2.6.x kernel, which can be administered by the ipset utility. Depending on the type, an IP set can currently store IP addresses, TCP/UDP port numbers or IP addresses with MAC addresses in a way that ensures high speed when matching an entry against a set.
The libmnl packages required by the ipset packages provide a minimalistic user-space library oriented to Netlink developers. The library provides functions to make socket handling, message building, validating, parsing, and sequence tracking easier.
This enhancement update adds the ipset and libmnl packages to Red Hat Enterprise Linux 6. (BZ#477115, BZ#789346)
All users who require ipset and libmnl are advised to install these new packages.
New java-1.7.0-ibm packages are now available for Red Hat Enterprise Linux 6.
The java-1.7.0-ibm packages provide the IBM Java 7 Runtime Environment and the IBM Java 7 Software Development Kit.
This update adds the java-1.7.0-ibm packages to Red Hat Enterprise Linux 6. (BZ#693783)
Note: Before applying this update, make sure that any previous IBM Java packages have been removed.
All users who require java-1.7.0-ibm should install these new packages.
New java-1.7.0-openjdk packages that provide OpenJDK 7 are now available as a Technology Preview for Red Hat Enterprise Linux 6.
The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.
This enhancement update adds the new java-1.7.0-openjdk packages to Red Hat Enterprise Linux 6 as a Technology Preview. (BZ#803726)
More information about Red Hat Technology Previews is available here:
These packages do not replace the previous version of the OpenJDK (java-1.6.0-openjdk) if present. Users can safely install OpenJDK 7 in addition to OpenJDK 6. The system default version of Java can be configured using the 'alternatives' tool.
All users who want to use the java-1.7.0-openjdk Technology Preview should install these newly-released packages, which add this enhancement.
A new java-1.7.0-oracle package is now available for Red Hat Enterprise Linux 6.
The java-1.7.0-oracle package provides the Oracle Java 7 Runtime Environment and the Oracle Java 7 Software Development Kit.
This update adds the java-1.7.0-oracle packages to Red Hat Enterprise Linux 6. (BZ#720928)

Note

Before applying this update, make sure that any previous Oracle Java packages have been removed.
All users who require java-1.7.0-oracle should install these new packages.
A new ledmon package is now available for Red Hat Enterprise Linux 6.
The ledmon and ledctl utilities are user space applications designed to control LEDs associated with each slot in an enclosure or a drive bay. There are two types of systems: 2-LED system (Activity LED, Status LED) and 3-LED system (Activity LED, Locate LED, Fail LED). Users must have root privileges to use this application.
This enhancement update adds the ledmon package to Red Hat Enterprise Linux 6. (BZ#750379)
All users who require ledmon are advised to install this new package.
A new libqb package is now available for Red Hat Enterprise Linux 6.
The libqb package provides a library whose primary purpose is to provide high-performance, reusable client-server features, such as high-performance logging, tracing, inter-process communication, and polling.
This enhancement update adds the libqb package to Red Hat Enterprise Linux 6. This package is introduced as a dependency of the pacemaker package, and is considered a Technology Preview in Red Hat Enterprise Linux 6.3. (BZ#782240)
All users who require libqb are advised to install this new package.
New libreoffice packages are now available for Red Hat Enterprise Linux 6.
LibreOffice is an Open Source, community-developed, office productivity suite. It includes the key desktop applications, such as a word processor, spreadsheet, presentation manager, formula editor and drawing program. LibreOffice replaces OpenOffice.org and provides a similar but enhanced and extended Office Suite.
This enhancement update adds the libreoffice packages to Red Hat Enterprise Linux 6. (BZ#747431)
All users who require libreoffice are advised to install these new packages.
New libwacom packages are now available for Red Hat Enterprise Linux 6.
The libwacom packages contain a library that provides access to a tablet model database. The libwacom packages expose the contents of this database to applications, allowing for tablet-specific user interfaces. The libwacom packages allow the GNOME tools to automatically configure screen mappings, calibrations, and provide device-specific configurations.
This enhancement update adds the libwacom packages to Red Hat Enterprise Linux 6. (BZ#786100)
All users who require libwacom should install these new packages.
A new numad package is now available as a Technology Preview for Red Hat Enterprise Linux 6.
The numad package provides a daemon for NUMA (Non-Uniform Memory Architecture) systems that monitors NUMA characteristics. As an alternative to manual static CPU pinning and memory assignment, numad provides dynamic adjustment to minimize memory latency on an ongoing basis. The package also provides an interface that can be used to query the numad daemon for the best manual placement of an application.
This enhancement update adds the numad package to Red Hat Enterprise Linux 6 as a Technology Preview. (BZ#758416, BZ#824067)
More information about Red Hat Technology Previews is available here:
All users who want to use the numad Technology Preview should install this newly-released package, which adds this enhancement.
A new ppc64-diag package is now available for Red Hat Enterprise Linux 6.
The ppc64-diag package provides platform diagnostics for Linux for 64-bit PowerPC architectures.
This enhancement update adds the ppc64-diag package to Red Hat Enterprise Linux 6. (BZ#632735)
All users who require ppc64-diag are advised to install this newly released package.
New scl-utils packages are now available for Red Hat Enterprise Linux 6.
The scl-utils packages provide a runtime utility and RPM packaging macros for packaging Software Collections. Software Collections allow users to concurrently install multiple versions of the same RPM packages on the system. Using the scl utility, users may enable specific versions of RPMs, which are installed into the /opt directory.
This enhancement update adds the scl-utils packages to Red Hat Enterprise Linux 6. (BZ#713147)
All users who require scl-utils should install these new packages.
A new subscription-manager-migration-data package is now available for Red Hat Enterprise Linux 6.
The new Subscription Management tooling allows users to understand which specific products have been installed on their machines and which specific subscriptions their machines consume.
This enhancement update adds the subscription-manager-migration-data package to Red Hat Enterprise Linux 6. The package allows for migrations from Red Hat Network Classic Hosted to hosted certificate-based subscription management. (BZ#773030)
All users who require subscription-manager-migration-data are advised to install this new package.
New usbredir packages are now available for Red Hat Enterprise Linux 6.
The usbredir packages provide a protocol for redirection of USB traffic from a single USB device to a different virtual machine than the one to which the USB device is attached. The usbredir package contains a number of libraries to help implement support for usbredir.
This enhancement update adds the usbredir package to Red Hat Enterprise Linux 6. (BZ#758098)
Users who wish to use the new USB redirection for Spice are advised to install these new packages.
A new virt-p2v package is now available for Red Hat Enterprise Linux 6.
Virt-P2V is a tool for conversion of a physical server to a virtual guest.
This enhancement update adds the virt-p2v package to Red Hat Enterprise Linux 6, which contains a bootable ISO image for Virt-P2V conversion. The ISO image is also available on Red Hat Network in the Downloads section of the following channels:
  • RHEL AUS Server (v. 6.2 for 64-bit x86_64)
  • RHEL EUS Server (v. 6.2.z for 64-bit x86_64)
  • Red Hat Enterprise Linux Client (v. 6 for 64-bit x86_64)
  • Red Hat Enterprise Linux Compute Node (v. 6 for x86_64)
  • Red Hat Enterprise Linux Server (v. 6 for 64-bit x86_64)
  • Red Hat Enterprise Linux Workstation (v. 6 for x86_64)
The bootable image is needed to use the tool as the disks must be unmounted and not in use at the time of conversion. It allows you to convert servers running Microsoft Windows or Red Hat Enterprise Linux into virtual guests on Red Hat Enterprise Virtualization or libvirt hosts. For further information, refer to the V2V Guide. (BZ#807445)
All users who require virt-p2v should install this new package.

Chapter 5. Package Updates

5.1. 389-ds-base
5.2. abrt, libreport, btparser, and python-meh
5.3. alsa-utils
5.4. anaconda
5.5. atlas
5.6. audit
5.7. augeas
5.8. authconfig
5.9. autofs
5.10. bind
5.11. bind-dyndb-ldap
5.12. binutils
5.13. busybox
5.14. byacc
5.15. c-ares
5.16. certmonger
5.17. chkconfig
5.18. cifs-utils
5.19. cluster and gfs2-utils
5.20. cluster-glue
5.21. clustermon
5.22. conman
5.23. control-center
5.24. coolkey
5.25. coreutils
5.26. corosync
5.27. cpio
5.28. crash
5.29. crash-trace-command
5.30. createrepo
5.31. cryptsetup-luks
5.32. ctdb
5.33. cups
5.34. db4
5.35. device-mapper-multipath
5.36. dhcp
5.37. ding-libs
5.38. dmraid
5.39. dnsmasq
5.40. dracut
5.41. dropwatch
5.42. e2fsprogs
5.43. efibootmgr
5.44. expect
5.45. fcoe-target-utils
5.46. fcoe-utils
5.47. febootstrap
5.48. fence-agents
5.49. fence-virt
5.50. file
5.51. firstboot
5.52. flash-plugin
5.53. fontforge
5.54. fprintd
5.55. freeradius
5.56. gawk
5.57. gcc
5.58. gdb
5.59. ghostscript
5.60. glib2
5.61. glibc
5.62. gnome-desktop
5.63. gnome-keyring
5.64. gnome-power-manager
5.65. gnome-settings-daemon
5.66. gnome-system-monitor
5.67. grep
5.68. grub
5.69. grubby
5.70. gtk2
5.71. hivex
5.72. hsqldb
5.73. hwdata
5.74. icedtea-web
5.75. imsettings
5.76. indent
5.77. initscripts
5.78. iok
5.79. ipa
5.80. ipmitool
5.81. iproute
5.82. iprutils
5.83. iptraf
5.84. ipvsadm
5.85. irqbalance
5.86. iscsi-initiator-utils
5.87. java-1.6.0-openjdk
5.88. jss
5.89. kabi-whitelists
5.90. kdeartwork
5.91. kdebase-workspace
5.92. kdelibs
5.93. kernel
5.94. kexec-tools
5.95. keyutils
5.96. krb5
5.97. ksh
5.98. latencytop
5.99. libbonobo
5.100. libcgroup
5.101. liberation-fonts
5.102. libevent
5.103. libguestfs
5.104. libgweather
5.105. libhbaapi
5.106. libhbalinux
5.107. libibverbs-rocee and libmlx4-rocee
5.108. libselinux
5.109. libservicelog
5.110. libtar
5.111. libunistring
5.112. libusb1
5.113. libuser
5.114. libvirt
5.115. libvirt-cim
5.116. libvirt-qmf
5.117. libxklavier
5.118. lldpad
5.119. logrotate
5.120. lohit-kannada-fonts
5.121. lsof
5.122. lsvpd
5.123. ltrace
5.124. luci
5.125. lvm2
5.126. m2crypto
5.127. make
5.128. man
5.129. man-pages-fr
5.130. man-pages-overrides
5.131. matahari
5.132. mcelog
5.133. mdadm
5.134. metacity
5.135. microcode_ctl
5.136. mingw32-matahari
5.137. mingw32-qpid-cpp
5.138. mkbootdisk
5.139. mod_auth_kerb
5.140. mod_nss
5.141. module-init-tools
5.142. mysql
5.143. mysql-connector-java
5.144. nautilus
5.145. net-snmp
5.146. NetworkManager
5.147. NetworkManager-openswan
5.148. nfs-utils
5.149. nfs4-acl-tools
5.150. nmap
5.151. nss
5.152. nss, nss-util, and nspr
5.153. numactl
5.154. numpy
5.155. openldap
5.156. openssh
5.157. openswan
5.158. oprofile
5.159. pacemaker
5.160. PackageKit
5.161. pam_pkcs11
5.162. parted
5.163. pcre
5.164. pcsc-lite
5.165. perl
5.166. perl-Sys-Virt
5.167. php-pecl-apc
5.168. php-pecl-memcache
5.169. piranha
5.170. pki-core
5.171. policycoreutils
5.172. portreserve
5.173. postgresql-jdbc
5.174. ppc64-utils
5.175. procps
5.176. pykickstart
5.177. python-configshell
5.178. python-memcached
5.179. python-repoze-who
5.180. python-rhsm
5.181. python-rtslib
5.182. python-virtinst
5.183. qemu-kvm
5.184. ql2400-firmware
5.185. ql2500-firmware
5.186. qpid-cpp, python-qpid, and saslwrapper
5.187. qt
5.188. RDMA
5.189. readline
5.190. Red Hat Enterprise Linux Release Notes
5.191. redhat-release
5.192. redhat-rpm-config
5.193. resource-agents
5.194. rgmanager
5.195. rhn-client-tools and yum-rhn-plugin
5.196. ricci
5.197. rpcbind
5.198. rpm
5.199. rsync
5.200. rsyslog
5.201. rusers
5.202. s390utils
5.203. samba
5.204. sanlock
5.205. sblim-cim-client2
5.206. scsi-target-utils
5.207. SDL
5.208. seabios
5.209. sed
5.210. selinux-policy
5.211. servicelog
5.212. setroubleshoot
5.213. setup
5.214. slapi-nis
5.215. smartmontools
5.216. sos
5.217. spice-client
5.218. spice-gtk
5.219. spice-protocol
5.220. spice-server
5.221. spice-xpi
5.222. sssd
5.223. subscription-manager
5.224. subversion and neon
5.225. sudo
5.226. syslinux
5.227. sysstat
5.228. system-config-date-docs
5.229. system-config-kdump
5.230. system-config-keyboard
5.231. system-config-lvm
5.232. system-config-printer
5.233. systemtap
5.234. tar
5.235. tboot
5.236. tcpdump
5.237. tog-pegasus
5.238. tomcat6
5.239. trace-cmd
5.240. tsclient
5.241. tuned
5.242. udev
5.243. upstart
5.244. util-linux-ng
5.245. valgrind
5.246. vim
5.247. vios-proxy
5.248. virt-manager
5.249. virt-top and ocaml-libvirt
5.250. virt-v2v
5.251. virt-viewer
5.252. virt-who
5.253. virtio-win
5.254. vsftpd
5.255. wordnet
5.256. wpa_supplicant
5.257. xfig
5.258. xfsprogs
5.259. xinetd
5.260. xmlrpc-c
5.261. xorg-x11-drv-ati and mesa
5.262. xorg-x11-drv-intel
5.263. xorg-x11-drv-mga
5.264. xorg-x11-drv-wacom
5.265. xorg-x11-server
5.266. yaboot
5.267. yum
5.268. yum-utils
5.269. zsh

5.1. 389-ds-base

Updated 389-ds-base packages that fix two security issues are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with the descriptions below.
The 389 Directory Server is an LDAPv3 compliant server. The 389-ds-base packages include the Lightweight Directory Access Protocol (LDAP) server and command line utilities for server administration.
Security Fixes
CVE-2012-2678
A flaw was found in the way 389 Directory Server handled password changes. If an LDAP user has changed their password, and the directory server has not been restarted since that change, an attacker able to bind to the directory server could obtain the plain text version of that user's password via the "unhashed#user#password" attribute.
CVE-2012-2746
It was found that when the password for an LDAP user was changed, and audit logging was enabled (it is disabled by default), the new password was written to the audit log in plain text form. This update introduces a new configuration parameter, "nsslapd-auditlog-logging-hide-unhashed-pw", which when set to "on" (the default option), prevents 389 Directory Server from writing plain text passwords to the audit log. This option can be configured in /etc/dirsrv/slapd-ID/dse.ldif.
All users of 389-ds-base are advised to upgrade to these updated packages, which resolve these issues. After installing this update, the 389 server service will be restarted automatically.
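A post-update check for CVE-2012-2746 can read the cn=config entry of dse.ldif and list the accounts whose password changes already reached the audit log, so those passwords can be rotated and the old logs protected or purged. The Python below is an added example, not Red Hat's or the 389 project's code: the function names and both samples are constructed, the audit log is assumed to be LDIF-style change records, and nsslapd-auditlog-logging-enabled and nsslapd-auditlog are standard cn=config attributes that this advisory does not mention.

```python
import base64

HIDE_ATTR = "nsslapd-auditlog-logging-hide-unhashed-pw"  # named in the advisory
AUDIT_ATTR = "nsslapd-auditlog-logging-enabled"          # assumption: not on the page
LEAK_ATTR = "unhashed#user#password"                     # named in the advisory


def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return entries as dicts of lower-cased attribute name -> list of values."""
    entries, current = [], {}
    for line in unfold(text):
        if not line.strip():              # a blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if value.startswith(":"):         # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_dse(dse_text):
    """Classify the audit-log password exposure configured in dse.ldif."""
    for entry in parse_ldif(dse_text):
        if entry.get("dn", [""])[0].replace(" ", "").lower() != "cn=config":
            continue
        audit_on = entry.get(AUDIT_ATTR, ["off"])[0].lower() == "on"
        hide = entry.get(HIDE_ATTR, [None])[0]
        hide = hide.lower() if hide else None
        if not audit_on:
            verdict = "ok: audit logging is disabled"
        elif hide == "off":
            verdict = "exposed: new passwords are written to the audit log"
        elif hide is None:
            verdict = "check-package: parameter absent, safe only if the update is installed"
        else:
            verdict = "ok: unhashed passwords are hidden from the audit log"
        return {"audit_enabled": audit_on, "hide_unhashed_pw": hide, "verdict": verdict}
    raise ValueError("no cn=config entry found")


def accounts_with_logged_passwords(audit_text):
    """Return DNs whose audit records carry LEAK_ATTR; values are never returned."""
    hits, dn = [], None
    for line in unfold(audit_text):
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep and key == "dn":
            dn = value.strip()
        elif sep and key == LEAK_ATTR and dn not in hits:
            hits.append(dn)
    return hits


# Constructed samples; the folded nsslapd-auditlog line exercises unfold().
DSE_SAMPLE = """\
dn: cn=config
objectClass: top
nsslapd-auditlog-logging-enabled: on
nsslapd-auditlog: /var/log/dirsrv/slapd-EXAMPLE/aud
 it
nsslapd-auditlog-logging-hide-unhashed-pw: off

dn: cn=plugins,cn=config
objectClass: top
"""

AUDIT_SAMPLE = """\
time: 20120620101500
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}CONSTRUCTED-HASH
-
replace: unhashed#user#password
unhashed#user#password: CONSTRUCTED-PLAINTEXT
-

time: 20120620101730
dn: uid=asmith,ou=People,dc=example,dc=com
changetype: modify
replace: mail
mail: asmith@example.com
-
"""

if __name__ == "__main__":
    print(check_dse(DSE_SAMPLE)["verdict"])
    print(accounts_with_logged_passwords(AUDIT_SAMPLE))
```

Run it against the /etc/dirsrv/slapd-ID/dse.ldif of each instance; archived and rotated audit logs need the same scan, because the update does not rewrite entries that were logged before it was installed.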
Updated 389-ds-base packages that fix one security issue, several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link associated with the description below.
The 389-ds-base packages provide 389 Directory Server, which is an LDAPv3 (Lightweight Directory Access Protocol version 3) compliant server, and command-line utilities for server administration.

Upgrade to an upstream version

The 389-ds-base package has been upgraded to upstream version 389-ds-base-1.2.10, which provides a number of bug fixes and enhancements over the previous version. (BZ#766989)
Security Fix
CVE-2012-0833
A flaw was found in the way the 389 Directory Server daemon (ns-slapd) handled access control instructions (ACIs) using certificate groups. If an LDAP user that had a certificate group defined attempted to bind to the directory server, it would cause ns-slapd to enter an infinite loop and consume an excessive amount of CPU time.
Red Hat would like to thank Graham Leggett for reporting this issue.
Bug Fixes
BZ#743979
Previously, 389 Directory Server used the Netscape Portable Runtime (NSPR) implementation of the read/write locking mechanism. Consequently, the server sometimes stopped responding to requests under heavy loads. This update replaces the original locking mechanism with the POSIX (Portable Operating System Interface) read/write locking mechanism. The server is now always responsive under heavy loads.
BZ#745201
Previously, Distinguished Names (DNs) were not included in access log records of LDAP compare operations. Consequently, this information was missing in the access logs. This update modifies the underlying source code so that DNs are logged and can be found in the access logs.
BZ#752577
Previously, when 389 Directory Server was under heavy load and operating in a congested network, problems with client connections sometimes occurred. When there was a connection problem while the server was sending Simple Paged Result (SPR) search results to the client, the LDAP server called a cleanup routine incorrectly. Consequently, a memory leak occurred and the server terminated unexpectedly. This update fixes the underlying source code to ensure that cleanup tasks are run correctly and no memory leaks occur. As a result, the server does not terminate or become unresponsive under heavy loads while servicing SPR requests.
BZ#757897
Previously, certain operations with the Change Sequence Number (CSN) were not performed efficiently by the server. Consequently, the ns-slapd daemon consumed up to 100% of CPU time when performing a large number of CSN operations during content replication. With this update, the underlying source code has been modified to perform the CSN operations efficiently. As a result, large numbers of CSN operations can be performed during content replications without any performance issues.
BZ#757898
Previously, allocated memory was not correctly released in the underlying code for the SASL GSSAPI authentication method when checking the Simple Authentication and Security Layer (SASL) identity mappings. This problem could cause memory leaks when processing SASL bind requests, which eventually caused the LDAP server to terminate unexpectedly with a segmentation fault. This update adds function calls that are needed to free allocated memory correctly. Memory leaks no longer occur and the LDAP server no longer crashes in this scenario.
BZ#759301
Previously, 389 Directory Server did not handle the Entry USN (Update Sequence Number) index correctly. Consequently, the index sometimes became out of sync with the main database and search operations on USN entries returned incorrect results. This update modifies the underlying source code of the Entry USN plug-in. As a result, the Entry USN index is now handled by the server correctly.
BZ#772777
Previously, search filter attributes were normalized and substring regular expressions were compiled repeatedly for every entry in the search result set. Consequently, using search filters with many attributes and substring subfilters resulted in poor search performance. This update ensures that search filters are pre-compiled and pre-normalized before being applied. These changes result in better search performance when applying search filters with many attributes and substring subfilters.
BZ#772778
Previously, the number of ACIs (Access Control Information records) to be cached was limited to 200. Consequently, evaluating a Directory Server entry against more than 200 ACIs failed with the following error message:
acl_TestRights - cache overflown
This update increases the default ACI cache limit to 2000 and allows it to be configurable by means of the new parameter nsslapd-aclpb-max-selected-acls in the configuration file entry "cn=ACL Plugin,cn=plugins,cn=config". As a result, the aforementioned error message is not displayed unless the new limit is exceeded, and it is now possible to change the limit when needed.
BZ#772779
Previously, the restore command contained a code path leading to an infinite loop. Consequently, 389 Directory Server sometimes became unresponsive when performing a restore from a database backup. This update removes the infinite loop code path from the underlying source code. As a result, the server does not stop responding when performing a database restore.
BZ#781485
Previously, performing the ldapmodify operation to modify RUV (Replica Update Vector) entries was allowed. Consequently, 389 Directory Server became unresponsive when performing such operations. This update disallows direct modification of RUV entries. As a result, the server does not stop responding when performing such operations, and returns an error message advising usage of the CLEANRUV operation instead.
BZ#781495
Previously, to identify restart events of 389 Directory Server, the logconv.pl script searched server logs for the "conn=0 fd=" string. Consequently, the script reported a wrong number of server restarts. This update modifies the script to search for the "conn=1 fd=" string instead. As a result, the correct number of server restarts is now returned.
BZ#781500
When reloading a database from an LDIF (LDAP Data Interchange Format) file that contained an RUV element with an obsolete or decommissioned replication master, the changelog was invalidated. As a consequence, 389 Directory Server emitted error messages and required re-initialization. This update ensures that the user is properly informed about obsolete or decommissioned replication masters, and that such masters are deleted from the RUV entries. The database is now reloaded as expected in this scenario.
BZ#781516
Previously, when a non-leaf node became a tombstone entry, its child entries lost the parent-child relationships. Consequently, non-leaf tombstone entries could have been reaped prior to their child tombstone entries. This update fixes the underlying source code so that parent-child relationships are maintained even when a non-leaf entry is deleted. As a result, tombstones are now reaped correctly in the bottom-up order.
BZ#781529
Previously, no validation of managed entry attributes against the managed entry template was performed before updating 389 Directory Server's managed entries. Consequently, managed entries could have been updated after updating an original entry attribute that was not contained in the managed entry template. This update adds a check that compares modified attributes with managed entry template attributes. As a result, the managed entries are not updated unless the modified attributes of the original entry are contained in the managed entry template.
BZ#781533
Previously, 389 Directory Server did not shut down before all running tasks had been completed. Consequently, it sometimes took a long time for the Directory Server to shut down when a long-running task was being carried out. This update enhances the underlying source code with a check for server shutdown requests during performance of long-running tasks. As a result, the server shuts down in a standard amount of time even when a long-running task is being processed.
BZ#781537
Previously, 389 Directory Server expected the value of the authzid attribute to be fully BER (Basic Encoding Rules) encoded. Consequently, the following error was returned when performing the ldapsearch command with proxy authorization:
unable to parse proxied authorization control (2 (protocol error))
This update modifies the underlying source code so that full BER encoding of the provided authzid value is not required. As a consequence, no error is returned in the scenario described above.
BZ#781538
Previously, the buffer for matching rule OIDs (Object Identifiers) had a fixed size of 1024 characters. Consequently, matching rule OIDs got truncated when their total length exceeded 1024 characters. This update modifies the underlying source code to use a dynamically allocated buffer instead of the one with a fixed size. As a result, any number of matching rule OIDs can be handled without being truncated.
BZ#781539
Previously, executing the ldapsearch command on the "cn=config" object returned all attributes of the object, including attributes with empty values. This update ensures that attributes with empty values are not saved into "cn=config", and enhances the ldapsearch command with a check for empty attributes. As a result, only attributes that have a value are returned in the aforementioned scenario.
BZ#781541
Previously, log records of operations performed using a proxy user contained the main user as the one who performed the operation. This update ensures that the proxy user is logged in log records of the search, add, mod, del, and modrdn operations.
BZ#784343
Previously, the database upgrade scripts checked if the server was offline by checking for the presence of .pid files. In some cases, however, the files remain present even if the associated processes have already been terminated. Consequently, the upgrade scripts sometimes assumed that the Directory Server was online and did not proceed with the database upgrade even if the server was actually offline. This update adds an explicit test to check if the processes referenced in the .pid files are really running. As a result, the upgrade scripts now work as expected.
BZ#784344
Previously, the repl-monitor command used only the subdomain part of hostnames for host identification. Consequently, hostnames with the identical subdomain part (for example: "ldap.domain1", "ldap.domain2") were identified as a single host, and inaccurate output was produced. This update ensures that the entire hostname is used for host identification. As a result, all hostnames are identified as separate and output of the repl-monitor command is accurate.
BZ#788140
Previously, the server used unnormalized DN strings to perform internal search and modify operations while the code for modify operations expected normalized DN strings. Consequently, error messages like the following one were logged when performing replication with domain names specified in unnormalized format:
NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=example,dc=com: 32
This update ensures that DN strings are normalized before being used in modify operations. As a result, replication does not produce the error messages in the aforementioned scenario.
BZ#788722
Previously, the 389-ds-base/ldap/servers/snmp/ directory contained .mib files without copyright headers. Consequently, the files could not be included in certain Linux distributions due to copyright reasons. This update merges information from all such files into the redhat-directory.mib file, which contains the required copyright information, and ensures that it is the only file in the directory. As a result, no copyright issues block 389 Directory Server from being included in any Linux distribution.
BZ#788724
Previously, the underlying source code for extensible search filters used strcmp routines for value comparison. Consequently, using extensible search filters with binary data returned incorrect results. This update modifies the underlying source code to use binary-aware functions. As a result, extensible search filters work with binary data correctly.
BZ#788725
Previously, value normalization of the search filter did not respect the used filter type and matching rules. Consequently, when using different values than the default comparison type for the searched attribute syntax, search attempts returned incorrect results. This update modifies the underlying source code to use normalization sensitive to matching rules on filter attributes and values. As a result, search results in accordance with the matching rules are returned.
BZ#788729
Previously on the Directory Server, tombstones of child entries in a database were handled incorrectly. Therefore, if the database contained deleted entries that were converted to tombstones, an attempt to reindex the entryrdn index failed with the following error message:
_entryrdn_insert_key: Getting "nsuniqueid=ca681083-69f011e0-8115a0d5-f42e0a24,ou=People,dc=example,dc=com" failed
With this update, 389 Directory Server handles tombstones of child entries correctly, and the entryrdn index can now be reindexed successfully with no errors.
BZ#788731
Previously, RUV tombstone entries were indexed incorrectly by the entryrdn index. Consequently, attempts to search for such entries were not successful. This update ensures correct indexing of RUV tombstone entries in the entryrdn index and search attempts for such entries are now successful.
BZ#788741
Previously, the DNA (Distributed Numeric Assignment) plug-in used too short a timeout for requests to replicate a range of UIDs. Consequently, using replication with DNA to add users sometimes failed on networks with high latency, returning the following error message:
Operations error: Allocation of a new value for range cn=posix ids,cn=distributed 
numeric assignment plugin,cn=plugins,cn=config failed
With this update, the default timeout for such replication requests has been set to 10 minutes. As a result, no errors are returned when using replication with DNA to add users, and the operation succeeds.
BZ#788745
Previously, change sequence numbers (CSNs) in RUV were not refreshed when a replication role was changed. Consequently, data on the server became inconsistent. This update ensures that CSNs are refreshed when a replication role is changed. As a result, data inconsistency is no longer observed in the previously mentioned cases.
BZ#788749
Previously, errors in schema files were not reported clearly in log files. Consequently, the messages could be incorrectly interpreted as reporting an error in the dse.ldif file. This update modifies the error messages so that they include the name of and path to the file where the error was found.
BZ#788750
Previously, the server used an outdated version of the nisDomain schema after an upgrade. Consequently, restarting 389 Directory Server after an upgrade produced the following error message:
attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not 
compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.26] for the attribute [nisDomain]
This update ensures that the server uses the latest version of the nisDomain schema. As a result, restarting the server after an upgrade does not show any errors.
BZ#788751
389 Directory Server previously did not properly release allocated memory after finishing normalization operations. This caused memory leaks to occur during the server's runtime. This update fixes the underlying code to release allocated memory properly so that memory leaks no longer occur under these circumstances.
BZ#788753
Previously, the "connection" attribute was not included in the cn=monitor schema, which caused the access control information (ACI) handling code to ignore the ACI. Consequently, requesting the connection attribute when performing anonymous search on cn=monitor returned the connection attribute, even though it was denied by the default ACI. This update ensures that the ACI is processed even if the attribute is not in the schema. As a result, the connection attribute is not displayed if the ACI denies it.
BZ#788754
Previously, several memory leak errors sometimes occurred during the server's runtime. This update fixes all the memory leak errors so that none of them occur anymore.
BZ#788755
Previously, IPv4-mapped IPv6 addresses were treated as independent addresses by 389 Directory Server. Consequently, errors were reported during server startup when such addresses conflicted with standard IPv4 addresses. This update ensures that the IPv4 part of every IPv4-mapped IPv6 address is compared with existing IPv4 addresses. As a result, the server starts with no errors even when IPv4-mapped IPv6 addresses conflict with standard IPv4 addresses.
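The comparison that BZ#788755 describes, as an added C example (it is not 389 Directory Server source code): an IPv4-mapped IPv6 address is folded to its IPv4 part before listen addresses are compared. The function names, the `fold_mapped` switch and the sample addresses (documentation ranges) are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define MAX_LISTENERS 16

/* Canonical listen address: family plus raw bytes (4 used for IPv4). */
struct canon_addr {
    int family;
    unsigned char bytes[16];
};

/* ::ffff:0:0/96 prefix that marks an IPv4-mapped IPv6 address. */
static const unsigned char V4MAPPED_PREFIX[12] =
    { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff };

/* Parse an address literal. With fold_mapped set, ::ffff:a.b.c.d is
 * reduced to the IPv4 address a.b.c.d. Returns 0, or -1 on bad input. */
int canon_parse(const char *text, int fold_mapped, struct canon_addr *out)
{
    unsigned char raw[16];

    memset(out, 0, sizeof(*out));
    if (inet_pton(AF_INET, text, raw) == 1) {
        out->family = AF_INET;
        memcpy(out->bytes, raw, 4);
        return 0;
    }
    if (inet_pton(AF_INET6, text, raw) != 1)
        return -1;
    if (fold_mapped && memcmp(raw, V4MAPPED_PREFIX, 12) == 0) {
        out->family = AF_INET;            /* compare only the IPv4 part */
        memcpy(out->bytes, raw + 12, 4);
    } else {
        out->family = AF_INET6;
        memcpy(out->bytes, raw, 16);
    }
    return 0;
}

static int canon_equal(const struct canon_addr *a, const struct canon_addr *b)
{
    return a->family == b->family &&
           memcmp(a->bytes, b->bytes, sizeof(a->bytes)) == 0;
}

/* 1 if both literals name the same address, 0 if not, -1 on bad input. */
int same_address(const char *a, const char *b, int fold_mapped)
{
    struct canon_addr ca, cb;

    if (canon_parse(a, fold_mapped, &ca) || canon_parse(b, fold_mapped, &cb))
        return -1;
    return canon_equal(&ca, &cb);
}

/* Number of distinct addresses in a listener list, or -1 on bad input.
 * With fold_mapped = 0 the families are treated as unrelated, so a mapped
 * address and its IPv4 twin both survive and would be bound twice. */
int unique_listeners(const char *const *addrs, size_t n, int fold_mapped)
{
    struct canon_addr seen[MAX_LISTENERS];
    int unique = 0;

    if (n > MAX_LISTENERS)
        return -1;
    for (size_t i = 0; i < n; i++) {
        struct canon_addr cur;
        int dup = 0;

        if (canon_parse(addrs[i], fold_mapped, &cur) != 0)
            return -1;
        for (int j = 0; j < unique && !dup; j++)
            dup = canon_equal(&seen[j], &cur);
        if (!dup)
            seen[unique++] = cur;
    }
    return unique;
}

/* Constructed sample listener list (documentation address ranges). */
static const char *const SAMPLE_LISTENERS[] = {
    "192.0.2.10", "::ffff:192.0.2.10", "2001:db8::1", "::ffff:c000:20a"
};

int main(void)
{
    printf("distinct, families unrelated: %d\n",
           unique_listeners(SAMPLE_LISTENERS, 4, 0));
    printf("distinct, mapped folded:      %d\n",
           unique_listeners(SAMPLE_LISTENERS, 4, 1));
    return 0;
}
```

The same folding applies wherever addresses are compared for access decisions, since a client can reach an IPv4 service through its mapped form on a dual-stack socket.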
BZ#788756
Previously, the 389-ds-base man pages contained several typos and factual errors. This update corrects the man pages so that they contain correct information and no typos.
BZ#790491
Previously, a NULL pointer dereference sometimes occurred when initializing a Directory Server replica. Consequently, the server terminated unexpectedly with a segmentation fault. This update enhances the underlying source code for replica initialization with a check for the NULL value. As a result, replica initialization always finishes successfully.
BZ#796770
Previously, a double free error sometimes occurred during operations with orphaned tombstone entries. Consequently, when an orphaned tombstone entry was passed to the tombstone_to_glue function, the Directory Server terminated unexpectedly. This update fixes the logic for getting ancestor tombstone entries and eliminates the chance to convert a tombstone entry into an orphaned entry. As a result, unexpected server termination no longer occurs in the aforementioned scenario.
BZ#800215
Previously, an internal loop was incorrectly handled in code of the ldapcompare command. Consequently, performing concurrent comparison operations on virtual attributes caused the Directory Server to become unresponsive. This update fixes the internal loop issue. As a result, the server performs concurrent comparison operations without any issues.
BZ#803930
Previously, when upgrading 389 Directory Server, server startup had been initiated before the actual upgrade procedure finished. Consequently, the startup failed with the following error message:
ldif2dbm - _get_and_add_parent_rdns: Failed to convert DN cn=TESTRELM.COM to RDN
This update ensures that the server does not start before the upgrade procedure finishes. As a result, the server boots up successfully after the upgrade.
BZ#811291
Previously, the code of the range read operation did not correctly handle situations when an entry was deleted while a ranged search operation was being performed. Consequently, performing delete and ranged search operations concurrently under heavy loads caused the Directory Server to terminate unexpectedly. This update fixes the underlying source code to handle such situations correctly. As a result, the server no longer terminates unexpectedly when performing delete and ranged search operations concurrently under heavy loads.
BZ#813964
When performing delete and search operations against 389 Directory Server under high load, the DB_MULTIPLE_NEXT pointer to the stack buffer could have been set to an invalid value. As a consequence, dereferencing the pointer led to an attempt to access memory that was not allocated for the stack buffer. This caused the server to terminate unexpectedly with a segmentation fault. With this update, the DB_MULTIPLE_NEXT pointer is now properly tested. If the pointer's value is invalid, the page or value is considered deleted and the stack buffer is reloaded. As a result, the segmentation fault no longer occurs in this scenario.
BZ#815991
The ldap_initialize() function is not thread-safe. Consequently, 389 Directory Server terminated unexpectedly during startup when using replication with many replication agreements. This update ensures that calls of the ldap_initialize() function are protected by a mutual exclusion. As a result, when using replication with many replication agreements, the server starts up correctly.
BZ#819643
Due to an error in the underlying source code, an attempt to rename an RDN (Relative Distinguished Name) string failed if the new string sequence was the same except for the lower/upper case of some letters. This update fixes the code so that it is possible to rename RDNs to the same string sequence with case difference.
BZ#821542
Previously, the letter case information was ignored when renaming DN strings. Consequently, if the new string sequence differed only in the case of some letters, a DN string was only converted to lowercase and the case information lost. This update modifies the underlying code so that it is now possible to rename RDNs to the same string sequence with case difference.
BZ#822700
Previously, the code for ACI handling did not reject incorrectly specified DNs. Consequently, incorrectly specified DNs in an ACI caused 389 Directory Server to terminate unexpectedly during startup or after an online import. This update ensures that the underlying source code for ACI handling rejects incorrectly specified DNs. As a result, the server does not terminate in this scenario.
BZ#824014
Previously, the code handling the entryusn attribute modified cache entries directly. Consequently, under heavy loads, the server terminated unexpectedly when performing delete and search operations using the entryusn and memberof attributes with referential integrity enabled. This update ensures that the entries are never modified in the cache directly. As a result, the server performs searches in the previously described conditions without terminating unexpectedly.
Enhancements
BZ#683241
Previously, post-operation plug-ins were executed after initial operation results had been returned to the LDAP client. Consequently, some results of the initial operation might not have been immediately available. This update introduces the "betxnpreoperation" and "betxnpostoperation" plug-in types. Plug-ins of these types run inside the regular transaction of initial operations. As a result, when these plug-in types are used, operations triggered by the initial operation complete before completion of the initial operation.
BZ#766322
Previously, there was no easy way to determine what default search base an LDAP client should use. Consequently, LDAP clients with no search base configured attempted to search against 389 Directory Server. This update adds a new attribute, defaultNamingContext, to the root DSE (Directory Server Entry). As a result, clients can query the root DSE for the value of the defaultNamingContext attribute and use the returned value as a search base.
BZ#768086
This update introduces the nsslapd-minssf-exclude-rootdse configuration attribute, with possible values "on" and "off". If its value is "off", which is the default, the server allows clients to access the root DSE even if the Security Strength Factor (SSF) value is less than the nsslapd-minssf attribute value. As a result, it is possible to allow access to the root DSE without using SSL/TLS even if the rest of the server requires SSL/TLS.
BZ#768091
Previously, the delete operation was not allowed for Managed Entry Config entries. Consequently, attempts to delete such entries were rejected with the following error message:
ldap_delete: Server is unwilling to perform (53)
additional info: Not a valid operation.
This update modifies the underlying source code so that deletion of Managed Entry Config entries is allowed and can be performed successfully.
BZ#781501
Previously, extended user account information was not available to LDAP clients from 389 Directory Server. This update adds support for Account Usable Request Control, which enables LDAP clients to get the extended user account information.
BZ#788760
Previously, the logconv.pl script was only able to produce a summary of operations for a file or for a requested period. This update introduces the -m option for generation of per-second statistics, and the -M option for generation of per-minute statistics. The statistics are generated in CSV format suitable for further post-processing.
BZ#790433
Previously, all newly created entries had to be added to groups manually. This update adds a new plug-in which ensures automatic adding of each new entry to a group if it matches certain criteria.
Users of 389-ds-base should upgrade to these updated packages, which resolve these issues and add these enhancements.

5.2. abrt, libreport, btparser, and python-meh

Updated abrt, libreport, btparser, and python-meh packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
ABRT is a tool to help users to detect defects in applications and to create a problem report with all the information needed by a maintainer to fix it. It uses a plug-in system to extend its functionality. libreport provides an API for reporting different problems in applications to different bug targets like Bugzilla, ftp, and trac.
The btparser utility is a backtrace parser and analyzer library, which works with backtraces produced by the GNU Project Debugger. It can parse a text file with a backtrace to a tree of C structures, which allows the threads and frames of the backtrace to be analyzed and processed.
The python-meh package provides a python library for handling exceptions.

Upgrade to an upstream version

The abrt package has been upgraded to upstream version 2.0.8-1, which provides a number of bug fixes over the previous version. (BZ#759375)
The libreport package has been upgraded to upstream version 2.0.9-1, which provides a number of bug fixes over the previous version. (BZ#759377)
The btparser package has been upgraded to upstream version 0.16-1, which provides a number of bug fixes over the previous version. (BZ#768377)
Security Fixes
CVE-2012-1106
If the C handler plug-in in ABRT was enabled (the abrt-addon-ccpp package installed and the abrt-ccpp service running), and the sysctl fs.suid_dumpable option was set to "2" (it is "0" by default), core dumps of set user ID (setuid) programs were created with insecure group ID permissions. This could allow local, unprivileged users to obtain sensitive information from the core dump files of setuid processes they would otherwise not be able to access.
CVE-2011-4088
ABRT did not allow users to easily search the collected crash information for sensitive data prior to submitting it. This could lead to users unintentionally exposing sensitive information via the submitted crash reports. This update adds functionality to search across all the collected data. Note that this fix does not apply to the default configuration, where reports are sent to Red Hat Customer Support. It only takes effect for users sending information to Red Hat Bugzilla.
Red Hat would like to thank Jan Iven for reporting CVE-2011-4088.
Bug Fixes
BZ#809587, BZ#745976
When the ABRT GUI was used to report a bug using the menu button Report problem with ABRT, an empty bug was created. This update removes this button as it was only used for testing purposes.
BZ#800828
When a new dump directory was saved to /var/spool/abrt-upload/ via the reporter-upload utility, the ABRT daemon copied the dump directory to /var/spool/abrt/ and incremented the crash count which was already incremented before. Due to the crash count being incremented twice, the dump directory was marked as a duplicate of itself and removed. With this update, the crash count is no longer incremented for remotely uploaded dump directories, thus fixing the issue.
BZ#747624
The /usr/bin/abrt-cli utility was missing a man page. This update adds the abrt-cli(1) man page.
BZ#796216
Analyzing lines of a kernel oops caused the line variable to be freed twice. This update fixes this bug, and kernel oopses are now properly analyzed.
BZ#770357
Prior to this update, ABRT email notification via the mailx plug-in did not function properly due to a missing default configuration file for the mailx plug-in. This update adds a default configuration file for the mailx plug-in: /etc/libreport/plugins/mailx.conf.
BZ#799352
Starting the ABRT daemon resulted in an error if dbus was not installed on the system. This update removes the dbus dependency and the ABRT daemon can now be started even if dbus is not installed on the system.
BZ#727494
The previous version of ABRT silently allowed users to report the same problem to Bugzilla multiple times. This behavior is now changed and users are warned if the report was already submitted. The max allowed size of email attachments and local logs was increased to 1 MB. This fixes the problem where longer reports were being lost when sent via email or stored locally using the logger plug-in.
BZ#746727
This update fixes a bug which caused the /tmp/anaconda-tb-* files to be sometimes recognized as a binary file and sometimes as a text file.
BZ#771597
ABRT 2.x has added various new daemons. However, not all of the added daemons were properly enabled during the transition from ABRT 1.x. With this update, all daemons are correctly started and updating from ABRT 1.x to ABRT 2.x works as expected.
BZ#751068
The abrt-cli package previously depended on the abrt-addon-python package. This prevented users from removing the abrt-addon-python package via Yum as the abrt-cli package would be removed as well. With this update, a new virtual abrt-tui package has been added that pulls in all the packages required to use ABRT on the command line, thus resolving the aforementioned issue.
BZ#749100
Previously, some strings in the ABRT tools were not marked as translatable. This update fixes this issue.
BZ#773242
When ABRT attempted to move data, a misleading message was returned to the user informing that a copy of the dump was created. This update improves this message so that it is clear that ABRT does not copy data but moves it.
BZ#811147
When a backtrace contained a frame in which the text of the function arguments was too long, the backtrace printer in GDB truncated the arguments. The backtrace parser could not handle the truncated arguments and did not format them properly. With this update, the backtrace parser detects the truncated strings, which indicate that the function arguments were truncated. The parser state then adapts to this situation and correctly parses the backtrace.
BZ#823411
A change in the Bugzilla API prevented the ABRT bugzilla plug-in from working correctly. This update resolves this issue by modifying the source code to work with the new Bugzilla API.
BZ#758366
This update fixes a typographical error in the commentary of various ABRT configuration files.
BZ#625485
The previous version of ABRT generated an invalid XML log file. This update fixes this and every non-ASCII character is now escaped.
BZ#788577
Unlike ABRT, python-meh was not including a list of environment variables in its problem reports. A list of environment variables is useful information for assignees of the created bug. With this update, code producing a list of environment variables and passing it to libreport was added to python-meh, and problem reports generated by python-meh now include lists of environment variables.
All users of abrt, libreport, btparser, and python-meh are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

5.3. alsa-utils

Updated alsa-utils packages that fix one bug and add one enhancement are now available for Red Hat Enterprise Linux 6.
The alsa-utils packages provide command-line utilities for the Advanced Linux Sound Architecture (ALSA).

Bug Fix

BZ#674199
Prior to this update, the alsactl tool tried to initialize all sound cards if the /etc/asound.state file was not present. As a consequence, SELinux could deny access to non-existent devices. This update modifies the underlying code so that alsactl is called only once from udev.

Enhancement

BZ#650113
With this update, the alsa-delay and alsaloop utilities have been added to alsa-utils to manage the system audio delay.
All users of alsa-utils are advised to upgrade to these updated packages, which fix this bug and add this enhancement.

5.4. anaconda

Updated anaconda packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The anaconda package contains portions of the Anaconda installation program that can be run by the user for reconfiguration and advanced installation options.
Bug Fixes
BZ#690058
Prior to this update, the noprobe argument in a kickstart file was not passed to the last known codepath. Consequently, the noprobe request was not properly honored by Anaconda. This update improves the code so that the argument is passed to the last known codepath. As a result, device drivers are loaded according to the device command in the kickstart file.
BZ#691794
Previously, an improper device file that provided access to an array as a whole was used to initialize the boot loader in a Device Mapper Multipath (DM-Multipath) environment. Consequently, the system was not bootable. Anaconda has been modified to enumerate all drives in an array and initialize the boot loader on each of them. As a result, the system now boots as expected.
BZ#723404
When performing a minimal installation from media without the use of a network, network devices did not have a working default network configuration. Consequently, bringing a network device up after reboot using the ifup command failed. This update sets the value of BOOTPROTO to dhcp in default network device configuration files. As a result, network devices can be activated successfully using the ifup command after reboot in the scenario described.
BZ#727136
When Anaconda places a PowerPC Reference Platform (PReP) boot partition on a different drive to the root partition, the system cannot boot. This update forces the PReP boot partition to be on the same drive as the root partition. As a result, the system boots as expected.
BZ#734128
Due to a regression, when installing on systems with pre-existing mirrored Logical Volumes (LV), the installer failed to properly detect the Logical Volume Management configuration containing mirrored logical volumes. Consequently, a mirrored logical volume created before installation was not shown and could not be used in kickstart. The code to handle mirrored logical volumes has been updated to make use of the udev information that changed due to a previous bug fix. As a result, mirrored logical volumes are correctly detected by the installer.
BZ#736457
On IBM System z architectures, z/VM guests with only one CPU allocated failed to read the Conversational Monitor System (CMS) configuration file used by the installation environment. Consequently, users of z/VM guests with a single CPU had to either pass all installation environment configuration values on the kernel boot line or supply the information at the interactive prompts as the installation environment booted up. This update improves the code to detect the number of guests after mounting the /proc file. As a result, guests with one CPU can bring the boot device online so the CMS configuration file can be read and automated installations proceed as expected.
BZ#738577
The repo commands in kickstart generated by Anaconda contained base installation repository information but they should contain only additional repositories added either by the repo kickstart command or in the graphical user interface (GUI). Consequently, in media installations, the repo command generated for installation caused a failure when the kickstart file was used. With this update, Anaconda now generates repo commands only for additional repositories. As a result, kickstart will not fail for media installations.
BZ#740870
Manual installation onto BIOS RAID devices of level 0 or level 1 produced an Intel Media Storage Manager (IMSM) metadata read error in the installer. Consequently, users were not able to install to such devices. With this update, Anaconda properly detects BIOS RAID level 0 and level 1 IMSM metadata. As a result, users are able to install to these devices.
BZ#746495
The LiveCD environment was missing a legacy symlink to the devkit-disks utility. Consequently, the call that modified automounter behavior was never properly executed. The code has been updated to call the proper non-legacy binary. As a result, USB devices used during installation are no longer automounted.
BZ#747219
The console tty1 was put under control of Anaconda, but was not returned when Anaconda exited. Consequently, init did not have permission to modify tty1's settings to enable Ctrl+C functionality when Anaconda exited, which resulted in Ctrl+C not working when the installer prompted the user to press the Ctrl+C or Ctrl+Alt+Delete key combination after Anaconda terminated unexpectedly. Code that returns control of tty1 to init was added to Anaconda. As a result, Ctrl+C now works as expected if the user is prompted to press it when Anaconda crashes.
BZ#750126
The Bash version used in the buildinstall script had a bug that influenced parsing of the =~ operator. This operator is used to check for the architecture when including files. Consequently, some binaries which provide the grub command were present on x86_64 versions of the installer, but were missing from i686 media. The Bash code has been modified to prevent this bug. As a result, the binaries are now also present on i686 media and users can now use the grub command from installation media as expected.
BZ#750417
Due to bad ordering in the unmounting sequence, the dynamic linker failed to link libraries, which caused the mdadm utility not to work and exit with the status code of 127. This update fixes the ordering in the unmounting sequence and as a result, the dynamic linker and mdadm now work correctly.
BZ#750710
There was no check to see if the file descriptors passed as stdout and stderr were distinct. Consequently, if the stdout and stderr descriptors were the same, using them both for writing resulted in overwriting and the log file not containing all of the lines expected. With this update, if the stdout and stderr descriptors are the same then only one of them is used for both stdin and stderr. As a result, the log file contains all lines from both stdout and stderr.
BZ#753108
When installing on a system with more than one disk with a PowerPC Reference Platform (PReP) partition present, the PReP partitions that should be left untouched were updated. This update corrects the problem so that PReP partitions other than the one used during installation are left untouched. As a result, old PReP partitions do not get updated.
BZ#754031
The kernel command line /proc/cmdline ends with \n but the installer only checked for \0. Consequently, the devel argument was not detected when it was the last argument on the command line and the installation failed. This update improves the code to also check for \n. As a result, the devel argument is correctly parsed and installation proceeds as expected.
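The edge case in BZ#754031, as an added C example (it is not Anaconda's code): a whole-argument match on a command line that ends with a newline, with the old and the corrected terminator check side by side. The function names, the `newline_ends_arg` switch and the sample command lines are constructed, and the old check is assumed to have accepted a blank or NUL after the argument.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if `flag` appears in `cmdline` as a whole argument.
 * newline_ends_arg = 0 models the old check: only NUL (or a blank, by
 * assumption) may follow the flag. newline_ends_arg = 1 models the fix:
 * the trailing '\n' of /proc/cmdline also ends an argument. */
int has_flag(const char *cmdline, const char *flag, int newline_ends_arg)
{
    size_t flen = strlen(flag);
    const char *p = cmdline;

    if (flen == 0)
        return 0;
    while ((p = strstr(p, flag)) != NULL) {
        char next = p[flen];
        int at_start = (p == cmdline) || p[-1] == ' ' || p[-1] == '\t';
        int at_end = next == '\0' || next == ' ' || next == '\t' ||
                     (newline_ends_arg && next == '\n');

        if (at_start && at_end)
            return 1;
        p++;                    /* partial match, keep scanning */
    }
    return 0;
}

/* Read a cmdline-style file into buf, keeping the trailing newline.
 * Returns the number of bytes read, or -1 on error. */
long read_cmdline(const char *path, char *buf, size_t size)
{
    FILE *f;
    size_t n;

    if (size == 0 || (f = fopen(path, "r")) == NULL)
        return -1;
    n = fread(buf, 1, size - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

/* Constructed samples in the shape the kernel exposes them. */
static const char LAST_ARG[]  = "initrd=initrd.img ks=http://192.0.2.1/ks.cfg devel\n";
static const char FIRST_ARG[] = "devel ks=http://192.0.2.1/ks.cfg\n";
static const char SUBSTRING[] = "initrd=initrd.img nodevel development\n";

int main(void)
{
    char live[4096];

    printf("last arg,  old check: %d\n", has_flag(LAST_ARG, "devel", 0));
    printf("last arg,  new check: %d\n", has_flag(LAST_ARG, "devel", 1));
    printf("first arg, old check: %d\n", has_flag(FIRST_ARG, "devel", 0));
    printf("substring, new check: %d\n", has_flag(SUBSTRING, "devel", 1));
    if (read_cmdline("/proc/cmdline", live, sizeof(live)) >= 0)
        printf("running kernel has 'devel': %d\n", has_flag(live, "devel", 1));
    return 0;
}
```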
BZ#756608
Network installations on IBM System z check the nameserver address provided using the ping command. Environments restricting ICMP ECHO packets will cause this test to fail, halting the installation and asking the user whether or not the provided nameserver address is valid. Consequently, automated installations using kickstart will stop if this test fails. With this update, in the event that the ping test fails, the nslookup command is used to validate the provided nameserver address. If the nslookup test succeeds then kickstart will continue with the installation. As a result, automated network installations on IBM System z in non-interactive mode will complete as expected in the scenario described.
BZ#760250
When configuring a system with multiple active network interfaces and the ksdevice = link command was present, the link specification was not used consistently for device activation and device configuration. Consequently, other network devices having link status were sometimes misconfigured using the settings targeted to the device activated by the installer. With this update, the code has been improved and now refers to the same device with link specification both in case of device activation and device configuration. As a result, when multiple devices with link status are present during installation, ksdevice = link specification of the device to be activated and used by the installer does not cause misconfiguration of another device having link status.
BZ#766902
When configuring the network using the Anaconda GUI hostname screen, the keyboard shortcut for the Configure Network button was missing. This update adds the C keyboard shortcut. Network configuration can now be invoked using the Alt+C keyboard shortcut.
BZ#767727
The Ext2FS class in Anaconda has a maximum file size attribute correctly set to 8 TB, but Ext3FS and Ext4FS inherited this value without overriding it. Consequently, when attempting to create an ext3 or ext4 file system of a size greater than 8 TB, the installer would not allow it. With this update, the installer's upper bound for new ext3 and ext4 file system size has been adjusted from 8 TB to 16 TB. As a result, the installer now allows creation of ext3 and ext4 file systems up to 16 TB.
BZ#769145
The Anaconda dhcptimeout boot option was not working. NetworkManager used a DHCP transaction timeout of 45 seconds without the possibility of configuring a different value. Consequently, in certain cases NetworkManager failed to obtain a network address. NetworkManager has been extended to read the timeout parameter from a DHCP configuration file and use that instead of the default value. Anaconda has been updated to write out the dhcptimeout value to the interface configuration file used for installation. As a result, the boot option dhcptimeout works and NetworkManager now waits to obtain an address for the duration of the DHCP transaction period as specified in the DHCP client configuration file.
BZ#783245
Prior to this update, USB3 modules were not in the Anaconda install image. Consequently, USB3 devices were not detected by Anaconda during installation. This update adds the USB3 modules to the install image and USB3 devices are now detected during installation.
BZ#783841
When the kickstart clearpart command or the installer's automatic partitioning options to clear old data from the system's disks were used with complex storage devices such as logical volumes and software RAID, LVM tools caused the installation process to become unresponsive due to a deadlock. Consequently, the installer failed when trying to remove old metadata from complex storage devices. This update changes the LVM commands in the udev rules packaged with the installer to use a less restrictive method of locking and the installer was changed to explicitly remove partitions from a disk instead of simply creating a new partition table on top of the old contents when it initializes a disk. As a result, LVM no longer hangs in the scenario described.
BZ#785400
The /usr/lib/anaconda/textw/netconfig_text.py file tried to import a module from the wrong location. Consequently, Anaconda failed to start and the following error message was generated:
No module named textw.netconfig_text
The code has been corrected and the error no longer occurs in the scenario described.
BZ#788537
Prior to this update, kickstart repository entries did not use the global proxy setting. Consequently, on networks restricted to using a proxy, installation would terminate unexpectedly when attempting to connect to additional repository entries in a kickstart file if no proxy had been explicitly specified. This update changes the code to use the global proxy if an additional repository has no proxy set for it. As a result, the global proxy setting will be used and installation will proceed as expected in the scenario described.
BZ#800388
The kickstart pre-installation and post-installation scripts had no information about the proxy being used by Anaconda. As a consequence, programs such as wget and curl would not work properly in a pre-installation and post-installation script on networks restricted to using a proxy. This update sets the PROXY, PROXY_USER, and PROXY_PASSWORD environment variables. As a result, pre-installation and post-installation scripts now have access to the proxy setting used by Anaconda.
BZ#802397
Using the --onbiosdisk=NUMBER option for the kickstart part command sometimes caused installation failures as Anaconda was not able to find the disk that matches the specified BIOS disk number. Users wishing to use BIOS disk numbering to control kickstart installations were not able to successfully install Red Hat Enterprise Linux. This update adjusts the comparison in Anaconda that matches the BIOS disk number to determine the Linux device name. As a result, users wishing to use BIOS disk numbering to control kickstart installations will now be able to successfully install Red Hat Enterprise Linux.
BZ#805910
Due to a regression, when running the system in Rescue mode with no or only uninitialized disks, the Anaconda storage subsystem did not check for the presence of a GUI before presenting the user with a list of options. Consequently, when the user selected continue the installer terminated unexpectedly with a traceback. This update adds a check for presence of the GUI and falls back to a TUI if there is none. As a result, the user is informed about the lack of usable disks in the scenario described.
BZ#823810
When using Anaconda with Qlogic qla4xxx devices in firmware boot mode and with iSCSI targets set up in BIOS (either enabled or disabled), the devices were exposed as iSCSI devices. But in this mode the devices cannot be handled with the iscsiadm and libiscsi tools used by the installer. Consequently, installation failed with a traceback during examination of storage devices by the installer. This update changes the installer to not try to manage iSCSI devices set up with qla4xxx firmware with iscsiadm or libiscsi. As a result, installation in an environment with iSCSI targets set up by qla4xxx devices in firmware mode finishes successfully.

Note

The firmware boot mode is turned on and off by the qla4xxx.ql4xdisablesysfsboot boot option. With this update, it is enabled by default.
Enhancements
BZ#500273
There was no support for binding of iSCSI connections to network interfaces, which is required for installations using multiple iSCSI connections to a target on a single subnet for Device Mapper Multipath (DM-Multipath) connectivity. Consequently, DM-Multipath connectivity could not be used on a single subnet as all devices used the default network interface. With this update, the Bind targets to network interfaces option has been added to the Advanced Storage Options dialog box. When turned on, targets discovered specifically for all active network interfaces are available for selection and login. For kickstart installations, a new iscsi --iface option can be used to specify the network interface to which a target should be bound. Once interface binding is used, all iSCSI connections have to be bound, that is to say the --iface option has to be specified for all iscsi commands in kickstart. Network devices required for iSCSI connections can be activated either using the kickstart network command with the --activate option or in the graphical user interface (GUI) using the Configure Network button from the Advanced Storage Options dialog (Connect Automatically has to be checked when configuring the device so that the device is also activated in the installer). As a result, it is now possible to configure and use DM-Multipath connectivity for iSCSI devices using different network interfaces on a single subnet during installation.
BZ#625697
The curl command line tool was not in the install image file. Consequently, curl could not be used in the %pre section of kickstart. This update adds curl to the install image and curl can be used in the %pre section of kickstart.
BZ#660686
Support for installation using IP over InfiniBand (IPoIB) interfaces has been added. As a result, it is possible to install systems connected directly to an InfiniBand network using IPoIB network interfaces.
BZ#663647
Two new options were added to the kickstart volgroup command to specify initially unused space in megabytes or as a percentage of the total volume group size. These options are only valid for volume groups being created during installation. As a result, users can effectively reserve space in a new volume group for snapshots while still using the --grow option for logical volumes within the same volume group.
BZ#671230
The GPT disk label is now used for disks of size 2.2 TB and larger. As a result, Anaconda now allows installation to disks of size 2.2 TB and larger, but the installed system will not always boot properly on non-EFI systems. Disks of size 2.2 TB and larger may be used during the installation process, but only as data disks; they should not be used as bootable disks.
BZ#705328
When an interface configuration file is created by a configuration application such as Anaconda, NetworkManager generates the Universally Unique IDentifier (UUID) by hashing the existing configuration file name. Consequently, the same UUID was generated on multiple installed systems for a given network device name. With this update, a random UUID is generated by Anaconda for NetworkManager so that it does not have to generate the connection UUID by hashing the configuration file name. As a result, each network connection of all installed systems has a different UUID.
BZ#735791
When IPv6 support is set to be disabled by the installer using the noipv6 boot option, or the network --noipv6 kickstart command, or by using the Configure TCP/IP screen of the loader Text User Interface (TUI), and no network device is configured for IPv6 during installation, the IPv6 kernel modules on the installed system will now be disabled.
BZ#735857
The ability to configure a VLAN discovery option for Fibre Channel over Ethernet (FCoE) devices added during installation using Anaconda's graphical user interface was required. All FCoE devices created in the Anaconda installer were configured to perform VLAN discovery using the fcoemon daemon by setting the AUTO_VLAN value of its configuration file to yes. A new Use auto vlan checkbox was added to the Advanced Storage Options dialog, which is invoked by the Add Advanced Target button in the Advanced Storage Devices screen. As a result, when adding an FCoE device in Anaconda, it is now possible to configure the VLAN discovery option of the device using the Use auto vlan checkbox in the Advanced Storage Options dialog. The value of the AUTO_VLAN option in the FCoE device configuration file /etc/fcoe/cfg-device is set accordingly.
BZ#737097
The lsscsi and sg3_utils were not present in the install image. Consequently, maintenance of Data Integrity Field (DIF) disks was not possible. This update adds the lsscsi and sg3_utils to the install image and now utilities to maintain DIF disks can be used during the installation.
BZ#743784
Anaconda creates FCoE configuration files under the /etc/fcoe/ directory using biosdevname, which is the new style interface naming scheme, for all the available Ethernet interfaces for FCoE BFS. However, it did not add the ifname kernel command line argument for FCoE interface that stays offline after discovering FCoE targets during installation. Because of this, during subsequent reboot the system tried to find the old style ethX interface name in /etc/fcoe/, which does not match the file created by Anaconda using biosdevname. Therefore, due to the missing FCoE config file, FCoE interface is never created on this interface. Consequently, during FCoE BFS installation, when an Ethernet interface went offline after discovering the targets, FCoE links did not come up after reboot. This update adds dracut ip parameters for all FCoE interfaces including those that went offline during installation. As a result, FCoE interfaces disconnected during installation will be activated after reboot.
BZ#744129
Installations with the swap --recommended command in kickstart created a swap file of size 2 GB plus the installed RAM size regardless of the amount of RAM installed. Consequently, machines with a large amount of RAM had huge swap files prolonging the time before the oom_kill syscall was invoked even in malfunctioning cases. In this update, swap size calculations for swap --recommended were changed to meet the values recommended in the documentation https://access.redhat.com/knowledge/solutions/15244 and the --same-as-ram option was added for the swap kickstart command and as the default in GUI/TUI installations. As a result, machines with a lot of RAM have a reasonable swap size now if swap --recommended is used. However, hibernation might not work with this configuration. If users want to use hibernation they should use swap --same-as-ram.
BZ#755147
If there are multiple Ethernet interfaces configured for FCoE boot, by default, only the primary interface is turned on and the other interfaces are not configured. This update sets the value ONBOOT=yes in the ifcfg configuration file during installation for all network interfaces used by FCoE. As a result, all network devices used for installation to FCoE storage devices are activated automatically after reboot.
BZ#770486
This update adds the Netcat (nc) networking utility to the install environment. Users can now use the nc program in Rescue mode.
BZ#773545
The virt-what shell script has been added to the install image. Users can now use the virt-what tool in kickstart.
BZ#784327
Firmware files were loaded only from RPM files in $prefix/lib/firmware paths on a Driver Update Disk (DUD). This update adds the $prefix/lib/firmware/updates directory to the path to be searched for firmware. RPM files containing firmware updates can now have firmware files in $prefix/lib/firmware/updates.
Users of anaconda should upgrade to these updated packages, which resolve these issues and add these enhancements.

5.5. atlas

Updated atlas packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The ATLAS (Automatically Tuned Linear Algebra Software) project is a research effort focusing on applying empirical techniques providing portable performance. The atlas packages provide C and Fortran77 interfaces to a portably efficient BLAS (Basic Linear Algebra Subprograms) implementation and routines from LAPACK (Linear Algebra PACKage).

Bug Fix

BZ#723350
Previously, binary files from the base atlas package contained illegal instructions from an incompatible instruction set (3DNow!). As a consequence, an "Illegal instruction" error was displayed. This update disables usage of the instruction set.
All users of atlas are advised to upgrade to these updated packages, which fix this bug.

5.6. audit

Updated audit packages that fix multiple bugs and add several enhancements are now available for Red Hat Enterprise Linux 6.
The audit packages contain the user space utilities for storing and searching the audit records which have been generated by the audit subsystem in the Linux 2.6 kernel.
The audit packages have been upgraded to upstream version 2.2, which provides a number of bug fixes and enhancements over the previous version. The version 2.2 packages introduce the following enhancements:
  • The "auditctl" command now allows shell-escaped file names for better handling of file names with spaces in them.
  • There is a new utility, auvirt, that extracts a report about the virtualization events.
  • The auditd.conf configuration option, "tcp_max_per_addr", now allows up to 1024 concurrent connections from the same IP address. While this is not recommended for normal use, it helps in situations where a number of client systems are behind a NAT, which causes them to appear to have the same IP address.
Bug Fixes
BZ#803349
Previously, not enough information was parsed to determine whether audit records are part of the same event if the server's node name was longer than approximately 80 characters. With this update, the problem has been fixed.
BZ#797848
This update fixes a typo in the audit.rules(7) man page.

Enhancements

BZ#658630
Prior to this update, if the audit rules contained a typo or a command that was not supported by the Linux kernel, there were two options: an error was triggered and processing of the rules could be stopped, or errors could be ignored, in which case auditctl completed everything it could but returned success. This update introduces the "-c" option to auditctl, which works like the ignore option, but instead of returning success, it returns failure if any rule triggers an error. Note that, like the ignore option, the "-c" option continues to process all audit rules.
BZ#766920
This release adds support for a new kernel auditing feature that allows for inter-field comparisons. For each audit event, the Linux kernel collects information about what is causing the event. Now, you can use the "-C" option to compare: "auid", "uid", "euid", "suid", "fsuid", or "obj_uid"; and "gid", "egid", "sgid", "fsgid", or "obj_gid". The two groups cannot be mixed. Comparisons can use either the equal or not equal operators. Note that for this enhancement to work, the system must boot the Linux 2.6.32-244 kernel or later.
All audit users are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
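A pre-load check for the inter-field comparisons described in BZ#766920, as an added example that is not code from the audit packages: it validates each "-C" expression against the two field groups and the equal / not equal operators listed above. The function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint the -C (inter-field comparison) expressions in audit rules.
# Field groups as listed in the release note; a comparison must stay in one group.
UID_FIELDS="auid uid euid suid fsuid obj_uid"
GID_FIELDS="gid egid sgid fsgid obj_gid"

# group_of FIELD -> prints "uid" or "gid"; returns 1 for anything else.
group_of() {
    case $1 in ''|*[!a-z_]*) return 1 ;; esac
    case " $UID_FIELDS " in *" $1 "*) echo uid; return 0 ;; esac
    case " $GID_FIELDS " in *" $1 "*) echo gid; return 0 ;; esac
    return 1
}

# check_compare EXPR -> prints "ok" or the reason EXPR is rejected.
check_compare() {
    cmp=$1
    case $cmp in
        *'!='*) left=${cmp%%'!='*}; right=${cmp#*'!='} ;;
        *=*)    left=${cmp%%=*};    right=${cmp#*=} ;;
        *)      echo "no = or != operator"; return 1 ;;
    esac
    lgroup=$(group_of "$left")  || { echo "unsupported field or operator near '$left'"; return 1; }
    rgroup=$(group_of "$right") || { echo "unsupported field or operator near '$right'"; return 1; }
    if [ "$lgroup" != "$rgroup" ]; then
        echo "mixes a user-ID field with a group-ID field"
        return 1
    fi
    echo ok
}

# lint_rules: read rules on stdin; print "line N: EXPR: reason" for every bad -C.
# Returns 1 if any comparison was rejected. Splits on whitespace only, so it
# does not understand quoted arguments.
lint_rules() {
    bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f; set -- $line; set +f      # split into words without globbing
        case ${1-} in ''|'#'*) continue ;; esac
        while [ $# -gt 0 ]; do
            if [ "$1" = "-C" ] && [ $# -ge 2 ]; then
                if ! reason=$(check_compare "$2"); then
                    echo "line $n: $2: $reason"
                    bad=1
                fi
                shift
            fi
            shift
        done
    done
    return $bad
}

# Constructed sample rules (not from the page): lines 3 and 5 are invalid.
sample_rules() {
    cat <<'EOF'
# constructed sample rules
-a always,exit -F arch=b64 -S open -C auid!=obj_uid -k other-owner-open
-a always,exit -F arch=b64 -S chmod -C uid=gid -k mixed-groups
-a always,exit -F arch=b64 -S execve -C euid!=uid -k euid-differs
-a always,exit -F arch=b64 -S chown -C egid>=gid -k bad-operator
EOF
}

sample_rules | lint_rules || echo "fix the comparisons above before loading the rules"
```
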

5.7. augeas

Updated augeas packages that fix three bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
Augeas is a configuration editing tool. Augeas parses configuration files in their native formats and transforms them into a tree. Configuration changes are made by manipulating this tree and saving it back into native configuration files.

Bug Fixes

BZ#759311
Previously, the "--autosave" option did not work correctly when using Augeas in batch mode, so configuration changes were not saved. As a consequence, configuration changes could be saved only in interactive mode. This update ensures that the "--autosave" option functions in batch mode as expected.
BZ#781690
Prior to this update, when parsing GRUB configuration files, Augeas did not parse the "--encrypted" option of the "password" command correctly. Instead, it parsed the "--encrypted" part as the password, and the password hash as a second "menu.lst" filename. This update ensures that the "--encrypted" option of the password command is parsed correctly when parsing GRUB configuration files.
BZ#820864
Previously, Augeas was not able to parse the /etc/fstab file containing mount options with an equals sign but no value. This update fixes the fstab lens so that it can handle such mount options. As a result, Augeas can now parse an /etc/fstab file containing mount options with an equals sign but no value correctly.

Enhancements

BZ#628507
Previously, the finite-automata-DOT graph tool (fadot) did not support the -h option. Consequently, when fadot was launched with the -h option the "Unknown option" message was displayed. This update adds support for the -h option and ensures that a help message is displayed when fadot is launched with the option.
BZ#808662
Previously, Augeas did not have a lens to parse the /etc/mdadm.conf file. Consequently, the tool for conversion of physical servers to virtual guests, Virt-P2V, could not convert physical hosts on MD devices. This update adds a new lens to parse the /etc/mdadm.conf file, enabling Virt-P2V to convert physical hosts on MD devices as expected.
All users of Augeas are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

5.8. authconfig

Updated authconfig packages that fix multiple bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
The authconfig packages provide a command line utility and a GUI application that can configure a workstation to be a client for certain network user information and authentication schemes, and other user information and authentication related options.

Bug Fixes

BZ#689717
Prior to this update, SSSD configuration files failed to parse if the files were not correctly formatted. As a consequence, the authconfig utility could abort unexpectedly. With this update, the error is correctly handled, the configuration file is backed up, and a new file is created.
BZ#708850
Prior to this update, the man page "authconfig(8)" referred to non-existing obsolete configuration files. This update modifies the man page to point to configuration files that are currently modified by authconfig.
BZ#749700
Prior to this update, a deprecated "krb_kdcip" option was set instead of the "krb5_server" option when the SSSD configuration was updated. This update modifies the SSSD configuration setting to use the "krb5_server" option to set the Kerberos KDC server address.
BZ#755975
Prior to this update, the authconfig command always returned the exit value "1" when the "--savebackup" option was used, due to the handling of nonexistent configuration files on the system. With this update, the exit value is "0" if the configuration backup succeeds, even if some configuration files that can be handled by authconfig are not present on the system.

Enhancements

BZ#731094
Prior to this update, the authconfig utility did not support the SSSD configuration with the IPA backend. This update allows the system to join an IPAv2 domain via the ipa-client-install command.
BZ#804615
With this update, the nss_sss module is also used in the "services" entry of the nsswitch.conf file when configuring this file.
All users of authconfig are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

5.9. autofs

Updated autofs packages that fix several bugs and add an enhancement are now available for Red Hat Enterprise Linux 6.
The autofs utility controls the operation of the automount daemon. The automount daemon automatically mounts file systems when you use them, and unmounts them when they are not busy.

Bug Fixes

BZ#772946
A recent change to correct a problem with included map entry removal introduced a new problem with included map key look-up. The condition used in the previous patch was too broad and the map key lookup mechanism failed to find keys in an included multi-mount map entry. The condition has been modified so that keys in multi-mount map entries are now found correctly.
BZ#772356
A function that checks validity of a mount location was meant to check only for a small subset of map location errors. A recent improvement to error reporting inverted a logic test in this validating function. Consequently, the scope of the test was widened, which caused automount to report false-positive failures. With this update, the faulty logic test has been fixed and false-positive failures no longer occur.
BZ#790674
Previously, autofs submounts incorrectly handled shutdown synchronization and lock restrictions. As a consequence, automount could become unresponsive when submounts expired. With this update, the submount shuts down only after passing through the state ST_SHUTDOWN, ST_SHUTDOWN_PENDING, or ST_SHUTDOWN_FORCE, or when the state changes to ST_READY.
BZ#753964
Prior to this update, two IPv6 compatibility functions were erroneously not included in the autofs interface to the libtirpc library. This prevented the autofs IPv6 RPC code from working. With this update, the libtirpc interface code for autofs has been fixed.
BZ#782169
When using the legacy auto.net script for the hosts map, an error in the script for handling multiple occurrences of exports prevented the script from returning any of the exported paths. This bug has been fixed by modifying the script to select only a unique list of exports, thus eliminating duplicate exports.
BZ#787595
Due to changes to the mount.nfs utility to take advantage of the support for NFS mount options in the kernel, the RPC processing had moved from mount.nfs to the kernel. However, the kernel RPC had to wait for RPC requests to servers that were not available to time out, resulting in very slow interactive response when attempting an automount to a server that was not available. This update changes the autofs RPC code to detect this situation early and provide proper error messages as soon as possible.
BZ#760945
Previously, although the /net/ and /misc/ directories are exclusively used by the default /etc/auto.master utility, they were not specified in the autofs RPM package. As a result, the rpm utility reported them as not owned by any package. This update adds both these directories to the autofs spec file.
BZ#745527
Previously, the autofs init.d script failed to return proper usage messages if called with no arguments, or incorrect arguments. This bug has been fixed and the script now prints the usage information as expected.

Enhancement

BZ#683523
Initial support for the System Security Services Daemon (SSSD) as a map source has been added to the autofs package.
All autofs users are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

5.10. bind

Updated bind packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.

Upgrade to an upstream version

The bind package has been upgraded to upstream version 9.8.2rc1 which provides a number of bug fixes and enhancements over the previous version. Refer to /usr/share/doc/bind-9.8.2/README for a detailed list of enhancements. (BZ#745284, BZ#755618, BZ#797972)
Bug Fixes
BZ#734458
When /etc/resolv.conf contained nameservers with disabled recursion, nslookup failed to resolve certain host names. With this update, a patch has been applied and nslookup now works as expected in the scenario described.
BZ#739406
Prior to this update, errors arising on automatic update of DNSSEC trust anchors were handled incorrectly. Consequently, the named daemon could become unresponsive on shutdown. With this update, the error handling has been improved and named exits on shutdown gracefully.
BZ#739410
The multi-threaded named daemon uses the atomic operations feature to speed-up access to shared data. This feature did not work correctly on 32-bit and 64-bit PowerPC architectures. Therefore, named sometimes became unresponsive on these architectures. This update disables the atomic operations feature on 32-bit and 64-bit PowerPC architectures, which ensures that named is now more stable and reliable and no longer hangs.
BZ#746694
Prior to this update, a race condition could occur on validation of DNSSEC-signed NXDOMAIN responses and named could terminate unexpectedly. With this update, the underlying code has been fixed and the race condition no longer occurs.
BZ#759502
The named daemon, configured as the master server, sometimes failed to transfer an uncompressible zone. The following error message was logged:
transfer of './IN': sending zone data: ran out of space
The code which handles zone transfers has been fixed and this error no longer occurs in the scenario described.
BZ#759503
During a DNS zone transfer, named sometimes terminated unexpectedly with an assertion failure. With this update, a patch has been applied to make the code more robust, and named no longer crashes in the scenario described.
BZ#768798
Previously, the rndc.key file was generated during package installation by the rndc-confgen -a command, but this feature was removed in Red Hat Enterprise Linux 6.1 because users reported that installation of bind package sometimes hung due to lack of entropy in /dev/random. The named initscript now generates rndc.key during the service startup if it does not exist.
BZ#786362
After the rndc reload command was executed, named failed to update DNSSEC trust anchors and emitted the following message to the log:
managed-keys-zone ./IN: Failed to create fetch for DNSKEY update
This issue was fixed in the 9.8.2rc1 upstream version.
BZ#789886
Due to an error in the bind spec file, the bind-chroot subpackage did not create a /dev/null device. In addition, some empty directories were left behind after uninstalling bind. With this update, the bind-chroot packaging errors have been fixed.
BZ#795414
The dynamic-db plug-ins were loaded too early which caused the configuration in the named.conf file to override the configuration supplied by the plug-in. Consequently, named sometimes failed to start. With this update the named.conf is parsed before plug-in initialization and named now starts as expected.
BZ#812900
Previously, when the /var/named directory was mounted the /etc/init.d/named initscript did not distinguish between situations when chroot configuration was enabled and when chroot was not enabled. Consequently, when stopping the named service the /var/named directory was always unmounted. The initscript has been fixed and now unmounts /var/named only when chroot configuration is enabled. As a result, /var/named stays mounted after the named service is stopped when chroot configuration is not enabled.
BZ#816164
Previously, the nslookup utility did not return a non-zero exit code when it failed to get an answer. Consequently, it was impossible to determine if an nslookup run was successful or not from the error code. The nslookup utility has been fixed and now it returns "1" as the exit code when it fails to get an answer.
Enhancements
BZ#735438
By default BIND returns resource records in round-robin order. The rrset-order option now supports fixed ordering. When this option is set, the resource records for each domain name are always returned in the order they are loaded from the zone file.
BZ#788870
Previously, named logged too many messages relating to external DNS queries. The severity of these error messages has been decreased from notice to debug so that the system log is not flooded with mostly unnecessary information.
BZ#790682
The named daemon now uses portreserve to reserve the Remote Name Daemon Control (RNDC) port to avoid conflicts with other services.
All users of bind are advised to upgrade to these updated packages, which fix these bugs and provide these enhancements.

5.11. bind-dyndb-ldap

An updated bind-dyndb-ldap package which provides a number of bug fixes and enhancements is now available for Red Hat Enterprise Linux 6.
The dynamic LDAP back end is a plug-in for BIND that provides back-end capabilities to LDAP databases. It features support for dynamic updates and internal caching that help to reduce the load on LDAP servers.

Upgrade to an upstream version

The bind-dyndb-ldap package has been upgraded to upstream version 1.1.0b2, which provides a number of bug fixes and enhancements over the previous version (BZ#767486).
Bug Fixes
BZ#751776
The bind-dyndb-ldap plug-in refused to load an entire zone when it contained an invalid Resource Record (RR) with the same Fully Qualified Domain Name (FQDN) as the zone name (for example an MX record). With this update, the code for parsing Resource Records has been improved. If an invalid RR is encountered, an error message Failed to parse RR entry is logged and the zone continues to load successfully.
BZ#767489
When the first connection to an LDAP server failed, the bind-dyndb-ldap plug-in did not try to connect again. Consequently, users had to execute the "rndc reload" command to make the plug-in work. With this update, the plug-in periodically retries to connect to an LDAP server. As a result, user intervention is no longer required and the plug-in works as expected.
BZ#767492
When the zone_refresh period timed out and a zone was removed from the LDAP server, the plug-in continued to serve the removed zone. With this update, the plug-in no longer serves zones which have been deleted from LDAP when the zone_refresh parameter is set.
BZ#789356
When the named daemon received the rndc reload command or a SIGHUP signal and the plug-in failed to connect to an LDAP server, the plug-in caused named to terminate unexpectedly when it received a query which belonged to a zone previously handled by the plug-in. This has been fixed: the plug-in no longer serves its zones when connection to LDAP fails during reload and no longer crashes in the scenario described.
BZ#796206
The plug-in terminated unexpectedly when named lost connection to an LDAP server for some time, then reconnected successfully, and some zones previously present had been removed from the LDAP server. The bug has been fixed and the plug-in no longer crashes in the scenario described.
BZ#805871
Certain string lengths were incorrectly set in the plug-in. Consequently, the Start of Authority (SOA) serial number and expiry time were incorrectly set for the forward zone during ipa-server installation. With this update, the code has been improved and the SOA serial number and expiry time are set as expected.
BZ#811074
When a Domain Name System (DNS) zone was managed by a bind-dyndb-ldap plug-in and a sub-domain was delegated to another DNS server, the plug-in did not put A or AAAA glue records in the additional section of a DNS answer. Consequently, the delegated sub-domain was not accessible by other DNS servers. With this update, the plug-in has been fixed and now returns A or AAAA glue records of a delegated sub-domain in the additional section. As a result, delegated zones are correctly resolvable in the scenario described.
BZ#818933
Previously, the bind-dyndb-ldap plug-in did not escape non-ASCII characters in incoming DNS queries correctly. Consequently, the plug-in failed to send answers for queries which contained non-ASCII characters such as ,. The plug-in has been fixed and now correctly returns answers for queries with non-ASCII characters.
Enhancements
BZ#733371
The bind-dyndb-ldap plug-in now supports two new attributes, idnsAllowQuery and idnsAllowTransfer, which can be used to set ACLs for queries or transfers. Refer to /usr/share/doc/bind-dyndb-ldap/README for information on the attributes.
BZ#754433
The plug-in now supports the new zone attributes idnsForwarders and idnsForwardPolicy which can be used to configure forwarding. Refer to /usr/share/doc/bind-dyndb-ldap/README for a detailed description.
BZ#766233
The plug-in now supports zone transfers.
BZ#767494
The plug-in has a new option called sync_ptr that can be used to keep A and AAAA records and their PTR records synchronized. Refer to /usr/share/doc/bind-dyndb-ldap/README for a detailed description.
BZ#795406
It was not possible to store configuration for the plug-in in LDAP and configuration was only taken from the named.conf file. With this update, configuration information can be obtained from idnsConfigObject in LDAP. Note that options set in named.conf have lower priority than options set in LDAP. The priority will change in future updates. Refer to the README file for more details.
Users of bind-dyndb-ldap package should upgrade to this updated package, which fixes these bugs and adds these enhancements.

5.12. binutils

Updated binutils packages that fix two bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
The binutils packages contain a collection of binary utilities, including "ar" (for creating, modifying and extracting from archives), "as" (a family of GNU assemblers), "gprof" (for displaying call graph profile data), "ld" (the GNU linker), "nm" (for listing symbols from object files), "objcopy" (for copying and translating object files), "objdump" (for displaying information from object files), "ranlib" (for generating an index for the contents of an archive), "readelf" (for displaying detailed information about binary files), "size" (for listing the section sizes of an object or archive file), "strings" (for listing printable strings from files), "strip" (for discarding symbols), and "addr2line" (for converting addresses to file and line).

Bug Fixes

BZ#676194
Previously, the GNU linker could terminate unexpectedly with a segmentation fault when attempting to link together object files of different architectures (for example, an object file of 32-bit Intel P6 with an object file of Intel 64). This update modifies binutils so that the linker now generates an error message and refuses to link object files in the scenario described.
BZ#809616
When generating build-ID hashes, the GNU linker previously allocated memory for BSS sections. Consequently, the linker could use more memory than was necessary. This update modifies the linker to skip BSS sections and thus avoid unnecessary memory usage when generating build-ID hashes.

Enhancements

BZ#739444
With this update, backported patches have been included to support new AMD processors. Also, a duplicate entry for the bextr instruction has been removed from the disassembler's table.
BZ#739144
The GNU linker has been modified in order to improve performance of Table of Contents (TOC) addressability and Procedure Linkage Table (PLT) call stubs on the PowerPC and PowerPC 64 architectures.
All users of binutils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

5.13. busybox

Updated busybox packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
BusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries.
Security Fixes
CVE-2006-1168
A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially-crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox.
CVE-2011-2716
The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially-crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. Note: udhcpc is not used on Red Hat Enterprise Linux by default, and no DHCP client script is provided with the busybox packages.
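The following is an added example, not code from BusyBox or from Red Hat: a check that a DHCP client script could apply to a server-supplied host name before the value is stored or used anywhere. The function names (is_valid_hostname, hostname_or_default) and all sample values are constructed for illustration.

```shell
#!/bin/sh
# Treat DHCP-supplied strings as untrusted input: accept a host name only if
# it matches RFC 952/1123 syntax, otherwise fall back to a fixed default.

# Use the C locale so that ranges such as A-Z match ASCII letters only.
LC_ALL=C
export LC_ALL

# Return 0 if $1 is a syntactically valid host name, 1 otherwise.
is_valid_hostname() {
    name=$1

    # Reject empty values and names longer than 253 characters.
    [ -n "$name" ] || return 1
    [ "${#name}" -le 253 ] || return 1

    # Reject anything other than letters, digits, hyphen and dot. This also
    # rejects whitespace, newlines, quotes and shell metacharacters.
    case $name in
        *[!A-Za-z0-9.-]*) return 1 ;;
    esac

    # Reject empty labels (leading, trailing or doubled dots).
    case $name in
        .*|*.|*..*) return 1 ;;
    esac

    # Check every dot-separated label: at most 63 characters, and no
    # hyphen at the start or the end.
    rest=$name
    while [ -n "$rest" ]; do
        label=${rest%%.*}
        case $rest in
            *.*) rest=${rest#*.} ;;
            *)   rest= ;;
        esac
        [ "${#label}" -le 63 ] || return 1
        case $label in
            -*|*-) return 1 ;;
        esac
    done
    return 0
}

# Print $1 if it is a valid host name, otherwise print the default in $2.
# The value is only ever passed as data; it is never given to eval or
# expanded unquoted.
hostname_or_default() {
    if is_valid_hostname "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$2"
    fi
}

# Constructed sample values, as a DHCP server reply might supply them.
for sample in 'ws-042.lab.example.com' 'pc-$(id)' 'lab-pc;id' '-bad.example.com'; do
    printf '%s -> %s\n' "$sample" "$(hostname_or_default "$sample" localhost)"
done
```

Only the first sample is accepted; the other three are replaced by the default.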

Bug Fixes

BZ#751927
Prior to this update, the "findfs" command did not recognize Btrfs partitions. As a consequence, an error message could occur when dumping a core file. This update adds support for recognizing such partitions so the problem no longer occurs.
BZ#752134
If the "grep" command was used with the "-F" and "-i" options at the same time, the "-i" option was ignored. As a consequence, the "grep -iF" command incorrectly performed a case-sensitive search instead of an insensitive search. A patch has been applied to ensure that the combination of the "-F" and "-i" options works as expected.
BZ#782018
Prior to this update, the msh shell did not support the "set -o pipefail" command. This update adds support for this command.
BZ#809092
Previously, the msh shell could terminate unexpectedly with a segmentation fault when attempting to execute an empty command as a result of variable substitution (for example msh -c '$nonexistent_variable'). With this update, msh has been modified to correctly interpret such commands and no longer crashes in this scenario.
BZ#752132
Previously, the msh shell incorrectly executed empty loops. As a consequence, msh never exited such a loop even if the loop condition was false, which could cause scripts using the loop to become unresponsive. With this update, msh has been modified to execute and exit empty loops correctly, so that hangs no longer occur.
All users of busybox are advised to upgrade to these updated packages, which contain backported patches to fix these issues.

5.14. byacc

An updated byacc package that fixes one bug is now available for Red Hat Enterprise Linux 6.
Berkeley Yacc (byacc) is a public domain look-ahead left-to-right (LALR) parser generator used by many programs during their build process.

Bug Fix

BZ#743343
Byacc's maximum stack depth was reduced from 10000 to 500 between byacc releases. If deep enough else-if structures were present in source code being compiled with byacc, this could lead to out-of-memory conditions, resulting in YACC Stack Overflow and build failure. This updated release restores the maximum stack depth to its original value, 10000. Note: the underlying LR algorithm still imposes a hard limit on the number of parsable else-if statements. Restoring the maximum stack depth to its original value means source code with deep else-if structures that previously compiled against byacc will again do so.
All byacc users should upgrade to this updated package, which fixes this bug.

5.15. c-ares

Updated c-ares packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The c-ares C library defines asynchronous DNS (Domain Name System) requests and provides a name resolving API.

Bug Fixes

BZ#730695
Previously, when searching for AF_UNSPEC or AF_INET6 address families, the c-ares library fell back to the AF_INET family if no AF_INET6 addresses were found. Consequently, IPv4 addresses were returned even if only IPv6 addresses were requested. With this update, c-ares performs the fallback only when searching for AF_UNSPEC addresses.
BZ#730693
The ares_parse_a_reply() function leaked memory when the user attempted to parse an invalid reply. With this update, the allocated memory is freed properly and the memory leak no longer occurs.
BZ#713133
A switch statement inside the ares_malloc_data() public function was missing a terminating break statement. This could result in unpredictable behavior and sometimes the application terminated unexpectedly. This update adds the missing break statement, and the ares_malloc_data() function now works as intended.
BZ#695426
When parsing SeRVice (SRV) record queries, c-ares was accessing memory incorrectly on architectures that require data to be aligned in memory. This caused the program to terminate unexpectedly with the SIGBUS signal. With this update, c-ares has been modified to access the memory correctly in the scenario described.
BZ#640944
Previously, the ares_gethostbyname manual page did not document the ARES_ENODATA error code as a valid and expected error code. With this update, the manual page has been modified accordingly.
All users of c-ares are advised to upgrade to these updated packages, which fix these bugs.

5.16. certmonger

Updated certmonger packages that fix multiple bugs and add multiple enhancements are now available for Red Hat Enterprise Linux 6.
The certmonger daemon monitors certificates which have been registered with it, and as a certificate's not-valid-after date approaches, the daemon can optionally attempt to obtain a fresh certificate from a supported CA.
The certmonger packages have been upgraded to upstream version 0.56, which provides a number of bug fixes and enhancements over the previous version. (BZ#789153)

Bug Fixes

BZ#765599
Prior to this update, one of the examples provided in the getting-started.txt file did not work as expected if the daemon was prevented from accessing files in user-specified locations, for example by the SELinux policy. With this update, this problem is now documented in the getting-started.txt file.
BZ#765600
Prior to this update, the certmonger daemon was not configured to start by default when the package was installed. This update enables the certmonger service by default.
BZ#796542
Prior to this update, the "getcert" command could, under certain circumstances, display the misleading error message "invalid option" when an option that required an argument was used and the argument was not specified. This update modifies the error code so that the correct message is now sent.

Enhancement

BZ#766167
Prior to this update, newly added certificates were not automatically visible. To see these certificates, servers had to be manually restarted. This update adds the emission of D-Bus signals over the message bus to allow applications to perform the actions they need to use a new certificate. Also, the new "-C" option was added to invoke a user-specified command.
All users of certmonger are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

5.17. chkconfig

Updated chkconfig packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.
The basic system utility chkconfig updates and queries runlevel information for system services.

Bug Fixes

BZ#696305
When installing multiple Linux Standard Base (LSB) services which only had LSB headers, the stop priority of the related LSB init scripts could have been miscalculated and set to "-1". With this update, the LSB init script ordering mechanism has been fixed, and the stop priority of the LSB init scripts is now set correctly.
BZ#706854
When an LSB init script requiring the "$local_fs" facility was installed with the "install_initd" command, the installation of the script could fail under certain circumstances. With this update, the underlying code has been modified to ignore this requirement because the "$local_fs" facility is always implicitly provided. LSB init scripts with requirements on "$local_fs" are now installed correctly.
BZ#771454
If an LSB init script contained "Required-Start" dependencies, but the LSB service installed was not configured to start in any runlevel, the dependencies could have been applied incorrectly. Consequently, the installation of the LSB service failed silently. With this update, chkconfig no longer strictly enforces "Required-Start" dependencies for installation if the service is not configured to start in any runlevel. LSB services are now installed as expected in this scenario.
BZ#771741
Previously, chkconfig did not handle dependencies between LSB init scripts correctly. Therefore, if an LSB service was enabled, LSB services that were depending on it could have been set up incorrectly. With this update, chkconfig has been modified to determine dependencies properly, and dependent LSB services are now set up as expected in this scenario.
All users of chkconfig are advised to upgrade to these updated packages, which fix these bugs.

5.18. cifs-utils

An updated cifs-utils package that fixes one security issue, multiple bugs, and adds various enhancements is now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The cifs-utils package contains tools for mounting and managing shares on Linux using the SMB/CIFS protocol. The CIFS shares can be used as standard Linux file systems.
Security Fix
CVE-2012-1586
A file existence disclosure flaw was found in mount.cifs. If the tool was installed with the setuid bit set, a local attacker could use this flaw to determine the existence of files or directories in directories not accessible to the attacker.

Note

mount.cifs from the cifs-utils package distributed by Red Hat does not have the setuid bit set. We recommend that administrators do not manually set the setuid bit for mount.cifs.

Bug Fixes

BZ#769923
The cifs.mount(8) manual page was previously missing documentation for several mount options. With this update, the missing entries have been added to the manual page.
BZ#770004
Previously, the mount.cifs utility did not properly update the "/etc/mtab" system information file when remounting an existing CIFS mount. Consequently, mount.cifs created a duplicate entry of the existing mount entry. This update adds the del_mtab() function to cifs.mount, which ensures that the old mount entry is removed from "/etc/mtab" before adding the updated mount entry.
BZ#796463
The mount.cifs utility did not properly convert user and group names to numeric UIDs and GIDs. Therefore, when the "uid", "gid" or "cruid" mount options were specified with user or group names, CIFS shares were mounted with default values. This caused shares to be inaccessible to the intended users because the UID and GID are set to "0" by default. With this update, user and group names are properly converted so that CIFS shares are now mounted with the specified user and group ownership as expected.
BZ#805490
The cifs.upcall utility did not respect the "domain_realm" section in the "krb5.conf" file and worked only with the default domain. Consequently, an attempt to mount a CIFS share from a domain other than the default domain failed with the following error message:
mount error(126): Required key not available
This update modifies the underlying code so that cifs.upcall handles multiple Kerberos domains correctly and CIFS shares can now be mounted as expected in a multi-domain environment.

Enhancements

BZ#748756
The cifs.upcall utility previously always used the "/etc/krb5.conf" file regardless of whether the user had specified a custom Kerberos configuration file. This update adds the "--krb5conf" option to cifs.upcall allowing the administrator to specify an alternate krb5.conf file. For more information on this option, refer to the cifs.upcall(8) manual page.
BZ#748757
The cifs.upcall utility did not optimally determine the correct service principal name (SPN) used for Kerberos authentication, which occasionally caused krb5 authentication to fail when mounting a server's unqualified domain name. This update improves cifs.upcall so that the method used to determine the SPN is now more versatile.
BZ#806337
This update adds the "backupuid" and "backupgid" mount options to the mount.cifs utility. When specified, these options grant a user or a group the right to access files with the backup intent. For more information on these options, refer to the mount.cifs(8) manual page.
All users of cifs-utils are advised to upgrade to this updated package, which contains backported patches to fix these issues and add these enhancements.

5.19. cluster and gfs2-utils

Updated cluster and gfs2-utils packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The cluster and gfs2-utils packages contain the core clustering libraries for Red Hat High Availability as well as utilities to maintain GFS2 file systems for users of Red Hat Resilient Storage.
Bug Fixes
BZ#759603
A race condition existed when a node lost contact with the quorum device at the same time as the token timeout period expired. The nodes raced to fence, which could lead to a cluster failure. To prevent the race condition from occurring, the cman and qdiskd interaction timer has been improved.
BZ#750314
Previously, a cluster partition and merge during startup fencing was not detected correctly. As a consequence, the DLM (Distributed Lock Manager) lockspace operations could become unresponsive. With this update, the partition and merge event is now detected and handled properly. DLM lockspace operations no longer become unresponsive in the described scenario.
BZ#745538
Multiple ping command examples on the qdisk(5) manual page did not include the -w option. If the ping command is run without the option, the action can time out. With this update, the -w option has been added to those ping commands.
BZ#745161
Due to a bug in libgfs2, sentinel directory entries were counted as if they were real entries. As a consequence, the mkfs.gfs2 utility created file systems which did not pass the fsck check when a large number of journal metadata blocks were required (for example, a file system with block size of 512, and 9 or more journals). With this update, incrementing the count of the directory entry is now avoided when dealing with sentinel entries. GFS2 file systems created with large numbers of journal metadata blocks now pass the fsck check cleanly.
BZ#806002
When a node fails and gets fenced, the node is usually rebooted and joins the cluster with a fresh state. However, if a block occurs during the rejoin operation, the node cannot rejoin the cluster and the attempt fails during boot. Previously, in such a case, the cman init script did not revert actions that had happened during startup and some daemons could be erroneously left running on a node. The underlying source code has been modified so that the cman init script now performs a full rollback when errors are encountered. No daemons are left running unnecessarily in this scenario.
BZ#804938
The RELAX NG schema used to validate the cluster.conf file previously did not recognize the totem.miss_count_const constant as a valid option. As a consequence, users were not able to validate cluster.conf when this option was in use. This option is now recognized correctly by the RELAX NG schema, and the cluster.conf file can be validated as expected.
BZ#819787
The cmannotifyd daemon is often started after the cman utility, which means that cmannotifyd does not receive or dispatch any notifications on the current cluster status at startup. This update modifies the cman connection loop to generate a notification that the configuration and membership have changed.
BZ#749864
Incorrect use of the free() function in the gfs2_edit code could lead to memory leaks and so cause various problems. For example, when the user executed the gfs2_edit savemeta command, the gfs2_edit utility could become unresponsive or even terminate unexpectedly. This update applies multiple upstream patches so that the free() function is now used correctly and memory leaks no longer occur. With this update, save statistics for the gfs2_edit savemeta command are now reported more often so that users know that the process is still running when saving a large dinode with a huge amount of metadata.
BZ#742595
Previously, the gfs2_grow utility failed to expand a GFS file system if the file system contained only one resource group. This was due to the old code being based on GFS1 (which had different fields) that calculated distances between resource groups and did not work with only one resource group. This update adds the rgrp_size() function in libgfs2, which calculates the size of the resource group instead of determining its distance from the previous resource group. A file system with only one resource group can now be expanded successfully.
BZ#742293
Previously, the gfs2_edit utility printed unclear error messages when the underlying device did not contain a valid GFS2 file system, which could be confusing. With this update, users are provided with additional information in the aforementioned scenario.
BZ#769400
Previously, the mkfs utility provided users with insufficient error messages when creating a GFS2 file system. The messages also contained absolute build paths and source code references, which was unwanted. A patch has been applied to provide users with comprehensive error messages in the described scenario.
BZ#753300
The gfs_controld daemon ignored an error returned by the dlm_controld daemon for the dlmc_fs_register() function while mounting a file system. This resulted in a successful mount, but recovery of a GFS file system could not be coordinated using Distributed Lock Manager (DLM). With this update, mounting a file system is not successful under these circumstances and an error message is returned instead.
Enhancements
BZ#675723, BZ#803510
The gfs2_convert utility can be used on a GFS1 file system to convert a file system from GFS1 to GFS2. However, the gfs2_convert utility required the user to run the gfs_fsck utility prior to conversion, but because this tool is not included in Red Hat Enterprise Linux 6, users had to use Red Hat Enterprise Linux 5 to run this utility. With this update, the gfs2_fsck utility now allows users to perform a complete GFS1 to GFS2 conversion on Red Hat Enterprise Linux 6 systems.
BZ#678372
Cluster tuning using the qdiskd daemon and the device-mapper-multipath utility is a very complex operation, and it was previously easy to misconfigure qdiskd in this setup, which could consequently lead to a failure of cluster nodes. Input and output operations of the qdiskd daemon have been improved to automatically detect multipath-related timeouts without requiring manual configuration. Users can now easily deploy qdiskd with device-mapper-multipath.
BZ#733298, BZ#740552
Previously, the cman utility was not able to configure Redundant Ring Protocol (RRP) correctly in corosync, resulting in RRP deployments not working properly. With this update, cman has been improved to configure RRP properly and to perform extra sanity checks on user configurations. It is now easier to deploy a cluster with RRP and the user is provided with more extensive error reports.
BZ#745150
With this update, Red Hat Enterprise Linux High Availability has been validated against the VMware vSphere 5.0 release.
BZ#749228
With this update, the fence_scsi fencing agent has been validated for use in a two-node cluster with High Availability LVM (HA-LVM).
All users of cluster and gfs2-utils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

5.20. cluster-glue

Updated cluster-glue packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The cluster-glue packages contain a collection of common tools that are useful for writing cluster managers such as Pacemaker.

Bug Fixes

BZ#758127
Previously, the environment variable "LRMD_MAX_CHILDREN" from the program /etc/sysconfig/pacemaker was not properly evaluated. As a result, the "max_child_count" variable in the Local Resource Management Daemon (lrmd) was not modified. With this update, the bug has been fixed so that the environment variable "LRMD_MAX_CHILDREN" is evaluated as expected.
BZ#786746
Previously, if Pacemaker attempted to cancel a recurring operation while the operation was executed, the Local Resource Management Daemon (lrmd) did not cancel the operation correctly. As a result, the operation was not removed from the repeat list. With this update, a canceled operation is now marked to be removed from the repeat operation list if it is canceled during the execution so that recurring canceled operations are never executed again.
All cluster-glue users are advised to upgrade to these updated packages, which fix these bugs.

5.21. clustermon

Updated clustermon packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The clustermon packages are used for remote cluster management. The modclusterd service provides an abstraction of cluster status used by conga and by the Simple Network Management (SNMP) and Common Information Model (CIM) modules of clustermon.

Bug Fixes

BZ#742431
Prior to this update, under certain circumstances, outgoing queues in inter-node communication of the modclusterd service could grow over time. To prevent this behavior, the inter-node communication is now better balanced and queues are restricted in size. Forced queue interventions are logged in the /var/log/clumond.log file.
BZ#794907
When the clustermon utility was used to get the cluster schema from the server, the schema was returned in an invalid format, preventing further processing. This bug has been fixed and clustermon now provides an exact copy of the schema in the described scenario.
All users of clustermon are advised to upgrade to these updated packages, which fix these bugs.

5.22. conman

An updated conman package that adds one enhancement is now available for Red Hat Enterprise Linux 6.
ConMan is a serial console management program designed to support a large number of console devices and simultaneous users. ConMan currently supports local serial devices and remote terminal servers.

Enhancement

BZ#738967
Users are now able to configure the maximum number of open files. This allows the conman daemon to easily manage a large number of nodes.
All users of conman are advised to upgrade to this updated package, which adds this enhancement.

5.23. control-center

Updated control-center packages that fix one bug and add various enhancements are now available for Red Hat Enterprise Linux 6.
The control-center packages contain various configuration utilities for the GNOME desktop. These utilities allow the user to configure accessibility options, desktop fonts, keyboard and mouse properties, sound setup, desktop theme and background, user interface properties, screen resolution, and other settings.

Bug Fix

BZ#771600
Previous versions of the control-center package contained gnome-at-mobility, a script that requires a software component that is not distributed with Red Hat Enterprise Linux 6 nor is present in any of the available channels. With this update, the non-functional gnome-at-mobility script has been removed and is no longer distributed as part of the control-center package.

Enhancements

BZ#524942
The background configuration tool now uses the XDG Base Directory Specification to determine where to store its data file. By default, this file is located at ~/.config/gnome-control-center/backgrounds.xml. Users can change the ~/.config/ prefix by setting the XDG_DATA_HOME environment variable, or set the GNOMECC_USE_OLD_BG_PATH environment variable to 1 to restore the old behavior and use the ~/.gnome2/backgrounds.xml file.
BZ#632680
The control-center-extra package now includes a GNOME Control Center shell. This shell provides a user interface for launching the various Control Center utilities.
BZ#769465, BZ#801363
The GNOME Control Center now provides a configuration utility for Wacom graphics tablets, which replaces the wacompl utility.
All users of control-center are advised to upgrade to these updated packages, which fix this bug and add these enhancements.

5.24. coolkey

Updated coolkey packages that resolve two issues are now available for Red Hat Enterprise Linux 6.
Coolkey is a smart card support library for the CoolKey, CAC, and PIV smart cards.

Bug Fixes

BZ#700907
Prior to this update, Coolkey did not recognize Spice virtualized CAC cards unless the card contained at least 3 certificates. This update fixes this issue so that cards with one or two certificates are recognized by Coolkey as expected. Note that this issue may also have affected some non-virtualized CAC cards.
BZ#713132
Under certain error conditions, Coolkey could leak memory data because a variable buffer was not being freed properly. With this update, the aforementioned buffer is properly freed, and memory leaks no longer occur.
All users of coolkey are advised to upgrade to these updated packages, which resolve these issues.

5.25. coreutils

Updated coreutils packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
The coreutils packages contain the core GNU utilities. These packages combine the old GNU fileutils, sh-utils, and textutils packages.

Bug Fixes

BZ#772172
The "pr -c [filename]" and "pr -v [filename]" commands, which serve to show control and non-printing characters, caused the pr utility to terminate with a segmentation fault in multibyte locales. With this update, the underlying code has been modified and the pr utility now works as expected.
BZ#771843
The documentation for the "-Z" option of the ls command did not explain sufficiently that only the last format option is taken into consideration, so users did not understand why the "ls -Zl" and "ls -lZ" commands returned different output. With this update, the ls info documentation has been improved.
BZ#769874
The "tail --follow" command uses the inotify API to follow the changes in a file. However, inotify does not work on remote file systems and the tail utility should fall back to polling for files on such file systems. The remote file systems GPFS and FhGFS were missing from the remote file system list and therefore "tail --follow" did not display the updates to the file on these file systems. These file systems have been added to the remote file system list and the problem no longer occurs.
BZ#751974
If SELinux was enabled, the "ls -l" command leaked one string for each non-empty directory name specified on the command line. With this update, such strings are freed from the memory and the problem no longer occurs.
BZ#754057
The su utility could remain unresponsive if it ran a process that ignored the SIG_CHLD signal. This happened because the su utility uses the waitpid() function to wait for a child process. The loop mechanism with the waitpid() function waited for the process to be in the stopped status. However, a process masking the SIG_CHLD signal will never be in that status. With this update, the loop mechanism was improved to handle this situation correctly and the problem no longer occurs.
BZ#804604
In a non-interactive tcsh shell, the colorls.csh script returned the following error:
tput: No value for $TERM and no -T specified
This happened because the tcsh shell did not short-circuit the evaluation of the logical AND in a colorls.csh expression. With this update, checking for an interactive shell has been modified and the script no longer returns the error message.

Enhancements

BZ#766461
In the default listing, the df utility showed long file system names including UUID. Consequently, the columns following the file system names were pushed to the right and made the df output hard to read. As long UUID system names are becoming more common, df now prints the referent when a long name refers to a symlink, and no file systems are specified.
BZ#691466
The user could not use octal digit mode when clearing the special set-user-id and set-group-id bits on a directory with the chmod tool. This is an upstream change; however, because this was possible in all previous Red Hat Enterprise Linux releases, backwards compatibility has to be provided. Therefore, the chmod tool now again allows the user to clear the special bits on directories using octal digit mode if the octal digit mode is at least 5 digits long.
All users of coreutils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

5.26. corosync

Updated corosync packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
The corosync packages provide the Corosync Cluster Engine and the C language APIs for Red Hat Enterprise Linux cluster software.

Bug Fixes

BZ#741455
The mainconfig module passed an incorrect string pointer to the function that opens the corosync log file. If the path to the file (in cluster.conf) contained a non-existing directory, an incorrect error message was returned stating that there was a configuration file error. The correct error message is now returned informing the user that the log file cannot be created.
BZ#797192
The coroipcc library did not delete temporary buffers used for Inter-Process Communication (IPC) connections that are stored in the /dev/shm shared-memory file system. The /dev/shm memory resources became fully used and caused a Denial of Service event. The library has been modified so that applications delete temporary buffers if the buffers were not deleted by the corosync server. The /dev/shm system is now no longer cluttered with needless data.
BZ#758209
The range condition for the update_aru() function could cause incorrect checking of message IDs. The corosync utility entered the "FAILED TO RECEIVE" state and failed to receive multicast packets. The range value in the update_aru() function is no longer checked and the check is now performed using the fail_to_recv_const constant.
BZ#752159
If the corosync-notifyd daemon was running for a long time, the corosync process consumed an excessive amount of memory. This happened because the corosync-notifyd daemon failed to indicate that the no-longer used corosync objects were removed, resulting in memory leaks. The corosync-notifyd daemon has been fixed and the corosync memory usage no longer increases if corosync-notifyd is running for long periods of time.
BZ#743813
When a large cluster was booted or multiple corosync instances started at the same time, the CPG (Closed Process Group) events were not sent to the user. Therefore, nodes were incorrectly detected as no longer available, or as leaving and re-joining the cluster. The CPG service now checks the exit code in such scenarios properly and the CPG events are sent to users as expected.
BZ#743815
The OpenAIS EVT (Eventing) service sometimes caused deadlocks in corosync between the timer and serialize locks. The order of locking has been modified and the bug has been fixed.
BZ#743812
When corosync became overloaded, IPC messages could be lost without any notification. This happened because some services did not handle the error code returned by the totem_mcast() function. Applications that use IPC now handle the inability to send IPC messages properly and try sending the messages again.
BZ#747628
If both the corosync and cman RPM packages were installed on one system, the RPM verification process failed. This happened because both packages own the same directory but apply different rights to it. Now, the RPM packages have the same rights and the RPM verification no longer fails.
BZ#752951
corosync consumed excessive memory because the getaddrinfo() function leaked memory. The memory is now freed using the freeaddrinfo() function and getaddrinfo() no longer leaks memory.
BZ#773720
It was not possible to activate or deactivate debug logs at runtime due to memory corruption in the objdb structure. The debug logging can now be activated or deactivated at runtime, for example by the "corosync-objctl -w logging.debug=off" command.

Enhancement

BZ#743810
Each IPC connection uses 48 K in the stack. Previously, multi-threading applications with reduced stack size did not work correctly, which resulted in excessive memory usage. Temporary memory resources in a heap are now allocated to the IPC connections so that multi-threading applications no longer need to justify IPC connections' stack size.
All users of corosync are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

5.27. cpio

An updated cpio package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The cpio package provides the GNU cpio file archiver utility. GNU cpio can be used to copy and extract files into or from cpio and Tar archives.

Bug Fix

BZ#746209
Prior to this update, the options --to-stdout and --no-absolute-filenames were not listed in the cpio(1) manual page. This update includes the missing options and corrects several misprints.
All users of cpio are advised to upgrade to this updated package, which fixes this bug.

5.28. crash

Updated crash packages that fix several bugs and add multiple enhancements are now available for Red Hat Enterprise Linux 6.
The crash package provides a self-contained tool that can be used to investigate live systems, and kernel core dumps created from the netdump, diskdump, kdump, and Xen/KVM "virsh dump" facilities from Red Hat Enterprise Linux.
The crash package has been upgraded to upstream version 6.0.4, which provides a number of bug fixes and enhancements over the previous version. (BZ#767257)

Bug Fixes

BZ#754291
If the kernel was configured with the Completely Fair Scheduler (CFS) Group Scheduling feature enabled (CONFIG_FAIR_GROUP_SCHED=y), the "runq" command of the crash utility did not display all tasks in CPU run queues. This update modifies the crash utility so that all tasks in run queues are now displayed as expected. Also, the "-d" option has been added to the "runq" command, which provides the same debugging information as the /proc/sched_debug file.
BZ#768189
The "bt" command previously did not handle recursive non-maskable interrupts (NMIs) correctly on the Intel 64 and AMD64 architectures. As a consequence, the "bt" command could, under certain circumstances, display a task backtrace in an infinite loop. With this update, the crash utility has been modified to recognize a recursion in the NMI handler and prevent the infinite displaying of a backtrace.
BZ#782837
Under certain circumstances, the number of the "elf_prstatus" entries in the header of the compressed kdump core file could differ from the number of CPUs running when the system crashed. If such a core file was analyzed by the crash utility, crash terminated unexpectedly with a segmentation fault while displaying task backtraces. This update modifies the code so that the "bt" command now displays a backtrace as expected in this scenario.
BZ#797229
Recent changes in the code caused the crash utility to incorrectly recognize compressed kdump dump files for the 64-bit PowerPC architecture as dump files for the 32-bit PowerPC architecture. This caused the crash utility to fail during initialization. This update fixes the problem and the crash utility now recognizes and analyzes the compressed kdump dump files for the 32-bit and 64-bit PowerPC architectures as expected.
BZ#817247
The crash utility did not correctly handle situations when a user page was either swapped out or was not mapped on the IBM System z architecture. As a consequence, the "vm -p" command failed and either a read error occurred or an offset value of a swap device was set incorrectly. With this update, crash displays the correct offset value of the swap device or correctly indicates that the user page is not mapped.
BZ#817248
The crash utility did not correctly handle situations when the "bt -t" and "bt -T" commands were run on an active task on a live system on the IBM System z architecture. Consequently, the commands failed with the "bt: invalid/stale stack pointer for this task: 0" error message. This update modifies the source code so that the "bt -t" and "bt -T" commands execute as expected.

Enhancements

BZ#736884
With this update, crash now supports the "sadump" dump file format created by the Fujitsu Stand Alone Dump facility.
BZ#738865
The crash utility has been modified to fully support the "ELF kdump" and "compressed kdump" dump file formats for IBM System z.
BZ#739096
The makedumpfile facility can be used to filter out specific kernel data when creating a dump file, which can cause the crash utility to behave unpredictably. With this update, the crash utility now displays an early warning message if any part of the kernel has been erased or filtered out by makedumpfile.
All users of crash are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

5.29. crash-trace-command

An updated crash-trace-command package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The crash-trace-command package provides a trace extension module for the crash utility, allowing it to read ftrace data from a core dump file.

Bug Fix

BZ#729018
Previously, the "trace.so" binary in the crash-trace-command package was compiled by the GCC compiler without the "-g" option. Therefore, no debugging information was included in its associated "trace.so.debug" file. This could affect a crash analysis performed by the Automatic Bug Reporting Tool (ABRT) and its retrace server. Also, proper debugging of crashes using the GDB utility was not possible under these circumstances. This update modifies the Makefile of crash-trace-command to compile the "trace.so" binary with the "RPM_OPT_FLAGS" flag, which ensures that the GCC's "-g" option is used during the compilation. Debugging and a crash analysis can now be performed as expected.
All users of crash-trace-command are advised to upgrade to this updated package, which fixes this bug.

5.30. createrepo

An updated createrepo package that fixes one bug is now available for Red Hat Enterprise Linux 6.
This package contains scripts that generate a common metadata repository from a directory of RPM packages.

Bug Fix

BZ#623105
Prior to this update, the shebang line of the modifyrepo.py script contained "#!/usr/bin/env python", so the system path was used to locate the Python executable. When another version of Python was installed on the system, and "/usr/local/python" was specified in the PATH environment variable, scripts did not work due to Python compatibility problems. With this update, the shebang line is modified to "#!/usr/bin/python", so that the system version of Python is always used.
All users of createrepo are advised to upgrade to this updated package, which fixes this bug.

5.31. cryptsetup-luks

Updated cryptsetup-luks packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The cryptsetup-luks packages provide a utility which allows users to set up encrypted devices with the Device Mapper and the dm-crypt target.

Bug Fixes

BZ#746648
For some configurations, the cryptsetup utility incorrectly translated major:minor device pairs to device names in the /dev/ directory (for example, on HP Smart Array devices). With this update, the underlying source code has been modified to address this issue, and the cryptsetup utility now works as expected. (BZ#755478)
If a device argument for the "cryptsetup status" command included a /dev/mapper/ prefix, the prefix was duplicated in the command's output. The output was fixed and no longer includes duplicated strings.
All users of cryptsetup-luks are advised to upgrade to these updated packages, which fix these bugs.

5.32. ctdb

Updated ctdb packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The ctdb packages provide a clustered database based on Samba's Trivial Database (TDB) used to store temporary data.

Bug Fix

BZ#794888
Prior to this update, the ctdb working directory, all subdirectories and the files within were created with incorrect SELinux contexts when the ctdb service was started. This update uses the post-install script to create the ctdb directory, and the command "/sbin/restorecon -R /var/ctdb" now sets the correct SELinux context.
All users of ctdb are advised to upgrade to these updated packages, which fix this bug.

5.33. cups

Updated cups packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.
The Common UNIX Printing System (CUPS) provides a portable printing layer for Linux, UNIX, and similar operating systems.

Bug Fixes

BZ#738410
Prior to this update, the textonly filter did not always correctly generate output when a single copy was requested. The textonly filter generates output for a single or multiple copies by spooling the output for one copy into a temporary file, then sending the content of that temporary file as many times as required. However, if the filter was used for the MIME-type conversion rather than as a PostScript Printer Description (PPD) filter, and a single copy was requested, the temporary file was not created and the program failed with the "No such file or directory" message. With this update, the textonly filter has been modified to create a temporary file regardless of the number of copies specified. The data is now sent to the printer as expected.
BZ#738914, BZ#740093
Previously, empty jobs could be created using the "lp" command either by submitting an empty file to print (for example by executing "lp /dev/null") or by providing an empty file as standard input. In this way, a job was created but was never processed. With this update, creation of empty print jobs is not allowed, and the user is now informed that no file is in the request.
BZ#806818
The German translation for the search page template of the web interface contained an error that prevented the search feature from functioning correctly: attempting to search for a printer in the CUPS web interface failed, and an error message was displayed in the browser. The bug in the search template has been fixed, and the search feature in the German locale now works as expected in this scenario.
All users of cups are advised to upgrade to these updated packages, which fix these bugs.

5.34. db4

An updated db4 package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The Berkeley Database (Berkeley DB) is a programmatic toolkit that provides embedded database support for both traditional and client/server applications. The Berkeley DB includes B+tree, Extended Linear Hashing, Fixed and Variable-length record access methods, transactions, locking, logging, shared memory caching, and database recovery. The Berkeley DB supports C, C++, Java, and Perl APIs. It is used by many applications, including Python and Perl, so this should be installed on all systems.

Bug Fix

BZ#784662
The db4 spec file incorrectly stated that the "License" is simply "BSD", whereas it is in fact licensed under both the BSD and Sleepycat licenses, the latter of which differs from the Berkeley Software Distribution (BSD) license by including a redistribution clause. This update corrects the spec file so it correctly states that the db4 software is provided under the "Sleepycat and BSD" license.
Users of db4 are advised to upgrade to this updated package which fixes this bug.

5.35. device-mapper-multipath

Updated device-mapper-multipath packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The device-mapper-multipath packages provide tools to manage multipath devices using the device-mapper multipath kernel module.

Bug Fixes

BZ#812832
The multipathd daemon was not correctly stopping waiter threads during shutdown. The waiter threads could access freed memory and cause the daemon to terminate unexpectedly during shutdown. With this update, the multipathd daemon now correctly stops the waiter threads before they can access any freed memory and no longer crashes during shutdown.
BZ#662433
When Device Mapper Multipath was stopped, multipathd did not disable the queue_if_no_path option on multipath devices by default. When multipathd was stopped during shutdown, I/O of the device was added to the queue if all paths to a device were lost, and the shutdown process became unresponsive. With this update, multipathd now sets the queue_without_daemon option to no by default. As a result, all multipath devices stop queueing when multipathd is stopped and multipath now shuts down as expected.
BZ#752989
Device Mapper Multipath uses regular expressions in built-in device configurations to determine a multipath device so as to apply the correct configuration to the device. Previously, some regular expressions for resolving the device vendor name and product ID were not specific enough. As a consequence, some devices could be matched with incorrect device configurations. With this update, the product and vendor regular expressions have been modified so that all multipath devices are now configured properly.
BZ#754586
After renaming a device, there was a race condition between multipathd and udev to rename the new multipath device nodes. If udev renamed the device node first, multipathd removed the device created by udev and failed to create the new device node. With this update, multipathd immediately creates the new device nodes, and the race condition no longer occurs. As a result, the renamed device is now available as expected.
BZ#769527
Previously, the flush_on_last_del handling code did not implement handling of the queue feature properly. Consequently, even though the flush_on_last_del feature was activated, multipathd re-enabled queueing on multipath devices that could not be removed immediately after the last path device was deleted. With this update, the code has been fixed and when the user sets flush_on_last_del, their multipath devices correctly disable queueing, even if the devices cannot be closed immediately.
BZ#796384
Previously, Device Mapper Multipath used a fixed-size buffer to read the Virtual Device Identification page [0x83]. The buffer size was sometimes insufficient to accommodate the data sent by devices and the ALUA (Asymmetric Logical Unit Access) prioritizer failed. Device Mapper Multipath now dynamically allocates a buffer large enough for the Virtual Device Identification page and the ALUA prioritizer no longer fails in the scenario described.
BZ#744210
Previously, multipathd did not set the max_fds option by default, which sets the maximum number of file descriptors that multipathd can open. Also, the user_friendly_names setting could only be configured in the defaults section of /etc/multipath.conf. The user had to set max_fds manually and override the default user_friendly_names value in their device-specific configurations. With this update, multipath now sets max_fds to the system maximum by default, and user_friendly_names can be configured in the devices section of multipath.conf. Users no longer need to set max_fds for large setups, and they are able to select user_friendly_names per device type.
BZ#744756
Previously, to modify a built-in configuration, the vendor and product strings of the user's configuration had to be identical to the vendor and product strings of the built-in configuration. The vendor and product strings are regular expressions, and the user did not always know the correct vendor and product strings needed to modify a built-in configuration. With this update, the hwtable_regex_match option was added to the defaults section of multipath.conf. If it is set to yes, Multipath uses regular-expression matching to determine if the user's vendor and product strings match the built-in device configuration strings: the user can use the actual vendor and product information from their hardware in their device configuration, and it will modify the default configuration for that device. The option is set to no by default.
BZ#750132
Previously, multipathd was using a deprecated Out-of-Memory (OOM) adjustment interface. Consequently, the daemon was not protected from the OOM killer properly; the OOM killer could kill the daemon when memory was low and the user was unable to restore failed paths. With this update, multipathd now uses the new Out-of-Memory adjustment interface and can no longer be killed by the Out-of-Memory killer.
BZ#702222
The multipath.conf file now contains a comment which informs the user that the configuration must be reloaded for any changes to take effect.
BZ#751938
The multipathd daemon incorrectly exited with code 1 when multipath -h (print usage) was run. With this update, the underlying code has been modified and multipathd now returns code 0 as expected in the scenario described.
BZ#751039
Some multipathd threads did not check if multipathd was shutting down before they started their execution. Consequently, the multipathd daemon could terminate unexpectedly with a segmentation fault on shutdown. With this update, the multipathd threads now check if multipathd is shutting down before triggering their execution, and multipathd no longer terminates with a segmentation fault on shutdown.
BZ#467709
The multipathd daemon did not have a failover method to handle switching of path groups when multiple nodes were using the same storage. Consequently, if one node lost access to the preferred paths to a logical unit, while the preferred path of the other node was preserved, multipathd could end up switching back and forth between path groups. This update adds the followover failback method to device-mapper-multipath. If the followover failback method is set, multipathd does not fail back to the preferred path group, unless it just came back online. When multiple nodes are using the same storage, a path failing on one machine now no longer causes the path groups to continually switch back and forth.

Enhancements

BZ#737051
The NetApp brand name has been added to the documentation about the RDAC (Redundant Disk Array Controller) checker and prioritizer.
BZ#788963
The built-in device configuration for Fujitsu ETERNUS has been added.
BZ#760852
If the multipath checker configuration was set to tur, the checks were not performed asynchronously. If a device failed and the checker was waiting for the SCSI layer to fail back, the checks on other paths were kept waiting. The checker has been rewritten so as to check the paths asynchronously, and the path checking on other paths continues as expected.
BZ#799908
A built-in configuration for IBM XIV Storage System has been added.
BZ#799842
The NetApp LUN built-in configuration now uses the tur path checker by default. Also flush_on_last_del has been enabled, dev_loss_tmo has been set to infinity, fast_io_fail_tmo has been set to 5, and pg_init_retries has been set to 50.
Users of device-mapper-multipath should upgrade to these updated packages, which fix these bugs and add these enhancements.

5.36. dhcp

Updated dhcp packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
The dhcp package provides software to support the Dynamic Host Configuration Protocol (DHCP) and DHCPv6 protocol. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to obtain their own network configuration information, including an IP address, a subnet mask, and a broadcast address.

Bug Fixes

BZ#656339
Previously, when dhclient was unsuccessful in obtaining or renewing an address, it restored the resolv.conf file from backup even when there were other dhclient processes running. Consequently, network traffic could be unnecessarily interrupted. The bug in dhclient-script has been fixed and dhclient now restores resolv.conf from backup only if there are no other dhclient processes running.
BZ#747017
A bug caused an infinite loop in a dhcpd process when dhcpd tried to parse the slp-service-scope option in dhcpd.conf. As a consequence, dhcpd entered an infinite loop on startup consuming 100% of the CPU cycles. This update improves the code and the problem no longer occurs.
BZ#752116
Previously, the DHCPv4 client did not check whether the address received in a DHCPACK message was already in use. As a consequence, it was possible that after a reboot two clients could have the same, conflicting, IP address. With this update, the bug has been fixed and DHCPv4 client now performs duplicate address detection (DAD) and sends a DHCPDECLINE message if the address received in DHCPACK is already in use, as per RFC 2131.
BZ#756759
When dhclient is invoked with the "-1" command-line option, it should try to get a lease once and on failure exit with status code 2. Previously, when dhclient was invoked with the "-1" command-line option, and then issued a DHCPDECLINE message, it continued trying to obtain a lease. With this update, the dhclient code has been fixed. As a result, dhclient stops trying to obtain a lease and exits after sending DHCPDECLINE when started with the "-1" option.
BZ#789719
Previously, dhclient kept sending DHCPDISCOVER messages in an infinite loop when started with the "-timeout" option having a value of 3 or less (seconds). With this update, the problem has been fixed and the "-timeout" option works as expected with all values.

Enhancements

BZ#790686
The DHCP server daemon now uses portreserve for reserving ports 647 and 847 to prevent other programs from occupying them.
BZ#798735
All DHCPv6 options defined in RFC5970, except for the Boot File Parameters Option, were implemented. This allows the DHCPv6 server to pass boot file URLs back to IPv6-based netbooting clients (UEFI) based on the system's architecture.
Users are advised to upgrade to these updated dhcp packages, which fix these bugs and add these enhancements.

5.37. ding-libs

Updated ding-libs packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The ding-libs packages contain a set of libraries used by the System Security Services Daemon (SSSD) and other projects and provide functions to manipulate filesystem pathnames (libpath_utils), a hash table to manage storage and access time properties (libdhash), a data type to collect data in a hierarchical structure (libcollection), a dynamically growing, reference-counted array (libref_array), and a library to process configuration files in initialization format (INI) into a library collection data structure (libini_config).

Bug Fixes

BZ#736074
Prior to this update, memory could become corrupted if the initial table size exceeded 1024 buckets. This update modifies libdhash so that large initial table sizes now correctly allocate memory.
BZ#801393
Prior to this update, if the combination of two strings concatenated by the path_concat() function exceeded the size of the destination buffer, the buffer was filled and the null terminator was written one character past the allocated size. This update modifies the underlying code so that the null terminator is no longer added after the end of the buffer.
All users of ding-libs are advised to upgrade to these updated packages, which fix these bugs.
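
The off-by-one write described in BZ#801393, shown as an added example that is not code from ding-libs: concat_unchecked() and concat_checked() are hypothetical, simplified stand-ins for a path-joining routine, and returning ENOBUFS on overflow is an assumption of this example. The test arena is deliberately larger than the size passed in, so the stray terminator can be observed without corrupting memory.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not the libpath_utils source. */
typedef int (*concat_fn)(char *dst, size_t size,
                         const char *head, const char *tail);

/* Flawed pattern: copy whatever fits, then terminate at dst[n].
 * When the input is too long, n ends up equal to size, so the NUL
 * lands one byte past a buffer that holds only `size` bytes. */
static int concat_unchecked(char *dst, size_t size,
                            const char *head, const char *tail)
{
    size_t n = 0;

    for (; *head != '\0' && n < size; head++)
        dst[n++] = *head;
    if (n < size)
        dst[n++] = '/';
    for (; *tail != '\0' && n < size; tail++)
        dst[n++] = *tail;
    dst[n] = '\0';              /* off-by-one when n == size */
    return 0;
}

/* Corrected pattern: work out the full length first, including the
 * separator and the terminator, and refuse to write anything that
 * does not fit. Nothing is ever stored at or beyond dst[size]. */
static int concat_checked(char *dst, size_t size,
                          const char *head, const char *tail)
{
    size_t hlen = strlen(head);
    size_t tlen = strlen(tail);

    if (size == 0)
        return ENOBUFS;
    /* Need hlen + 1 ('/') + tlen + 1 (NUL) <= size, tested without
     * letting the arithmetic wrap around. */
    if (hlen >= size - 1 || tlen >= size - hlen - 1) {
        dst[0] = '\0';          /* leave a valid empty string */
        return ENOBUFS;
    }
    memcpy(dst, head, hlen);
    dst[hlen] = '/';
    memcpy(dst + hlen + 1, tail, tlen);
    dst[hlen + 1 + tlen] = '\0';
    return 0;
}

/* Constructed test input: "/var" + "/" + "lib64" needs 11 bytes, but the
 * routine is told the buffer holds 8. The arena really holds 16 bytes
 * pre-filled with 0xAA, so arena[8] acts as a guard byte: if it changes,
 * the routine wrote past the size it was given. */
static unsigned char guard_after(concat_fn fn, int *rc)
{
    unsigned char arena[16];

    memset(arena, 0xAA, sizeof arena);
    *rc = fn((char *)arena, 8, "/var", "lib64");
    return arena[8];
}

int main(void)
{
    int rc;
    unsigned char g;

    g = guard_after(concat_unchecked, &rc);
    printf("unchecked: rc=%d guard=0x%02X\n", rc, g);

    g = guard_after(concat_checked, &rc);
    printf("checked:   rc=%d guard=0x%02X\n", rc, g);
    return 0;
}
```

A single stray NUL is enough to truncate an adjacent string or zero the low byte of a neighbouring length, pointer or allocator field, which is why the fix rejects the oversized input rather than truncating it.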

5.38. dmraid

Updated dmraid packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.
The dmraid packages provide the ATARAID/DDF1 activation tool. The tool supports RAID device discovery and RAID set activation. It also displays properties for ATARAID/DDF1-formatted RAID sets on Linux kernels using the device-mapper utility.

Bug Fixes

BZ#729971
Prior to this update, a grub installation failed silently on a dmraid mirror because the device geometry of RAID sets was not set properly. Consequently, the set partition's MBR failed to be created and the partition failed to boot. With this update, the underlying code has been modified and the geometry on dmraid devices is set up correctly.
BZ#729032
The dmraid binary was compiled without gcc's -g option and the debuginfo file did not contain the ".debug_info" section. Consequently, it was not possible to generate debugging information and debug dmraid properly. With this update, the binary has been compiled with the proper debugging options and the problem no longer occurs.
BZ#701501
When the dmraid tool was accessing a 4 KB sector or smaller, it returned a misleading error message. With this update, the library function that checks the device size has been modified and the error message is no longer displayed under these circumstances.
All users of dmraid are advised to upgrade to these updated packages, which fix these bugs.

5.39. dnsmasq

Updated dnsmasq packages that add an enhancement are now available for Red Hat Enterprise Linux 6.
The dnsmasq package contains Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.

Enhancement

BZ#794792
A new subpackage, dnsmasq-utils, has been added. The dnsmasq-utils subpackage contains the dhcp_lease_time and dhcp_release utilities, which serve to query and remove DHCP server leases using the standard DHCP protocol.
All dnsmasq users are advised to upgrade to these updated packages, which add this enhancement.

5.40. dracut

Updated dracut packages that fix multiple bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
The dracut packages include an event-driven initramfs generator infrastructure based on udev. The virtual file system, initramfs, is loaded together with the kernel at boot time and initializes the system, so it can read and boot from the root partition.

Bug Fixes

BZ#788119
Previously, if a dracut module did not contain an "install" file, dracut could not execute the "installkernel" command. Consequently, the dracut fips-aesni module could not be included in the initramfs image. Now, "installkernel" can be correctly executed in the described scenario, thus fixing this bug.
BZ#761584
Previously, dracut failed to start up a degraded RAID array, resulting in a non-booting system. With this update, dracut uses the rd_retry kernel command-line parameter value and after rd_retry/2 seconds attempts to force the array to start, thus fixing this bug.
BZ#747840
During boot-up, dracut called the "udevadm settle" command several times. As a result, inconsequential messages about the command timeout were sometimes returned, creating clutter in the console output. This update fixes the bug and the messages are no longer returned in the described scenario.
BZ#735529
Occasionally, dracut attempted to assemble an array before all disks were available. As a result, dracut started the array in degraded mode or failed altogether. This bug has been fixed and dracut now forces degraded arrays to start only after a period of time controlled by the rd_retry kernel command-line parameter.
BZ#714039
The dracut package depended on the vconfig package although vconfig is not used by dracut. This update removes the dependency on vconfig.
BZ#794863
Previously, if a network interface was brought up, dracut waited for two seconds to detect that the link was up. For certain network cards, two seconds is not long enough. Consequently, the network was not properly set up and the system could not boot. Now, dracut waits for ten seconds, thus fixing this bug.
BZ#752584
Dracut did not set the broadcast address for network interfaces it started up, resulting in a 0.0.0.0 broadcast address. This bug has been fixed and the default broadcast address is now set properly on startup.
BZ#703164
The FILES section of the dracut man page has been amended to fix inaccurate content.
BZ#752073
If the user adds multiple "console=[tty]" parameters on the kernel command line, the last parameter specifies the primary console. Previously, dracut failed to initialize this console and instead initialized /dev/tty0 unconditionally. This bug has been fixed and dracut now initializes the correct console in the described scenario.
BZ#788618
When no user name and password were specified in an iSCSI interface, dracut reused the login information from a previous iSCSI parameter. Consequently, the authentication failed and the system did not boot up. This update fixes the bug.

Enhancements

BZ#722879
Previously, it was not possible to exclude a kernel driver from the initramfs image to reduce its size. This update introduces the "--omit-driver" option to provide this functionality.
BZ#752005
The "lsinitrd" command has been enhanced to support initramfs images compressed by the LZMA algorithm.
Users of dracut are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

5.41. dropwatch

An updated dropwatch package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The dropwatch package contains a utility that provides packet monitoring services.

Bug Fix

BZ#684713
Previously, the dropwatch utility could terminate unexpectedly with a segmentation fault. The failure was caused by a double-free error which occurred while issuing the start and stop messages. This update removes the freeing function calls from the underlying code, which prevents the dropwatch utility from crashing.
All users of dropwatch are advised to upgrade to this updated package, which fixes this bug.

5.42. e2fsprogs

Updated e2fsprogs packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The e2fsprogs packages provide a number of utilities for creating, checking, modifying, and correcting any inconsistencies in second (ext2), third (ext3), and fourth (ext4) extended file systems.

Bug Fixes

BZ#786021
Prior to this update, checksums for backup group descriptors appeared to be wrong when the "e2fsck -b" option read these group descriptors and cleared UNINIT flags to ensure that all inodes were scanned. As a consequence, warning messages were sent during the process. This update recomputes checksums after the flags are changed. Now, "e2fsck -b" completes without these checksum warnings.
BZ#795846
Prior to this update, e2fsck could discard valid inodes when using the "-E discard" option. As a consequence, the file system could become corrupted. This update modifies the underlying code so that disk regions containing valid inodes are no longer discarded.
All users of e2fsprogs are advised to upgrade to these updated packages, which fix these bugs.

5.43. efibootmgr

An updated efibootmgr package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The efibootmgr utility is responsible for the boot loader installation on Unified Extensible Firmware Interface (UEFI) systems.

Bug Fix

BZ#715216
A Coverity Scan analysis discovered an allocation whose result was not checked for errors. With this update, the allocation is checked for errors and the bug is fixed.
All users of efibootmgr are advised to upgrade to this updated package, which fixes this bug.

5.44. expect

An updated expect package that fixes multiple bugs is now available for Red Hat Enterprise Linux 6.
The "expect" package contains a tool for automating and testing interactive command line programs and Tk applications. Tcl is a portable and widely used scripting language, while Tk is a graphical toolkit that eases development of text-based and GUI applications.

Bug Fixes

BZ#674866
Prior to this update, the expect(1) manual page was not formatted properly. As a result, the content of the manual page was not readable. The formatting has been corrected to ensure easy readability.
BZ#735962
Prior to this update, the passmass script did not call the "su" binary with the full path (/bin/su). The passmass script has been modified to call "/bin/su" rather than "su", which is more secure.
BZ#742911
Due to incorrect character matching, applications created by the autoexpect utility could terminate unexpectedly with a segmentation fault. With this update, the number of characters is matched correctly and applications created by autoexpect run successfully.
BZ#782859
Previously, the expect-devel subpackage contained a symbolic link to the expect library, which led to an unnecessary dependency. With this update, the link is located in the expect package.
All users of expect are advised to upgrade to this updated package, which fixes these bugs.

5.45. fcoe-target-utils

Updated fcoe-target-utils packages that fix three bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
The fcoe-target-utils packages provide a command line interface for configuring FCoE LUNs (Fibre Channel over Ethernet Logical Unit Numbers) and backstores.

Bug Fixes

BZ#752699
Prior to this update, starting targetadmin without the fcoe-target utility could cause the following output:
OSError: [Errno 2] No such file or directory: '/sys/kernel/config/target
This update modifies the underlying code so that now a warning message is displayed if targetcli is invoked without running the fcoe-target service.
BZ#813664
Prior to this update, fcoe-target-utils used the executable name "targetadmin" which did not reflect the current name in the upstream version. This update changes the name to "targetcli", to match the upstream version.
BZ#815981
Prior to this update, the configuration state was saved to "tcm_start.sh", and the fcoe-target init script restored the state from this file when the fcoe-target service was started. For increased reliability, this update uses a new method to save and restore fcoe-target configuration; it is now saved to "/etc/target/saveconfig.json".

Enhancement

BZ#750277
Prior to this update, the fcoe-target-utils packages for the Fibre Channel over Ethernet (FCoE) target mode were available only as technical preview. With this update, the fcoe-target-utils packages are fully supported in Red Hat Enterprise Linux 6.
All users of fcoe-target-utils are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

5.46. fcoe-utils

Updated fcoe-utils packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The fcoe-utils package allows users to use Fibre Channel over Ethernet (FCoE). The package contains the fcoeadm command-line tool for configuring FCoE interfaces, and the fcoemon service to configure DCB (Data Center Bridging) Ethernet QoS filters.
The fcoe-utils package has been upgraded to upstream version 1.0.22, which provides a number of bug fixes and enhancements over the previous version, including bash-completion enhancements and changing of the default FCoE interface names from 'device.vlan-fcoe' to 'device.vlan'. The -f (--fipvlan) option can be used to apply the previous behavior. (BZ#788511)

Bug Fix

BZ#804936
The "service fcoe status" command returned an incorrect return value when the fcoe service was running. With this update, the underlying code has been modified and fcoe now returns the correct code under these circumstances.
All users of fcoe-utils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

5.47. febootstrap

Updated febootstrap packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The febootstrap packages provide a tool to create a basic Red Hat Enterprise Linux or Fedora filesystem, and build initramfs (initrd.img) or filesystem images.
The febootstrap packages have been upgraded to upstream version 3.12, which provides a number of bug fixes and enhancements over the previous version. (BZ#719877)
All febootstrap users are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

5.48. fence-agents

Updated fence-agents packages that fix various bugs and add an enhancement are now available for Red Hat Enterprise Linux 6.
The fence-agents package contains a collection of scripts to handle remote power management for cluster devices. They allow failed or unreachable cluster nodes to be forcibly restarted and removed from the cluster.

Bug Fixes

BZ#769681
The fence_rhevm fencing agent uses the Red Hat Enterprise Virtualization API to check the power status ("on" or "off") of a virtual machine. In addition to the "up" and "down" states, the API includes a number of other states. Previously, the "on" power status was returned only if the machine was in the "up" state. The "off" status was returned for all other states even if the machine was running. This allowed for successful fencing before the machine was really powered off. With this update, the fence_rhevm agent detects the power status of a cluster node more conservatively, and the "off" status is returned only if the machine is actually powered off, that is, in the "down" state.
BZ#772597
Previously, the fence_vmware_soap fence agent was not able to work with more than one hundred machines in a cluster. Consequently, fencing a cluster node running in a virtual machine on VMware with the fence_vmware_soap fence agent failed with the "KeyError: 'config.uuid'" error message. With this update, the underlying code has been fixed to support fencing on such clusters.
BZ#740484
Previously, the fence_ipmilan agent failed to handle passwd_script argument values that contained space characters. Consequently, it was impossible to use a password script that required additional parameters. This update ensures that fence_ipmilan accepts and properly parses values for the passwd_script argument with spaces.
BZ#771211
Previously, the fence_vmware_soap fence agent did not expose the proper virtual machine path for fencing. With this update, fence_vmware_soap has been fixed to support this virtual machine identification.
BZ#714841
Previously, certain fence agents did not generate correct metadata output. As a result, it was not possible to use the metadata for automatic generation of manual pages and user interfaces. With this update, all fence agents generate their metadata as expected.
BZ#771936
Possible buffer overflow and null dereference defects were found by automatic tools. With this update, these problems have been fixed.
BZ#785091
Fence agents that use an identity file for SSH terminated unexpectedly when a password was expected but was not provided. This bug has been fixed and proper error messages are returned in the described scenario.
BZ#787706
The fence_ipmilan fence agent did not respect the power_wait option and did not wait after sending the power-off signal to a device. Consequently, the device could terminate its shutdown sequence. This bug has been fixed and fence_ipmilan now waits before shutting down a machine as expected.
BZ#741339
The fence_scsi agent creates the fence_scsi.dev file that contains a list of devices that the node registered with during an unfence operation. This file was unlinked for every unfence action. Consequently, if multiple fence device entries were used in the cluster.conf file, fence_scsi.dev only contained the devices that the node registered with during the most recent unfence action. Now, instead of the unlink call, if the device currently being registered does not exist in fence_scsi.dev, it is added to the file.
BZ#804169
If the "delay" option was set to more than 5 seconds while a fence device was connected via the telnet_ssl utility, the connection timed out and the fence device failed. Now, the "delay" option is applied before the connection is opened, thus fixing this bug.
BZ#806883
Previously, XML metadata returned by a fence agent incorrectly listed all attributes as "unique". This update fixes this problem and the attributes are now marked as unique only when this information is valid.
BZ#806912
This update fixes a typographical error in an error message in the fence_ipmilan agent.
BZ#806897
Prior to this update, the fence agent for IPMI (Intelligent Platform Management Interface) could return an invalid return code when the "-M cycle" option was used. This invalid return code could cause invalid interpretation of a fence action, eventually causing the cluster to become unresponsive. This bug has been fixed and only predefined return codes are now returned in the described scenario.
BZ#804805
Previously, the fence_brocade fence agent did not distinguish the "action" option from the standard "option" option. Consequently, the "action" option was ignored and the node was always fenced. This bug has been fixed and both options are now properly recognized and acted upon.

Enhancement

BZ#742003
This update adds support for accessing the Fujitsu RSB fencing device using secure shell.
Users of fence-agents are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

5.49. fence-virt

Updated fence-virt packages that fix four bugs are now available for Red Hat Enterprise Linux 6.
The fence-virt packages provide a fencing agent for virtual machines as well as a host agent which processes fencing requests.

Bug Fixes

BZ#753974
Prior to this update, the libvirt-qpid plug-in did not handle exceptions correctly. As a consequence, the fence_virtd daemon could unexpectedly terminate with a segmentation fault if the connection to the specified qpid daemon failed. This update modifies the exception handling. Now, the fencing operation works as expected.
BZ#758392
Prior to this update, the hashing utility sha_verify did not handle errors correctly when a key file could not be read. As a consequence, the fence_virtd daemon could unexpectedly terminate with a segmentation fault when receiving a fencing request if fence_virtd failed to read the specified key file during startup. This update modifies the error handling if a key file cannot be read. Now, fence_virtd no longer terminates under these conditions.
BZ#761215
Prior to this update, the XML example for serial mode in the fence_virt.conf(5) man page contained an incorrect closing tag. This update corrects this tag.
BZ#806949
Prior to this update, the libvirt-qpid plug-in was linked directly against the qpid libraries instead of only the qmfv2 library. As a consequence, newer versions of the qpid libraries could not be used with the libvirt-qpid plug-in. This update no longer links against the qpid libraries directly. Newer qpid libraries can now also be used with libvirt-qpid.
BZ#809101
Prior to this update, the fence_virtd.conf manpage and the fence_virtd.conf generator incorrectly stated that by default, fence_virtd listened on all network interfaces. Both have been amended to state that by default, fence_virtd listens on the default network interface.
All users of fence-virt are advised to upgrade to these updated packages, which fix these bugs.

5.50. file

Updated file packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.
The file command is used to identify a particular file according to the type of data contained in the file. The command can identify various file types, including ELF binaries, system libraries, RPM packages, and different graphics formats.

Bug Fixes

BZ#688136
Previously, the file utility contained "magic" patterns that incorrectly detected files according to one byte only. Unicode text files starting with that particular byte could therefore be incorrectly recognized as DOS executable files. This update removes the problematic patterns. Patterns that match fewer than 16 bits are no longer accepted, and the utility no longer detects Unicode files as DOS executables.
BZ#709846
Previously, the "magic" pattern for detection of Dell BIOS headers was outdated. As a consequence, the file utility did not detect newer BIOS formats. The "magic" pattern has been updated, and the file utility now detects new formats of Dell BIOS properly.
BZ#719583
Previously, users were allowed to add new "magic" files only into the home directory. As a consequence, users were not able to configure "magic" patterns for certain special file formats system-wide. With this update, a backported patch provides a way to read "magic" patterns from the /etc/magic file.
BZ#733229
Previously, "magic" patterns for Python were insufficient. The file utility was therefore unable to detect a Python script according to the Python function definition. With this update, detection of Python is improved, and Python scripts are properly recognized.
BZ#747999
Previously, the file utility did not contain a "magic" pattern for detection of files compressed using the LZMA algorithm. As a consequence, the file utility was unable to detect these files. This update adds the missing "magic" pattern, and LZMA compressed files are now detected as expected.
BZ#758109
Previously, the file utility did not contain a "magic" pattern to detect the swap signature on Itanium microprocessors. As a consequence, the file utility was unable to detect the signature. This update adds the missing "magic" pattern, and the swap signature on Itanium microprocessors is detected as expected.
BZ#760083
Previously, the file utility did not parse the name of an RPM package from the RPM file. As a consequence, the utility did not print the name of the RPM package. This update adds a "magic" pattern for RPM package name parsing, and the name is now printed as expected.
All users of file are advised to upgrade to these updated packages, which fix these bugs.

5.51. firstboot

Updated firstboot packages that add two enhancements are now available for Red Hat Enterprise Linux 6.
The firstboot utility runs after installation and guides the user through a series of steps that allows for easier configuration of the machine.

Enhancements

BZ#704187
Prior to this update, the firstboot utility did not allow users to change the timezone. This update adds the timezone module to firstboot so that users can now change the timezone in the reconfiguration mode.
BZ#753658
Prior to this update, the firstboot service did not provide a status option. This update adds the "firstboot service status" option to show if firstboot is scheduled to run on the next boot or not.
All users of firstboot are advised to upgrade to these updated packages, which add these enhancements.

5.52. flash-plugin

Updated Adobe Flash Player packages that add various enhancements are now available for Red Hat Enterprise Linux 6.
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in.
The Adobe Flash Player web browser plug-in has been upgraded to upstream version 11.2.202.236, which provides a number of enhancements over the previous version. (BZ#800030)
All users of Adobe Flash Player are advised to upgrade to these updated packages, which add these enhancements.

5.53. fontforge

Updated fontforge packages that fix one bug are now available for Red Hat Enterprise Linux 6.
FontForge is a font editor for outline and bitmap fonts. FontForge supports a range of font formats, including PostScript, TrueType, OpenType and CID-keyed fonts.

Bug Fix

BZ#676607
Previously, the "configure.in" file did not include information on how to handle 64-bit PowerPC architectures. Attempting to install the fontforge-devel multilib PowerPC and 64-bit PowerPC RPM packages on the same 64-bit PowerPC machine led to conflicts between those packages. This update modifies the "configure.in" file, so that fontforge-devel multilib RPM packages are allowed to be installed on the same machine. The conflicts no longer occur in the described scenario.
All users of fontforge are advised to upgrade to these updated packages, which fix this bug.

5.54. fprintd

Updated fprintd packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The fprintd packages contain a D-Bus service to access fingerprint readers.

Bug Fix

BZ#665837
Previously, if no USB support was available on a machine (for example, virtual machines on a hypervisor that disabled USB support for guests), the fprintd daemon received the SIGABRT signal, and therefore terminated abnormally. Such crashes did not cause any system failure; however, the Automatic Bug Reporting Tool (ABRT) was alerted every time. With this update, the underlying code has been modified so that the fprintd daemon now exits gracefully on machines with no USB support.
All users of fprintd are advised to upgrade to these updated packages, which fix this bug.

5.55. freeradius

Updated freeradius packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
FreeRADIUS is an open-source Remote Authentication Dial In User Service (RADIUS) server which allows RADIUS clients to perform authentication against the RADIUS server. The RADIUS server may optionally perform accounting of its operations using the RADIUS protocol.
The freeradius packages have been upgraded to upstream version 2.1.12, which provides a number of bug fixes and enhancements over the previous version. (BZ#736878)

Bug Fixes

BZ#787116
The radtest command-line argument to request the PPP hint option was not parsed correctly. Consequently, radclient did not add the PPP hint to the request packet and the test failed. This update corrects the problem and radtest now functions as expected.
BZ#705723
The freeradius logrotate script failed to reload the radiusd daemon after a log rotation, and log messages were lost. This update adds a command to the freeradius logrotate script to reload the radiusd daemon, so that the radiusd daemon reinitializes and reopens its log files after log rotation as expected.
BZ#712803
The radtest argument with the eap-md5 option failed because it passed the IP family argument when invoking the radeapclient utility and the radeapclient utility did not recognize the IP family. The radeapclient now recognizes the IP family argument and radtest now works with eap-md5 as expected.
BZ#700870
Previously, freeradius was compiled without the "--with-udpfromto" option. Consequently, on a multihomed server with an explicitly specified IP address, freeradius sent the reply from the wrong IP address. With this update, freeradius has been built with the "--with-udpfromto" configuration option and the RADIUS reply is always sourced from the IP address the request was sent to.
BZ#753764
The password expiration field for local passwords was not checked by the unix module and the debug information was erroneous. Consequently, a user with an expired password in the local password file was still authenticated. With this update, the check of the password expiration has been modified. A user with an expired local password is denied access and correct debugging information is written to the log file.
BZ#690756
Due to invalid syntax in the PostgreSQL admin schema file, the FreeRADIUS PostgreSQL tables failed to be created. With this update, the syntax has been adjusted and the tables are created as expected.
BZ#782905
When FreeRADIUS received a request, it sometimes failed with the following message:
WARNING: Internal sanity check failed in event handler for request 6
This bug was fixed by upgrading to upstream version 2.1.12.
BZ#810605
FreeRADIUS has a thread pool that grows dynamically based on load. If multiple threads using the rlm_perl() function were spawned in quick succession, freeradius sometimes terminated unexpectedly with a segmentation fault due to parallel calls to the rlm_perl_clone() function. With this update, a mutex for the threads has been added and the problem no longer occurs.
All users of freeradius are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

5.56. gawk

An updated gawk package that fixes three bugs is now available for Red Hat Enterprise Linux 6.
The gawk package contains the GNU version of awk, a text processing utility. AWK interprets a special-purpose programming language to do quick and easy text pattern matching and reformatting jobs.

Bug Fixes

BZ#648906
Prior to this update, the gawk utility could, under certain circumstances, interpret some run-time variables as internal zero-length variable prototypes. When gawk tried to free such run-time variables, it actually freed the internal prototypes, which were allocated just once to save memory. As a consequence, gawk sometimes failed and the error message "awk: double free or corruption" was displayed. With this update, the problem has been corrected and the error no longer occurs.
BZ#740673
Prior to this update, the gawk utility did not copy variables from the command line arguments. As a consequence, the variables were not accessible as intended. This update modifies the underlying code so that gawk makes copies of those variables.
BZ#743242
Prior to this update, the Yacc interpreter encountered problems handling larger stacks. As a consequence, the Yacc interpreter could fail with a stack overflow error when interpreting the AWK code. This update enlarges the stack and Yacc can now handle these AWK programs.
All users of gawk are advised to upgrade to this updated package, which fixes these bugs.

5.57. gcc

Updated gcc packages that fix various bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
The gcc packages include C, C++, Java, Fortran, Objective C, Objective C++, and Ada 95 GNU compilers, along with related support libraries.

Bug Fixes

BZ#751767
The gfortran compiler could fail to compile the code with an internal compiler error. This happened because the gfc_type_for_size() function from the trans-types.c library did not return the correct data type if the demanded bit precision was less than the built-in bit precision size of the corresponding type. With this update, the function returns the corresponding wider type if no suitable narrower type has been found and the code is compiled correctly.
BZ#756138
The G++ compiler terminated unexpectedly with a segmentation fault and returned an internal compiler error when compiling with the -O2 or -O3 optimization option. This happened because the compiler tried to cancel the same loop twice in the remove_path() function. With this update, the loop is canceled only once and the segmentation fault no longer occurs in this scenario.
BZ#756651
Previously, GCC could generate incorrect code when combining instructions while splitting a two-set pattern. This was due to an error in the way the split patterns were handled while combining the instructions. With this update, the code handling instruction combining has been fixed and the problem no longer occurs.
BZ#767604
Previously, GCC could terminate unexpectedly with an internal compiler error, which was triggered by aggressive loop peeling enabled by the "-mtune=z10" setting when moving registers. With this update, the registers are determined from the instruction patterns correctly and the compilation succeeds in this scenario.
BZ#799491
Typing into Web Console in Firefox caused Firefox to terminate unexpectedly. This happened because the compiler incorrectly cloned one of the functions called under these circumstances. With this update, the function is no longer cloned and the problem no longer occurs.

Enhancement

BZ#739443
Previously, the GCC compiler did not contain the header with functions for converting the half-float type. This update adds the header and also fixes GCC so that it works correctly with the "-march=native" option on AMD FX processor microarchitectures.
All users of gcc are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

5.58. gdb

Updated gdb packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.
The GNU Debugger (GDB) is the standard debugger for Linux. With GDB, users can debug programs written in C, C++, and other languages by executing them in a controlled fashion and printing out their data.

Bug Fixes

BZ#739685
To load a core file, GDB requires the binaries that were used to produce the core file. GDB uses a built-in detection to load the matching binaries automatically. However, you can specify arbitrary binaries manually and override the detection. Previously, loading other binaries that did not match the invoked core file could cause GDB to terminate unexpectedly. With this update, the underlying code has been modified and GDB no longer crashes under these circumstances.
BZ#750341
Previously, GDB could terminate unexpectedly when loading symbols for a C++ program compiled with early GCC compilers due to errors in the cp_scan_for_anonymous_namespaces() function. With this update, an upstream patch that fixes this bug has been adopted and GDB now loads any known executables without crashing.
BZ#781571
If GDB failed to find the associated debuginfo rpm symbol files, GDB displayed the following message suggesting installation of the symbol files using the yum utility:
Missing separate debuginfo for the main executable file Try: yum --disablerepo='*' --enablerepo='*-debuginfo' install /usr/lib/debug/.build-id/47/830504b69d8312361b1ed465ba86c9e815b800
However, the suggested "--enablerepo='*-debuginfo'" option failed to work with RHN (Red Hat Network) debug repositories. This update corrects the option in the message to "--enablerepo='*-debug*'" and the suggested command works as expected.
BZ#806920
On PowerPC platforms, DWARF information created by the IBM XL Fortran compiler does not contain the DW_AT_type attribute for DW_TAG_subrange_type; however, DW_TAG_subrange_type in the DWARF information generated by GCC always contains the DW_AT_type attribute. Previously, GDB could interpret arrays from IBM XL Fortran compiler incorrectly as it was missing the DW_AT_type attribute, even though this is in accordance with the DWARF standard. This updated GDB now correctly provides a stub index type if DW_AT_type is missing for any DW_TAG_subrange_type, and processes debug info from both IBM XL Fortran and GCC compilers correctly.
All users of gdb are advised to upgrade to these updated packages, which fix these bugs.

5.59. ghostscript

Updated ghostscript packages that fix three bugs are now available for Red Hat Enterprise Linux 6.
The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed.

Bug Fixes

BZ#643105
Prior to this update, the gdevcups driver, which produces CUPS Raster output, handled memory allocations incorrectly. This could cause the ghostscript program to terminate unexpectedly in some situations. This update applies backported fixes for handling the memory allocations to this version of ghostscript and the crash no longer occurs.
BZ#695766
Prior to this update, certain input files containing CID Type2 fonts were rendered with incorrect character spacing. This update modifies the code so that all input files with CID Type2 fonts are rendered correctly.
BZ#697488
Prior to this update, the page orientation was incorrect when pages in the landscape orientation were converted to the PXL raster format. This update matches landscape-page sizes as well as portrait-page sizes, and sets the orientation parameter correctly when a match is found.
All users of ghostscript are advised to upgrade to these updated packages, which fix these bugs.

5.60. glib2

Updated glib2 packages that fix one bug are now available for Red Hat Enterprise Linux 6.
GLib is a low-level core library that forms the basis for projects such as GTK+ and GNOME. It provides data structure handling for C, portability wrappers, and interfaces for such runtime functionality as an event loop, threads, dynamic loading, and an object system.

Bug Fix

BZ#782194
Prior to this update, the gtester-report script was not marked as executable in the glib2-devel package. As a consequence, gtester-report did not run with the default permissions. This update changes the glib2-devel package definition so that this script is now executable.
All users are advised to upgrade to these updated packages, which fix this bug.

5.61. glibc

Updated glibc packages that fix multiple bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
The glibc packages provide the standard C and standard math libraries used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

Bug Fixes

BZ#808545
Previously, if the nscd daemon received a CNAME (Canonical Name) record as a response to a DNS (Domain Name System) query, the cached DNS entry adopted the TTL (Time to Live) value of the underlying A or AAAA response. This caused the nscd daemon to wait an unexpectedly long time before reloading the DNS entry. With this update, nscd uses the shortest TTL from the response as the TTL for the entire record. DNS entries are now reloaded as expected in this scenario.
BZ#789238
Previously, locking of the main malloc arena was incorrect in the retry path. This could result in a deadlock if an sbrk request failed. With this update, locking of the main arena in the retry path has been fixed. This problem was exposed by a bug fix provided in the RHSA-2012:0058 update.
BZ#688720
glibc had incorrect information for numeric separators and groupings for French, Spanish, and German locales. Therefore, applications utilizing glibc's locale support printed numbers with the incorrect separators and groupings when those locales were in use. With this update, the separator and grouping information has been fixed.
BZ#781646
On some processors, a call to the memcpy() function used the optimized function variant. However, the optimized function variant copies the buffer backwards. As a result, if the source and target buffers overlapped, the program behaved in an unexpected way. Although calling memcpy() with overlapping buffers is a violation of ANSI/ISO standards and therefore considered an error, this update restores the prior memcpy() behavior and such programs now use the non-optimized variant of the function to allow applications to behave as before.
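The effect of copy direction on overlapping buffers described in BZ#781646, shown as an added example that is not part of the Technical Notes or of glibc. The helper names (copy_forward, copy_backward, regions_overlap, checked_copy, shift_down) and the sample buffer are constructed for illustration; the two byte loops stand in for the two memcpy() variants and are not their real implementations.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Signature shared by the copy routines compared below. */
typedef void (*copier_fn)(unsigned char *, const unsigned char *, size_t);

/* Byte-wise copy from low to high addresses. */
static void copy_forward(unsigned char *dst, const unsigned char *src, size_t n)
{
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i];
}

/* Byte-wise copy from high to low addresses (the "backwards" direction). */
static void copy_backward(unsigned char *dst, const unsigned char *src, size_t n)
{
    while (n--)
        dst[n] = src[n];
}

/* Returns 1 when [dst, dst+n) and [src, src+n) share at least one byte. */
static int regions_overlap(const void *dst, const void *src, size_t n)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;

    if (n == 0)
        return 0;
    return d < s ? (s - d < n) : (d - s < n);
}

/*
 * Copy that is defined for any pair of regions: memmove() is specified for
 * overlapping buffers, memcpy() is only valid when they do not overlap.
 */
static void *checked_copy(void *dst, const void *src, size_t n)
{
    return regions_overlap(dst, src, n) ? memmove(dst, src, n)
                                        : memcpy(dst, src, n);
}

/* Adapter so checked_copy() can be passed where a copier_fn is expected. */
static void via_checked_copy(unsigned char *dst, const unsigned char *src, size_t n)
{
    checked_copy(dst, src, n);
}

/*
 * Constructed case: inside the buffer "abcdefgh", move 6 bytes from offset 2
 * to offset 0. Source and destination overlap and the destination is lower.
 * The intended result is "cdefgh" followed by the untouched tail "gh".
 */
static const char *shift_down(copier_fn copy, char out[9])
{
    memcpy(out, "abcdefgh", 9);
    copy((unsigned char *)out, (const unsigned char *)out + 2, 6);
    return out;
}

int main(void)
{
    char buf[9];

    /* Forward copy reads each source byte before it is overwritten. */
    printf("forward : %s\n", shift_down(copy_forward, buf));
    /* Backward copy overwrites source bytes it has not read yet. */
    printf("backward: %s\n", shift_down(copy_backward, buf));
    /* Overlap-aware copy gives the intended result in either layout. */
    printf("checked : %s\n", shift_down(via_checked_copy, buf));
    return 0;
}
```

Code that happened to work with a forward-copying memcpy() in this layout is the kind of caller the update accommodates; replacing such calls with memmove() removes the dependency on copy direction.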
BZ#782585
Previously, the dynamic loader generated an incorrect ordering for initialization, which did not adhere to the ELF specification. This could result in incorrect ordering of DSO (Dynamic Shared Object) constructors and destructors. With this update, the dependency resolution has been fixed.
BZ#739971
The RHBA-2011:1179 glibc update introduced a regression, causing glibc to incorrectly parse groups with more than 126 members. Consequently, applications, such as id, failed to list all the groups a particular user was a member of. With this update, group parsing has been fixed.
BZ#740506
Due to a race condition within its malloc() routines, glibc incorrectly allocated too much memory. This could cause a multi-threaded application to allocate more memory to the threads than expected. With this update, the race condition has been fixed, and malloc's behavior is now consistent with the documentation regarding the MALLOC_ARENA_TEST and MALLOC_ARENA_MAX environment variables.
BZ#795498
Previously, glibc looked for an error condition in the incorrect location and therefore failed to process a second response buffer in the gaih_getanswer() function. As a consequence, the getaddrinfo() function could not properly return all addresses. This update fixes an incorrect error test condition in gaih_getanswer() so that glibc now correctly parses the second response buffer. The getaddrinfo() function now correctly returns all addresses.
BZ#750531
Previously, compiling code that was using the htons() function with the -O2 and -Wconversion parameters caused bogus warnings similar to the following:
warning: conversion to ‘short unsigned int’ from ‘int’ may alter its value
This update fixes types in multiple macros and the warning is no longer returned under these circumstances.
BZ#696472
Previously, glibc did not properly detect Intel Core i3, i5, and i7 processors. As a result, glibc sometimes used incorrect implementations of several functions resulting in poor performance. This update fixes the detection process and the library now provides the proper function implementations for these processors.
BZ#771342
Previously, glibc did not initialize the robust futex list after a fork() call. As a result, shared robust mutex locks were not cleaned up after the child process exited. This update ensures that the robust futex list is correctly initialized after a fork system call.
BZ#754628
When a process corrupted its heap, the malloc() function could enter a deadlock while creating an error message string. As a result, the process could become unresponsive. With this update, the process uses the mmap() function to allocate memory for the error message instead of the malloc() function. The malloc() deadlock therefore no longer occurs and the process with a corrupted heap now aborts gracefully.
BZ#788959, BZ#797094, BZ#809602
Previously, glibc unconditionally used alloca() to allocate buffers in various routines. If such allocations involved large internal memory requests, stack overflows could occur and the application could terminate unexpectedly. This update applies several upstream patches so that glibc now uses malloc() for these allocations and the problem no longer occurs.
BZ#789209
Previously, glibc used an incorrect symbol for the Ukrainian currency. With this update, the symbol has been fixed.
BZ#752123
Previously, it was not possible to install the 32-bit glibc-utils package on 64-bit systems and the package was therefore missing on 64-bit Intel architectures. This update modifies the spec file so as to move the respective files and avoid conflicts. As a result, the package is now installed on these 64-bit systems as expected.
BZ#657572, BZ#785984
Previously, glibc added unnecessary spaces to abbreviated month names in the Finnish and Chinese locales. With this update, the underlying code has been modified and the spaces are no longer added to the abbreviated month names in these locales.
BZ#767746
Previously, glibc returned incorrect error codes from the pthread_create() function. Consequently, some programs incorrectly issued an error for a transient failure, such as a temporary out-of-memory condition. This update ensures that glibc returns the correct error code when memory allocation fails in the pthread_create() function.
BZ#752122
Previously, glibc's dynamic loader incorrectly detected Advanced Vector Extensions (AVX) capabilities and could terminate unexpectedly with a segmentation fault. This update fixes the AVX detection and the problem no longer occurs.
BZ#766513
Previously, an error string in glibc's getopt routines changed and, as the respective Japanese translation was not adapted, the system failed to find the Japanese version of the message. As a result, the error message was displayed in English even if the system locale was set to Japanese. This update fixes the Japanese translation of the error string and the problem no longer occurs.
BZ#751750
Previously, glibc's locking in the IO_flush_all_lockp() function was incorrect. This resulted in a race condition with occasional deadlocks when calling the fork() function in multi-threaded applications. This update fixes the locking and avoids the race condition.
BZ#784402
Previously, the nscd daemon cached all transient results even if they were negative. This could result in erroneous nscd results. This update ensures that negative results of transient errors are not cached.
BZ#804630
When the resolv.conf file contained only nameservers with IPv6 and options rotate was set, the search domain was always appended. However, this is not desired in the case of fully qualified domain names (FQDN) and if an FQDN was used, the resolution failed. With this update, the underlying code has been modified and if more than one IPv6 nameserver is defined in resolv.conf, the FQDN is resolved correctly. Refer to bug 771204 for further information about this problem.
BZ#789189
Previously, when parsing the resolv.conf file, glibc did not handle the parsing of spaces in nameserver entries correctly. Consequently, correct DNS lookups failed. This update fixes the space parsing and the problem no longer occurs.
BZ#804689
The getaddrinfo() call could return an incorrect value. This happened because the query for getaddrinfo was more complex than necessary and getaddrinfo failed to handle the additional information returned by the query correctly. With this update, the query no longer returns the additional information and the problem is fixed.
Enhancements
BZ#697421, BZ#749188
Previously, glibc did not support the ISO-10646-UCS-2 character set for the following locales: az_AZ, as_IN, and tt_RU. This update adds support for the character set and the locales.
Users of glibc are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
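The alloca() fix described under BZ#788959, BZ#797094, BZ#809602 above follows a common pattern: small scratch buffers stay on the stack, and requests whose size is driven by caller input go to malloc(). The following is an added example, not glibc's patch; names_equal_ci(), make_name() and the 4096-byte threshold are assumptions made for illustration.

```c
#include <alloca.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap for stack scratch space; not glibc's internal value. */
#define STACK_SCRATCH_MAX 4096

/* Copies n bytes of src into dst in lower case and NUL-terminates dst. */
static void lower_into(char *dst, const char *src, size_t n)
{
    for (size_t i = 0; i < n; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[n] = '\0';
}

/* Case-insensitive name comparison that needs a scratch buffer sized by
   its inputs. Returns 1 if equal, 0 if different, -1 if memory could not
   be obtained. *used_heap reports which allocator backed the scratch. */
int names_equal_ci(const char *a, const char *b, int *used_heap)
{
    size_t la = strlen(a), lb = strlen(b);
    char *scratch;
    size_t need;
    int equal;

    *used_heap = 0;
    if (la != lb)
        return 0;
    if (la > (SIZE_MAX - 2) / 2)        /* 2 * la + 2 would wrap */
        return -1;
    need = 2 * la + 2;

    if (need <= STACK_SCRATCH_MAX) {
        /* Bounded request: safe to take from the stack. */
        scratch = alloca(need);
    } else {
        /* Large request: a failed malloc() is reportable, whereas an
           oversized alloca() overruns the stack with no error return. */
        scratch = malloc(need);
        if (scratch == NULL)
            return -1;
        *used_heap = 1;
    }

    lower_into(scratch, a, la);
    lower_into(scratch + la + 1, b, lb);
    equal = memcmp(scratch, scratch + la + 1, la) == 0;

    if (*used_heap)
        free(scratch);
    return equal;
}

/* Builds a NUL-terminated name of n copies of fill (constructed input). */
char *make_name(size_t n, char fill)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, fill, n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    int heap;
    int eq = names_equal_ci("Example.COM", "example.com", &heap);
    printf("short names: equal=%d heap=%d\n", eq, heap);

    /* 1 MiB inputs need about 2 MiB of scratch, far past the stack cap. */
    char *a = make_name((size_t)1 << 20, 'A');
    char *b = make_name((size_t)1 << 20, 'a');
    if (a != NULL && b != NULL) {
        eq = names_equal_ci(a, b, &heap);
        printf("1 MiB names: equal=%d heap=%d\n", eq, heap);
    }
    free(a);
    free(b);
    return 0;
}
```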

5.62. gnome-desktop

An updated gnome-desktop package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The gnome-desktop package contains an internal library (libgnomedesktop) used to implement some portions of the GNOME desktop, and also some data files and other shared components of the GNOME user environment.

Bug Fix

BZ#639732
Previously, due to an object not being destroyed, the Nautilus file manager could consume an excessive amount of memory. Consequently, constantly growing resident memory would slow down the system. The source code has been modified to prevent memory leaks from occurring and Nautilus now consumes a reasonable amount of memory.
All users of gnome-desktop are advised to upgrade to this updated package, which fixes this bug.

5.63. gnome-keyring

Updated gnome-keyring packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The gnome-keyring session daemon manages passwords and other types of secrets for the user, storing them encrypted with a main password. Applications can use the gnome-keyring library to integrate with the keyring.

Bug Fixes

BZ#708919, BZ#745695
Previously, the mechanism for locking threads was missing. Due to this, gnome-keyring could have, under certain circumstances, terminated unexpectedly on multiple key requests from the integrated ssh-agent. With this update, the missing mechanism has been integrated into gnome-keyring so that gnome-keyring now works as expected.
All users of gnome-keyring are advised to upgrade to these updated packages, which fix these bugs.

5.64. gnome-power-manager

Updated gnome-power-manager packages that fix one bug are now available for Red Hat Enterprise Linux 6.
GNOME Power Manager uses the information and facilities provided by UPower to display icons and handle user callbacks in an interactive GNOME session.

Bug Fix

BZ#676866
After resuming the system or re-enabling the display, an icon could appear in the notification area with an erroneous tooltip that read "Session active, not inhibited, screen idle. If you see this test, your display server is broken and you should notify your distributor." and included a URL to an external web page. This error message was incorrect, had no effect on the system and could be safely ignored. In addition, linking to an external URL from the notification and status area is unwanted. To prevent this, the icon is no longer used for debugging idle problems.
All users of gnome-power-manager are advised to upgrade to these updated packages, which fix this bug.

5.65. gnome-settings-daemon

An updated gnome-settings-daemon package that fixes several bugs and adds various enhancements is now available for Red Hat Enterprise Linux 6.
The gnome-settings-daemon package contains a daemon to share settings from GNOME with other applications. It also handles global key bindings, as well as a number of desktop-wide settings.

Bug Fixes

BZ#693843
Previously, the selected keyboard layout on certain machines reverted to the "US" layout every time the user logged in. With this update, the bug has been fixed so that the selected keyboard layout is not reverted anymore.
BZ#805036
Previously, the automatic mapping of the screen tablet did not work with the NVIDIA driver. With this update, support for the NV-CONTROL extension has been added so that the automatic mapping of the screen tablet now works as expected.
BZ#805042
Previously, the button mapping to actions did not work in the Wacom graphics tablet plug-in. As a result, the Map Buttons did not display in the GUI and activating buttons on the Wacom graphics tablet had no effect. With this update, these problems have been fixed.

Enhancements

BZ#769464
With this update, Wacom graphics tablets are now supported with gnome-settings-daemon.
BZ#816646
This update modifies the way gnome-settings-daemon stores settings in GConf. Previously, the settings were stored per user and per device. With this update, the settings are now stored per user, per device, and per machine.
All users of gnome-settings-daemon are advised to upgrade to this updated package, which fixes these bugs and adds these enhancements.

5.66. gnome-system-monitor

An updated gnome-system-monitor package that fixes two bugs is now available for Red Hat Enterprise Linux 6.
The gnome-system-monitor utility allows users to graphically view and manipulate the running processes on the system, and provides an overview of available resources such as CPU and memory.

Bug Fixes

BZ#682011
Prior to this update, the gnome-system-monitor failed to correctly parse the contents of the /proc/cpuinfo file if it included an informational entry about the machine model on 64-bit PowerPC architectures. As a consequence, a false "Unknown CPU model" processor was incorrectly reported by the application. This update changes the parsing code to discard such information when it does not identify an additional processor.
BZ#692956
Prior to this update, the gnome-system-monitor parser code expected a certain string to identify the CPU speed which is not used for all architectures. As a consequence, the gnome-system-monitor could fail to correctly parse the processor speed from /proc/cpuinfo when a different string was used, for example on 64-bit PowerPC. This update changes the parsing code to support different string types used on such architectures.
All users of gnome-system-monitor are advised to upgrade to this updated package, which fixes these bugs.

5.67. grep

An updated grep package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The grep utility searches through textual input for lines which contain a match to a specified pattern and then prints the matching lines. GNU grep utilities include grep, egrep and fgrep.

Bug Fix

BZ#741452
Previously, the grep utility was not able to handle the EPIPE error. If a SIGPIPE signal was blocked by the shell, grep kept continuously printing error messages. An upstream patch has been applied to address this problem, so that grep exits on the first EPIPE error and prints only one error message.
All users of grep are advised to upgrade to this updated package, which fixes this bug.

5.68. grub

Updated grub packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The GRUB utility is responsible for booting the operating system kernel.

Bug Fix

BZ#670266
Due to an error in the underlying source code, previous versions of GRUB sometimes failed to boot in Unified Extensible Firmware Interface (UEFI) mode when booting from the network on systems with multiple Pre-boot Execution Environment (PXE) network interface cards (NICs). This update ensures that GRUB attempts to identify and use an active interface that has already successfully acquired an address via Dynamic Host Configuration Protocol (DHCP) instead of using the one suggested by the system. As a result, booting from the network in UEFI mode now works as expected on systems with multiple NICs.
All users of GRUB are advised to upgrade to these updated packages, which fix this bug.

5.69. grubby

Updated grubby packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The grubby packages provide grubby, a command line tool for displaying and editing of GRUB (GRand Unified Bootloader) configuration files.

Bug Fix

BZ#696960
Previously, when grubby was executed with the "--args=[arguments] --update-kernel=ALL" options to update command line arguments for all kernels whose boot configuration was stored in the edited configuration file, it updated only arguments for the first kernel in the file. As a result, arguments for the other kernels were not updated. This update ensures that arguments for all kernels in a configuration file are updated when grubby is launched with the aforementioned options.
All users of grubby are advised to upgrade to these updated packages, which fix this bug.

5.70. gtk2

Updated gtk2 packages that fix three bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
GTK+ is a multi-platform toolkit for creating graphical user interfaces.

Bug Fixes

BZ#697437
Previously, the "Open Files" dialog box failed to show the "Size" column if it was previously used in "Search" mode. This update fixes the bug by ensuring that the "Size" column is always displayed according to the "Show Size Column" context menu option.
BZ#750756
Previously, copying text from selectable labels, such as those displayed in message dialog boxes, using the Ctrl+Insert key combination did not work. This update adds the Ctrl+Insert key combination that copies selected text to clipboard when activated.
BZ#801620
Previously, certain GTK applications, such as virt-viewer, failed to properly initialize key bindings associated with menu items. This was due to a bug in the way properties associated with the menu items were parsed by the library. This update fixes the bug, rendering the menu items accessible again by key bindings for applications that use this feature.

Enhancement

BZ#689188
Previously, the "Open Files" dialog box could appear with an abnormal width when the "file type" filter contained a very long string (as observed with certain image hosting websites), making the dialog unusable. With this update, the dialog box splits the filter string into multiple lines of text, so that the dialog keeps a reasonable width.
All users of gtk2 are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

5.71. hivex

Updated hivex packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
Hive files are undocumented binary files that Windows uses to store the Windows Registry on the disk. Hivex is a library that can read and write to these files.
The hivex packages have been upgraded to upstream version 1.3.3, which provides a number of bug fixes and enhancements over the previous version. (BZ#734208)
All hivex users are advised to upgrade to these updated hivex packages, which fix these bugs and add these enhancements.

5.72. hsqldb

Updated hsqldb packages that add an enhancement are now available for Red Hat Enterprise Linux 6.
HSQLDB is a relational database engine written in Java, with a JDBC driver, supporting a subset of ANSI-92 SQL. It offers a small (about 100k), fast database engine which offers both in-memory and disk-based tables. Embedded and server modes are available. Additionally, it includes tools such as a minimal web server, in-memory query and management tools (which can be run as applets or servlets), and a number of demonstration examples.

Enhancement

BZ#816735
HSQLdb has been updated to add stubs for JDBC 4.1.
Users of hsqldb are advised to upgrade to these updated packages, which add this enhancement.

5.73. hwdata

An updated hwdata package that adds two enhancements is now available for Red Hat Enterprise Linux 6.
The hwdata package contains tools for accessing and displaying hardware identification and configuration data.

Enhancements

BZ#737467
With this update, the monitor database has been updated with information about the Acer 76ie monitor. Also, several duplicate monitor entries have been removed from the database.
BZ#760014
The pci.ids database has been updated with information about the Atheros wireless network adapter, Killer Wireless-N 1103.
All users of hwdata are advised to upgrade to this updated package, which adds these enhancements.

5.74. icedtea-web

Updated icedtea-web packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
IcedTea-Web provides a Java web browser plug-in, a Java Web Start implementation, and the IcedTea Web Control Panel.
The icedtea-web packages have been upgraded to upstream version 1.2, which provides a number of bug fixes and enhancements over the previous version. (BZ#756843)
Note: This update is not compatible with Firefox 3.6 and earlier. If you are using such a Firefox version, upgrade to a later supported version before applying this update.
All users of icedtea-web are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

5.75. imsettings

Updated imsettings packages that fix one bug are now available for Red Hat Enterprise Linux 6.
IMSettings provides command line tools and a library to configure and control input-methods settings. Users normally access it through the "im-chooser" GUI tool.

Bug Fix

BZ#713433
Prior to this update, the IMSettings daemon unexpectedly invalidated the previous pointer after obtaining a new pointer. This update modifies IMSettings so that the code is updated after all transactions are finished.
All users of imsettings are advised to upgrade to these updated packages, which fix this bug.

5.76. indent

An updated indent package that fixes two bugs is now available for Red Hat Enterprise Linux 6.
The indent package provides a utility to convert from one C writing style to a different one. Indent understands correct C syntax and can handle incorrect C syntax.

Bug Fixes

BZ#733265
Prior to this update, suffixes were incorrectly separated when running the indent utility on code with decimal float constants. As a consequence, indent could encounter a compilation syntax error. This update modifies indent to understand decimal float suffixes as proposed by the N1312 draft of ISO/IEC WDTR24732. Now, indent handles decimal float constants as expected.
BZ#784304
Prior to this update, the internal test-suite did not signal test failure by exit code if indent failed to pass the test. This update adds an exit call with non-zero value to signal failure.
All users of indent are advised to upgrade to this updated package, which fixes these bugs.

5.77. initscripts

Updated initscripts packages that fix multiple bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
The initscripts package contains system scripts to boot your system, change runlevels, activate and deactivate most network interfaces, and shut the system down cleanly.
Bug Fixes
BZ#781493
The previous version of initscripts did not support IPv6 routing in the same way as IPv4 routing. IPv6 addressing and routing could be achieved only by specifying the ip commands explicitly with the -6 flag in the /etc/sysconfig/network-scripts/rule-DEVICE_NAME configuration file where DEVICE_NAME is the name of the respective network interface. With this update, the related network scripts have been modified to provide support for IPv6-based policy routing and IPv6 routing is now configured separately in the /etc/sysconfig/network-scripts/rule6-DEVICE_NAME configuration file.
BZ#786404
During the first boot after system installation, the kernel entropy was relatively low for generating high-quality keys for sshd. With this update, the entropy created by the disk activity during system installation is saved in the /var/lib/random-seed file and used for key generation. This provides enough randomness and allows generation of keys based on sufficient entropy.
BZ#582002
In emergency mode, every read request from the /dev/tty device ended with an error and consequently, it was not possible to read from the /dev/tty device. This happened because, when activating single-user mode, the rc.sysinit script called the sulogin application directly. However, sulogin needs to be the console owner to operate correctly. With this update, rc.sysinit starts the rcS-emergency job, which then runs sulogin with the correct console setting.
BZ#588993
The ifconfig utility was not able to handle 20-byte MAC addresses in InfiniBand environments and reported that the provided addresses were too long. With this update, the respective ifconfig commands have been changed to aliases to the respective ip commands and ifconfig now handles 20-byte MAC addresses correctly.
BZ#746045
Due to a logic error, the sysfs() call did not remove the arp_ip_target correctly. As a consequence, the following error was reported when attempting to shut down a bonding device:
ifdown-eth: line 64: echo: write error: Invalid argument
This update modifies the script so that the error no longer occurs and arp_ip_target is now removed correctly.
BZ#746808
The serial.conf file now contains improved comments on how to create an /etc/init/tty<device>.conf file that corresponds to the active serial device.
BZ#802119
The network service showed error messages on service startup similar to the following:
Error: either "dev" is duplicate, or "20" is a garbage.
This was due to incorrect splitting of the parsed arguments. With this update, the arguments are processed correctly and the problem no longer occurs.
BZ#754984
The halt initscript did not contain support for the apcupsd daemon, the daemon for power management and controlling of APC's UPS (Uninterruptible Power Supply) supplies. Consequently, the supplies were not turned off on power failure. This update adds the support to the script and the UPS models are now turned off in power-failure situations as expected.
BZ#755175
In the previous version of initscripts, the comments with descriptions of variables kernel.msgmnb and kernel.msgmax were incorrect. With this update, the comments have been fixed and the variables are now described correctly.
BZ#787107
Due to an incorrect logic operator, the following error was returned on network service shutdown as the shutdown process failed:
69: echo: write error: Invalid argument
With this update, the code of the shutdown initscript has been modified and the error is no longer returned on network service shutdown.
BZ#760018
The system could remain unresponsive for some time during shutdown. This happened because initscript did not check if there were any CIFS (Common Internet File System) share mounts and failed to unmount any mounted CIFS shares before shutdown. With this update, a CIFS shares check has been added and the shares are stopped prior to shutdown.
BZ#721010
The ifup-aliases script was using the ifconfig tool when starting IP alias devices. Consequently, the ifup execution was gradually slowing down significantly with the increasing number of the devices on the NIC (Network Interface Card) device. With this update, IP aliases now use the ip tool instead of ifconfig and the performance of the ifup-aliases script remains constant in the scenario described.
BZ#765835
Prior to this update, the netconsole script could not discover and resolve the MAC address of a router specified in the /etc/sysconfig/netconsole file. This happened because the address was resolved as two identical addresses and the script failed. This update modifies the netconsole script so that it handles the MAC address correctly and the device is discovered as expected.
BZ#757637
In the Malay (ms_MY) locale, some services did not work properly. This happened due to a typographical mistake in the ms.po file. This update fixes the mistake and services in the ms_MY locale run as expected.
BZ#749610
The primary option for bonding in the ifup-eth tool had a timing issue when bonding NIC devices. Consequently, the bonding was configured, but it was the active interface that was enslaved first. With this update, the timing of bonding with the primary option has been corrected and the device defined in the primary option is enslaved first as expected.
Enhancement
BZ#704919
Users can now set the NIS (Network Information Service) domain name by configuring the NISDOMAIN parameter in the /etc/sysconfig/network file, or other relevant configuration files.
Users of initscripts should upgrade to these updated packages, which fix these bugs and add this enhancement.

5.78. iok

An updated iok package that fixes multiple bugs is now available for Red Hat Enterprise Linux 6.
The iok package contains an Indic on-screen virtual keyboard that supports the Assamese, Bengali, Gujarati, Hindi, Kannada, Marathi, Malayalam, Punjabi, Oriya, Sindhi, Tamil and Telugu languages. Currently, iok works with Inscript and xkb keymaps for Indian languages, and is able to parse and display non-Inscript keymaps as well.
The iok package has been upgraded to upstream version 1.3.13, which provides a number of bug fixes over the previous version.
Bug Fixes
BZ#736992
Due to xkb keymaps being rewritten in a recent update of the xkeyboard-config package, iok's language list contained incorrect xkb keymap names when selecting the Hindi X Keyboard Extension (XKB). To fix this problem, iok's xkb parser has been rewritten.
BZ#752667
Previously, iok looked for files with the ".mim" suffix in the "~/.m17n" directory instead of the "~/.m17n.d" directory. This update modifies the directory path to the correct "~/.m17n.d" so that the user-defined keymap files are saved in the correct directory.
BZ#752668
Previously, when using the on-screen keyboard, mouse clicks on various characters worked as expected. However, finger inputs failed because the first selected character was selected regardless of what characters the user selected next. With this update, users can use the drag-and-drop feature when running iok in advanced mode (the "iok -a" command), which allows users to drag the first key button over the second button. The drag-and-drop feature is not available in iok's default mode.
BZ#798592
Due to a small size of the xkb name array, if the user selected the xkb-Malayalam keymap (enhanced Indian Script with the Rupee sign), and then pressed the "To English" button, the iok utility could terminate unexpectedly. With this update, the size of the xkb name array has been increased so that the utility no longer crashes in the described scenario.
All users of iok are advised to upgrade to this updated package, which fixes these bugs.

5.79. ipa

Updated ipa packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
Red Hat Identity Management is a centralized authentication, identity management and authorization solution for both traditional and cloud-based enterprise environments. It integrates components of the Red Hat Directory Server, MIT Kerberos, Red Hat Certificate System, NTP, and DNS. It provides web browser and command-line interfaces. Its administration tools allow an administrator to quickly install, set up, and administer a group of domain controllers to meet the authentication and identity management requirements of large-scale Linux and UNIX deployments.

Upgrade to an upstream version

The ipa package has been upgraded to upstream version 2.2.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#736865)
Bug Fixes
BZ#810900
The Identity Management password policy plug-in for the Directory Server did not properly sort the history of user passwords when it was checking the sanity of a password change. Due to this bug, the user password history was sorted randomly, and, consequently, a random password was removed rather than the oldest password when the list overflowed. As a result, users could bypass the password policy requirement for password repetition. User passwords are now sorted correctly in the Identity Management password plug-in for the Directory Server, and the password policy requirement for password repetition is properly enforced.
BZ#805478
Due to a bug in the Identity Management permission plug-in, an attempt to rename a permission always resulted in an error. Consequently, users had to remove the permission and create a new permission with a new name when attempting to rename a permission. With this update, the underlying source code has been modified to address this issue, and users are now able to rename permissions.
BZ#701677
Previously, the DNS plug-in did not allow users to set a query or a transfer policy for a zone managed by Identity Management. Therefore, users could not control who could query or transfer zones in the same way they do with zones stored in plain text files. With this update, users can set ACLs for every zone managed by Identity Management; thus, users can control who can query their zones or run zone transfers.
BZ#773759
Non-admin users with an appropriate permission can change passwords of other users. However, the target group of this permission was previously not limited. Consequently, a non-admin user with the permission to change passwords could change the password of the admin user and acquire access to the admin account. With this update, the permission was changed to allow password changes for non-admin users only.
BZ#751173
When the ipa passwd CLI command was used to change a user's password, it returned the following error message when the password change failed:
ipa: ERROR: Constraint violation: Password Fails to meet minimum strength criteria
User password changes are subject to a configured password policy. Without a proper error message, it may be difficult to investigate why the password change failed (password complexity, too soon to change password, etc.) and amend the situation. The Directory Server plug-in that is used to change passwords now returns a proper error message if the ipa passwd command fails.
BZ#751597
When an Identity Management server is installed with a custom hostname which is not properly resolvable in DNS, an IP address for the custom hostname is requested from the user. Next, a host record is added to the /etc/hosts file so that the custom hostname is resolvable and the installation can continue. However, previously, the record was not added when the IP address was passed using the --ip-address option. As a result, installation failed because subsequent steps could not resolve the machine's IP address. With this update, a host record is added to /etc/hosts even when the IP address is passed via the --ip-address option, and the installation process continues as expected.
BZ#751769
Identity Management could not be installed on a server with a custom LDAP server instance even though the LDAP server instance runs on a custom port and therefore does not conflict with Identity Management. As a result, users could not deploy custom LDAP instances on a system with Identity Management. With this update, Identity Management no longer enforces that no LDAP instances exist. Instead, it checks that reserved LDAP ports (389 and 636) are free. Users can combine an Identity Management server with custom LDAP server instances as long as they run on custom ports.
BZ#753484
When the Kerberos single sign-on to the Identity Management Web UI failed, the Web UI did not fall back to the login and password authentication. Workstations outside of the Identity Management Kerberos realm, or with incompatible browsers, could not access the Web UI unless a fallback from Kerberos authentication to login and password authentication was configured on the Identity Management web server. The Web UI is now able to fall back to form based authentication when Kerberos authentication cannot be used.
BZ#754973
The force-sync, re-initialize, and del sub-commands of the ipa-replica-manage command failed when used against a winsync agreement on an Active Directory machine, limiting the user's ability to control winsync replication agreements. With this update, the ipa-replica-manage command was fixed to manage both standard replication agreements and winsync agreements in a more robust way.
BZ#757681
The Identity Management installer did not process the host IP address properly when the --no-host-dns option was passed. When a hostname was not resolvable and the --no-host-dns option was used, the ipa-replica-install utility failed during the installation and did not amend the hostname resolution in the same way as the ipa-server-install utility does. With this update, ipa-server-install and ipa-replica-install now share host IP address processing, and both add a record to the /etc/hosts file when the server or replica hostname is not resolvable.
BZ#759100
The Identity Management server installation script did not properly handle situations when a server had 2 IP addresses assigned, and failed to proceed with the installation. This update fixes the installation script, and installing the Identity Management server in a dual-NIC configuration works as expected.
BZ#750828
When Identity Management is installed with the --external-ca option, the installation is divided in two stages. The second stage of the installation process reads configuration options from a file stored by the first stage. Previously, the installer did not properly store a value with the DNS forwarder IP address, which was then misread by the second stage of the installation process, and name server configuration in the second stage of the installation failed. With this update, the forwarder option is correctly stored, and installation works as expected.
BZ#772043
Prior to this update, the Identity Management netgroup plug-in did not validate netgroup names. Consequently, a netgroup with an invalid name could be stored in an LDAP server which could then crash when the invalid value was processed by the NIS plug-in. The Identity Management netgroup plug-in now enforces stricter validation of netgroup names.
BZ#772150
Certain Identity Management replica agreements ignored a list of attributes that should have been excluded from replication. Identity Management attributes that are generated locally on each master by the LDAP server plug-in (in this case, the memberOf attribute) were being replicated. This forced all Identity Management replicas' LDAP servers to re-process the memberOf data and increase the load on the LDAP servers. When many entries were added to a replica in a short period of time, or when a replica was being re-initialized from another master, all replicas were flooded with memberOf changes, which caused high load on all replica machines and caused performance issues. New replica agreements, added by the ipa-replica-install utility, no longer ignore lists of attributes excluded from replication. Re-initialization or a high number of added entries in an Identity Management LDAP server no longer causes performance issues caused by memberOf processing. Old replica agreements have also been updated to contain the correct list of attributes excluded from replication.
BZ#784025
The ipa automountmap-add-indirect command creates a new map and adds a key to the parent map (auto.master by default) which references the new indirect map. Because map nesting is only allowed in the auto.master map, a submount map referenced in other maps needs to follow a standard submount format (that is, <key> <origin> <mapname>) so that the referenced map is correctly loaded from LDAP. However, the automountmap-add-indirect sub-command did not follow this distinction and the <origin> and <mapname> attributes were not filled correctly. Therefore, submount maps referenced in a non-auto.master map were not recognized as automount maps by the autofs client software, and were not mounted. Submount maps referenced in a map that is not an auto.master map now follow a standard submount format, with the correct <key>, <origin> (-fstype=autofs), and <mapname> (ldap:$MAP_NAME). autofs client software is now able to correctly process submount maps both in auto.master and in other maps, and mount them.
BZ#785756
Prior to this update, the Identity Management user plug-in used a hard-coded default value for a user's home directory instead of using the value that was configured. When an administrator changed the default user home directory in the Identity Management config plug-in from the default value to a custom value, this value was not honored when a user was added. This update fixes this bug, and when a new user is created without a custom home directory specified via a special option, the default configured home directory is used.
BZ#797274
The Identity Management certificate template did not include a subjectKeyIdentifier field even though it is marked with the SHOULD keyword in the RFC 3280 document. Because of this, certain applications processing these certificates could report errors. With this update, the certificate template for both current and new IPA server installations now contains the subjectKeyIdentifier field.
BZ#797562
Identity Management host and DNS plug-ins did not properly process hostnames or DNS zone names with a trailing dot. Consequently, the created host record FQDN attribute contained two values instead of one normalized value. This may have caused issues in further host record processing. With this update, all hostnames are normalized using a format without a trailing dot. The Identity Management DNS plug-in now accepts DNS zone names in both formats — with and without a trailing dot.
BZ#797565
Previously, CSVs were split in both CLI and server part of Identity Management processing. As a result, values which contained escaped comma characters were incorrectly split for the second time. With this update, CSV processing is done only in the client interface. Identity Management RPC interfaces (both XML-RPC and JSON-RPC) no longer process CSVs. Comma escaping was also replaced with quoting.
BZ#797566
The Identity Management server uninstall process removed system users that were added as a part of an Identity Management installation. This included dirsrv or pkiuser users, which the Directory Server uses to run its instances. These users also own log files produced by the Directory Server. If an Identity Management server was installed again, and the newly added system users' UIDs changed, the Directory Server could fail to start because the Directory Server instance was not permitted to write to the log files owned by the old system users with different UIDs. With this update, system users generated by an Identity Management server installation are no longer removed during the uninstall process.
BZ#747693
Identity Management plug-ins for LDAP ACI management (permission, selfservice, and delegation plug-ins) did not process their options in a robust way and had a relaxed validation of passed values. ACI management plug-ins could return Internal Errors when empty options or the --raw option were passed. An Internal Error was also returned when an invalid attribute was passed to the ACI attribute list option. Option processing is now more robust and more strict in validation. Proper errors are now returned when invalid or empty option values are passed.
BZ#746805
Objects which have an enabled/disabled state (that is, user accounts, sudo rules, HBAC rules, SELinux policies) were not distinguished in related search pages in the Web UI. Lines containing disabled objects are now grayed out in the search pages, and enabled columns have a different icon for each state.
BZ#802912
An Identity Management certificate did not read a custom user certificate subject base when validating a new certificate issuer. When an Identity Management server is installed with a custom subject base, and does not use the default subject base, issuing new certificates in the Identity Management Certificate Authority may return invalid issuer errors. With this update, a custom user certificate subject base is always read before the certificate issuer is validated, and the aforementioned errors are no longer returned when certificates are issued.
BZ#803050
Clicking Cancel in an error dialog in the Web UI when an unexpected error, such as an internal server error, was received made the Web UI unusable because the error message replaced the page content. With this update, error messages have their own containers, which fixes the aforementioned issue.
BZ#803836
Identity Management did not configure its Directory Server instance to always keep its RootDSE available anonymously and decrypted. As a consequence, when a user changed the nsslapd-minssf attribute in the Directory Server instance configuration to increase security demands on the connection to the instance, some applications (for example, SSSD) may have stopped working as they could no longer read RootDSE anonymously. To fix this issue, Identity Management now sets the nsslapd-minssf-exclude-rootdse option in the Directory Server instance configuration. Users and applications can access RootDSE in an Identity Management Directory Server instance anonymously even when the instance is configured with increased security demands on incoming connections.
BZ#807366
Previously, the Netgroup page in the Web UI did not have input fields for specifying all options. With this update, the entire Netgroup page has been redesigned to add this functionality.
BZ#688765
Identity Management DNS plug-in did not validate the contents of DNS records. Some DNS record types (for example, MX, LOC, or SRV) have a complex data structure which needs to be stored, otherwise the record is not resolvable. Relaxed DNS plug-in validation let users create invalid records which then could not be resolved even though they were stored in LDAP. With this update, every DNS record type (except the experimental A6 DNS record type) is now validated with respect to a relevant RFC document. The validation covers most common user errors and also provides the user with guidance on why the entered record is invalid. Users are also able to create more complex DNS records without detailed knowledge of their structure as the improved DNS plug-in interface provides guidance when creating DNS records. Also, the DNS plug-in does not let users enter invalid records any more.
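The kind of per-type check BZ#688765 describes, as an added Python example that is not the Identity Management DNS plug-in's code: MX data is validated against the RFC 1035 field layout and SRV data against RFC 2782, and each failure is reported with a reason. The function names, the schema table and the sample records are assumptions made for this illustration.

```python
import re

# RFC 1123 host-name label: 1-63 letters, digits or '-', not starting or ending with '-'.
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
U16 = re.compile(r"[0-9]{1,5}")


def check_u16(field, value):
    """16-bit unsigned field (MX preference, SRV priority/weight/port)."""
    if not U16.fullmatch(value) or int(value) > 65535:
        return "%s must be an integer from 0 to 65535, got %r" % (field, value)
    return None


def check_hostname(field, value):
    """Domain name field; one trailing dot (absolute name) is accepted."""
    name = value[:-1] if value.endswith(".") else value
    if not name:
        return "%s is empty" % field
    if len(name) > 253:
        return "%s is longer than 253 characters" % field
    for label in name.split("."):
        if not LABEL.fullmatch(label):
            return "%s has invalid label %r" % (field, label)
    return None


def check_srv_target(field, value):
    """SRV target: a host name, or '.' meaning the service is not offered (RFC 2782)."""
    return None if value == "." else check_hostname(field, value)


# Field layout per record type (hypothetical table for this example).
SCHEMAS = {
    "MX": [("preference", check_u16), ("exchanger", check_hostname)],
    "SRV": [("priority", check_u16), ("weight", check_u16),
            ("port", check_u16), ("target", check_srv_target)],
}


def validate(rtype, rdata):
    """Return a list of human-readable problems; an empty list means valid."""
    schema = SCHEMAS.get(rtype.upper())
    if schema is None:
        return ["no validator for record type %r in this example" % rtype]
    fields = rdata.split()
    names = " ".join(name for name, _ in schema)
    if len(fields) != len(schema):
        return ["%s data needs %d fields (%s), got %d"
                % (rtype.upper(), len(schema), names, len(fields))]
    errors = []
    for (name, check), value in zip(schema, fields):
        problem = check(name, value)
        if problem:
            errors.append(problem)
    return errors


# Constructed sample records, not taken from the page.
SAMPLES = [
    ("MX", "10 mail.example.com."),
    ("MX", "mail.example.com"),               # preference missing
    ("SRV", "0 100 389 ipa.example.com"),
    ("SRV", "0 100 70000 ipa.example.com"),   # port out of range
    ("SRV", "0 100 389 -bad.example.com"),    # label starts with '-'
]

if __name__ == "__main__":
    for rtype, rdata in SAMPLES:
        print(rtype, repr(rdata), "->", validate(rtype, rdata) or "OK")
```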
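The double split described in BZ#797565 above, as an added Python example that is not Identity Management code: the legacy pair splits on unescaped commas in the client and again in the server, while the fixed pair parses quoted CSV once in the client and passes a list through the RPC layer untouched. All function names and the sample value are hypothetical.

```python
import csv
import io


def split_escaped(text):
    """Split on commas not preceded by a backslash, then drop the escapes."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] == ",":
            current.append(",")          # escaped comma becomes a literal comma
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def legacy_client(arg):
    """Old flow, step 1: the CLI splits the argument and unescapes each value."""
    return split_escaped(arg)


def legacy_server(values):
    """Old flow, step 2: the server splits every received value a second time."""
    out = []
    for value in values:
        out.extend(split_escaped(value))
    return out


def fixed_client(arg):
    """New flow: CSV is parsed once, in the client, with quoting instead of escaping."""
    rows = list(csv.reader(io.StringIO(arg)))
    return rows[0] if rows else []


def fixed_server(values):
    """New flow: the RPC layer treats each list element as an opaque value."""
    return list(values)


def demo():
    # Constructed sample: one value that contains a comma, plus a plain value.
    legacy = legacy_server(legacy_client("cn=Smith\\, John,cn=Doe"))
    fixed = fixed_server(fixed_client('"cn=Smith, John",cn=Doe'))
    return legacy, fixed


if __name__ == "__main__":
    legacy, fixed = demo()
    print("legacy:", legacy)   # the first value is broken in two by the second split
    print("fixed: ", fixed)
```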

Enhancements

Note

For a list of major features that were added by this update, refer to Red Hat Enterprise Linux 6.3 Release Notes.
BZ#759501
When the number of failed login attempts exceeds the maximum that is configured, the account is locked. However, an investigation of the lock-out status of a particular user was difficult as the number of failed login attempts was not replicated. Identity Management now includes a new ipa user-status command that provides the number of failed login attempts on all configured replicas along with the time of the last successful or failed login attempt.
BZ#766181
When a new user is added, a User Private Group (UPG) is created and assigned as that user's primary group by default. However, there may be use cases when an administrator wants to use a common group assigned as a primary group for all users. The Directory Server plug-in that handles the creation of UPGs can now be disabled with a new utility — ipa-managed-entries. This utility lets administrators disable automatic creation of UPGs, and allows all new users to share a common group as their primary group.
BZ#767725
When an Identity Management server is configured with DNS support, DNS zone dynamic update policy allows Identity Management clients to update a relevant DNS forward record if the client IP address changes. However, for security reasons, clients cannot be allowed to update their reverse records because they would be able to change any record in the reverse zone. With this update, an Identity Management DNS zone can be configured to allow automatic updates of client reverse records when the forward record is updated with the new IP address. As a result, both forward and reverse records for a client machine can be updated when the client IP address changes.
BZ#772044
The Identity Management host plug-in did not allow storing of machine MAC addresses. Administrators could not assign MAC addresses to host entries in Identity Management. With this update, a new attribute for MAC addresses was added to the Identity Management host plug-in. Administrators can now assign a MAC address to a host entry. The value can then be read from the Identity Management LDAP server with, for example, the following command:
~]$ getent ethers <hostname>
BZ#772301
When a forward DNS record was created, no corresponding reverse record was created even when both the forward and the reverse zone were managed by Identity Management. Users always had to create both the forward and the reverse records manually. With this update, both CLI and Web UI now have the option to automatically create a reverse record when an IPv4 or IPv6 forward record is created.
BZ#807361
Prior to this update, all DNS records in an Identity Management Directory Server instance were publicly accessible. With a publicly accessible DNS tree in the Directory Server instance, anyone with access to the server could acquire all DNS data. This operation is normally restricted with access control rules. It is a common security practice to keep this information restricted to only a selected group of users. Therefore, with this update, the entire LDAP tree with DNS records is now accessible only to the LDAP driver which feeds the data to the name server, admin users, or users with a new permission called Read DNS Entries. As a result, only permitted users can now access all DNS records in Identity Management Directory Server instances.
BZ#753483
The Identity Management server did not allow the creation of DNS zones with conditional forwarding, which lets the name server forward all zone requests to a custom forwarder. With this update, the Identity Management DNS plug-in allows users to create a DNS zone and set a conditional forwarder and a forwarding policy for that zone.
BZ#803822
Support for SSH public key management was added to Identity Management server; OpenSSH on Identity Management clients is automatically configured to use the public keys stored on the Identity Management server. This feature is a Technology Preview.
BZ#745968
The DNS page in the Web UI did not allow navigation from A or AAAA records to the related PTR records. This update adds a link which points to a related PTR record if it exists.
Users are advised to upgrade to these updated ipa packages, which fix these bugs and add these enhancements.

5.80. ipmitool

An updated ipmitool package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The ipmitool package contains a command line utility for interfacing with devices that support the Intelligent Platform Management Interface (IPMI) specification. IPMI is an open standard for machine health, inventory, and remote power control.

Bug Fix

BZ#828678
In the previous ipmitool package update, new options "-R" and "-N" were added to adjust the retransmission rate of outgoing IPMI requests over lan and lanplus interfaces. The implementation of these options set a wrong default value for the retransmission timeout, and outgoing requests timed out prematurely. In addition, in some corner cases, ipmitool could have terminated unexpectedly with a segmentation fault when the timeout occurred. This update fixes the default timeout value, and ipmitool without the "-N" option retransmits outgoing IPMI requests as in previous versions.
All users of ipmitool are advised to upgrade to this updated package, which fixes this bug.
Updated ipmitool packages that fix two bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
The ipmitool packages contain a command line utility for interfacing with devices that support the Intelligent Platform Management Interface (IPMI) specification. IPMI is an open standard for machine health, inventory, and remote power control.

Bug Fixes

BZ#715615
Previously, the exit code of the "ipmitool -o list" command was set incorrectly so that the command always returned 1. This update modifies ipmitool to return the exit code 0 as expected.
BZ#725993
The "ipmitool sol payload" and "ipmitool sel" commands previously accepted incorrect argument values, which caused the ipmitool utility to terminate unexpectedly with a segmentation fault. With this update, argument values of these commands are now validated, and ipmitool no longer crashes but generates an error message when used with incorrect arguments.

Enhancements

BZ#748073
Previously, ipmitool could not be used to set retransmission intervals of IPMI messages over the LAN or lanplus interface. This update introduces new options, "-R" and "-N", which can be used to specify the number of retransmissions and the delay between them (in seconds) when transferring IPMI messages using the LAN or lanplus interfaces.
BZ#739358
The "ipmitool delloem" command has been updated to the latest upstream version, which includes the new "vFlash" command for showing information about extended SD cards. This patch also updates documentation of the "ipmitool delloem" commands, improves error descriptions and adds support for new hardware.
All users of ipmitool are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

5.81. iproute

An updated iproute package that fixes two bugs and adds three enhancements is now available for Red Hat Enterprise Linux 6.
The iproute package contains networking utilities (ip and rtmon, for example), which are designed to use the advanced networking capabilities of the Linux kernel.

Bug Fixes

BZ#730627
The ip6tunnel mode command passed a zeroed parameter structure to the kernel, which attempted to change all tunnel parameters to zero and failed. Consequently, users could not change ip6tunnel parameters. With this update, the ip6tunnel code has been changed so that it updates only the changed parameters. As a result, it is now possible for users to adjust ip6tunnel parameters as expected.
BZ#736106
The lnstat utility used an incorrect file descriptor for its dump output. Consequently, the lnstat utility printed its dump output to stderr rather than to stdout. The code has been fixed and lnstat now prints its dump output to stdout.

Enhancements

BZ#748767
The tc utility (a traffic control tool) has been enhanced to allow users to work with the Multi-queue priority (MQPRIO) Queueing Discipline (qdiscs) scheduler. With MQPRIO qdiscs, QOS can be offloaded from NICs that support external QOS schedulers. As a result, it is now possible for users to monitor traffic classes, gather statistics, set socket-buffer (SKB) priority and socket-priority-to-traffic-class mapping.
BZ#788120
The tc utility has been updated to work with Quick Fair Queueing (QFQ) kernel features. Users can now take advantage of the new QFQ-traffic scheduler from user space.
BZ#812779
This update adds support for multiple multicast routing tables.
Users are advised to upgrade to this updated iproute package, which fixes these bugs and adds these enhancements.

5.82. iprutils

Updated iprutils packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The iprutils package provides utilities to manage and configure SCSI devices that are supported by the IBM Power RAID SCSI storage device driver.
The iprutils package has been upgraded to upstream version 2.3.9, which fixes multiple bugs and adds multiple enhancements. These packages also add support for the CRoC-based 6 GB Serial Attached SCSI (SAS) vRAID adapters on IBM POWER7. (BZ#738890, BZ#817087)
All users of iprutils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

5.83. iptraf

Updated iptraf packages that fix one bug are now available for Red Hat Enterprise Linux 6.
IPTraf is a console-based network monitoring utility. IPTraf gathers data such as TCP connection packet and byte counts, interface statistics and activity indicators, TCP/UDP traffic breakdowns, and LAN station packet and byte counts.

Bug Fix

BZ#682350
Prior to this update, interface names were checked by IPTraf against a whitelist of names to determine whether an interface was supported. Network devices can have arbitrary names and due to the changes for "Consistent Network Device Naming", the interface names will change to location-based names. Consequently, IPTraf could reject certain interface names. This update removes the interface name check and as a result IPTraf always accepts device names.
All users of iptraf are advised to upgrade to these updated packages, which fix this bug.

5.84. ipvsadm

Updated ipvsadm packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The ipvsadm package provides the ipvsadm tool to administer the IP Virtual Server services offered by the Linux kernel.

Bug Fix

BZ#788529
Prior to this update, the ipvsadm utility did not correctly handle out-of-order messages from the kernel concerning the sync daemon. As a consequence, the "ipvsadm --list --daemon" command did not always output the status of the sync daemon. With this update, the ordering of messages from the kernel no longer influences the output, and the command always returns the sync daemon status.
All users of ipvsadm are advised to upgrade to these updated packages, which fix this bug.

5.85. irqbalance

Updated irqbalance packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The irqbalance packages provide a daemon that evenly distributes interrupt requests (IRQ) load across multiple CPUs for enhanced performance.

Bug Fix

BZ#682211
The irqbalance daemon assigns each interrupt source in the system to a "class", which represents the type of the device (for example Networking, Storage or Media). Previously, irqbalance used the IRQ handler names from the /proc/interrupts file to decide the source class, which caused irqbalance to not recognize network interrupts correctly. As a consequence, systems using biosdevname NIC naming did not have their hardware interrupts distributed and pinned as expected. With this update, the device classification mechanism has been improved, which ensures better interrupt distribution.
All users of irqbalance are advised to upgrade to these updated packages, which fix this bug.

5.86. iscsi-initiator-utils

Updated iscsi-initiator-utils packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The iscsi-initiator-utils package provides the server daemon for the iSCSI protocol, as well as utilities used to manage the daemon. iSCSI is a protocol for distributed disk access using SCSI commands sent over Internet Protocol networks.
The iscsiuio tool has been upgraded to upstream version 0.7.2.1, which provides a number of bug fixes and one enhancement over the previous version. (BZ#740054)

Bug Fixes

BZ#738192
The iscsistart utility used hard-coded values as its settings. Consequently, it could take several minutes before change failure detection and path failover when using dm-multipath took place. With this update, the iscsistart utility has been modified to process settings provided on the command line.
BZ#739049
The iSCSI README file incorrectly listed the --info option as the option to display iscsiadm iSCSI information. The README has been corrected and it now states correctly that you need to use the "-P 1" argument to obtain such information.
BZ#739843
The iSCSI discovery process via a TOE (TCP Offload Engine) interface failed if the "iscsiadm -m iface" command had not been executed. This happened because the "iscsiadm -m" discovery command did not check interface settings. With this update, the iscsiadm tool creates the default ifaces settings when first used and the problem no longer occurs.
BZ#796574
If the port number was passed with a non-fully-qualified hostname to the iscsiadm tool, the tool created records with the port being part of the hostname. Consequently, the login or discovery operation failed because iscsiadm was not able to find the record. With this update, the iscsiadm portal parser has been modified to separate the port from the hostname. As a result, the port is parsed and processed correctly.

Enhancement

BZ#790609
The iscsiadm tool has been updated to support the ping command using QLogic's iSCSI offload cards and to manage the CHAP (Challenge-Handshake Authentication Protocol) entries on the host.
All users of iscsi-initiator-utils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

5.87. java-1.6.0-openjdk

Updated java-1.6.0-openjdk packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.
The java-1.6.0-openjdk packages have been upgraded to upstream version 1.11.1, which provides a number of bug fixes and enhancements over the previous version. (BZ#771971)

Bug Fixes

BZ#751203
Previously, after updating OpenJDK to java-1.6.0-openjdk-1.6.0.0-1.40.1.9.10.el6_1, the Java Remote Object Registry (rmiregistry) started only if run with the java.rmi.server.codebase argument, otherwise the registry start failed. This update fixes the regression and the registry can be started without the argument as expected.
BZ#767537
Channel binding for the Kerberos protocol was implemented incorrectly and OpenJDK did not process Kerberos GSS (General Security Services) contexts which did not have incoming channel binding. This resulted in interoperability problems with Internet Explorer on Windows Server 2008. With this update, OpenJDK handles unset channel binding correctly and processes Kerberos GSS contexts as expected.
BZ#804632
The SystemTap script translator (stap) run with jstack() systemtap support could terminate with an error similar to the following:
ERROR: kernel read fault at 0x0000000000000018 (addr) near identifier '@cast' at /usr/share/systemtap/tapset/x86_64/jstack.stp:362:29
This update improves the jstack code including, for example, the constant definition and error handling, and the stap script with jstack now works more reliably.
BZ#805936, BZ#807324
This update fixes multiple problems that occurred when using signed jar files.

Enhancement

BZ#751410
Support for huge pages was added.
All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

5.88. jss

Updated jss packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
JSS (Java Security Services) is a Java binding to Network Security Services (NSS), which provides SSL/TLS network protocols and other security services in the Public Key Infrastructure (PKI) suite. JSS is primarily utilized by the Certificate Server.

Bug Fixes

BZ#767768
During the key archival process, DRM (Data Recovery Manager) decrypted the user's private keys and then re-encrypted the keys for storage purposes. The reverse process took place during key recovery; therefore, the private key was not processed in a token at all times as the decrypted private key was present in the DRM memory between the time of decryption and encryption. This update adds the secure PKCS #12 and PKCS #5 v2.0 support, support for wrapping and unwrapping private keys in their token, and secure private key handling for TMS (Token Management System) key recovery to Red Hat Certificate System 8.1. As a result, the key archival operations now happen in the token.
BZ#767771
The "kra.storageUnit.hardware" configuration parameter did not exist in DRM's CS.cfg after upgrade. Consequently, if parameter "kra.storageUnit.hardware" was defined, recovery operations failed and the server returned the following error message:
PKCS #12 Creation Failed java.lang.IllegalArgumentException: bagType or bagContent is null
This update modifies the jss, pki-kra, pki-common components so that the "kra.storageUnit.hardware" configuration parameter is processed correctly. As a result, the key archival and recovery process is successful on in-place upgraded and migrated instances.
BZ#767773
Previously, JSS was using the HSM (Hardware Security Module) token name as manufacturer ID. If the HSM token name differed from the manufacturer ID, the key archival and recovery failed. This update adds logic to JSS so that it can recognize the currently supported HSMs: nCipher and SafeNet. Key archival and recovery in TMS and non-TMS Common Criteria environments now work as expected.
All users of jss are advised to upgrade to these updated packages, which fix these bugs.

5.89. kabi-whitelists

An updated kabi-whitelists package that adds various enhancements is now available for Red Hat Enterprise Linux 6.
The kabi-whitelists package contains reference files documenting interfaces provided by the Red Hat Enterprise Linux 6 kernel that are considered to be stable by Red Hat engineering, and safe for longer term use by third-party loadable device drivers, as well as for other purposes.

Enhancements

BZ#722619
Multiple symbols have been added to the Red Hat Enterprise Linux 6.3 kernel application binary interface (ABI) whitelists.
BZ#737276
Multiple symbols for Hitachi loadable device drivers have been added to the kernel ABI whitelists.
BZ#753771
This update modifies the structure of the kabi-whitelists package: whitelists are now ordered according to various Red Hat Enterprise Linux releases, and a symbolic link that points to the latest release has been added.
BZ#803885
The "__dec_zone_page_state" and "dec_zone_page_state" symbols have been added to the kernel ABI whitelists.
BZ#810456
The "blk_queue_rq_timed_out", "fc_attach_transport", "fc_release_transport", "fc_remote_port_add", "fc_remote_port_delete", "fc_remote_port_rolechg", "fc_remove_host", and "touch_nmi_watchdog" symbols have been added to the kernel ABI whitelists.
BZ#812463
Multiple symbols for Oracle Cloud File System have been added to the kernel ABI whitelists.
BZ#816533
The "get_fs_type" and "vscnprintf" symbols have been added to the kernel ABI whitelists.
All users of kabi-whitelists are advised to upgrade to this updated package, which adds these enhancements.

5.90. kdeartwork

Updated kdeartwork packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The K Desktop Environment (KDE) is a graphical desktop environment for the X Window System. The kdeartwork packages include styles, themes and screen savers for KDE.

Bug Fix

BZ#736624
Previously, the KPendulum and KRotation screen savers, listed in the OpenGL group of KDE screen savers, produced only a blank screen. This update disables KPendulum and KRotation, and neither of them is listed in the OpenGL group anymore.
All users of kdeartwork are advised to upgrade to these updated packages, which fix this bug.

5.91. kdebase-workspace

Updated kdebase-workspace packages that fix one bug are now available for Red Hat Enterprise Linux 6.
KDE is a graphical desktop environment for the X Window System. The kdebase-workspace packages contain utilities for basic operations with the desktop environment. The utilities allow users, for example, to change system settings, resize and rotate X screens, or set panels and widgets on the workspace.

Bug Fix

BZ#724960
Previously, the kdebase-workspace package relied on the bluez-libs-devel package for rebuild. However, bluez-libs-devel was not supported on IBM System z architectures and builds could be created only with the help of the fake-build-provides package, which is not the required behavior. With this update, the bluez-libs-devel package is no longer required as a dependency on IBM System z architecture and rebuilds are successful.
All users of kdebase-workspace are advised to upgrade to these updated packages, which fix this bug.

5.92. kdelibs

Updated kdelibs packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The kdelibs packages provide libraries for K Desktop Environment (KDE).

Bug Fix

BZ#698286
Previously, on big-endian architectures, including IBM System z, the Konqueror web browser could terminate unexpectedly or become unresponsive when loading certain web sites. A patch has been applied to address this issue, and Konqueror no longer crashes or hangs on the aforementioned architectures.
All users of kdelibs are advised to upgrade to these updated packages, which fix this bug.

5.93. kernel

Updated kernel packages that fix two security issues, address several hundred bugs, and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 6. This is the third regular update.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security Fixes
CVE-2011-1083, Moderate
A flaw was found in the way the Linux kernel's Event Poll (epoll) subsystem handled large, nested epoll structures. A local, unprivileged user could use this flaw to cause a denial of service.
CVE-2011-4131, Moderate
A malicious Network File System version 4 (NFSv4) server could return a crafted reply to a GETACL request, causing a denial of service on the client.
Red Hat would like to thank Nelson Elhage for reporting CVE-2011-1083, and Andy Adamson for reporting CVE-2011-4131.
Bug Fixes
BZ#824025
Hotplugging SATA disks did not work properly and the system experienced various issues when hotplugging such devices. This update fixes several hotplugging issues in the kernel and SAS hotplugging now works as expected.
BZ#782374
Due to a bug in the hid_reset() function, a deadlock could occur when a Dell iDRAC controller was reset. Consequently, its USB keyboard or mouse device became unresponsive. A patch that fixes the underlying code has been provided to address this bug and the hangs no longer occur in the described scenario.
BZ#781531
The AMD IOMMU driver used the wrong shift direction in the alloc_new_range() function. Consequently, the system could terminate unexpectedly or become unresponsive. This update fixes the code, and crashes and hangs no longer occur in the described scenario.
BZ#781524
Previously, the AMD IOMMU (input/output memory management unit) driver could use the MSI address range for DMA (direct memory access) addresses. As a consequence, DMA could fail and spurious interrupts would occur if this address range was used. With this update, the MSI address range is reserved to prevent the driver from allocating wrong addresses and DMA is now assured to work as expected in the described scenario.
BZ#773705
Windows clients never send write requests larger than 64 KB but the default size for write requests in Common Internet File System (CIFS) was set to a much larger value. Consequently, write requests larger than 64 KB caused various problems on certain third-party servers. This update lowers the default size for write requests to prevent this bug. The user can override this value to a larger one to get better performance.
BZ#773522
Due to a race condition between the notify_on_release() function and task movement between cpuset or memory cgroup directories, a system deadlock could occur. With this update, the cgroup_wq cgroup has been created and both async_rebuild_domains() and check_for_release() functions used for task movements use it, thus fixing this bug.
BZ#773517
Due to invalid calculations of the vruntime variable along with task movement between cgroups, moving tasks between cgroups could cause very long scheduling delays. This update fixes this problem by setting the cfs_rq and curr parameters after holding the rq->lock lock.
BZ#784671
The kernel code checks for conflicts when an application requests a specific port. If there is no conflict, the request is granted. However, the port auto-selection done by the kernel failed when all ports were bound, even if there was an available port with no conflicts. With this update, the port auto-selection code has been fixed to properly use ports with no conflicts.
BZ#784758
A bug in the try_to_wake_up() function could cause status change from TASK_DEAD to TASK_RUNNING in a race condition with an SMI (system management interrupt) or a guest environment of a virtual machine. As a consequence, the exited task was scheduled again and a kernel panic occurred. This update fixes the race condition in the do_exit() function and the panic no longer occurs in the described scenario.
BZ#785891
Previously, if more than a certain number of qdiscs (Classless Queuing Disciplines) using the autohandle mechanism were allocated, a soft lock-up error occurred. This update fixes the maximum loop count and adds the cond_resched() call in the loop, thus fixing this bug.
BZ#785959
Prior to this update, the find_busiest_group() function used sched_group->cpu_power in the denominator of a fraction with a value of 0. Consequently, a kernel panic occurred. This update prevents the divide by zero in the kernel and the panic no longer occurs.
BZ#772874
In the Common Internet File System (CIFS), the oplock break jobs and async callback handlers both use the SLOW-WORK workqueue, which has a finite pool of threads. Previously, these oplock break jobs could end up taking all the running queues waiting for a page lock which blocks the callback required to free this page lock from being completed. This update separates the oplock break jobs into a separate workqueue VERY-SLOW-WORK, allowing the callbacks to be completed successfully and preventing the deadlock.
BZ#772317
Previously, when software bridging was used, network drivers that had Large Receive Offload (LRO) enabled by default caused the system to run slowly, lose frames, and eventually lose communication. With this update, LRO is automatically disabled by the kernel on systems with a bridged configuration, thus preventing this bug.
BZ#772237
When transmitting a fragmented socket buffer (SKB), the qlge driver fills a descriptor with fragment addresses, after DMA-mapping them. On systems with pages larger than 8 KB and less than eight fragments per SKB, a macro defined the size of the OAL (Outbound Address List) list as 0. For SKBs with more than eight fragments, this would start overwriting the list of addresses already mapped and would make the driver fail to properly unmap the right addresses on architectures with pages larger than 8 KB. With this update, the size of the external list for TX address descriptors has been fixed and qlge no longer fails in the described scenario.
BZ#772136
Prior to this update, the wrong size was being calculated for the vfinfo structure. Consequently, networking drivers that created a large number of virtual functions caused warning messages to appear when loading and unloading modules. Backported patches from upstream have been provided to resolve this issue, thus fixing this bug.
BZ#771251
The fcoe_transport_destroy path uses a work queue to destroy the specified FCoE interface. Previously, the destroy_work work queue item blocked another single-threaded work queue. Consequently, a deadlock between queues occurred and the system became unresponsive. With this update, fcoe_transport_destroy has been modified and is now a synchronous operation, which breaks the deadlock dependency. As a result, destroy operations are now able to complete properly, thus fixing this bug.
BZ#786518
On a system that created and deleted lots of dynamic devices, the 31-bit Linux ifindex object failed to fit in the 16-bit macvtap minor range, resulting in unusable macvtap devices. The problem primarily occurred in a libvirt-controlled environment when many virtual machines were started or restarted, and caused libvirt to report the following message:
Error starting domain: cannot open macvtap tap device /dev/tap222364: No such device or address
With this update, the macvtap's minor device number allocation has been modified so that virtual machines can now be started and restarted as expected in the described scenario.
BZ#770023
A bug in the splice code has caused the file position on the write side of the sendfile() system call to be incorrectly set to the read side file position. This could result in the data being written to an incorrect offset. Now, sendfile() has been modified to correctly use the current file position for the write side file descriptor, thus fixing this bug.
Note that in the following common sendfile() scenarios, this bug does not occur: when both read and write file positions are identical and when the file position is not important (e.g. if the write side is a socket).
BZ#769626
Prior to this update, Active State Power Management (ASPM) was not properly disabled, and this interfered with the correct operation of the hpsa driver. Certain HP BIOS versions do not report a proper disable bit, and when the kernel fails to read this bit, the kernel defaults to enabling ASPM. Consequently, certain servers equipped with an HP Smart Array controller were unable to boot unless the pcie_aspm=off option was specified on the kernel command line. A backported patch has been provided to address this problem, ASPM is now properly disabled, and the system now boots up properly in the described scenario.
BZ#769590
Due to a race condition, running the "ifenslave -d bond0 eth0" command to remove the slave interface from the bonding device could cause the system to crash when a networking packet was being received at the same time. With this update, the race condition has been fixed and the system no longer crashes under these circumstances.
BZ#769007
In certain circumstances, the qla2xxx driver was unable to discover fibre channel (FC) tape devices because the ADISC ELS request failed. This update adds the new module parameter, ql2xasynclogin, to address this issue. When this parameter is set to "0", FC tape devices are discovered properly.
BZ#786960
When running AF_IUCV socket programs with IUCV transport, an IUCV SEVER call was missing in the callback of a receiving IUCV SEVER interrupt. Under certain circumstances, this could prevent z/VM from removing the corresponding IUCV-path completely. This update adds the IUCV SEVER call to the callback, thus fixing this bug. In addition, internal socket states have been merged, thus simplifying the AF_IUCV code.
BZ#767753
When the nohz=off kernel parameter was set, the kernel could not enter any CPU C-state. With this update, the underlying code has been fixed and transitions to CPU idle states now work as expected.
BZ#766861
Under heavy memory and file system load, the "mapping->nrpages == 0" assertion could occur in the end_writeback() function. As a consequence, a kernel panic could occur. This update provides a reliable check for mapping->nrpages that prevents the described assertion, thus fixing this bug.
BZ#765720
An insufficiently designed calculation in the CPU accelerator in the previous kernel caused an arithmetic overflow in the sched_clock() function when system uptime exceeded 208.5 days. This overflow led to a kernel panic on the systems using the Time Stamp Counter (TSC) or Virtual Machine Interface (VMI) clock source. This update corrects the aforementioned calculation so that this arithmetic overflow and kernel panic can no longer occur under these circumstances.
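Where the 208.5-day figure comes from, as an added C illustration that is not Red Hat's patch or code from these notes. It assumes the cycles-to-nanoseconds conversion is the multiply-then-shift form with a 10-bit fixed-point scale used by the upstream x86 TSC code; the function names are hypothetical, and the split form shown is the upstream-style way to avoid the wrap.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define CYC2NS_SCALE_FACTOR 10                 /* assumed fixed-point shift (2^10) */
#define NSEC_PER_MSEC 1000000ULL
#define NSEC_PER_DAY  (86400ULL * 1000000000ULL)

/* Nanoseconds per cycle as a 10-bit fixed-point value for a given CPU clock. */
static uint64_t cyc2ns_scale(uint64_t cpu_khz)
{
    return (NSEC_PER_MSEC << CYC2NS_SCALE_FACTOR) / cpu_khz;
}

/* Overflow-prone form: the 64-bit product wraps before the shift is applied. */
static uint64_t cycles_2_ns_naive(uint64_t cyc, uint64_t scale)
{
    return (cyc * scale) >> CYC2NS_SCALE_FACTOR;
}

/* Split form: scale the high and low parts separately so no product wraps. */
static uint64_t cycles_2_ns_split(uint64_t cyc, uint64_t scale)
{
    uint64_t quot = cyc >> CYC2NS_SCALE_FACTOR;
    uint64_t rem  = cyc & ((1ULL << CYC2NS_SCALE_FACTOR) - 1);

    return quot * scale + ((rem * scale) >> CYC2NS_SCALE_FACTOR);
}

/* Smallest cycle count whose product with scale no longer fits in 64 bits. */
static uint64_t first_overflow_cycle(uint64_t scale)
{
    return UINT64_MAX / scale + 1;
}

/* Whole days of uptime at which the naive conversion wraps. */
static uint64_t wrap_uptime_days(uint64_t cpu_khz)
{
    uint64_t scale = cyc2ns_scale(cpu_khz);
    uint64_t cyc = first_overflow_cycle(scale);

    return cycles_2_ns_split(cyc, scale) / NSEC_PER_DAY;
}

int main(void)
{
    /* Constructed sample clock rates; the wrap point barely depends on them,
     * because the product wraps once the result reaches about 2^54 ns. */
    const uint64_t khz[] = { 2000000ULL, 3000000ULL };

    for (size_t i = 0; i < sizeof(khz) / sizeof(khz[0]); i++) {
        uint64_t scale = cyc2ns_scale(khz[i]);
        uint64_t cyc = first_overflow_cycle(scale);

        printf("%" PRIu64 " kHz: naive=%" PRIu64 " ns, split=%" PRIu64
               " ns, wrap after %" PRIu64 " days\n",
               khz[i], cycles_2_ns_naive(cyc, scale),
               cycles_2_ns_split(cyc, scale), wrap_uptime_days(khz[i]));
    }
    return 0;
}
```

The wrap lands at roughly 2^54 ns regardless of clock rate, which is why long-running hosts of any speed were affected and why uptime is the thing to check on unpatched kernels.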
BZ#765673
Previously, the cfq_cic_link() function had a race condition. When several processes that shared an ioc issued I/O to the same block device simultaneously, cfq_cic_link() sometimes returned the -EEXIST error code. Consequently, one of the processes started to wait indefinitely. A patch has been provided to address this issue and the cfq_cic_lookup() call is now retried in the described scenario, thus fixing this bug.
BZ#667925
Previously, the SFQ qdisc packet scheduler class had no bind_tcf() method. Consequently, if a filter was added with the classid parameter to SFQ, a kernel panic occurred due to a null pointer dereference. With this update, the dummy ".unbind_tcf" and ".put" qdisc class options have been added to conform with the behaviour of other schedulers, thus fixing this bug.
BZ#787762
Previously, an incorrect portion of memory was freed when unmapping a DMA (Direct Memory Access) area used by the mlx4 driver. Consequently, a DMA leak occurred after removing a network device that used the driver. This update ensures that the mlx4 driver unmaps the correct portion of memory. As a result, the memory is freed correctly and no DMA leak occurs.
BZ#787771
Previously, when a memory allocation failure occurred, the mlx4 driver did not free the previously allocated memory correctly. Consequently, hotplug removal of devices using the mlx4 driver could not be performed. With this update, a memory allocation failure still occurs when the device MTU (Maximal Transfer Unit) is set to 9000, but hotplug removal of the device is possible after the failure.
BZ#759613
Due to a regression, the updated vmxnet3 driver used the ndo_set_features() method instead of various methods of the ethtool utility. Consequently, it was not possible to make changes to vmxnet3-based network adapters in Red Hat Enterprise Linux 6.2. This update restores the ability of the driver to properly set features, such as csum or TSO (TCP Segmentation Offload), via ethtool.
BZ#759318
Previously, when a MegaRAID 9265/9285 or 9360/9380 controller got a timeout in the megaraid_sas driver, the invalid SCp.ptr pointer could be called from the megasas_reset_timer() function. As a consequence, a kernel panic could occur. An upstream patch has been provided to address this issue and the pointer is now always set correctly.
BZ#790673
The vmxnet3 driver in Red Hat Enterprise Linux 6.2 introduced a regression. Due to an optimization, in which at least 54 bytes of a frame were copied to a contiguous buffer, shorter frames were dropped as the frame did not have 54 bytes available to copy. With this update, transfer size for a buffer is limited to 54 bytes or the frame size, whichever is smaller, and short frames are no longer dropped in the described scenario.
BZ#755885
Previously, when isolating pages for migration, the migration started at the start of a zone while the free scanner started at the end of the zone. Migration avoids entering a new zone by never going beyond what the free scanner scanned. In very rare cases, nodes overlapped and the migration isolated pages without the LRU lock held, which triggered errors in reclaim or during page freeing. With this update, the isolate_migratepages() function makes a check to ensure that it never isolates pages from a zone it does not hold the LRU lock for, thus fixing this bug.
BZ#755380
Due to a regression, an attempt to open a directory that did not have a cached dentry failed and the EISDIR error code was returned. The same operation succeeded if a cached dentry existed. This update modifies the nfs_atomic_lookup() function to allow fallbacks to normal look-up in the described scenario.
BZ#754356
Due to a race condition, the mac80211 framework could deauthenticate with an access point (AP) while still scheduling authentication retries with the same AP. If such an authentication attempt timed out, a warning message was returned to kernel log files. With this update, when deauthenticating, pending authentication retry attempts are checked and cancelled if found, thus fixing this bug.
BZ#692767
Index allocation in the virtio-blk module was based on a monotonically increasing variable "index". Consequently, released indexes were not reused and after a period of time, no new ones were available. Now, virtio-blk uses the ida API to allocate indexes, thus preventing this bug.
BZ#795441
When expired user credentials were used in the RENEW() calls, the calls failed. Consequently, all access to the NFS share on the client became unresponsive. With this update, the machine credentials are used with these calls instead, thus preventing this bug most of the time. If no machine credentials are available, user credentials are used as before.
BZ#753301
Previously, an unnecessary assertion could trigger depending on the value of the xpt_pool field. As a consequence, a node could terminate unexpectedly. The xpt_pool field was in fact unnecessary and this update removes it from the sunrpc code, thus preventing this bug.
BZ#753237
Prior to this update, the align_va_addr kernel parameter was ignored if secondary CPUs were initialized. This happened because the parameter settings were overridden during the initialization of secondary CPUs. Also, the align_va_addr parameter documentation contained incorrect parameter arguments. With this update, the underlying code has been modified to prevent the overriding and the documentation has been updated. This update also removes the unused code introduced by the patch for BZ#739456.
BZ#796277
Concurrent look-up operations of the same inode that was not in the per-AG (Allocation Group) inode cache caused a race condition, triggering warning messages to be returned in the unlock_new_inode() function. Although this bug could only be exposed by NFS or the xfsdump utility, it could lead to inode corruption, inode list corruption, or other related problems. With this update, the XFS_INEW flag is set before inserting the inode into the radix tree. Now, any concurrent look-up operation finds the new inode with XFS_INEW set and the operation is then forced to wait until XFS_INEW is removed, thus fixing this bug.
BZ#753030
Socket callbacks use the svc_xprt_enqueue() function to add sockets to the pool->sp_sockets list. In normal operation, a server thread will later take the socket off that list. Previously, on the nfsd daemon shutdown, still-running svc_xprt_enqueue() could re-add a socket to the sp_sockets list just before it was deleted. Consequently, the system could terminate unexpectedly due to memory corruption in the sunrpc module. With this update, the XPT_BUSY flag is put on every socket and svc_xprt_enqueue() now checks this flag, thus preventing this bug.
BZ#816034
Red Hat Enterprise Virtualization Hypervisor became unresponsive and failed to shut down or restart with the following message:
Shutting down interface breth0
This happened after configuring the NetConsole functionality with no bridge on top of a bond due to a mistake in the linking to the device structure. With this update, the linking has been fixed and the device binding is processed correctly in this scenario.
BZ#752528
When the md_raid1_unplug_device() function was called while holding a spinlock, under certain device failure conditions, it was possible for the lock to be requested again, deeper in the call chain, causing a deadlock. With this update, md_raid1_unplug_device() is no longer called while holding a spinlock, thus fixing this bug.
BZ#797731
Previously, a bonding device always had the UFO (UDP Fragmentation Offload) feature enabled even when no slave interfaces supported UFO. Consequently, the tracepath command could not return the correct path MTU. With this update, UFO is no longer configured for bonding interfaces by default if the underlying hardware does not support it, thus fixing this bug.
BZ#703555
When trying to send a kdump file to a remote system via the tg3 driver, the tg3 NIC (network interface controller) could not establish the connection and the file could not be sent. The kdump kernel leaves the MSI-X interrupts enabled as set by the crashed kernel, however, the kdump kernel only enables one CPU and this could cause the interrupt delivery to the tg3 driver to fail. With this update, tg3 enables only a single MSI-X interrupt in the kdump kernel to match the overall environment, thus preventing this bug.
BZ#751087
On a system with an idle network interface card (NIC) controlled by the e1000e driver, when the card transmitted up to four descriptors, which delayed the write-back and nothing else, the run of the watchdog driver about two seconds later forced a check for a transmit hang in the hardware, which found the old entry in the TX ring. Consequently, a false "Detected Hardware Unit Hang" message was issued to the log. With this update, when the hang is detected, the descriptor is flushed and the hang check is run again, which fixes this bug.
BZ#750237
Previously, the idle_balance() function dropped or retook the rq->lock parameter, leaving the previous task vulnerable to the set_tsk_need_resched() function. Now, the parameter is cleared in setup_thread_stack() after a return from balancing and no successfully descheduled or never scheduled task has it set, thus fixing this bug.
BZ#750166
Previously, the doorbell register was being unconditionally swapped. If the Blue Frame option was enabled, the register was incorrectly written to the descriptor in the little endian format. Consequently, certain adapters could not communicate over a configured IP address. With this update, the doorbell register is not swapped unconditionally, rather, it is always converted to big endian before it is written to the descriptor, thus fixing this bug.
BZ#705698
The CFQ (Completely Fair Queuing) scheduler does idling on sequential processes. With changes to the IOeventFD feature, the traffic pattern at CFQ changed and CFQ considered everything a thread was doing to be sequential I/O operations. Consequently, CFQ did not allow preemption across threads in Qemu. This update increases the preemption threshold and the idling is now limited in the described scenario without the loss of throughput.
BZ#798984
When short audio periods were configured, the ALSA PCM midlevel code, shared by all sound cards, could cause audio glitches and other problems. This update adds a time check for double acknowledged interrupts and improves stability of the snd-aloop kernel module, thus fixing this bug.
BZ#748559
Previously, the utime and stime values in the /proc/<pid>/stat file of a multi-threaded process could wrongly decrease when one of its threads exited. A backported patch has been provided to maintain monotonicity of utime and stime in the described scenario, thus fixing this bug.
BZ#800555
During tests with active I/O on 256 LUNs (logical unit numbers) over FCoE, a large number of SCSI mid-layer error messages were returned. As a consequence, the system became unresponsive. This bug has been fixed by limiting the source of the error messages and the hangs no longer occur in the described scenario.
BZ#714902
Previously, the compaction code assumed that memory on all cluster nodes is aligned to the same page-block size when isolating a cluster node for migration. However, when running a cluster on IBM System x3850 X5 machines with two MAX 5 memory expansion drawers, memory is not properly aligned. Therefore, the isolate_migratepages() function could pass an invalid Page Frame Number (PFN) to the pfn_to_page() function, which resulted in a kernel panic. With this update, the compaction code has been modified so that the isolate_migratepages() function now calls the pfn_valid() function to validate the PFN when necessary, and the kernel no longer panics in the described scenario.
BZ#801730
The ctx->vif identifier is dereferenced in different parts of the iwlwifi code. When it was set to null before requesting hardware reset, the kernel could terminate unexpectedly. An upstream patch has been provided to address this issue and the crashes no longer occur in the described scenario.
BZ#717179
Previously, a CPU could service the idle load balancer kick request from another CPU, even without receiving the IPI. Consequently, multiple __smp_call_function_single() calls were done on the same call_single_data structure, leading to a deadlock. To kick a CPU, the scheduler already has the reschedule vector reserved. Now, the kick_process mechanism is used instead of using the generic smp_call_function mechanism to kick off the nohz idle load balancing and avoid the deadlock.
BZ#746484
A software bug related to Context Caching existed in the Intel IOMMU support module. On some newer Intel systems, the Context Cache mode has changed from previous hardware versions, potentially exposing a Context coherency race. The bug was exposed when performing a series of hot plug and unplug operations of a Virtual Function network device which was immediately configured into the network stack, i.e., successfully performed dynamic host configuration protocol (DHCP). When the coherency race occurred, the assigned device would not work properly in the guest virtual machine. With this update, the Context coherency is corrected and the race and the potentially resulting device assignment failure no longer occur.
BZ#746169
Due to a running cursor blink timer, when attempting to hibernate certain types of laptops, the i915 kernel driver could corrupt memory. Consequently, the kernel could crash unexpectedly. An upstream patch has been provided to make the i915 kernel driver use the correct console suspend API and the hibernate function now works as expected.
BZ#720611
Previously, the eth_type_trans() function was called with the VLAN device type set. If a VLAN device contained a MAC address different from the original device, an incorrect packet type was assigned to the host. Consequently, if the VLAN devices were set up on a bonding interface in Adaptive Load Balancing (ALB) mode, the TCP connection could not be established. With this update, the eth_type_trans() function is called with the original device, ensuring that the connection is established as expected.
BZ#806081
The slave member of "struct aggregator" does not necessarily point to a slave which is part of the aggregator. It points to the slave structure containing the aggregator structure, while completely different slaves (or no slaves at all) may be part of the aggregator. Due to a regression, the agg_device_up() function wrongly used agg->slave to find the state of the aggregator. Consequently, the wrong active aggregator was reported to the /proc/net/bonding/bond0 file. With this update, agg->lag_ports->slave is used in the described scenario instead, thus fixing this bug.
BZ#806119
Due to the netdevice handler for FCoE (Fibre Channel over Ethernet) and the exit path blocking the keventd work queue, the destroy operation on an NPIV (N_Port ID Virtualization) FCoE port led to a deadlock interdependency and caused the system to become unresponsive. With this update, the destroy_work item has been moved to its own work queue and is now executed in the context of the user space process requesting the destroy, thus preventing this bug.
BZ#739811
Previously, when pages were being migrated via NFS with active requests on them, if a particular inode ended up deleted, then the VFS called the truncate_inode_pages() function. That function tried to take the page lock, but it was already locked when migrate_page() was called. As a consequence, a deadlock occurred in the code. This bug has been fixed and the migration request is now refused if the PagePrivate parameter is already set, indicating that the page is already associated with an active read or write request.
BZ#808487
Previously, requests for large data blocks with the ZSECSENDCPRB ioctl() system call failed due to an invalid parameter. A misleading error code was returned, concealing the real problem. With this update, the parameter for the ZSECSENDCPRB request code constant is validated with the correct maximum value. Now, if the parameter length is not valid, the EINVAL error code is returned, thus fixing this bug.
BZ#809928
Due to incorrect use of the list_for_each_entry_safe() macro, the enumeration of remote procedure calls (RPCs) priority wait queue tasks stored in the tk_wait.links list failed. As a consequence, the rpc_wake_up() and rpc_wake_up_status() functions failed to wake up all tasks. This caused the system to become unresponsive and could significantly decrease system performance. Now, the list_for_each_entry_safe() macro is no longer used in rpc_wake_up(), ensuring reasonable system performance.
BZ#812259
Various problems were discovered in the iwlwifi driver happening in the 5 GHz band. Consequently, roaming between access points (AP) on 2.4 GHz and 5 GHz did not work properly. This update adds a new option to the driver that disables the 5 GHz band support.
BZ#810299
Previously, secondary, tertiary, and other IP addresses added to bond interfaces could overwrite the bond->master_ip and vlan_ip values. Consequently, a wrong IP address could be occasionally used, the MII (Media Independent Interface) status of the backup slave interface went down, and the bonding master interfaces were switching. This update removes the master_ip and vlan_ip elements from the bonding and vlan_entry structures, respectively. Instead, devices are directly queried for the optimal source IP address for ARP requests, thus fixing this bug.
BZ#727700
An anomaly in the memory map created by the mbind() function caused a segmentation fault in Hotspot Java Virtual Machines with the NUMA-aware Parallel Scavenge garbage collector. A backported upstream patch that fixes mbind() has been provided and the crashes no longer occur in the described scenario.
BZ#812108
Previously, with a transparent proxy configured and under high load, the kernel could start to drop packets, return error messages such as "ip_rt_bug: addr1 -> addr2, ?", and, under rare circumstances, terminate unexpectedly. This update provides patches addressing these issues and the described problems no longer occur.
BZ#811815
The kdump utility does not support Xen para-virtualized (PV) drivers on Hardware Virtualized Machine (HVM) guests in Red Hat Enterprise Linux 6. Therefore, kdump failed to start if the guest had loaded PV drivers. This update modifies underlying code to allow kdump to start without PV drivers on HVM guests configured with PV drivers.
BZ#735105
When running a userspace program, such as the Ceph client, on the ext4 file system, a race condition between the sync/flush thread and the xattr-set thread could occur. This was caused by an incorrectly-set state flag on an inode. As a consequence, memory for the file system was incorrectly allocated, which resulted in file system corruption. With this update, the ext4 code has been modified to prevent this race condition from occurring and file systems are no longer corrupted under these circumstances.
BZ#728852
An unwanted interrupt was generated when a PCI driver switched the interrupt mechanism from the Message Signaled Interrupt (MSI or MSI-X) to the INTx emulation while shutting down a device. Due to this, an interrupt handler was called repeatedly, and the system became unresponsive. On certain systems, the interrupt handler of Intelligent Platform Management Interface (IPMI) was called while shutting down a device on the way to reboot the system after running kdump. In such a case, soft lockups were performed repeatedly and the shutdown process never finished. With this update, the user can choose not to use MSI or MSI-X for the PCI Express Native Hotplug driver. The switching between the interrupt mechanisms is no longer performed so that the unwanted interrupt is not generated.
BZ#731917
The time-out period in the qla2x00_fw_ready() function was hard-coded to 20 seconds. This period was too short for new QLogic host bus adapters (HBAs) for Fibre Channel over Ethernet (FCoE). Consequently, some logical unit numbers (LUNs) were missing after a reboot. With this update, the time-out period has been set to 60 seconds so that the modprobe utility is able to recheck the driver module, thus fixing this bug.
BZ#730045
Previously, the idmapper utility pre-allocated space for all user and group names on an NFS client in advance. Consequently, page allocation failure could occur, preventing a proper mount of a directory. With this update, the allocation of the names is done dynamically when needed, the size of the allocation table is now greatly reduced, and the allocation failures no longer occur.
BZ#811703
As part of mapping the application's memory, a buffer to hold page pointers is allocated and the count of mapped pages is stored in the do_dio field. A non-zero do_dio marks that direct I/O is in use. However, do_dio is only one byte in size. Previously, mapping 256 pages overflowed do_dio and caused it to be set to 0. As a consequence, when a large enough number of read or write requests were sent using the st driver's direct I/O path, a memory leak could occur in the driver. This update increases the size of do_dio, thus preventing this bug.
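The truncation described above, as an added user-space C model (not the st driver's code). The struct and function names are hypothetical, and the widened field type is an assumption because the text does not say which type the fix uses.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the bookkeeping described above; not the st driver's code. */

static int live_buffers;   /* page-pointer buffers allocated and not yet freed */

/* Before: the mapped-page count is stored in a single byte. */
struct buf_narrow {
    unsigned char do_dio;  /* non-zero means "direct I/O in use" */
    void **pages;
};

/* After: a wider field. The exact type chosen by the fix is an assumption. */
struct buf_wide {
    unsigned int do_dio;
    void **pages;
};

static void **alloc_page_ptrs(unsigned int nr_pages)
{
    void **p = calloc(nr_pages, sizeof(*p));
    if (p)
        live_buffers++;
    return p;
}

static void free_page_ptrs(void **p)
{
    if (p) {
        free(p);
        live_buffers--;
    }
}

/* Map, then release, with the one-byte field. Returns buffers left behind. */
int leaked_with_narrow(unsigned int nr_pages)
{
    struct buf_narrow b = { 0, NULL };
    int before = live_buffers;
    int leaked;

    b.pages = alloc_page_ptrs(nr_pages);
    if (!b.pages)
        return -1;
    b.do_dio = (unsigned char)nr_pages;   /* 256 is stored as 0 */

    /* Release path: cleanup is skipped when the flag says "no direct I/O". */
    if (b.do_dio) {
        free_page_ptrs(b.pages);
        b.pages = NULL;
    }

    leaked = live_buffers - before;
    free_page_ptrs(b.pages);              /* tidy up so the demo itself does not leak */
    return leaked;
}

/* Same sequence with the widened field: the count survives intact. */
int leaked_with_wide(unsigned int nr_pages)
{
    struct buf_wide b = { 0, NULL };
    int before = live_buffers;
    int leaked;

    b.pages = alloc_page_ptrs(nr_pages);
    if (!b.pages)
        return -1;
    b.do_dio = nr_pages;

    if (b.do_dio) {
        free_page_ptrs(b.pages);
        b.pages = NULL;
    }

    leaked = live_buffers - before;
    free_page_ptrs(b.pages);
    return leaked;
}

int main(void)
{
    /* Constructed page counts around the one-byte boundary. */
    unsigned int counts[] = { 1, 255, 256, 257, 512 };
    size_t i;

    for (i = 0; i < sizeof(counts) / sizeof(counts[0]); i++)
        printf("pages=%3u  narrow leaked=%d  wide leaked=%d\n",
               counts[i], leaked_with_narrow(counts[i]),
               leaked_with_wide(counts[i]));
    return 0;
}
```

Every multiple of 256 pages, not only 256 itself, is stored as 0 in the one-byte field and takes the leaking path.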
BZ#728315
In the hpet_next_event() function, an interrupt could have occurred between the read and write of the HPET (High Performance Event Timer) and the value of HPET_COUNTER was then beyond that being written to the comparator (HPET_Tn_CMP). Consequently, the timers were overdue for up to several minutes. Now, a comparison is performed between the value of the counter and the comparator in the HPET code. If the counter is beyond the comparator, the "-ETIME" error code is returned, which fixes this bug.
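The race and the added comparison, as an added C simulation that is not the kernel's hpet_next_event(). The simulated registers, the stall parameter, the 14.318 MHz counter frequency, and treating "equal" as already missed are assumptions of this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed simulation of a free-running 32-bit counter and one comparator. */
struct hpet_sim {
    uint32_t counter;   /* models HPET_COUNTER */
    uint32_t cmp;       /* models HPET_Tn_CMP */
    uint32_t stall;     /* ticks that pass between the read and the write */
};

/* Ticks until the counter next equals the comparator (modulo 2^32). */
uint32_t ticks_until_fire(const struct hpet_sim *h)
{
    return h->cmp - h->counter;
}

/* Before: program the comparator and assume it still lies ahead. */
int next_event_unchecked(struct hpet_sim *h, uint32_t delta)
{
    uint32_t target = h->counter + delta;   /* read the counter, add delta */
    h->counter += h->stall;                 /* an interrupt lands here */
    h->cmp = target;                        /* write the comparator */
    return 0;
}

/* After: re-read the counter and report -ETIME if the target was passed. */
int next_event_checked(struct hpet_sim *h, uint32_t delta)
{
    uint32_t target = h->counter + delta;
    h->counter += h->stall;
    h->cmp = target;
    /* The signed difference stays correct across counter wraparound.
     * Treating "equal" as missed is a choice made by this example. */
    return (int32_t)(target - h->counter) <= 0 ? -ETIME : 0;
}

/* Helpers that run one scenario and return a single value. */
uint32_t wait_after_unchecked(uint32_t start, uint32_t delta, uint32_t stall)
{
    struct hpet_sim h = { start, 0, stall };
    next_event_unchecked(&h, delta);
    return ticks_until_fire(&h);
}

int status_after_checked(uint32_t start, uint32_t delta, uint32_t stall)
{
    struct hpet_sim h = { start, 0, stall };
    return next_event_checked(&h, delta);
}

int main(void)
{
    const double hz = 14318180.0;   /* assumed counter frequency */
    uint32_t ok = wait_after_unchecked(1000, 100, 10);
    uint32_t missed = wait_after_unchecked(1000, 100, 500);

    printf("short stall: fires in %u ticks\n", ok);
    printf("long stall:  fires in %u ticks (about %.0f s)\n",
           missed, missed / hz);
    printf("checked, long stall:  %d\n", status_after_checked(1000, 100, 500));
    printf("checked, short stall: %d\n", status_after_checked(1000, 100, 10));
    printf("checked, across wrap: %d\n",
           status_after_checked(0xFFFFFFF0u, 100, 10));
    return 0;
}
```

When the comparator is written behind the counter, the timer only fires after the 32-bit counter wraps, which at the assumed frequency is close to five minutes and matches the "several minutes" delay described above.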
BZ#722297
In a Boot-from-SAN (BFS) installation via certain iSCSI adapters, the driver exported sendtarget entries in the sysfs file system but the iscsistart utility failed to perform discovery. Consequently, a kernel panic occurred during the first boot sequence. With this update, the driver performs the discovery instead, thus preventing this bug.
BZ#805519
The SCSI layer was not using a large enough buffer to properly read the entire 'BLOCK LIMITS VPD' page that is advertised by a storage array. Consequently, the 'WRITE SAME MAX LEN' parameter was read incorrectly and this could result in the block layer issuing discard requests that were too large for the storage array to handle. This update increases the size of the buffer that the 'BLOCK LIMITS VPD' page is read into and the discard requests are now issued with proper size, thus fixing this bug.
BZ#803378
The Intelligent Platform Management Interface (IPMI) specification requires a minimum communication timeout of five seconds. Previously, the kernel incorrectly used a timeout of 1 second. This could result in failures to communicate with Baseboard Management Controllers (BMC) under certain circumstances. With this update, the timeout has been increased to five seconds to prevent such problems.
BZ#758404
The dm_mirror module can send discard requests. However, the dm_io interface did not support discard requests, and running an LVM mirror over a discard-enabled device led to a kernel panic. This update adds support for the discard requests to the dm_io interface, so that kernel panics no longer occur in the described scenario.
BZ#766051
Previously, when the schedule() function was run shortly after a boot, the following warning message was sometimes returned once per boot on the console:
5915: WARN_ON_ONCE(test_tsk_need_resched(next));
An upstream patch has been provided to address this issue and the WARN_ON_ONCE() call is no longer present in schedule(), thus fixing this bug.
BZ#786996
Prior to this update, bugs in the close() and send() functions caused delays and operation of these two functions took too long to complete. This update adds the IUCV_CLOSED state change and improves locking for close(). Also, the net_device handling has been improved in send(). As a result, the delays no longer occur.
BZ#770250
On NFS, when repeatedly reading a directory whose content kept changing, the client issued the same readdir request twice. Consequently, the following warning messages were returned to the dmesg output:
NFS: directory A/B/C contains a readdir loop.
This update fixes the bug by turning off the loop detection and letting the NFS client try to recover in the described scenario, and the messages are no longer returned.
BZ#635817
A number of patches have been applied to the kernel in Red Hat Enterprise Linux 6.3 to improve overall performance and reduce boot time on extremely large UV systems (patches were tested on a system with 2048 cores and 16 TB of memory). Additionally, boot messages for the SGI UV2 platform were updated.
BZ#822697
Previously, if creation of an MFN (Machine Frame Number) was lazily deferred, the MFN could appear invalid when it was not. If at this point read_pmd_atomic() was called, which then called the paravirtualized __pmd() function, and returned zero, the kernel could terminate unexpectedly. With this update, the __pmd() call is avoided in the described scenario and the open-coded compound literal is returned instead, thus fixing this bug.
BZ#781566
Previously, on a system where intermediate P-states were disabled, the powernow-k8 driver could cause a kernel panic in the cpufreq subsystem. Additionally, not all available P-states were recognized by the driver. This update modifies the driver code so that it now properly recognizes all P-states and does not cause the panics in the described scenario.
BZ#783497
Due to an off-by-one bug in max_blocks checks, on the 64-bit PowerPC architecture, the tmpfs file system did not respect the size= parameter and consequently reported an incorrect number of available blocks. A backported upstream patch has been provided to address this issue and tmpfs now respects the size= parameter as expected.
BZ#681906
This update introduces a performance enhancement which dramatically improves the time taken to read large directories from disk when accessing them sequentially. Large in this case means several hundred thousand entries or more. It does not affect the speed of looking up individual files (which is already fast), nor does it make any noticeable difference for smaller directories. Once a directory is cached, then again no difference can be noticed in performance. The initial read however, should be faster due to the readahead which this update introduces.
BZ#729586
Red Hat Enterprise Linux 6.1 introduced naming scheme adjustments for emulated SCSI disks used with paravirtual drivers to prevent namespace clashes between emulated IDE and emulated SCSI disks. Both emulated disk types use the paravirt block device xvd. Consider the example below:
Table 5.1. The naming scheme example
Disk type | Red Hat Enterprise Linux 6.0 | Red Hat Enterprise Linux 6.1 or later
emulated IDE | hda -> xvda | unchanged
emulated SCSI | sda -> xvda | sda -> xvde, sdb -> xvdf, ...

This update introduces a new module parameter, xen_blkfront.sda_is_xvda, that provides a seamless upgrade path from 6.0 to 6.3 kernel release. The default value of xen_blkfront.sda_is_xvda is 0 and it keeps the naming scheme consistent with 6.1 and later releases. When xen_blkfront.sda_is_xvda is set to 1, the naming scheme reverts to the 6.0-compatible mode.

Note

Note that when upgrading from 6.0 to 6.3 release, if a virtual machine specifies emulated SCSI devices and utilizes paravirtual drivers and uses explicit disk names such as xvd[a-d], it is advised to add the xen_blkfront.sda_is_xvda=1 parameter to the kernel command line before performing the upgrade.
BZ#756307
In previous Red Hat Enterprise Linux 6 releases, the kernel option xen_emul_unplug=never did not disable the Xen platform PCI device, which led to para-virtual devices being used instead of emulated ones. This fix, in addition to fixing the IRQ allocation issue for emulated network devices, allows para-virtual drivers to be disabled using the xen_emul_unplug=never kernel option as described in "Virtualization Guide: Edition 5.8" chapter "12.3.5. Xen Para-virtualized Drivers on Red Hat Enterprise Linux 6".
BZ#749251
When a process isolation mechanism such as LXC (Linux Containers) was used and the user space was running without the CAP_SYS_ADMIN capability, a jailed root user could bypass the dmesg_restrict protection, creating an inconsistency. Now, writing to dmesg_restrict is only allowed when the root user has the CAP_SYS_ADMIN capability, thus preventing this bug.
BZ#788591
Previously, the code for loading multipath tables attempted to load the scsi_dh module even when it was already loaded, which caused the system to become unresponsive. With this update, the code does not attempt to load the scsi_dh module when it is already loaded and multipath tables are loaded successfully.
BZ#801877
Due to an error in the code for ASPM (Active State Power Management) tracking, the system terminated unexpectedly after attempts to remove a PCI bus with both PCIe and PCI devices connected to it when PCIe ASPM was disabled using the "pcie_aspm=off" kernel parameter. This update ensures that the ASPM handling code is not executed when ASPM is disabled and the server no longer crashes in the aforementioned scenario.
BZ#804608
Due to an error in the underlying source code, the perf performance counter subsystem calculated event frequencies incorrectly. This update fixes the code and calculation of event frequencies now returns correct results.
BZ#787771
Previously, when a memory allocation failure occurred, the mlx4 driver did not free the previously allocated memory correctly. Consequently, hotplug removal of devices using the mlx4 driver could not be performed. With this update, a memory allocation failure still occurs when the device MTU (Maximum Transmission Unit) is set to 9000, but hotplug removal of the device is possible after the failure.
BZ#787762
Previously, an incorrect portion of memory was freed when unmapping a DMA (Direct Memory Access) area used by the mlx4 driver. Consequently, a DMA leak occurred after removing a network device that used the driver. This update ensures that the mlx4 driver unmaps the correct portion of memory. As a result, the memory is freed correctly and no DMA leak occurs.
BZ#812415
The Intel SCU driver did not properly interact with the system BIOS to honor the Spread Spectrum Clock (SSC) settings and state set through the BIOS controls: even though the SSC mode was enabled in the preboot BIOS environment, it became disabled after boot due to incorrect parameter parsing from the ROM option. With this update, the kernel driver has been modified to correctly parse OEM parameters from the ROM option and the problem no longer occurs.
BZ#811023
The iw_cxgb4 driver has been updated so as to fix a race that occurred when an ingress abort failed to wake up the thread blocked in rdma_init() causing the application to become unresponsive. Also, the driver has been modified to return and not to call the wake_up() function if no endpoint is found as this is not necessary.
BZ#818371
When creating a snapshot of a mounted RAID volume, a kernel panic could occur. This happened because a timer designed to wake up an I/O processing thread was not deactivated when the RAID device was replaced by a snapshot origin. The timer then woke a thread that attempted to access memory that had already been freed, resulting in a kernel panic. With this update, this bug has been fixed and the kernel panic no longer occurs in this scenario.
BZ#821329
Previously, attempts to add a write-intent bitmap to an MD array using v1.0 metadata and then using the array without rebooting caused a kernel OOPS. This occurred because the kernel did not reload the bitmap information correctly after creating the bitmap. With this update, the kernel loads the information correctly on bitmap creation, as expected and the kernel OOPS no longer occurs.
BZ#817090
On S/390 servers, a kernel panic occurred if there was high traffic workload on HiperSockets devices. This happened due to a conflict in the qeth driver between asynchronous delivery of storage blocks for HiperSockets and outdated SIGA (System Information GAthering) HiperSockets code. With this update, the SIGA retry code has been removed from the qeth driver and the problem no longer occurs.

Enhancements

Note

For more information on the most important of the RHEL 6.3 kernel enhancements, refer to the Kernel and Device Drivers chapters in the Red Hat Enterprise Linux 6.3 Release Notes.
For a summary of added or updated procfs entries, sysfs default values, boot parameters, kernel configuration options, or any noticeable behavior changes, refer to Chapter 1, Important Kernel Changes to Note.
BZ#808315
LED support has been added to the sysfs interfaces.
BZ#805658
The WinFast VP200 H (Teradici) snd-hda-intel audio device has been added, and is recognized by the alsa driver.
BZ#744301
The Brocade BFA Fibre Channel and FCoE driver is no longer a Technology Preview. In Red Hat Enterprise Linux 6.3 the BFA driver is fully supported.
BZ#744302
The Brocade BNA driver for Brocade 10Gb PCIe ethernet Controllers is no longer a Technology Preview. In Red Hat Enterprise Linux 6.3 the BNA driver is fully supported.
BZ#696383
Persistent storage (pstore), a file system interface for platform dependent persistent storage, now supports UEFI.
BZ#661765
This release adds support for a new kernel auditing feature that allows for inter-field comparisons. For each audit event, the kernel collects information about what is causing the event. Now, you can use the "-C" command to tell the kernel to compare: auid, uid, euid, suid, fsuid, or obj_uid; and gid, egid, sgid, fsgid, or obj_gid. The two groups cannot be mixed. Comparisons can use either of the equal or not equal operators.
BZ#821561
This update adds the rh_check_unsupported() function and blacklists unsupported future Intel processors.
BZ#786997
When AF_IUCV sockets were using the HiperSockets transport, the maximum message size for such transports depended on the MTU (maximum transmission unit) size of the HiperSockets device bound to an AF_IUCV socket. However, a socket program could not determine the maximum size of a message. This update adds the MSGSIZE option for the getsockopt() function. Through this option, the maximum message size can be read and properly handled by AF_IUCV.
BZ#596419
The cred argument has been included in the security_capable() function so that it can be used in a wider range of call sites.
BZ#773052
Red Hat Enterprise Linux 6.3 adds support for the Wacom Cintiq 24HD (a 24-inch Drawing Tablet).
BZ#738720
This update adds additional fixed tracepoints to trace signal events.
BZ#704003
This update adds the missing raid6test.ko module.
BZ#788634
The keyrings kernel facility has been upgraded to the upstream version, which provides a number of bug fixes and enhancements over the previous version. In particular, the garbage collection mechanism has been re-worked.
BZ#788156
The perf tool has been upgraded to upstream version 3.3-rc1, which provides a number of bug fixes and enhancements over the previous version.
BZ#766952
The wireless LAN subsystem has been updated. It introduces the dma_unmap state API and adds a new kernel header file: include/linux/pci-dma.h.
BZ#723018
The dm-thinp targets, thin and thin-pool, provide a device mapper device with thin-provisioning and scalable snapshot capabilities. This feature is available as a Technology Preview.
BZ#768460
In Red Hat Enterprise Linux 6.3, SHA384 and SHA512 HMAC authentication algorithms have been added to XFRM.
Users should upgrade to these updated packages, which contain backported patches to correct these issues, fix these bugs, and add these enhancements. The system must be rebooted for this update to take effect.

5.94. kexec-tools

Updated kexec-tools packages that fix multiple bugs and add several enhancements are now available for Red Hat Enterprise Linux 6.
The kexec-tools package provides the /sbin/kexec binary that facilitates booting a new kernel using the kernel kexec feature. This package contains ancillary utilities that together with the binary form the user-space component of the kernel kexec feature.
Bug Fixes
BZ#821930
The kdump utility failed to find the member device if a member device of a bridge was renamed, that is, it was not using its default device name. Consequently, bridge mapping and kdump over network failed. With this update, the bridge member details are acquired from transformed ifcfg files when gaining the bridge member name for the dump kernel and kdump over network succeeds in this scenario.
BZ#798886
The kdump utility does not support Xen para-virtualized (PV) drivers on Hardware Virtualized Machine (HVM) guests. Therefore, kdump failed to start if the guest had PV drivers. This update modifies the code to allow kdump to start without PV drivers on HVM guests configured with PV drivers.
BZ#752458
Previously, kdump did not handle dumping over a bonding device in an IEEE 802.1Q network correctly and failed when requesting a core dump through such a device. With this update, code to allow kdump to handle VLAN tagging, so as to operate on such bonding devices properly, has been added and kdump succeeds under these circumstances.
BZ#812816
On IBM System z architectures, kdump request over network failed as no core dump was found on the remote server. This happened because network devices were not brought online before IP configuration. The IP configuration, therefore, referred to a non-existing network interface and the connection failed. With this update, network devices are brought online before the IP information is set.
BZ#805803
Previously, kdump did not bring up a bonding device and failed if the BOOTPROTO property in the ifcfg<device> networking script of the bonding device was set to none. This happened because the mkdumprd utility did not handle the BOOTPROTO setting correctly. With this update, mkdumprd handles the setting correctly and kdump succeeds when dumping remotely over a bonding device with the BOOTPROTO=none setting.
BZ#802201
On x86 architectures, if the crashkernel boot option is set to auto to allow automatic reservation of memory for the kdump kernel, the threshold memory changes to 2 GB. However, the firstboot application was incorrectly using the 4 GB threshold. With this update, firstboot uses the same threshold value as the kernel.
BZ#785264
When kdump did not have permissions to dump to an NFS (Network File System) target, a kernel panic occurred. This happened because the init script of the kdump kernel did not check permissions to the target NFS resource after kdump had already started. With this update, the init script checks the NFS directory permissions and kdump performs the default action specified by the user for situations when NFS dump fails due to lacking permissions.
BZ#738290
Previously, kdump failed if run with FCoE HBA Driver (fnic) and iSCSI dump targets. This update adds the FNIC and iSCSI drivers to kdump and kdump succeeds with such dump target devices.
BZ#814629
The mkdumprd utility uses the root device as the default dump target for the kdump initrd if the /etc/kdump.conf file does not define a dump target. However, mkdumprd used the device name instead of its UUID (Universally Unique Identifier), which could cause kdump to fail. With this update, the device UUID is used instead of its device name by default and kdump over root device succeeds in the scenario described.
BZ#743551
Previously, kdump could not capture the core dump when the target partition was encrypted and errors occurred. With this update, kdump warns the user when they specify an encrypted device as a dump target.
BZ#748654
Due to a bug in the makedumpfile utility, the utility failed when used to re-filter the vmcore core dump. With this update, makedumpfile has been modified to handle the input from vmcore correctly.
BZ#771671
Previously, when makedumpfile was redirected using the pipeline to ssh and failed, kdump did not drop the shell to the user even though the default_action property was set to shell in the kdump.conf file. With this update, the pipeline redirection fails as soon as makedumpfile fails and the shell is dropped immediately in the scenario described.
BZ#781919
Previously, due to a bug in the mkdumprd utility, data on an NFS server could be removed when the NFS unmount process failed. With this update, the problem has been fixed and the original data on the NFS server is now retained unchanged if unmounting fails.
BZ#761488
The kdump kernel did not clear the MCE (Machine Check Exception) status propagated from the kernel; the kdump kernel continued to boot without clearing the MCE status bits and triggered the MCE error again. With this update the MCE error in the kernel is not passed to the kdump kernel.
BZ#805464
The kdump utility did not bring DASDs (Direct Access Storage Devices) online before copying the vmcore file on IBM System z architectures. Consequently, kdump was waiting for the device and became unresponsive. With this update, DASD devices are brought online before copying vmcore and kdump works as expected in the scenario described.
BZ#753756
When running kdump after a kernel crash on a system with an ext4 file system, the kdump initrd (initial RAM disk) could have been created with zero-byte size. This happened because the system waits for several seconds before writing the changes to the disk on an ext4 file system. Consequently, the kdump initial root file system (rootfs) could not be mounted and kdump failed. This update modifies kexec-tools so that it performs the sync operations after creating initrd. This ensures that initrd is properly written to the disk before trying to mount rootfs, and kdump now successfully proceeds and captures the core dump on systems with an ext4 file system.
BZ#759003
When using SSH or NFS, it was not possible to capture the vmcore file if using a static IP without a gateway. This happened because the mkdumprd utility wrote an empty value as the gateway address into initrd. With this update, the gateway address is not assigned any value and kdump in such environments succeeds.
BZ#782674
On IBM System z, the makedumpfile command could fail because it did not translate virtual addresses to physical addresses correctly. With this update, makedumpfile handles virtual addresses correctly on these architectures and the command execution succeeds in this scenario.
BZ#784114
The kdump utility failed to load proper fonts for the kdump shell. Consequently, colored characters were returned in the Cyrillic alphabet in the kdump shell. With this update, the console fonts are installed in kdump initrd and the kdump default shell returns colored characters in the Latin alphabet as expected.
BZ#794580
The mkdumprd utility handled only the default path (the /lib/modules/<kernelVersion>/ directory) of a modprobe and did not cover other module directories. Consequently, mkdumprd failed if there were modules located in a directory other than the default path. The mkdumprd utility now handles /lib/modules/<kernelVersion>/updates/ as well as the /lib/modules/<kernelVersion>/ directory and mkdumprd succeeds under these circumstances.
BZ#697657
Previously, even though the SELinux policycoreutils package was not installed, mkdumprd used the sestatus and setenforce utilities. Consequently, kdump threw the following error while propagating ssh keys:
/etc/init.d/kdump: line 281: /usr/sbin/sestatus: No such file or directory
With this update, mkdumprd acquires information on the policycoreutils availability and processes the SELinux attribute using the sysfs tool.

Note

When the policycoreutils package is removed, SELinux must be disabled by adding the selinux=0 option to the kernel command line. A system with SELinux enabled and the policycoreutils package not installed is considered a broken environment in which kdump returns the aforementioned errors. When you remove the policycoreutils package, make sure you have also disabled SELinux with selinux=0; otherwise, the problem will persist.
BZ#801497
The restricted shell (rksh) does not allow redirections using a pipeline. Consequently, kdump failed if the remote user that was used when requesting the core dump was configured with a restricted shell. With this update, the dd command is used instead of cat to copy vmcore, and kdump succeeds when a remote user uses the rksh shell.
BZ#635583
Previously, kdump could become unresponsive if called through a wireless interface as this option is not supported even though the iwlwifi (Intel Wireless WiFi Link) modules for interface devices were included in kdump initrd. With this update, the iwlwifi modules are no longer loaded into kdump initrd.
BZ#600575
Previously, the order in which kdump loaded storage drivers sometimes caused USB-attached storage not to be detected correctly on certain 32-bit x86 systems. Consequently, devices were enumerated wrongly, and dumps therefore failed. The code has been fixed and the core dump takes place successfully.
BZ#699318
The mkdumprd utility ignored the PREFIX variable setting and the ifconfig utility failed during core dumping over network. With this update, the mkdumprd utility handles the PREFIX variable setting in ifcfg-<device> network scripts correctly.
BZ#794981
When the dump target was a raw device, the kdump init script created an unnecessary directory and an empty vmcore file in the /var/crash/ directory. With this update, kdump checks the device header of the target device. If the header is invalid, kdump does not handle the situation as a crash and the redundant resources are no longer created on raw devices.
BZ#729675
When booting the kdump environment failed, kdump mounted the root device and ran the init script in user space if no default action was specified in the kdump.conf file. However, running init in user space to capture the core dump could cause an OOM (Out of Memory) state in the dump kernel. With this update, the kernel is now rebooted by default under these circumstances. Also, a new default option, mount_root_run_init, has been added to kdump. With this option, the kernel mounts the root partition, and runs the init and kdump service to try to save the kernel core dump, which allows the user to apply the previous behavior of kdump.
Enhancements
BZ#738866
Support for kdump on IBM System z has been added.
BZ#805040
The firstboot utility now supports configuring kdump for IBM S/390 architectures.
BZ#694498
Previously, the vmcore core dump could contain sensitive information, such as security keys, and potentially leak security information of the root user. With this update, the makedumpfile tool filters out such sensitive kernel data and vmcore no longer contains any sensitive security information.
BZ#738864
On IBM System z, the makedumpfile utility has been improved to handle vmcore correctly and the output no longer contains spurious errors.
BZ#795804
The kdump utility now supports the NFSv4 file system format.
BZ#736886
The makedumpfile utility can now handle Fujitsu's sadump dump format.
BZ#727413
The kdump utility now supports multipath storage devices as its dump targets.
Users of kexec-tools should upgrade to these updated packages, which fix these bugs and add these enhancements.

5.95. keyutils

Updated keyutils packages that add one enhancement are now available for Red Hat Enterprise Linux 6.
The keyutils package provides utilities to control the Linux kernel key management facility and to provide a mechanism by which the kernel calls up to user space to get a key instantiated.

Enhancement

BZ#772497
With this update, the request-key utility allows multiple configuration files to be provided. The request-key configuration file and its associated key-type specific variants are used by the request-key utility to determine which program should be run to instantiate a key.
All users of keyutils are advised to upgrade to these updated packages, which add this enhancement.

5.96. krb5

Updated krb5 packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC).
Bug Fixes
BZ#748528
When obtaining initial credentials using a keytab file, a client failed to generate encrypted timestamp pre-authentication data to be sent to a KDC. This happened if the keytab file did not include a key of the first encryption type which the server suggested that the client could use, even if the client possessed other keys which would have been acceptable for this purpose. Attempts to use the kinit command with a keytab file often failed when the keytab file did not contain AES keys, but the client's libraries and the KDC both supported AES. If the client libraries and the KDC both support at least one encryption type for which the keytab contains a key, the client now succeeds in obtaining credentials.
BZ#752405
If the KDC was started with the "-w" flag, and one of the worker processes which it started exited abnormally, the KDC failed to correctly update its count of the number of child processes which were still running. Consequently, the KDC waited for one or more of its worker processes to exit when it was shut down, but because those processes had already exited, it would never finish. This update backports a fix to correctly account for the number of running processes and the KDC now shuts down correctly in the scenario described.
BZ#761006
If a GSS acceptor application exported its security context, the file handle for the replay cache which it had used while establishing the security context would not be properly closed. Consequently, the number of opened files increased until the limit for the process was reached. When this happened in rpc.svcgssd, which exports all of its contexts in order to pass information to the kernel, the daemon became unresponsive. This update backports the fix for this bug and the file handles are now properly closed.
BZ#813883
When the system was authenticated to a Windows AD using SSSD, the Kerberos credentials cache files created after login were mislabeled with an incorrect SELinux context. This was because the SELinux context was not re-created for a new replay cache, and instead the context of the old replay cache was used for new files. Kerberos credential cache files are now properly labelled with a correct SELinux context.
BZ#801033
When uninstalling the krb5-workstation package, info pages in the package were being removed from the info page index after the files were already removed. Info pages are now removed from the info page index before they are removed.
BZ#786216
When a client asks a KDC for a ticket, it can set a flag (the canonicalize bit) in its request indicating that it will accept a referral to another realm if that service is in a different realm. If the service is in a different realm, the KDC may then reply with a cross-realm TGT, indicating that the request should be made to a different realm. In some cases, for example when obtaining password-changing credentials, a referral TGT for the same realm was generated. This could create a loop in the process which was caught and an error was returned, failing to acquire the password-changing credentials. With this update, the same request is now retried without the canonicalize bit set, which elicits the desired result from the KDC.
Enhancements
BZ#761523
This update backports modifications to the Kerberos client which allow server applications to store credentials which have been obtained using s4u2proxy in a credential cache.
BZ#799161
This update backports modifications which allow GSS acceptor applications to better accept authentication from clients which use mechanisms other than the server's default, but which the server could still support.
BZ#782211
Previous versions of Red Hat Enterprise Linux contained modifications to allow Kerberos-aware services to accept authentication requests which were encrypted using keys marked with version number "0" regardless of the version number used in the keytab. While this is now the default behavior when a service does not specify its principal name to the APIs which it uses, the krb5_verify_init_creds() function, and applications which use it, still required the modifications to support these cases. This update reintroduces them.
Users are advised to upgrade to these updated krb5 packages, which provide numerous bug fixes and enhancements.

5.97. ksh

Updated ksh packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.
KSH-93 is the most recent version of the KornShell by David Korn of AT&T Bell Laboratories. KornShell is a shell programming language which is also compatible with sh, the original Bourne Shell.

Bug Fixes

BZ#577223
Previously, ksh sometimes did not restore terminal settings after read timeout when operating in a multibyte environment. This could cause the terminal to no longer echo input characters. This update applies a patch ensuring that the terminal is restored properly after the timeout and the user's input is now echoed as expected.
BZ#742930
When exiting a subshell after a command substitution, ksh could prematurely exit without any error message. With this update, ksh no longer terminates under these circumstances and all subsequent commands are processed correctly.
BZ#743840
Previously, ksh did not prevent modifications of variables of the read-only type. As a consequence, ksh terminated unexpectedly with a segmentation fault when such a variable was modified. With this update, modification of read-only variables is not allowed, and ksh prints an error message in this scenario.
BZ#781498
Previously, ksh did not close certain file descriptors prior to execution. This could lead to a file descriptor leak, and certain applications could consequently report error messages. With this update, file descriptors are marked to be closed on execution if appropriate, so file descriptor leaks no longer occur.
BZ#781976
In certain cases, ksh unnecessarily called the vfork() function. An extra process was created, and it could be difficult to determine how many instances of a script were running. A patch has been applied to address this problem, and extra processes are no longer created if not required.
BZ#786787
Previously, ksh could incorrectly seek in the input stream. This could lead to data corruption in the here-document section of a script. This update corrects the seek behavior, so the data no longer gets corrupted in this scenario.
BZ#798868
Previously, ksh did not allocate the correct amount of memory for its data structures containing information about file descriptors. When running a task that used file descriptors extensively, ksh terminated unexpectedly with a segmentation fault. With this update, the proper amount of memory is allocated, and ksh no longer crashes if file descriptors are used extensively.
BZ#800684
Previously, ksh did not expand the tilde (~) character properly. For example, characters in the tilde prefix were not treated as a login name but as a part of the path and the "No such file or directory" message was displayed. The underlying source code has been modified and tilde expansion now works as expected in such a scenario.
All users of ksh are advised to upgrade to these updated packages, which fix these bugs.

5.98. latencytop

Updated latencytop packages that fix one bug and add one enhancement are now available for Red Hat Enterprise Linux 6.
LatencyTOP is a tool to monitor system latencies.

Bug Fix

BZ#633698
When running LatencyTOP as a normal user, LatencyTOP attempted and failed to mount the debug file system. A misleading error message was displayed, suggesting that kernel-debug be installed even though this was already the running kernel. LatencyTOP has been improved to exit and display "Permission denied" when run as a normal user. In addition, fsync view has been removed from the "latencytop" package because it depended on a non-standard kernel tracer that was never present in Red Hat Enterprise Linux kernels or upstream kernels. As a result, LatencyTOP no longer attempts to mount the debugfs file system.

Enhancement

BZ#726476
The "latencytop" package requires GTK libraries. Having GTK libraries installed on servers may be undesirable. A build of LatencyTOP without dependencies on GTK libraries is now available under the package name "latencytop-tui".
Users are advised to upgrade to these updated latencytop packages, which fix this bug and add this enhancement.

5.99. libbonobo

Updated libbonobo packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The libbonobo packages contain the libraries for bonobo, which is a component system based on CORBA, used by the GNOME desktop.

Bug Fix

BZ#728458
Prior to this update, the activation server incorrectly handled parse errors in server files, for example incorrectly nested tags. As a consequence, the activation server could, under certain circumstances, unexpectedly terminate with an abort signal upon encountering invalid server files in the activation path. This update modifies the underlying code so that invalid files no longer cause unexpected termination.
All users of libbonobo are advised to upgrade to these updated packages which fix this bug.

5.100. libcgroup

Updated libcgroup packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The libcgroup packages provide tools and libraries to control and monitor control groups.

Bug Fix

BZ#758493
Prior to this update, a bug in the libcgroup package caused admin_id and admin_gid to not be displayed correctly because cgroup control files were not differentiated from the 'tasks' file. This update fixes this problem by adding a check in the 'cgroup_fill_cgc()' function to see if a file is a 'tasks' file or not.
All users are advised to upgrade to these updated libcgroup packages, which fix this bug.

5.101. liberation-fonts

Updated liberation-fonts packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The liberation-fonts packages provide fonts intended to replace the three most commonly used fonts on Microsoft systems: Times New Roman, Arial, and Courier New.

Bug Fix

BZ#772165
Previously, the "fonts.dir" file provided with the liberation-fonts packages was empty. As a consequence, legacy applications were not able to make use of liberation-fonts even when the package was installed. This was because the "mkfontscale" command was run after the "mkfontdir" command. The order of running the commands has been changed and legacy applications can use liberation-fonts as expected.
All users of liberation-fonts are advised to upgrade to these updated packages, which fix this bug.

5.102. libevent

Updated libevent packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The libevent API provides a mechanism to execute a callback function when a specific event occurs on a file descriptor or after a timeout has been reached.

Bug Fix

BZ#658051
Prior to this update, several multilib files in the optional repositories could cause conflicts. As a consequence, these files could not use both a primary and a secondary architecture. This update modifies the underlying source code so that no more multilib file conflicts occur.
All users of libevent or applications that require the libevent library are advised to upgrade to these updated packages, which fix this bug.

5.103. libguestfs

Updated libguestfs packages that fix one security issue, multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link associated with the description below.
The libguestfs package contains a library for accessing and modifying guest disk images.

Upgrade to an upstream version

The libguestfs package has been upgraded to upstream version 1.16, which provides a number of bug fixes and enhancements over the previous version. (BZ#719879)
Security Fix
CVE-2012-2690
It was found that editing files with virt-edit left said files in a world-readable state (and did not preserve the file owner or Security-Enhanced Linux context). If an administrator on the host used virt-edit to edit a file inside a guest, the file would be left with world-readable permissions. This could lead to unprivileged guest users accessing files they would otherwise be unable to.
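The failure mode described above, shown side by side with a replacement routine that keeps the original metadata. This is an added Python illustration, not code from libguestfs or virt-edit; the function names and the sample file contents are constructed for the example.

```python
import os
import stat
import tempfile

SELINUX_XATTR = "security.selinux"  # xattr that holds a file's SELinux context


def replace_naive(path, new_data):
    """Pattern the advisory describes: the edited copy becomes a brand-new file."""
    tmp = path + ".new"
    with open(tmp, "wb") as f:   # mode is 0666 & ~umask, owner is the editor
        f.write(new_data)
    os.rename(tmp, path)         # the original's mode, owner and label are lost


def _copy_selinux_label(src_path, dst_fd):
    """Copy the SELinux label if the original has one; fail if it cannot be kept."""
    if not hasattr(os, "getxattr"):
        return                   # platform without xattr support
    try:
        label = os.getxattr(src_path, SELINUX_XATTR)
    except OSError:
        return                   # original is unlabelled
    try:
        os.setxattr(dst_fd, SELINUX_XATTR, label)
    except OSError:
        try:
            current = os.getxattr(dst_fd, SELINUX_XATTR)
        except OSError:
            current = None
        if current != label:     # refuse to install a differently labelled file
            raise


def replace_preserving(path, new_data):
    """Write the edit to a private temp file, restore metadata, then rename."""
    st = os.stat(path)
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the file 0600, so the data is never exposed mid-edit.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".edit-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(new_data)
            f.flush()
            # Owner first: chown may clear set-user-ID/set-group-ID bits.
            try:
                os.fchown(fd, st.st_uid, st.st_gid)
            except PermissionError:
                now = os.fstat(fd)
                if (now.st_uid, now.st_gid) != (st.st_uid, st.st_gid):
                    raise        # cannot restore ownership: do not replace
            os.fchmod(fd, stat.S_IMODE(st.st_mode))
            _copy_selinux_label(path, fd)
            os.fsync(fd)
        os.rename(tmp, path)     # atomic swap within the same directory
    except BaseException:
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass
        raise


def demo():
    """Edit a 0600 file both ways; return {name: (resulting mode, content)}."""
    old_umask = os.umask(0o022)  # typical administrator umask
    try:
        with tempfile.TemporaryDirectory() as d:
            results = {}
            for name, fn in (("naive", replace_naive),
                             ("preserving", replace_preserving)):
                p = os.path.join(d, name + "-secret.conf")
                with open(p, "wb") as f:
                    f.write(b"password=old\n")   # constructed sample content
                os.chmod(p, 0o600)
                fn(p, b"password=new\n")
                with open(p, "rb") as f:
                    results[name] = (stat.S_IMODE(os.stat(p).st_mode), f.read())
            return results
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for name, (mode, _) in demo().items():
        print(name, oct(mode))
```
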
Bug Fixes
BZ#647174
When cloning, the virt-clone tool incorrectly adopted some of the properties of the original virtual machine image, for example, the udev rules for network interface: the clone was then created with a NIC identical to the NIC of the original virtual machine NIC. With this update, the virt-sysprep and virt-sparsify tools have been added to solve this problem. The virt-sysprep tool can erase the state from guests, and virt-sparsify can make guest images sparse. Users are advised to use virt-sysprep and virt-sparsify either as a replacement for or in conjunction with virt-clone.
BZ#789960
The libguestfs daemon terminated unexpectedly when it attempted to mount a non-existent disk. This happened because libguestfs returned an unexpected error to any program that accidentally tried to mount a non-existent disk and all further operations intended to handle such a situation failed. With this update, libguestfs returns an appropriate error message and remains stable in the scenario described.
BZ#790958
If two threads in one program called the guestfs_launch() function at the same time, an unexpected error could be returned. The respective code in the libguestfs library has been modified to be thread-safe in this scenario and the library can be used from multi-threaded programs with more than one libguestfs handle.
BZ#769359
After a block device was closed, the udev device manager triggered a process which re-opened the block device. Consequently, libguestfs operations occasionally failed as they rely on the disk being immediately free for the kernel to re-read the partition table. This commonly occurred with the virt-resize feature. With this update, the operations now wait for the udev action to finish and no longer fail in the scenario described.
BZ#809401
In Fedora 17, the /bin directory is a symbolic link, while it was a directory in previous releases. Due to this change, libguestfs could not inspect a guest with Fedora 17 and newer. With this update, the libguestfs inspection has been changed so that it now recognizes such guests as expected.
BZ#729076
Previously, libguestfs considered any disk that contained an autoexec.bat, boot.ini, or ntldr file in its root a candidate for a Windows root disk. If a guest had an HP recovery partition, libguestfs could not recognize the HP recovery partition and handled the system as being dual-boot. Consequently, some virt tools did not work as they do not support multi-boot guests. With this update, libguestfs investigates a potential Windows root disk properly and no longer recognizes the special HP recovery partition as a Windows root disk.
BZ#811673
If launching of certain appliances failed, libguestfs did not set the error string. As Python programs handling the bindings assumed that the error string was not NULL, the binding process terminated unexpectedly with a segmentation fault when the g.launch() function was called under some circumstances. With this update, the error string is now set properly on all failure paths in the described scenario and Python programs no longer terminate with a segmentation fault when calling the g.launch() function under these circumstances.
BZ#812092
The qemu emulator cannot open disk image files that contain the colon character (:). Previously, libguestfs resolved the link to the disk image before sending it to qemu. If the resolved link contained the colon character, qemu failed to run. Also, libguestfs sometimes failed to open a disk image file under these circumstances due to incorrect handling of special characters. With this update, libguestfs no longer resolves a link to a disk image before sending it to qemu and is able to handle any filenames, except for filenames that contain a colon character. Also, libguestfs now returns correct diagnostic messages when presented with a filename that contains a colon character.
Enhancements
BZ#741183
The libguestfs application now provides the virt-alignment-scan tool and updated virt-resize, which can diagnose unaligned partitions on a guest, so that you can fix the problem and improve the partitions' performance. For more information, refer to the virt-alignment-scan(1) and virt-resize(1) manual pages.
BZ#760221
Previously, libguestfs operations could not handle paths to HP Smart Array (cciss) devices. When the virt-p2v tool converted a physical machine that uses Linux software RAID devices to run in a VM, the libguestfs inspection failed to handle the paths in the /etc/fstab file. With this update, support for such cciss paths has been added and the virt-p2v tool is now able to successfully convert these guests.
BZ#760223
When the virt-p2v tool converted a physical machine that uses Linux software RAID devices to run in a VM, the libguestfs inspection failed to handle the paths in the /etc/fstab file. With this update, support for such RAID paths has been added and the virt-p2v tool is now able to successfully convert these guests.
Users of libguestfs should upgrade to these updated packages, which fix these issues and add these enhancements.

5.104. libgweather

An updated libgweather package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The libgweather library is used by applications to access weather information from online services for numerous locations.

Bug Fix

BZ#704105
Previously, the libgweather library did not contain information for the city of Jerusalem, making it impossible to search for the city or select the city from the list of cities offered by the weather panel applet. This update adds the missing information to the libgweather database, so that users can now select Jerusalem as a valid option.
All users of libgweather are advised to upgrade to this updated package, which fixes this bug.

5.105. libhbaapi

Updated libhbaapi packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.
The libhbaapi library is the Host Bus Adapter (HBA) API library for Fibre Channel and Storage Area Network (SAN) resources. It contains a unified API that programmers can use to access, query, observe and modify SAN and Fibre Channel services.
The libhbaapi build environment has been upgraded to upstream version 2.2.5, which provides a number of bug fixes over the previous version. (BZ#788504)

Bug Fix

BZ#806731
Prior to this update, the hba.conf file was not marked for exclusion from verification in the libhbaapi specification file. As a consequence, the file verify function "rpm -V libhbaapi" reported an error in the hba.conf file if the file was changed. This update marks hba.conf in the spec file as "%verify(not md5 size mtime)". Now, the hba.conf file is no longer incorrectly verified.
All users of libhbaapi are advised to upgrade to these updated packages, which fix these bugs.

5.106. libhbalinux

An updated libhbalinux package that fixes multiple bugs and adds various enhancements is now available for Red Hat Enterprise Linux 6.
The libhbalinux package contains the Host Bus Adapter API (HBAAPI) vendor library which uses standard kernel interfaces to obtain information about Fiber Channel Host Buses (FC HBA) in the system.
The libhbalinux packages have been upgraded to upstream version 1.0.13, which provides a number of bug fixes and enhancements over the previous version. (BZ#719584)
All users of libhbalinux are advised to upgrade to this updated libhbalinux package, which fixes these bugs and adds these enhancements.

5.107. libibverbs-rocee and libmlx4-rocee

Updated libibverbs-rocee and libmlx4-rocee packages that fix one bug are now available for Red Hat Enterprise Linux High Performance Network.
The libibverbs-rocee packages provide a library to enable userspace processes to use RDMA over Converged Ethernet (RoCE) "verbs" according to the InfiniBand Architecture Specification and the RoCE Protocol Verbs Specification. The libmlx4-rocee packages provide a device-specific driver for Mellanox ConnectX InfiniBand host channel adapters (HCAs) for the libibverbs-rocee library.

Bug Fix

BZ#805717
Prior to this update, running modprobe could, under certain circumstances, cause an infinite loop. As a consequence, the system ran out of processes and required a restart to recover. This update modifies the underlying code so that an incorrect configuration of options in the /etc/modprobe.d/libmlx4.conf file no longer requires a system restart.

Note

This package is a dependency of the RDMA package and both packages have to be updated together.
All users who require RDMA are advised to upgrade to these updated packages which fix this bug.

5.108. libselinux

Updated libselinux packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The libselinux packages contain the core library of an SELinux system. The libselinux library provides an API for SELinux applications to get and set process and file security contexts, and to obtain security policy decisions. It is required for any applications that use the SELinux API, and used by all applications that are SELinux-aware.

Bug Fix

BZ#717147
While the libselinux library was waiting on a netlink socket, if the wait was interrupted and the socket call failed with the EINTR error, the library returned an error which could cause applications like dbus to fail. With this update, the library now retries the netlink socket when it receives EINTR, rather than failing.
All users of libselinux are advised to upgrade to these updated packages, which fix this bug.

5.109. libservicelog

Updated libservicelog packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The libservicelog packages provide a library for logging service-related events to the servicelog database, and a number of command-line utilities for viewing the contents of the database.

Bug Fix

BZ#814171
Prior to this update, the "servicelog_manage --truncate" command cleared only the "events" table. As a consequence, the other tables were not deleted. This update modifies the "servicelog_event_delete()" function so that all rows in all tables associated with a deleted event are correctly deleted. Now, the tables for "callouts", "os", "rtas", "enclosure" and "repair_actions" are cleared together with the "events" table.
All users of libservicelog are advised to upgrade to these updated packages, which fix this bug.

5.110. libtar

Updated libtar packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The libtar package contains a C library for manipulating tar archives. The library supports both the strict POSIX tar format and many of the commonly used GNU extensions.

Bug Fix

BZ#729009
Previously, the build system configuration files included in the libtar package were incompatible with the way the rpmbuild tool extracts debugging information from the binaries installed to the rpm build root during the build of a package. As a consequence, the libtar-debuginfo package did not contain debugging information. A patch has been applied to address this issue, and the libtar-debuginfo package now contains the appropriate content.
All users of libtar are advised to upgrade to these updated packages, which fix this bug.

5.111. libunistring

An updated libunistring package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The libunistring package contains a portable C library that implements the UTF-8, UTF-16 and UTF-32 Unicode string types, together with functions for character processing (names, classifications, and properties) and functions for string processing (iteration, formatted output, width, word breaks, line breaks, normalization, case folding, and regular expressions).

Bug Fix

BZ#732017
Previously, when calling the malloc() function, no check for the returned pointer was performed to find out whether memory was successfully allocated. Therefore, if a null pointer was returned, this could cause the libunistring library to misbehave in low-memory situations. This update adds the missing check to properly handle such situations.
All users of libunistring are advised to upgrade to this updated package, which fixes this bug.

5.112. libusb1

Updated libusb1 packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The libusb1 packages provide a way for applications to access USB devices.
The libusb1 packages have been upgraded to upstream version 1.0.9, which provides a number of bug fixes and enhancements over the previous version. In addition, this update adds a new API needed for support of the SPICE (The Simple Protocol for Independent Computing Environments) USB redirection. (BZ#758094)
All users of libusb1 are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

5.113. libuser

Updated libuser packages that fix three bugs are now available for Red Hat Enterprise Linux 6.
The libuser library implements a standardized interface for manipulating and administering user and group accounts. The library uses pluggable back-ends to interface to its data sources. Sample applications modeled after those included with the shadow password suite are included.

Bug Fixes

BZ#670151
When creating a user account in Lightweight Directory Access Protocol (LDAP), the libuser library used the value of the "gecos" attribute as the default value of the "cn" attribute. When the "gecos" attribute was empty, this made the value of "cn" invalid, and the creation of the user account failed. With this update, the user name of the account is stored in the "cn" attribute if the "gecos" attribute is empty, thus allowing successful creation of the user account.
BZ#724987
When populating a home directory by copying files from the /etc/skel directory, libuser ignored the "set user-id" and "set group-id" flags. This made it impossible to set up group-shared directories in a home directory. With this update, the "set user-id" and "set group-id" flags are preserved.
BZ#788521
Previously, when searching for the user or group account information in files of certain sizes, the libuser library could terminate unexpectedly with a segmentation fault. A patch has been applied to address this issue, and crashes no longer occur in the aforementioned scenario.
All users of libuser are advised to upgrade to these updated packages, which fix these bugs.

5.114. libvirt

Updated libvirt packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.

Bug Fixes

BZ#827050
Closing a file descriptor multiple times could, under certain circumstances, lead to a failure to execute the qemu-kvm binary. As a consequence, a guest failed to start. A patch has been applied to address this issue, so that the guest now starts successfully.
BZ#832184
Libvirt 0.9.10 has added support for keepalive checking to detect broken connections between the client and the server. However, due to bugs in the implementation this could have caused a failure of service and disconnection, for example, during parallel migrations. The keepalive support is now disabled by default and random disconnections no longer occur.
All users of libvirt are advised to upgrade to these updated packages, which fix these bugs.
Updated libvirt packages that fix one security issue, multiple bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link associated with the description below.
The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.

Upgrade to an upstream version

The libvirt packages have been upgraded to upstream version 0.9.10, which provides a number of bug fixes and enhancements over the previous version. (BZ#752433)
Security Fix
CVE-2012-2693
Bus and device IDs were ignored when attempting to attach multiple USB devices with identical vendor or product IDs to a guest. This could result in the wrong device being attached to a guest, giving that guest root access to the device.
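The selection problem behind this issue, as an added Python illustration that is not libvirt's code: one selector consults only vendor and product IDs, the other honours every field of the request and refuses an ambiguous match. The class and function names, the hostdev XML and the host device list are constructed for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class HostUsb:
    bus: int
    device: int
    vendor: int
    product: int


@dataclass(frozen=True)
class UsbRequest:
    vendor: Optional[int]
    product: Optional[int]
    bus: Optional[int]
    device: Optional[int]


class NoSuchDevice(Exception):
    pass


class AmbiguousDevice(Exception):
    pass


def _num(text):
    """Parse '0x1234' as hex and '7' as decimal; None stays None."""
    if text is None:
        return None
    text = text.strip().lower()
    return int(text, 16) if text.startswith("0x") else int(text, 10)


def parse_hostdev(xml_text: str) -> UsbRequest:
    """Read vendor/product IDs and the bus/device address from a USB <hostdev>."""
    src = ET.fromstring(xml_text).find("source")
    if src is None:
        raise ValueError("hostdev has no <source> element")

    def attr(tag, name):
        el = src.find(tag)
        return _num(el.get(name)) if el is not None else None

    return UsbRequest(attr("vendor", "id"), attr("product", "id"),
                      attr("address", "bus"), attr("address", "device"))


def select_ignoring_address(req: UsbRequest, host: List[HostUsb]) -> HostUsb:
    """Behaviour the advisory describes: bus and device are never consulted."""
    for d in host:
        if d.vendor == req.vendor and d.product == req.product:
            return d             # first match wins, even if it is the wrong one
    raise NoSuchDevice(req)


def select_strict(req: UsbRequest, host: List[HostUsb]) -> HostUsb:
    """Match on every field given and require exactly one candidate."""
    by_ids = req.vendor is not None and req.product is not None
    by_addr = req.bus is not None and req.device is not None
    if not (by_ids or by_addr):
        raise ValueError("request needs vendor+product or bus+device")
    wanted = {k: v for k, v in vars(req).items() if v is not None}
    matches = [d for d in host
               if all(getattr(d, k) == v for k, v in wanted.items())]
    if not matches:
        raise NoSuchDevice(req)
    if len(matches) > 1:
        raise AmbiguousDevice(matches)
    return matches[0]


# Constructed host inventory: two identical tokens on different buses.
HOST = [
    HostUsb(bus=1, device=4, vendor=0x1234, product=0xABCD),
    HostUsb(bus=2, device=7, vendor=0x1234, product=0xABCD),
]

# Constructed guest definition that pins the second token by address.
SAMPLE_XML = """
<hostdev mode='subsystem' type='usb'>
  <source>
    <vendor id='0x1234'/>
    <product id='0xabcd'/>
    <address bus='2' device='7'/>
  </source>
</hostdev>
"""

if __name__ == "__main__":
    req = parse_hostdev(SAMPLE_XML)
    print("ignoring address:", select_ignoring_address(req, HOST))
    print("strict:          ", select_strict(req, HOST))
```
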
Bug Fixes
BZ#754621
Previously, libvirt incorrectly released resources in the macvtap network driver in the underlying code for QEMU. As a consequence, after an attempt to create a virtual machine failed, a macvtap device that was created for the machine could not be deleted from the system. Any virtual machine using the same MAC address could not be created in such a case. With this update, an incorrect function call has been removed, and macvtap devices are properly removed from the system in the scenario described.
BZ#742087
Under certain circumstances, a race condition between asynchronous jobs and query jobs could occur in the QEMU monitor. Consequently, after the QEMU guest was stopped, it failed to start again with the following error message:
error: Failed to start domain [domain name]
error: Timed out during operation cannot acquire state change lock
With this update, libvirt handles this situation properly, and guests now start as expected.
BZ#769500
Previously, libvirt defined a hard limit for the maximum number of virtual machines (500) in Python bindings. As a consequence, the vdsmd daemon was unable to properly discover all virtual machines on a system with more than 500 guests. With this update, the number of virtual machines is now determined dynamically and vdsmd correctly discovers all virtual machines.
BZ#739075
Previously, it was not possible to cancel all migration-family commands (for example, it was possible to cancel the "virsh migration" command, but not the "virsh dump" command). This update implements a mechanism used for "virsh migration" also for the other commands, so it is now possible to cancel these commands.
BZ#773667
Previously, libvirt was unable to verify if there were multiple active PCI devices on the same I/O bus. As a consequence, the "virsh attach-device" command failed even if such a device had already been detached from the host. With this update, libvirt properly checks for active devices on the same PCI I/O bus. Users can now attach devices to a guest successfully if the devices on the same bus are detached from the host.
BZ#701654
When libvirt's virDomainDestroy API is shutting down the qemu process, the API first sends the SIGTERM signal, then waits for 1.6 seconds and, if the process is still running, the API sends the SIGKILL signal. Previously, this could lead to data loss because the guest running in QEMU did not have time to flush its disk cache buffers before it was unexpectedly killed. This update provides a new flag, "VIR_DOMAIN_DESTROY_GRACEFUL". If this flag is set in the call to virDomainDestroyFlags, SIGKILL is not sent to the qemu process; instead, if the timeout is reached and the qemu process still exists, virDomainDestroy returns an error. It is recommended that management applications always first call virDomainDestroyFlags with VIR_DOMAIN_DESTROY_GRACEFUL. If that fails, then the application can decide if and when to call virDomainDestroyFlags again without VIR_DOMAIN_DESTROY_GRACEFUL.
BZ#784151
The localtime_r() function used in the libvirt code was not async-signal safe, which caused child processes to enter a deadlock when attempting to generate a log message. As a consequence, the virsh utility became unresponsive. This update applies backported patches and adds a new API for generating log time stamps in an async-signal safe manner. The virsh utility no longer hangs under these circumstances.
BZ#785269
Previously, if the libvirt package was built with Avahi support, libvirt required the avahi package to be installed on the system as a prerequisite for its own installation. If the avahi package could not be installed on the system due to security concerns, installation of libvirt failed. This update modifies the libvirt.spec file to require only the avahi-libs package. The libvirt package is now successfully installed and libvirtd starts as expected.
BZ#639599
The schema for the XML files contained stricter rules than those that were actually enforced by libvirt. As a consequence, validation tools failed to validate guest XML files that contained special characters in the guest's name even if libvirt accepted the XML file. With this update, the XML schema now allows arbitrary strings with no limitation, leaving the enforcement of rules to the hypervisor driver. As a result, users are now able to validate these XML files.
BZ#785164
Previously, the libxml2 tool did not parse IPv6 URIs as expected. As a consequence, attempting to establish an IPv6 connection through SSH failed, because an invalid IPv6 address was used. A patch has been applied to address this problem and IPv6 connections can now be established successfully in this scenario.
BZ#625362
Previously, the libvirt-guests init script executed operations on guests serially. Consequently, on machines with many guests, the shutdown process took a long time because guests were waiting for other guests to be shut down. The libvirt-guests init script was modified to enable parallel operation on domains, which reduces the time of the shutdown process of the host. Now, guests start and shut down in parallel, and utilize the host system's resources more efficiently.
BZ#783968
When migrating a QEMU virtual machine and using SPICE for a remote display, the migration was failing and the display was erratic under certain circumstances. This was happening because with the incoming migration connection open, QEMU was unable to accept any other connections on the target host. With this update, the underlying code has been modified to delay the migration connection until the SPICE client is connected to the target destination. The guest virtual machines can now be successfully migrated without disrupting the display during the migration.
BZ#701106
Previously, migration of a virtual machine failed if the machine had an ISO image attached as a CD-ROM drive and the ISO domain was inactive. With this update, libvirt introduces the new startupPolicy attribute for removable devices, which allows marking CD-ROM and diskette drives as optional. With this option, virtual machines can now be started or migrated without a removable drive if the source image is inaccessible.
BZ#725373
When a destination host lost network connectivity while a domain was being migrated to it, the migration process could not be canceled. This update implements an internal keep-alive protocol, which is able to detect broken connections or blocked libvirt daemons. When such a situation is detected during migration, libvirt now automatically cancels the process.
BZ#729694
With certain combinations of IDE and VirtIO disks, a guest operating system did not boot after the installation process. This happened because the order of disks in which they were presented to the guest during the installation was different from the order used after the installation. As a result, the system could have been installed on a disk which was not used as the primary bootable disk. With this update, libvirt makes sure that the order in which disks are presented to a guest operating system during the installation is the correct order that will be used later once the guest operating system is installed.
BZ#729940
Previously, libvirt did not provide any way to prevent multiple clients from accessing a console device. When two clients connected to a single console of a guest, the connections entered a race condition on reading data from the console device. Each of the connections only got a fragment of the data and that fragment was not copied to the other connection. This rendered the terminal unusable to all the simultaneous connections. With this update, when opening a console, a check is performed to ensure that only one client is connected to it at a given point in time. If such a session is locked, a new connection has the ability to disconnect previous console sessions. Users are now able to safely access the console and disconnect inactive sessions to take control of a guest in case the console is accidentally left connected.
BZ#769503
Virtualization hosts can have thousands of CPUs and run a thousand guests, and libvirt should be capable of controlling all of them. However, libvirt was not able to do so: the limit was below 1000, so users were unable to fully utilize their hardware. With this update, the array of file descriptors which is passed to the child process is now allocated dynamically and can handle as many file descriptors as possible. Moreover, init and startup scripts have been changed so that the maximum limit of open files can be overridden for the libvirtd daemon. Users can now fully utilize their hardware and run as many guests as they require.
BZ#746666
Due to several problems with security labeling, libvirtd became unresponsive when destroying multiple guest domains with disks on an unreachable NFS storage device. This update fixes the security labeling problems and libvirtd no longer hangs under these circumstances.
BZ#795305
When live migration of a guest was terminated abruptly (using the Ctrl+C key combination), the libvirt daemon could have failed to accept any future migration request of that guest with the following error message:
error: Timed out during operation: cannot acquire state change lock
This update adds support for registering cleanup callbacks which are called for a domain when a connection is closed. The migration API is more robust to failures, and if a migration process is terminated, it can be restarted with a subsequent command.
BZ#752255
Previously, libvirt's implementation of nwfilter attempted to execute a temporary file generated directly in the /tmp/ directory, which failed if /tmp/ was mounted with the "noexec" option for security reasons. The implementation of nwfilter has been improved to avoid the need for a temporary file altogether, so it is no longer necessary for libvirt to modify or use files in the /tmp/ directory.
BZ#575160
Prior to this update, QEMU did not provide a notify mechanism when a block device tray status was changed. As a consequence, libvirt was unable to determine if the block data medium was ejected or was not present inside a guest. If the medium was ejected inside a guest, libvirt started the guest with the media being still present when migrating, saving and restoring the guest. This update introduces a new XML attribute for removable disk devices to represent and update the tray status.
BZ#758026
Under certain circumstances, a rare race condition between the poll() event handler and the dmidecode utility could occur. This race could result in dmidecode waiting indefinitely to perform a read operation on the already closed file descriptor. As a consequence, it was impossible to perform any tasks for virtualized guests using the libvirtd management daemon, or perform certain tasks using the virt-manager utility, such as creating a new virtual machine. This update modifies the underlying code so that the race condition no longer occurs and libvirtd and virt-manager work as expected.
BZ#758870
The libvirtd daemon could become unresponsive when starting the QEMU driver because the dmidecode tool needed a lot of time to process a large amount of data. It was consequently impossible to connect to the QEMU driver. The underlying source code has been modified to properly handle the POLLHUP event, so that users can now connect to the QEMU driver successfully in this scenario.
BZ#767333
The management application can request a guest to shut down or reboot. However, this was previously implemented by issuing Advanced Configuration and Power Interface (ACPI) events to a guest which could have ignored them. Consequently, the management application was unable to reboot such a guest. This update implements support for the guest-agent application that runs on a guest and calls the "shutdown" or "reboot" command when required. This means that a guest can be shut down or rebooted even when the guest ignores the ACPI events.
BZ#754128
When shutting down, a virtual machine changed its status from the "Up" state to the "Paused" state before it was shut down. The "Paused" state represented the state when the guest had been already stopped, but QEMU was flushing its internal buffers and was waiting for libvirt to kill it. This state change confused users, so this update adds respective events and modifies libvirt to use the "shutdown" state. A virtual machine now moves from "Up" to "Powering Down" and then to the "Down" state.
BZ#733587
If a domain failed to start, the host device for the domain was re-attached to the host regardless of whether the device was used by another domain. The underlying source code has been modified so that the device that is being used by another domain is not re-attached.
BZ#726174
Differences between the Red Hat Enterprise Linux and Debian implementations of the "nc" command, such as the presence or absence of the "-q" option, could lead to various problems. For example, attempting to use a remote connection from a client expecting certain behavior to a server providing another behavior could fail on reconnection. With this update, libvirt probes capabilities of the "nc" command, and uses the appropriate options of the server even if the options differ from the "nc" on the client, which allows for successful interaction between either type of operating system.
BZ#771603
In Red Hat Enterprise Linux 6.2, libvirt unconditionally reserved PCI address 0:0:2.0 for a VGA adapter. Any domain that was created using an earlier version of libvirt with no VGA adapter and had another PCI device attached at this address could not be started. With this update, libvirt does not automatically use this PCI address for any device except for a VGA adapter. However, other devices can be attached at this address explicitly (either by the user or by using an older version of libvirt) and libvirt does not forbid starting domains with such devices. Thus, domains that could not be migrated from Red Hat Enterprise Linux 6.1 to 6.2 can be migrated from Red Hat Enterprise Linux 6.1 to 6.3.
BZ#782457
Previously, QEMU only offered the ability to perform a live snapshot of one disk at a time, but with no rollback functionality if the snapshot process failed. With this update, libvirt has been enhanced to take advantage of QEMU improvements that guarantee that either all disks have a successful snapshot, or that the failure is detected before any change which cannot be rolled back is made. This is easier for management applications performing a live disk snapshot of a guest with multiple disks.
BZ#697808
Parsing an XML file containing an incorrect root element caused an incorrect and confusing error to be displayed. The error message has been modified to display proper and detailed information about the problem when the user provides an incorrect XML file.
BZ#815206
If the umask used when starting init services was set to mask the executable or the search bit for other users, KVM virtual machines that were explicitly configured to use the "hugepages" mechanism could fail to start because the QEMU user was unable to access the directory that libvirt had created for QEMU in the hugetlbfs file system. This was because while the directory itself was owned by QEMU, its parent directory was not searchable by QEMU. To prevent this problem, when creating the parent directory, libvirt now makes sure that the parent directory is searchable by anyone regardless of umask settings.
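The failure described in BZ#815206 can be reproduced and diagnosed with the following added example, which is not part of libvirt or of the original notes. The directory names, the `blocking_ancestors` helper and the assumption that the QEMU user falls into the "other" permission class of the parent directories are all illustrative.

```python
import os
import stat
import tempfile


def blocking_ancestors(root, leaf):
    """List the directories from `root` down to the parent of `leaf` that
    lack the search (execute) bit for "other" users.

    Assumption: the account that must reach `leaf` is neither the owner nor
    in the group of these directories, so only the o+x bit matters.
    """
    root = os.path.realpath(root)
    parent = os.path.dirname(os.path.realpath(leaf))
    if os.path.commonpath([root, parent]) != root:
        raise ValueError("leaf must be located below root")
    chain = [root]
    rel = os.path.relpath(parent, root)
    if rel != os.curdir:
        for part in rel.split(os.sep):
            chain.append(os.path.join(chain[-1], part))
    return [d for d in chain if not os.stat(d).st_mode & stat.S_IXOTH]


def demo(umask_value, apply_fix):
    """Build <tmp>/hugepages/libvirt/qemu under `umask_value` and report
    which ancestors block traversal. Names are constructed for the example."""
    with tempfile.TemporaryDirectory() as base:
        top = os.path.join(base, "hugepages")
        parent = os.path.join(top, "libvirt")
        leaf = os.path.join(parent, "qemu")
        old = os.umask(umask_value)
        try:
            # Requested mode 0o777 is filtered by the umask of the caller,
            # which is how a restrictive init umask leaks into the result.
            os.makedirs(leaf)
        finally:
            os.umask(old)
        os.chmod(leaf, 0o700)  # leaf stays private to its owner
        if apply_fix:
            # chmod is not filtered by umask, so the search bits are set
            # regardless of the environment the service was started in.
            for d in (top, parent):
                mode = stat.S_IMODE(os.stat(d).st_mode)
                os.chmod(d, mode | 0o111)
        real_base = os.path.realpath(base)
        return [os.path.relpath(p, real_base)
                for p in blocking_ancestors(top, leaf)]


if __name__ == "__main__":
    print("umask 027, no fix:", demo(0o027, False))
    print("umask 027, fixed :", demo(0o027, True))
    print("umask 022, no fix:", demo(0o022, False))
```

The check inspects mode bits only, so it gives the same answer when run as root, where an actual access attempt would succeed and hide the problem.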
BZ#796526
Previously, libvirt returned guest memory values in kibibytes (multiples of 1024), but with no indication of the scale. Furthermore, the libvirt documentation referred to kilobytes (multiples of 1000). Also, QEMU used mebibytes (multiples of 1024*1024) and these differences in scale could result in users making mistakes, such as giving a guest 1000 times less memory than planned, with a failure mode that was not easy to diagnose. Now the output is clear on the unit used, and the input allows users to use other units that can be more convenient.
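The unit confusion described in BZ#796526 can be caught before a guest is defined. The following added example, which is not part of libvirt or of the original notes, normalizes the memory elements of a domain XML to kibibytes using the unit suffixes documented for libvirt's `unit` attribute, and flags values below a floor. The sample XML is constructed, and the `memory_report` helper and the 64 MiB floor are hypothetical choices for this example.

```python
import xml.etree.ElementTree as ET

# Suffixes accepted by the "unit" attribute, matched case-insensitively:
# two-letter "xB" forms are powers of 1000, bare letters and "xiB" forms
# are powers of 1024.
_SCALE = {
    "b": 1, "bytes": 1,
    "kb": 1000, "k": 1024, "kib": 1024,
    "mb": 1000 ** 2, "m": 1024 ** 2, "mib": 1024 ** 2,
    "gb": 1000 ** 3, "g": 1024 ** 3, "gib": 1024 ** 3,
    "tb": 1000 ** 4, "t": 1024 ** 4, "tib": 1024 ** 4,
}


def to_kib(value, unit="KiB"):
    """Convert `value` in `unit` to KiB, rounding up to a whole kibibyte.
    A missing unit means KiB, which is the default scale."""
    try:
        factor = _SCALE[unit.lower()]
    except KeyError:
        raise ValueError("unknown memory unit: %r" % unit)
    number = int(value)
    if number < 0:
        raise ValueError("memory size cannot be negative")
    return -(-number * factor // 1024)  # ceiling division


def memory_report(domain_xml, floor_kib=64 * 1024):
    """Return {tag: {"kib": n, "suspicious": bool}} for the memory elements.

    `floor_kib` is a hypothetical sanity threshold: a guest below it was
    probably sized in MiB by someone who forgot that the default is KiB.
    """
    root = ET.fromstring(domain_xml)
    report = {}
    for tag in ("memory", "currentMemory"):
        element = root.find(tag)
        if element is None or element.text is None:
            continue
        kib = to_kib(element.text.strip(), element.get("unit", "KiB"))
        report[tag] = {"kib": kib, "suspicious": kib < floor_kib}
    return report


# Constructed sample: explicit unit on one element, default unit on the other.
SAMPLE_OK = """
<domain type='kvm'>
  <name>demo</name>
  <memory unit='GiB'>2</memory>
  <currentMemory>1048576</currentMemory>
</domain>
"""

# Constructed sample of the mistake: "2048" was meant as MiB but has no unit.
SAMPLE_MISTAKE = """
<domain type='kvm'>
  <name>demo</name>
  <memory>2048</memory>
</domain>
"""

if __name__ == "__main__":
    print(memory_report(SAMPLE_OK))
    print(memory_report(SAMPLE_MISTAKE))
```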
BZ#619846
Previously, the qemu monitor command "query-migrate" did not return any error message when a problem occurred. Consequently, libvirt produced the "Migration unexpectedly failed" error message, which did not provide the proper information about the problem. The "fd:" protocol is now used to retrieve and produce the exact error message when a problem occurs.
BZ#624447
In some configurations, log messages similar to the following could be reported to libvirt or Red Hat Enterprise Virtualization users:
warning : virDomainDiskDefForeachPath:7654 : Ignoring open failure on xxx.xxx
These messages were harmless and could be safely ignored. With this update, the messages are no longer reported unless a problem occurs.
BZ#638633
Previously, libvirt and virsh ignored any script file given in the specification for a network interface of a type that did not actually use script files. To avoid confusion, this is now explicitly prohibited, an error is logged, and attempting to specify a script file for an interface type that does not support script files fails.
BZ#726771
This update provides improvements in reporting errors in XML file parsing, which makes identifying errors easier.
BZ#746111
The libvirt package was missing a dependency on the avahi-libs package. The dependency is required due to libvirt linking in libavahi-client for mDNS support. As a consequence, the libvirtd daemon failed to start if the libvirt package was installed on the system without the avahi-libs package. With this update, the dependency on avahi-libs is now defined in the libvirt.spec file, and avahi-libs is installed along with libvirt.
BZ#802856
In previous versions of Red Hat Enterprise Linux, a "hostdev" device could be hot plugged to a guest, but making that device persistent across restarts of the guest required separately editing the guest configuration. This update adds support for persistent hot plug of "hostdev" devices, both to the libvirt API and to the virsh utility.
BZ#806633
Previously, attempting to migrate a server from a bridge network to direct network could fail when using libvirt with a virtio network interface. With this update, if a virtual guest created using the tools in Red Hat Enterprise Linux 6.2 or earlier is started on a host running Red Hat Enterprise Linux 6.3 with the vhost-net driver module loaded, and if that guest has a virtio network interface that uses macvtap, the "merge receive buffers" feature of the virtio driver is disabled. Compatibility with Red Hat Enterprise Linux 6.2 hosts is preserved and migration no longer fails under these circumstances.

Enhancements

BZ#761005
With this update, libvirt now supports the latest Intel processors and the new features these processors include.
BZ#767364
With this update, libvirt now supports family 15h microarchitecture AMD processors.
BZ#643373
Now, libvirt is capable of controlling the state (up or down) of a link of the guest virtual network interfaces. This allows users to perform testing and simulation as though plugging and unplugging the network cable from the interface. This feature also lets users isolate guests in case any issues arise.
BZ#691539
This update adds the ability to assign an SR-IOV (Single Root I/O Virtualization) network device Virtual Functions (VF) to a guest using the "interface" element rather than the "hostdev" element. This gives the user the opportunity to specify a known or fixed MAC address (<mac address='xx:xx:xx:xx:xx:xx'/>).
BZ#638506
Previously, the only way to perform storage migration was to stop a guest, edit the XML configuration file, and restart the guest. This led to a downtime that could have lasted several minutes. With this update, it is now possible to perform live storage migration with minimal guest downtime. This is ensured by new libvirt API flags to the virDomainStorageRebase() function, which map to new QEMU features.
BZ#693842
Previously, libvirt was able to notify a switch capable of the 802.1Qbg standard about changes in the guest network interface configuration, but there was no way for the switch to notify libvirt. This update provides extended support for libvirt synchronization with the lldpad daemon. As a result, if there are changes in the network infrastructure that require libvirt to re-associate the guest's interface, libvirt is informed and can take the proper action.
BZ#782034
With this update, libvirt supports a new model for the Small Computer System Interface (SCSI) controller, virtio-scsi.
BZ#713170
With this update, "fabric_name" of the "fc_host" class is exposed, so that users can see which fabric the virtual host bus adapter (vHBA) is connected to.
BZ#715019
This update introduces a new API, which allows the management system to query the disk latency using libvirt.
BZ#725013
It is sometimes required not only to delete a domain's storage but also to overwrite the data to make sure sensitive data are no longer readable. This update introduces a new API that allows users to erase the storage and use various wiping patterns.
BZ#769930
With this update, libvirt supports dynamic NUMA tuning, so that significant processes can be pre-bound to nodes with sufficient available resources.
BZ#740375
Previously, when doing disk snapshots, the guest had to be paused in order to avoid writing of data. Otherwise, the data could be corrupted. A new utility, guest-agent, has been introduced, which allows disks or file systems to be frozen from inside the guest. It is no longer necessary to pause the guest. However, disk write operations are delayed until the snapshot is completed.
BZ#768450
Previously, no mappings were specified for the "cpu64-rhel*" CPU models found in QEMU and therefore they could not be used. These mappings have been added with this update.
BZ#754073
Previously, it was not possible to see the memory used by the qemu-kvm process using only the virsh utility. The API call that reports the domain memory statistics has been modified to show this value. The value is now displayed when running the "virsh dommemstat" command.
BZ#533138
This update adds support for hot plugging and unplugging processors. It is now possible to add CPUs to guests and remove them as needed, without shutting down the guest.
BZ#713932
This update introduces a new virsh command, "change-media", which makes it easier to frequently insert and eject media from CD-ROM or floppy devices.
BZ#720691
The libvirt-guests init script attempted to make calls to the libvirtd daemon even if the daemon was inaccessible. As a consequence, the init script printed superfluous error messages that could be confusing. With this update, the script checks for a working connection, and skips calls on that connection if it is not working.
BZ#714759
This update introduces a new virsh command, "domiflist", to display detailed information about network interfaces, and two new fields for the "domblklist" command.
BZ#781562
Along with the "rombar" option that controls whether or not a boot ROM is made visible to the guest, QEMU also has the "romfile" option that allows specifying a binary file to present as the ROM BIOS of any emulated or pass-through PCI device. This update adds support for specifying "romfile" to both pass-through PCI devices, and emulated network devices that attach to the guest's PCI bus.
BZ#681033
Previously, libvirt did not provide means to add and display host metadata while listing guests. It was therefore impossible to store additional information about guests. A new element has been added to the libvirt XML configuration file, which allows users to store a description along with the API that allows modifications of guest metadata. The "virsh list" command has been updated to allow printing of the short description. As a result, identification of guests is now easier.
BZ#605953
This update adds a new virsh command, "iface-virsh", that allows users to "bridge" one of the host's Ethernet devices so that virtual guests can be connected directly to the physical network, rather than through a libvirt virtual network. The "iface-unbridge" command can be used to revert the interface to its previous state.
All users of libvirt are advised to upgrade to these updated packages, which fix these issues and add these enhancements.

5.115. libvirt-cim

An updated libvirt-cim package that fixes various bugs and adds multiple enhancements is now available for Red Hat Enterprise Linux 6.
The libvirt-cim package contains a Common Information Model (CIM) provider based on Common Manageability Programming Interface (CMPI). It supports most libvirt virtualization features and allows management of multiple libvirt-based platforms.
The libvirt-cim package has been upgraded to upstream version 0.6.1, which provides a number of bug fixes and enhancements over the previous version. (BZ#739154)

Bug Fix

BZ#799037
Previously, the libvirt-cim package required as its dependency the tog-pegasus package, which contains the OpenPegasus Web-Based Enterprise Management (WBEM) services. This is, however, incorrect as libvirt-cim should not require specifically tog-pegasus but any CIM server. With this update, libvirt-cim has been changed to require cim-server instead. The spec files of libvirt-cim and sblim-sfcb have been modified appropriately and libvirt-cim now uses either of the packages as its dependency.

Enhancements

BZ#633338
Extension for Quality-of-Service (QoS) networking has been added.
BZ#739153
Support for domain events has been added.
BZ#739156
Extensions for networking of Central Processing Unit (CPU) shares have been added.
All libvirt-cim users are advised to upgrade to this updated package, which fixes these bugs and adds these enhancements.

5.116. libvirt-qmf

Updated libvirt-qmf packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The libvirt-qmf packages provide an interface with libvirt using Qpid Management Framework (QMF), which utilizes the Advanced Message Queuing Protocol (AMQP). AMQP is an open standard application layer protocol providing reliable transport of messages.

Bug Fix

BZ#830087
The libvirt-qmf packages included in Red Hat Enterprise Linux 6.2 were of version 0.3.0-7, whereas the packages in Red Hat Enterprise Linux 6.3 were of version 0.3.0-6. To prevent possible problems with upgrading, Red Hat Enterprise Linux 6.3 now uses libvirt-qmf version 0.3.0-8.
All users of libvirt-qmf are advised to upgrade to these updated packages, which fix this bug.
Updated libvirt-qmf packages that fix one bug are now available for Red Hat Enterprise Linux 6.

Bug Fix

BZ#806950
Prior to this update, Qpid APIs used the libpidclient and libpidcommon libraries, which were not application binary interface (ABI) stable. This update removes these dependencies so that Qpid rebuilds do not affect the libvirt-qmf packages.
All users of libvirt-qmf are advised to upgrade to these updated packages, which fix this bug.

5.117. libxklavier

Updated libxklavier packages that fix three bugs are now available for Red Hat Enterprise Linux 6.
The libxklavier library provides a high-level API for the X Keyboard Extension (XKB) that allows extended keyboard control. This library supports X.Org and other commercial implementations of the X Window system. The library is useful for creating XKB-related software, such as layout indicators.

Bug Fixes

BZ#657726, BZ#766645
Prior to this update, an attempt to log into the server using an NX or VNC client triggered an XInput error that was handled incorrectly by the libxklavier library due to the way the NoMachine NX Free Edition server implements XInput support. As a consequence, the gnome-settings-daemon aborted unexpectedly. This update modifies the XInput error handling routine in the libxklavier library. Now, the library ignores this error and the gnome-settings-daemon runs as expected.
BZ#726885
Prior to this update, the keyboard layout indicator did not show if the layout was changed for the first time. As a consequence, users could, under certain circumstances, not log in. This update modifies the gnome-settings-daemon so that the indicator now shows the correct layout.
All users of libxklavier are advised to upgrade to these updated packages, which fix these bugs.

5.118. lldpad

Updated lldpad packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The lldpad packages provide the Linux user space daemon and configuration tool for Intel's Link Layer Discovery Protocol (LLDP) agent with Enhanced Ethernet support.

Bug Fix

BZ#828684
Previously, dcbtool commands could, under certain circumstances, fail to enable the Fibre Channel over Ethernet (FCoE) application type-length-values (TLV) for a selected interface during the installation process. Consequently, various important features (for example, priority flow control, or PFC) might not have been enabled by the Data Center Bridging eXchange (DCBX) peer. To prevent such problems, application-specific parameters (such as the FCoE application TLV) in DCBX are now enabled by default.
All users of lldpad are advised to upgrade to these updated packages, which fix this bug.
Updated lldpad packages that fix various bugs and provide an enhancement are now available for Red Hat Enterprise Linux 6.
The lldpad package provides the Link Layer Discovery Protocol (LLDP) Linux user space daemon and associated configuration tools. It supports Intel's Link Layer Discovery Protocol (LLDP) and provides Enhanced Ethernet support.

Bug Fixes

BZ#768555
The lldpad tool is initially invoked by initrd during the boot process to support Fibre Channel over Ethernet (FCoE) boot from a Storage Area Network (SAN). The runtime lldpad initscript did not kill lldpad before restarting it after system boot. Consequently, lldpad could not be started normally after system boot. In this update, lldpad init now contains the "-k" option to terminate the first instance of lldpad that was started during system boot.
BZ#803482
When the Data Center Bridging Exchange (DCBX) IEEE mode fails, it falls back to Converged Enhanced Ethernet (CEE) mode and Data Center Bridging (DCB) is enabled as part of the ifup routine. Normally, this does not occur unless either a CEE-DCBX Type-Length-Value (TLV) is received or the user explicitly enables this mode. However, in kernels released earlier than 2.6.38, DCBX IEEE mode is not supported and IEEE falls back to CEE mode immediately. Consequently, DCB was enabled in CEE mode on some kernels when IEEE mode failed, even though a peer TLV had not yet been received and the user did not manually enable it. This update fixes the logic by only enabling and advertising DCBX TLVs when a peer TLV is received. As a result, lldpad DCBX works as expected; IEEE mode is the default and CEE mode is used only if a peer CEE-DCBX TLV is received or the user enables it through the command line.
BZ#811422
A user may use dcbtool commands to clear the advertise bits on CEE-DCBX feature attributes (such as PFC, PG, APP). However, the user settings were lost during ifdown and ifup sequences and the default values were restored. This update fixes the problem so that the values are only set to defaults if the user has not explicitly enabled them.

Enhancement

BZ#812202
When a switch disassociated a connection for a virtual machine (VM) running on a host and the VM was configured to use 802.1Qbg, then libvirt was not informed and the VM connectivity was lost. Libvirt has support for restarting a VM, but it relies on the LLDP Agent Daemon to forward the Virtual Switch Interface (VSI) information. This update enables forwarding of the switch-originated VSI message to libvirt.
All users of lldpad are advised to upgrade to this updated package, which fixes these bugs and adds this enhancement.

5.119. logrotate

An updated logrotate package that fixes various bugs and adds one enhancement is now available for Red Hat Enterprise Linux 6.
The logrotate utility simplifies the administration of multiple log files, allowing the automatic rotation, compression, removal, and mailing of log files.

Bug Fixes

BZ#659705
Prior to this update, the AUTHORS section of the logrotate(8) manual page contained invalid contact information for previous maintainers. This update modifies the manual page and adds this information to ensure that the contact information of the current maintainers is correct.
BZ#659173
Prior to this update, the definition of the "size" parameter in the logrotate(8) manual page was misleading. This update modifies the manual page and this definition is now easier to understand.
BZ#659720
Prior to this update, the logrotate(8) manual page did not list all options that the logrotate utility actually recognizes. This update adds the missing options and the manual page now contains all available options.
BZ#674864
Prior to this update, the logrotate(8) manual page contained several misprints. This update modifies the logrotate(8) manual page and corrects the misprints.
BZ#736053
Prior to this update, logrotate did not check the configuration file for correctly matched brackets. As a consequence, system files could be wrongly removed. This update modifies logrotate so that brackets are detected and checked for correct matching. Now, configuration files without matching brackets are skipped.

Enhancement

BZ#683622
Prior to this update, logrotate removed the Access Control Lists (ACL) flags, which are used to permit selected groups to access all logs, when rotating logs. As a consequence, selected groups could not access all logs. With this update, ACL support has been added to logrotate.
All users of logrotate are advised to upgrade to this updated package, which fixes these bugs and adds this enhancement.

5.120. lohit-kannada-fonts

An updated lohit-kannada-fonts package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The lohit-kannada-fonts package provides a free Kannada TrueType/OpenType font.

Bug Fix

BZ#603415
When using Kannada (kn_IN) locale, multiple strings could appear incomplete due to incorrect rendering of the end characters. As a consequence, users were not able to properly read the menu items on the desktop panel's menu bar. With this update, all characters are rendered correctly and users are now able to read the menu items.
All users of lohit-kannada-fonts are advised to upgrade to this updated package, which fixes this bug.

5.121. lsof

An updated lsof package that fixes two bugs is now available for Red Hat Enterprise Linux 6.
The lsof (LiSt Open Files) package provides a utility to list information about files that are open and running on Linux and UNIX systems.

Bug Fixes

BZ#747375
Previously, only the first "+e" or "-e" option was processed and the rest were ignored. Consequently, it was not possible to exclude more than one file system from being subjected to kernel function calls. This update fixes this issue and lsof now functions as expected with multiple +e or -e options.
BZ#795799
Prior to this update, the lsof utility ignored the "-w" option if both the "-b" and the "-w" options were specified. As a consequence, lsof failed to suppress warning messages. Now, the -w option successfully suppresses warning messages.
All users of lsof are advised to upgrade to this updated package, which fixes these bugs.

5.122. lsvpd

Updated lsvpd packages that fix four bugs are now available for Red Hat Enterprise Linux 6.
The lsvpd package provides the lsvpd command to list device Vital Product Data (VPD), the lscfg command to display configuration, diagnostic, and vital product data (VPD) information, and the lsmcode command to display the microcode and firmware levels.

Bug Fixes

BZ#684646
Prior to this update, the vpdupdate tool tried to collect additional information about the SCSI devices. As a consequence, vpdupdate sent irrelevant messages to the syslog file. This update modifies the sysfs layout in lsvpd. Now, no more unwanted messages are sent to the syslog file.
BZ#688574
Prior to this update, the lsvpd man page did not correctly describe the "-p" option. With this update, the man page correctly states that the "-p" option prints the designed output.
BZ#714086
Prior to this update, the lscfg(8), lsmcode(8), lsmsr(8), lsvio(8), and vpdupdate(8) man pages did not document several lsvpd options. This update adds all missing options to the man pages.
BZ#741899
Prior to this update, the lsmcode tool did not contain the build requirement "librtas-devel". As a consequence, the firmware version was not displayed. This update adds the missing build requirement to the spec file.
All users of lsvpd are advised to upgrade to this updated package, which adds this enhancement.

5.123. ltrace

Updated ltrace packages that fix multiple bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
The ltrace utility is a debugging program that runs a specified command until the command exits. While the command is executing, ltrace intercepts and records both the dynamic library calls called by the executed process and the signals received by the executed process. The ltrace utility can also intercept and print system calls executed by the process.

Bug Fixes

BZ#742340
Prior to this update, a traced process that had more than one thread could be aborted if the threads ran into breakpoints which the ltrace utility did not handle. With this update, ltrace attaches to the newly created threads, and carefully handles the breakpoints so that tracing events are not missed. This update also improves the detach logic so that a running process to which ltrace has been attached is left in a consistent state before detaching.
BZ#811184
Prior to this update, the ltrace utility could, under certain circumstances, fail to trace returns from functions which were called with a tail call optimization. This update adds support for tracing returns from functions called with a tail call optimization.

Enhancement

BZ#738254
Prior to this update, ltrace could not trace library functions loaded via libdl. This update changes the behavior of the "-x" option for placing static breakpoints so that dynamic libraries are also considered and breakpoints set in them. This works for dynamic libraries that are linked to the binary as well as those that are opened with the function "dlopen" in runtime.
All users of ltrace are advised to upgrade to this updated package, which fixes these bugs and adds this enhancement.

5.124. luci

Updated luci packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The luci packages contain a web-based high-availability cluster configuration application.
Bug Fixes
BZ#796731
A cluster configuration can define global resources (declared outside of cluster service groups) and in-line resources (declared inside a service group). The names of resources must be unique regardless of whether the resource is a global or an in-line resource. Previously, luci allowed a global resource to be given a name that was already used by a resource declared in-line, and allowed a resource within a service group to be given a name that was already used by a global resource. As a result, luci could terminate unexpectedly with error 500 or the cluster configuration could be modified improperly. With this update, luci fails gracefully under these circumstances and reports the problems, and the cluster configuration remains unmodified.
BZ#749668
If a cluster configuration was not valid, luci terminated unexpectedly without any report about the cluster configuration problem. It was therefore impossible to use luci for administration of clusters with invalid configurations. With this update, luci detects invalid configurations and returns warnings with information about possible mistakes along with proposed fixes.
BZ#690621
The user could not debug problems on-the-fly if debugging was not enabled prior to starting luci. This update adds new controls to allow the user to change the log level of messages generated by luci according to the message type while luci is running.
BZ#801491
When the user created a cluster resource with a name that contained a period symbol (.), luci failed to redirect the browser to the resource that was just created. As a result, error 500 was displayed, even though the resource was created correctly. This update corrects the code that handles redirection of the browser after creating such a resource and luci redirects the browser to a screen that displays the resource as expected.
BZ#744048
Previously, luci did not require any confirmation on removal of cluster services. Consequently, the user could remove the services by accident or without properly considering the consequences. With this update, luci displays a confirmation dialog when the user requests removal of cluster services, which informs the user about the consequences, and forces them to confirm their action.
BZ#733753
Since Red Hat Enterprise Linux 6.3, authenticated sessions automatically expired after 15 minutes of inactivity. With this update, the user can now change the time-out period in the who.auth_tkt_timeout parameter in the /etc/sysconfig/luci file.
BZ#768406
Previously, the default value of the monitor_link attribute of the IP resource agent was displayed incorrectly: when not specified explicitly, its value was displayed as enabled while it was actually disabled, and vice versa. When the user made changes to the monitor_link value using luci, an incorrect value was stored. With this update, the monitor_link value is displayed properly, and the user can now view and modify the value as expected.
BZ#755092
The force_unmount option was not shown for file-system resources and the user could not change the configuration to enable or disable this option. A checkbox that displays its current state was added and the user can now view and change the force_unmount attribute of file-system resources.
BZ#800239
A new attribute, tunneled, was added to the VM (Virtual Machine) resource agent script. This update adds a checkbox displaying the current value of the tunneled attribute to the VM configuration screen so that the user can enable or disable the attribute.
BZ#772314
Previously, an ACL (Access Control List) system was added to allow delegation of permissions to other luci users. However, permissions could not be set for users until they had logged in at least once. With this update, ACLs can be added and changed before the user logs in to luci for the first time.
BZ#820402
Due to a regression, the Intel Modular and IF MIB fencing agents were removed from the list of devices for which users could configure new instances. Consequently, users could not create a new instance of these fencing devices. The Intel Modular and IF MIB fencing device entries have been added back to the list of fence devices and users are again able to create new instances of Intel Modular and IF MIB fencing devices.
Enhancements
BZ#704978
In the Create and edit service groups form, the relationships between groups could not always be easily discerned. Solid borders were added along the side of resources within the forms to make the relationships between resources clearer. Also, when adding a resource to a service group, the screen is scrolled to the resource that was added.
BZ#740835
While creating and editing fail-over domains, the user could select and unselect checkboxes and enter values into text fields whose values were ignored. Such checkboxes and text fields are now disabled and become enabled only when their values are used.
BZ#758821
To provide an interface for working with the RRP (Redundant Ring Protocol) configuration in luci, Technology Preview support was added for RRP in the corosync cluster engine that the Red Hat HA stack is built upon. The Redundant Ring configuration tab is now available in the Configure tab of clusters to allow RRP configuration from luci.
BZ#786584
A new resource agent was added to provide high-availability of condor-related system daemons. This update adds support for viewing, creating, and editing the configuration of Condor resources to allow the user to configure the Condor resource agent.
BZ#707471
The reboot icon was similar to the refresh icon and the user could have mistakenly rebooted a cluster node instead of refreshing the status information. With this update, the reboot icon has been changed. Also, a dialog box is now displayed before reboot so the user must confirm their reboot request.
Users of luci are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

5.125. lvm2

Updated lvm2 packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The lvm2 packages contain support for Logical Volume Management (LVM).
Bug Fixes
BZ#683270
When mirrors were up-converted, it was impossible to add another image (copy) to a mirrored logical volume whose activation was regulated by tags present in the volume_list parameter of lvm.conf. The code has been improved to temporarily copy the mirror's tags to the incoming image so that it can be properly activated. As a result, high-availability (HA) LVM service relocation now works as expected.
BZ#700128
Previously, the lvremove command could fail with the error message Can't remove open logical volume despite the volume itself not being in use anymore. In most cases, such a situation was caused by the udev daemon that still processed events that preceded the removal and it kept the device open while lvremove tried to remove it at the same time. This update adds a retry loop to help to avoid this problem. The removal is tried several times before the command fails completely.
BZ#733522
Previously, if a snapshot with a virtual origin was created in a clustered Volume Group (VG), it incorrectly tried to activate on other nodes as well and the command failed with Error locking on node error messages. This has been fixed and a snapshot with virtual origin, using --virtualsize, is now properly activated exclusively (on the local node only).
BZ#738484
Previously, if clvmd received an invalid request through its socket (for example an incomplete header was sent), the clvmd process could terminate unexpectedly or stay in an infinite loop. Additional checks have been added so that such invalid packets now cause a proper error reply to the client and clvmd no longer crashes in the scenario described.
BZ#739190
The device-mapper daemon (dmeventd) is used, for example, for monitoring LVM based mirrors and snapshots. When attempting to create a snapshot using lvm2, the lvcreate -s command resulted in a dlopen error if dmeventd was upgraded after the last system restart. With this update, dmeventd is now restarted during a package update to fetch new versions of installed libraries to avoid any code divergence that could end up with a symbol lookup failure.
BZ#740290
Restarting clvmd with option -S should preserve exclusive locks on a restarted cluster node. However, the option -E, which should pass such exclusive locks, had errors in its implementation. Consequently, exclusive locks were not preserved in a cluster after restart. This update implements proper support for option -E. As a result, after restarting clvmd the locks will preserve a cluster's exclusive state.
BZ#742607
If a device-mapper device was left open by a process, it could not be removed with the dmsetup [--force] remove device_name command. The --force option failed, reporting that the device was busy. Consequently, the underlying block device could not be detached from the system. With this update, dmsetup has a new command wipe_table to wipe the table of the device. Any subsequent I/O sent to the device returns errors and any devices used by the table, that is to say devices to which the I/O is forwarded, are closed. As a result, if a long-running process keeps a device open after it has finished using it, the underlying devices can be released before that process exits.
BZ#760946
Using a prefix or command names on LVM command output (the log/prefix and log/command_names directive in lvm.conf) caused the lvm2-monitor init script to fail to start monitoring for relevant VGs. The init script acquires the list of VGs first by calling the vgs command and then it uses its output for further processing. However, if the prefix or command name directive is used on output, the VG name was not correctly formatted. To solve this, the lvm2-monitor init script now overrides the log/prefix and log/command_names setting so the command's output is always suitable for use in the init script.
BZ#761267
Prior to this update, the lvconvert --merge command did not check if the snapshot in question was invalid before proceeding. Consequently, the operation failed part-way through, leaving an invalid snapshot. This update disallows an invalid snapshot to be merged. In addition, it allows the removal of an invalid snapshot that was to be merged on next activation, or that was invalidated while merging (the user will be prompted for confirmation).
BZ#796602
If a Volume Group name is supplied together with the Logical Volume name, lvconvert --splitmirrors fails to strip it off. This leads to an attempt to use a Logical Volume name that is invalid. This release detects and validates any supplied Volume Group name correctly.
BZ#799071
Previously, if pvmove was used on a clustered VG, temporarily activated pvmove devices were improperly activated cluster-wide (that is to say, on all nodes). Consequently, in some situations, such as when using tags or HA-LVM configuration, pvmove failed. This update fixes the problem: pvmove now activates all such devices exclusively if the Logical Volumes to be moved are already exclusively activated.
BZ#807441
Previously, when the vgreduce command was executed with a non-existent VG, it unnecessarily tried to unlock the VG at command exit. However, the VG was not locked at that time as it was unlocked as part of the error handling process. Consequently, the vgreduce command failed with the internal error Attempt to unlock unlocked VG when it was executed with a non-existent VG. This update improves the code to provide a proper check so that only locked VGs are unlocked at vgreduce command exit.
BZ#816711
Previously, requests for information regarding the health of the log device were processed locally. Consequently, in the event of a device failure that affected the log of a cluster mirror, it was possible for a failure to be ignored and this could cause I/O to the mirror LV to become unresponsive. With this update, the information is requested from the cluster so that log device failures are detected and processed as expected.
Enhancements
BZ#464877
Most LVM commands require an accurate view of the LVM metadata stored on the disk devices on the system. With the current LVM design, if this information is not available, LVM must scan all the physical disk devices in the system. This requires a significant amount of I/O operations in systems that have a large number of disks. The purpose of the LV Metadata daemon (lvmetad) is to eliminate the need for this scanning by dynamically aggregating metadata information each time the status of a device changes. These events are signaled to lvmetad by udev rules. If lvmetad is not running, LVM performs a scan as it normally would. This feature is provided as a Technology Preview and is disabled by default in Red Hat Enterprise Linux 6.3. To enable it, refer to the use_lvmetad parameter in the /etc/lvm/lvm.conf file, and enable the lvmetad daemon by configuring the lvm2-lvmetad init script.
BZ#593119
The expanded RAID support in LVM is now fully supported in Red Hat Enterprise Linux 6.3, with the exception of RAID logical volumes in HA-LVM. LVM now has the capability to create RAID 4/5/6 Logical Volumes and supports a new implementation of mirroring. The MD (software RAID) modules provide the back-end support for these new features.
BZ#637693
When a new LV is defined, anyone who has access to the LV can read any data already present on the LUNs in the extents allocated to the new LV. Users can create thin volumes by using the "lvcreate -T" command to meet the requirement that zeros are returned when attempting to read a block not previously written to. The default behavior of thin volumes is the provisioning of zero data blocks. The size of provisioned blocks is in the range of 64KB to 1GB. The bigger the blocks the longer it takes for the initial provisioning. After first write, the performance should be close to a native linear volume. However, for a clustering environment there is a difference as thin volumes may be only exclusively activated.
BZ#658639
This update greatly reduces the time spent on creating identical data structures, which allows even a very large number of devices (in the thousands) to be activated and deactivated in a matter of seconds. In addition, the number of system calls from device scanning has been reduced, which also gives a 10%-30% speed improvement.
BZ#672314
Some LVM segment types, such as mirror, have single machine and cluster-aware variants. Others, such as snapshot and the RAID types, have only single machine variants. When switching the cluster attribute of a Volume Group (VG), the aforementioned segment types must be inactive. This allows for re-loading of the appropriate single machine or cluster variant, or for the necessity of the activation to be exclusive in nature. This update disallows changing cluster attributes of a VG while RAID LVs are active.
BZ#731785
The dmsetup command now supports displaying block device names for any devices listed in the deps, ls and info command output. For the dmsetup deps and ls command, it is possible to switch among devno (major and minor number, the default and the original behavior), devname (mapping name for a device-mapper device, block device name otherwise) and blkdevname (always display a block device name). For the dmsetup info command, it is possible to use the new blkdevname and blkdevs_used fields.
BZ#736486
Device-mapper allows any character except / to be used in a device-mapper name. However, this is in conflict with udev as its character whitelist is restricted to 0-9, A-Z, a-z and #+-.:=@_. Using any black-listed character in the device-mapper name ends up with incorrect /dev entries being created by udev. To solve this problem, the libdevmapper library together with the dmsetup command now supports encoding of udev-blacklisted characters by using the \xNN format where NN is the hex value of the character. This format is supported by udev. There are three mangling modes in which libdevmapper can operate: none (no mangling), hex (always mangle any blacklisted character) and auto (use detection and mangle only if not mangled yet). The default mode used is auto and any libdevmapper user is affected unless this setting is changed by the respective libdevmapper call. To support this feature, the dmsetup command has a new --manglename <mangling_mode> option to define the name mangling mode used while processing device-mapper names. The dmsetup info -c -o command has new fields to display: mangled_name and unmangled_name. There is also a new dmsetup mangle command that renames any existing device-mapper names to their correct form automatically. It is strongly advised to issue this command after an update to correct any existing device-mapper names.
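The three mangling modes described under BZ#736486, worked through in Python as an added example (this is not libdevmapper or dmsetup code). The whitelist, the \xNN format and the mode names come from the note above; the detection rule used for auto mode, and the refusal of names that mix \xNN sequences with raw blacklisted characters, are assumptions of this example.

```python
import re
import string

# Whitelist quoted in the note above: 0-9, A-Z, a-z and #+-.:=@_
UDEV_WHITELIST = frozenset(string.ascii_letters + string.digits + "#+-.:=@_")
MANGLED_SEQ = re.compile(rb"\\x([0-9a-fA-F]{2})")

# Constructed sample names, not taken from the page.
SAMPLE_NAMES = ["vg0-root", "my disk", "backup(2012)", "my\\x20disk"]


def hex_mangle(name):
    """'hex' mode: encode every byte outside the whitelist as \\xNN."""
    return "".join(
        chr(b) if chr(b) in UDEV_WHITELIST else "\\x%02x" % b
        for b in name.encode("utf-8")
    )


def unmangle(name):
    """Decode \\xNN sequences back to the bytes they stand for (single pass)."""
    raw = MANGLED_SEQ.sub(
        lambda m: bytes([int(m.group(1), 16)]), name.encode("utf-8")
    )
    return raw.decode("utf-8", errors="replace")


def classify(name):
    """Return (has_mangled_sequences, has_blacklisted_characters)."""
    raw = name.encode("utf-8")
    has_mangled = MANGLED_SEQ.search(raw) is not None
    rest = MANGLED_SEQ.sub(b"", raw)  # what is left once \xNN runs are removed
    has_blacklisted = any(chr(b) not in UDEV_WHITELIST for b in rest)
    return has_mangled, has_blacklisted


def mangle(name, mode="auto"):
    """Apply one of the modes named in the note: none, hex or auto."""
    if mode == "none":
        return name
    if mode == "hex":
        # Unconditional: a backslash is itself blacklisted, so an already
        # mangled name gets encoded a second time.
        return hex_mangle(name)
    if mode != "auto":
        raise ValueError("unknown mangling mode: %r" % mode)
    has_mangled, has_blacklisted = classify(name)
    if has_mangled and has_blacklisted:
        # Assumption of this example: refuse an ambiguous name instead of guessing.
        raise ValueError("name mixes mangled and unmangled characters: %r" % name)
    return name if has_mangled else hex_mangle(name)


if __name__ == "__main__":
    for sample in SAMPLE_NAMES:
        print("%-14s auto=%-22s hex=%s" % (sample, mangle(sample), mangle(sample, "hex")))
```

The last sample shows why auto is the default: hex mode turns an already mangled name into a doubly encoded one, while auto leaves it unchanged.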
BZ#743640
It is now possible to extend a mirrored logical volume without inducing a synchronization of the new portion. The --nosync option to lvextend will cause the initial synchronization to be skipped. This can save time and is acceptable if the user does not intend to read what they have not written.
BZ#746792
LVM mirroring has a variety of options for the bitmap write-intent log: core, disk, mirrored. The cluster log daemon (cmirrord) is not multi-threaded and can handle only one request at a time. When a log is stacked on top of a mirror (which itself contains a 'core' log), it creates a situation that cannot be solved without threading. When the top level mirror issues a "resume", the log daemon attempts to read from the log device to retrieve the log state. However, the log is a mirror which, before issuing the read, attempts to determine the "sync" status of the region of the mirror which is to be read. This sync status request cannot be completed by the daemon because it is blocked on a read I/O to the very mirror requesting the sync status. With this update, the mirrored option is not available in the cluster context to prevent this problem from occurring.
BZ#769293
A new LVM configuration file parameter, activation/read_only_volume_list, makes it possible to activate particular volumes always in read-only mode, regardless of the actual permissions on the volumes concerned. This parameter overrides the --permission rw option stored in the metadata.
BZ#771419
In previous versions, when monitoring of multiple snapshots was enabled, dmeventd would log redundant informative messages in the form Another thread is handling an event. Waiting.... This needlessly flooded system log files. This behavior has been fixed in this update.
BZ#773482
A new implementation of LVM copy-on-write (cow) snapshots is available in Red Hat Enterprise Linux 6.3 as a Technology Preview. The main advantage of this implementation, compared to the previous implementation of snapshots, is that it allows many virtual devices to be stored on the same data volume. This implementation also provides support for arbitrary depth of recursive snapshots. This feature is for use on a single-system. It is not available for multi-system access in cluster environments. For more information, refer to the documentation of the -s or --snapshot option in the lvcreate man page.
BZ#773507
Logical Volumes (LVs) can now be thinly provisioned to manage a storage pool of free space to be allocated to an arbitrary number of devices when needed by applications. This allows creation of devices that can be bound to a thinly provisioned pool for late allocation when an application actually writes to the LV. The thinly-provisioned pool can be expanded dynamically if and when needed for cost-effective allocation of storage space. In Red Hat Enterprise Linux 6.3, this feature is introduced as a Technology Preview. For more information, refer to the lvcreate man page. Note that the device-mapper-persistent-data package is required.
BZ#796408
LVM now recognizes EMC PowerPath devices (emcpower) and uses them in preference to the devices out of which they are constructed.
BZ#817130
LVM now has two implementations for creating mirrored logical volumes: the mirror segment type and the raid1 segment type. The raid1 segment type contains design improvements over the mirror segment type that are useful to its operation with snapshots. As a result, users who employ snapshots of mirrored volumes are encouraged to use the raid1 segment type rather than the mirror segment type. Users who continue to use the mirror segment type as the origin LV for snapshots should plan for the possibility of the following disruptions.
When a snapshot is created or resized, it forces I/O through the underlying origin. The operation will not complete until this occurs. If a device failure occurs to a mirrored logical volume (of mirror segment type) that is the origin of the snapshot being created or resized, it will delay I/O until it is reconfigured. The mirror cannot be reconfigured until the snapshot operation completes, but the snapshot operation cannot complete unless the mirror releases the I/O. Again, the problem can manifest itself when the mirror suffers a failure simultaneously with a snapshot creation or resize.
There is no current solution to this problem beyond converting the mirror from the mirror segment type to the raid1 segment type. In order to convert an existing mirror from the mirror segment type to the raid1 segment type, perform the following action:
~]$ lvconvert --type raid1 <VG>/<mirrored LV>
This operation can only be undone using the vgcfgrestore command.
With the current version of LVM2, if the mirror segment type is used to create a new mirror LV, a warning message is issued to the user about possible problems and it suggests using the raid1 segment type instead.
Users of lvm2 should upgrade to these updated packages, which fix these bugs and add these enhancements.

5.126. m2crypto

An updated m2crypto package that fixes various bugs is now available for Red Hat Enterprise Linux 6.
The m2crypto package allows Python programs to call OpenSSL functions.

Bug Fixes

BZ#742914
The M2Crypto.httpslib.HTTPSConnection class always created an IPv4 socket. This made it impossible to connect to IPv6 servers using this class. With this update, the implementation now correctly creates an IPv4 or IPv6 socket, as necessary, thus adding support for IPv6 servers.
BZ#803520
Prior to this update, the AES_crypt() function did not free a temporary buffer. This caused a memory leak when the function was called repeatedly. This problem has been fixed and the AES_crypt() function now frees memory correctly.
BZ#803554
The implementation of HTTPS connections via a proxy did not reflect the changes in Python 2.6. Consequently, every attempt to connect to an HTTPS server using a proxy failed, generating an exception. The M2Crypto implementation has been updated and now works correctly.
All users of m2crypto are advised to upgrade to this updated package, which fixes these bugs.

5.127. make

An updated make package that fixes one bug is now available for Red Hat Enterprise Linux 6.
GNU make is a tool for controlling the generation of executables and other non-source files of a program from the program's source files. Users can build and install packages by using make without any significant knowledge about the details of the build process.

Bug Fix

BZ#699911
Prior to this update, memory corruption could occur in an "eval" expression if one of its sub-expressions was assigned to the same variable. An upstream patch has been applied to address this issue, and memory corruption no longer appears in the described scenario.
All users of make are advised to upgrade to this updated package, which fixes this bug.

5.128. man

An updated man package that fixes two bugs is now available for Red Hat Enterprise Linux 6.
The man package provides the man, apropos, and whatis tools for finding information and documentation about the Linux system.

Bug Fixes

BZ#659646
Previously, the Japanese version of the man(1) manual page contained a duplicate line in the specification of the "-p pager" option. This update removes the duplicate.
BZ#749290
Prior to this update, the makewhatis script, which creates the whatis database of manual pages, ignored symbolic links between pages. With this update, the makewhatis script includes symbolic links in the whatis database.
All users of man are advised to upgrade to this updated package, which fixes these bugs.

5.129. man-pages-fr

An updated man-pages-fr package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The man-pages-fr package contains a collection of manual pages from the man-pages Project, translated into French. It also includes supplemental pages provided by Dr. Patrick Atlas and Dr. Gerard Delafond.

Bug Fix

BZ#613622
Prior to this update, the mansupfr.tar.bz2 tarball, which contains supplemental French manual pages, was not correctly extracted. As a consequence, some manual pages were not installed. With this update, supplemental manual pages are added back when no known file conflicts appear, and the supplemental French manual pages are again available.
All users requiring localized manual pages in French are advised to upgrade to this updated package, which fixes this bug.

5.130. man-pages-overrides

Updated man-pages-overrides packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.
The man-pages-overrides package provides a collection of manual (man) pages to complement other packages or update those contained therein.

Bug Fixes

BZ#528879
Prior to this update, manual pages for the mksquashfs and unsquashfs utilities were missing. This update adds the mksquashfs(1) and unsquashfs(1) manual pages.
BZ#529335
Prior to this update, manual pages for the FUSE utilities fusermount, fuse, and ulockmgr_server were missing. This update adds the fusermount(1), mount.fuse(8), and ulockmgr_server(1) manual pages to the man-pages-overrides packages.
BZ#605521
Prior to this update, a manual page for the urlgrabber utility was missing. This update adds the urlgrabber(1) manual page to the man-pages-overrides packages.
BZ#653908
Prior to this update, the replcon(1) manual page was missing the description of the "-R" and "--regex" options. This update adds this description to the man-pages-overrides packages.
BZ#695363, BZ#801783
Prior to this update, the iptables(8), ip6tables(8) and ebtables(8) manual pages were missing a description of the AUDIT target module. This update adds a description of this module to these manual pages.
BZ#745467
Prior to this update, a manual page for the pkcs_slot utility was missing. This update adds the pkcs_slot(1) manual page to the man-pages-overrides packages.
BZ#747970
Prior to this update, the lsblk(8) manual page was missing the description for the "-D" option. This update adds this description.
BZ#768949
Prior to this update, the manual page for trap in Bash did not mention that signals ignored upon entry cannot be listed later. This update modifies the text to mention that "Signals ignored upon entry to the shell cannot be trapped, reset or listed".
BZ#766341
Prior to this update, the cgcreate(1) manual page contained the invalid "-s" option in the synopsis. This update removes this option.
BZ#769566
Prior to this update, the wbinfo(1) manual page contained an incorrect description of the "--group-info" option. This update modifies this description.
BZ#800256
Prior to this update, the shmat(2) manual page was missing the description for the EIDRM error. With this update, this description is added to the shmat(2) manual page.
BZ#800385
The manual pages expect, logrotate2, logrotate3, logrotate4, logrotate5, logrotate, pcre2, pcre, lsvpd, nfs-utils, and vsftpd have been fixed in their original packages. This update removes these manual pages from the man-pages-overrides packages.
BZ#801742
Prior to this update, the request-key.conf(5) manual page contained a misprint in one sentence. With this update, this misprint is removed.
BZ#801784
Prior to this update, the yum(8) manual page contained a misprint. With this update, this misprint is corrected.
BZ#810910
Prior to this update, the mount(8) man page did not include the default option "relatime". This update includes this option in the list of options.
All users of man-pages-overrides are advised to upgrade to this updated package, which fixes these bugs.

5.131. matahari

Updated matahari packages that fix multiple bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
The matahari packages provide a set of APIs for operating system management that are exposed to remote access over the Qpid Management Framework (QMF).

matahari-* packages deprecated

The Matahari agent framework (matahari-*) packages are deprecated starting with the Red Hat Enterprise Linux 6.3 release. Focus for remote systems management has shifted towards the use of the CIM infrastructure. This infrastructure relies on an already existing standard, which provides a greater degree of interoperability for all users. It is strongly recommended that users discontinue the use of the matahari packages and other packages which depend on the Matahari infrastructure (specifically, libvirt-qmf and fence-virtd-libvirt-qpid). It is recommended that users uninstall Matahari from their systems to remove any possibility of security issues being exposed.
Users who choose to continue to use the Matahari agents should note the following:
  • The matahari packages are not installed by default starting with Red Hat Enterprise Linux 6.3 and are not enabled by default to start on boot when they are installed. Manual action is needed to both install and enable the matahari services.
  • The default configuration for qpid (the transport agent used by Matahari) does not enable access control lists (ACLs) or SSL. Without ACLs/SSL, the Matahari infrastructure is not secure. Configuring Matahari without ACLs/SSL is not recommended and may reduce your system's security.
  • The matahari-services agent is specifically designed to allow remote manipulation of services (start, stop). Granting a user access to Matahari services is equivalent to providing a remote user with root access. Using Matahari agents should be treated as equivalent to providing remote root SSH access to a host.
  • By default in Red Hat Enterprise Linux, the Matahari broker (qpidd running on port 49000) does not require authentication. However, the Matahari broker is not remotely accessible unless the firewall is disabled, or a rule is added to make it accessible. Given the capabilities exposed by Matahari agents, if Matahari is enabled, system administrators should be extremely cautious with the options that affect remote access to Matahari.
Note that Matahari will not be shipped in future releases of Red Hat Enterprise Linux (including Red Hat Enterprise Linux 7), and may be considered for formal removal in a future release of Red Hat Enterprise Linux 6.
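One way to check the firewall condition from the last bullet above, as an added Python example (not part of the Matahari packages or of these notes): it reads iptables-save output and reports whether a new remote TCP connection to port 49000 would be accepted. The sample ruleset is constructed; the first-match model is a simplification that does not follow user-defined chains or negated matches and returns 'review' for them.

```python
import shlex

BROKER_PORT = 49000  # Matahari broker (qpidd) port named in the notes above

# Constructed sample in iptables-save format (not from the page): a host
# firewall that admits only SSH and rejects everything else.
DEFAULT_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
FINAL_REJECT = "-A INPUT -j REJECT --reject-with icmp-host-prohibited"


def with_rule(rule, rules=DEFAULT_RULES):
    """Return the sample ruleset with one rule inserted before the final INPUT REJECT."""
    return rules.replace(FINAL_REJECT, rule + "\n" + FINAL_REJECT)


def port_match(spec, port):
    """True if a port spec such as '22', '1024:' or '5672,49000:49010' covers port."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        lo_n = int(lo) if lo else 0
        hi_n = int(hi) if hi else (65535 if ":" in part else lo_n)
        if lo_n <= port <= hi_n:
            return True
    return False


def options(tokens):
    """Map each option of one rule to its argument ('' when it takes none)."""
    opts, i = {}, 0
    while i < len(tokens):
        if tokens[i].startswith("-"):
            has_arg = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            opts[tokens[i]] = tokens[i + 1] if has_arg else ""
            i += 2 if has_arg else 1
        else:
            i += 1
    return opts


def broker_exposure(ruleset, port=BROKER_PORT):
    """Return (verdict, deciding line) for a NEW remote TCP connection to port.

    verdict: 'exposed', 'restricted' (accepted from listed sources only),
    'blocked', or 'review' (a construct this simplified model does not evaluate).
    """
    policy = "ACCEPT"   # no filter table loaded means nothing is filtered
    restricted = None   # first source-limited ACCEPT seen for the port
    in_filter = False
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":INPUT "):
            policy = line.split()[1]
        if not in_filter or not line.startswith("-A INPUT "):
            continue
        tokens = shlex.split(line)
        opts = options(tokens)
        target = opts.get("-j", "")
        if target in ("", "LOG"):
            continue                      # non-terminating, evaluation goes on
        if "!" in tokens:
            return "review", line         # negated match: not modelled here
        if opts.get("-p", "tcp") not in ("tcp", "all") or opts.get("-i") == "lo":
            continue
        states = opts.get("--state") or opts.get("--ctstate")
        if states and "NEW" not in states.split(","):
            continue
        spec = opts.get("--dport") or opts.get("--dports")
        if spec and not port_match(spec, port):
            continue
        limited = "-s" in opts or "--source" in opts
        if target == "ACCEPT":
            if not limited:
                return "exposed", line
            restricted = restricted or line
        elif target in ("DROP", "REJECT"):
            if not limited:               # a source-limited drop blocks only some hosts
                return ("restricted", restricted) if restricted else ("blocked", line)
        else:
            return "review", line         # jump to a user-defined chain
    if policy == "ACCEPT":
        return "exposed", "policy ACCEPT"
    return ("restricted", restricted) if restricted else ("blocked", "policy " + policy)


if __name__ == "__main__":
    print(broker_exposure(DEFAULT_RULES))
    print(broker_exposure(with_rule("-A INPUT -p tcp -m tcp --dport 49000 -j ACCEPT")))
```

An empty ruleset, which is what a disabled firewall produces, is reported as exposed; ip6tables-save output uses the same format and can be checked the same way.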
Bug Fix
BZ#752325
Prior to this update, matahari agents were being unnecessarily restarted during upgrades. As a consequence, unexpected output could appear during the upgrade process. This update modifies the underlying code so that agents are not restarted more than once and no more unexpected reporting occurs.

Enhancements

BZ#723078
Prior to this update, no shell tool for using matahari agents was available. This update adds a Python API and command-line shell to matahari.
BZ#759243
Prior to this update, the matahari interface could not identify Python scripts written by users. This update adds the RPC agent to provide an API to execute user-written Python scripts installed on the target machine.
All users of matahari are advised to upgrade to these updated packages, which fix this bug and add these enhancements.

5.132. mcelog

Updated mcelog packages that fix three bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
The mcelog packages provide the mcelog daemon to collect and decode Machine Check Exception data on AMD64 and Intel 64 platforms.

Bug Fixes

BZ#728265
Prior to this update, the mcelog README file contained references to nonexistent directories. This update removes these references and updates the file.
BZ#769363
Prior to this update, when mcelog was run on Intel CPUs with only architectural decoding enabled, the mcelog daemon wrongly displayed an error that a certain microarchitecture was not supported, even if the CPU was supported. This update removes this message.
BZ#784091
Prior to this update, a cron job tried to install regardless of whether a system was supported or not. As a result, the mcelog daemon displayed the message "No such device" if mcelog was installed on unsupported systems. This update prevents the cron job from installing on unsupported processors.

Enhancements

BZ#746785
Prior to this update, the mcelog daemon displayed the error "mcelog read: No such device" when running the unsupported AMD Family 16 microarchitecture or higher. This update adds a check to mcelog to determine what AMD processor family is used. If needed, the new message "CPU is unsupported" is displayed.
BZ#795508
Prior to this update, the cron file for mcelog did not use the "--supported" option. As a consequence, the "--supported" option did not correctly check whether the mcelog daemon worked. This update adds the "--supported" option to the crontab file and removes two redundant strings.
All users of mcelog are advised to upgrade to these updated mcelog packages, which fix these bugs and add these enhancements.

5.133. mdadm

Updated mdadm packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The mdadm package contains a utility for creating, managing, and monitoring Linux MD (multiple disk) devices.

Upgrade to an upstream version

The mdadm package has been upgraded to upstream version 3.2.3, which provides a number of bug fixes and enhancements over the previous version. (BZ#745802)
Bug Fixes
BZ#771332
Previously, removing a device from its container occasionally failed. With this update, mdadm attempts to remove such a device again.
BZ#808776
The mdadm --add command could fail when adding to an array a device similar to a recent member of the array. With this update, the code restricting device addition has been corrected to only apply to members of recent arrays which have failed and require manual assembly.
BZ#811282
It was not possible to add a write-intent bitmap to a multiple-device (MD) array built with the metadata version property 1.0. This happened because mdadm occasionally failed to calculate the bitmap location correctly. With this update, a write-intent bitmap can be added to such an MD array as expected.
BZ#730052
If the user rebooted the system during a reshape process, MD RAID devices could remain inactive due to several problems. This update introduces several patches adjusting the logic of the reshape process and fixing several errors.
BZ#808424
The mdadm --monitor command terminated unexpectedly after completing a resynchronization process due to a buffer overflow. This happened when more than 40 mismatches were reported during the resync process, as the respective buffer could hold only 40 mismatch reports. With this update, the buffer has been enlarged and can now hold up to 80 mismatch reports.
BZ#790394
The mdadm tool could fail to add a device to a degraded array with bitmaps and exit silently. This happened because the called functions attempted to write to unaligned buffers. With this update, an upstream patch to fix this bug has been applied: the patch modifies the underlying functions to use their own aligned buffers and the problem no longer occurs.
BZ#788022
If the user installed Red Hat Enterprise Linux 6.0 on a machine with a version 0.90 MD RAID array already installed, the array did not automatically start at the next reboot. This happened because the policy statement in the /etc/mdadm.conf file excluded automatic startup of version 0.90 RAID arrays (however, if such an array was needed on boot, dracut did start this array). The user could add +0.90 to the AUTO line in the /etc/mdadm.conf file to have such RAID arrays come up on boot.
In Red Hat Enterprise Linux 6.1 and 6.2, mdadm always assembled version 0.90 RAID arrays automatically due to a bug. This update fixes the bug. The user needs to implement the same fix as described above for Red Hat Enterprise Linux 6.0 to have version 0.90 RAID arrays come up on boot (add +0.90 to the AUTO line in /etc/mdadm.conf).
BZ#808438
The mdadm utility did not check how many volumes per controller were allowed for arrays on Intel controllers with OROM (Option ROM) or EFI (Extensible Firmware Interface) created by IMSM (Intel Matrix Storage Manager). Consequently, only the respective limited number of arrays were available even if further arrays were previously added. With this update, mdadm checks OROM limitations and adding a new volume is blocked if the number of volumes on the device attached to the given controller has exceeded the limit.
BZ#771554
The mdadm tool did not apply the --oneshot/-1 option when running the mdadm --monitor --scan --oneshot command or its short equivalent. Consequently, mdadm was monitoring the respective device continuously. With this update, the underlying code has been modified and the --oneshot option is applied as expected.
BZ#808492
IMSM RAID only supports two volumes per container. Previously, mdadm allowed an administrator to create the second volume smaller than the remaining free space, leaving unallocated space in the container. With this update, the second volume must take up the remaining space of the container by applying the same restrictions as when managing the IMSM RAID through the BIOS interface.
BZ#808507
Disk and volume sizes were stored as metadata in 32-bit blocks. If the disk size exceeded 2 TB, the allocated space was no longer sufficient to store the size value and volume sizes returned incorrect results for such disks. With this update, the size of the block is calculated depending on the disk or volume size, and, in the scenario described, the correct disk and volume sizes are used and displayed.
BZ#808519
The mdadm tool failed to create a link to the IMSM container device during incremental assembly. This happened when the device metadata did not provide a name for the container. With this update, if no container name has been provided, the metadata version name is used as the container name and a digit is added to the end of the container name so that the link to the IMSM container device is created correctly.
BZ#754998
When an array reshape process was restarted during array assembly, the file system placed on the array could not be mounted and the system returned a busy error. This happened because the child process of the reshape that handled the external metadata of the array was not closed on restart and a memory leak occurred. Consequently, the metadata update failed. With this update, the underlying code has been changed so that the child process of the reshape process is closed under these circumstances and the problem no longer occurs.
BZ#754986
When migrating a non-RAID system to a RAID5 system, an excessive amount of memory could be consumed and the migration process could fail due to a memory leak. With this update, the underlying code has been modified so that the respective resources are freed and the problem no longer occurs.
BZ#812001
If a system containing IMSM RAID devices was rebooted during the rebuild of the IMSM RAID devices, the MD driver changed the device sync_action status from recover to idle. Consequently, the mdmon daemon could detect this change, finish the rebuild process, and write the metadata of the unfinished rebuild process to disks before the restart. After restart, the RAID volume was in the Normal state in OROM and the rebuild seemed to be finished. However, the RAID volume was in the auto-read-only state, metadata was in the Dirty state, and the data was inconsistent (out-of-sync). With this update, the appropriate test has been added and, when mdmon now detects the change of sync_action from recover to idle, it checks if the rebuild process has really finished.
BZ#814743
An entry could be missing in the device map file if an entry for an array with the same name existed in the device map file. This update fixes the problem so the entry is added to the device map file in such cases.
Enhancement
BZ#808475
The --size max option has been added, allowing the administrator of an IMSM array to enlarge the last volume in the array to take up the remaining space in the array.
Users of mdadm should upgrade to these updated packages, which fix these bugs and add these enhancements.

5.134. metacity

Updated metacity packages that fix one bug are now available for Red Hat Enterprise Linux 6.
Metacity is a window manager that integrates with the GNOME desktop.
BZ#802916
Previously, password dialog boxes did not automatically have the focus after they were opened and could remain covered by a full-screen window. With this update, password dialog boxes are automatically given the focus so that they are raised above full-screen windows, and the problem no longer occurs.
All users of metacity are advised to upgrade to these updated packages, which fix this bug.

5.135. microcode_ctl

Updated microcode_ctl packages that fix one bug and add two enhancements are now available for Red Hat Enterprise Linux 6.
The microcode_ctl packages provide microcode updates for Intel and AMD processors.

Bug Fix

BZ#768803
Previously, running the microcode_ctl utility with long arguments for the "-d" or "-f" options led to a buffer overflow. Consequently, microcode_ctl terminated unexpectedly with a segmentation fault and a backtrace was displayed. With this update, microcode_ctl has been modified to handle this situation gracefully. The microcode_ctl utility no longer crashes and displays an error message informing the user that the file name used is too long.

Enhancements

BZ#736266
The Intel CPU microcode file has been updated to version 20111110, which is the latest version of the microcode available from Intel.
BZ#787757
The AMD CPU microcode file has been updated to version 20120117, which is the latest version of the microcode available from AMD.
All users of microcode_ctl are advised to upgrade to these updated packages, which fix this bug and add these enhancements.

5.136. mingw32-matahari

An updated mingw32-matahari package that fixes one bug is now available for Red Hat Enterprise Linux 6.
This package includes Matahari Qpid Management Framework (QMF) Agents for Windows guests. A QMF Agent can be used to control and manage various pieces of functionality for an ovirt node, using the Advanced Message Queuing Protocol (AMQP).

Bug Fix

BZ#806948
Previously, Matahari depended on libqpidclient and libqpidcommon. As a result, Qpid's APIs using libqpidclient and libqpidcommon did not have a stable ABI and rebuilding Qpid negatively affected mingw32-matahari. With this update, the dependencies have been removed, thus fixing this bug.
All mingw32-matahari users are advised to upgrade to this updated package, which fixes this bug.

5.137. mingw32-qpid-cpp

Updated mingw32-qpid-cpp packages that fix three bugs are now available for Red Hat Enterprise Linux 6.
The mingw32-qpid-cpp packages provide a message broker daemon that receives, stores, and routes messages by means of runtime libraries for Advanced Message Queuing Protocol (AMQP) client applications developed using the Qpid C++ language.

Bug Fixes

BZ#751349
Previously, HTML documentation was required by the mingw32-qpid-cpp package builds, but was not available. Consequently, the following error message was displayed during the build process:
CMake Error at docs/api/cmake_install.cmake:31 (FILE): file INSTALL cannot find file "/usr/src/redhat/BUILD/qpid-cpp-0.12/build/docs/api/html" to install.
As the HTML documentation is not considered essential, this update disables its generation. As a result, the aforementioned error message is not displayed during the build process of the mingw32-qpid-cpp package.
BZ#807345
Previously, mingw32-qpid-cpp had an unnecessary dependency on the mingw32-gnutls package. This update removes the dependency.
BZ#813537
Previously, mingw32-qpid-cpp had an unnecessary dependency on the mingw32-libxslt package. This update removes the dependency.
All users of mingw32-qpid-cpp are advised to upgrade to these updated packages, which fix these bugs.

5.138. mkbootdisk

An updated mkbootdisk package that fixes two bugs is now available for Red Hat Enterprise Linux 6.
The mkbootdisk program creates a standalone boot floppy disk for booting the running system.

Bug Fixes

BZ#761590
Previously, the "mkbootdisk --iso" command could fail with a "Volume ID string too long" error. This was because the length of the volume ID is limited to 32 characters but the limit was not verified. With this update, the string length is verified and if it is longer than 32 characters, the fixed string "Red Hat Linux" is used for volume ID.
BZ#790039
Previously, the mkbootdisk package was missing a dependency on the genisoimage package that was required for functionality of the "--iso" option. This update adds the missing dependency.
All users of mkbootdisk are advised to upgrade to this updated package, which fixes these bugs.

5.139. mod_auth_kerb

Updated mod_auth_kerb packages that fix a bug and add an enhancement are now available for Red Hat Enterprise Linux 6.
The mod_auth_kerb package provides a module for the Apache HTTP Server designed to provide Kerberos authentication over HTTP. The module supports the Negotiate authentication method, which performs full Kerberos authentication based on ticket exchanges.

Bug Fix

BZ#688210
Due to a bug in the handling of memory lifetime when the module was configured to allow delegated credentials, the $KRB5CCNAME variable was lost after the first request of an authenticated connection, causing web applications which relied on the presence of delegated credentials to fail. The memory lifetime handling has been fixed, allowing such web applications to access delegated credentials.
Enhancement
BZ#767741
Support for "S4U2Proxy" constrained delegation has been added, which allows mod_auth_kerb to obtain credentials on behalf of an authenticated user.
Users are advised to upgrade to these updated mod_auth_kerb packages, which fix this bug and add this enhancement.

5.140. mod_nss

An updated mod_nss package that fixes several bugs is now available for Red Hat Enterprise Linux 6.
The mod_nss module provides strong cryptography for the Apache HTTP Server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, using the Network Security Services (NSS) security library.

Bug Fixes

BZ#749408
PK11_ListCerts was called for every server instead of only once. If there were more than a few hundred certificates in the database, the PK11_ListCerts call could take several seconds or even minutes.
BZ#749409
ECC is now enabled by default for mod_nss.
BZ#797326 and BZ#797358
The fix for BZ#691502, related to clearing the SSL cache when mod_nss started, introduced a file descriptor leak in the httpd Apache daemon. This has been fixed.
Users of mod_nss are advised to upgrade to this updated package, which fixes these bugs.

5.141. module-init-tools

Updated module-init-tools packages that fix two bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
The module-init-tools packages include various programs needed for automatic loading and unloading of modules under 2.6 kernels, as well as other module management programs. Device drivers and file systems are two examples of loaded and unloaded modules.

Bug Fixes

BZ#670613
Previously, on low-memory systems (such as low-memory high-performance infrastructure, or HPC, nodes or virtual machines), depmod could use an excessive amount of memory. As a consequence, the depmod process was killed by the OOM (out of memory) mechanism, and the system was unable to boot. With this update, the free() function is correctly used in several places in the code so that depmod's memory consumption is reduced.
BZ#673100
Previously, if the "override" keyword was present in the depmod.conf file without any parameters specified, the depmod utility terminated unexpectedly with a segmentation fault. A patch has been applied to ensure that the depmod utility no longer crashes and a syntax warning is displayed instead.

Enhancement

BZ#761511
This update adds the "backports" directory to the search path in the depmod.conf file, which is necessary to support integration of the compat-wireless package into kernel packages.
All users of module-init-tools are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

5.142. mysql

Updated mysql packages that fix one security issue and add one enhancement are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries.
Security Fix
CVE-2012-2102
A flaw was found in the way MySQL processed HANDLER READ NEXT statements after deleting a record. A remote, authenticated attacker could use this flaw to provide such requests, causing mysqld to crash. This issue only caused a temporary denial of service, as mysqld was automatically restarted after the crash.

Enhancement

BZ#740224
The InnoDB storage engine is built-in for all architectures. This update adds InnoDB Plugin, the InnoDB storage engine as a plug-in for the 32-bit x86, AMD64, and Intel 64 architectures. The plug-in offers additional features and better performance than when using the built-in InnoDB storage engine. Refer to the MySQL documentation, linked to in the References section, for information about enabling the plug-in.
All MySQL users should upgrade to these updated packages, which add this enhancement and contain a backported patch to correct this issue. After installing this update, the MySQL server daemon (mysqld) will be restarted automatically.

5.143. mysql-connector-java

An updated mysql-connector-java package that fixes several bugs and adds various enhancements is now available for Red Hat Enterprise Linux 6.
The mysql-connector-java package provides a native Java driver that converts JDBC (Java Database Connectivity) calls into the network protocol used by the MySQL database. It lets developers working with the Java programming language easily build programs and applets that interact with MySQL.
The mysql-connector-java package has been upgraded to the latest upstream version, which provides a number of bug fixes and enhancements over the previous version. For a list of changes, refer to the MySQL Connector/J documentation:
This update also adds "stub" implementations of methods required by the JDBC 4.1 API specification. Currently, these methods throw exceptions when called, but their presence is necessary for the driver to function properly in JDK 7 and later. This update also converts the driver from a GCJ build to a pure jar (noarch) build. (BZ#816696)
Users are advised to upgrade to this updated mysql-connector-java package, which resolves these issues and adds these enhancements.

5.144. nautilus

Updated nautilus packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
Nautilus is the file manager and graphical shell for the GNOME desktop that makes it easy to manage your files and the rest of your system. It allows users to browse directories on local and remote file systems, preview files and launch applications associated with them. It is also responsible for handling the icons on the GNOME desktop.

Bug Fixes

BZ#600260
When the display size was changed, no desktop folder refresh was performed. Consequently, icons disappeared outside the visible screen when the screen resolution was lowered. With this update, an explicit refresh action has been placed on screen size changes and the icons are now visible when the screen resolution is lowered.
BZ#782467
Previously, an empty file with a name ending in ".desktop" was automatically identified as a special file. Consequently, some operations on the file, such as rename, failed. Now, a fallback that allows the regular file rename operation to be used has been added to the code and these files can now be renamed as expected.
BZ#772103
Due to a short-lived internal object, free-space information was not displayed in the volume Properties dialog. With this update, a reference to another internal object has been placed in the code and the free-space information is now displayed properly.
BZ#755561
Previously, when the Nautilus desktop was set to display a user home directory, an internal queued load operation did not get canceled after refresh. Consequently, nautilus terminated unexpectedly on startup. With this update, pending internal operations that are not valid are correctly canceled and the crashes no longer occur.
All users of nautilus are advised to upgrade to these updated packages, which fix these bugs.

5.145. net-snmp

Updated net-snmp packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The net-snmp packages provide various libraries and tools for the Simple Network Management Protocol (SNMP), including an SNMP library, an extensible agent, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which uses SNMP, and a Tk/Perl Management Information Base (MIB) browser.
Security Fix
CVE-2012-2141
An array index error, leading to an out-of-bounds buffer read flaw, was found in the way the net-snmp agent looked up entries in the extension table. A remote attacker with read privileges to a Management Information Base (MIB) subtree handled by the extend directive (in /etc/snmp/snmpd.conf) could use this flaw to crash snmpd via a crafted SNMP GET request.
Bug Fixes
BZ#736580
In the previous update, a change was made in order to stop snmpd terminating unexpectedly when an AgentX subagent disconnected while processing a request. This fix, however, introduced a memory leak. With this update, this memory leak is fixed.
BZ#740172
In a previous update, a new BRIDGE-MIB was implemented in the net-snmp-perl subpackage. This MIB used incorrect conversion of interface-index values from the kernel and reported incorrect values of ifIndex OIDs (object identifiers). With this update, conversion of interface indexes is fixed and BRIDGE-MIB reports correct ifIndex OIDs.
BZ#746903
Previously, snmpd erroneously enabled verbose logging when parsing the proxy option in the snmpd.conf file. Consequently, unexpected debug messages were sometimes written to the system log. With this update, snmpd no longer modifies logging settings when parsing the proxy option. As a result, no debug messages are sent to the system log unless explicitly enabled by the system administrator.
BZ#748410
Previously, the snmpd daemon strictly implemented RFC 2780. However, this specification no longer scales well with modern big storage devices with small allocation units. Consequently, snmpd reported a wrong value for the HOST-RESOURCES-MIB::hrStorageSize object when working with a large file system (larger than 16TB), because the accurate value did not fit into Integer32 as specified in the RFC. To address this problem, this update adds a new option to the /etc/snmp/snmpd.conf configuration file, realStorageUnits. By changing the value of this option to 0, users can now enable recalculation of all values in hrStorageTable to ensure that the multiplication of hrStorageSize and hrStorageAllocationUnits always produces an accurate device size. The values of hrStorageAllocationUnits are then artificial in this case and no longer represent the real size of the allocation unit on the storage device.
BZ#748411, BZ#755481, BZ#757685
In the previous net-snmp update, the implementation of HOST-RESOURCES-MIB::hrStorageTable was rewritten and devices with Veritas File System (VxFS), ReiserFS, and Oracle Cluster File System (OCFS2) were not reported. In this update, snmpd properly recognizes VxFS, ReiserFS, and OCFS2 devices and reports them in HOST-RESOURCES-MIB::hrStorageTable.
BZ#748907
Prior to this update, the Net-SNMP Perl module did not properly evaluate error codes in the register() method in the NetSNMP::agent module and terminated unexpectedly when this method failed. With this update, the register() method has been fixed and the updated Perl modules no longer crash on failure.
BZ#749227
The SNMP daemon (snmpd) did not properly fill a set of watched socket file descriptors. Therefore, the daemon sometimes terminated unexpectedly with the select: bad file descriptor error message when more than 32 AgentX subagents connected to snmpd on 32-bit platforms or more than 64 subagents on 64-bit platforms. With this update, snmpd properly clears sets of watched file descriptors and no longer crashes when handling a large number of subagents.
BZ#754275
Previously, snmpd erroneously checked the length of SNMP-TARGET-MIB::snmpTargetAddrRowStatus value in incoming SNMP-SET requests on 64-bit platforms. Consequently, snmpd sent an incorrect reply to the SNMP-SET request. With this update, the check of SNMP-TARGET-MIB::snmpTargetAddrRowStatus is fixed and it is possible to set it remotely using SNMP-SET messages.
BZ#754971
Previously, snmpd did not check the permissions of its MIB index files stored in the /var/lib/net-snmp/mib_indexes directory and assumed it could read them. If the read access was denied, for example due to incorrect SELinux contexts on these files, snmpd crashed. With this update, snmpd checks if its MIB index files were correctly opened and does not crash if they cannot be opened.
BZ#786931
Before this release, the length of the OID parameter of sysObjectID (an snmpd.conf config file option) was not correctly stored in snmpd, which resulted in SNMPv2-MIB::sysObjectID being truncated if the OID had more than 10 components. In this update, handling of the OID length is fixed and SNMPv2-MIB::sysObjectID is returned correctly.
BZ#788954
Prior to this update, when snmpd was started and did not find a network interface which had been present during the last snmpd shutdown, the following error message was logged:
snmpd: error finding row index in _ifXTable_container_row_restore 
This happened on systems which dynamically create and remove network interfaces on demand, such as virtual hosts or PPP servers. In this update, this message has been removed and no longer appears in the system log.
BZ#789909
Previously, snmpd enumerated active TCP connections for TCP-MIB::tcpConnectionTable in an inefficient way with O(n^2) complexity. With many TCP connections, an SNMP client could time out before snmpd processed a request regarding the tcpConnectionTable and sent a response. This update improves the enumeration mechanism and snmpd now swiftly responds to SNMP requests regarding the tcpConnectionTable.
BZ#799291
When an object identifier (OID) was out of the subtree registered by the proxy statement in the /etc/snmp/snmpd.conf configuration file, the previous version of the snmpd daemon failed to use a correct OID of proxied GETNEXT requests. With this update, snmpd now adjusts the OIDs of proxied GETNEXT requests correctly and sends correct requests to the remote agent as expected.
BZ#822480
Net-SNMP daemons and utilities use the /var/lib/net-snmp directory to store persistent data, for example the cache of parsed MIB files. This directory is created by the net-snmp package and when this package is not installed, Net-SNMP utilities and libraries create the directory with the wrong SELinux context, which results in an Access Vector Cache (AVC) error reported by SELinux. In this update, the /var/lib/net-snmp directory is created by the net-snmp-lib package, so Net-SNMP utilities and libraries no longer need to create the directory and the directory has the correct SELinux context.
All users of net-snmp are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the update, the snmpd and snmptrapd daemons will be restarted automatically.

5.146. NetworkManager

An updated NetworkManager package that fixes several bugs and adds various enhancements is now available for Red Hat Enterprise Linux 6.
NetworkManager is a system network service that manages network devices and connections, attempting to keep active network connectivity when available. It manages Ethernet, wireless, mobile broadband (WWAN), and PPPoE devices, and provides VPN integration with a variety of different VPN services.
Bug Fixes
BZ#663820
NetworkManager used a DHCP transaction timeout of 45 seconds without the possibility of configuring a different value. Consequently, in certain cases NetworkManager failed to obtain a network address. NetworkManager has been extended to read the timeout parameter from a DHCP configuration file and use that instead of the default value. As a result, NetworkManager will wait to obtain an address for the duration of the DHCP transaction period as specified in the DHCP client configuration file.
BZ#696967
If no Web browser was installed and the web site link was clicked in nm-applet's About dialog box, there was no response and NetworkManager did not display an error message. This has now been improved and the user is now presented with an error dialog box in the scenario described.
BZ#747649
NetworkManager did not update the timestamps for system connections. Consequently, the entry under the heading Last Used in the connection editor was always "never", even if the connection had been used. An upstream patch has been applied and NetworkManager now updates connection timestamps for all connections.
BZ#773590
After system boot or when the user re-logged into the Gnome display manager, NetworkManager tried to initialize the user settings proxy even if it was not active. Consequently, this caused an unnecessary warning to be written to the /var/log/messages file. An upstream patch has been applied to prevent NetworkManager from trying to initialize the user settings proxy if the user settings service does not exist. As a result, warning messages are no longer generated in the scenario described.
BZ#787084
NetworkManager inserted erroneous warning messages in the /var/log/messages log file when changing the hostname. An upstream patch has been applied to the nm-dispatcher script and NetworkManager no longer generates unnecessary warnings during a hostname change.
BZ#801744
When an existing DHCP lease was renewed, NetworkManager did not recognize it as a change in DHCP state and therefore failed to run the dispatcher scripts. Consequently, hostnames were purged from DHCP records. With this update, the code has been improved and NetworkManager now handles same-state transitions correctly. As a result, hostnames are not purged from the DHCP server when a lease is renewed.
BZ#809784
There were errors in nm-applet's message catalog for some languages. Consequently, the Routes button name in the connection editor was not translated for those languages and appeared in English. The message catalog has been corrected and now the button text is translated correctly for all supported languages.
Enhancements
BZ#209339
NetworkManager did not support EAP-FAST authentication for WPA2 Enterprise wireless networks, which made it unusable in some wireless environments. NetworkManager has been enhanced to handle EAP-FAST authentication.
BZ#673476
NetworkManager did not handle RFC3442-standard classless static routes provided by a DHCP server without manual changes to the dhclient's configuration file. An enhancement has been made to ensure that RFC3442 classless static routes are requested from the DHCP server, and that they are properly processed by NetworkManager without any manual intervention.
BZ#685096
NetworkManager did not recognize IP-over-InfiniBand interfaces, which prevented installation in some situations. These interfaces are now recognized.
BZ#712302, BZ#717475, BZ#804797
Previously, VLAN and bonding interfaces were not supported by NetworkManager and required special configuration to ensure NetworkManager did not interfere with their operation. NetworkManager now recognizes and can configure VLAN and bonding interfaces but only if the NM_BOND_VLAN_ENABLED key is set to yes in /etc/sysconfig/network. The default is that this option is set to no.
BZ#719892
If PolicyKit setup was used to disable creation of shared Wi-Fi networks, and a user tried to create a network using nm-applet, the setup silently failed. With this update, nm-applet now issues a notification providing the reason for the failure.
BZ#798294
When no VPN plug-in for NetworkManager was installed and a user tried to configure a VPN connection, the connection editor displayed an insensitive Add button without giving any indication of the cause. This update adds a tooltip to the button informing the user that editing a VPN connection is disabled due to missing VPN plug-ins.
Users are advised to upgrade to these updated NetworkManager packages, which resolve these bugs and add these enhancements.

5.147. NetworkManager-openswan

An updated NetworkManager-openswan package that fixes various bugs is now available for Red Hat Enterprise Linux 6.
NetworkManager-openswan contains software for integrating the Openswan VPN software with NetworkManager and the GNOME desktop.
Bug Fixes
BZ#696946
Prior to this update, it was possible to enter an incorrect IP address into the gateway field and it was sometimes interpreted as a gateway hostname. With this update, the code has been improved to validate IP addresses. As a result, valid IPv4 addresses, as well as hostnames, are more reliably distinguished.
BZ#748365
NetworkManager-openswan was not able to import configuration files that were previously exported using NetworkManager. This release adds support for this functionality and importing Openswan IPsec configuration files is now possible using NetworkManager.
All users of NetworkManager-openswan are advised to upgrade to this updated package, which fixes these bugs.

5.148. nfs-utils

Updated nfs-utils packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.
The nfs-utils packages provide a daemon for the kernel Network File System (NFS) server, and related tools such as mount.nfs, umount.nfs, and showmount.
Bug Fixes
BZ#737990
Prior to this update, the nfs(5) man page contained incorrect information on the Transmission Control Protocol (TCP) retries. This update modifies the man page and describes more accurately how the TCP timeout code works.
BZ#740472
Prior to this update, the "nfs_rewrite_pmap_mount_options()" function did not interrupt RPC timeouts as expected. As a consequence, mounts that used the "-o bg" and "vers=" options did not retry but failed when the server was down. This update modifies the underlying code to allow mounts to retry when the server is down.
BZ#751089
Prior to this update, the rpc.idmapd daemon handled the "SIGUSR*" signal incorrectly. As a consequence, idmapd could, under certain circumstances, close without an error message. This update modifies the underlying code to process the "SIGUSR*" signal as expected.
BZ#758000
Prior to this update, mount points could not be unmounted when the path contained multiple slash characters. This update modifies the "umount" paths so that the mount point can now be unmounted as expected.
BZ#772543
Prior to this update, nfs-utils used the wrong nfs lock file. As a consequence, the "status nfsd" command did not return the correct status. This update modifies the startup script to use the "/var/lock/subsys/nfsd" file as the nfs lock file. Now the correct nfsd status is returned.
BZ#772619
Prior to this update, NFS ID Mapping could redirect Unicode characters using umlaut diacritics (ö, ä, ü) in group names to the group "nobody". This update deactivates the Unicode characters check.
BZ#787970
Prior to this update, the name mapping daemon idmapd failed to decode group names that contained spaces. This update modifies the character size check for decoding the octal encoded value. Now, group names with spaces are decoded as expected.
BZ#800335
Prior to this update, concurrent executions of the "exportfs" command could, under certain circumstances, cause conflicts when updating the etab file. As a consequence, not all exports were successful. This update modifies the exportfs script to allow for concurrent executions.
BZ#801085
Prior to this update, symlinks mounted with NFS could not be unmounted. This update modifies the underlying code so that symlinks are now exported as expected.
BZ#803946
Prior to this update, the nfsd daemon was started before the mountd daemon and nfsd could not validate file handles with mountd. The NFS client received an "ESTALE" error and client applications failed if an existing client sent requests to the NFS server when nfsd was started. This update changes the startup order of the daemons so that nfsd can use the mountd daemon.
BZ#816149
Prior to this update, the preinstall scriptlet could fail to change the default group ID for nfsnobody. This update modifies the preinstall scriptlet and the default group ID is changed after the nfs-utils upgrade as expected.
BZ#816162
Prior to this update, mounting a subdirectory of non-user accounts could, under certain circumstances, fail. This update modifies the underlying code to ensure that the parent directory of the pseudo exports also has root squashing disabled. Now, subdirectories of non-user accounts can be successfully mounted.
All users of nfs-utils are advised to upgrade to these updated packages, which fix these bugs.

5.149. nfs4-acl-tools

An updated nfs4-acl-tools package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The nfs4-acl-tools package provides utilities for managing NFSv4 Access Control Lists (ACLs) on files and directories mounted on ACL-enabled NFSv4 file systems.

Bug Fix

BZ#769862
Prior to this update, several uninitialized stack pointers were incorrectly freed. As a consequence, the "nfs4_setfacl" command failed with the error message "*** glibc detected *** nfs4_setfacl: double free or corruption (out)" if the format of the input ACL file was incorrect. This update corrects the memory handling process. Now, the nfs4_setfacl command displays a useful error message if the input file syntax is invalid.
All users of nfs4-acl-tools are advised to upgrade to this updated package, which fixes this bug.

5.150. nmap

Updated nmap packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The nmap packages provide a network exploration utility and a security scanner.
The nmap package has been upgraded to version 5.51, which provides a number of bug fixes and enhancements over the previous version and improves performance. (BZ#512042)

Bug Fix

BZ#813734
Prior to this update, the nping man page listed "--md" for the "More Fragments" option. This update corrects this misprint and now correctly lists "--mf" for this option.
All users of nmap are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

5.151. nss

Updated nss packages that fix one bug are now available for Red Hat Enterprise Linux 6.
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.

Bug Fix

BZ#828679
Due to a missing out-of-memory (OOM) check and improper freeing of allocated memory, the Privacy Enhanced Mail (PEM) module did not fully validate the encoding of certificates stored in a PEM-formatted file. As a consequence, error handling tests failed. With this update, the PEM module correctly validates the encoding, handles memory deallocation consistently, and error handling tests pass as expected.
All users of nss are advised to upgrade to these updated packages, which fix this bug.

5.152. nss, nss-util, and nspr

Updated nss, nss-util, and nspr packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact.
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.
Security Fix
BZ#798533
It was found that a Certificate Authority (CA) issued a subordinate CA certificate to its customer, that could be used to issue certificates for any name. This update renders the subordinate CA certificate as untrusted.

Note

This fix only applies to applications using the NSS Builtin Object Token. It does not render the certificates untrusted for applications that use the NSS library, but do not use the NSS Builtin Object Token.
The nspr package has been upgraded to upstream version 4.9, which provides a number of bug fixes and enhancements over the previous version. (BZ#799193)
The nss-util package has been upgraded to upstream version 3.13.3, which provides a number of bug fixes and enhancements over the previous version. (BZ#799192)
The nss package has been upgraded to upstream version 3.13.3, which provides numerous bug fixes and enhancements over the previous version. In particular, SSL 2.0 is now disabled by default, support for SHA-224 has been added, PORT_ErrorToString and PORT_ErrorToName now return the error message and symbolic name of an NSS error code, and NSS_GetVersion now returns the NSS version string. (BZ#744070)
These updated nss, nss-util, and nspr packages also provide fixes for the following bugs:
BZ#746632
A PEM module internal function did not clean up memory when detecting a non-existent file name. Consequently, memory leaks in client code occurred. The code has been improved to deallocate such temporary objects and as a result the reported memory leakage is gone.
BZ#761086
Recent changes to NSS re-introduced a problem where applications could not use multiple SSL client certificates in the same process. Therefore, any attempt to run commands that worked with multiple SSL client certificates, such as the "yum repolist" command, resulted in a re-negotiation handshake failure. With this update, a revised patch correcting this problem has been applied to NSS, and using multiple SSL client certificates in the same process is now possible again.
BZ#768669
The PEM module did not fully initialize newly constructed objects with function pointers set to NULL. Consequently, a segmentation violation in libcurl was sometimes experienced while accessing a package repository. With this update, the code has been changed to fully initialize newly allocated objects. As a result, updates can now be installed without problems.
BZ#784674
A lack-of-robustness flaw caused the administration server for Red Hat Directory Server to terminate unexpectedly because the mod_nss module made nss calls before initializing nss as per the documented API. With this update, nss protects itself against being called before it has been properly initialized by the caller.
BZ#795693
Compilation errors occurred with some compilers when compiling code against NSS 3.13.1. The following error message was displayed:
pkcs11n.h:365:26: warning: "__GNUC_MINOR" is not defined
An upstream patch has been applied to improve the code and the problem no longer occurs.
BZ#797426
Unexpected terminations were reported in the messaging daemon (qpidd) included in Red Hat Enterprise MRG after a recent update to nss. This occurred because qpidd made nss calls before initializing nss. These updated packages prevent qpidd and other affected processes that call nss without initializing as mandated by the API from crashing.
Users of NSS, NSPR, and nss-util are advised to upgrade to these updated packages, which fix these issues and add these enhancements. After installing this update, applications using NSS, NSPR, or nss-util must be restarted for this update to take effect.

5.153. numactl

Updated numactl packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The numactl packages provide a simple Non-Uniform Memory Access (NUMA) policy support and consist of the numactl program to run other programs with a specific NUMA policy and the libnuma library to do allocations in applications using the NUMA policy.
The numactl packages have been upgraded to upstream version 2.0.7, which provides a number of bug fixes and enhancements over the previous version. (BZ#645066)

Bug Fix

BZ#751764
Prior to this update, the man page for the numastat tool was not included in the numactl package. This update adds the missing numastat man page to numactl.
All users of numactl are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

5.154. numpy

Updated numpy packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The numpy packages provide NumPy. NumPy is an extension to the Python programming language, which adds support for large, multi-dimensional arrays and matrices, and a library of mathematical functions that operate on such arrays.
The numpy packages have been upgraded to upstream version 1.4.1, which provides a number of bug fixes and enhancements over the previous version.
BZ#692959
This update introduces two important changes in NumPy's behavior:
  • When operating on 0-d arrays, the numpy.max() function and other functions no longer accept axis values other than 0, -1, and None, and NumPy now raises an error for other axis values.
  • It is no longer possible to specify an axis value greater than the MAX_DIMS value, and NumPy now raises an error under these circumstances.
Refer to the /usr/share/doc/numpy-1.4.1/1.4.0-notes.rst file for further details about the changes.
Users of numpy are advised to upgrade to these updated numpy packages, which fix these bugs and add these enhancements.

5.155. openldap

Updated openldap packages that fix a security issue and several bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. LDAP is a set of protocols for accessing directory services (usually phone-book style information, but other information is possible) over the Internet, similar to the way DNS (Domain Name System) information is propagated over the Internet. The openldap package contains configuration files, libraries, and documentation for OpenLDAP.
Security Fix
CVE-2012-1164
A denial of service flaw was found in the way the OpenLDAP server daemon (slapd) processed certain search queries requesting only attributes and no values. In certain configurations, a remote attacker could issue a specially-crafted LDAP search query that, when processed by slapd, would cause slapd to crash due to an assertion failure.
Bug Fixes
BZ#784211
When OpenLDAP was set with master-master replication and with the "unique" overlay configured on the back-end database, a server failed to synchronize after getting online. An upstream patch has been applied and the overlay no longer causes breaches in synchronization.
BZ#790687
When the OpenLDAP server was enabled on the ldaps port (636), this port could already be taken by another process using the bindresvport() call. Consequently, the slapd daemon could not bind to the ldaps port. This update adds a configuration file for the portreserve service to reserve the ldaps port and this port is now always available for slapd.
BZ#742163
When the OpenLDAP server was running with the "constraint" overlay enabled and the "count" restrictions configured, specific modify operations could cause "count" restriction violation without the overlay detecting it. Now, the count overlay has been fixed to detect such situations and the server returns the "constraint violation" error as expected.
BZ#783445
If the slapd daemon was set up with master-master replication over TLS, when started, it terminated unexpectedly with a segmentation fault due to accessing unallocated memory. This update applies a patch that copies and stores the TLS initialization parameters until the deferred TLS initialization takes place, and the crashes no longer occur in the described scenario.
BZ#796808
When an OpenLDAP server used TLS and a problem with loading the server key occurred, the server terminated unexpectedly with a segmentation fault due to accessing uninitialized memory. With this update, variables holding TLS certificate and keys are properly initialized, the server no longer crashes in the described scenario, and information about the failure is logged instead.
BZ#807363
Due to a bug in the libldap library, when a remote LDAP server responded with a referral to a client query and the referral chasing was enabled in the library on the client, a memory leak occurred in libldap. An upstream patch has been provided to address this issue and memory leaks no longer occur in the described scenario.
BZ#742023
If a client established a TLS connection to a remote server, which had a certificate issued by a commonly trusted certificate authority (CA), the server certificate was rejected because the CA certificate could not be found. Now, during the package installation, a certificate database is created and a module with a trusted root CA is loaded. Trusted CAs shipped with the Mozilla NSS package are used and TLS connections to a remote server now work as expected.
BZ#784203
Under certain conditions, when the unbind operation was called and the ldap handle was destroyed, the library attempted to close the connection socket, which was already closed. Consequently, warning messages from the valgrind utility were returned. An upstream patch has been applied, additional checks before closing a connection socket have been added, and the socket in the described scenario is now closed only once with no warnings returned.
BZ#732916
Previously, the description of the SASL_NOCANON option was missing under the "SASL OPTIONS" section in the ldap.conf man page. This update amends the man page.
BZ#743781
When the mutually exclusive options "-w" and "-W" were passed to any OpenLDAP client tool, the tool terminated with an assertion error. An upstream patch has been applied and client tools now do not start if these options are passed on the command line together, thus preventing this bug.
BZ#745470
Previously, the descriptions of the "-o" and "-N" options were missing in man pages for OpenLDAP client tools. This update amends the man pages.
BZ#730745
When the "memberof" overlay was set up on top of the front end database, the server terminated unexpectedly with a segmentation fault if an entry was modified or deleted. With this update, the "memberof" overlay can no longer be set up on top of the front end database. Instead, it is required to be set up on top of the back end database or databases. Now, the crash no longer occurs in the described scenario.
BZ#816168
When a utility from the openldap-clients package was called without a specified URL, a memory leak occurred. An upstream patch has been applied to address this issue and the bug no longer occurs in the described scenario.
BZ#818844
When connecting to a remote LDAP server with TLS enabled, while the TLS_CACERTDIR parameter was set to a Mozilla NSS certificate database and the TLS_CACERT parameter was set to a PEM bundle with CA certificates, certificates from the PEM bundle were not loaded. If the signing CA certificate was present only in the PEM CA bundle specified by TLS_CACERT, validation of the remote certificate failed. This update allows loading of CA certificates from the PEM bundle file if the Mozilla NSS certificate database is set up as well. As a result, the validation succeeds in the described scenario.
Users of openldap are advised to upgrade to these updated packages, which fix this issue and these bugs.

5.156. openssh

Updated openssh packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
OpenSSH is OpenBSD's Secure Shell (SSH) protocol implementation. These packages include the core files necessary for the OpenSSH client and server.
Security Fix
CVE-2011-5000
A denial of service flaw was found in the OpenSSH GSSAPI authentication implementation. A remote, authenticated user could use this flaw to make the OpenSSH server daemon (sshd) use an excessive amount of memory, leading to a denial of service. GSSAPI authentication is enabled by default ("GSSAPIAuthentication yes" in "/etc/ssh/sshd_config").

Bug Fixes

BZ#732955
SSH X11 forwarding failed if IPv6 was enabled and the parameter X11UseLocalhost was set to "no". Consequently, users could not set X forwarding. This update fixes sshd and ssh to correctly bind the port for the IPv6 protocol. As a result, X11 forwarding now works as expected with IPv6.
BZ#744236
The sshd daemon was killed by the OOM killer when running a stress test. Consequently, a user could not log in. With this update, the sshd daemon sets its oom_adj value to -17. As a result, sshd is not chosen by the OOM killer and users are able to log in to solve problems with memory.
BZ#809619
If the SSH server was configured with a banner that contained a backslash character, the client escaped it with another "\" character and printed double backslashes. An upstream patch has been applied to correct the problem and the SSH banner is now correctly displayed.
Enhancements
BZ#657378
Previously, SSH allowed multiple ways of authentication of which only one was required for a successful login. SSH can now be set up to require multiple ways of authentication. For example, logging in to an SSH-enabled machine requires both a passphrase and a public key to be entered. The RequiredAuthentications1 and RequiredAuthentications2 options can be configured in the /etc/ssh/sshd_config file to specify authentications that are required for a successful login. For example, to set key and password authentication for SSH version 2, type:
echo "RequiredAuthentications2 publickey,password" >> /etc/ssh/sshd_config
For more information on the aforementioned /etc/ssh/sshd_config options, refer to the sshd_config man page.
BZ#756929
Previously, OpenSSH could use the Advanced Encryption Standard New Instructions (AES-NI) instruction set only with the AES Cipher-block chaining (CBC) cipher. This update adds support for Counter (CTR) mode encryption in OpenSSH so the AES-NI instruction set can now be used efficiently also with the AES CTR cipher.
BZ#798241
Prior to this update, an unprivileged slave sshd process was run as the sshd_t context during privilege separation (privsep). sshd_t is the SELinux context used for running the sshd daemon. Given that the unprivileged slave process is run under the user's UID, it is fitting to run this process under the user's SELinux context instead of the privileged sshd_t context. With this update, the unprivileged slave process is now run as the user's context instead of the sshd_t context in accordance with the principle of privilege separation. The unprivileged process, which might be potentially more sensitive to security threats, is now run under the user's SELinux context.
Users are advised to upgrade to these updated openssh packages, which contain backported patches to resolve these issues and add these enhancements. After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically.

5.157. openswan

Updated openswan packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
Openswan is a free implementation of IPsec (Internet Protocol Security) and IKE (Internet Key Exchange) for Linux. The openswan package contains the daemons and user space tools for setting up Openswan. It supports the NETKEY/XFRM IPsec kernel stack that exists in the default Linux kernel. Openswan 2.6.x also supports IKEv2 (RFC4306).
Bug Fixes
BZ#768162
Previously, Openswan sometimes generated a KE payload that was 1 byte shorter than specified by the Diffie-Hellman algorithm. Consequently, IKE renegotiation failed at random intervals. An error message in the following format was logged:
next payload type of ISAKMP Identification Payload has an unknown value:
This update checks the length of the generated key and if it is shorter than required, leading zero bytes are added.
BZ#768442
Older versions of the kernel required the output length of the HMAC hash function to be truncated to 96 bits, therefore Openswan previously worked with 96-bit truncation length when using the HMAC-SHA2-256 algorithm. However, newer kernels require the 128-bit HMAC truncation length, as per the RFC4868 specification. Consequently, this difference could cause incompatible SAs to be set on IKE endpoints due to one endpoint using 96-bit and the other 128-bit output length of the hash function. This update modifies the underlying code so that Openswan now complies with RFC4868 and adds support for the new kernel configuration parameter, sha2_truncbug. If the sha2_truncbug parameter is set to yes, Openswan now passes the correct key length to the kernel, which ensures interoperability between older and newer kernels.
BZ#771457
When processing an IKE_SA_INIT exchange and the RESERVED field of the IKE_SA_INIT request or response messages was modified, Openswan did not ignore the field as expected according to the IKEv2 RFC5996 specification. Consequently, IKE_SA_INIT messages with reserved fields set were processed as erroneous messages by Openswan and the IKE_SA_INIT exchange failed. With this update, Openswan has been modified to ignore reserved fields as expected and IKE_SA_INIT exchanges succeed in this scenario.
BZ#771460
When processing an IKE_AUTH exchange and the RESERVED field of the IKE_AUTH request or response messages was modified, Openswan did not ignore the field as expected according to the IKEv2 RFC5996 specification. Consequently, the IKE_AUTH messages were processed as erroneous messages by Openswan and the IKE_AUTH exchange failed. With this update, Openswan has been modified to ignore reserved fields as expected and IKE_AUTH exchanges succeed in this scenario.
BZ#771461
Openswan incorrectly processed traffic selector messages proposed by the responder (the endpoint responding to an initiated exchange) by failing to confine them to a subset of the initially proposed traffic selectors. As a consequence, Openswan set up CHILD security associations (SAs) incorrectly. With this update, Openswan reduces the set of traffic selectors correctly, and sets up IKE CHILD SAs accordingly.
BZ#771463
Previously, Openswan did not behave in accordance with the IKEv2 RFC5996 specification and ignored IKE_AUTH messages that contained an unrecognized Notify payload. This resulted in IKE SAs being set up successfully. With this update, Openswan processes any unrecognized Notify payload as an error and IKE SA setup fails as expected.
BZ#771464
When processing an INFORMATIONAL exchange, the responder previously did not send an INFORMATIONAL response message as expected in reaction to the INFORMATIONAL request message sent by the initiator. As a consequence, the INFORMATIONAL exchange failed. This update corrects Openswan so that the responder now sends an INFORMATIONAL response message after every INFORMATIONAL request message received, and the INFORMATIONAL exchange succeeds as expected in this scenario.
BZ#771465
When processing an INFORMATIONAL exchange with a Delete payload, the responder previously did not send an INFORMATIONAL response message as expected in reaction to the INFORMATIONAL request message sent by the initiator. As a consequence, the INFORMATIONAL exchange failed and the initiator did not delete IKE SAs. This update corrects Openswan so that the responder now sends an INFORMATIONAL response message and the initiator deletes IKE SAs as expected in this scenario.
BZ#771466
When the responder received an INFORMATIONAL request with a Delete payload for a CHILD SA, Openswan did not process the request correctly and did not send the INFORMATIONAL response message to the initiator as expected according to the RFC5996 specification. Consequently, the responder was not aware of the request and only the initiator's CHILD SA was deleted. With this update, Openswan sends the response message as expected and the CHILD SA is deleted properly on both endpoints.
BZ#771467
Openswan did not ignore the minor version number of the IKE_SA_INIT request messages as required by the RFC5996 specification. Consequently, if the minor version number of the request was higher than the minor version number of the IKE protocol used by the receiving peer, Openswan processed the IKE_SA_INIT messages as erroneous and the IKE_SA_INIT exchange failed. With this update, Openswan has been modified to ignore the Minor Version fields of the IKE_SA_INIT requests as expected and the IKE_SA_INIT exchange succeeds in this scenario.
BZ#771470
The Openswan IKEv2 implementation did not correctly process an IKE_SA_INIT message containing an INVALID_KE_PAYLOAD Notify payload. With this fix, Openswan now sends the INVALID_KE_PAYLOAD notify message back to the peer so that IKE_SA_INIT can restart with the correct KE payload.
BZ#771472
Openswan incorrectly processed traffic selector messages proposed by the initiator (the endpoint which started an exchange) by failing to confine them to a subset of the initially proposed traffic selectors. As a consequence, Openswan set up CHILD SAs incorrectly. With this update, Openswan reduces the set of traffic selectors correctly, and sets up IKE CHILD SAs accordingly.
BZ#771473
Previously, Openswan did not respond to INFORMATIONAL requests with no payloads that are used for dead-peer detection. Consequently, the initiator considered the responder to be a dead peer and deleted the respective IKE SAs. This update modifies Openswan so that an empty INFORMATIONAL response message is now sent to the initiator as expected, and the initiator no longer incorrectly deletes IKE SAs in this scenario.
BZ#771475
If the RESERVED field of an INFORMATIONAL request or response message was modified, Openswan did not ignore the field when processing the INFORMATIONAL exchange, as the IKEv2 RFC5996 specification requires. Consequently, the INFORMATIONAL messages were processed as erroneous by Openswan, and the INFORMATIONAL exchange failed. With this update, Openswan has been modified to ignore reserved fields as expected and INFORMATIONAL exchanges succeed in this scenario.
BZ#795842
When the initiator received an INFORMATIONAL request with a Delete payload for an IKE SA, Openswan did not process the request correctly and did not send the INFORMATIONAL response message to the responder as expected according to the RFC5996 specification. Consequently, the initiator was not aware of the request and only the responder's IKE SA was deleted. With this update, Openswan sends the response message as expected and the IKE SA is deleted properly on both endpoints.
BZ#795850
IKEv2 requires each IKE message to have a sequence number for matching a request and response when re-transmitting the message during the IKE exchange. Previously, Openswan incremented sequence numbers incorrectly so that IKE messages were processed in the wrong order. As a consequence, any messages sent by the responder were not processed correctly and any subsequent exchange failed. This update modifies Openswan to increment sequence numbers in accordance with the RFC5996 specification so that IKE messages are matched correctly and exchanges succeed as expected in this scenario.
Users of openswan should upgrade to this updated package, which fixes these bugs.
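The receive-side rules behind BZ#771467, BZ#771475 and BZ#795850 above (ignore the Minor Version field, ignore reserved bits, pair a response with its request by Message ID) are shown here for the fixed IKE header of RFC 5996, section 3.1. This is an added Python sketch, not Openswan code; the names parse_ike_header, is_response_to and build_header are hypothetical, and the sample messages are constructed header-only datagrams.

```python
import struct
from typing import NamedTuple

# Fixed IKE header, RFC 5996 section 3.1: SPIi, SPIr, Next Payload,
# MjVer|MnVer, Exchange Type, Flags, Message ID, Length (28 octets).
IKE_HEADER = struct.Struct("!8s8sBBBBII")
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20   # the only flag bits consulted here
EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
             36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


class IkeHeaderError(ValueError):
    pass


class IkeHeader(NamedTuple):
    spi_i: bytes
    spi_r: bytes
    major: int
    minor: int
    exchange: str
    from_initiator: bool
    is_response: bool
    message_id: int


def parse_ike_header(datagram: bytes) -> IkeHeader:
    if len(datagram) < IKE_HEADER.size:
        raise IkeHeaderError("datagram shorter than the IKE header")
    spi_i, spi_r, _next, ver, xchg, flags, msg_id, length = IKE_HEADER.unpack_from(datagram)
    major, minor = ver >> 4, ver & 0x0F
    if major != 2:                      # assumption: this sketch speaks IKEv2 only
        raise IkeHeaderError(f"unsupported major version {major}")
    # The minor version is recorded but never compared: a peer announcing
    # 2.3 must still be served by a 2.0 implementation.
    if xchg not in EXCHANGES:
        raise IkeHeaderError(f"unknown exchange type {xchg}")
    if not IKE_HEADER.size <= length <= len(datagram):
        raise IkeHeaderError("Length field disagrees with datagram size")
    # Only the defined flag bits are tested, so reserved bits are ignored.
    return IkeHeader(spi_i, spi_r, major, minor, EXCHANGES[xchg],
                     bool(flags & FLAG_INITIATOR), bool(flags & FLAG_RESPONSE), msg_id)


def is_response_to(request: IkeHeader, response: IkeHeader) -> bool:
    """A response answers a request only if it echoes the same Message ID."""
    return (response.is_response and not request.is_response
            and response.exchange == request.exchange
            and response.spi_i == request.spi_i
            and response.message_id == request.message_id)


def build_header(spi_i, spi_r, ver, xchg, flags, msg_id):
    """Constructed sample input: a header-only message with no payloads."""
    return IKE_HEADER.pack(spi_i, spi_r, 0, ver, xchg, flags, msg_id, IKE_HEADER.size)
```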

5.158. oprofile

Updated oprofile packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
OProfile is a system-wide profiler for Linux systems. The profiling runs transparently in the background and profile data can be collected at any time. OProfile uses the hardware performance counters provided on many processors, and can use the Real Time Clock (RTC) for profiling on processors without counters.
The oprofile packages have been upgraded to upstream version 0.9.7, which provides a number of bug fixes and enhancements over the previous version. (BZ#739142)

Bug Fix

BZ#748789
Under certain circumstances, the "opannotate" and "opreport" commands reported no results. With this update, this problem has been fixed so that these commands work as expected.
All OProfile users are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

5.159. pacemaker

Updated pacemaker packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
Pacemaker is a high-availability cluster resource manager with a powerful policy engine.

Bug Fixes

BZ#720214
Previously, the "port" parameter was declared as required in the fencing agent metadata. Some devices, however, determine the correct port automatically and therefore do not need it specified in their configuration. As a consequence, updating configurations that didn't contain the "port" parameter failed with the following error message:
ERROR: apc-fencing: required parameter port not defined
This update modifies the fencing agent metadata so that "port" is not declared as a required configuration option. As a result, updating configurations in which the "port" parameter is not specified succeeds.
BZ#720218
Previously, the "start" and "stop" actions were not declared in the fencing agent metadata. As a consequence, the following warning messages were displayed when configuring fencing devices:
WARNING: apc-fencing: action start not advertised in meta-data, it may not be supported by the RA
WARNING: apc-fencing: action stop not advertised in meta-data, it may not be supported by the RA
This update adds the "start" and "stop" actions to all fencing agent metadata. As a result, configuring fencing devices no longer displays the aforementioned warning messages.
BZ#789397
Due to an error in the underlying source code, operation failure records were not removed together with removed resources. Consequently, resources re-defined after previous deletion were associated with the previous failure records. This update modifies the underlying source code so that failure records are removed together with removed resources. As a result, previously deleted resources are not associated with any failure records after being re-defined.
BZ#799070
Previously, the logic for determining whether a resource is active was incorrect. Consequently, active resources on nodes in the "UNCLEAN" state were ignored by tools that relied on this logic. This update fixes the logic. As a result, tools relying on this logic report active resources on nodes in the "UNCLEAN" state as active.
BZ#801351
Previously, the descriptions of the -v and -V options of the crm_report command were swapped in the text of its manual pages. Consequently, some users were misled by unexpected behavior when using these options. This update corrects the text of the manual pages so that they reflect the actual behavior of the crm_report command.

Enhancement

BZ#782255
Pacemaker now uses the libqb library for logging. This provides less verbose logs while still providing the ability to debug and support Pacemaker.
All users of Pacemaker are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

5.160. PackageKit

Updated PackageKit packages that fix four bugs are now available for Red Hat Enterprise Linux 6.
PackageKit is a D-Bus abstraction layer that allows the session user to manage packages in a secure way using a cross-distribution, cross-architecture API.

Bug Fixes

BZ#744359
If a user attempted to install or update packages that were either unsigned, or signed with a GPG key that was not installed and not available for installation, PackageKit kept reporting that the packages are from an untrusted source and repeatedly prompted the user for confirmation. This update corrects this behavior and ensures that up-to-date interfaces are used to specify that untrusted packages are to be installed.
BZ#783537
If the pkcon console client is executed with the "--noninteractive" command line option, it is not supposed to prompt the user for any confirmation. Previously, running pkcon with this option did not prevent it from requiring confirmation in certain situations, such as if a package signing key had to be imported or additional dependent packages needed to be removed during package removal. With this update, the pkcon utility no longer requires confirmation in these situations and proceeds as if the user answered "yes" on the command line.
BZ#684861, BZ#700448
Prior to this update, the PackageKit-yum and PackageKit-yum-plugin subpackages did not specify pygobject2 and dbus-python as their dependencies. Consequently, if these packages were not present on the system, certain tools such as the pkcon console client or the refresh-packagekit plug-in for YUM did not work properly. This update adapts the PackageKit-yum and PackageKit-yum-plugin subpackages to require pygobject2 and dbus-python respectively. As a result, the tools that are installed with either of these subpackages no longer fail to work properly due to missing dependencies.
All users of PackageKit are advised to upgrade to these updated packages, which fix these bugs.

5.161. pam_pkcs11

Updated pam_pkcs11 packages which fix a bug are now available for Red Hat Enterprise Linux 6.
The pam_pkcs11 package allows X.509 certificate-based user authentication. It provides access to the certificate and its dedicated private key with an appropriate Public Key Cryptographic Standards #11 (PKCS#11) module.

Bug Fix

BZ#756917
When remotely logged into a system with smart card log-in turned on, users saw the following unnecessary error message when trying to use su:
ERROR:pam_pkcs11.c:224: Remote login (from localhost:13.0) is not (yet) supported
The user was still able to use su despite this message. With this update the message is logged but no longer displayed.
All users of pam_pkcs11 are advised to upgrade to these updated packages, which fix this bug.

5.162. parted

Updated parted packages that fix three bugs are now available for Red Hat Enterprise Linux 6.
The parted packages allow you to create, destroy, resize, move, and copy hard disk partitions. The parted program can be used for creating space for new operating systems, reorganizing disk usage, and copying data to new hard disks.

Bug Fixes

BZ#698121, BZ#751164
Prior to this update, when editing partitions on an mpath device, udev could, under certain circumstances, interfere with re-reading the partition table. This update adds the dm_udev_wait option so that udev now correctly synchronizes.
BZ#750395
Prior to this update, the libparted partition_duplicate() function did not correctly copy all GPT partition flags. This update modifies the underlying code so that all flags are correctly copied and adds a test to ensure correct operation.
All parted users are advised to upgrade to these updated packages, which fix these bugs.

5.163. pcre

Updated pcre packages that fix three bugs are now available for Red Hat Enterprise Linux 6.
The pcre packages provide the Perl-compatible regular expression (PCRE) library.

Bug Fixes

BZ#613690
Prior to this update, the PCRE license file was missing from the pcre-static subpackage. This update adds the license file.
BZ#676636
Prior to this update, the pcretest(1) manual page contained various misprints. This update corrects these misprints.
BZ#676643
Prior to this update, the pcregrep(1) manual page contained various misprints. This update corrects these misprints.
All users of pcre are advised to upgrade to these updated packages, which fix these bugs.

5.164. pcsc-lite

Updated pcsc-lite packages that fix one bug are now available for Red Hat Enterprise Linux 6.
PC/SC Lite provides a Windows SCard compatible interface for communicating with smart cards, smart card readers, and other security tokens.

Bug Fix

BZ#812469
Previously, the pcscd init script pointed to the wrong value to identify the HAL daemon. It also wrongly started at runlevel 2. As a result, chkconfig did not automatically place pcscd after the start of the HAL daemon, thus pcscd failed to see USB readers. With this update, the pcscd init script has been changed to properly identify the HAL daemon and only start at runlevels 3, 4, and 5, thus fixing this bug.
All pcsc-lite users are advised to upgrade to these updated packages, which fix this bug.

5.165. perl

Updated perl packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
Perl is a high-level programming language commonly used for system administration utilities and web programming.

Bug Fixes

BZ#707960, BZ#717565
Previously, the perl and perl-libs packages owned the /usr/local/lib/perl5/, /usr/local/lib64/perl5/, and /usr/local/share/perl5/ directories. Consequent to this, when the /usr/local/ directory was read-only or contained local changes, the perl and perl-libs packages could not be installed, reinstalled, updated, or removed. With this update, the perl and perl-libs packages have been updated not to own the aforementioned directories. This ensures that after applying this update, both these packages can be installed, reinstalled, updated, or removed as expected and that such an action no longer affects the /usr/local/ directory.
BZ#738421
Prior to this update, an attempt to use bzip2 compression or decompression in a Perl program (for example, by using the IO::Compress::Bzip2 module) failed with an error, because no bzip2 module was available. This update adds support for bzip2 compression and decompression, and provides two new packages, perl-Compress-Raw-Bzip2 and perl-IO-Compress-Bzip2, for the Compress::Raw::Bzip2 and IO::Compress::Bzip2 modules respectively.
BZ#750145
When the perl-ExtUtils-MakeMaker package was not present on the system, an attempt to run the cpanp utility that is provided by the perl-CPANPLUS package previously failed with the following error:
Can't locate ExtUtils/MakeMaker.pm in @INC
With this update, perl-ExtUtils-MakeMaker is now required by the perl-IPC-Cmd package, and the cpanp utility installed from the RPM package now works as expected.
BZ#801804
Due to an error in the corresponding spec file, the version of the perl-Compress-Raw-Zlib package was higher than the version reported by the Compress::Raw::Zlib module it provides. This update changes the package version to "2.020" so that it matches the version of the Perl module. Additionally, this update changes the epoch number to preserve the RPM package version string ordering.
BZ#805606
Prior to this update, when a POSIX::strftime() function call returned a string that was longer than 64 bytes, a memory leak occurred. Consequent to this, any script that repeatedly called this function could consume a significant amount of memory over time. This update applies an upstream patch that adapts the implementation of the POSIX::strftime() function to reallocate the memory instead of allocating new memory, and such memory leaks no longer occur.
BZ#806373
When the nextStream() method was called on an IO::Uncompress::Unzip object with the last stream in the ZIP decoder, it did not behave according to the documentation and returned a non-zero value. With this update, an upstream patch has been applied to correct this error, and the nextStream() method now behaves as documented.

Enhancement

BZ#817480
Previous versions of the Perl interpreter were not compiled with the "usesitecustomize" feature, which rendered users unable to use the /usr/local/share/perl5/sitecustomize.pl script to automatically modify the Perl environment when the interpreter is executed. With this update, the Perl interpreter has been recompiled with the "-Dusesitecustomize" option so that the interpreter now automatically executes the /usr/local/share/perl5/sitecustomize.pl script before interpreting the Perl code.
All users of perl are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

5.166. perl-Sys-Virt

Updated perl-Sys-Virt packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The perl-Sys-Virt packages provide application programming interfaces (APIs) to manage virtual machines from Perl with the libvirt library.
The perl-Sys-Virt package has been upgraded to upstream version 0.9.10, which provides a number of bug fixes and enhancements over the previous version. (BZ#752436)

Bug Fixes

BZ#661801
Prior to this update, the perl-Sys-Virt spec file did not contain the "perl(Time::HiRes)" requirement. As a consequence, perl-Sys-Virt could not be rebuilt in mock mode. This update adds the missing requirement to the spec file. Now, perl-Sys-Virt can be rebuilt in mock mode as expected.
BZ#747483
Prior to this update, the perl-Sys-Virt man page did not document the "$flags" parameter for the "get_xml_description" executable. This update modifies the man page so that the parameter is correctly documented.
BZ#748689
P