Detailed notes on the changes implemented in Red Hat Enterprise Linux 6.4

Edition 4

Red Hat Engineering Content Services

Legal Notice

Copyright © 2013 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version. (https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/6.4_Technical_Notes/index.html)
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
All other trademarks are the property of their respective owners.


1801 Varsity Drive
Raleigh, NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701

Abstract

The Red Hat Enterprise Linux 6.4 Technical Notes list and document the changes made to the Red Hat Enterprise Linux 6 operating system and its accompanying applications between Red Hat Enterprise Linux 6.3 and minor release Red Hat Enterprise Linux 6.4.
Preface
1. Important Changes to External Kernel Parameters
2. Device Drivers
3. Technology Previews
3.1. Storage and File Systems
3.2. Networking
3.3. Clustering and High Availability
3.4. Authentication
3.5. Security
3.6. Devices
3.7. Kernel
3.8. Virtualization
3.9. Resource Management
4. Known Issues
4.1. Installation
4.2. Entitlement
4.3. Deployment
4.4. Virtualization
4.5. Storage and File Systems
4.6. Networking
4.7. Clustering
4.8. Authentication
4.9. Devices
4.10. Kernel
4.11. Desktop
4.12. Tools
5. New Packages
5.1. RHEA-2013:0278 — new packages: dev86 and iasl
5.2. RHEA-2013:0484 — new packages: hypervkvpd
5.3. RHEA-2013:0422 — new packages: libjpeg-turbo
5.4. RHEA-2013:0369 — new packages: pcs
5.5. RHEA-2013:0356 — new package: haproxy
5.6. RHEA-2013:0355 — new package: keepalived
5.7. RHEA-2013:0349 — new packages: linuxptp
5.8. RHEA-2013:0342 — new packages: libitm
5.9. RHEA-2013:0341 — new package: scipy
5.10. RHEA-2013:0340 — new packages: suitesparse
5.11. RHEA-2013:0339 — new packages: tbb
5.12. RHEA-2013:0336 — new package: tuna
5.13. RHEA-2013:0289 — new package: mtdev
5.14. RHEA-2013:0284 — new package: cpupowerutils
5.15. RHEA-2013:0283 — new package: cgdcbxd
6. Updated Packages
6.1. 389-ds-base
6.2. abrt, libreport and btparser
6.3. alsa-utils
6.4. amanda
6.5. anaconda
6.6. authconfig
6.7. autofs
6.8. automake
6.9. avahi
6.10. bacula
6.11. bash
6.12. bfa-firmware
6.13. bind-dyndb-ldap
6.14. bind
6.15. binutils
6.16. biosdevname
6.17. bridge-utils
6.18. brltty
6.19. btrfs-progs
6.20. ccid
6.21. cdrkit
6.22. certmonger
6.23. cifs-utils
6.24. clustermon
6.25. cluster and gfs2-utils
6.26. control-center
6.27. coolkey
6.28. Core X11 Libraries
6.29. Core X11 clients
6.30. corosync
6.31. cpuspeed
6.32. crash
6.33. createrepo
6.34. ctdb
6.35. curl
6.36. cvs
6.37. dash
6.38. device-mapper-multipath
6.39. dhcp
6.40. dnsmasq
6.41. docbook-utils
6.42. dovecot
6.43. dracut
6.44. dropwatch
6.45. dvd+rw-tools
6.46. e2fsprogs
6.47. eclipse-nls
6.48. environment-modules
6.49. espeak
6.50. ethtool
6.51. evolution-data-server
6.52. evolution
6.53. fcoe-target-utils
6.54. fcoe-utils
6.55. febootstrap
6.56. fence-agents
6.57. fence-virt
6.58. file
6.59. firstboot
6.60. ftp
6.61. gawk
6.62. gcc
6.63. gdb
6.64. gdm
6.65. gd
6.66. geronimo-specs
6.67. glibc
6.68. gnome-desktop
6.69. gnome-packagekit
6.70. gnome-screensaver
6.71. gnome-settings-daemon
6.72. gnome-terminal
6.73. gnutls
6.74. graphviz
6.75. grub
6.76. gstreamer-plugins-base
6.77. gtk2
6.78. gvfs
6.79. hivex
6.80. hplip
6.81. hsqldb
6.82. httpd
6.83. hwdata
6.84. hwloc
6.85. icedtea-web
6.86. initscripts
6.87. iok
6.88. ipa
6.89. iproute
6.90. iprutils
6.91. iptables
6.92. irqbalance
6.93. irssi
6.94. iscsi-initiator-utils
6.95. jss
6.96. kabi-whitelists
6.97. kdebase
6.98. kdebase-workspace
6.99. kdelibs3
6.100. kdelibs
6.101. kdepim
6.102. kernel
6.103. kexec-tools
6.104. krb5
6.105. ksh
6.106. ledmon
6.107. libburn
6.108. libcgroup
6.109. libdbi
6.110. libdvdread
6.111. libguestfs
6.112. libhbaapi
6.113. libhbalinux
6.114. libical
6.115. libica
6.116. libldb
6.117. libqb
6.118. libsemanage
6.119. libsoup
6.120. libssh2
6.121. libtalloc
6.122. libtdb
6.123. libtevent
6.124. libusb1
6.125. libvirt-cim
6.126. libvirt-java
6.127. libvirt
6.128. libwacom
6.129. lldpad
6.130. lm_sensors
6.131. logrotate
6.132. lohit-telugu-fonts
6.133. luci
6.134. lvm2
6.135. mailman
6.136. man-pages-overrides
6.137. man-pages
6.138. man
6.139. matahari
6.140. mcelog
6.141. mdadm
6.142. mesa
6.143. microcode_ctl
6.144. mlocate
6.145. mod_authz_ldap
6.146. mod_nss
6.147. mod_revocator
6.148. module-init-tools
6.149. mod_wsgi
6.150. mrtg
6.151. mt-st
6.152. netcf
6.153. net-snmp
6.154. NetworkManager
6.155. nfs-utils-lib
6.156. nfs-utils
6.157. nss-pam-ldapd
6.158. nss, nss-util, nspr
6.159. ntp
6.160. numactl
6.161. numad
6.162. openchange
6.163. OpenIPMI
6.164. openldap
6.165. openscap
6.166. openssh
6.167. openssl
6.168. pacemaker
6.169. PackageKit
6.170. pam
6.171. parted
6.172. pciutils
6.173. pcre
6.174. pcsc-lite
6.175. perl-GSSAPI
6.176. perl-IPC-Run3
6.177. perl-IPC-Run
6.178. perl-SOAP-Lite
6.179. perl-Sys-Virt
6.180. perl
6.181. php
6.182. piranha
6.183. pki-core
6.184. plymouth
6.185. pm-utils
6.186. policycoreutils
6.187. powerpc-utils
6.188. ppc64-diag
6.189. procps
6.190. pykickstart
6.191. PyQt4
6.192. python-ethtool
6.193. python-nss
6.194. python-paste
6.195. python-psycopg2
6.196. python-rhsm
6.197. python-rtslib
6.198. python
6.199. python-virtinst
6.200. qemu-kvm
6.201. ql2400-firmware
6.202. ql2500-firmware
6.203. qt
6.204. quota
6.205. rdesktop
6.206. rdma
6.207. redhat-lsb
6.208. redhat-release
6.209. redhat-rpm-config
6.210. Red Hat Enterprise Linux Release Notes
6.211. resource-agents
6.212. rgmanager
6.213. rhn-client-tools
6.214. ricci
6.215. rpcbind
6.216. rpmdevtools
6.217. rpm
6.218. rsyslog
6.219. s390utils
6.220. samba4
6.221. samba
6.222. scl-utils
6.223. seabios
6.224. selinux-policy
6.225. setroubleshoot
6.226. setup
6.227. slapi-nis
6.228. slf4j
6.229. smartmontools
6.230. sos
6.231. spice-gtk
6.232. spice-protocol
6.233. spice-server
6.234. spice-vdagent
6.235. spice-xpi
6.236. squid
6.237. sssd
6.238. strace
6.239. subscription-manager-migration-data
6.240. subscription-manager
6.241. sudo
6.242. sysfsutils
6.243. syslinux
6.244. system-config-kdump
6.245. system-config-kickstart
6.246. system-config-language
6.247. system-config-lvm
6.248. system-config-users
6.249. systemtap
6.250. tar
6.251. tboot
6.252. tcsh
6.253. tigervnc
6.254. tog-pegasus
6.255. tomcat6
6.256. trace-cmd
6.257. tuned
6.258. udev
6.259. usbredir
6.260. util-linux-ng
6.261. valgrind
6.262. vgabios
6.263. virtio-win
6.264. virt-manager
6.265. virt-top
6.266. virt-v2v
6.267. virt-viewer
6.268. virt-what
6.269. virt-who
6.270. wdaemon
6.271. wget
6.272. wpa_supplicant
6.273. x3270
6.274. xfsdump
6.275. xfsprogs
6.276. xinetd
6.277. X.Org Legacy Input Drivers
6.278. xorg-x11-drv-ati
6.279. xorg-x11-drv-evdev
6.280. xorg-x11-drv-intel
6.281. xorg-x11-drv-nouveau
6.282. xorg-x11-drv-qxl
6.283. xorg-x11-drv-synaptics
6.284. xorg-x11-drv-vmmouse
6.285. xorg-x11-drv-wacom
6.286. xorg-x11-server
6.287. xorg-x11
6.288. xorg-x11-xkb-utils
6.289. yaboot
6.290. ypbind
6.291. ypserv
6.292. yum-rhn-plugin
6.293. yum
6.294. zlib
A. Revision History

Preface

The Red Hat Enterprise Linux 6.4 Technical Notes list and document the changes made to the Red Hat Enterprise Linux 6 operating system and its accompanying applications between minor release Red Hat Enterprise Linux 6.3 and minor release Red Hat Enterprise Linux 6.4.
For system administrators and others planning Red Hat Enterprise Linux 6.4 upgrades and deployments, the Technical Notes provide a single, organized record of the bugs fixed in, features added to, and Technology Previews included with this new release of Red Hat Enterprise Linux.
For auditors and compliance officers, the Red Hat Enterprise Linux 6.4 Technical Notes provide a single, organized source for change tracking and compliance testing.
For every user, the Red Hat Enterprise Linux 6.4 Technical Notes provide details of what has changed in this new release.

Note

The Package Manifest is available as a separate document.

Chapter 1. Important Changes to External Kernel Parameters

This chapter provides system administrators with a summary of significant changes in the kernel shipped with Red Hat Enterprise Linux 6.4. These changes include added or updated procfs entries, sysfs default values, boot parameters, kernel configuration options, or any noticeable behavior changes.
intel_idle.max_cstate
A new kernel parameter, intel_idle.max_cstate, has been added to specify the maximum depth of a C-state, or to disable intel_idle and fall back to acpi_idle. For more information, refer to the /usr/share/doc/kernel-doc-<version>/Documentation/kernel-parameters.txt file.
nobar
The new nobar kernel parameter, specific to the AMD64 / Intel 64 architecture, can be used to not assign address space to the Base Address Registers (BARs) that were not assigned by the BIOS.
noari
The new noari kernel parameter can disable the use of PCIe Alternative Routing ID Interpretation (ARI).
MD state file
The state file of an MD array component device (found in the /sys/block/md<md_number>/md/dev-<device_name> directory) can now contain additional device states. For more information, refer to the /usr/share/doc/kernel-doc-<version>/Documentation/md.txt file.
route_localnet
The route_localnet kernel parameter can be used to enable the use of 127/8 for local routing purposes. For more information, refer to the /usr/share/doc/kernel-doc-<version>/Documentation/networking/ip-sysctl.txt file.
pf_retrans
The pf_retrans kernel parameter specifies the number of re-transmissions that will be attempted on a given path before traffic is redirected to an alternate transport (should one exist). For more information, refer to the /usr/share/doc/kernel-doc-<version>/Documentation/networking/ip-sysctl.txt file.
traceevent
The new traceevent library, used by perf, uses the following sysfs control files:
/sys/kernel/debug/tracing/events/header_page
/sys/kernel/debug/tracing/events/.../.../format
/sys/bus/event_source/devices/<dev>/format
/sys/bus/event_source/devices/<dev>/events
/sys/bus/event_source/devices/<dev>/type
/sys/kernel/fadump_*
On 64-bit IBM POWER machines, the following control files have been added to be used by the firmware-assisted dump feature:
/sys/kernel/fadump_enabled
/sys/kernel/fadump_registered
/sys/kernel/fadump_release_mem
For more information about these files, refer to /usr/share/doc/kernel-doc-<version>/Documentation/powerpc/firmware-assisted-dump.txt.
Transparent Hugepages
The /sys/kernel/mm/transparent_hugepage symbolic link, which points to /sys/kernel/mm/redhat_transparent_hugepage, has been added for consistency purposes.
Documentation for transparent hugepages has been added to the following file:
/usr/share/doc/kernel-doc-<version>/Documentation/vm/transhuge.txt
vmbus_show_device_attr
The vmbus_show_device_attr attribute of the Hyper-V vmbus driver shows the device attribute in sysfs. This is invoked when the /sys/bus/vmbus/devices/<busdevice>/<attr_name> file is read.
BNA debugfs Interface
The BNA debugfs interface can be accessed through the bna/pci_dev:<pci_name> hierarchy (note that the debugfs file system must be mounted). The following debugging services are available for each pci_dev:<pci_name> entry:
  • fwtrc — used to collect current firmware trace.
  • fwsave — used to collect last-saved firmware trace as a result of firmware crash.
  • regwr — used to write one word to the chip register.
  • regrd — used to read one or more words from the chip register.
iwlegacy debug_level
The iwlegacy driver includes a new sysfs control file, /sys/bus/pci/drivers/iwl/debug_level, to control per-device level of debugging. The CONFIG_IWLEGACY_DEBUG option enables this feature.
iwlwifi debug_level
The iwlwifi driver includes a new sysfs control file, /sys/class/net/wlan0/device/debug_level, to control per-device level of debugging. The CONFIG_IWLWIFI_DEBUG option enables this feature.
ie6xx_wdt
If debugfs is mounted, the new /sys/kernel/debug/ie6xx_wdt file contains a value that determines whether the system was rebooted by watchdog.
supported_krb5_enctypes
The new /proc/fs/nfsd/supported_krb5_enctypes proc file lists the encryption types supported by the kernel's gss_krb5 code.
usbmixer
The /proc/asound/card<card_number>/usbmixer proc file has been added. It contains a mapping between the ALSA control API and the USB mixer control units. This file can be used for debugging and problem diagnostics.
codec#<number>
The /proc/asound/card<card_number>/codec#<number> proc files now contain information about the D3cold power state, the deepest power-saving state for a PCIe device. The codec#<number> files now also contain additional power state information, specifically: reset status, clock stop ok, and power states error. The following is an example output:
Power: setting=D0, actual=D0, Error, Clock-stop-OK, Setting-reset
cgroup.procs
The cgroup.procs file is now writable. Writing a TGID into the cgroup.procs file of a cgroup moves that thread group into that cgroup.
sysfs_dirent
The last sysfs_dirent, which represents a single sysfs node, is now cached to improve scalability of the readdir function.
iov
The iov sysfs directory was added under the ib device. This directory is used to manage and examine the port P_Key and guid paravirtualization.
FDMI attributes
Fabric Device Management Interface (FDMI) attributes can now be exposed to the fcoe driver via the fc_host class object.
ltm_capable
The /sys/bus/usb/devices/<device>/ltm_capable file has been added to show whether a device supports Latency Tolerance Messaging (LTM). This file is present for both USB 2.0 and USB 3.0 devices.
fwdump_state
The /sys/class/net/eth<number>/device/fwdump_state file has been added to determine whether the firmware dump feature is enabled or disabled.
flags, registers
The Commands in Q item was added to the /sys/block/rssd<number>/registers file. This file's output was also re-formatted. Also, a new /sys/block/rssd<number>/flags file has been added. This read-only file dumps the flags in a port and driver data structure.
duplex
The /sys/class/net/eth<number>/duplex file now reports unknown when the NIC duplex state is DUPLEX_UNKNOWN.
Mountpoint Interface
A sysfs mountpoint interface was added to the perf tool.
TCP_USER_TIMEOUT
TCP_USER_TIMEOUT is a TCP level socket option that specifies the maximum amount of time (in milliseconds) that transmitted data may remain unacknowledged before TCP will forcefully close the corresponding connection and return ETIMEDOUT to the application. If the value 0 is specified, TCP will continue to use the system default.
IPPROTO_ICMP
The IPPROTO_ICMP socket option makes it possible to send ICMP_ECHO messages and receive the corresponding ICMP_ECHOREPLY messages without any special privileges.
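An added example, not taken from the Technical Notes: opening the ICMP datagram socket described above as socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) and sending one echo request without root privileges or a setuid binary. The helper names are hypothetical, and the EACCES handling assumes the upstream kernel behaviour in which the net.ipv4.ping_group_range sysctl decides which groups may create this socket.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <netinet/ip_icmp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

enum ping_result {
    PING_REPLY = 0,         /* matching ICMP_ECHOREPLY received */
    PING_NOT_PERMITTED = 1, /* socket() refused for this user or group */
    PING_UNSUPPORTED = 2,   /* no ICMP datagram sockets available here */
    PING_NO_REPLY = 3       /* bad address, send/receive error or timeout */
};

/* Build an ICMP echo request in buf; returns its length, or 0 if it does
 * not fit. The id and checksum fields stay zero because the kernel fills
 * both in for a datagram ICMP socket. */
size_t build_echo(unsigned char *buf, size_t cap, uint16_t seq,
                  const void *payload, size_t plen)
{
    struct icmphdr hdr;

    if (cap < sizeof(hdr) + plen)
        return 0;
    memset(&hdr, 0, sizeof(hdr));
    hdr.type = ICMP_ECHO;
    hdr.un.echo.sequence = htons(seq);
    memcpy(buf, &hdr, sizeof(hdr));
    memcpy(buf + sizeof(hdr), payload, plen);
    return sizeof(hdr) + plen;
}

/* Send one echo request to an IPv4 address and wait up to timeout_ms. */
int unprivileged_ping(const char *ipv4, int timeout_ms)
{
    unsigned char out[64], in[128];
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    struct sockaddr_in dst;
    struct icmphdr reply;
    const uint16_t seq = 1;
    int result = PING_NO_REPLY;
    size_t len;
    int fd;

    memset(&dst, 0, sizeof(dst));
    dst.sin_family = AF_INET;
    if (inet_pton(AF_INET, ipv4, &dst.sin_addr) != 1)
        return PING_NO_REPLY;

    /* SOCK_DGRAM, not SOCK_RAW: no CAP_NET_RAW is needed. */
    fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    if (fd < 0)
        return (errno == EACCES || errno == EPERM) ? PING_NOT_PERMITTED
                                                   : PING_UNSUPPORTED;

    len = build_echo(out, sizeof(out), seq, "rhel64", 6);
    if (len == 0 ||
        setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) != 0 ||
        sendto(fd, out, len, 0, (struct sockaddr *)&dst, sizeof(dst)) !=
            (ssize_t)len) {
        close(fd);
        return PING_NO_REPLY;
    }

    /* The socket delivers the ICMP header and payload, without an IP header. */
    ssize_t n = recv(fd, in, sizeof(in), 0);
    if (n >= (ssize_t)sizeof(reply)) {
        memcpy(&reply, in, sizeof(reply));
        if (reply.type == ICMP_ECHOREPLY &&
            ntohs(reply.un.echo.sequence) == seq)
            result = PING_REPLY;
    }
    close(fd);
    return result;
}

int main(void)
{
    static const char *const text[] = {
        "reply received", "not permitted for this group",
        "ICMP datagram sockets unavailable", "no reply"
    };
    printf("127.0.0.1: %s\n", text[unprivileged_ping("127.0.0.1", 500)]);
    return 0;
}
```

A "not permitted" result means the calling process's group is outside the range allowed to create ICMP datagram sockets, which is the control to review before removing the setuid bit from ping-style tools.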
Increased Default in ST_MAX_TAPES
In Red Hat Enterprise Linux 6.4, the number of supported tape drives has increased from 128 to 512.
Increased Number of Supported IOMMUs
The number of supported input/output memory management units (IOMMUs) has been increased to be the same as the number of I/O Advanced Programmable Interrupt Controllers (APICs; defined in MAX_IO_APICS).
New Module Parameters
The following list summarizes new command line arguments passed to various kernel modules. For more information about the majority of these module parameters, refer to the output of the modinfo <module> command, for example, modinfo bna.
  • New kvm module parameter:
    module_param(min_timer_period_us, uint, S_IRUGO | S_IWUSR);
    
    • min_timer_period_us — Do not allow the guest to program periodic timers with small interval, since the hrtimers are not throttled by the host scheduler, and allow tuning the interval with this parameter. The default value is 500us.
  • New kvm-intel module parameter:
    module_param_named(eptad, enable_ept_ad_bits, bool, S_IRUGO);
    • enable_ept_ad_bits — Parameter to control enabling/disabling A/D bits, if supported by CPU. The default value is enabled.
  • New ata_piix module parameter:
    module_param(prefer_ms_hyperv, int, 0);
    • prefer_ms_hyperv — On Hyper-V Hypervisors, the disks are exposed on both the emulated SATA controller and on the paravirtualized drivers. The CD/DVD devices are only exposed on the emulated controller. Request to ignore ATA devices on this host. The default value is enabled.
  • New drm module parameters:
    module_param_named(edid_fixup, edid_fixup, int, 0400);
    module_param_string(edid_firmware, edid_firmware, sizeof(edid_firmware), 0644);
    
    • edid_fixup — Minimum number of valid EDID header bytes (0-8). The default value is 6.
    • edid_firmware — Do not probe monitor, use specified EDID blob from built-in data or /lib/firmware instead.
  • New i915 module parameters:
    module_param_named(lvds_channel_mode, i915_lvds_channel_mode, int, 0600);
    module_param_named(i915_enable_ppgtt, i915_enable_ppgtt, int, 0600);
    module_param_named(invert_brightness, i915_panel_invert_brightness, int, 0600);
    
  • New nouveau module parameter:
    module_param_named(vram_type, nouveau_vram_type, charp, 0400);
  • New radeon module parameter:
    module_param_named(lockup_timeout, radeon_lockup_timeout, int, 0444);
  • New i2c-ismt module parameters:
    module_param(stop_on_error, uint, S_IRUGO);
    module_param(fair, uint, S_IRUGO);
    
  • New iw-cxgb4 module parameters:
    module_param(db_delay_usecs, int, 0644);
    module_param(db_fc_threshold, int, 0644);
    
  • New mlx4_ib module parameter:
    module_param_named(sm_guid_assign, mlx4_ib_sm_guid_assign, int, 0444);
  • New ib_qib module parameter:
    module_param_named(cc_table_size, qib_cc_table_size, uint, S_IRUGO);
  • New bna module parameter:
    module_param(bna_debugfs_enable, uint, S_IRUGO | S_IWUSR);
  • New cxgb4 module parameters:
    module_param(dbfifo_int_thresh, int, 0644);
    module_param(dbfifo_drain_delay, int, 0644);
  • New e1000e module parameter:
    module_param(debug, int, 0);
  • New igb module parameter:
    module_param(debug, int, 0);
  • New igbvf module parameter:
    module_param(debug, int, 0);
  • New ixgbe module parameter:
    module_param(debug, int, 0);
  • New ixgbevf module parameter:
    module_param(debug, int, 0);
  • New hv_netvsc module parameter:
    module_param(ring_size, int, S_IRUGO);
  • New mlx4_core module parameter:
    module_param(enable_64b_cqe_eqe, bool, 0444);
    • enable_64b_cqe_eqe — Enable 64 byte CQEs/EQEs when the firmware supports this.
  • New sfc module parameters:
    module_param(vf_max_tx_channels, uint, 0444);
    module_param(max_vfs, int, 0444);
  • New ath5k module parameter:
    module_param_named(no_hw_rfkill_switch, ath5k_modparam_no_hw_rfkill_switch, bool, S_IRUGO);
  • New iwlegacy module parameters:
    module_param(led_mode, int, S_IRUGO);
    module_param(bt_coex_active, bool, S_IRUGO);
    
  • New wlcore module parameter:
    module_param(no_recovery, bool, S_IRUSR | S_IWUSR);
    
  • New s390 scm_block module parameters:
    module_param(nr_requests, uint, S_IRUGO);
    module_param(write_cluster_size, uint, S_IRUGO);
    
  • New s390 zfcp module parameters:
    module_param_named(no_auto_port_rescan, no_auto_port_rescan, bool, 0600);
    module_param_named(datarouter, enable_multibuffer, bool, 0400);
    module_param_named(dif, enable_dif, bool, 0400);
    
  • New aacraid module parameters:
    module_param(aac_sync_mode, int, S_IRUGO|S_IWUSR);
    module_param(aac_convert_sgl, int, S_IRUGO|S_IWUSR);
    
  • New be2iscsi module parameter:
    module_param(beiscsi_##_name, uint, S_IRUGO);
  • New lpfc module parameter:
    module_param(lpfc_req_fw_upgrade, int, S_IRUGO|S_IWUSR);
  • New megaraid_sas module parameters:
    module_param(msix_vectors, int, S_IRUGO);
    module_param(throttlequeuedepth, int, S_IRUGO);
    module_param(resetwaittime, int, S_IRUGO);
    
  • New qla4xxx module parameters:
    module_param(ql4xqfulltracking, int, S_IRUGO | S_IWUSR);
    module_param(ql4xmdcapmask, int, S_IRUGO);
    module_param(ql4xenablemd, int, S_IRUGO | S_IWUSR);
    
  • New hv_storvsc module parameter:
    module_param(storvsc_ringbuffer_size, int, S_IRUGO);
  • New ehci-hcd driver parameter:
    module_param(io_watchdog_force, uint, S_IRUGO);
    • io_watchdog_force — Force I/O watchdog to be ON for all devices.
  • New ie6xx_wdt module parameters:
    module_param(timeout, uint, 0);
    module_param(nowayout, bool, 0);
    module_param(resetmode, byte, 0);
    
  • New snd-ua101 module parameter:
    module_param(queue_length, uint, 0644);
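
As an added example (not part of the Technical Notes or of any Red Hat tooling), the C program below reads the permission argument of module_param lines such as those listed above and reports how each parameter is exposed: a permission of 0 creates no file under /sys/module/<module>/parameters/, read-only bits make the value visible but fixed after load, and any write bit allows it to be changed at run time. The function and enum names are hypothetical; the sample lines in main() are copied from the list above.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum exposure { EXP_ERROR = -1, EXP_LOAD_ONLY, EXP_READ_ONLY, EXP_RUNTIME_WRITABLE };

/* Strip leading and trailing whitespace in place. */
static char *trim(char *s)
{
    char *end;

    while (isspace((unsigned char)*s))
        s++;
    end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1]))
        *--end = '\0';
    return s;
}

/* Copy [from, to) into dst and trim it; NULL if it does not fit. */
static char *slice(char *dst, size_t cap, const char *from, const char *to)
{
    size_t n = (size_t)(to - from);

    if (to < from || n >= cap)
        return NULL;
    memcpy(dst, from, n);
    dst[n] = '\0';
    return trim(dst);
}

/* Resolve a permission argument (octal literal or S_I* macros joined by
 * '|') to a mode. Only the macros used on this page are known. */
int perm_to_mode(const char *perm)
{
    char copy[64], *tok, *end;
    int mode = 0, tokens = 0;

    if (strlen(perm) >= sizeof(copy))
        return -1;
    strcpy(copy, perm);
    for (tok = strtok(copy, "|"); tok; tok = strtok(NULL, "|"), tokens++) {
        tok = trim(tok);
        if (!strcmp(tok, "S_IRUGO"))
            mode |= 0444;
        else if (!strcmp(tok, "S_IWUSR"))
            mode |= 0200;
        else if (!strcmp(tok, "S_IRUSR"))
            mode |= 0400;
        else {
            long v = strtol(tok, &end, 8);
            if (end == tok || *end || v < 0 || v > 0777)
                return -1;
            mode |= (int)v;
        }
    }
    return tokens ? mode : -1;
}

/* Parse one module_param*/
/* line: the first argument is the sysfs name and the last argument is
 * the permission. Stores the name and returns the exposure class. */
int classify_param(const char *line, char *name, size_t cap)
{
    char nbuf[64], pbuf[64], *n, *p;
    const char *open, *first, *last, *close;
    int mode;

    while (isspace((unsigned char)*line))
        line++;
    open = strchr(line, '(');
    first = open ? strchr(open, ',') : NULL;
    last = strrchr(line, ',');
    close = strrchr(line, ')');
    if (strncmp(line, "module_param", 12) != 0 || !first || !close || close < last)
        return EXP_ERROR;
    n = slice(nbuf, sizeof(nbuf), open + 1, first);
    p = slice(pbuf, sizeof(pbuf), last + 1, close);
    if (!n || !p || strlen(n) >= cap || (mode = perm_to_mode(p)) < 0)
        return EXP_ERROR;
    strcpy(name, n);
    if (mode == 0)
        return EXP_LOAD_ONLY;            /* no sysfs file at all */
    return (mode & 0222) ? EXP_RUNTIME_WRITABLE : EXP_READ_ONLY;
}

int main(void)
{
    static const char *const label[] = { "load-time only", "read-only", "writable at run time" };
    static const char *const lines[] = {   /* copied from the list above */
        "module_param(bna_debugfs_enable, uint, S_IRUGO | S_IWUSR);",
        "module_param_named(eptad, enable_ept_ad_bits, bool, S_IRUGO);",
        "module_param(prefer_ms_hyperv, int, 0);",
        "module_param_string(edid_firmware, edid_firmware, sizeof(edid_firmware), 0644);",
    };
    char name[64];

    for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        int e = classify_param(lines[i], name, sizeof(name));
        printf("%-20s %s\n", e < 0 ? "?" : name, e < 0 ? "parse error" : label[e]);
    }
    return 0;
}
```

Parameters reported as writable at run time are the ones to track in configuration monitoring, since their values can change after the module has been loaded.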
    

Chapter 2. Device Drivers

This chapter provides a comprehensive listing of all device drivers which were updated in Red Hat Enterprise Linux 6.4.

Storage Drivers

Network Drivers

Miscellaneous Drivers

Chapter 3. Technology Previews

This chapter provides a list of all available Technology Previews in Red Hat Enterprise Linux 6.4.
Technology Preview features are currently not supported under Red Hat Enterprise Linux subscription services, may not be functionally complete, and are generally not suitable for production use. However, these features are included as a customer convenience and to provide the feature with wider exposure.
Customers may find these features useful in a non-production environment. Customers are also free to provide feedback and functionality suggestions for a Technology Preview feature before it becomes fully supported. Errata will be provided for high-severity security issues.
During the development of a Technology Preview feature, additional components may become available to the public for testing. It is the intention of Red Hat clustering to fully support Technology Preview features in a future release.

3.1. Storage and File Systems

Cross Realm Kerberos Trust Functionality for samba4 Libraries
The Cross Realm Kerberos Trust functionality provided by Identity Management, which relies on the capabilities of the samba4 client library, is included as a Technology Preview starting with Red Hat Enterprise Linux 6.4. This functionality uses the libndr-nbt library to prepare Connection-less Lightweight Directory Access Protocol (CLDAP) messages.
Package: samba-3.6.9-151
LVM support for (non-clustered) thinly-provisioned snapshots
A new implementation of LVM copy-on-write (cow) snapshots is available as a Technology Preview. The main advantage of this implementation, compared to the previous implementation of snapshots, is that it allows many virtual devices to be stored on the same data volume. This implementation also provides support for arbitrary depth of recursive snapshots (snapshots of snapshots of snapshots …).
This feature is for use on a single system. It is not available for multi-system access in cluster environments.
For more information, refer to the documentation of the -s/--snapshot option in the lvcreate man page.
Package: lvm2-2.02.98-9
LVM support for (non-clustered) thinly-provisioned LVs
Logical Volumes (LVs) can now be thinly provisioned to manage a storage pool of free space to be allocated to an arbitrary number of devices when needed by applications. This allows creation of devices that can be bound to a thinly provisioned pool for late allocation when an application actually writes to the pool. The thinly-provisioned pool can be expanded dynamically if and when needed for cost-effective allocation of storage space. In Red Hat Enterprise Linux 6, this feature is introduced as a Technology Preview. You must have the device-mapper-persistent-data package installed to try out this feature. For more information, refer to the lvcreate(8) man page.
Package: lvm2-2.02.98-9
Dynamic aggregation of LVM metadata via lvmetad
Most LVM commands require an accurate view of the LVM metadata stored on the disk devices on the system. With the current LVM design, if this information is not available, LVM must scan all the physical disk devices in the system. This requires a significant amount of I/O operations in systems that have a large number of disks.
The purpose of the lvmetad daemon is to eliminate the need for this scanning by dynamically aggregating metadata information each time the status of a device changes. These events are signaled to lvmetad by udev rules. If lvmetad is not running, LVM performs a scan as it normally would.
This feature is provided as a Technology Preview and is disabled by default in Red Hat Enterprise Linux 6. To enable it, refer to the use_lvmetad parameter in the /etc/lvm/lvm.conf file, and enable the lvmetad daemon by configuring the lvm2-lvmetad init script.
Package: lvm2-2.02.98-9
Open multicast ping (Omping), BZ#657370
Open Multicast Ping (Omping) is a tool to test the IP multicast functionality, primarily in the local network. This utility allows users to test IP multicast functionality and assists in diagnosing whether an issue is in the network configuration or elsewhere (that is, a bug). In Red Hat Enterprise Linux 6, Omping is provided as a Technology Preview.
Package: omping-0.0.4-1
System Information Gatherer and Reporter (SIGAR)
The System Information Gatherer and Reporter (SIGAR) is a library and command-line tool for accessing operating system and hardware level information across multiple platforms and programming languages. In Red Hat Enterprise Linux 6.4, SIGAR is considered a Technology Preview package.
Package: sigar-1.6.5-0.4.git58097d9
fsfreeze
Red Hat Enterprise Linux 6 includes fsfreeze as a Technology Preview. fsfreeze is a new command that halts access to a file system on a disk. fsfreeze is designed to be used with hardware RAID devices, assisting in the creation of volume snapshots. For more details on the fsfreeze utility, refer to the fsfreeze(8) man page.
Package: util-linux-ng-2.17.2-12.9
DIF/DIX support
DIF/DIX is a new addition to the SCSI Standard and a Technology Preview in Red Hat Enterprise Linux 6. DIF/DIX increases the size of the commonly used 512-byte disk block from 512 to 520 bytes, adding the Data Integrity Field (DIF). The DIF stores a checksum value for the data block that is calculated by the Host Bus Adapter (HBA) when a write occurs. The storage device then confirms the checksum on receive, and stores both the data and the checksum. Conversely, when a read occurs, the checksum can be checked by the storage device, and by the receiving HBA.
The DIF/DIX hardware checksum feature must only be used with applications that exclusively issue O_DIRECT I/O. These applications may use the raw block device, or the XFS file system in O_DIRECT mode. (XFS is the only file system that does not fall back to buffered I/O when doing certain allocation operations.) Only applications designed for use with O_DIRECT I/O and DIF/DIX hardware should enable this feature.
For more information, refer to section Block Devices with DIF/DIX Enabled in the Storage Administration Guide.
Package: kernel-2.6.32-358
Filesystem in user space
Filesystem in Userspace (FUSE) allows for custom file systems to be developed and run in user space.
Package: fuse-2.8.3-4
Btrfs, BZ#614121
Btrfs is under development as a file system capable of addressing and managing more files, larger files, and larger volumes than the ext2, ext3, and ext4 file systems. Btrfs is designed to make the file system tolerant of errors, and to facilitate the detection and repair of errors when they occur. It uses checksums to ensure the validity of data and metadata, and maintains snapshots of the file system that can be used for backup or repair. The Btrfs Technology Preview is only available on AMD64 and Intel 64 architectures.

Btrfs is still experimental

Red Hat Enterprise Linux 6 includes Btrfs as a technology preview to allow you to experiment with this file system. You should not choose Btrfs for partitions that will contain valuable data or that are essential for the operation of important systems.
Package: btrfs-progs-0.20-0.2.git91d9eec
LVM Application Programming Interface (API)
Red Hat Enterprise Linux 6 features the new LVM application programming interface (API) as a Technology Preview. This API is used to query and control certain aspects of LVM.
Package: lvm2-2.02.98-9
FS-Cache
FS-Cache in Red Hat Enterprise Linux 6 enables networked file systems (for example, NFS) to have a persistent cache of data on the client machine.
Package: cachefilesd-0.10.2-1

3.2. Networking

linuxptp
The linuxptp package, included in Red Hat Enterprise Linux 6.4 as a Technology Preview, is an implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux. The dual design goals are to provide a robust implementation of the standard and to use the most relevant and modern Application Programming Interfaces (API) offered by the Linux kernel. Supporting legacy APIs and other platforms is not a goal.
Package: linuxptp-0-0.6.20121114gite6bbbb
PTP support in kernel drivers
PTP support has been added as a technology preview to the ixgbe, igb, and tg3 kernel drivers.
Packages: kernel-2.6.32-335
QFQ queuing discipline
In Red Hat Enterprise Linux 6, the tc utility has been updated to work with the Quick Fair Scheduler (QFQ) kernel features. Users can now take advantage of the new QFQ traffic queuing discipline from userspace. This feature is considered a Technology Preview.
Package: kernel-2.6.32-358
vios-proxy, BZ#721119
vios-proxy is a stream-socket proxy for providing connectivity between a client on a virtual guest and a server on a Hypervisor host. Communication occurs over virtio-serial links.
Package: vios-proxy-0.1-1
IPv6 support in IPVS
The IPv6 support in IPVS (IP Virtual Server) is considered a Technology Preview.
Package: kernel-2.6.32-358

3.3. Clustering and High Availability

pcs
The pcs package has been added to Red Hat Enterprise Linux 6 as a Technology Preview. This package provides a command-line tool to configure and manage the corosync and pacemaker utilities.
Package: pcs-0.9.26-10
luci support for fence_sanlock
The luci tool now supports the Sanlock fence agent as a Technology Preview, which is available in luci's list of agents.
Package: luci-0.26.0-37
Recovering a node via a hardware watchdog device
The new fence_sanlock agent and checkquorum.wdmd, included in Red Hat Enterprise Linux 6.4 as a Technology Preview, provide new mechanisms to trigger the recovery of a node via a hardware watchdog device. Tutorials on how to enable this Technology Preview will be available at https://fedorahosted.org/cluster/wiki/HomePage
Note that SELinux in enforcing mode is currently not supported.
Package: cluster-3.0.12.1-49
keepalived
Red Hat Enterprise Linux 6.4 includes the keepalived package as a Technology Preview. The keepalived package provides simple and robust facilities for load-balancing and high-availability. The load-balancing framework relies on the well-known and widely used Linux Virtual Server kernel module providing Layer4 network load-balancing. The keepalived daemon implements a set of health checkers to load-balanced server pools according to their state. The keepalived daemon also implements the Virtual Router Redundancy Protocol (VRRP), allowing router or director failover to achieve high availability.
Package: keepalived-1.2.7-3
HAProxy
HAProxy is a stand-alone, layer-7, high-performance network load balancer for TCP and HTTP-based applications which can perform various types of scheduling based on the content of the HTTP requests. Red Hat Enterprise Linux 6.4 introduces the haproxy package as a Technology Preview.
Package: haproxy-1.4.22-3
Utilizing CPG API for inter-node locking
Rgmanager includes a feature which enables it to utilize Corosync's Closed Process Group (CPG) API for inter-node locking. This feature is automatically enabled when Corosync's RRP feature is enabled. Corosync's RRP feature is considered fully supported. However, when used with the rest of the High-Availability Add-Ons, it is considered a Technology Preview.
Package: rgmanager-3.0.12.1-17
Support for redundant ring for standalone Corosync, BZ#722469
Red Hat Enterprise Linux 6 includes support for redundant ring with autorecovery feature as a Technology Preview. Refer to Section 4.7, “Clustering” for a list of known issues associated with this Technology Preview.
Package: corosync-1.4.1-15
corosync-cpgtool, BZ#688260
The corosync-cpgtool now specifies both interfaces in a dual ring configuration. This feature is a Technology Preview.
Package: corosync-1.4.1-15
Disabling rgmanager in /etc/cluster.conf, BZ#723925
As a consequence of converting the /etc/cluster.conf configuration file to be used by pacemaker, rgmanager must be disabled. The risk of not doing this is high; after a successful conversion, it would be possible to start rgmanager and pacemaker on the same host, managing the same resources.
Consequently, Red Hat Enterprise Linux 6 includes a feature (as a Technology Preview) that forces the following requirements:
  • rgmanager must refuse to start if it sees the <rm disabled="1"> flag in /etc/cluster.conf.
  • rgmanager must stop any resources and exit if the <rm disabled="1"> flag appears in /etc/cluster.conf during a reconfiguration.
Package: rgmanager-3.0.12.1-17
libqb package
The libqb package provides a library with the primary purpose of providing high performance client server reusable features, such as high performance logging, tracing, inter-process communication, and polling. This package is introduced as a dependency of the pacemaker package, and is considered a Technology Preview.
Package: libqb-0.14.2-3
pacemaker, BZ#456895
Pacemaker, a scalable high-availability cluster resource manager, is included in Red Hat Enterprise Linux 6 as a Technology Preview. Pacemaker is not fully integrated with the Red Hat cluster stack.
Package: pacemaker-1.1.8-7

3.4. Authentication

Simultaneous maintaining of TGTs for multiple KDCs
Kerberos version 1.10 added a new cache storage type, DIR:, which allows Kerberos to maintain Ticket Granting Tickets (TGTs) for multiple Key Distribution Centers (KDCs) simultaneously and auto-select between them when negotiating with Kerberized resources. In Red Hat Enterprise Linux 6.4, SSSD has been enhanced to allow you to select the DIR: cache for users that are logging in via SSSD. This feature is introduced as a Technology Preview.
Package: sssd-1.9.2-82

3.5. Security

TPM
TPM (Trusted Platform Module) hardware can create, store and use RSA keys securely (without ever being exposed in memory), verify a platform's software state using cryptographic hashes and more. The trousers and tpm-tools packages are considered a Technology Preview.
Packages: trousers-0.3.4-4, tpm-tools-1.3.4-2

3.6. Devices

SR-IOV on the be2net driver, BZ#602451
The SR-IOV functionality of the Emulex be2net driver is considered a Technology Preview. You must meet the following requirements to use the latest version of SR-IOV support:
  • You must run the latest Emulex firmware (revision 4.1.417.0 or later).
  • The server system BIOS must support the SR-IOV functionality and have virtualization support for Direct I/O VT-d.
  • You must use the GA version of Red Hat Enterprise Linux 6.4.
SR-IOV runs on all Emulex-branded and OEM variants of BE3-based hardware, which all require the be2net driver software.
Package: kernel-2.6.32-358
iSCSI and FCoE boot
iSCSI and FCoE boot support on Broadcom devices is not included in Red Hat Enterprise Linux 6.4. These two features, which are provided by the bnx2i and bnx2fc Broadcom drivers, remain a Technology Preview until further notice.
Package: kernel-2.6.32-358
mpt2sas lockless mode
The mpt2sas driver is fully supported. However, when used in the lockless mode, the driver is a Technology Preview.
Package: kernel-2.6.32-358

3.7. Kernel

Thin-provisioning and scalable snapshot capabilities
The dm-thinp targets, thin and thin-pool, provide a device mapper device with thin-provisioning and scalable snapshot capabilities. This feature is available as a Technology Preview.
Package: kernel-2.6.32-358
Kernel Media support
The following features are presented as Technology Previews:
  • The latest upstream video4linux
  • Digital video broadcasting
  • Primarily infrared remote control device support
  • Various webcam support fixes and improvements
Package: kernel-2.6.32-358
Remote audit logging
The audit package contains the user space utilities for storing and searching the audit records generated by the audit subsystem in the Linux 2.6 kernel. Within the audispd-plugins sub-package is a utility that allows for the transmission of audit events to a remote aggregating machine. This remote audit logging application, audisp-remote, is considered a Technology Preview in Red Hat Enterprise Linux 6.
Package: audispd-plugins-2.2-2
Linux (NameSpace) Container [LXC]
Linux containers provide a flexible approach to application runtime containment on bare-metal systems without the need to fully virtualize the workload. Red Hat Enterprise Linux 6 provides application level containers to separate and control the application resource usage policies via cgroups and namespaces. This release includes basic management of container life-cycle by allowing creation, editing and deletion of containers via the libvirt API and the virt-manager GUI. Linux Containers are a Technology Preview.
Packages: libvirt-0.9.10-21, virt-manager-0.9.0-14
Diagnostic pulse for the fence_ipmilan agent, BZ#655764
A diagnostic pulse can now be issued on the IPMI interface using the fence_ipmilan agent. This new Technology Preview is used to force a kernel dump of a host if the host is configured to do so. Note that this feature is not a substitute for the off operation in a production cluster.
Package: fence-agents-3.1.5-25

3.8. Virtualization

Performance monitoring in KVM guests, BZ#645365
KVM can now virtualize a performance monitoring unit (vPMU) to allow virtual machines to use performance monitoring. Note that the -cpu flag must be set when using this feature.
With this feature, Red Hat virtualization customers running Red Hat Enterprise Linux 6 guests can use the CPU's PMU counter while using the performance tool for profiling. The virtual performance monitoring unit feature allows virtual machine users to identify sources of performance problems in their guests, thereby improving the ability to profile a KVM guest from the host.
This feature is a Technology Preview in Red Hat Enterprise Linux 6.4.
Package: kernel-2.6.32-358
Dynamic virtual CPU allocation
KVM now supports dynamic virtual CPU allocation, also called vCPU hot plug, to dynamically manage capacity and react to unexpected load increases on their platforms during off-peak hours.
The virtual CPU hot-plugging feature gives system administrators the ability to dynamically adjust CPU resources in a guest. Because a guest no longer has to be taken offline to adjust the CPU resources, the availability of the guest is increased.
This feature is a Technology Preview in Red Hat Enterprise Linux 6.4. Currently, only the vCPU hot-add functionality works. The vCPU hot-unplug feature is not yet implemented.
Package: qemu-kvm-0.12.1.2-2.355
System monitoring via SNMP, BZ#642556
This feature provides KVM support for stable technology that is already used in data center with bare metal systems. SNMP is the standard for monitoring and is extremely well understood as well as computationally efficient. System monitoring via SNMP in Red Hat Enterprise Linux 6 allows the KVM hosts to send SNMP traps on events so that hypervisor events can be communicated to the user via standard SNMP protocol. This feature is provided through the addition of a new package: libvirt-snmp. This feature is a Technology Preview.
Package: libvirt-snmp-0.0.2-3
Wire speed requirement in KVM network drivers
Virtualization and cloud products that run networking workloads need to run at wire speeds. Up until Red Hat Enterprise Linux 6.1, the only way to reach wire speed on a 10 GB Ethernet NIC with a lower CPU utilization was to use PCI device assignment (passthrough), which limits other features like memory overcommit and guest migration.
The macvtap/vhost zero-copy capabilities allow the user to use those features when high performance is required. This feature improves performance for any Red Hat Enterprise Linux 6.x guest in the VEPA use case. This feature is introduced as a Technology Preview.
Package: qemu-kvm-0.12.1.2-2.355

3.9. Resource Management

numad package
The numad package provides a daemon for NUMA (Non-Uniform Memory Architecture) systems that monitors NUMA characteristics. As an alternative to manual static CPU pinning and memory assignment, numad provides dynamic adjustment to minimize memory latency on an ongoing basis. The package also provides an interface that can be used to query the numad daemon for the best manual placement of an application. The numad package is considered a Technology Preview.
Package: numad-0.5-8.20121015git

Chapter 4. Known Issues

4.1. Installation
4.2. Entitlement
4.3. Deployment
4.4. Virtualization
4.5. Storage and File Systems
4.6. Networking
4.7. Clustering
4.8. Authentication
4.9. Devices
4.10. Kernel
4.11. Desktop
4.12. Tools

4.1. Installation

anaconda component, BZ#895982
Physical-extents size less than 32MB on top of an MD physical volume leads to problems with calculating the capacity of a volume group. To work around this problem, use a physical-extent size of 32MB or leave space double the physical-extent size free when allocating logical volumes. Another option is to change the default 4MB size of a physical extent to 32MB.
anaconda component, BZ#875644
After upgrading the system using kickstart, IBM System z machines halt instead of rebooting, despite the instruction to reboot. To work around this problem, boot the system manually.
anaconda component
Setting the qla4xxx parameter ql4xdisablesysfsboot to 1 may cause boot from SAN failures.
anaconda component
To automatically create an appropriate partition table on disks that are uninitialized or contain unrecognized formatting, use the zerombr kickstart command. The --initlabel option of the clearpart command is not intended to serve this purpose.
anaconda component, BZ#676025
Users performing an upgrade using Anaconda's text mode interface who do not have a boot loader already installed on the system, or who have a non-GRUB boot loader, need to select Skip Boot Loader Configuration during the installation process. Boot loader configuration will need to be completed manually after installation. This problem does not affect users running Anaconda in the graphical mode (graphical mode also includes VNC connectivity mode).
anaconda component
On s390x systems, you cannot use automatic partitioning and encryption. If you want to use storage encryption, you must perform custom partitioning. Do not place the /boot volume on an encrypted volume.
anaconda component
The order of device names assigned to USB attached storage devices is not guaranteed. Certain USB attached storage devices may take longer to initialize than others, which can result in the device receiving a different name than you expect (for example, sdc instead of sda).
During installation, verify the storage device size, name, and type when configuring partitions and file systems.
kernel component
Recent Red Hat Enterprise Linux 6 releases use a new naming scheme for network interfaces on some machines. As a result, the installer may use different names during an upgrade in certain scenarios (typically em1 is used instead of eth0 on new Dell machines). However, the previously used network interface names are preserved on the system and the upgraded system will still use the previously used interfaces. This is not the case for Yum upgrades.
anaconda component
The kdump default on feature currently depends on Anaconda to insert the crashkernel= parameter to the kernel parameter list in the boot loader's configuration file.
firstaidkit component
The firstaidkit-plugin-grub package has been removed from Red Hat Enterprise Linux 6.2. As a consequence, in rare cases, the system upgrade operation may fail with unresolved dependencies if the plug-in has been installed in a previous version of Red Hat Enterprise Linux. To avoid this problem, the firstaidkit-plugin-grub package should be removed before upgrading the system. However, in most cases, the system upgrade completes as expected.
anaconda component, BZ#623261
In some circumstances, disks that contain a whole disk format (for example, an LVM Physical Volume populating a whole disk) are not cleared correctly using the clearpart --initlabel kickstart command. Adding the --all switch—as in clearpart --initlabel --all—ensures disks are cleared correctly.
anaconda component
When installing on the IBM System z architecture, if the installation is being performed over SSH, avoid resizing the terminal window containing the SSH session. If the terminal window is resized during the installation, the installer will exit and the installation will terminate.
yaboot component, BZ#613929
The kernel image provided on the CD/DVD is too large for Open Firmware. Consequently, on the POWER architecture, directly booting the kernel image over a network from the CD/DVD is not possible. Instead, use yaboot to boot from a network.
anaconda component
The Anaconda partition editing interface includes a button labeled Resize. This feature is intended for users wishing to shrink an existing file system and an underlying volume to make room for an installation of a new system. Users performing manual partitioning cannot use the Resize button to change sizes of partitions as they create them. If you determine a partition needs to be larger than you initially created it, you must delete the first one in the partitioning editor and create a new one with the larger size.
system-config-kickstart component
Channel IDs (read, write, data) for network devices are required for defining and configuring network devices on IBM S/390 systems. However, system-config-kickstart—the graphical user interface for generating a kickstart configuration—cannot define channel IDs for a network device. To work around this issue, manually edit the kickstart configuration that system-config-kickstart generates to include the desired network devices.

4.2. Entitlement

subscription-manager component
When firstboot is running in text mode, the user can only register via Red Hat Network Register, not with subscription-manager. Both are available in GUI mode.
subscription-manager component
If multiple repositories are enabled, subscription-manager installs product certificates from all repositories instead of installing the product certificate only from the repository from which the RPM package was installed.
subscription-manager component
firstboot fails to provide Red Hat Network registration to a virtual machine in a NAT-based network; for example, in the libvirt environment. Note that this problem only occurs during the first boot after installation. If you run firstboot manually later, the registration finishes successfully.

4.3. Deployment

389-ds-base component, BZ#878111
The ns-slapd utility terminates unexpectedly if it cannot rename the dirsrv-<instance> log files in the /var/log/ directory due to incorrect permissions on the directory.
cpuspeed component, BZ#626893
Some HP Proliant servers may report incorrect CPU frequency values in /proc/cpuinfo or /sys/device/system/cpu/*/cpufreq. This is due to the firmware manipulating the CPU frequency without providing any notification to the operating system. To avoid this, ensure that the HP Power Regulator option in the BIOS is set to OS Control. An alternative available on more recent systems is to set Collaborative Power Control to Enabled.
releng component, BZ#644778
Some packages in the Optional repositories on RHN have multilib file conflicts. Consequently, these packages cannot have both the primary architecture (for example, x86_64) and secondary architecture (for example, i686) copies of the package installed on the same machine simultaneously. To work around this issue, install only one copy of the conflicting package.
grub component, BZ#695951
On certain UEFI-based systems, you may need to type BOOTX64 rather than bootx64 to boot the installer due to case sensitivity issues.
grub component, BZ#698708
When rebuilding the grub package on the x86_64 architecture, the glibc-static.i686 package must be used. Using the glibc-static.x86_64 package will not meet the build requirements.

4.4. Virtualization

kernel component
In Red Hat Enterprise Linux 6.4, if Large Receive Offload (LRO) is enabled with the macvtap driver, a kernel panic can occur on the host machine. This problem was observed on machines using Broadcom, QLogic and Intel cards. To work around the problem, disable LRO by running ethtool -K <interface> large-receive-offload off, where <interface> is a placeholder for the affected network device.
kernel component
There is a known issue with the Microsoft Hyper-V host. If a legacy network interface controller (NIC) is used on a multiple-CPU virtual machine, there is an interrupt problem in the emulated hardware when the IRQ balancing daemon is running. Call trace information is logged in the /var/log/messages file.
libvirt component, BZ#888635
Under certain circumstances, virtual machines try to boot from an incorrect device after a network boot failure. For more information, please refer to this article on Customer Portal.
qemu-kvm component, BZ#894277
"Fast startup" used in Microsoft Windows 8 is not fully compatible with qemu-kvm in Red Hat Enterprise Linux 6. Windows 8 can therefore fail to boot the second time after its shutdown. To ensure successful boot of Windows 8 inside qemu-kvm, disable Windows 8 "fast startup" in System Settings.
numad component, BZ#872524
If numad is run on a system with a task that has very large resident memory (>= 50% total system memory), then the numad-initiated NUMA page migrations for that task can cause swapping. The swapping can then induce long latencies for the system. An example is running a 256GB Microsoft Windows KVM Virtual Machine on a 512GB host. The Windows guest will fault in all pages on boot in order to zero them. On a four node system, numad will detect that a 256GB task can fit in a subset of two or three nodes, and then attempt to migrate it to that subset. Swapping can then occur and lead to latencies. These latencies may then cause the Windows guest to hang, as timing requirements are no longer met. Therefore, on a system with only one or two very large Windows machines, it is recommended to disable numad.
Note that this problem is specific to Windows 2012 guests that use more memory than exists in a single node. Windows 2012 guests appear to allocate memory more gradually than other Windows guest types, which triggers the issue. Other varieties of Windows guests do not seem to experience this problem. You can work around this problem by:
  • limiting Windows 2012 guests to less memory than exists in a given node -- so on a typical 4 node system with even memory distribution, the guest would need to be less than the total amount of system memory divided by 4; or
  • allowing the Windows 2012 guests to finish allocating all of its memory before allowing numad to run. numad will handle extremely huge Windows 2012 guests correctly after allowing a few minutes for the guest to finish allocating all of its memory.
grubby component, BZ#893390
When a Red Hat Enterprise Linux 6.4 guest updates the kernel and then the guest is turned off through Microsoft Hyper-V Manager, the guest fails to boot due to incomplete grub information. This is because the data is not synced properly to disk when the machine is turned off through Hyper-V Manager. To work around this problem, execute the sync command before turning the guest off.
kernel component
Using the mouse scroll wheel does not work on Red Hat Enterprise Linux 6.4 guests that run under Microsoft Hyper-V Manager installed on a physical machine. However, the scroll wheel works as expected when the vncviewer utility is used.
kernel component, BZ#874406
Microsoft Windows Server 2012 guests using the e1000 driver can become unresponsive consuming 100% CPU during reboot.
kernel component
When a kernel panic is triggered on a Microsoft Hyper-V guest, the kdump utility does not capture the kernel error information; an error is only displayed on the command line.
kernel component
Due to a bug in Microsoft Hyper-V Server 2008 R2, attempting to remove and then reload the hv_utils module on a Hyper-V guest running Red Hat Enterprise Linux 6.4 will cause a shutdown and the heartbeat service to not work. To work around this issue, upgrade the host system to Microsoft Hyper-V Server 2012.
qemu-kvm component, BZ#871265
AMD Opteron G1, G2 or G3 CPU models on qemu-kvm use the family and model values as follows: family=15 and model=6. If these values are larger than 20, the lahf_lm CPU feature is ignored by Linux guests, even when the feature is enabled. To work around this problem, use a different CPU model, for example AMD Opteron G4.
qemu-kvm component, BZ#860929
KVM guests must not be allowed to update the host CPU microcode. KVM does not allow this and instead always returns the same microcode revision or patch level value to the guest. If the guest tries to update the CPU microcode, it will fail and show an error message similar to:
CPU0: update failed (for patch_level=0x6000624)
To work around this, configure the guest to not install CPU microcode updates; for example, uninstall the microcode_ctl package on Red Hat Enterprise Linux or Fedora guests.
virt-p2v component, BZ#816930
Converting a physical server running either Red Hat Enterprise Linux 4 or Red Hat Enterprise Linux 5 which has its file system root on an MD device is not supported. Converting such a guest results in a guest which fails to boot. Note that conversion of a Red Hat Enterprise Linux 6 server which has its root on an MD device is supported.
virt-p2v component, BZ#808820
When converting a physical host with a multipath storage, Virt-P2V presents all available paths for conversion. Only a single path must be selected. This must be a currently active path.
virtio-win component, BZ#615928
The balloon service on Windows 7 guests can only be started by the Administrator user.
libvirt component, BZ#622649
libvirt uses transient iptables rules for managing NAT or bridging to virtual machine guests. Any external command that reloads the iptables state (such as running system-config-firewall) will overwrite the entries needed by libvirt. Consequently, after running any command or tool that changes the state of iptables, guests may lose access to the network. To work around this issue, use the service libvirtd reload command to restore libvirt's additional iptables rules.
virtio-win component, BZ#612801
A Windows virtual machine must be restarted after the installation of the kernel Windows driver framework. If the virtual machine is not restarted, it may crash when a memory balloon operation is performed.
qemu-kvm component, BZ#720597
Installation of Windows 7 Ultimate x86 (32-bit) Service Pack 1 on a guest with more than 4GB of RAM and more than one CPU from a DVD medium often crashes during the final steps of the installation process due to a system hang. To work around this issue, use the Windows Update utility to install the Service Pack.
qemu-kvm component, BZ#612788
A dual function Intel 82576 Gigabit Ethernet Controller interface (codename: Kawela, PCI Vendor/Device ID: 8086:10c9) cannot have both physical functions (PF's) device-assigned to a Windows 2008 guest. Either physical function can be device assigned to a Windows 2008 guest (PCI function 0 or function 1), but not both.
virt-v2v component, BZ#618091
The virt-v2v utility is able to convert guests running on an ESX server. However, if an ESX guest has a disk with a snapshot, the snapshot must be on the same datastore as the underlying disk storage. If the snapshot and the underlying storage are on different datastores, virt-v2v will report a 404 error while trying to retrieve the storage.
virt-v2v component, BZ#678232
The VMware Tools application on Microsoft Windows is unable to disable itself when it detects that it is no longer running on a VMware platform. Consequently, converting a Microsoft Windows guest from VMware ESX, which has VMware Tools installed, will result in errors. These errors usually manifest as error messages on start-up, and a "Stop Error" (also known as a BSOD) when shutting down the guest. To work around this issue, uninstall VMware Tools on Microsoft Windows guests prior to conversion.

4.5. Storage and File Systems

kernel component
Storage that reports a discard_granularity that is not a power of two will cause the kernel to improperly issue discard requests to the underlying storage. This results in I/O errors associated with the failed discard requests. To work around the problem, if possible, do not upgrade to newer vendor storage firmware that reports discard_granularity that is not a power of two.
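A way to find affected devices before and after a storage firmware change, as an added example that is not part of the original notes or of any Red Hat tool. It assumes the block layer's queue/discard_granularity sysfs attribute; the function name and the SYSFS_ROOT variable are hypothetical.

```shell
#!/bin/sh
# Added example: list block devices whose discard_granularity is not a
# power of two. The first argument is the sysfs root (assumption: /sys),
# so the function can also be pointed at a copied or constructed tree.

non_pow2_discard_devices() {
    sysfs_root=${1:-/sys}
    for f in "$sysfs_root"/block/*/queue/discard_granularity; do
        [ -r "$f" ] || continue
        g=$(cat "$f" 2>/dev/null) || continue
        case $g in
            ''|*[!0-9]*) continue ;;    # not a plain decimal number
        esac
        # 0 means the device does not advertise discard support at all.
        # For g > 0, g is a power of two exactly when g & (g - 1) is 0.
        if [ "$g" -ne 0 ] && [ $(( g & (g - 1) )) -ne 0 ]; then
            dev=${f%/queue/discard_granularity}
            echo "${dev##*/} $g"
        fi
    done
    return 0
}

# Read-only report for the running system: one "<device> <granularity>"
# line per affected device, no output when every device is fine.
non_pow2_discard_devices "${SYSFS_ROOT:-/sys}" || true
```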
parted component
Users might be unable to access a partition created by parted. To work around this problem, reboot the machine.
lvm2 component, BZ#852812
When filling a thin pool to 100% by writing to thin volume device, access to all thin volumes using this thin pool can be blocked. To prevent this, try not to overfill the pool. If the pool is overfilled and this error occurs, extend the thin pool with new space to continue using the pool.
dracut component
The Qlogic QLA2xxx driver can miss some paths after booting from Storage Area Network (SAN). To work around this problem, run the following commands:
echo "options qla2xxx ql2xasynclogin=0" > /etc/modprobe.d/qla2xxx.conf
mkinitrd  /boot/initramfs-`uname -r`.img `uname -r` --force
lvm2 component, BZ#903411
Activating a logical volume can fail if the --thinpool and --discards options are specified on logical-volume creation. To work around this problem, manually deactivate all thin volumes related to the changed thin pool prior to running the lvchange command.
kernel component
Unloading the nfs module can cause the system to terminate unexpectedly if the fsx utility was run with NFSv4.1 before.
kernel component
Due to a bug in the CIFS mount code, it is not possible to unmount Distributed File System (DFS) shares in Red Hat Enterprise Linux 6.4.
device-mapper-multipath component
When the multipathd service is not running, failed devices will not be restored. However, the multipath command gives no indication that multipathd is not running. Users can unknowingly set up multipath devices without starting the multipathd service, keeping failed paths from automatically getting restored. Make sure to start multipathing by
  • either running:
    ~]# mpathconf --enable
    ~]# service multipathd start
    
  • or:
    ~]# chkconfig multipathd on
    ~]# service multipathd start
    
multipathd will automatically start on boot, and multipath devices will automatically restore failed paths.
lvm2 component, BZ#837603
When the administrator disables use of the lvmetad daemon in the lvm.conf file, but the daemon is still running, the cached metadata are remembered until the daemon is restarted. However, if the use_lvmetad parameter in lvm.conf is reset to 1 without an intervening lvmetad restart, the cached metadata can be incorrect. Consequently, VG metadata can be overwritten with previous versions. To work around this problem, stop the lvmetad daemon manually when disabling use_lvmetad in lvm.conf. The daemon can only be restarted after use_lvmetad has been set to 1. To recover from an out-of-sync lvmetad cache, execute the pvscan --cache command or restart lvmetad. To restore metadata to correct versions, use vgcfgrestore with a corresponding file in /etc/lvm/archive.
lvm2 component, BZ#563927
Due to the limitations of the LVM 'mirror' segment type, it is possible to encounter a deadlock situation when snapshots are created of mirrors. The deadlock can occur if snapshot changes (e.g. creation, resizing or removing) happen at the same time as a mirror device failure. In this case, the mirror blocks I/O until LVM can respond to the failure, but the snapshot is holding the LVM lock while trying to read the mirror.
If the user wishes to use mirroring and take snapshots of those mirrors, then it is recommended to use the 'raid1' segment type for the mirrored logical volume instead. This can be done by adding the additional arguments '--type raid1' to the command that creates the mirrored logical volume, as follows:
~]$ lvcreate --type raid1 -m 1 -L 1G -n my_mirror my_vg
kernel component, BZ#606260
The NFSv4 server in Red Hat Enterprise Linux 6 currently allows clients to mount using UDP and advertises NFSv4 over UDP with rpcbind. However, this configuration is not supported by Red Hat and violates the RFC 3530 standard.
lvm2 component
The pvmove command cannot currently be used to move mirror devices. However, it is possible to move mirror devices by issuing a sequence of two commands. For mirror images, add a new image on the destination PV and then remove the mirror image on the source PV:
~]$ lvconvert -m +1 <vg/lv> <new PV>
~]$ lvconvert -m -1 <vg/lv> <old PV>
Mirror logs can be handled in a similar fashion:
~]$ lvconvert --mirrorlog core <vg/lv>
~]$ lvconvert --mirrorlog disk <vg/lv> <new PV>
or
~]$ lvconvert --mirrorlog mirrored <vg/lv> <new PV>
~]$ lvconvert --mirrorlog disk <vg/lv> <old PV>

4.6. Networking

kernel component
Destroying the root port before any NPIV ports can cause unexpected system behavior, including a full system crash. Note that one instance where the root port is destroyed before the NPIV ports is when the system is shut down. To work around this problem, destroy NPIV ports before destroying the root port that the NPIV ports were created on. This means that for each created NPIV port, the user should write to the sysfs vport_delete interface to delete that NPIV port. This should be done before the root port is destroyed. Users are advised to script the NPIV port deletion and configure the system such that the script is executed before the fcoe service is stopped, in the shutdown sequence.
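One way to script the NPIV port deletion advised above, as an added example that is not part of the original notes or of any Red Hat package. It assumes the FC transport's usual sysfs layout (vports listed under class/fc_vports as vport-<host>:<channel>-<id>, and vport_delete on the parent fc_host accepting "WWPN:WWNN"); the function names and the --run switch are hypothetical.

```shell
#!/bin/sh
# Added example: delete every NPIV vport through its parent host's
# vport_delete attribute, so that no vport outlives its root port.
# The first argument of delete_npiv_ports is the sysfs root
# (assumption: /sys), which lets the logic be exercised on a test tree.

is_wwn() {
    # A WWN is exactly 16 hexadecimal digits once "0x" is stripped.
    [ "${#1}" -eq 16 ] || return 1
    case $1 in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

delete_npiv_ports() {
    sysfs_root=${1:-/sys}
    rc=0
    for vport in "$sysfs_root"/class/fc_vports/vport-*; do
        [ -d "$vport" ] || continue
        name=${vport##*/}               # e.g. vport-5:0-0
        host=${name#vport-}
        host=host${host%%:*}            # parent root port, e.g. host5
        ctl=$sysfs_root/class/fc_host/$host/vport_delete
        wwpn=$(cat "$vport/port_name" 2>/dev/null) || wwpn=
        wwnn=$(cat "$vport/node_name" 2>/dev/null) || wwnn=
        wwpn=${wwpn#0x}
        wwnn=${wwnn#0x}
        if ! is_wwn "$wwpn" || ! is_wwn "$wwnn"; then
            echo "skip $name: cannot read WWPN/WWNN" >&2
            rc=1
            continue
        fi
        if [ ! -e "$ctl" ]; then
            echo "skip $name: $ctl not found" >&2
            rc=1
            continue
        fi
        if printf '%s:%s\n' "$wwpn" "$wwnn" > "$ctl"; then
            echo "deleted $host $wwpn:$wwnn"
        else
            echo "failed $name: write to $ctl rejected" >&2
            rc=1
        fi
    done
    # Non-zero when at least one vport could not be deleted, so the
    # calling shutdown step can log or act on it.
    return "$rc"
}

# Only act when asked to: "script --run [sysfs-root]".
if [ "${1:-}" = "--run" ]; then
    delete_npiv_ports "${2:-/sys}"
fi
```

Call it with --run from a shutdown step that is ordered before the fcoe service stops; a non-zero exit status means a vport was left behind.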
kernel component
A Linux LIO FCoE target causes the bfa driver to reset all FCoE targets which might lead to data corruption on LUN. To avoid these problems, do not use the bfa driver with a Linux FCoE target.
NetworkManager component, BZ#896198
A GATEWAY setting in the /etc/sysconfig/network file causes NetworkManager to assign that gateway to all interfaces with static IP addresses, even if their configuration did not specify a gateway or specified a different gateway. Interfaces have the incorrect gateway information and the wrong interface may have the default route. Instead of using GATEWAY in /etc/sysconfig/network to specify which interface receives the default route, set DEFROUTE=no in each ifcfg file that should not have the default route. Any interface connected using configuration from an ifcfg file containing DEFROUTE=no will never receive the default route.
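A check for the condition described above, as an added example that is not part of the original notes or of NetworkManager. It lists the statically configured interfaces that would pick up the global GATEWAY because their ifcfg file lacks DEFROUTE=no; the function names and the SYSCONFIG_DIR variable are hypothetical.

```shell
#!/bin/sh
# Added example: report ifcfg files that are exposed to the global
# GATEWAY setting in <sysconfig>/network. The first argument of
# audit_default_route is the sysconfig directory (default /etc/sysconfig).

get_key() {
    # Print the last value assigned to key $2 in file $1, without quotes.
    sed -n "s/^[[:space:]]*$2=//p" "$1" 2>/dev/null | tail -n 1 | tr -d "\"'"
}

audit_default_route() {
    cfg=${1:-/etc/sysconfig}
    global_gw=$(get_key "$cfg/network" GATEWAY)
    # Without a global GATEWAY there is nothing for interfaces to inherit.
    [ -n "$global_gw" ] || return 0
    for f in "$cfg"/network-scripts/ifcfg-*; do
        [ -f "$f" ] || continue
        dev=${f##*/ifcfg-}
        case $dev in
            lo|*.bak|*.orig|*.rpmnew|*.rpmsave|*~) continue ;;
        esac
        # The issue concerns interfaces with static IP addresses.
        case $(get_key "$f" BOOTPROTO) in
            dhcp|bootp) continue ;;
        esac
        # DEFROUTE=no is the setting the note recommends.
        case $(get_key "$f" DEFROUTE) in
            no|No|NO) continue ;;
        esac
        own_gw=$(get_key "$f" GATEWAY)
        echo "$dev own_gateway=${own_gw:-none} global_gateway=$global_gw"
    done
    return 0
}

# Read-only report for the running system. More than one line of output
# means several interfaces compete for the default route.
audit_default_route "${SYSCONFIG_DIR:-/etc/sysconfig}" || true
```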
kernel component
Typically, on platforms with no Intelligent Platform Management Interface (IPMI) hardware the user can see the following message on the boot console and in the dmesg log:
Could not set up I/O space
This message can be safely ignored, unless the system really does have IPMI hardware. In that case, the message indicates that the IPMI hardware could not be initialized. In order to support Advanced Configuration and Power Interface (ACPI) opregion access to IPMI functionality early in the boot, the IPMI driver has been statically linked with the kernel image. This means that the IPMI driver is "loaded" whether or not there is any hardware. The IPMI driver will try to initialize the IPMI hardware, but if there is no IPMI hardware present on the booting platform, the driver will print error messages on the console and in the dmesg log. Some of these error messages do not identify themselves as having been issued by the IPMI driver, so they can appear to be serious, when they are harmless.
kernel component
Shutting down the fcoe-target service while the Fibre Channel over Ethernet (FCoE) can lead to a kernel crash. Please minimize FCoE traffic before stopping or restarting this service.
fcoe-utils component
After an ixgbe Fibre Channel over Ethernet (FCoE) session is created, a server reboot can cause some or all of the FCoE sessions to not be created automatically. To work around this problem, perform the following steps (assuming that eth0 is the missing NIC for the FCoE session):
ifconfig eth0 down
ifconfig eth0 up
sleep 5
dcbtool sc eth0 dcb on
sleep 5
dcbtool sc eth0 pfc e:1 a:1 w:1
dcbtool sc eth0 app:fcoe e:1 a:1 w:1
service fcoe restart
fcoe-target-utils component
Using targetcli to configure the FCoE Target will fail with the message Could not create RTSRoot in configFS. To prevent this, ensure that the fcoe-target service is running by executing service fcoe-target start.
libibverbs component
The InfiniBand UD transport test utility could become unresponsive when the ibv_ud_pingpong command was used with a packet size of 2048 or greater. UD is limited to no more than the smallest MTU of any point in the path between point A and B, which is between 0 and 4096 given that the largest MTU supported (but not the smallest nor required) is 4096. If the underlying Ethernet is jumbo frame capable, and with a 4096 IB MTU on an RoCE device, the max packet size that can be used with UD is 4012 bytes.
bind-dyndb-ldap component
IPA creates a new DNS zone in two separate steps. When the new zone is created, it is invalid for a short period of time. A/AAAA records for the name server belonging to the new zone are created after this delay. Sometimes, BIND attempts to load this invalid zone and fails. In such a case, reload BIND by running either rndc reload or service named restart.
selinux-policy component
SELinux can prevent the nmbd service from writing into the /var/, which breaks NetBIOS name resolution and leads to SELinux AVC denials.
kernel component
If multiple DHCP6 servers are configured on multiple VLANs, for example two DHCP6 servers on VLAN1 and VLAN3, the bna driver NIC does not set up a VLAN interface but can get the VLAN3 IPv6 address.
kernel component
The latest version of the sfc NIC driver causes lower UDP and TX performance with large amounts of fragmented UDP packets. This problem can be avoided by setting a constant interrupt moderation period (not adaptive moderation) on both sides, sending and receiving.
kernel component
When IPv6 is administratively disabled via the disable=1 module parameter, all of the IPv6 protocol handlers are disabled. This includes any offload handlers that support TSO/GSO. The lack of handlers results in the host dropping any TSO/GSO IPv6 packets it may receive from the guest. This can cause problems with retransmission on the guest and throughput. You can completely restore IPv6 network performance by:
  • setting the disable_ipv6 module to 1
  • or using the following sysctl entries:
    • net.ipv6.conf.all.disable_ipv6 = 1
    • net.ipv6.conf.default.disable_ipv6 = 1
kernel component
Some network interface cards (NICs) may not get an IPv4 address assigned after the system is rebooted. To work around this issue, add the following line to the /etc/sysconfig/network-scripts/ifcfg-<interface> file:
LINKDELAY=10
NetworkManager component, BZ#758076
If a Certificate Authority (CA) certificate is not selected when configuring an 802.1x or WPA-Enterprise connection, a dialog appears indicating that a missing CA certificate is a security risk. This dialog presents two options: ignore the missing CA certificate and proceed with the insecure connection, or choose a CA certificate. If the user elects to choose a CA certificate, this dialog disappears and the user may select the CA certificate in the original configuration dialog.
samba component
Current Samba versions shipped with Red Hat Enterprise Linux 6.4 are not able to fully control the user and group database when using the ldapsam_compat back end. This back end was never designed to run a production LDAP and Samba environment for a long period of time. The ldapsam_compat back end was created as a tool to ease migration from historical Samba releases (version 2.2.x) to Samba version 3 and greater using the new ldapsam back end and the new LDAP schema. The ldapsam_compat back end lacks various important LDAP attributes and object classes needed to provide full user and group management. In particular, it cannot allocate user and group IDs. In the Red Hat Enterprise Linux Reference Guide, it is pointed out that this back end is likely to be deprecated in future releases. Refer to Samba's documentation for instructions on how to migrate existing setups to the new LDAP schema.
When you are not able to upgrade to the new LDAP schema (though upgrading is strongly recommended and is the preferred solution), you may work around this issue by keeping a dedicated machine running an older version of Samba (v2.2.x) for the purpose of user account management. Alternatively, you can create user accounts with standard LDIF files. The important part is the assignment of user and group IDs. In that case, the old Samba 2.2 algorithmic mapping from Windows RIDs to Unix IDs is the following: user RID = UID * 2 + 1000, while for groups it is: group RID = GID * 2 + 1001. With these workarounds, users can continue using the ldapsam_compat back end with their existing LDAP setup even when all the above restrictions apply.
kernel component
Because Red Hat Enterprise Linux 6.4 defaults to using Strict Reverse Path filtering, packets are dropped by default when the route for outbound traffic differs from the route of incoming traffic. This is in line with current recommended practice in RFC3704. For more information about this issue please refer to /usr/share/doc/kernel-doc-<version>/Documentation/networking/ip-sysctl.txt and https://access.redhat.com/knowledge/solutions/53031.
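To see where strict filtering is actually in effect, the added example below (not part of the original notes) reports the effective rp_filter mode per interface; as ip-sysctl.txt documents, the kernel uses the maximum of conf/all/rp_filter and conf/<interface>/rp_filter. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the reverse-path filter mode in effect per interface.
# Per ip-sysctl.txt, source validation on an interface uses the maximum of
# conf/all/rp_filter and conf/<iface>/rp_filter:
#   0 = no source validation, 1 = strict (RFC 3704), 2 = loose.

# rp_filter_report [PROC_SYS_ROOT]
# Prints "<iface> <all> <own> <effective> <mode>" for every interface.
rp_filter_report() (
    conf=${1:-/proc/sys}/net/ipv4/conf
    all=$(cat "$conf/all/rp_filter" 2>/dev/null) || exit 2
    for dir in "$conf"/*/; do
        iface=${dir%/}
        iface=${iface##*/}
        case $iface in all|default) continue ;; esac
        own=$(cat "$dir/rp_filter" 2>/dev/null) || continue
        if [ "$all" -gt "$own" ]; then eff=$all; else eff=$own; fi
        case $eff in
            0) mode=off ;;
            1) mode=strict ;;
            2) mode=loose ;;
            *) mode=unknown ;;
        esac
        echo "$iface $all $own $eff $mode"
    done
)

# strict_interfaces [PROC_SYS_ROOT]
# Names of interfaces on which asymmetrically routed packets are dropped.
strict_interfaces() {
    rp_filter_report "$@" | awk '$5 == "strict" { print $1 }'
}

# Constructed sample: conf/all is 1, eth1 was set to 0, eth2 was set to 2.
build_sample_proc() {
    for pair in all:1 default:1 eth0:1 eth1:0 eth2:2 lo:0; do
        mkdir -p "$1/net/ipv4/conf/${pair%%:*}"
        echo "${pair##*:}" > "$1/net/ipv4/conf/${pair%%:*}/rp_filter"
    done
}

# Run on the constructed tree; use rp_filter_report with no argument to
# inspect the live system.
demo=$(mktemp -d) && build_sample_proc "$demo" && rp_filter_report "$demo"
rm -rf "$demo"
```

In the sample, eth1 remains strict even though its own value is 0, because conf/all is 1; only eth2, set to 2, ends up in loose mode.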

4.7. Clustering

selinux-policy component
The fence-sanlock agent does not support SELinux in Enforcing mode at the moment.
lvm2 component, BZ#814779
A clustered environment is not supported by lvmetad at the moment. If global/use_lvmetad=1 is used together with the global/locking_type=3 configuration setting (clustered locking), the use_lvmetad setting is automatically overridden to 0 and lvmetad is not used at all. Also, the following warning message is displayed:
WARNING: configuration setting use_lvmetad overriden to 0 due to locking_type 3. Clustered environment not supported by lvmetad yet.
luci component, BZ#615898
luci will not function with Red Hat Enterprise Linux 5 clusters unless each cluster node has ricci version 0.12.2-14.

4.8. Authentication

ipa component, BZ#894388
The Identity Management installer configures all integrated services to listen on all interfaces. The administrator has no means to instruct the Identity Management installer to listen only on chosen interfaces even though the installer requires a valid interface IP address as one installation parameter. To work around this problem, change service configuration after Identity Management installation.
ipa component, BZ#894378
The Identity Management LDAP permission manipulation plugin validates subtree and filter permission specifiers as mutually exclusive even though it is a valid combination in the underlying LDAP Access Control Instruction (ACI). Permissions with filter and subtree specifiers can be neither created nor modified. This affects, for example, the Add Automount Keys permission, which cannot be modified.
ipa component, BZ#817080
In some cases the certificates tracked by certmonger are not cleared when running the ipa-server-install --uninstall command. This will cause a subsequent re-installation to fail with an unexpected error.
sssd component, BZ#892604
The ssh_cache utility sets the DEBUG level after it processes the command-line parameters. If the command-line parameters cannot be processed, the utility prints DEBUG lines that are not supposed to be printed by default. To avoid this, correct parameters must be used.
sssd component, BZ#891647
It is possible to specify the enumerate=true value in the sssd.conf file to access all users in the system. However, using enumerate=true is not recommended in large environments as this can lead to high CPU consumption. As a result, operations like login or logout can be slowed down.
ipa component, BZ#888579
The Identity Management server processes Kerberos Password Expiration Time field as a 32-bit integer. If Maximum Lifetime of a user password in Identity Management Password Policy is set to a value causing the resulting Kerberos Password Expiration Time timestamp to exceed 32 bits and to overflow, the passwords that are being changed are configured with an expiration time that lies in the past and are always rejected. To ensure that new user passwords are valid and can be changed properly, do not set password Maximum Lifetime in Identity Management Password Policy to values that would cause the Kerberos Password Expiration Time timestamp to exceed 32 bits; that is, passwords that would expire after 2038-01-19. At the moment, recommended values for the Maximum Lifetime field are numbers lower than 9000 days.
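The overflow described above can be checked before a policy is applied. The added example below (not part of the original notes; function names are hypothetical, the dates are constructed, and the shell is assumed to use 64-bit arithmetic) truncates the expiration timestamp to a signed 32-bit value and derives the largest Maximum Lifetime that still fits, which shrinks as 2038-01-19 approaches.

```shell
#!/bin/sh
# Added example: does "now + Maximum Lifetime" still fit in a signed 32-bit
# Kerberos Password Expiration Time? Assumes 64-bit shell arithmetic.
INT32_MAX=2147483647          # 2038-01-19 03:14:07 UTC

# expiry_as_int32 NOW_EPOCH MAX_LIFE_DAYS
# Expiration timestamp as it reads after truncation to signed 32 bits.
expiry_as_int32() {
    t=$(( $1 + $2 * 86400 ))
    echo $(( (t + 2147483648) % 4294967296 - 2147483648 ))
}

# max_safe_lifetime_days NOW_EPOCH
# Largest Maximum Lifetime (in days) that does not overflow when set at NOW.
max_safe_lifetime_days() {
    echo $(( (INT32_MAX - $1) / 86400 ))
}

# check_max_lifetime NOW_EPOCH MAX_LIFE_DAYS
# Prints "ok" if the truncated expiry is still in the future, otherwise
# prints "overflow" and returns 1 (the password would expire in the past).
check_max_lifetime() {
    if [ "$(expiry_as_int32 "$1" "$2")" -gt "$1" ]; then
        echo ok
    else
        echo overflow
        return 1
    fi
}

# Constructed dates: 2013-02-21 and 2025-01-01, both 00:00:00 UTC.
for now in 1361404800 1735689600; do
    echo "now=$now max_safe_days=$(max_safe_lifetime_days "$now")" \
         "9000_days=$(check_max_lifetime "$now" 9000)" \
         "expiry32=$(expiry_as_int32 "$now" 9000)"
done
```

Pass `$(date +%s)` as NOW_EPOCH to evaluate a policy value against the current date.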
sssd component, BZ#785877
When reconnecting to an LDAP server, SSSD does not check whether it was re-initialized during the downtime. If the server was re-initialized during the downtime and was filled with completely different data, SSSD does not update its database. As a consequence, the user can get invalid information from SSSD. To work around this problem:
  1. stop SSSD before reconnecting to the re-initialized server;
  2. clear the SSSD caches manually before reconnecting;
  3. start SSSD.
krb5 component
In environments where entropy is scarce, the kadmind tool can take longer to initialize after startup than it did in previous releases as it attempts to read data from the /dev/random file and seed its internal random number generator (RNG). Clients which attempt to connect to the kadmin service can time out and fail with a GSS-API or Kerberos error. After the service completely finishes initializing itself, it will process messages received from now-disconnected clients and can log clock-skew or decrypt-integrity-check-failed errors for those connections. To work around this problem, use a service such as rngd to seed the system RNG using hardware sources of entropy.
ipa component, BZ#887193
The Identity Management server in Red Hat Enterprise Linux 6.3 introduced a technical preview of the SELinux user mapping feature, which enabled a mapping of SELinux users to users managed by Identity Management based on custom rules. However, the default configured SELinux user (guest_u:s0), used when no custom rule matches, is too constraining. An Identity Management user authenticating to Red Hat Enterprise Linux 6.4 can be assigned this SELinux user, in which case a login through a graphical session always fails. To work around this problem, change the default SELinux user in the Identity Management server from guest_u:s0 to the more relaxed value unconfined_u:s0-s0:c0.c1023:
kinit admin
ipa config-mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023
An unconfined SELinux user will now be assigned to the Identity Management user by default, which will allow the user to successfully authenticate through the graphical interface.
ipa component, BZ#761574
When attempting to view a host in the web UI, the following message can appear:
Certificate operation cannot be completed: Unable to communicate with CMS (Unauthorized)
Attempting to delete installed certificates through the web UI or command-line interface can fail with the same error message. To work around this problem, run the following command:
~]# yum downgrade ipa-server libipa_hbac libipa_hbac-python ipa-python ipa-client ipa-admintools ipa-server-selinux
ipa component, BZ#877324
After upgrading to Red Hat Identity Manager 2.2, it is not possible to add SSH public keys in the web UI. However, SSH public keys can be added on the command line by running ipa user-mod <user> --sshpubkey.
sssd component, BZ#880150
Rules with sudoUser specified as +netgroup are always matched with the sssd sudoers plugin.
sssd component
When the ldap_sasl_authid is not configured in the sssd.conf file, SSSD terminates unexpectedly with a segmentation fault. To avoid this problem, ensure that the option is configured.
ipa component
When upgrading the ipa-server package using anaconda, the following error message is logged in the upgrade.log file:
/sbin/restorecon:  lstat(/var/lib/pki-ca/publish*) failed:  No such file or directory
This problem does not occur when using yum.
sssd component
In the Identity Manager subdomain code, a User Principal Name (UPN) is by default built from the SAM Account Name and Active Directory trust users, that is user@DOMAIN. The UPN can be changed to differ from the UPN in Active Directory, however only the default format, user@DOMAIN, is supported.
sssd component, BZ#805921
Sometimes, group members may not be visible when running the getent group groupname command. This can be caused by an incorrect ldap_schema in the [domain/DOMAINNAME] section of the sssd.conf file. SSSD supports three LDAP schema types: RFC 2307, RFC 2307bis, and IPA. By default, SSSD uses the more common RFC 2307 schema. The difference between RFC 2307 and RFC 2307bis is the way in which group membership is stored in the LDAP server. In an RFC 2307 server, group members are stored as the multi-valued memberuid attribute, which contains the names of the users that are members. In an RFC 2307bis server, group members are stored as the multi-valued attribute member (or sometimes uniqueMember), which contains the DN of the user or group that is a member of this group. RFC 2307bis allows nested groups to be maintained as well.
When encountering this problem:
  • add ldap_schema = rfc2307bis in the sssd.conf file,
  • delete the /var/lib/sss/db/cache_DOMAINNAME.ldb file,
  • and restart SSSD.
If the workaround does not work, add ldap_group_member = uniqueMember in the sssd.conf file, delete the cache file and restart SSSD.
Identity Management component, BZ#826973
When Identity Management is installed with its CA certificate signed by an external CA, the installation is processed in 2 stages. In the first stage, a CSR is generated to be signed by an external CA. The second stage of the installation then accepts a file with the new signed certificate for the Identity Management CA and a certificate of the external CA. During the second stage of the installation, the subject of the signed Identity Management CA certificate is validated. However, there is a bug in the certificate subject validation procedure and its default value (O=$REALM, where $REALM is the realm of the new Identity Management installation) is never pulled. Consequently, the second stage of the installation process always fails unless the --subject option is specified. To work around this issue, add the following option for the second stage of the installation: --subject "O=$REALM" where $REALM is the realm of the new Identity Management installation. If a custom subject was used for the first stage of the installation, use its value instead. With this workaround, the certificate subject validation procedure succeeds and the installation continues as expected.
Identity Management component, BZ#822350
When a user is migrated from a remote LDAP, the user's entry in the Directory Server does not contain Kerberos credentials needed for a Kerberos login. When the user visits the password migration page, Kerberos credentials are generated for the user and logging in via Kerberos authentication works as expected. However, Identity Management does not generate the credentials correctly when the migrated password does not follow the password policy set on the Identity Management server. Consequently, when the password migration is done and a user tries to log in via Kerberos authentication, the user is prompted to change the password as it does not follow the password policy, but the password change is never successful and the user is not able to use Kerberos authentication. To work around this issue, an administrator can reset the password of a migrated user with the ipa passwd command. When reset, user's Kerberos credentials in the Directory Server are properly generated and the user is able to log in using Kerberos authentication.
Identity Management component
In the Identity Management webUI, deleting a DNS record may, under some circumstances, leave it visible on the page showing DNS records. This is only a display issue and does not affect functionality of DNS records in any way.
Identity Management component, BZ#790513
The ipa-client package does not install the policycoreutils package as its dependency, which may cause install/uninstall issues when using the ipa-client-install setup script. To work around this issue, install the policycoreutils package manually:
~]# yum install policycoreutils
Identity Management component, BZ#813376
Updating the Identity Management LDAP configuration via the ipa-ldap-updater fails with a traceback error when executed by a non-root user due to the SASL EXTERNAL bind requiring root privileges. To work around this issue, run the aforementioned command as the root user.
Identity Management component, BZ#794882
With netgroups, when adding a host as a member that Identity Management does not have stored as a host already, that host is considered to be an external host. This host can be controlled with netgroups, but Identity Management has no knowledge of it. Currently, there is no way to use the netgroup-find option to search for external hosts.
Also, note that when a host is added to a netgroup as an external host, rather than being added in Identity Management as an external host, that host is not automatically converted within the netgroup rule.
Identity Management component, BZ#786629
Because a permission does not provide write access to an entry, delegation does not work as expected. The 389 Directory Server (389-ds) distinguishes access between entries and attributes. For example, an entry can be granted add or delete access, whereas an attribute can be granted read, search, and write access. To grant write access to an entry, the list of writable attributes needs to be provided. The filter, subtree, and other options are used to target those entries which are writable. Attributes define which part(s) of those entries are writable. As a result, the list of attributes will be writable to members of the permission.
sssd component, BZ#808063
The manpage entry for the ldap_disable_paging option in the sssd-ldap man page does not indicate that it accepts the boolean values True or False, and that it defaults to False if it is not explicitly specified.
Identity Management component, BZ#812127
Identity Management relies on the LDAP schema to know what type of data to expect in a given attribute. If, in certain situations (such as replication), data that does not meet those expectations is inserted into an attribute, Identity Management will not be able to handle the entry, and LDAP tools have to be used to manually clean up that entry.
Identity Management component, BZ#812122
Identity Management sudo commands are not case sensitive. For example, executing the following commands will result in the latter one failing due to the case insensitivity:
~]$ ipa sudocmd-add /usr/bin/X
⋮
~]$ ipa sudocmd-add /usr/bin/x
ipa: ERROR: sudo command with name "/usr/bin/x" already exists
Identity Management component
When an Identity Management server is installed with a custom hostname that is not resolvable, the ipa-server-install command should add a record to the static hostname lookup table in /etc/hosts and enable further configuration of Identity Management integrated services. However, a record is not added to /etc/hosts when an IP address is passed as a CLI option and not interactively. Consequently, Identity Management installation fails because integrated services that are being configured expect the Identity Management server hostname to be resolvable. To work around this issue, complete one of the following:
  • Run ipa-server-install without the --ip-address option and pass the IP address interactively.
  • Add a record to /etc/hosts before the installation is started. The record should contain the Identity Management server IP address and its full hostname (the hosts(5) man page specifies the record format).
As a result, the Identity Management server can be installed with a custom hostname that is not resolvable.
sssd component
Upgrading SSSD from the version provided in Red Hat Enterprise Linux 6.1 to the version shipped with Red Hat Enterprise Linux 6.2 may fail due to a bug in the dependent library libldb. This failure occurs when the SSSD cache contains internal entries whose distinguished name contains the \, character sequence. The most likely example of this is for an invalid memberUID entry to appear in an LDAP group of the form:
memberUID: user1,user2
memberUID is a multi-valued attribute and should not have multiple users in the same attribute.
If the upgrade issue occurs, identifiable by the following debug log message:
(Wed Nov  2 15:18:21 2011) [sssd] [ldb] (0): A transaction is still active in
ldb context [0xaa0460] on /var/lib/sss/db/cache_<DOMAIN>.ldb
remove the /var/lib/sss/db/cache_<DOMAIN>.ldb file and restart SSSD.

Removing the /var/lib/sss/db/cache_<DOMAIN>.ldb file

Removing the /var/lib/sss/db/cache_<DOMAIN>.ldb file purges the cache of all entries (including cached credentials).
sssd component, BZ#751314
When a group contains certain incorrect multi-valued memberUID values, SSSD fails to sanitize the values properly. The memberUID value should only contain one username. As a result, SSSD creates incorrect users, using the broken memberUID values as their usernames. This, for example, causes problems during cache indexing.
Identity Management component
Two Identity Management servers, both with a CA (Certificate Authority) installed, use two replication agreements. One is for user, group, host, and other related data. Another replication agreement is established between the CA instances installed on the servers. If the CA replication agreement is broken, the Identity Management data is still shared between the two servers; however, because there is no replication agreement between the two CAs, issuing a certificate on one server will cause the other server to not recognize that certificate, and vice versa.
Identity Management component
The Identity Management (ipa) package cannot be built with a 6ComputeNode subscription.
sssd component, BZ#741264
Active Directory performs certain LDAP referral-chasing that is incompatible with the referral mechanism included in the openldap libraries. Notably, Active Directory sometimes attempts to return a referral on an LDAP bind attempt, which used to cause a hang, and is now denied by the openldap libraries. As a result, SSSD may suffer from performance issues and occasional failures resulting in missing information.
To work around this issue, disable referral-chasing by setting the following parameter in the [domain/DOMAINNAME] section of the /etc/sssd/sssd.conf file:
ldap_referrals = false

4.9. Devices

kernel component
A Linux LIO FCoE target causes the bnx2fc driver to perform sequence level error recovery when the target is down. As a consequence, the FCoE session cannot be resumed after the Ethernet link is bounced, the bnx2fc kernel module cannot be unloaded and the FCoE session cannot be removed when running the fcoeadm -d eth0 command. To avoid these problems, do not use the bnx2fc driver with a Linux FCoE target.
kernel component
When using large block size (1MB), the tape driver sometimes returns an EBUSY error. To work around this problem, use a smaller block size, that is 256KB.
kernel component
On some of the older Broadcom tg3 devices, the default Maximum Read Request Size (MRRS) value of 512 bytes is known to cause lower performance. This is because these devices perform direct memory access (DMA) requests serially. A 1500-byte Ethernet packet will be broken into 3 PCIE read requests using a 512-byte MRRS. When using a higher MRRS value, the DMA transfer can be faster as fewer requests will be needed. However, the MRRS value is meant to be tuned by system software and not by the driver. PCIE Base spec 3.0 section 7.8.4 contains an implementation note that illustrates how system software might tune the MRRS for all devices in the system. As a result, Broadcom modified the tg3 driver to remove the code that sets the MRRS to 4K bytes so that any value selected by system software (BIOS) will be preserved.
kernel component
The Brocade BFA Fibre Channel and FCoE driver does not currently support dynamic recognition of Logical Unit addition or removal using the sg3_utils utilities (for example, the sg_scan command) or similar functionality. Please consult Brocade directly for a Brocade equivalent of this functionality.
kernel component
iSCSI and FCoE boot support on Broadcom devices is not included in Red Hat Enterprise Linux 6.4. These two features, which are provided by the bnx2i and bnx2fc Broadcom drivers, remain a Technology Preview until further notice.
kexec-tools component
Starting with Red Hat Enterprise Linux 6.0 and later, kexec kdump supports dumping core to the Btrfs file system. However, note that because the findfs utility in busybox does not support Btrfs yet, UUID/LABEL resolving is not functional. Avoid using the UUID/LABEL syntax when dumping core to Btrfs file systems.
trace-cmd component
The trace-cmd service does start on 64-bit PowerPC and IBM System z systems because the sys_enter and sys_exit events do not get enabled on the aforementioned systems.
trace-cmd component
trace-cmd's subcommand, report, does not work on IBM System z systems. This is due to the fact that the CONFIG_FTRACE_SYSCALLS parameter is not set on IBM System z systems.
libfprint component
Red Hat Enterprise Linux 6 only has support for the first revision of the UPEK Touchstrip fingerprint reader (USB ID 147e:2016). Attempting to use a second revision device may cause the fingerprint reader daemon to crash. The following command returns the version of the device being used in an individual machine:
~]$ lsusb -v -d 147e:2016 | grep bcdDevice
kernel component
The Emulex Fibre Channel/Fibre Channel-over-Ethernet (FCoE) driver in Red Hat Enterprise Linux 6 does not support DH-CHAP authentication. DH-CHAP authentication provides secure access between hosts and mass storage in Fibre-Channel and FCoE SANs in compliance with the FC-SP specification. Note, however, that the Emulex driver (lpfc) does support DH-CHAP authentication on Red Hat Enterprise Linux 5, from version 5.4. Future Red Hat Enterprise Linux 6 releases may include DH-CHAP authentication.
kernel component
The recommended minimum HBA firmware revision for use with the mpt2sas driver is "Phase 5 firmware" (that is, with version number in the form 05.xx.xx.xx). Note that following this recommendation is especially important on complex SAS configurations involving multiple SAS expanders.

4.10. Kernel

kernel component
In Red Hat Enterprise Linux 6.4, irqbalance has been updated to upstream version 1.0.4. This version of irqbalance requires /sys/device/system/cpu/cpu?/node* to exist; however, kernel-2.6.32-358 or earlier does not include support for this sysfs node. To work around this problem, use the irqbalance-0.55-35.el6_3 package or earlier.
kernel component
Red Hat Enterprise Linux 6.4 changed the maximum read/write socket memory default value to be higher, allowing for better performance on some machines. It was observed that if the values of ?mem_max are not symmetrical between two machines, the performance can be negatively affected. To work around this problem, adjust the value of ?mem_max to be equal across all Red Hat Enterprise Linux systems in the network.
kabi-whitelists component
The vxfs module might not work properly on Red Hat Enterprise Linux 6.4 because of the broken radix_tree_gang_lookup_slot symbol. Consult Symantec should you require a workaround for this issue.
kernel component
Enabling TCP Segmentation Offload (TSO) on TAP interface may cause low throughput when the uplink is a high-speed interface. To improve throughput, turn off TSO on the tap interface of the virtual machine.
kabi-whitelists component, BZ#871580
A patch submitted in Red Hat Enterprise Linux 6.3 broke a kABI symbol. Consequently, the previously working Red Hat Enterprise Linux 6.2 Veritas vxfs module did not work on the 6.3 kernel; a newer compiled version of the Red Hat Enterprise Linux 6.3 Veritas vxfs module had to be used. In Red Hat Enterprise Linux 6.4, the kABI issue has been fixed, and the Red Hat Enterprise Linux 6.3 Veritas vxfs module works as expected. Refer to Table 4.1, “Functionality Matrix” for a summary of what versions of Red Hat Enterprise Linux 6 and vxfs function as expected.

Table 4.1. Functionality Matrix

Columns give the Red Hat Enterprise Linux Version (Kernel Version).

| vxfs Module Version | 6.2 GA (2.6.32-220.el6) | 6.3 GA (2.6.32-279.el6) | 6.4 pre-alpha (2.6.32-330.el6) |
|---|---|---|---|
| 5.1.120.000-SP1PR2 | works | fails | works |
| 5.1.133.000-SP1RP3 | - | works | fails |

kernel component
When using Chelsio's iSCSI HBAs for an iSCSI root partition, the first boot after install fails. This occurs because Chelsio's iSCSI HBA is not properly detected. To work around this issue, users must add the iscsi_firmware parameter to grub's kernel command line. This will signal to dracut to boot from the iSCSI HBA.
kernel component
The installation of Red Hat Enterprise Linux 6.4 i386 may occasionally fail. To work around this issue, add the following parameter to the kernel command line:
vmalloc=256MB
kernel component
If a device reports an error while it is open (via the open(2) system call) and the device is then closed (via the close(2) system call), the /dev/disk/by-id link for the device may be removed. When the problem on the device that caused the error is resolved, the by-id link is not re-created. To work around this issue, run the following command:
~]# echo 'change' > /sys/class/block/sdX/uevent
kernel component
When an HBA that uses the mpt2sas driver is connected to a storage using an SAS switch LSI SAS 6160, the driver may become unresponsive during Controller Fail Drive Fail (CFDF) testing. This is due to faulty firmware that is present on the switch. To fix this issue, use a newer version (14.00.00.00 or later) of firmware for the LSI SAS 6160 switch.
kernel component, BZ#745713
In some cases, Red Hat Enterprise Linux 6 guests running fully-virtualized under Red Hat Enterprise Linux 5 experience a time drift or fail to boot. In other cases, drifting may start after migration of the virtual machine to a host with different speed. This is due to limitations in the Red Hat Enterprise Linux 5 Xen hypervisor. To work around this, add the nohpet parameter or, alternatively, the clocksource=jiffies parameter to the kernel command line of the guest. Or, if running under Red Hat Enterprise Linux 5.7 or newer, locate the guest configuration file for the guest and add the hpet=0 parameter in it.
kernel component
On some systems, Xen full-virt guests may print the following message when booting:
WARNING: BIOS bug: CPU MTRRs don't cover all of memory, losing <number>MB of RAM
It is possible to avoid the memory trimming by using the disable_mtrr_trim kernel command line option.
kernel component
The perf record command becomes unresponsive when specifying a tracepoint event and a hardware event at the same time.
kernel component
On 64-bit PowerPC, the following command may cause kernel panic:
~]# ./perf record -agT -e sched:sched_switch -F 100 -- sleep 3
kernel component
Applications are increasingly using more than 1024 file descriptors. It is not recommended to increase the default soft limit of file descriptors because it may break applications that use the select() call. However, it is safe to increase the default hard limit; that way, applications requiring a large amount of file descriptors can increase their soft limit without needing root privileges and without any user intervention.
kernel component
In network-only use of Brocade Converged Network Adapters (CNAs), switches that are not properly configured to work with Brocade FCoE functionality can cause a continuous linkup/linkdown condition. This causes continuous messages on the host console:
bfa xxxx:xx:xx.x: Base port (WWN = xx:xx:xx:xx:xx:xx:xx:xx) lost fabric connectivity
To work around this issue, unload the Brocade bfa driver.
kernel component
In Red Hat Enterprise Linux 6, a legacy bug in the PowerEdge Expandable RAID Controller 5 (PERC5) causes the kdump kernel to fail to scan for SCSI devices. It is usually triggered when a large amount of I/O operations are pending on the controller in the first kernel before performing a kdump.
kernel component, BZ#679262
In Red Hat Enterprise Linux 6.2 and later, due to security concerns, addresses in /proc/kallsyms and /proc/modules show all zeros when accessed by a non-root user.
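One way to confirm this behaviour on a host, as an added example that is not part of the original notes: the function below counts non-zero addresses in kallsyms-style or modules-style text, so an unprivileged run against /proc/kallsyms and /proc/modules should report 0. The function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# count_exposed_addresses FORMAT   (reads the file contents on stdin)
#   kallsyms: address is field 1, e.g. "0000000000000000 T _text"
#   modules:  address is field 6, e.g. "ext4 374902 1 - Live 0x0000000000000000"
# Prints how many entries carry an address that is not all zeros.
count_exposed_addresses() {
    case $1 in
        kallsyms) addr_field=1 ;;
        modules)  addr_field=6 ;;
        *) echo "usage: count_exposed_addresses kallsyms|modules" >&2
           return 2 ;;
    esac
    awk -v f="$addr_field" '
        NF >= f {
            addr = $f
            sub(/^0[xX]/, "", addr)        # /proc/modules prefixes 0x
            if (addr !~ /^0+$/) exposed++
        }
        END { print exposed + 0 }'
}

# Constructed sample data (not captured from a real system).
sample_kallsyms_masked() {
    cat <<'EOF'
0000000000000000 T _text
0000000000000000 T do_one_initcall
0000000000000000 t ext4_init_fs [ext4]
EOF
}

sample_kallsyms_visible() {
    cat <<'EOF'
ffffffff81000000 T _text
ffffffff8100ae10 T do_one_initcall
ffffffffa0b2e000 t ext4_init_fs [ext4]
EOF
}

sample_modules_masked() {
    cat <<'EOF'
ext4 374902 1 - Live 0x0000000000000000
jbd2 93427 1 ext4, Live 0x0000000000000000
EOF
}

sample_modules_visible() {
    cat <<'EOF'
ext4 374902 1 - Live 0xffffffffa0b2e000
jbd2 93427 1 ext4, Live 0xffffffffa0a8f000
EOF
}

# Check the live files when they are readable (Linux only).
for kind in kallsyms modules; do
    if [ -r "/proc/$kind" ]; then
        printf '/proc/%s: %s non-zero addresses (uid %s)\n' "$kind" \
            "$(count_exposed_addresses "$kind" < "/proc/$kind")" "$(id -u)"
    fi
done
```

A non-zero count for a non-root uid means kernel addresses are visible to unprivileged users on that host.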
kernel component
Superfluous information is displayed on the console due to a correctable machine check error occurring. This information can be safely ignored by the user. Machine check error reporting can be disabled by using the nomce kernel boot option, which disables machine check error reporting, or the mce=ignore_ce kernel boot option, which disables correctable machine check error reporting.
kernel component
The order in which PCI devices are scanned may change from one major Red Hat Enterprise Linux release to another. This may result in device names changing, for example, when upgrading from Red Hat Enterprise Linux 5 to 6. You must confirm that a device you refer to during installation is the intended device.
One way to assure the correctness of device names is, in some configurations, to determine the mapping from the controller name to the controller's PCI address in the older release, and then compare this to the mapping in the newer release to ensure that the device name is as expected.
The following is an example from /var/log/messages:
kernel: cciss0: <0x3230> at PCI 0000:1f:00.0 IRQ 71 using DAC
…
kernel: cciss1: <0x3230> at PCI 0000:02:00.0 IRQ 75 using DAC
If the device name is incorrect, add the pci=bfsort parameter to the kernel command line, and check again.
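The comparison described above can be scripted. The following is an added example, not part of the original notes: it extracts the controller-name to PCI-address mapping from two saved copies of /var/log/messages and lists the controllers whose address differs. The function names, file names and sample log lines are constructed, and the pattern assumes the message format shown above.

```shell
#!/bin/sh
# Print "controller pci-address" pairs found in kernel log text on stdin.
# Matches lines of the form shown above:
#   kernel: cciss0: <0x3230> at PCI 0000:1f:00.0 IRQ 71 using DAC
# A log usually spans several boots; the last address seen per name wins.
controller_map() {
    sed -n 's/.*[ :]\([a-z][a-z0-9_]*[0-9]\): <[^>]*> at PCI \([0-9a-fA-F:.]*\) .*/\1 \2/p' |
        awk '{ addr[$1] = $2 } END { for (name in addr) print name, addr[name] }' |
        LC_ALL=C sort
}

# compare_controller_maps OLD_LOG NEW_LOG
# Prints "name: old-address -> new-address" for every controller whose
# address differs ("none" marks a controller missing from one log).
# Returns 0 when both mappings are identical, 1 otherwise.
compare_controller_maps() {
    old_map=$(mktemp)
    new_map=$(mktemp)
    controller_map < "$1" > "$old_map"
    controller_map < "$2" > "$new_map"
    changed=$(LC_ALL=C join -a 1 -a 2 -e none -o 0,1.2,2.2 "$old_map" "$new_map" |
              awk '$2 != $3 { print $1 ": " $2 " -> " $3 }')
    rm -f "$old_map" "$new_map"
    if [ -z "$changed" ]; then
        return 0
    fi
    printf '%s\n' "$changed"
    return 1
}

# Constructed sample logs (not captured from real systems). The third file
# repeats the second and appends a later boot, to show the last boot winning.
write_sample_logs() {
    cat > "$1/messages.rhel5" <<'EOF'
Jan 10 09:00:01 host1 kernel: cciss0: <0x3230> at PCI 0000:1f:00.0 IRQ 71 using DAC
Jan 10 09:00:01 host1 kernel: cciss1: <0x3230> at PCI 0000:02:00.0 IRQ 75 using DAC
EOF
    cat > "$1/messages.rhel6" <<'EOF'
Feb 21 14:30:12 host1 kernel: cciss0: <0x3230> at PCI 0000:02:00.0 IRQ 75 using DAC
Feb 21 14:30:12 host1 kernel: cciss1: <0x3230> at PCI 0000:1f:00.0 IRQ 71 using DAC
EOF
    cat "$1/messages.rhel6" - > "$1/messages.rhel6.later" <<'EOF'
Feb 21 15:02:40 host1 kernel: cciss0: <0x3230> at PCI 0000:1f:00.0 IRQ 71 using DAC
Feb 21 15:02:40 host1 kernel: cciss1: <0x3230> at PCI 0000:02:00.0 IRQ 75 using DAC
EOF
}

if [ "$#" -eq 2 ]; then
    # Real use: pass the log saved on the old release and the current log.
    compare_controller_maps "$1" "$2"
else
    # No arguments: run on the constructed samples.
    demo_dir=$(mktemp -d)
    write_sample_logs "$demo_dir"
    compare_controller_maps "$demo_dir/messages.rhel5" "$demo_dir/messages.rhel6" || true
    rm -rf "$demo_dir"
fi
```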
kernel component
The minimum firmware version for NIC adapters managed by netxen_nic is 4.0.550. This includes the boot firmware which is flashed in option ROM on the adapter itself.
kernel component
High stress on 64-bit IBM POWER series machines prevents kdump from successfully capturing the vmcore. As a result, the second kernel is not loaded, and the system becomes unresponsive.
kernel component
Triggering kdump to capture a vmcore through the network using the Intel 82575EB ethernet device in a 32-bit environment causes the networking driver to not function properly in the kdump kernel, and prevents the vmcore from being captured.
kernel component
Memory Type Range Register (MTRR) setup on some hyperthreaded machines may be incorrect following a suspend/resume cycle. This can cause graphics performance (specifically, scrolling) to slow considerably after a suspend/resume cycle.
To work around this issue, disable and then re-enable the hyperthreaded sibling CPUs around suspend/resume, for example:
#!/bin/sh
# Disable hyper-threading processor cores on suspend and hibernate, re-enable
# on resume.
# This file goes into /etc/pm/sleep.d/

case $1 in
        hibernate|suspend)
                echo 0 > /sys/devices/system/cpu/cpu1/online
                echo 0 > /sys/devices/system/cpu/cpu3/online
                ;;

        thaw|resume)
                echo 1 > /sys/devices/system/cpu/cpu1/online
                echo 1 > /sys/devices/system/cpu/cpu3/online
                ;;
esac
kernel component
In Red Hat Enterprise Linux 6.2, nmi_watchdog registers with the perf subsystem. Consequently, during boot, the perf subsystem grabs control of the performance counter registers, blocking OProfile from working. To resolve this, either boot with the nmi_watchdog=0 kernel parameter set, or run the following command to disable it at run time:
echo 0 > /proc/sys/kernel/nmi_watchdog
To re-enable nmi_watchdog, use the following command:
echo 1 > /proc/sys/kernel/nmi_watchdog
kernel component, BZ#603911
Due to the way ftrace works when modifying the code during start-up, the NMI watchdog causes too much noise and ftrace cannot find a quiet period to instrument the code. Consequently, machines with more than 512 CPUs will encounter issues with the NMI watchdog. Such issues will return error messages similar to BUG: NMI Watchdog detected LOCKUP and have either ftrace_modify_code or ipi_handler in the backtrace. To work around this issue, disable NMI watchdog by setting the nmi_watchdog=0 kernel parameter, or using the following command at run time:
echo 0 > /proc/sys/kernel/nmi_watchdog
kernel component
On 64-bit POWER systems the EHEA NIC driver will fail when attempting to dump a vmcore via NFS. To work around this issue, utilize other kdump facilities, for example dumping to the local file system, or dumping over SSH.
kernel component, BZ#587909
A BIOS emulated floppy disk might cause the installation or kernel boot process to hang. To avoid this, disable emulated floppy disk support in the BIOS.
kernel component
The preferred method to enable nmi_watchdog on 32-bit x86 systems is to use either nmi_watchdog=2 or nmi_watchdog=lapic parameters. The parameter nmi_watchdog=1 is not supported.
kernel component
The kernel parameter, pci=noioapicquirk, is required when installing the 32-bit variant of Red Hat Enterprise Linux 6 on HP xw9300 workstations. Note that the parameter change is not required when installing the 64-bit variant.

4.11. Desktop

Red_Hat_Enterprise_Linux-Release_Notes-6 component
The link in the RELEASE-NOTES-si-LK.html file (provided by the Red_Hat_Enterprise_Linux-Release_Notes-6-si-LK package) incorrectly points at the Beta online version of the 6.4 Release Notes. Because the si-LK language is no longer supported, the link should correctly point to the en-US online 6.4 Release Notes located at: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/6.4_Release_Notes/index.html.
libwacom component
The Lenovo X220 Tablet Touchscreen is not supported in the kernel shipped with Red Hat Enterprise Linux 6.4.
wacomcpl package, BZ#769466
The wacomcpl package has been deprecated and has been removed from the package set. The wacomcpl package provided graphical configuration of Wacom tablet settings. This functionality is now integrated into the GNOME Control Center.
acroread component
On an AMD64 system that uses SSSD for getting information about users, acroread fails to start if the sssd-client.i686 package is not installed. To work around this issue, manually install the sssd-client.i686 package.
kernel component, BZ#681257
With newer kernels, such as the kernel shipped in Red Hat Enterprise Linux 6.1, Nouveau has corrected the Transition Minimized Differential Signaling (TMDS) bandwidth limits for pre-G80 NVIDIA chipsets. Consequently, the resolution auto-detected by X for some monitors may differ from that used in Red Hat Enterprise Linux 6.0.
fprintd component
When enabled, fingerprint authentication is the default authentication method to unlock a workstation, even if the fingerprint reader device is not accessible. However, after a 30 second wait, password authentication will become available.
evolution component
Evolution's IMAP backend only refreshes folder contents under the following circumstances: when the user switches into or out of a folder, when the auto-refresh period expires, or when the user manually refreshes a folder (that is, using the menu item Folder → Refresh). Consequently, when replying to a message in the Sent folder, the new message does not immediately appear in the Sent folder. To see the message, force a refresh using one of the methods described above.
anaconda component
The clock applet in the GNOME panel has a default location of Boston, USA. Additional locations are added via the applet's preferences dialog. Additionally, to change the default location, left-click the applet, hover over the desired location in the Locations section, and click the Set... button that appears.
xorg-x11-server component, BZ#623169
In some multi-monitor configurations (for example, dual monitors with both rotated), the cursor confinement code produces incorrect results. For example, the cursor may be permitted to disappear off the screen when it should not, or be prevented from entering some areas where it should be allowed to go. Currently, the only workaround for this issue is to disable monitor rotation.

4.12. Tools

coolkey component, BZ#906537
Personal Identity Verification (PIV) Endpoint Cards which support both CAC and PIV interfaces might not work with the latest coolkey update; some signature operations like PKINIT can fail. To work around this problem, downgrade coolkey to the version shipped with Red Hat Enterprise Linux 6.3.
libreport component
Even if the stored credentials are used, the report-gtk utility can report the following error message:
Wrong settings detected for Red Hat Customer Support [..]
To work around this problem, close the dialog window; the Login=<rhn-user> and Password=<rhn-password> credentials in the /etc/libreport/plugins/rhtsupport.conf will be used in the same way they are used by report-rhtsupport.
For more information, refer to this Knowledge Base article.
vlock component
When a user password is used to lock a console with vlock, the console can only be unlocked with the user password, not the root password. That is, even if the first inserted password is incorrect, and the user is prompted to provide the root password, entering the root password fails with an error message.
libreoffice component
LibreOffice contains a number of harmless files used for testing purposes. However, on Microsoft Windows systems, these files can trigger false positive alerts in various anti-virus software, such as Microsoft Security Essentials. For example, the alerts can be triggered when scanning the Red Hat Enterprise Linux 6 ISO file.
gnome-power-manager component
When the computer runs on battery, custom brightness level is not remembered and restored if power saving features like "dim display when idle" or "reduce backlight brightness when idle" are enabled.
rsyslog component
rsyslog does not reload its configuration after a SIGHUP signal is issued. To reload the configuration, the rsyslog daemon needs to be restarted:
~]# service rsyslog restart
parted component
The parted utility in Red Hat Enterprise Linux 6 cannot handle Extended Address Volumes (EAV) Direct Access Storage Devices (DASD) that have more than 65535 cylinders. Consequently, EAV DASD drives cannot be partitioned using parted, and installation on EAV DASD drives will fail. To work around this issue, complete the installation on a non EAV DASD drive, then add the EAV device after the installation using the tools provided in the s390-utils package.

Chapter 5. New Packages

5.1. RHEA-2013:0278 — new packages: dev86 and iasl
5.2. RHEA-2013:0484 — new packages: hypervkvpd
5.3. RHEA-2013:0422 — new packages: libjpeg-turbo
5.4. RHEA-2013:0369 — new packages: pcs
5.5. RHEA-2013:0356 — new package: haproxy
5.6. RHEA-2013:0355 — new package: keepalived
5.7. RHEA-2013:0349 — new packages: linuxptp
5.8. RHEA-2013:0342 — new packages: libitm
5.9. RHEA-2013:0341 — new package: scipy
5.10. RHEA-2013:0340 — new packages: suitesparse
5.11. RHEA-2013:0339 — new packages: tbb
5.12. RHEA-2013:0336 — new package: tuna
5.13. RHEA-2013:0289 — new package: mtdev
5.14. RHEA-2013:0284 — new package: cpupowerutils
5.15. RHEA-2013:0283 — new package: cgdcbxd

5.1. RHEA-2013:0278 — new packages: dev86 and iasl

New dev86 and iasl packages are now available for Red Hat Enterprise Linux 6.
The dev86 and iasl packages are build dependencies of the qemu-kvm package.
This enhancement update adds the dev86 and iasl packages to the 32-bit x862 Optional channels of Red Hat Enterprise Linux 6. (BZ#901677, BZ#901678)
All users who require dev86 and iasl are advised to install these new packages.

5.2. RHEA-2013:0484 — new packages: hypervkvpd

New hypervkvpd packages are now available for Red Hat Enterprise Linux 6.
The hypervkvpd packages contain hypervkvpd, the guest Hyper-V Key-Value Pair (KVP) daemon. Using VMbus, hypervkvpd passes basic information to the host. The information includes guest IP address, fully qualified domain name, operating system name, and operating system release number. An IP injection functionality is also provided which allows you to change the IP address of a guest from the host via the hypervkvpd daemon.
This enhancement update adds the hypervkvpd packages to Red Hat Enterprise Linux 6. For more information about inclusion of, and guest installation support for, Microsoft Hyper-V drivers, refer to the Red Hat Enterprise Linux 6.4 Release Notes. (BZ#850674)
All users who require hypervkvpd are advised to install these new packages. After installing the hypervkvpd packages, rebooting all guest machines is recommended, otherwise the Microsoft Windows server with Hyper-V might not be able to get information from these guest machines.

5.3. RHEA-2013:0422 — new packages: libjpeg-turbo

New libjpeg-turbo packages are now available for Red Hat Enterprise Linux 6.
The libjpeg-turbo packages contain a library of functions for manipulating JPEG images. They also contain simple client programs for accessing the libjpeg functions. These packages provide the same functionality and API as libjpeg but with better performance.
This enhancement update adds the libjpeg-turbo packages to Red Hat Enterprise Linux 6. (BZ#788687)
All users who require libjpeg-turbo are advised to install these new packages.

5.4. RHEA-2013:0369 — new packages: pcs

New pcs packages are now available for Red Hat Enterprise Linux 6.
The pcs packages provide a command-line tool and graphical web interface to configure and manage pacemaker and corosync.
This enhancement update adds the pcs package as a Technology Preview. (BZ#657370)
More information about Red Hat Technology Previews is available here:
All users who want to use the pcs Technology Preview are advised to install these new packages.

5.5. RHEA-2013:0356 — new package: haproxy

A new haproxy package is now available for Red Hat Enterprise Linux 6.
The haproxy package provides a reliable, high-performance network load balancer for TCP and HTTP-based applications. It is particularly suited for web sites crawling under very high loads while needing persistence or Layer7 processing.
This enhancement update adds the haproxy package to Red Hat Enterprise Linux 6 as a Technology Preview. (BZ#846067)
More information about Red Hat Technology Previews is available at
All users who want to use the haproxy Technology Preview should install this newly-released package, which adds this enhancement.

5.6. RHEA-2013:0355 — new package: keepalived

A new keepalived package is now available as a Technology Preview for Red Hat Enterprise Linux 6.
The keepalived package provides simple and robust facilities for load-balancing and high-availability. The load-balancing framework relies on the well-known and widely used Linux Virtual Server kernel module providing Layer4 network load-balancing. The keepalived daemon implements a set of health checkers for load-balanced server pools according to their state. The keepalived daemon also implements the Virtual Router Redundancy Protocol (VRRP), allowing router or director failover to achieve high availability.
This enhancement update adds the keepalived package to Red Hat Enterprise Linux 6 as a Technology Preview. (BZ#846064)
More information about Red Hat Technology Previews is available at
All users who want to use the keepalived Technology Preview should install this newly-released package, which adds this enhancement.

5.7. RHEA-2013:0349 — new packages: linuxptp

New linuxptp packages are now available as a Technology Preview for Red Hat Enterprise Linux 6.
The Linux PTP project is a software implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux. These packages provide a robust implementation of the standard and use the most relevant and modern Application Programming Interfaces (API) offered by the Linux kernel. Supporting legacy APIs and other platforms is not a goal.
This enhancement update adds the linuxptp packages to Red Hat Enterprise Linux 6 as a Technology Preview. (BZ#848856)
More information about Red Hat Technology Previews is available here:
All users who want to use the linuxptp Technology Preview should install these newly-released packages, which add this enhancement.

5.8. RHEA-2013:0342 — new packages: libitm

New libitm packages are now available for Red Hat Enterprise Linux 6.
The libitm packages contain the GNU Transactional Memory runtime library that provides GCC transactional memory support.
This enhancement update adds the libitm packages to Red Hat Enterprise Linux 6. (BZ#813301)
All users who require libitm are advised to install these new packages.

5.9. RHEA-2013:0341 — new package: scipy

New scipy packages are now available for Red Hat Enterprise Linux 6.
The SciPy package provides software for mathematics, science, and engineering. The NumPy package, which is designed to manipulate large multi-dimensional arrays of arbitrary records, is the core library for SciPy. The SciPy library is built to work with NumPy arrays and provides various efficient numerical routines, for example routines for numerical integration and optimization.
This enhancement update adds the scipy packages to Red Hat Enterprise Linux 6. (BZ#697530)
All users who require scipy are advised to install these new packages.

5.10. RHEA-2013:0340 — new packages: suitesparse

New suitesparse packages are now available for Red Hat Enterprise Linux 6.
The suitesparse packages are a collection of libraries for computations involving sparse matrices.
This enhancement update adds the suitesparse packages to Red Hat Enterprise Linux 6. (BZ#844974)
All users who require suitesparse should install these new packages.

5.11. RHEA-2013:0339 — new packages: tbb

New tbb packages are now available for Red Hat Enterprise Linux 6.
The tbb packages contain a C++ runtime library that abstracts the low-level threading details necessary for optimal multi-core performance.
This enhancement update adds the tbb packages to Red Hat Enterprise Linux 6. (BZ#844976)
All users who require tbb are advised to install these new packages.

5.12. RHEA-2013:0336 — new package: tuna

A new tuna package is now available for Red Hat Enterprise Linux 6.
The tuna package provides an interface for changing both scheduler and IRQ tunables, at whole CPU, per-thread or per-IRQ levels. tuna allows CPUs to be isolated for use by a specific application and threads and interrupts to be moved to a CPU simply by dragging and dropping them.
This enhancement update adds the tuna package to Red Hat Enterprise Linux 6. (BZ#812455)
All users who require tuna should install this new package.

5.13. RHEA-2013:0289 — new package: mtdev

A new mtdev package is now available for Red Hat Enterprise Linux 6.
The new mtdev package contains a library that converts kernel input events from multitouch protocol A into multitouch protocol B events. Protocol B events provide per-touchpoint tracking which is required by the xorg-x11-drv-evdev and xorg-x11-drv-synaptics packages.
This enhancement update adds the mtdev package to Red Hat Enterprise Linux 6. (BZ#860177)
All users who require mtdev should install this new package.

5.14. RHEA-2013:0284 — new package: cpupowerutils

New cpupowerutils packages are now available for Red Hat Enterprise Linux 6.
The cpupowerutils packages provide a suite of tools to manage power states on appropriately enabled central processing units (CPU).
This enhancement update adds the cpupowerutils packages to Red Hat Enterprise Linux 6. (BZ#697418)
All users who require cpupowerutils are advised to install these new packages.

5.15. RHEA-2013:0283 — new package: cgdcbxd

New cgdcbxd packages are now available for Red Hat Enterprise Linux 6.
The cgdcbxd packages provide a daemon to manage the priority of network traffic in Data Center Bridging (DCB) enabled environments. By using the information exchanged over the DCB Capability Exchange Protocol (DCBX) on a LAN, cgdcbxd enforces network priority on running applications on your host with the net_prio cgroup.
This enhancement update adds the cgdcbxd packages to Red Hat Enterprise Linux 6. (BZ#835171)
All users who require cgdcbxd are advised to install these new packages.

Chapter 6. Updated Packages

6.1. 389-ds-base
6.2. abrt, libreport and btparser
6.3. alsa-utils
6.4. amanda
6.5. anaconda
6.6. authconfig
6.7. autofs
6.8. automake
6.9. avahi
6.10. bacula
6.11. bash
6.12. bfa-firmware
6.13. bind-dyndb-ldap
6.14. bind
6.15. binutils
6.16. biosdevname
6.17. bridge-utils
6.18. brltty
6.19. btrfs-progs
6.20. ccid
6.21. cdrkit
6.22. certmonger
6.23. cifs-utils
6.24. clustermon
6.25. cluster and gfs2-utils
6.26. control-center
6.27. coolkey
6.28. Core X11 Libraries
6.29. Core X11 clients
6.30. corosync
6.31. cpuspeed
6.32. crash
6.33. createrepo
6.34. ctdb
6.35. curl
6.36. cvs
6.37. dash
6.38. device-mapper-multipath
6.39. dhcp
6.40. dnsmasq
6.41. docbook-utils
6.42. dovecot
6.43. dracut
6.44. dropwatch
6.45. dvd+rw-tools
6.46. e2fsprogs
6.47. eclipse-nls
6.48. environment-modules
6.49. espeak
6.50. ethtool
6.51. evolution-data-server
6.52. evolution
6.53. fcoe-target-utils
6.54. fcoe-utils
6.55. febootstrap
6.56. fence-agents
6.57. fence-virt
6.58. file
6.59. firstboot
6.60. ftp
6.61. gawk
6.62. gcc
6.63. gdb
6.64. gdm
6.65. gd
6.66. geronimo-specs
6.67. glibc
6.68. gnome-desktop
6.69. gnome-packagekit
6.70. gnome-screensaver
6.71. gnome-settings-daemon
6.72. gnome-terminal
6.73. gnutls
6.74. graphviz
6.75. grub
6.76. gstreamer-plugins-base
6.77. gtk2
6.78. gvfs
6.79. hivex
6.80. hplip
6.81. hsqldb
6.82. httpd
6.83. hwdata
6.84. hwloc
6.85. icedtea-web
6.86. initscripts
6.87. iok
6.88. ipa
6.89. iproute
6.90. iprutils
6.91. iptables
6.92. irqbalance
6.93. irssi
6.94. iscsi-initiator-utils
6.95. jss
6.96. kabi-whitelists
6.97. kdebase
6.98. kdebase-workspace
6.99. kdelibs3
6.100. kdelibs
6.101. kdepim
6.102. kernel
6.103. kexec-tools
6.104. krb5
6.105. ksh
6.106. ledmon
6.107. libburn
6.108. libcgroup
6.109. libdbi
6.110. libdvdread
6.111. libguestfs
6.112. libhbaapi
6.113. libhbalinux
6.114. libical
6.115. libica
6.116. libldb
6.117. libqb
6.118. libsemanage
6.119. libsoup
6.120. libssh2
6.121. libtalloc
6.122. libtdb
6.123. libtevent
6.124. libusb1
6.125. libvirt-cim
6.126. libvirt-java
6.127. libvirt
6.128. libwacom
6.129. lldpad
6.130. lm_sensors
6.131. logrotate
6.132. lohit-telugu-fonts
6.133. luci
6.134. lvm2
6.135. mailman
6.136. man-pages-overrides
6.137. man-pages
6.138. man
6.139. matahari
6.140. mcelog
6.141. mdadm
6.142. mesa
6.143. microcode_ctl
6.144. mlocate
6.145. mod_authz_ldap
6.146. mod_nss
6.147. mod_revocator
6.148. module-init-tools
6.149. mod_wsgi
6.150. mrtg
6.151. mt-st
6.152. netcf
6.153. net-snmp
6.154. NetworkManager
6.155. nfs-utils-lib
6.156. nfs-utils
6.157. nss-pam-ldapd
6.158. nss, nss-util, nspr
6.159. ntp
6.160. numactl
6.161. numad
6.162. openchange
6.163. OpenIPMI
6.164. openldap
6.165. openscap
6.166. openssh
6.167. openssl
6.168. pacemaker
6.169. PackageKit
6.170. pam
6.171. parted
6.172. pciutils
6.173. pcre
6.174. pcsc-lite
6.175. perl-GSSAPI
6.176. perl-IPC-Run3
6.177. perl-IPC-Run
6.178. perl-SOAP-Lite
6.179. perl-Sys-Virt
6.180. perl
6.181. php
6.182. piranha
6.183. pki-core
6.184. plymouth
6.185. pm-utils
6.186. policycoreutils
6.187. powerpc-utils
6.188. ppc64-diag
6.189. procps
6.190. pykickstart
6.191. PyQt4
6.192. python-ethtool
6.193. python-nss
6.194. python-paste
6.195. python-psycopg2
6.196. python-rhsm
6.197. python-rtslib
6.198. python
6.199. python-virtinst
6.200. qemu-kvm
6.201. ql2400-firmware
6.202. ql2500-firmware
6.203. qt
6.204. quota
6.205. rdesktop
6.206. rdma
6.207. redhat-lsb
6.208. redhat-release
6.209. redhat-rpm-config
6.210. Red Hat Enterprise Linux Release Notes
6.211. resource-agents
6.212. rgmanager
6.213. rhn-client-tools
6.214. ricci
6.215. rpcbind
6.216. rpmdevtools
6.217. rpm
6.218. rsyslog
6.219. s390utils
6.220. samba4
6.221. samba
6.222. scl-utils
6.223. seabios
6.224. selinux-policy
6.225. setroubleshoot
6.226. setup
6.227. slapi-nis
6.228. slf4j
6.229. smartmontools
6.230. sos
6.231. spice-gtk
6.232. spice-protocol
6.233. spice-server
6.234. spice-vdagent
6.235. spice-xpi
6.236. squid
6.237. sssd
6.238. strace
6.239. subscription-manager-migration-data
6.240. subscription-manager
6.241. sudo
6.242. sysfsutils
6.243. syslinux
6.244. system-config-kdump
6.245. system-config-kickstart
6.246. system-config-language
6.247. system-config-lvm
6.248. system-config-users
6.249. systemtap
6.250. tar
6.251. tboot
6.252. tcsh
6.253. tigervnc
6.254. tog-pegasus
6.255. tomcat6
6.256. trace-cmd
6.257. tuned
6.258. udev
6.259. usbredir
6.260. util-linux-ng
6.261. valgrind
6.262. vgabios
6.263. virtio-win
6.264. virt-manager
6.265. virt-top
6.266. virt-v2v
6.267. virt-viewer
6.268. virt-what
6.269. virt-who
6.270. wdaemon
6.271. wget
6.272. wpa_supplicant
6.273. x3270
6.274. xfsdump
6.275. xfsprogs
6.276. xinetd
6.277. X.Org Legacy Input Drivers
6.278. xorg-x11-drv-ati
6.279. xorg-x11-drv-evdev
6.280. xorg-x11-drv-intel
6.281. xorg-x11-drv-nouveau
6.282. xorg-x11-drv-qxl
6.283. xorg-x11-drv-synaptics
6.284. xorg-x11-drv-vmmouse
6.285. xorg-x11-drv-wacom
6.286. xorg-x11-server
6.287. xorg-x11
6.288. xorg-x11-xkb-utils
6.289. yaboot
6.290. ypbind
6.291. ypserv
6.292. yum-rhn-plugin
6.293. yum
6.294. zlib

6.1. 389-ds-base

Updated 389-ds-base packages that fix one security issue, a number of bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE link(s) associated with each description below.
The 389-ds-base packages provide 389 Directory Server, which is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.

Upgrade to an upstream version

The 389-ds-base packages have been upgraded to upstream version 1.2.11, which provides a number of bug fixes and enhancements over the previous version. (BZ#800051)

Security Fixes

CVE-2012-4450
A flaw was found in the way 389 Directory Server enforced ACLs after performing an LDAP modify relative distinguished name (modrdn) operation. After modrdn was used to move part of a tree, the ACLs defined on the moved Distinguished Name (DN) were not properly enforced until the server was restarted. This could allow LDAP users to access information that should be restricted by the defined ACLs.
This issue was discovered by Noriko Hosoi of Red Hat.

Bug Fixes

BZ#742054
Previously, 389 Directory Server did not support the Simple Authentication and Security Layer (SASL) PLAIN mechanism. This mechanism has been added to the list of supported SASL mechanisms.
BZ#742381
Due to certain changes under the cn=config suffix, when an attribute value was deleted and then added back in the same modify operation, error 53 was returned. Consequently, the configuration could not be reset. This update allows delete operations to succeed if the attribute is added back in the same modify operation and reset the configuration file as expected.
BZ#757836
Previously, the logconv.pl script used a connection number equal to 0 (conn=0) as a restart point, which caused the script to return incorrect restart statistics. The underlying source code has been modified and 389 Directory Server is now configured to use connection number equal to 1 (conn=1) as the restart point.
BZ#803873
The Windows Sync feature uses the name in a search filter to perform an internal search to find an entry. Parentheses, ( and ), are special characters in the LDAP protocol and therefore must be escaped. However, an attempt to synchronize an entry containing parentheses in the name from an Active Directory (AD) server failed with an error. With this update, 389 Directory Server properly escapes the parentheses and synchronization now proceeds as expected.
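What escaping a name for use in a search filter looks like, as an added example that is not taken from 389 Directory Server: the function applies the RFC 4515 escapes for backslash, asterisk and parentheses before the value is placed in a filter. The function names, the cn attribute and the sample names are assumptions made for illustration.

```shell
#!/bin/sh
# ldap_escape_filter_value VALUE
# Escape the characters that are special inside an LDAP search filter value
# (RFC 4515): "\" -> \5c, "*" -> \2a, "(" -> \28, ")" -> \29.
# The backslash is handled first so that the escapes added afterwards are
# not escaped a second time. NUL (\00) cannot occur in a shell string.
ldap_escape_filter_value() {
    printf '%s' "$1" |
        sed -e 's/\\/\\5c/g' \
            -e 's/\*/\\2a/g' \
            -e 's/(/\\28/g' \
            -e 's/)/\\29/g'
}

# build_name_filter ATTRIBUTE VALUE
# Build an equality filter with the value escaped.
build_name_filter() {
    printf '(%s=%s)' "$1" "$(ldap_escape_filter_value "$2")"
}

# build_name_filter_unescaped ATTRIBUTE VALUE
# The same filter without escaping, kept only for comparison: parentheses in
# the value unbalance the filter, so the search fails or matches the wrong
# thing.
build_name_filter_unescaped() {
    printf '(%s=%s)' "$1" "$2"
}

# Constructed sample name containing parentheses.
sample_name='Sales (EMEA)'

printf 'unescaped: %s\n' "$(build_name_filter_unescaped cn "$sample_name")"
printf 'escaped:   %s\n' "$(build_name_filter cn "$sample_name")"
```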
BZ#818762
When an entry in a directory server (DS) had the same user name, group name, or both as an entry in AD, and the AD entry was out of scope of the Windows Sync feature, the DS entry was deleted. This update adds the new winSyncMoveAction DS attribute for the Windows Sync agreement entry, which allows the user to specify the behavior of out-of-scope AD entries. The value can be set to:
  • none, which means that an out-of-scope AD entry does nothing to the corresponding DS entry;
  • delete, which means that an out-of-scope AD entry deletes the corresponding DS entry;
  • unsync, which means that an out-of-scope AD entry is unsynchronized with the corresponding DS entry and changes made to either entry are not synchronized.
By default, the value is set to none, which fixes this bug.
BZ#830334
Due to an incorrect interpretation of an error code, a directory server considered an invalid chaining configuration setting as the disk full error and shut down unexpectedly. This bug has been fixed by using the correct error code and a directory server now no longer terminates due to an invalid chaining of a configuration setting.
BZ#830335
Previously, restoring an ldif file from a replica, which had older changes that other servers did not see yet, could lead to these updates not being replicated to other replicas. With this update, 389 Directory Server checks the Change Sequence Numbers (CSNs) and allows the older updates to be replicated. As a result, all replicas remain synchronized.
BZ#830336
When a directory server was under a heavy read and write load, and an update request was processed, the following error message or other similar DB_LOCK_DEADLOCK error messages appeared in the error log:
entryrdn-index - _entryrdn_put_data: Adding the parent link (XXX) failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
These errors are common under these circumstances and there is no need to report them in the error log. With this update, 389 Directory Server ensures that these errors are handled properly and no longer logs these messages in the error log.
BZ#830337
When a directory server was configured to use multi-master replication and the Entry USN plug-in, the delete operation was not replicated to the other masters. This update modifies the Entry USN plug-in to prevent it from changing the delete operation into a delete tombstone operation, and from removing the operation before it logs into the change log to replay to other servers. As a result, the delete operation is replicated to all servers as expected.
BZ#830338
Previously, 389 Directory Server did not refresh its Kerberos cache. Consequently, if a new Kerberos ticket was issued for a host that had already authenticated against a directory server, it would be rejected by this server until it was restarted. With this update, the Kerberos cache is flushed after an authentication failure and 389 Directory Server works as expected in the described scenario.
BZ#830343
Using the Managed Entry plug-in in conjunction with other plug-ins, such as Distributed Numeric Assignment (DNA), Member of, and Auto Member, led to problems with delete operations on entries that managed the Managed Entry plug-in. The manager entry was deleted, but the managed entry was not. The deadlock retry handling has been improved so that both entries are deleted during the same database operation.
BZ#830344
Previously, replication errors logged in the error log could contain incorrect information. With this update, the replication errors have been modified to be more useful in diagnosing and fixing problems.
BZ#830346
When audit logging in a directory server was enabled, LDAP ADD operations were ignored and were not logged. This update removes a regression in the audit log code that caused the ADD operation to be ignored, and LDAP ADD operations are now logged to the audit log as expected.
BZ#830348
389 Directory Server with a large number of replication agreements took a considerable amount of time to shut down due to a long sleep interval coded in the replication stop code. This sleep interval has been reduced to speed up the system termination.
BZ#830349
Previously, in a SASL map definition, using a compound search filter that included the & character failed because the & character was escaped. The underlying source code has been modified and searching with a filter that includes the & character works as expected.
BZ#830353
When 389 Directory Server used the Managed Entry plug-in or the DNA plug-in, the valgrind tool reported memory errors and leaks. With this update, a patch has been applied to prevent these problems, and memory is now used and deleted correctly.
BZ#832560
When replication was configured and a conflict occurred, under certain circumstances, an error check did not reveal this conflict, because a to-be-deleted attribute was already deleted by another master. Consequently, the conflict terminated the server. This update improves error checks to prevent replication conflicts from crashing the server.
BZ#833202
Previously, internal entries that were in the cache were freed when retrying failed transactions due to a deadlock. This behavior caused problems in a directory server and this server could terminate under a heavy update load. With this update, the cached internal entries are no longer freed and directory servers do not crash in the described scenario.
BZ#833218
Due to improper deadlock handling, the database reported an error instead of retrying the transaction. Consequently, under a heavy load, the directory server got deadlock errors when attempting to write to the database. The deadlock handling has been fixed and 389 Directory Server works as expected in such a case.
BZ#834047
Internal access control prohibited deleting newly added or modified passwords. This update allows the user to delete any password if they have the modify rights.
BZ#834054
Certain operations, other than LDAP Modify operations, can cause the 389 Directory Server to modify internal attributes. For example, a BIND operation can cause updates to password failure counters. In these cases, 389 Directory Server was updating attributes that could only be updated during an explicit LDAP Modify operation, such as the modifyTimestamp attribute. This update adds a new internal flag to skip the update of these attributes during operations other than Modify.
BZ#834056
Due to an invalid configuration setup in the Auto Member plug-in, the directory server became unresponsive under certain circumstances. With this update, the configuration file is validated, invalid configurations are not allowed, and the server no longer hangs.
BZ#834057
When using SNMP monitoring, 389 Directory Server terminated at startup due to multiple LDAP servers listed in the ldap-agent.conf file. With this update, the buffer between LDAP servers no longer resets and 389 Directory Server starts up regardless of the number of LDAP servers listed in the configuration file.
BZ#834064
Previously, the dnaNextValue counter was incremented in the pre-operation stage. Consequently, if the operation failed, the counter was still incremented. This bug has been fixed and the dnaNextValue counter is not incremented if the operation fails.
BZ#834065
When a replication agreement was added without the LDAP BIND credentials, the replication process failed with a number of errors. With this update, 389 Directory Server validates the replication configuration and ensures that all needed credentials are supplied. As a result, 389 Directory Server rejects invalid replication configuration before attempting to replicate with invalid credentials.
BZ#834075
Previously, the logconv.pl script did not grab the correct search base, and as a consequence, the searching statistics were invalid. A new hash has been created to store connections and operation numbers from search operations. As a result, logconv.pl now grabs the correct search base and no longer produces incorrect statistics.
BZ#838706
When using the Referential Integrity plug-in, renaming a user DN did not rename the user's DN in the user's groups, unless that case matched exactly. With this update, case-insensitive comparisons or DN normalizations are performed, so that the member attributes are updated when the user is renamed.
BZ#840153
Previously, the Attribute Uniqueness plug-in did comparisons of un-normalized values. Consequently, using this plug-in and performing the LDAP RENAME operation on an entry containing one of the attributes which were tested for uniqueness by this plug-in caused the LDAP RENAME operation to fail with the following error:
Constraint Violation - Another entry with the same attribute value already exists.
With this update, Attribute Uniqueness ensures that comparisons are performed between values which were normalized the same way, and LDAP RENAME works as expected in this situation.
BZ#841600
When the Referential Integrity plug-in was used with a delay time greater than 0, and the LDAP RENAME operation was performed on a user entry with DN specified by one or more group entries under the scope of the Referential Integrity plug-in, the user entry DN in the group entries did not change. The underlying source code has been modified and LDAP RENAME operations work as expected in the described scenario.
BZ#842437
Previously, the DNA plug-in could leak memory in certain cases for certain MODIFY operations. This update applies a patch to fix this bug and the modifications are freed as expected with no memory leaks.
BZ#842438
To improve performance, the entry cache size is supposed to be larger than the primary database size if possible. Previously, 389 Directory Server did not alert the user that the size of the entry cache was too small. Consequently, the user could not notice that the size of the entry cache was too small and that they should enlarge it. With this update, the configured entry cache size and the primary database size are examined, and if the entry cache is too small, a warning is logged in the error log.
BZ#842440
Previously, the Memberof plug-in code executed redundant DN normalizations and therefore slowed down the system. The underlying source code has been modified to eliminate redundant DN normalizations.
BZ#842441
Previously, the directory server could disallow changes that were made to the nsds5ReplicaStripAttrs attribute using the ldapmodify operation. Consequently, the attribute could only be set manually in the dse.ldif file when the server was shut down. With this update, the user is now able to set the nsds5ReplicaStripAttrs attribute using the ldapmodify operation.
BZ#850683
Previously, 389 Directory Server did not check attribute values for the nsds5ReplicaEnabled feature which caused this feature to be disabled. With this update, 389 Directory Server checks if the attribute value for nsds5ReplicaEnabled is valid and reports an error if it is not.
BZ#852088
When multi-master replication or database chaining was used with the TLS/SSL protocol, a server using client certificate-based authentication was unable to connect and connection errors appeared in the error log. With this update, the internal TLS/SSL and certificate setup is performed correctly and communication between servers works as expected.
BZ#852202
Previously, there was a race condition in the replication code. When two or more suppliers were attempting to update a heavily loaded consumer at the same time, the consumer could, under certain circumstances, switch to total update mode, erase the database, and abort replication with an error. The underlying source code has been modified to prevent the race condition. As a result, the connection is now protected against access from multiple threads and multiple suppliers.
BZ#852839
Due to the use of an uninitialized variable, a heavily loaded server processing multiple simultaneous delete operations could terminate unexpectedly under certain circumstances. This update provides a patch that initializes the variable properly and the directory server no longer crashes under these circumstances.
BZ#855438
Due to an incorrect attempt to send the cleanallruv task to the Windows WinSync replication agreements, the task became unresponsive. With this update, the WinSync replication agreements are ignored and the cleanallruv task no longer hangs in the described scenario.
BZ#856657
Previously, the dirsrv init script always returned 0, even when one or all the defined instances failed to start. This update applies a patch that improves the underlying source code and dirsrv no longer returns 0 if any of the defined instances failed.
BZ#858580
The schema reload task reloads schema files in the schema directory. Simultaneously, Directory Server has several internal schemas which are not stored in the schema directory. These schemas were lost after the schema reload task was executed. Consequently, adding a posixAccount class failed. With this update, the internal schemas are stashed in a hash table and reloaded with external schemas. As a result, adding a posixAccount is successful.
BZ#863576
When abandoning a Simple Paged Result request, 389 Directory Server tried to acquire a connection lock twice, and because the connection lock is not self reentrant, 389 Directory Server was waiting for the lock forever and stopped the server. This update provides a patch that eliminates the second lock and 389 Directory Server works as expected in the described scenario.
BZ#864594
Previously, Anonymous Resource Limits applied to the Directory Manager. However, the Directory Manager should never have any limits. With this update, Anonymous Resource Limits no longer apply to Directory Manager.
BZ#868841
Even if an entry in AD did not contain all the required attributes for the POSIX account entry, the entry was synchronized to the DS as a POSIX entry. Consequently, the synchronization failed due to a missing attribute error. With this update, if an entry does not have all the required attributes, the POSIX account related attributes are dropped and the entry is synchronized as an ordinary entry. As a result, the synchronization is successful.
BZ#868853
When enabling replication level logging, the Windows Sync feature prints out what version of Windows or AD it detects. Previously, if the feature detected Windows Server 2003 or later, it printed out the following message:
detected win2k3 peer
This message could be confusing for users who had a later version of Windows, such as Windows Server 2008. This update modifies the message and now the following message is printed out:
detected win2k3 or later peer
BZ#870158
When a directory server was under a heavy load, deleting entries using the Entry USN feature caused tombstone entry indexes to be processed incorrectly. Consequently, the server could become unresponsive. This update fixes 389 Directory Server to process tombstone indexes correctly, so that the server no longer hangs in this situation.
BZ#870162
Previously, the abandon request checked if the operation to abandon existed. When a search operation was already finished and an operation object had been released, a Simple Paged Results request could fail due to this check. This update modifies 389 Directory Server to skip operation existence checking, so that Simple Paged Results requests are always successfully aborted.
BZ#875862
Previously, the DNA plug-in attempted to dereference a NULL pointer value for the dnaMagicRegen attribute. Consequently, if DNA was enabled with no dnamagicregen value specified in its configuration and an entry with an attribute that triggered the DNA value generation was added, the server could terminate unexpectedly. This update improves the 389 Directory Server to check for an empty dnamagicregen value before it attempts to dereference this value. As a result, 389 Directory Server no longer crashes if no dnamagicregen attribute is specified.
BZ#876694
Previously, the code that checks whether a new superior entry exists returned the No such object error only when the operation was requested by the directory manager. Consequently, if an ordinary non-root user attempted to use the modrdn operation to move an entry to a non-existing parent, the server terminated unexpectedly. This update provides a patch that removes the operator condition so that the check returns the No such object error even if the requester is an ordinary user, and a modrdn operation that targets a non-existing parent now fails cleanly for any user.
BZ#876727
If a filter contained a range search, the search retrieved one ID per one idl_fetch attribute and merged it to the ID list using the idl_union() function. This process is slow, especially when the range search result size is large. With this update, 389 Directory Server switches to ALLID mode by using the nsslapd-rangelookthroughlimit switch instead of creating a complete ID list. As a result, the range search takes less time.
BZ#889083
Previously, if an entry was added or created without plug-in interference, the nsslapd-plugin-track-binddn feature filled the value of the internalModifiersname and internalCreatorsname attributes with the original bind DN instead of the name of the actual plug-in that modified or added the entry. This behavior is undesired; thus the nsslapd-plugin-track-binddn has been modified to always show the name of the actual plug-in that performed these operations.
BZ#891930
In previous versions of the 389-ds-base packages, an attempt to add a new entry to the DNA plug-in when the range of values was depleted caused the following error message to be returned:
ipa: ERROR: Operations error: Allocation of a new value for range cn=posix
ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed!
Unable to proceed.
This message was missing all additional information in recent versions of the 389-ds-base packages. With this update, a patch is applied to provide the returned error message with additional information.
BZ#896256
Previously, an upgrade of the 389-ds-base packages affected configuration files. Consequently, custom configuration files were reverted to their defaults. This update provides a patch to ensure that custom changes in configuration files are preserved during the upgrade process.
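The BZ#830349 fix above concerns escaping in SASL map search filters. The following Python example is added here for illustration and is not 389 Directory Server code: it escapes only the substituted identity values (RFC 4515) and leaves the template's & operator untouched. The sample regex, the filter template, the \1 placeholder convention and all function names are assumptions made for this example.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample mapping (Python regex syntax, not a shipped configuration).
SAMPLE_REGEX = r"([^@]+)@(.+)"
SAMPLE_FILTER_TEMPLATE = r"(&(uid=\1)(objectClass=inetOrgPerson))"


def escape_filter_value(value):
    """Escape one assertion value so it cannot change the filter structure."""
    return "".join(RFC4515_ESCAPES.get(ch, ch) for ch in value)


def expand_filter_template(template, groups):
    """Replace \\1..\\9 in the template with escaped capture groups.

    Only substituted values are escaped; the template's own operators
    (&, |, !, parentheses) stay as the administrator wrote them.
    Assumption: the template itself contains no RFC 4515 hex escapes.
    """
    def substitute(match):
        index = int(match.group(1))
        if index > len(groups):
            raise ValueError("template references missing group %d" % index)
        return escape_filter_value(groups[index - 1])

    # A function replacement is inserted literally, so the backslashes
    # produced by escape_filter_value() are not reinterpreted by re.sub().
    return re.sub(r"\\([1-9])", substitute, template)


def map_sasl_identity(identity, regex=SAMPLE_REGEX, template=SAMPLE_FILTER_TEMPLATE):
    """Return the search filter for a SASL identity, or None if it does not match."""
    match = re.fullmatch(regex, identity)
    if match is None:
        return None
    return expand_filter_template(template, match.groups())


def escape_finished_filter(filter_text):
    """Hypothetical illustration of the failure class: escaping the finished
    filter turns the compound operator into a literal, so the filter is no
    longer an AND of its parts."""
    return filter_text.replace("&", r"\26")


def top_level_operator(filter_text):
    """Return the character that follows the filter's opening parenthesis."""
    if filter_text.startswith("(") and len(filter_text) > 1:
        return filter_text[1]
    return ""


if __name__ == "__main__":
    for identity in ("jdoe@EXAMPLE.COM", "*)(uid=*@EXAMPLE.COM"):
        print(identity, "->", map_sasl_identity(identity))
```

The second identity in the demo loop contains filter metacharacters; after expansion they appear only as hex escapes inside the uid value, so the filter still has exactly two AND-ed terms.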

Enhancements

BZ#746642
This update allows the PAM Pass-through plug-in to pass through the authentication process to different PAM stacks, based on domain membership or some property of the user entry, or both. Users can now log in to Red Hat Directory Server using the credentials and account data from the correct AD server.
BZ#768084
This enhancement improves the automember plug-in to check existing entries and writes out the changes which occur if these entries are added.
BZ#782975
Previously, certain BINDs could cause only entries with the modifiersname or modifyTimestamp attribute to be updated. This behavior led to unnecessary replication traffic. This enhancement introduces a new replication feature to decrease replication traffic caused by BINDs.
BZ#830331
This enhancement adds the new Disk Monitoring plug-in. When disk partitions fill up, Disk Monitoring returns a warning.
BZ#830340
Previously, two tasks had to be performed to clean an entire replication environment: the clean task and the release task. With this update, these tasks are incorporated in the Cleanallruv feature.
BZ#830347
Previously, the Paged Results search was allowed to perform only one request per connection. If the user used one connection, multiple Paged Results requests were not supported. This update adds support for multiple Paged Results requests.
BZ#830355
With this enhancement, obsolete elements in the Database Replica Update Vector (RUV) can be removed with the CLEANRUV operation, which removes them on a single supplier or master.
BZ#833222
This enhancement improves the memberOf plug-in to work across multiple back ends or suffixes.
BZ#834046
With this update, the Directory Server schema has been updated with the nsTLS1 attribute to make TLS/SSL configuration easier.
BZ#834049
With this update, the Directory Server schema has been updated to include the DNA plug-in attributes.
BZ#834052
This enhancement improves the Access Control feature to control the Directory Manager account.
BZ#834053
This enhancement adds the ability to execute internal modification operations without changing the operational modifiersname attribute.
BZ#834058
With this update, the logconv.pl script has been enhanced with the getopts() function.
BZ#834060
Previously, the password lockout process was triggered not when the maximum number of tries was reached, but on the attempt after that. This behavior was not consistent with other vendors' LDAP servers. This enhancement adds a new option which allows users to specify the behavior of password lockout.
BZ#834061
Previously, DS did not include the SO_KEEPALIVE settings and connections could not be closed properly. This enhancement implements the SO_KEEPALIVE settings to the DS connections.
BZ#834063
With this update, the new passwordTrackUpdateTime attribute has been added. This attribute records a timestamp when the password was last changed.
BZ#834074
This enhancement adds the new nsds5ReplicaEnabled attribute to the replication agreement. If the replication agreement is disabled, it appears to be removed, but can be easily re-enabled and resumed.
BZ#847868
Previously, the Windows Sync plug-in did not support the RFC 2307 and 2307bis types of POSIX schema which supports Windows Active Directory (AD). Under these circumstances, users had to synchronize data between AD and DS manually which could return errors. This enhancement changes the POSIX attributes to prevent these consequences.

Note

Note that for the initial release, when adding new user and group entries to the DS, the POSIX attributes are not synchronized with AD. Adding new user and group entries to AD synchronizes to DS, and modifying attributes synchronizes both ways.
BZ#852087
This enhancement improves the Directory Server schema to allow setting up an access control for the nsslapd-readonly attribute.
All users of 389-ds-base are advised to upgrade to these updated packages, which correct this issue and provide numerous bug fixes and enhancements. After installing this update, the 389 server service will be restarted automatically.

6.2. abrt, libreport and btparser

Updated abrt, libreport and btparser packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
ABRT is a tool to help users to detect defects in applications and to create a problem report with all the information needed by a maintainer to fix it. ABRT uses a plug-in system to extend its functionality.
The libreport libraries provide an API for reporting different problems in applications to different bug targets like Bugzilla, ftp, and trac.
The btparser utility is a backtrace parser and analyzer library, which works with backtraces produced by the GNU Project Debugger. It can parse a text file with a backtrace into a tree of C structures, which makes it possible to analyze the threads and frames of the backtrace and process them.

Upgrade to an upstream version

The btparser packages have been upgraded to upstream version 0.17, which provides a number of bug fixes and enhancements over the previous version. (BZ#846667)

Bug Fixes

BZ#799909
When the user attempted to remove a non-existing problem directory using the abrt-cli utility, abrt-cli emitted a confusing error message, such as in the following example:
# abrt-cli rm sdfsdf
'sdfsdf' does not exist
Can't connect to '/var/run/abrt/abrt.socket': Connection refused
With this update, abrt-cli has been modified to display only a message informing that such a problem directory does not exist.
BZ#808721, BZ#814594
When multiple kernel oopses occur in a short period of time, ABRT saves only the first oops because the later oopses are mostly only consequences of the first problem. However, ABRT sorted the processed oopses incorrectly so that the last oops that occurred was saved instead of the first oops. With this update, ABRT has been modified to process multiple kernel oopses in the correct order so that ABRT now saves the first oops as expected.
BZ#810309
Due to incorrect configuration, ABRT attempted to use the abrt-bodhi command, which is not available in Red Hat Enterprise Linux, while analyzing a backtrace. As a consequence, the user could see the following error message in the problem backtrace:
/bin/sh: line 6: abrt-bodhi: command not found
However, the error message had no influence on the problem reporting process. This update corrects the ABRT configuration so that the abrt-bodhi command is removed from the analyzer events and the error message no longer occurs.
BZ#811901
Previously, ABRT expected the dbus-send command to be always present on a system. However, ABRT does not depend on the related dbus package so there is no guarantee that the command is installed on the system. Therefore, when processing events that use the dbus-send command and the dbus package was not installed, ABRT emitted the following error message to the system log:
abrtd: /bin/sh: dbus-send: command not found
With this update, ABRT has been modified to verify the existence of dbus-send before attempting to call this command. The aforementioned error messages no longer occur in the system log.
BZ#813283
Previously, when running the report-gtk command with a non-existing problem directory, ABRT GUI attempted to process the problem directory. As a consequence, the terminal was flooded with GTK error messages. With this update, the ABRT GUI has been modified to no longer process non-existing problem directories. GUI now only prints a message informing that the processed directory does not exist and exits gracefully.
BZ#817051
The report tool always had to be executed from a problem directory even to perform actions which do not require the problem directory, such as adding an attachment to the existing bug report. When running from a directory that was not a problem directory, the report tool failed with the following error message:
'.' is not a problem directory
With this update, the report tool has been modified to not require a problem directory if the "-t" option is specified. The report tool can now be used to update existing bug reports without a need to run inside a problem directory.
BZ#815339, BZ#828673
Due to an error in the default libreport configuration, ABRT attempted to run the reporter-bugzilla command, which is not installed by default. This caused the following warning message to appear during problem reporting:
/bin/sh: line 4: reporter-bugzilla: command not found
However, the reporting process was not affected by this warning message. With this update, the default configuration of libreport has been corrected and reporter-bugzilla is no longer called by ABRT in the default configuration. The aforementioned warning message is no longer displayed during the reporting process.
BZ#820475
Previously, the abrt-ccpp init script did not emit any status message so that the service abrt-ccpp status command did not display any output. This update corrects the abrt-ccpp init script so that if the abrt-ccpp service is running the "abrt-ccpp hook is installed" message is displayed. If abrt-ccpp is stopped, the "abrt-ccpp hook is not installed" message appears.
BZ#826745
Certain ABRT libraries were previously built with wrong linker parameters and when running prelink on these libraries, the process returned error messages that the library contains "undefined non-weak symbols". With this update, the related makefiles have been corrected and the aforementioned errors no longer occur during prelink phase.
BZ#826924
ABRT ran the sosreport utility whenever a problem was detected. However, if the detected problem was caused by sosreport, ABRT could run sosreport in an infinite loop. Consequently, abrtd became unresponsive with extensive consumption of system resources. This update modifies ABRT to ignore consequent crashes in the same component that occur within a 20-second time period. The abrtd daemon no longer hangs if sosreport crashes.
BZ#847227
ABRT previously moved captured vmcore files from the default location in the /var/crash/ directory to the /var/spool/abrt/ directory. This affected the functioning of various tools that expected a vmcore file to be present in the /var/crash/ directory. This update modifies ABRT to use the CopyVMcore configuration option to specify whether to copy or move the core file. By default, ABRT no longer moves vmcore from the /var/crash/ directory but copies it.
BZ#847291
When disk space usage of the /var/spool/abrt/ directory reaches the specified disk space quota, ABRT finds and removes the largest problem directory. However, ABRT was previously unable to handle situations when the largest directory in /var/spool/abrt/ was not a problem directory. ABRT could not remove this directory and entered an infinite loop while searching for the largest directory to be removed. This update modifies ABRT to exclude unknown directories when determining which problem directory needs to be removed. The abrtd daemon no longer hangs in this scenario.
BZ#856960
When configured for centralized crash collection, ABRT previously printed logging credentials in plain text into the /var/log/messages log file on a dedicated system while uploading a crash report. This was a security risk, and so ABRT has been modified to no longer print the libreport-plugin-reportuploader plug-in credentials in log messages.
BZ#873815
When processing a large number of problems, the inotify handling code could become out of sync, causing abrtd to be unable to read inotify events. Eventually, abrtd became unresponsive while trying to read an inotify event. If this happened and a Python application attempted to communicate with ABRT, abrtd and the Python application entered a deadlock situation. The daemon was busy trying to read an incoming inotify event and the Python script was waiting for a response from abrtd, which caused the application to become unresponsive as well. With this update, the ABRT exception handler sets a timeout on the socket used for communication between abrtd and Python scripts, and the inotify handling code has also been modified. The abrtd daemon and Python applications no longer hang. However, under heavy load, the inotify handling code can still become out of sync, which would cause abrtd to stop accepting new problems. If abrtd stops accepting new problems, it has to be restarted to work correctly again.
All users of abrt, libreport and btparser are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
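BZ#856960 above describes uploader credentials reaching /var/log/messages in plain text. The following Python example is added here for illustration and is not ABRT or libreport code: it redacts passwords before a message is logged and finds lines in an existing log that already contain them. It assumes the credentials appear as the user:password part of an upload URL; the log lines, host names and function names are constructed for the example.

```python
import io
import logging
import re

# scheme://user:password@host ; the password may itself contain "@",
# so the greedy match backtracks to the last "@" before the host.
USERINFO_RE = re.compile(
    r"(?P<scheme>\b[a-z][a-z0-9+.-]*://)"
    r"(?P<user>[^\s/:@]+):(?P<password>[^\s/]+)@(?P<host>[^\s/:]*)",
    re.IGNORECASE,
)

# Constructed sample lines; not the real ABRT message format.
SAMPLE_LOG = [
    "Feb 21 10:02:10 collector abrtd: New problem directory "
    "/var/spool/abrt/ccpp-2013-02-21-10:02:09-2211",
    "Feb 21 10:02:11 collector abrt: Sending archive to "
    "scp://abrt:S3cr3t@collector.example.com/var/spool/abrt-upload/",
    "Feb 21 10:02:12 collector abrt: Sending archive to "
    "scp://collector.example.com:22/var/spool/abrt-upload/",
]


def redact(text):
    """Replace the password of every URL in text with a fixed marker."""
    return USERINFO_RE.sub(r"\g<scheme>\g<user>:<redacted>@\g<host>", text)


def find_leaks(lines):
    """Return (line_number, user, host) for each line holding a URL password.

    The password itself is never returned, so the report can be shared.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in USERINFO_RE.finditer(line):
            hits.append((number, match.group("user"), match.group("host")))
    return hits


class RedactingFilter(logging.Filter):
    """Logging filter that redacts the fully formatted message."""

    def filter(self, record):
        # Format first so passwords passed as %s arguments are covered too.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def log_through_filter(fmt, *args):
    """Log one message through RedactingFilter and return what was written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())
    logger = logging.Logger("uploader-demo")  # standalone, not globally registered
    logger.addHandler(handler)
    logger.warning(fmt, *args)
    return stream.getvalue().strip()


if __name__ == "__main__":
    for hit in find_leaks(SAMPLE_LOG):
        print("credential in log line %d (user %s, host %s)" % hit)
    print(log_through_filter("Sending archive to %s",
                             "scp://abrt:S3cr3t@collector.example.com/upload/"))
```

Any password that find_leaks() locates in an existing log should be treated as exposed and rotated, since redaction only protects messages written afterwards.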

6.3. alsa-utils

Updated alsa-utils packages that fix numerous bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The alsa-utils package contains command line utilities for the Advanced Linux Sound Architecture (ALSA).

Upgrade to an upstream version

The alsa-utils package has been upgraded to upstream version 1.0.22, which provides a number of bug fixes and enhancements over the previous version. (BZ#838951)

Enhancement

BZ#814832
The alsa-utils package has been enhanced to work better with the GNOME volume control applet and sound preferences user interface.
Users of alsa-utils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.4. amanda

Updated amanda packages that fix one bug are now available for Red Hat Enterprise Linux 6.
AMANDA, the Advanced Maryland Automatic Network Disk Archiver, is a backup system that allows the administrator of a LAN to set up a single master backup server to back up multiple hosts to one or more tape drives or disk files.

Bug Fix

BZ#752096
Previously, the amandad daemon, which is required for successful running of AMANDA, was located in the amanda-client package; however, this package was not required during installation of the amanda-server package. Consequently, AMANDA did not work properly. The amanda-client package has been added to the amanda-server dependencies and AMANDA works correctly now.
All AMANDA users are advised to upgrade to these updated packages, which fix this bug.

6.5. anaconda

Updated anaconda packages that fix numerous bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The anaconda packages contain portions of the Anaconda installation program that can be run by the user for reconfiguration and advanced installation options.

Bug fixes

BZ#803883
Due to a bug in the multipath output parsing code, when installing Red Hat Enterprise Linux 6 on an IBM Power system with JBOD (Joined Body Of Disks — more than one hard drive attached to the same SAS controller), Anaconda could detect these multiple hard drives as a multipath device. This in turn caused the partitioning of the hard drive to fail, causing the installation of the system to fail as well. This update fixes the parsing code and the system is installed correctly.
BZ#848741
The Anaconda installer did not wait for BIOS storage devices to initialize when booted with the ks:bd:<bios disk>:/ks.cfg command-line option. As a consequence, BIOS storage devices could not be found and the installation could fail. To fix this bug, a delay algorithm for BIOS devices has been added to the code path used when booting with ks:bd:<bios disk>:/ks.cfg. As a result, Anaconda tries to wait for BIOS devices to initialize.
BZ#828650
The file system migration from ext2 to ext3 did not work because Anaconda did not modify the /etc/fstab file with the new ext3 file system type. Consequently, after the installation, the file system was mounted as an ext2 file system. With this update, Anaconda properly sets the migrated file system type in /etc/fstab. Thus, the file system is mounted as expected after installation.
BZ#886150
When installing Red Hat Enterprise Linux 6.4 Beta using the kickstart file, which included the partition scheme, LVM incorrectly removed the dashes from Logical Volume and Volume Group names. This caused the names to be malformed. This update fixes the aforementioned function to correctly format Logical Volume and Volume Group names during the installation process.
BZ#819486
Using IPv6 to install Red Hat Enterprise Linux 6.3 (both Alpha and Beta) on a z/VM guest enabled the user to SSH to the system and proceed with the language selection screen. However, after this step, the installation stopped and the SSH session was closed. With this update, the IPv6 installation on a z/VM guest is successful on Red Hat Enterprise Linux 6.4.
BZ#824963
A kickstart installation on unsupported hardware resulted in a dialog box asking for confirmation before proceeding with the installation process. As a consequence, it was not possible to perform a kickstart installation on unsupported hardware without any user input. To fix this bug, a new unsupported_hardware kickstart command has been added, which skips the interactive dialog warning when installing a system on unsupported hardware without user input.
BZ#811197
When a /boot partition was on a RAID device, inconsistent messages were returned because it was not supported to have this partition on such a device. These varied messages were confusing. To fix this bug, the error messages have been corrected to make sense and to not duplicate each other.
BZ#834689
Kernel modules containing Microsoft paravirtualized drivers were missing in the installation environment. To fix this bug, kernel modules with Microsoft PV have been added to the installation environment. As a result, better support for Microsoft virtualization is provided.
BZ#837835
Modules with VMware PV drivers were not included in the installation environment. This update adds the modules with VMware PV drivers to provide better virtualization support.
BZ#809641
The udev device manager was not used to resolve kickstart raid --onpart disk references. As a consequence, the /dev/disk/by-id/ path could not be used properly. With this update, the udev_resolve_devspec() function is used to resolve the --onpart command option. As a result, the raid --onpart command can now use the /dev/disk/by-id/ paths as expected.
BZ#809640
The Anaconda installer did not use the udev device manager to resolve /dev/disk/by-id/ names. This meant the kickstart installation method did not work with /dev/disk/by-id/ names. To fix this bug, Anaconda is now using udev to resolve /dev/disk/by-id/ names. As a result, kickstart installations using /dev/disk/by-id/ names work as expected.
BZ#804557
When installing a system using the text mode on a machine which already had Red Hat Enterprise Linux installed on it, a traceback error occurred when the Back button was used to go back from any dialog after the time zone dialog. With this update, disks are rescanned when moving back through the upgrade dialog, thus preventing this bug.
BZ#840723
The Anaconda installer called the modprobe tool without the -b argument that enabled blacklists. Consequently, modules were not blacklisted. To fix this bug, the required argument has been added to the modprobe call. As a result, modules are blacklisted as expected.
BZ#851249
The Anaconda installer appended the boot= parameter on the command line whenever the fips=1 parameter was used. With this update, Anaconda appends the boot= parameter only when the fips=1 parameter is used and /boot is on a separate partition.
BZ#828029
This update fixes a typographical error in the Korean version of a warning message used to alert users of a root password that is too simple.
BZ#681224
The Anaconda installer did not verify package checksums against the checksum in the repository metadata. A package which did not match the repo metadata checksum could be installed by the Yum utility. As a consequence, an incorrect package could be installed with no errors returned. This update adds verification of the package checksum against the checksum in the repository metadata.
BZ#656315
The descriptions of the IPv6 configuration options in the installer's text user interface (UI) were misleading. Consequently, users who had DHCPv6 configured could be misled into using Dynamic IPv6 configuration (DHCPv6), which used DHCPv6 exclusively without using SLAAC automatic configuration. To fix this bug, the first option (Automatic neighbor discovery) has been renamed to Automatic; it is the (SLAAC) automatic configuration with the option of using a DHCPv6 server based on RA server configuration. The second option (Dynamic IP configuration (DHCPv6)) was renamed to Automatic, DHCP only, which describes the actual configuration to be used more accurately. These descriptions are now the same as those used by Network Manager. As a result, it is now clearer that the third option (Automatic, DHCP only) is using the DHCPv6 server exclusively.
BZ#836321
The command-line interface of the fcoe-utils package in Red Hat Enterprise Linux 6.3 was changed but the installer did not adapt to this change correctly. As a consequence, FCoE initiators were not able to log in to remote storage, which could then not be used for installation. To fix this bug, the fipvlan command arguments have been fixed to use the new -f option correctly. As a result, the installer now logs in to an FCoE remote storage correctly, and it can be used for installation purposes.
BZ#823690
Repositories without size data caused a divide-by-zero error. Consequently, the installation failed. With this update, repositories without size data do not cause a divide-by-zero error and the installation succeeds.
BZ#848818
Support for the --hibernation option was only added to the part command. Consequently, --hibernation did not work with the logvol command. To fix this bug, support for --hibernation has been added to the logvol command. As a result, --hibernation now works with the logvol command.
BZ#784001
The linksleep option used to be applied only for the ksdevice= boot parameter using the value link. Consequently, when the ksdevice boot parameter was supplied a value containing a device name or a MAC address, the linksleep boot parameter did not take effect. Without waiting for the link, as required by the linksleep boot parameter, the installer could fail. To fix this bug, the linksleep boot parameter has been added to code paths where the to-be-activated device is specified. As a result, the linksleep boot parameter is honored also for installation where the ksdevice boot parameter is supplied a value containing a device name or a MAC address.
BZ#747278
The Anaconda installer did not check lengths of Logical Volume Manager (LVM) Volume Group names or Logical Volume names. As a consequence, an error occurred when creating disk partitions. To fix this bug, the length of LVM Volume Group names has been truncated to 32 characters and Logical Volume names to 16 characters. As a result, the installation completes successfully.
BZ#746925
Previously, Anaconda failed to enable add-on repositories when upgrading the system. Consequently, packages from the add-on repositories were not upgraded. This update allows Anaconda to enable add-on repositories when the system is upgrading and packages from the add-on repositories are upgraded as expected.
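The check described under BZ#681224, comparing a downloaded package against the checksum recorded in the repository metadata, can be sketched as follows. This is an added example, not Anaconda's or Yum's code; it assumes the yum primary.xml layout, and the package name, payload and metadata below are constructed.

```python
import hashlib
import io
import xml.etree.ElementTree as ET

# XML namespace of yum's primary.xml repository metadata.
NS = {"c": "http://linux.duke.edu/metadata/common"}

# Checksum types this example accepts, mapped to hashlib names.
# Rejecting anything else (for instance md5) is a policy choice of the example.
HASHES = {"sha256": "sha256", "sha512": "sha512", "sha1": "sha1", "sha": "sha1"}


def load_expected(primary_xml):
    """Map each package's location href to (algorithm, hex digest, size)."""
    expected = {}
    root = ET.fromstring(primary_xml)
    for pkg in root.findall("c:package", NS):
        href = pkg.find("c:location", NS).get("href")
        csum = pkg.find("c:checksum", NS)
        size = int(pkg.find("c:size", NS).get("package"))
        expected[href] = (csum.get("type"), csum.text.strip().lower(), size)
    return expected


def verify_package(href, fileobj, expected):
    """Return (ok, reason); refuse anything the metadata does not vouch for."""
    if href not in expected:
        return False, "not listed in repository metadata"
    algo, want, size = expected[href]
    if algo not in HASHES:
        return False, "unsupported checksum type: %s" % algo
    digest = hashlib.new(HASHES[algo])
    seen = 0
    # Hash in chunks so large packages are never held in memory at once.
    for chunk in iter(lambda: fileobj.read(65536), b""):
        seen += len(chunk)
        digest.update(chunk)
    if seen != size:
        return False, "size mismatch"
    if digest.hexdigest() != want:
        return False, "checksum mismatch"
    return True, "ok"


# Constructed sample data: bytes standing in for an RPM, plus a primary.xml
# entry whose checksum and size are derived from those bytes.
SAMPLE_HREF = "Packages/example-1.0-1.noarch.rpm"
SAMPLE_PAYLOAD = b"constructed stand-in for RPM contents\n" * 64
SAMPLE_PRIMARY = """<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">
  <package type="rpm">
    <name>example</name>
    <checksum type="sha256" pkgid="YES">%s</checksum>
    <size package="%d"/>
    <location href="%s"/>
  </package>
</metadata>""" % (
    hashlib.sha256(SAMPLE_PAYLOAD).hexdigest(),
    len(SAMPLE_PAYLOAD),
    SAMPLE_HREF,
)


def demo():
    """Verify the intact payload and three ways a download can be wrong."""
    expected = load_expected(SAMPLE_PRIMARY)
    tampered = SAMPLE_PAYLOAD[:-1] + b"X"  # same length, one byte changed
    truncated = SAMPLE_PAYLOAD[:100]
    return {
        "good": verify_package(SAMPLE_HREF, io.BytesIO(SAMPLE_PAYLOAD), expected),
        "tampered": verify_package(SAMPLE_HREF, io.BytesIO(tampered), expected),
        "truncated": verify_package(SAMPLE_HREF, io.BytesIO(truncated), expected),
        "unlisted": verify_package("Packages/other.rpm", io.BytesIO(b""), expected),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A mismatch is reported as a failure rather than a warning, so an incorrect package is never passed on to installation silently.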

Enhancements

BZ#668065
With this update, the vlanid= boot option and the --vlanid= kickstart option can be used to set a virtual LAN ID (802.1q tag) for a specified network device. When either of these options is specified, the system can be installed over a VLAN.
BZ#838736
This update allows users to select a LUKS encryption type in the kickstart configuration file.
BZ#662007
The bond boot option and the --bondslaves and --bondopts kickstart options can now be used to configure bonding as a part of the installation process. For more information on how to configure bonding, refer to the following parts of the Red Hat Enterprise Linux 6 Installation Guide: the Kickstart Options section and the Boot Options chapter.
BZ#813998
When using a kickstart file to install Red Hat Enterprise Linux 6.4, users can now use the new fcoe kickstart option to specify which Fibre Channel over Ethernet (FCoE) devices should be activated automatically in addition to those discovered by Enhanced Disk Drive (EDD) services. For more information, refer to the Kickstart Options section in the Red Hat Enterprise Linux 6 Installation Guide.
BZ#838742
RPM signatures are now generated using the sha256sum utility instead of the md5sum utility. With this update, the sha256sum command-line utility is included in Anaconda and is available in the shell during the installation process.
Users of anaconda are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.6. authconfig

Updated authconfig packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The authconfig packages provide a command line utility and a GUI application that can configure a workstation to be a client for certain network user information and authentication schemes, and other user information and authentication related options.

Bug Fixes

BZ#862195
Prior to this update, the authconfig utility used old syntax for configuring the idmap mapping in the smb.conf file when started with the "--smbidmapuid" and "--smbidmapgid" command line options. Consequently, Samba 3.6 ignored the configuration. This update adapts authconfig to use the new syntax of the idmap range configuration so that Samba 3.6 can read it.
BZ#874527
Prior to this update, the authconfig utility could write an incomplete sssd.conf file when using the options "--enablesssd" or "--enablesssdauth". As a consequence, the sssd daemon did not start. With this update, authconfig no longer tries to create the sssd.conf file without complete information, and the sssd daemon can now start as expected.
All users of authconfig are advised to upgrade to these updated packages, which fix these bugs.

6.7. autofs

Updated autofs packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The autofs utility controls the operation of the automount daemon. The automount daemon automatically mounts file systems when you use them, and unmounts them when they are not busy.

Bug Fixes

BZ#585059
When the automount daemon managed a large number of mount points, unmounting all active mount points could take a longer period of time than expected. If the daemon failed to exit within 45 seconds, the autofs init script timed out and returned a false-positive shutdown failure. To resolve this problem, the init script restart behavior has been modified. If the init script repeatedly fails to stop the daemon, the script terminates the daemon by sending the SIGKILL signal, which allows autofs to be restarted correctly.
BZ#819703
The automount interface matching code was able to detect only IPv4 interfaces. As a consequence, mount points were mounted with an incorrect mount type when using IPv6. To fix this problem, the automount interface matching code has been modified to use the getifaddrs() function instead of ioctl(). The automount interface matching code now properly recognizes IPv6 interfaces, and both IPv4 and IPv6 mounts are now mounted as expected.
BZ#827024, BZ#846852, BZ#847873
Previously, automount could terminate unexpectedly with a segmentation fault when using the internal hosts map. This could happen due to a function name collision between autofs and the libtirpc library. Both utilities called a debug logging function of the same name but with a different call signature. This update applies a series of patches that fix this problem by redefining the internal debug logging function in autofs. Also, several other bugs related to the autofs RPC function have been fixed. The automount daemon no longer crashes when using the internal hosts map and the libtirpc library is installed on the system.
BZ#834641
Due to an incorrectly placed port test in the get_nfs_info() function, autofs attempted to contact the portmap service when mounting NFSv4 file systems. Consequently, if the portmap service was disabled on the server, automount failed to mount the NFSv4 file systems with the following error message:
mount(nfs): no hosts available
With this update, the port check has been moved to the correct location in the code so that automount no longer contacts the server's port mapper when mounting NFSv4 file systems. NFSv4 file systems are mounted as expected in this scenario.
BZ#836422
Previously, the autofs internal hosts map could not be refreshed until all entries in the map had been unmounted. Consequently, users could not access newly exported NFS shares and any attempt to access such shares failed with the "No such file or directory" error message. This update allows the server export list to be updated by sending a HUP signal to the automount daemon. This causes automount to request server exports so the hosts map and associated automounts can be updated. Newly exported NFS shares can now be accessed as expected.
BZ#845512
Previously, the usage message displayed by the autofs init script did not contain the "usage" command entry. This update corrects the init script so it now displays all commands that can be used with the autofs service as expected.
BZ#856296
When stopping the autofs service, autofs did not correctly handle situations where a null map entry appeared after a corresponding indirect map entry in the autofs master map. As a consequence, automount attempted to unmount a non-existing automount point and became unresponsive. This update modifies autofs to process null map entries correctly so it no longer attempts to unmount non-existing automount points. The autofs service now stops gracefully as expected.
BZ#860184
Previously, the autofs init script did not allow any commands to be run by unprivileged users. However, it is desirable to let a non-root user check the status of autofs, for example, for monitoring purposes. Therefore, this update modifies the autofs init script to allow unprivileged users to execute the service autofs status command.
BZ#865311
Previous versions of autofs contained several typographical errors and misleading information in the auto.master(5) man page, and autofs.sysconfig and autofs.conf configuration files. This update corrects these bugs including the description of the MOUNT_NFS_DEFAULT_PROTOCOL and MOUNT_WAIT options.
BZ#868973
When attempting to mount an NFSv4 share from an unreachable NFSv4 server, autofs did not close IPv6 UDP sockets. This could eventually lead to depletion of free file descriptors and an automount failure. This update modifies autofs to close IPv6 UDP sockets as expected, and automount no longer fails due to too many open files in the described scenario.
BZ#892846
When using autofs with LDAP, the code used to perform a base DN search allowed a race between two threads executing the same function simultaneously to occur. As a result of this race, autofs could attempt to access already freed memory and terminate unexpectedly with a segmentation fault. With this update, the code used to perform base DN searches has been moved to the function protected by a mutex, which prevents the race from occurring. The base DN searches are now performed only when refreshing settings of the map lookup modules.

Enhancements

BZ#846870
This update modifies autofs to allow configuring of separate timeout values for individual direct map entries in the autofs master map.
BZ#859947
With this update, the auto.master(5) man page has been updated to document the "-t, --timeout" option in the FORMAT options section.
BZ#866338
The auto.master(5) man page has been updated to clarify the description of the "nobind" option when it is used with direct mount maps.
BZ#866396
The autofs.spec file has been modified to update the build dependency of the autofs sss interface library. The library now requires the libsss_autofs package instead of sssd.
BZ#822733
This update improves debug logging of autofs. With debug logging set on, automount now reports whether it needs to read a mount map or not.
All users of autofs are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.8. automake

An updated automake package that fixes one security issue is now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Automake is a tool for automatically generating Makefile.in files compliant with the GNU Coding Standards.

Security Fix

CVE-2012-3386
It was found that the distcheck rule in Automake-generated Makefiles made a directory world-writable when preparing source archives. If a malicious, local user could access this directory, they could execute arbitrary code with the privileges of the user running "make distcheck".
Red Hat would like to thank Jim Meyering for reporting this issue. Upstream acknowledges Stefano Lattarini as the original reporter.
Users of automake are advised to upgrade to this updated package, which corrects this issue.
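One way to audit a source tree for the condition behind CVE-2012-3386 is to flag Makefile recipe lines whose chmod grants write access to other users, and to list world-writable directories left under a build tree. This is an added example, not Automake's code or the upstream patch; the function names and the sample Makefile text are constructed for illustration.

```python
import os
import re
import stat

# "chmod", optional flags such as -R, then the mode argument.
CHMOD_RE = re.compile(r"\bchmod\s+(?:-[A-Za-z]+\s+)*(\S+)")
SYMBOLIC_RE = re.compile(r"([ugoa]*)([+=])([rwxXst]*)")


def grants_other_write(mode):
    """True if a chmod mode argument gives write permission to 'other'."""
    if re.fullmatch(r"[0-7]{3,4}", mode):
        return bool(int(mode, 8) & 0o002)
    for clause in mode.split(","):
        m = SYMBOLIC_RE.fullmatch(clause)
        # A bare "+w" is filtered by the umask, so only explicit o/a count.
        if m and "w" in m.group(3) and set(m.group(1)) & {"o", "a"}:
            return True
    return False


def other_writable_chmods(makefile_text):
    """Return (line number, mode, recipe line) for each risky chmod call."""
    hits = []
    for lineno, line in enumerate(makefile_text.splitlines(), 1):
        if not line.startswith("\t"):
            continue  # only tab-indented recipe lines run shell commands
        for match in CHMOD_RE.finditer(line):
            if grants_other_write(match.group(1)):
                hits.append((lineno, match.group(1), line.strip()))
    return hits


def world_writable_dirs(root):
    """List directories under root (relative paths) that anyone can write to."""
    hits = []
    for dirpath, _dirs, _files in os.walk(root):
        if stat.S_IMODE(os.lstat(dirpath).st_mode) & stat.S_IWOTH:
            hits.append(os.path.relpath(dirpath, root))
    return sorted(hits)


# Constructed Makefile fragment in the style of a distcheck recipe.
SAMPLE_MAKEFILE = (
    "distcheck: dist\n"
    "\tchmod -R a-w $(distdir); chmod a+w $(distdir)\n"
    "\tmkdir $(distdir)/_build $(distdir)/_inst\n"
    "\tchmod a-w $(distdir)\n"
    "install-data-hook:\n"
    "\tchmod 0755 $(DESTDIR)$(bindir)/tool\n"
    "\tchmod 777 $(DESTDIR)$(localstatedir)/cache\n"
)

if __name__ == "__main__":
    for lineno, mode, text in other_writable_chmods(SAMPLE_MAKEFILE):
        print("line %d: mode %s in: %s" % (lineno, mode, text))
```

Running world_writable_dirs() on the directory where "make distcheck" unpacks its archive, while the check is in progress, shows whether the installed Automake still opens that directory to other local users.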

6.9. avahi

Updated avahi packages that fix one bug are now available for Red Hat Enterprise Linux 6.
Avahi is an implementation of the DNS Service Discovery and Multicast DNS specifications for Zero Configuration Networking. It facilitates service discovery on a local network. Avahi and Avahi-aware applications allow you to plug your computer into a network and, with no configuration, view other people to chat with, view printers to print to, and find shared files on other computers.

Bug Fix

BZ#599435
Previously, the Avahi library packages required the Avahi daemon packages as a dependency. Consequently, whenever installing some of the Avahi libraries, the Avahi daemon was installed as well, which could pose a security risk in certain environments. This update removes these dependencies so that the Avahi libraries are now installed without the Avahi daemon.
All users of avahi are advised to upgrade to these updated packages, which fix this bug.

6.10. bacula

Updated bacula packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.
The bacula packages provide a tool set that allows you to manage the backup, recovery, and verification of computer data across a network of different computers.

Bug Fixes

BZ#728693
Prior to this update, the logwatch tool did not check the "/var/log/bacula*" file. As a consequence, the logwatch report was incomplete. This update adds all log files to the logwatch configuration file. Now, the logwatch report is complete.
BZ#728697
Prior to this update, the bacula tool itself created the "/var/spool/bacula/log" file. As a consequence, this log file used an incorrect SELinux context. This update modifies the underlying code to create the /var/spool/bacula/log file in the bacula package. Now, this log file has the correct SELinux context.
BZ#729008
Prior to this update, the bacula packages were built without the CFLAGS variable "$RPM_OPT_FLAGS". As a consequence, the debug information was not generated. This update modifies the underlying code to build the packages with CFLAGS="$RPM_OPT_FLAGS". Now, the debug information is generated as expected.
BZ#756803
Prior to this update, the perl script which generates the my.conf file contained a misprint. As a consequence, the port variable was not set correctly. This update corrects the misprint. Now, the port variable is set as expected.
BZ#802158
Prior to this update, values for the "show pool" command were obtained from the "res->res_client" item. As a consequence, the output displayed incorrect job and file retention values. This update uses the "res->res_pool" item to obtain the correct values.
BZ#862240
Prior to this update, the bacula-storage-common utility wrongly removed alternatives for the bcopy function during the update. As a consequence, the link to bcopy.{mysql,sqlite,postgresql} disappeared after updating. This update modifies the underlying code to remove these links directly in storage-{mysql,sqlite,postgresql} and not in bacula-storage-common.
All users of bacula are advised to upgrade to these updated packages, which fix these bugs.

6.11. bash

Updated bash packages that fix three bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
The bash packages provide the Bash (Bourne-again shell) shell, which is the default shell for Red Hat Enterprise Linux.

Bug Fixes

BZ#695656
Prior to this update, the trap handler could, under certain circumstances, lose signals during another trap initialization. This update blocks the signal while the trap string and handler are being modified. Now, the signals are no longer lost.
BZ#799958
Prior to this update, the manual page for trap in Bash did not mention that signals ignored upon entry cannot be listed later. This is now fixed and the manual page entry text is amended to "Signals ignored upon entry to the shell cannot be trapped, reset or listed".
BZ#800473
Prior to this update, the Bash shell called the trap handler within a signal handler when a SIGCHLD signal was received in job control mode and a handler for the signal was installed. This was a security risk and could cause Bash to enter a deadlock or to terminate unexpectedly with a segmentation fault due to memory corruption. With this update, the trap handler is now called outside of the signal handler, and Bash no longer enters a deadlock.

Enhancement

BZ#677439
This update enables the system-wide "/etc/bash.bash_logout" file. This allows administrators to write system-wide logout actions for all users.
All users of bash are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.12. bfa-firmware

Updated bfa-firmware packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The bfa-firmware package contains the Brocade Fibre Channel Host Bus Adapter (HBA) Firmware to run Brocade Fibre Channel and CNA adapters. This package also supports the Brocade BNA network adapter.

Upgrade to an upstream version

The bfa-firmware packages have been upgraded to upstream version 3.0.3.1, which provides a number of bug fixes and enhancements over the previous version. (BZ#830015)
All users of bfa-firmware are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.13. bind-dyndb-ldap

Updated bind-dyndb-ldap packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The dynamic LDAP back end is a plug-in for BIND that provides back-end capabilities to LDAP databases. It features support for dynamic updates and internal caching that help to reduce the load on LDAP servers.

Upgrade to an upstream version

The bind-dyndb-ldap package has been upgraded to upstream version 2.3, which provides a number of bug fixes and enhancements over the previous version, including many persistent search improvements. Refer to /usr/share/doc/bind-dyndb-ldap/NEWS for a detailed list of the changes. (BZ#827414)

Bug Fixes

BZ#767496
When persistent search was in use, the plug-in sometimes terminated unexpectedly due to an assertion failure when the "rndc reload" command was issued and the LDAP server was not reachable. With this update, the code has been improved so that connection failures and reconnects are now handled more robustly. As a result, the plug-in no longer crashes in the scenario described.
BZ#829388
Previously, some relative domain names were not expanded correctly to FQDNs. Consequently, zone transfers sometimes contained relative domain names although they should only contain FQDNs (for example, they contained "name." record instead of "name.example.com."). The plug-in has been patched, and as a result, zone transfers now contain the correct domain names.
BZ#840381
Due to a bug in bind-dyndb-ldap, the named process sometimes terminated unexpectedly when a connection to LDAP timed out. Consequently, when a connection to LDAP timed out (or failed), the named process was sometimes aborted and DNS service was unavailable. The plug-in has been fixed and now gracefully handles situations in which a connection to LDAP fails.
BZ#856269
Due to a race condition, the plug-in sometimes caused the named process to terminate unexpectedly when it received a request to reload. Consequently, the DNS service was sometimes unavailable. A patch has been applied and as a result, the race condition during reload no longer occurs.

Enhancements

BZ#733711
LDAP in Red Hat Enterprise Linux 6.4 includes support for persistent search for both zones and their resource records. Persistent search allows the bind-dyndb-ldap plug-in to be immediately informed about all changes in an LDAP database. It also decreases network bandwidth usage required by repeated polling.
BZ#829340
Previously, it was only possible to configure IPv4 forwarders in LDAP. With this update, a patch has been added to the plug-in, and as a result, the plug-in is now able to parse and use IPv6 forwarders. BIND9 syntax for "forwarders" is required.
BZ#829385
Previously, it was impossible to share one LDAP database between multiple master servers; only one master server could be used. A new bind-dyndb-ldap option "fake_mname" which allows for overriding the master server name in the SOA record has been added. With this option it is now possible to override the master server name in the SOA record so that multiple servers can act as master server for one LDAP database.
BZ#840383
When multiple named processes shared one LDAP database and dynamically updated DNS records (via DDNS), they did not update the SOA serial numbers so it was impossible to serve such zones on secondary servers correctly (that is to say, they were not updated on slave servers). With this update, the plug-in can now update SOA serial numbers automatically, if configured to do so. Refer to the new "serial_autoincrement" option in the /usr/share/doc/bind-dyndb-ldap/README file for more details.
BZ#869323
This update provides support for the per-zone disabling of forwarding. Some setups require the disabling of forwarding per-zone. For example, company servers are configured as authoritative for a non-public zone and have global forwarding turned on. When the non-public zone contains delegation for a non-public subdomain, the zone must have explicitly disabled forwarding otherwise the glue records will not be returned. As a result, a server can now return delegation glue records for private zones when global forwarding is turned on. Refer to /usr/share/doc/bind-dyndb-ldap/README for detailed information.
Users of bind-dyndb-ldap are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.14. bind

Updated bind packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.
BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.

Bug Fixes

BZ#827282
Previously, the initscript sometimes reported a spurious "named.pid: No such file or directory" error message due to a race condition when the DNS server (named) was stopped. This spurious error message has been suppressed and is no longer reported in this scenario.
BZ#837165
Due to a race condition in the rbtdb.c source file, the named daemon could terminate unexpectedly with the INSIST error code. This bug has been fixed in the code and the named daemon no longer crashes in the described scenario.
BZ#853806
Previously, BIND rejected "forward" and "forwarders" statements in static-stub zones. Consequently, it was impossible to forward certain queries to specified servers. With this update, BIND accepts those options for static-stub zones properly, thus fixing this bug.
All users of bind are advised to upgrade to these updated packages, which fix these bugs.

6.15. binutils

Updated binutils packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The binutils packages provide a set of binary utilities, including "ar" (for creating, modifying and extracting from archives), "as" (a family of GNU assemblers), "gprof" (for displaying call graph profile data), "ld" (the GNU linker), "nm" (for listing symbols from object files), "objcopy" (for copying and translating object files), "objdump" (for displaying information from object files), "ranlib" (for generating an index for the contents of an archive), "readelf" (for displaying detailed information about binary files), "size" (for listing the section sizes of an object or archive file), "strings" (for listing printable strings from files), "strip" (for discarding symbols), and "addr2line" (for converting addresses to file and line).

Bug Fixes

BZ#773526
In order to display a non-printing character, the readelf utility adds the "0x40" string to the character. However, readelf previously did not add that string when processing multibyte characters, so that multibyte characters in the ELF headers were displayed incorrectly. With this update, the underlying code has been corrected and readelf now displays multibyte and non-ASCII characters correctly.
BZ#825736
Under certain circumstances, the linker could fail to produce the GNU_RELRO segment when building an executable requiring GNU_RELRO. As a consequence, such an executable failed upon start-up. This problem also affected the libudev library, so that the udev utility did not work. With this update, the linker has been modified so that the GNU_RELRO segment is now correctly created when it is needed, and utilities such as udev now work correctly.
All users of binutils are advised to upgrade to these updated packages, which fix these bugs.

6.16. biosdevname

Updated biosdevname packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The biosdevname packages contain a udev helper utility which provides an optional convention for naming network interfaces; it assigns names to network interfaces based on their physical location. The utility is disabled by default, except on a limited set of Dell PowerEdge, C Series and Precision Workstation systems.

Upgrade to an upstream version

The biosdevname packages have been upgraded to upstream version 0.4.1, which provides a number of bug fixes and enhancements over the previous version. (BZ#825142)

Bug Fixes

BZ#751373
The biosdevname utility ignored the SMBIOS version check for PCI network adapters. Consequently, PCI network adapter interfaces were renamed according to PCI slot and port numbers on systems with unsupported SMBIOS versions. With this update, the new biosdevname utility ensures that if the SMBIOS version is not supported, PCI network adapter interfaces are not renamed. As a result, PCI network adapters are named with the kernel default name in the scenario described.
BZ#804754
When using Single Root I/O Virtualization (SR-IOV) with embedded network interface devices, the biosdevname utility did not check the System Management BIOS (SMBIOS) type of the physical function for corresponding virtual functions. Consequently, biosdevname did not find SMBIOS type 41 structure for the device virtual functions and did not suggest interface names for these onboard network interfaces. With this update, biosdevname now looks up the SMBIOS type 41 structure for the device virtual functions in the corresponding physical function table. As a result, onboard network devices with virtual network interfaces are now renamed according to the biosdevname naming scheme.
BZ#815724
The biosdevname utility did not handle PCI cards with multiple ports. Consequently, only the network interface of the first port of these cards was renamed according to the biosdevname naming scheme. An upstream patch has been applied and biosdevname now handles PCI cards with multiple ports. As a result, all ports of multiple port PCI cards are now renamed according to the biosdevname naming scheme.
All users of biosdevname are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.17. bridge-utils

Updated bridge-utils packages that add two enhancements are now available for Red Hat Enterprise Linux 6.
The bridge-utils packages contain utilities for configuration of the Linux Ethernet bridge. The Linux Ethernet bridge can be used to connect multiple Ethernet devices together. This connection is fully transparent: hosts connected to one Ethernet device see hosts connected to the other Ethernet devices directly.

Enhancements

BZ#676355
The man page was missing the multicast option descriptions. This update adds that information to the man page.
BZ#690529
This enhancement adds the missing feature described in the BRCTL(8) man page, which allows the user to get the bridge information for a single bridge using the "brctl show $BRIDGE" command.
All users of bridge-utils are advised to upgrade to these updated packages, which add these enhancements.

6.18. brltty

Updated brltty packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
BRLTTY is a background process (daemon) which provides access to the Linux console (when in text mode) for a blind person using a refreshable braille display. It drives the braille display, and provides complete screen review functionality.

Bug Fixes

BZ#684526
Previously, building the brltty package could fail with an error about unpackaged ocaml files. This happened only if the ocaml package was pre-installed in the build root. The "--disable-caml-bindings" option has been added in the %configure macro so that the package now builds correctly.
BZ#809326
Previously, the /usr/lib/libbrlapi.so symbolic link installed by the brlapi-devel package incorrectly pointed to ../../lib/libbrlapi.so. The link has been fixed to correctly point to ../../lib/libbrlapi.so.0.5.
All users of brltty are advised to upgrade to these updated packages, which fix these bugs.

6.19. btrfs-progs

Updated btrfs-progs packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The btrfs-progs packages provide user-space programs to create, check, modify, and correct any inconsistencies in a Btrfs file system.

Upgrade to an upstream version

The btrfs-progs packages have been upgraded to upstream version 0.2, which provides a number of bug fixes and enhancements over the previous version, including support for slashes in file system labels and new commands "btrfs-find-root", "btrfs-restore", and "btrfs-zero-log". This update also modifies the btrfs-progs utility, so that it is now built with the -fno-strict-aliasing option. (BZ#865600)
All users of btrfs-progs are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.20. ccid

An updated ccid package that fixes one security issue and one bug is now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Chip/Smart Card Interface Devices (CCID) is a USB smart card reader standard followed by most modern smart card readers. The ccid package provides a generic, USB-based CCID driver for readers that follow this standard.

Security Fix

CVE-2010-4530
An integer overflow, leading to an array index error, was found in the way the CCID driver processed a smart card's serial number. A local attacker could use this flaw to execute arbitrary code with the privileges of the user running the PC/SC Lite pcscd daemon (root, by default), by inserting a specially-crafted smart card.

Bug Fix

BZ#808115
Previously, CCID only recognized smart cards with a 5V power supply. With this update, CCID also supports smart cards with a different power supply.
All users of ccid are advised to upgrade to this updated package, which contains backported patches to correct these issues.

6.21. cdrkit

Updated cdrkit packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The cdrkit packages contain a collection of CD/DVD utilities for generating the ISO9660 file-system and burning media.

Bug Fix

BZ#797990
Prior to this update, overlapping memory was handled incorrectly. As a consequence, newly created paths could be garbled when calling "genisoimage" with the "-graft-points" option to graft the paths at points other than the root directory. This update modifies the underlying code to generate graft paths as expected.
All users of cdrkit are advised to upgrade to these updated packages, which fix this bug.

6.22. certmonger

Updated certmonger packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The certmonger daemon monitors certificates which have been registered with it, and as a certificate's not-valid-after date approaches, the daemon can optionally attempt to obtain a fresh certificate from a supported CA.

Upgrade to an upstream version

The certmonger packages have been upgraded to upstream version 0.61, which provides a number of bug fixes and enhancements over the previous version. (BZ#827611)

Bug Fixes

BZ#810016
When certmonger was set up to not attempt to obtain a new certificate and the certificate's valid remaining time crossed a configured time to live (TTL) threshold, certmonger warned of a certificate's impending not-valid-after date. Certmonger then immediately logged the warning again, and continued to do so indefinitely, causing the /var/log/messages file to fill up with warnings. This bug has been fixed and certmonger returns a warning again only when another configured TTL threshold is crossed or the service is restarted.
BZ#893611
When certmonger attempts to save a certificate to an NSS database, it necessarily opens that database for writing. Previously, if any other process, including any other certmonger tasks that could require access to that database, had the database open for writing, that database could become corrupted. This update backports changes from later versions of certmonger which change its behavior. Now, actions that could result in database modifications are only performed one at a time.
All users of certmonger are advised to upgrade to these updated packages which fix these bugs and add these enhancements.

6.23. cifs-utils

Updated cifs-utils packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The SMB/CIFS protocol is a standard file sharing protocol widely deployed on Microsoft Windows machines. This package contains tools for mounting shares on Linux using the SMB/CIFS protocol. The tools in this package work in conjunction with support in the kernel to allow one to mount a SMB/CIFS share onto a client and use it as if it were a standard Linux file system.

Bug Fixes

BZ#856729
When the mount.cifs utility ran out of addresses to try, it returned the "System error" error code (EX_SYSERR) to the caller service. The utility has been modified and it now correctly returns the "Mount failure" error code (EX_FAIL).
BZ#826825
Typically, "/" characters are not allowed in user names for Microsoft Windows systems, but they are common in certain types of Kerberos principal names. However, mount.cifs previously allowed the use of "/" in user names, which caused attempts to mount CIFS file systems to fail. With this package, "/" characters are now allowed in user names if the "sec=krb5" or "sec=krb5i" mount options are specified, thus CIFS file systems can now be mounted as expected.
BZ#838606
Previously, the cifs-utils packages were compiled without the RELRO (read-only relocations) and PIE (Position Independent Executables) flags. Programs provided by this package could be vulnerable to various attacks based on overwriting the ELF section of a program. The "-pie" and "-fpie" options enable the building of position-independent executables, and the "-Wl,-z,relro" option turns on read-only relocation support in gcc. These options are important for security purposes to guard against possible buffer overflows that lead to exploits. The cifs-utils binaries are now built with PIE and full RELRO support. They are therefore better protected against "return-to-text" and memory corruption attacks, and also against attacks based on overwriting the program's ELF section.
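One way to verify the PIE and RELRO properties described in BZ#838606 on an installed binary, as an added example that is not part of the original notes or of cifs-utils: the parser below reads the ELF header, program headers and dynamic section directly. The function names and the constructed sample image are assumptions made for this example.

```python
import struct
import sys

ET_DYN = 3  # e_type of PIE executables (shared objects use it too)
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

# Field formats and offsets that differ between ELF32 (class 1) and ELF64 (class 2).
LAYOUT = {
    1: {"phoff": ("I", 28), "phnum_at": 42, "p_offset": ("I", 4),
        "p_filesz": ("I", 16), "dyn": "iI"},
    2: {"phoff": ("Q", 32), "phnum_at": 54, "p_offset": ("Q", 8),
        "p_filesz": ("Q", 32), "dyn": "qQ"},
}


def elf_hardening(data):
    """Return {'pie': bool, 'relro': 'none' | 'partial' | 'full'} for an ELF image."""
    if len(data) < 6 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    lay = LAYOUT.get(data[4])
    end = {1: "<", 2: ">"}.get(data[5])
    if lay is None or end is None:
        raise ValueError("unsupported ELF class or byte order")

    def rd(fmt, off):
        # Every read is bounds-checked, so a truncated or malformed file
        # produces an error instead of a read outside the buffer.
        try:
            return struct.unpack_from(end + fmt, data, off)
        except (struct.error, OverflowError):
            raise ValueError("truncated or malformed ELF image") from None

    (e_type,) = rd("H", 16)
    (e_phoff,) = rd(*lay["phoff"])
    e_phentsize, e_phnum = rd("HH", lay["phnum_at"])

    has_relro = bind_now = False
    step = struct.calcsize(end + lay["dyn"])
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        (p_type,) = rd("I", ph)
        if p_type == PT_GNU_RELRO:
            has_relro = True  # linker was given -z relro
        elif p_type == PT_DYNAMIC:
            (p_offset,) = rd(lay["p_offset"][0], ph + lay["p_offset"][1])
            (p_filesz,) = rd(lay["p_filesz"][0], ph + lay["p_filesz"][1])
            for off in range(p_offset, p_offset + p_filesz - step + 1, step):
                tag, val = rd(lay["dyn"], off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW
                        or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True  # linker was also given -z now

    # Partial RELRO leaves the lazily bound part of the GOT writable; full
    # RELRO needs immediate binding so the whole GOT can be made read-only.
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return {"pie": e_type == ET_DYN, "relro": relro}


def build_sample(e_type=ET_DYN, relro=True, bind_now=True):
    """Constructed 64-bit little-endian ELF skeleton (headers only, not loadable)."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b""
    dyn += struct.pack("<qQ", DT_NULL, 0)
    nph = 2 if relro else 1
    dyn_off = 64 + 56 * nph
    seg = (dyn_off, dyn_off, dyn_off, len(dyn), len(dyn))
    ph = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, *seg, 8)
    if relro:
        ph += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, *seg, 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                              64, 56, nph, 0, 0, 0)
    return hdr + ph + dyn


if __name__ == "__main__":
    # Usage: pass one or more binaries to check on the command line.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, elf_hardening(fh.read()))
```

A result of "partial" means the binary was linked with "-z relro" but without immediate binding, which is weaker than the full RELRO build this update describes.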

Enhancements

BZ#843596
With this update, the "strictcache", "actimeo", "cache=" and "rwpidforward" mount options are now documented in the mount.cifs(8) manual page.
BZ#843612
The "getcifsacl", "setcifsacl" and "cifs.idmap" programs have been added to the package. These utilities allow users to manipulate ACLs on CIFS shares and allow the mapping of Windows security IDs to POSIX user and group IDs.
BZ#843617
With this update, the cifs.idmap helper, which allows SID to UID and SID to GID mapping, has been added to the package. Also, the manual page cifs.upcall(8) has been updated and cifs.idmap(8) has been added.
Users of cifs-utils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.24. clustermon

Updated clustermon packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The clustermon packages provide the modclusterd daemon, which is a service for remote cluster management. Modclusterd serves as an abstraction of the cluster status that utilizes other clustermon parts exposed through conga, the Simple Network Management Protocol (SNMP), and the Common Information Model (CIM).

Bug Fixes

BZ#865588
Prior to this update, the dynamic library that represents the CIM provider of a cluster status was not built with all the required dependencies and therefore certain symbols could not be resolved. As a consequence, the cluster status could not be accessed via CIM. This update adds the missing dependencies to the dynamic library. Now, the cluster status is accessible as expected.
BZ#885830
Prior to this update, an XML-formatted cluster configuration (as in the cluster.conf file) larger than 200 kB might have crashed modcluster, a program assisting the ricci daemon in handling the cluster configuration file (cluster.conf), or modclusterd, a daemon providing cluster status. This update drops this restriction and both executables no longer abort with larger configurations.
All users of clustermon are advised to upgrade to these updated packages, which fix these bugs.

6.25. cluster and gfs2-utils

Updated cluster and gfs2-utils packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Cluster Manager is a collection of technologies working together to provide data integrity and the ability to maintain application availability in the event of a failure. Using redundant hardware, shared disk storage, power management, and robust cluster communication and application failover mechanisms, a cluster can meet the needs of the enterprise market.

Bug Fixes

BZ#785866
With this update, a minor typographical error has been fixed in the /usr/share/cluster/cluster.rng.in.head RELAX NG schema.
BZ#803477
Previously, the fsck.gfs2 program printed irrelevant error messages when reclaiming free metadata blocks. These messages could have been incorrectly understood as file system errors. With this update, these messages are no longer displayed.
BZ#814807
The master_wins implementation of the qdiskd daemon was not sufficiently fast to hand over the master status during the ordered shutdown. Consequently, a temporary loss of quorum in the cluster could have occurred. With this update, master_wins has been modified to operate more quickly.
BZ#838047
Previously, the master_wins implementation of the qdiskd daemon did not check strictly for errors in the /etc/cluster/cluster.conf file. Consequently, with several incorrect options in cluster.conf, two quorate partitions could have been created at the same time. With this update, master_wins has been modified to perform strict error checking to avoid the creation of multiple quorate partitions.
BZ#838945
Prior to this update, an overly long cluster name in the /etc/cluster/cluster.conf file could cause a buffer overflow when running the fsck.gfs2 utility on a GFS2 file system with a corrupt super block. With this update, the cluster name is truncated appropriately when the super block is being rebuilt. Now, the buffer overflow condition no longer occurs in the described case.
BZ#839241
Under certain circumstances, the cman cluster manager did not propagate two internal values across configuration reloads. Consequently, runtime inconsistencies could occur. This bug has been fixed, and the aforementioned error no longer occurs. Also, a corner case memory leak has been fixed.
BZ#845341
Prior to this update, the fenced daemon created the /var/log/cluster/fenced.log file with world-readable permissions. With this update, fenced has been modified to set stricter security permissions for its log file. Also, permissions of an existing log file are automatically corrected if necessary.
BZ#847234
Previously, an insufficient buffer length limitation did not allow long configuration lines in the /etc/cluster/cluster.conf configuration file. Consequently, a long entry in the file caused the corosync utility to terminate unexpectedly with a segmentation fault. With this update, the length limit has been extended. As a result, the segmentation fault no longer occurs in this situation.
BZ#853180
When a GFS2 file system was mounted with the lock_nolock option enabled, the cman cluster manager incorrectly checked the currently used resources. Consequently, cman failed to start. This bug has been fixed, and cman now starts successfully in the described case.
BZ#854032
In certain corner cases, triggered especially when shutting down all cluster nodes at the same time, the cluster daemons failed to quit within the cman shutdown limit (10 seconds). Consequently, the cman cluster manager declared a shutdown error. With this update, the default shutdown timeout has been increased to 30 seconds to prevent the shutdown error.
BZ#857952
Under rare circumstances, the fenced daemon polled an incorrect file descriptor from the cman cluster manager. Consequently, fenced entered a loop and the cluster became unresponsive. This bug has been fixed, and the aforementioned error no longer occurs.
BZ#861340
The fenced daemon is usually started before the messagebus (D-BUS) service, which has no harmful operational effects. Previously, this behavior was recorded as an error message in the /var/log/cluster/fenced.log file. To avoid confusion, this error message is now entered into /var/log/cluster/fenced.log only when the log level is set to debugging.
BZ#862847
Previously, the mkfs.gfs2 -t command accepted non-standard characters, like slash (/), in the lock table name. Consequently, only the first cluster node was able to mount a GFS2 file system successfully. The next node attempting to mount a GFS2 file system became unresponsive. With this update, stricter validation of lock table names has been introduced. As a result, cluster nodes no longer hang when special characters are used in the lock table name.
BZ#887787
Previously, when the client using the cman API called the cman_stop_notification() function after cman was already closed, the client terminated with the SIGPIPE signal. With this update, the underlying source code has been modified to address this issue, and the MSG_NOSIGNAL message is now displayed to warn the user in the described scenario.
BZ#888053
Prior to this update, the gfs2_convert tool was unable to handle certain corner cases when converting between GFS1 and GFS2 file systems. Consequently, the converted GFS2 file system contained errors. With this update, gfs2_convert has been fixed to detect these corner cases and adjust the converted file system accordingly.

Enhancements

BZ#661764
The cman cluster manager is now supported with the bonding mode options 0, 1, and 2. Prior to this update, only bonding mode 1 was supported.
BZ#738704
This update adds support for clusters utilizing the Red Hat Enterprise Virtualization Manager native shared storage between nodes.
BZ#786118
The hostname aliases from the /etc/hosts file are now accepted as cluster node names across cluster applications.
BZ#797952
A new tool, fence_check, has been added to provide a method to test the fence configuration in a non-disruptive way. The tool has been designed to run via the crontab utility for regular monitoring of fence devices.
BZ#821016
This update enables passing additional command line options to the dlm_controld daemon using the /etc/sysconfig/cman file.
BZ#842370
The Distributed Lock Manager (DLM) now allows tuning of DLM hash table sizes from the /etc/sysconfig/cman file. The following parameters can be set in the /etc/sysconfig/cman file:
DLM_LKBTBL_SIZE=<size_of_table>
DLM_RSBTBL_SIZE=<size_of_table>
DLM_DIRTBL_SIZE=<size_of_table>
which, in turn, modifies the values in the following files respectively:
/sys/kernel/config/dlm/cluster/lkbtbl_size
/sys/kernel/config/dlm/cluster/rsbtbl_size
/sys/kernel/config/dlm/cluster/dirtbl_size
BZ#857299
Previously, it was not possible to modify the default TCP port (21064) of the Distributed Lock Manager (DLM). With this update, the DLM_TCP_PORT configuration parameter has been added into the /etc/sysconfig/cman file. As a result, the DLM TCP port can be manually configured.
BZ#860048
The fsck.gfs2 program now checks for formal mismatches between disk inode numbers and directory entries in the GFS2 file system.
BZ#860847
This update adds support for two and four node clusters utilizing the rgmanager daemon with the rrp_mode option enabled.
BZ#878196
This update adds support for clusters utilizing VMware's VMDK (Virtual Machine Disk) disk image technology with the multi-writer option. This allows using VMDK-based storage with the multi-writer option for clustered file systems such as GFS2.
All users of cluster and gfs2-utils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.26. control-center

Updated control-center packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The control-center packages provide various configuration utilities for the GNOME desktop. These utilities allow the user to configure accessibility options, desktop fonts, keyboard and mouse properties, sound setup, desktop theme and background, user interface properties, screen resolution, and other settings.

Bug Fix

BZ#805069
Prior to this update, the status LEDs on Wacom tablets did not correctly indicate the current mode. With this update, the LEDs now indicate which of the Touch Ring or Touch Strip modes are active.
All users of control-center are advised to upgrade to these updated packages, which fix this bug.

6.27. coolkey

Updated coolkey packages that fix several bugs and add an enhancement are now available for Red Hat Enterprise Linux 6.
Coolkey is a smart card support library for the CoolKey, CAC (Common Access Card), and PIV (Personal Identity Verification) smart cards.

Bug Fixes

BZ#861108
Previously, Coolkey was unable to recognize PIV-I cards. This update fixes the bug and Coolkey now allows these cards to be read and display certificate information as expected.
BZ#879563
Prior to this update, the pkcs11_listcerts and pklogin_finder utilities were unable to recognize certificates and USB tokens on smart cards after upgrading the Coolkey library. A patch has been provided to address this issue and these utilities now work as expected.
BZ#806038
Previously, the remote-viewer utility failed to utilize a plugged smart card reader when a Spice client was running. Eventually, the client could terminate unexpectedly. Now, remote-viewer recognizes the reader and offers authentication once the card is inserted and the crashes no longer occur.
BZ#884266
Previously, certain new PIV-II smart cards could not be recognized by client card readers, the ESC card manager, or the pklogin_finder utility. A patch has been provided to address this issue and PIV-II cards now work with Coolkey as expected.

Enhancement

BZ#805693
Support for Oberthur Smart Cards has been added to the Coolkey library.
Users of coolkey are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.28. Core X11 Libraries

Updated Core X11 libraries packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Core X11 libraries contain the base protocol of the X Window System, which is a networked windowing system for bitmap displays used to build graphical user interfaces on Unix, Unix-like, and other operating systems.
The pixman package has been upgraded to upstream version 0.18.4, which provides a number of bug fixes and enhancements over the previous version. (BZ#644296)
The following packages have been upgraded to their upstream versions to conform to X Window System Test Suite (XTS5):

Table 6.1. Upgraded packages

Package name    Upstream version    BZ number
libxcb          1.8.1               755654
libXcursor      1.1.13              755656
libX11          1.5.0               755657
libXi           1.6.1               755658
libXt           1.1.3               755659
libXfont        1.4.5               755661
libXrender      0.9.7               755662
libXtst         1.2.1               755663
libXext         1.3.1               755665
libXaw          1.0.11              755666
libXrandr       1.4.0               755667
libXft          2.3.1               755668

The following packages have been upgraded to their respective upstream versions, which provide a number of bug fixes and enhancements over the previous versions.

Table 6.2. Upgraded packages

Package name             Upstream version    BZ number
libXau                   1.0.6               835172
libXcomposite            0.4.3               835183
libXdmcp                 1.1.1               835184
libXevie                 1.0.3               835186
libXinerama              1.1.2               835187
libXmu                   1.1.1               835188
libXpm                   3.5.10              835190
libXres                  1.0.6               835191
libXScrnSaver            1.2.2               835192
libXv                    1.0.7               835193
libXvMC                  1.0.7               835195
libXxf86dga              1.1.3               835196
libXxf86misc             1.0.3               835197
libXxf86vm               1.1.2               835198
libdrm                   2.4.39              835202
libdmx                   1.1.2               835203
pixman                   0.26.2              835204
xorg-x11-proto-devel     7.6                 835206
xorg-x11-util-macros     1.17                835207
xorg-x11-xtrans-devel    1.2.7               835276
xkeyboard-config         2.6                 835284
libpciaccess             0.13.1              843585
xcb-proto                1.7                 843593
libSM                    1.2.1               843641

Bug Fixes

BZ#802559
Previously, in the xorg-x11-proto-devel package, the definition of the _X_NONNULL macro was incompatible with C89 compilers. Consequently, C89 applications could not be built in C89 mode if the X11/Xfuncproto.h file was included. This update fixes the macro definition to be compatible with C89 mode.
BZ#804907
Prior to this update, XI2 events were not properly initialized and could contain garbage values. A patch for the libXi package, which had been setting values to garbage, has been provided to fix this bug. Now, actual events no longer contain garbage values and are initialized as expected.
BZ#871460
Previously, the spec file of the xkeyboard-config package used the %{dist} macro in the Version tag. Although the standard Red Hat Enterprise Linux build environment defines this macro, it does not need to be defined. If it was not defined, %{dist} appeared literally in the resulting RPM package's version string when the package was rebuilt. The spec file has been corrected to use the conditional %{?dist} form, which expands to an empty string if %{dist} is not defined.
Users of Core X11 libraries are advised to upgrade to these updated packages, which fix these bugs and add various enhancements.

6.29. Core X11 clients

Updated core client packages for the X Window System that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The Core X11 clients packages provide the xorg-x11-utils, xorg-x11-server-utils, and xorg-x11-apps clients that ship with the X Window System.

Security Fix

CVE-2011-2504
It was found that the x11perfcomp utility included the current working directory in its PATH environment variable. Running x11perfcomp in an attacker-controlled directory would cause arbitrary code execution with the privileges of the user running x11perfcomp.
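A defensive check for the class of problem described in CVE-2011-2504, as an added example that is not code from x11perfcomp or from the original notes: it reports PATH components that are resolved against the current working directory, both in a PATH string and in PATH assignments inside a shell script. The function names and the sample script are constructed for illustration.

```python
import os
import re

# Matches `PATH=value` or `export PATH=value` at the start of a shell line.
PATH_ASSIGN = re.compile(r"""^\s*(?:export\s+)?PATH=("[^"]*"|'[^']*'|[^\s;]*)""")

# Constructed sample script; /opt/example/libexec is a placeholder directory.
SAMPLE = """\
#!/bin/sh
# constructed sample, not taken from any shipped script
PATH=/opt/example/libexec:.:$PATH
export PATH
PATH="$PATH:"
PATH=/usr/bin:/bin
export PATH=bin:$PATH
"""


def cwd_relative_entries(path_value):
    """Return the PATH components that are looked up relative to the
    current working directory: empty components (a leading, trailing or
    doubled colon), ".", and any other relative directory. Components
    that begin with a variable or tilde expansion cannot be resolved
    statically and are not reported."""
    found = []
    for entry in path_value.split(":"):
        if entry == "":
            found.append("<empty>")
        elif entry[0] not in "/$~":
            found.append(entry)
    return found


def scan_script(text):
    """Return (line number, component) pairs for every PATH assignment in a
    shell script that adds a current-directory-relative component."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = PATH_ASSIGN.match(line)
        if match:
            value = match.group(1).strip("\"'")
            hits += [(lineno, entry) for entry in cwd_relative_entries(value)]
    return hits


if __name__ == "__main__":
    print("script findings:", scan_script(SAMPLE))
    print("current PATH:", cwd_relative_entries(os.environ.get("PATH", "")))
```

The trailing colon on line 5 of the sample is the easy one to miss: an empty PATH component is searched as the current directory, exactly like an explicit ".".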

Note

The xorg-x11-utils and xorg-x11-server-utils packages have been upgraded to upstream version 7.5, and the xorg-x11-apps package to upstream version 7.6, which provides a number of bug fixes and enhancements over the previous versions. (BZ#835277, BZ#835278, BZ#835281)
All users of xorg-x11-utils, xorg-x11-server-utils, and xorg-x11-apps are advised to upgrade to these updated packages, which fix these issues and add these enhancements.

6.30. corosync

Updated corosync packages that fix several bugs and add multiple enhancements are now available for Red Hat Enterprise Linux 6.
The corosync packages provide the Corosync Cluster Engine and C Application Programming Interfaces (APIs) for Red Hat Enterprise Linux cluster software.

Bug Fixes

BZ#783068
Prior to this update, the corosync-notifyd service did not run after restarting the process. This update modifies the init script to wait for the actual exit of previously running instances of the process. Now, the corosync-notifyd service runs as expected after restarting.
BZ#786735
Prior to this update, an incorrect node ID was sent in recovery messages when corosync entered recovery. As a consequence, the debugging process in the source code could cause problems. This update sets the correct node ID.
BZ#786737
Prior to this update, the node spent a considerably long time in the GATHER state. With this update, nodes in the OPERATIONAL state enter the GATHER state when receiving the JoinMSG signal. Now, all nodes enter the GATHER state, so nodes previously in the GATHER state no longer need to wait for token loss.
BZ#xxx
Prior to this update, the netfilter firewall blocked input and output packets. As a consequence, corosync could become suspended and fail to create memberships, and the cluster could not be used. This update uses the sockpair unix dgram socket to send packets to the multicast group.
BZ#794744
Prior to this update, corosync also autogenerated the node ID when the configuration file or the cluster manager (cman) already set one. This update modifies the underlying code to recognize user-set node IDs. Now, corosync autogenerates node IDs only when the user has not entered one.
BZ#xxx
Prior to this update, corosync sockets were bound to a peer's IP address instead of the local IP address when the IP address was configured as peer-to-peer (netmask /32). As a consequence, corosync was unable to create memberships. This update modifies the underlying code to use the correct information about the local IP address.
BZ#824902
Prior to this update, the corosync logic always used the first IP address that was found. As a consequence, users could not use more than one IP address on the same network. This update modifies the logic to use the first network address if no exact match was found. Now, users can bind to the IP address they select.
BZ#827100
Prior to this update, some sockets were not bound to a concrete IP address but listened on all interfaces in UDPU mode. As a consequence, users could encounter problems when configuring the firewall. This update binds all sockets correctly.
BZ#847232
Prior to this update, configuration file names that consisted of more than 255 characters could cause corosync to abort unexpectedly. This update returns the complete item value. In case of the old ABI, corosync prints an error. Now, corosync no longer aborts with longer names.
BZ#848210
Prior to this update, the corosync-notifyd output was considerably slow and corosync memory grew when dbus output was enabled. Memory was not freed when corosync-notifyd was closed. This update modifies the corosync-notifyd event handler not to wait when there is nothing to receive and send from or to dbus. Now, corosync frees memory when the IPC client exits and corosync-notifyd produces output at the speed of incoming events.
BZ#850757
Prior to this update, corosync dropped ORF tokens together with memb_join packets when using CPU timing on certain networks. As a consequence, the RRP interface could be wrongly marked as faulty. This update drops only memb_join messages.
BZ#861032
Prior to this update, the corosync.conf parser failed if the ring number was larger than the allowed maximum of 1. As a consequence, corosync could abort with a segmentation fault. This update adds a check to the corosync.conf parser. Now, an error message is printed if the ring number is larger than 1.
BZ#863940
Prior to this update, corosync stopped on multiple nodes. As a consequence, corosync could, under certain circumstances, abort with a segmentation fault. This update ensures that the corosync service no longer calls callbacks on unloaded services.
BZ#869609
Prior to this update, corosync could abort with a segmentation fault when a large number of corosync nodes were started together. This update modifies the underlying code to ensure that the NULL pointer is not dereferenced. Now, corosync no longer encounters segmentation faults when starting multiple nodes at the same time.
BZ#876908
Prior to this update, the corosync-objctl command with additional parameters could cause the error "Error reloading DB 11". This update removes the reloading function and handles changes of changed objects in the configuration database (confdb). Now, the logging level can be changed as expected.

Enhancements

BZ#770455
With this update, the corosync log includes the hostname and the process ID of the processes that join the cluster to allow for better troubleshooting.
BZ#123456
This update adds the manual page confdb_keys.8 to provide descriptions for corosync runtime statistics that are returned by corosync-objctl.
BZ#838743
This update adds the new trace level to filter corosync flow messages to improve debugging.
Users of corosync are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.31. cpuspeed

Updated cpuspeed packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The cpuspeed packages contain a daemon that dynamically changes speed of processors depending upon their current workload. This package also supports enabling CPU frequency scaling via in-kernel CPUfreq governors on Intel Centrino and AMD Athlon64/Opteron platforms.

Bug Fix

BZ#876738
Previously, the cpuspeed daemon used a naive method of getting the highest available scaling frequency. Consequently, on certain platforms, cpuspeed did not set the CPU to the correct maximum limit. A patch has been provided to address this issue and cpuspeed now sets the maximum speed correctly.
Users of cpuspeed are advised to upgrade to these updated packages, which fix this bug.
Updated cpuspeed packages that fix four bugs are now available for Red Hat Enterprise Linux 6.
The cpuspeed packages provide a daemon to manage the CPU frequency scaling.

Bug Fixes

BZ#642838
Prior to this update, the PCC driver used the “userspace” governor instead of the “ondemand” governor when loading. This update modifies the init script to also check the PCC driver.
BZ#738463
Prior to this update, the cpuspeed init script tried to set cpufrequency system files on a per-core basis, which was a deprecated procedure. This update sets thresholds globally.
BZ#616976
Prior to this update, the cpuspeed tool did not reset MIN and MAX values, when the configuration file was emptied. As a consequence, the MIN_SPEED or MAX_SPEED values were not reset as expected. This update adds conditionals in the init script to check these values. Now, the MIN_SPEED or MAX_SPEED values are reset as expected.
BZ#797055
Prior to this update, the init script did not handle the IGNORE_NICE parameter as expected. As a consequence, "-n" was added to command options when the IGNORE_NICE parameter was set. This update modifies the init script to stop adding the NICE option when using the IGNORE_NICE parameter.
All users of cpuspeed are advised to upgrade to these updated packages, which fix these bugs.

6.32. crash

Updated crash packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The crash packages provide a self-contained tool that can be used to investigate live systems, and kernel core dumps created from the netdump, diskdump, kdump, and Xen/KVM "virsh dump" facilities from Red Hat Enterprise Linux.

Upgrade to an upstream version

The crash packages have been upgraded to upstream version 6.1.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#840051)

Bug Fix

BZ#843093
A recent time-keeping backport to the Red Hat Enterprise Linux 6 kernel caused the crash utility to fail during initialization with the "crash: cannot resolve: xtime" error message. This update modifies crash to recognize and handle the time-keeping change in the kernel so that crash now successfully starts up as expected.

Enhancements

BZ#739094
The crash utility has been modified to support dump files in the firmware-assisted dump (fadump) format for the 64-bit PowerPC architecture.
BZ#834260
The "struct -o" option has been enhanced to accept a virtual address argument. If an address argument is entered, the structure members are prepended by their virtual address.
BZ#834276
The "bt" command has been enhanced by adding new "-s" and "[-xd]" options that allow displaying symbol names plus their offset in each frame. The default behavior is unchanged where only the symbol name is displayed. The symbol offset is expressed in the default output format, which can be overridden using the "-x" (hexadecimal) or "-d" (decimal) options.
All users of crash are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.33. createrepo

Updated createrepo packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The createrepo packages contain the utility that generates a common metadata repository from a directory of RPM packages.

Upgrade to an upstream version

The createrepo packages have been upgraded to upstream version 0.9.9, which provides a number of bug fixes and enhancements over the previous version, including support for multitasking in the createrepo utility. This update also modifies the "--update" option to use the SQLite database instead of the XML files in order to reduce memory usage. (BZ#631989, BZ#716235)

Bug Fix

BZ#833350
Previously, the createrepo utility ignored the "umask" command for files created in the createrepo cache directory. This behavior caused problems when more than one user was updating repositories. The bug has been fixed, and multiple users can now update repositories without complications.

Enhancements

BZ#646644
It is now possible to use the "createrepo" command with both the "--split" and the "--pkglist" options simultaneously.
BZ#714094
It is now possible to remove metadata from the repodata directory using the modifyrepo program. This update also enhances updating of the existing metadata.
All users of createrepo are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.34. ctdb

Updated ctdb packages that fix various bugs are now available for Red Hat Enterprise Linux 6.
The ctdb packages provide a clustered database based on Samba's Trivial Database (TDB) used to store temporary data.

Upgrade to an upstream version

The ctdb packages have been upgraded to upstream version 1.0.114.5, which provides a number of bug fixes over the previous version. (BZ#838885)

Bug Fixes

BZ#758367
While running ctdb on the GFS2 file system, ctdb could ban a stable node when another node was started or stopped. This bug has been fixed by the rebase and stable nodes no longer get banned in the described scenario.
BZ#821715
Previously, on the Glusterfs file system, the ctdb lock file and configuration files were shared. Consequently, the ctdbd daemon running on a node terminated unexpectedly when another node in the cluster was brought down. This bug has been fixed by the rebase and ctdbd no longer crashes in the described scenario.
BZ#866670
After removing a ctdb node, the "ctdb status" command reported the same number of nodes as before the node was removed. A patch has been provided to address this issue and "ctdb status" now returns an accurate number of nodes after a remove operation.
Users of ctdb are advised to upgrade to these updated packages, which fix these bugs.

6.35. curl

Updated curl packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The curl packages provide the cURL utility for getting files from HTTP, FTP, FILE, LDAP, LDAPS, DICT, TELNET, and TFTP servers, using any of the supported protocols. This utility offers many useful capabilities, such as proxy support, user authentication, FTP upload, HTTP post, and file transfer resume.

Bug Fixes

BZ#741935
The libssh2 library did not sufficiently reflect its ABI extensions in its version, which prevented the RPM dependency scanner from adding the correct dependency of libcurl on an updated version of libssh2. Consequently, if the user updated libcurl without first updating libssh2, the update ended with incorrect linkage of libcurl and the user was then unable to update libssh2 using yum. An explicit dependency of libcurl on an updated version of libssh2 has been added and yum can now be used to update libcurl.
BZ#746629
Previously, libcurl required certificates loaded from files to have unique file base names due to a limitation of the legacy API of NSS (Network Security Services). Some packages using libcurl did not fulfil this requirement and caused nickname collisions within NSS. Now, libcurl has been modified to use a newer API of NSS, which does not suffer from this limitation, and packages using libcurl are now allowed to load certificates from files with unrestricted file names.
BZ#813127
Previously, libcurl misinterpreted the Content-Length HTTP header when receiving data using the chunked encoding. Consequently, libcurl failed to read the last chunk of data and the transfer terminated prematurely. An upstream patch has been applied to fix the handling of the header and the chunked encoding in libcurl now works as expected.
BZ#841905
A sub-optimally chosen identifier in cURL source files clashed with an identifier from a public header file introduced in a newer version of libssh2, which prevented the curl package from a successful build. An upstream patch has been applied on cURL source files, which fixes the identifier collisions and the package now builds as expected.
BZ#738456
The OpenLDAP suite was recently modified to use NSS instead of OpenSSL as the SSL back end. This change led to collisions between libcurl and OpenLDAP on NSS initialization and shutdown. Consequently, applications that were using both libcurl and OpenLDAP failed to establish SSL connections. This update modifies libcurl to use the same NSS API as OpenLDAP, which prevents collisions from occurring. Applications using OpenLDAP and libcurl can now connect to the LDAP server over SSL as expected.
BZ#719938
As a solution to a security issue, GSSAPI credential delegation was disabled, which broke the functionality of applications that were relying on delegation, incorrectly enabled by libcurl. To fix this issue, the CURLOPT_GSSAPI_DELEGATION libcurl option has been introduced in order to enable delegation explicitly when applications need it. All applications using GSSAPI credential delegation can now use this new libcurl option to be able to run properly.
BZ#772642
SSL connections could not be established with libcurl if the selected NSS database was broken or invalid. This update modifies the code of libcurl to initialize NSS without a valid database, which allows applications to establish SSL connections as expected.
BZ#873789
Previously, libcurl incorrectly checked return values of the SCP/SFTP write functions provided by libssh2. Negative values returned by those functions were treated as negative download amounts, which caused applications to terminate unexpectedly. With this update, all negative values are treated as errors and as such are properly handled on the libcurl level, thus preventing the crashes.
BZ#879592
Prior to this update, libcurl used an obsolete libssh2 API for uploading files over the SCP protocol, which limited the maximum size of files being transferred on 32-bit architectures. Consequently, the 32-bit packages of libcurl were unable to transfer large files over SCP. With this update, a new libssh2 API for SCP uploads is used, which does not suffer from this limitation, thus fixing this bug.
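
The return-value handling fixed in BZ#873789 above, as an added example that is not libcurl or libssh2 code: the same sequence of write results is accounted once without a check and once with negative values treated as errors. The error codes, struct xfer, the sample results and the split into retryable and fatal errors are assumptions of this sketch.

```c
/* Added example: constructed stand-ins, not libcurl or libssh2 source. */
#include <stdio.h>
#include <stddef.h>
#include <sys/types.h>          /* ssize_t */

/* Constructed error codes; a real transport library defines its own. */
#define FAKE_ERR_AGAIN   (-37)  /* would block, caller may retry */
#define FAKE_ERR_SOCKET  (-7)   /* transport failure */

enum xfer_status { XFER_OK, XFER_RETRY, XFER_FAILED };

struct xfer {
    long long bytes_done;       /* progress reported to the application */
    enum xfer_status status;    /* outcome of the most recent write call */
};

/* Constructed results of five successive write calls on one upload. */
static const ssize_t SAMPLE[] = {
    4096, FAKE_ERR_AGAIN, 4096, FAKE_ERR_SOCKET, 4096
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* Flawed: any return value is trusted as a byte count, so an error code
 * is subtracted from the progress counter and the failure goes unnoticed. */
static void account_unchecked(struct xfer *x, ssize_t rc)
{
    x->bytes_done += rc;
}

/* Corrected: a negative value is an error and never reaches the counter. */
static void account_checked(struct xfer *x, ssize_t rc)
{
    if (rc < 0) {
        x->status = (rc == FAKE_ERR_AGAIN) ? XFER_RETRY : XFER_FAILED;
        return;
    }
    x->bytes_done += rc;
    x->status = XFER_OK;
}

/* Replays the scripted write results through one of the two accounting
 * functions and returns the state the application would see afterwards. */
static struct xfer run_transfer(const ssize_t *results, size_t n, int checked)
{
    struct xfer x = { 0, XFER_OK };
    size_t i;

    for (i = 0; i < n; i++) {
        if (checked) {
            account_checked(&x, results[i]);
            if (x.status == XFER_FAILED)
                break;          /* abort and surface the error */
        } else {
            account_unchecked(&x, results[i]);
        }
    }
    return x;
}

int main(void)
{
    struct xfer u = run_transfer(SAMPLE, SAMPLE_LEN, 0);
    struct xfer c = run_transfer(SAMPLE, SAMPLE_LEN, 1);

    printf("unchecked: bytes_done=%lld status=%d\n", u.bytes_done, (int)u.status);
    printf("checked:   bytes_done=%lld status=%d\n", c.bytes_done, (int)c.status);
    return 0;
}
```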

Enhancements

BZ#676596
Previously, libcurl provided only HTTP status codes in error messages when reporting HTTP errors. This could confuse users not familiar with HTTP. Now, libcurl has been improved to include the HTTP reason phrase in error messages, thus providing more understandable output.
BZ#730445
This update introduces a new option, --delegation, which enables Kerberos credential delegation in cURL.
Users of curl are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.36. cvs

An updated cvs package that fixes two bugs is now available for Red Hat Enterprise Linux 6.
[Update 19 November 2012] The file list of this advisory was updated to move the new cvs-inetd package from the base repository to the optional repository in the Client and HPC Node variants. No changes have been made to the packages themselves.
The Concurrent Versions System (CVS) is a version control system that can record the history of your files. CVS only stores the differences between versions, instead of every version of every file you have ever created. CVS also keeps a log of who, when, and why changes occurred.
BZ#671145
Prior to this update, the C shell (csh) did not set the CVS_RSH environment variable to "ssh" and the remote shell (rsh) was used instead when the users accessed a remote CVS server. As a consequence, the connection was vulnerable to attacks because the remote shell is not encrypted or not necessarily enabled on every remote server. The cvs.csh script now uses valid csh syntax and the CVS_RSH environment variable is properly set at log-in.
BZ#695719
Prior to this update, the xinetd package was not a dependency of the cvs package. As a result, the CVS server was not accessible through the network. With this update, the cvs-inetd package, which contains the CVS inetd configuration file, ensures that the xinetd package is installed as a dependency and the xinetd daemon is available on the system.
All users of cvs are advised to upgrade to these updated packages, which fix these bugs.

6.37. dash

Updated dash packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The dash packages provide the POSIX-compliant Debian Almquist shell intended for small media like floppy disks.

Bug Fix

BZ#706147
Prior to this update, the dash shell was not an allowed login shell. As a consequence, users could not log in using the dash shell. This update adds dash to the /etc/shells list of allowed login shells when installing or upgrading the dash package and removes it from the list when uninstalling the package. Now, users can log in using the dash shell.
All users of dash are advised to upgrade to these updated packages, which fix this bug.

6.38. device-mapper-multipath

Updated device-mapper-multipath packages that fix numerous bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The device-mapper-multipath packages provide tools for managing multipath devices using the device-mapper multipath kernel module.

Bug Fixes

BZ#578114
When the kpartx tool tried to delete a loop device that was previously created, and the udev utility had this loop device still open, the delete process would fail with the EBUSY error and kpartx did not attempt to retry this operation. The kpartx tool has been modified to wait for one second and then retry deleting up to three times after the EBUSY error. As a result, loop devices created by kpartx are now always deleted as expected.
BZ#595692
The multipathd daemon only checked SCSI IDs when determining World Wide Identifiers (WWIDs) for devices. However, CCISS devices do not support SCSI IDs and could not be used by Device Mapper Multipath. With this update, multipathd checks CCISS devices for CCISS IDs properly and the devices are detected as expected.
BZ#810755
Some device configurations in the /usr/share/doc/device-mapper-multipath-0.X.X/multipath.conf.defaults file were out of date. Consequently, if users copied those configurations into the /etc/multipath.conf file, their devices would be misconfigured. The multipath.conf.defaults file has been updated and users can now copy configurations from it without misconfiguring their devices. Note that copying configurations from the multipath.conf.defaults file is not recommended as the configurations in that file are built into dm-multipath by default.
BZ#810788
Previously, Device Mapper Multipath stored multiple duplicate blacklist entries, which were consequently shown when listing the device-mapper-multipath's configuration. Device Mapper Multipath has been modified to check for duplicates before storing configuration entries and to store only the unique ones.
BZ#813963
Device Mapper Multipath had two Asymmetric Logical Unit Access (ALUA) prioritizers, which checked two different values. Certain ALUA setups were not correctly failing back to the primary path using either prioritizer because both values need to be checked and neither prioritizer checked them both. With this update, configuration options of both ALUA prioritizers now select the same prioritizer function, which checks both values as expected.
BZ#816717
When removing kpartx device partitions, the multipath -f option accepted only the device name, not the full pathname. Consequently, an attempt to delete a multipath device by the full pathname failed if the device had the kpartx partitions. Device Mapper Multipath has been modified to accept the full pathname when removing kpartx device partitions, and the deletion process no longer fails in the described scenario.
BZ#821885
Previously, the multipath -c option incorrectly listed SCSI devices, which were blacklisted by device type, as valid multipath path devices. As a consequence, Device Mapper Multipath could remove the partitions from SCSI devices that never ended up getting multipathed. With this update, multipath -c now checks if a SCSI device is blacklisted by device type, and reports it as invalid if it is.
BZ#822389
On reload, if a multipath device was not set to use the user_friendly_names parameter or a user-defined alias, Device Mapper Multipath would use its existing name instead of setting the WWID. Consequently, disabling user_friendly_names did not cause the multipath device names to change back to WWIDs on reload. This bug has been fixed and Device Mapper Multipath now sets the device name to its WWID if no user_friendly_names or user-defined aliases are set. As a result, disabling user_friendly_names now allows device names to switch back to WWIDs on reload.
BZ#829065
When the Redundant Disk Array Controller (RDAC) checker returned the DID_SOFT_ERROR error, Device Mapper Multipath did not retry running the RDAC checker. This behavior caused Device Mapper Multipath to fail paths for transient issues that may have been resolved if it retried the checker. Device Mapper Multipath has been modified to retry the RDAC checker if it receives the DID_SOFT_ERROR error and no longer fails paths due to this error.
BZ#831045
When a multipath vector, which is a dynamically allocated array, was shrunk, Device Mapper Multipath was not reassigning the pointer to the array. Consequently, if the array location was changed by the shrinking, Device Mapper Multipath would corrupt its memory with unpredictable results. The underlying source code has been modified and Device Mapper Multipath now correctly reassigns the pointer after the array has been shrunk.
BZ#836890
Device Mapper Multipath was occasionally assigning a WWID with a white space for AIX VDASD devices. As a consequence, there was no single WWID blacklist entry that could blacklist the device on all machines. With this update, Device Mapper Multipath assigns WWIDs without any white space characters for AIX VDASD devices, so that all machines assign the same WWID to an AIX VDASD device and the user is always able to blacklist the device on all machines.
BZ#841732
If two multipath devices had their aliases swapped, Device Mapper Multipath switched their tables. Consequently, if the user switched aliases on two devices, any application using the device would be pointed to the incorrect Logical Unit Number (LUN). Device Mapper Multipath has been modified to check if the device's new alias matches a different multipath device, and if so, to not switch to it.
BZ#860748
Previously, Device Mapper Multipath did not check the device type and WWID blacklists as soon as this information was available for a path device. Device Mapper Multipath has been modified to check the device type and WWID blacklists as soon as this information is available. As a result, Device Mapper Multipath no longer waits before blacklisting invalid paths.
BZ#869253
Previously, the multipathd daemon and the kpartx tool did not instruct the libdevmapper utility to skip the device creation process and let udev create it. As a consequence, sometimes libdevmapper created a block device in the /dev/mapper/ directory, and sometimes udev created a symbolic link in the same directory. With this update, multipathd and kpartx prevent libdevmapper from creating a block device and udev always creates a symbolic link in the /dev/mapper/ directory as expected.
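
The pointer reassignment described in BZ#831045 above, as an added example that is not device-mapper-multipath code: a shrink that discards the address returned by the reallocation beside one that adopts it. struct vec, moving_realloc() and the other helper names are hypothetical, and the allocator stand-in always relocates the block and zeroes the old one so the effect is reproducible without touching freed memory.

```c
/* Added example: constructed stand-ins, not device-mapper-multipath source. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct vec {
    size_t allocated;   /* number of slots */
    void **slot;        /* heap block holding the slots */
};

/* Every block handed out, so the demo can free them all at the end. */
static void *blocks[16];
static size_t n_blocks;

static void *tracked_alloc(size_t size)
{
    void *p = n_blocks < 16 ? malloc(size) : NULL;
    if (p)
        blocks[n_blocks++] = p;
    return p;
}

static void release_all(void)
{
    while (n_blocks > 0)
        free(blocks[--n_blocks]);
}

/*
 * Stand-in for realloc() that ALWAYS relocates. The old block is zeroed
 * instead of freed, so reading through a stale pointer is well defined here
 * and yields NULL slots; with the real realloc() it would be use-after-free.
 */
static void *moving_realloc(void *old, size_t old_size, size_t new_size)
{
    void *fresh = tracked_alloc(new_size);
    if (!fresh)
        return NULL;            /* like realloc(): old block left untouched */
    memcpy(fresh, old, old_size < new_size ? old_size : new_size);
    memset(old, 0, old_size);
    return fresh;
}

/* Flawed shrink: the possibly relocated block address is thrown away. */
static void vec_shrink_flawed(struct vec *v, size_t n)
{
    (void)moving_realloc(v->slot, v->allocated * sizeof *v->slot,
                         n * sizeof *v->slot);
    v->allocated = n;           /* v->slot still names the old block */
}

/* Corrected shrink: adopt the returned address, keep the vector on failure. */
static int vec_shrink(struct vec *v, size_t n)
{
    void **moved;

    if (n == 0 || n > v->allocated)
        return -1;
    moved = moving_realloc(v->slot, v->allocated * sizeof *v->slot,
                           n * sizeof *v->slot);
    if (!moved)
        return -1;
    v->slot = moved;
    v->allocated = n;
    return 0;
}

/* Builds a 4-slot vector, shrinks it to 2 and reports whether slot 0 still
 * holds the stored pointer: 1 if intact, 0 if lost, -1 on allocation failure. */
static int first_slot_survives(int use_fix)
{
    static int paths[4] = { 10, 11, 12, 13 };   /* constructed payload */
    struct vec v = { 4, NULL };
    int intact;
    size_t i;

    v.slot = tracked_alloc(v.allocated * sizeof *v.slot);
    if (!v.slot)
        return -1;
    for (i = 0; i < v.allocated; i++)
        v.slot[i] = &paths[i];

    if (use_fix) {
        if (vec_shrink(&v, 2) != 0) {
            release_all();
            return -1;
        }
    } else {
        vec_shrink_flawed(&v, 2);
    }

    intact = (v.slot[0] == (void *)&paths[0]);
    release_all();
    return intact;
}

int main(void)
{
    printf("flawed shrink keeps slot 0:    %d\n", first_slot_survives(0));
    printf("corrected shrink keeps slot 0: %d\n", first_slot_survives(1));
    return 0;
}
```

With the C library's realloc() a shrink often returns the same address, which is why this class of bug can stay latent until the allocator relocates the block.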

Enhancements

BZ#619173
This enhancement adds a built-in configuration for SUN StorageTek 6180 to Device Mapper Multipath.
BZ#735459
To set up persistent reservations on multipath devices, it was necessary to set it up on all of the path devices. If a path device was added later, the user had to manually add reservations to that path. This enhancement adds the ability to set up and manage SCSI persistent reservations using device-mapper devices with the mpathpersist utility. As a result, when path devices are added, persistent reservations are set up as well.
BZ#810989
This enhancement updates the multipathd init script to load the dm-multipath module, so that users do not have to do this manually in cases when no /etc/multipath.conf file is present during boot. Note that it is recommended to create the multipath.conf file by running the mpathconf --enable command, which also loads the dm-multipath module.
BZ#818367
When the RDAC path device is in service mode, it is unable to handle I/O requests. With this enhancement, Device Mapper Multipath puts an RDAC path device into a failed state if it is in the service mode.
BZ#839386
This update adds two new options to the defaults and devices sections of the multipath.conf file: the retain_attached_hw_handler option and the detect_prio option. By default, both of these options are set to no in the defaults section of the multipath.conf file. However, they are set to yes in the NETAPP/LUN device configuration file. If retain_attached_hw_handler is set to yes and the SCSI layer has attached a hardware handler to the device, Device Mapper Multipath sets the hardware as usual. If detect_prio is set to yes, Device Mapper Multipath will check if the device supports ALUA. If so, it automatically sets the prioritizer to the alua value. If the device does not support ALUA, Device Mapper Multipath sets the prioritizer as usual. This behavior allows NETAPP devices to work in ALUA or non-ALUA mode without making users change to built-in config.
In order for retain_attached_hw_handler to work, the SCSI layer must have already attached the device handler. To do this, the appropriate scsi_dh_XXX module, for instance scsi_dh_alua, must be loaded before the SCSI layer discovers the devices. To guarantee this, add the following parameter to the kernel command line:
rdloaddriver=scsi_dh_XXX

6.39. dhcp

Updated dhcp packages that fix one security issue and two bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The dhcp packages provide the Dynamic Host Configuration Protocol (DHCP) that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address.

Security Fix

CVE-2012-3955
A flaw was found in the way the dhcpd daemon handled the expiration time of IPv6 leases. If dhcpd's configuration was changed to reduce the default IPv6 lease time, lease renewal requests for previously assigned leases could cause dhcpd to crash.

Bug Fixes

BZ#803540
Prior to this update, the DHCP server discovered only the first IP address of a network interface if the network interface had more than one configured IP address. As a consequence, the DHCP server failed to restart if the server was configured to serve only a subnet of the following IP addresses. This update modifies network interface addresses discovery code to find all addresses of a network interface. The DHCP server can also serve subnets of other addresses.
BZ#824622
Prior to this update, the dhclient rewrote the /etc/resolv.conf file with backup data after it was stopped even when the PEERDNS flag was set to "no" before shut down if the configuration file was changed while the dhclient ran with PEERDNS=yes. This update removes the backing up and restoring functions for this configuration file from the dhclient-script. Now, the dhclient no longer rewrites the /etc/resolv.conf file when stopped.
All users of DHCP are advised to upgrade to these updated packages, which fix these issues. After installing this update, all DHCP servers will be restarted automatically.

6.40. dnsmasq

Updated dnsmasq packages that fix one security issue, one bug, and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.

Security Fix

CVE-2012-3411
It was discovered that dnsmasq, when used in combination with certain libvirtd configurations, could incorrectly process network packets from network interfaces that were intended to be prohibited. A remote, unauthenticated attacker could exploit this flaw to cause a denial of service via DNS amplification attacks.
In order to fully address this issue, libvirt package users are advised to install updated libvirt packages. Refer to RHSA-2013:0276 for additional information.

Bug Fix

BZ#815819
Due to a regression, the lease change script was disabled. Consequently, the "dhcp-script" option in the /etc/dnsmasq.conf configuration file did not work. This update corrects the problem and the "dhcp-script" option now works as expected.

Enhancements

BZ#824214
Prior to this update, dnsmasq did not validate that the tftp directory given actually existed and was a directory. Consequently, configuration errors were not immediately reported on startup. This update improves the code to validate the tftp root directory option. As a result, fault finding is simplified especially when dnsmasq is called by external processes such as libvirt.
BZ#850944
The dnsmasq init script used an incorrect Process Identifier (PID) in the "stop", "restart", and "condrestart" commands. Consequently, if there were some dnsmasq instances running besides the system one started by the init script, then repeated calling of "service dnsmasq" with "stop" or "restart" would kill all running dnsmasq instances, including ones not started with the init script. The dnsmasq init script code has been corrected to obtain the correct PID when calling the "stop", "restart", and "condrestart" commands. As a result, if there are dnsmasq instances running in addition to the system one started by the init script, then by calling "service dnsmasq" with "stop" or "restart" only the system one is stopped or restarted.
BZ#887156
When two or more dnsmasq processes were running with DHCP enabled on one interface, DHCP RELEASE packets were sometimes lost. Consequently, when two or more dnsmasq processes were running with DHCP enabled on one interface, releasing IP addresses sometimes failed. This update sets the SO_BINDTODEVICE socket option on DHCP sockets if running dnsmasq with DHCP enabled on one interface. As a result, when two or more dnsmasq processes are running with DHCP enabled on one interface, they can release IP addresses as expected.
All users of dnsmasq are advised to upgrade to these updated packages, which fix these issues and add these enhancements.

6.41. docbook-utils

Updated docbook-utils packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The docbook-utils packages provide a set of utility scripts to convert and analyze SGML documents in general, and DocBook files in particular. The scripts are used to convert from DocBook or other SGML formats into file formats like HTML, man, info, RTF and many more.

Bug Fix

BZ#639866
Prior to this update, the Perl script used for generating manpages contained a misprint in the header. As a consequence, the header syntax of all manual pages that docbook-utils built was wrong. This update corrects the script. Now the manual page headers have the right syntax.
All users of docbook-utils are advised to upgrade to these updated packages, which fix this bug.

6.42. dovecot

Updated dovecot packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Dovecot is an IMAP server, written with security primarily in mind, for Linux and other UNIX-like systems. It also contains a small POP3 server. It supports mail in either of maildir or mbox formats. The SQL drivers and authentication plug-ins are provided as sub-packages.

Security Fixes

CVE-2011-2166, CVE-2011-2167
Two flaws were found in the way some settings were enforced by the script-login functionality of Dovecot. A remote, authenticated user could use these flaws to bypass intended access restrictions or conduct a directory traversal attack by leveraging login scripts.
CVE-2011-4318
A flaw was found in the way Dovecot performed remote server identity verification, when it was configured to proxy IMAP and POP3 connections to remote hosts using TLS/SSL protocols. A remote attacker could use this flaw to conduct man-in-the-middle attacks using an X.509 certificate issued by a trusted Certificate Authority (for a different name).

Bug Fix

BZ#697620
When a new user first accessed their IMAP inbox, Dovecot was, under some circumstances, unable to change the group ownership of the inbox directory in the user's Maildir location to match that of the user's mail spool (/var/mail/$USER). This correctly generated an "Internal error occurred" message. However, with a subsequent attempt to access the inbox, Dovecot saw that the directory already existed and proceeded with its operation, leaving the directory with incorrectly set permissions. This update corrects the underlying permissions setting error. When a new user now accesses their inbox for the first time, and it is not possible to set group ownership, Dovecot removes the created directory and generates an error message instead of keeping the directory with incorrect group ownership.
Users of dovecot are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the dovecot service will be restarted automatically.

6.43. dracut

Updated dracut packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
The dracut packages include an event-driven initramfs generator infrastructure based on the udev device manager. The virtual file system, initramfs, is loaded together with the kernel at boot time and initializes the system, so it can read and boot from the root partition.

Bug Fixes

BZ#835646
Previously, dracut could not handle uppercase MAC addresses for the PXE "BOOTIF=" parameter. As a consequence, a machine with a dracut-generated initramfs could not boot over the network when the "BOOTIF=" parameter contained uppercase MAC addresses. With this update, dracut internally converts the MAC addresses to lowercase. Now, a machine with a dracut-generated initramfs can boot over the network successfully when the "BOOTIF=" parameter contains uppercase MAC addresses.
BZ#831338
Previously, the default mount option of the /proc/ directory during boot up was "mount -t proc -o nosuid,noexec,nodev proc /proc". This resulted in inaccessible device nodes in the /proc/ directory for some kernel drivers. The default mount option of the /proc directory has been changed to "mount -t proc proc /proc" and all kernel modules now load successfully.
BZ#794751
Previously, dracut could not use the Internet Small Computer System Interface (iSCSI) and dmsquash-live module together. As a consequence, it was not possible to boot from a live medium over iSCSI. After this update, a dracut-generated initramfs, which contains the iSCSI and dmsquash-live modules, is able to boot a live medium via iSCSI. This can be done using the kernel command "root=live:LABEL=<partition-or-iso-label> netroot=iscsi: ".
BZ#813057
Previously, the new Brocade switch firmware took longer to complete the DCBx negotiation and a dracut-generated initramfs did not wait long enough for the DCBx negotiation. Now, the initramfs sleeps for three seconds after loading the "802q" kernel module and the DCBx negotiation with the new Brocade switch firmware completes successfully.
BZ#843105
When using the "live_ram" parameter for booting from live media, the dracut-generated initramfs ejected the medium. After this action, a reboot caused the machine to not boot from the medium again, even if it was intended. After this update, dracut honors the "no_eject" kernel command-line parameter. Now, if "no_eject" is given on the kernel command-line, the dracut-generated initramfs no longer ejects the live medium after copying it to the RAM.
BZ#850493
In FIPS mode, the kernel image has to be validated by a checksum. The sha512hmac tool reads the absolute path of the file to check from the checksum file. Previously, if "/boot" was not on a separate file system, dracut mounted the root file system to "/sysroot". The "/sysroot/boot" partition was not accessible with the "/boot" path and the sha512hmac tool could not access the file in "/boot" that it had to check. The check failed and the boot process was cancelled. Consequently, the boot process did not succeed in FIPS mode if "/boot" was not on a separate file system. Now, dracut creates a symbolic link from the "/sysroot/boot" partition to the "/boot" partition in the initramfs, the sha512hmac tool can check the kernel image, and the machine can continue booting if the check was successful.
BZ#890081
Previously, the kernel module "scsi_dh_alua" was not included in the initramfs and as a consequence, "scsi_dh_alua" could not be preloaded via the "rdloaddriver" kernel command. The "scsi_dh_alua" kernel module is now included in the initramfs and "scsi_dh_alua" can be preloaded successfully using "rdloaddriver".
BZ#854416
Previously, dracut did not strip the kernel modules as mentioned in the man page. Consequently, initramfs size grew very big if the customer had kernel modules with a lot of debug info. The dracut utility now strips the kernel modules, except when in FIPS mode, and as a result, the initramfs size is smaller and can be loaded on machines with small memory.

Enhancements

BZ#823507
Documentation for the "rd_retry=" boot option has been added to the dracut(8) man page.
BZ#858187
The dracut utility can now boot from iSCSI on a network with virtual LANs configured, where the virtual LAN settings are stored in the iSCSI Boot Firmware Table BIOS.
Users of dracut are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.44. dropwatch

Updated dropwatch packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The dropwatch package contains a utility that provides packet monitoring services.

Bug Fix

BZ#725464
Prior to this update, the dropwatch utility could become unresponsive because it was waiting for a deactivation acknowledgement to be issued by an already deactivated or stopped service. With this update, dropwatch detects an attempt to deactivate/stop an already deactivated/stopped service and no longer hangs.
All users of dropwatch are advised to upgrade to these updated packages, which fix this bug.

6.45. dvd+rw-tools

Updated dvd+rw-tools packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The dvd+rw-tools packages contain a collection of tools to master DVD+RW/+R media.

Bug Fix

BZ#807474
Prior to this update, the growisofs utility wrote chunks of 32KB and reported an error during the last chunk when burning ISO image files that were not aligned to 32KB. This update allows the written chunk to be smaller than a multiple of 16 blocks.
All users of dvd+rw-tools are advised to upgrade to these updated packages, which fix this bug.

6.46. e2fsprogs

Updated e2fsprogs packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
The e2fsprogs packages provide a number of utilities for creating, checking, modifying, and correcting any inconsistencies in the ext2 file systems.

Bug Fixes

BZ#806137
On a corrupted file system, the "mke2fs -S" command could remove files instead of attempting to recover them. This bug has been fixed; the "mke2fs -S" command writes metadata properly and no longer removes files instead of recovering them.
BZ#813820
The resize2fs(8) man page did not list an ext4 file system as capable of on-line resizing. This omission has been fixed and the resize2fs(8) man page now includes all file systems that can be resized on-line.
BZ#858338
A special flag was used to indicate blocks allocated beyond the end of file on an ext4 file system. This flag was sometimes mishandled, resulting in file system corruption. Both the kernel and user space have been reworked to eliminate the use of this flag.

Enhancement

BZ#824126
Previously, users could use the e2fsck utility on a mounted file system, although it was strongly recommended not to do so. Using the utility on a mounted file system led to file system corruption. With this update, e2fsck opens the file system exclusively and fails when the file system is busy. This behavior avoids possible corruption of the mounted file system.
Users of e2fsprogs are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.47. eclipse-nls

Updated eclipse-nls packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The eclipse-nls packages provide Native Language Support langpacks for the Eclipse IDE that contain translations into many languages.

Upgrade to an upstream version

The eclipse-nls packages have been upgraded to upstream version 3.6.0.v20120721114722, which updates the language packs and provides a number of bug fixes and enhancements over the previous version. (BZ#692358)
All users of eclipse-nls are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.48. environment-modules

Updated environment-modules packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The environment-modules packages provide for the dynamic modification of a user's environment using modulefiles. Each modulefile contains the information needed to configure the shell for an application. Once the package is initialized, the environment can be modified on a per-module basis using the module command which interprets modulefiles.

Upgrade to an upstream version

The environment-modules package has been upgraded to upstream version 3.2.9c, which provides a number of bug fixes over the previous version. (BZ#765630)

Bug Fixes

BZ#818177
Due to an error in the Tcl library, some allocated pointers were invalidated inside the library. Consequently, running the "module switch" command in the tcsh shell led to a segmentation fault. The bug has been fixed and the system memory is now allocated and pointed to correctly.
BZ#848865
Previously, the /usr/share/Modules/modulefiles/modules file contained an incorrect path. Consequently, an error occurred when the "module load modules" command was executed. With this update, the incorrect path has been replaced and the described error no longer occurs.
All users of environment-modules are advised to upgrade to these updated packages, which fix these bugs.

6.49. espeak

Updated espeak packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The espeak packages contain a software speech synthesizer for English and other languages. eSpeak uses a "formant synthesis" method, which allows many languages to be provided in a small size.

Bug Fix

BZ#789997
Previously, eSpeak manipulated the system sound volume. As a consequence, eSpeak could set the sound volume to maximum regardless of the amplitude specified. The sound volume management code has been removed from eSpeak, and now only PulseAudio manages the sound volume.
All users of espeak are advised to upgrade to these updated packages, which fix this bug.

6.50. ethtool

Updated ethtool packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The ethtool utility allows the querying and changing of Ethernet adapter settings, such as port speed, auto-negotiation, and device-specific performance options.

Upgrade to an upstream version

The ethtool packages have been upgraded to upstream version 3.5, which provides a number of bug fixes and enhancements over the previous version. (BZ#819846)
All users of ethtool are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.51. evolution-data-server

Updated evolution-data-server packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The evolution-data-server packages provide a unified back end for applications which interact with contacts, task and calendar information. Evolution Data Server was originally developed as a back end for Evolution, but is now used by various other applications.

Bug Fix

BZ#734048
The CalDav calendar back end was converting Uniform Resource Identifiers (URIs) with unescaped space characters or the "%20" string to "%2520". As a consequence, the back end could not contact the remote CalDav service, which caused CalDav calendars to be inaccessible. This bug has been fixed and evolution-data-server works correctly in the described scenario.
All users of evolution-data-server are advised to upgrade to these updated packages, which fix this bug.

6.52. evolution

Updated evolution packages that fix one security issue and three bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Evolution is the GNOME mailer, calendar, contact manager and communication tool. The components which make up Evolution are tightly integrated with one another and act as a seamless personal information-management tool.

Security Fix

CVE-2011-3201
The way Evolution handled mailto URLs allowed any file to be attached to the new message. This could lead to information disclosure if the user did not notice the attached file before sending the message. With this update, mailto URLs cannot be used to attach certain files, such as hidden files or files in hidden directories, files in the /etc/ directory, or files specified using a path containing "..".
Red Hat would like to thank Matt McCutchen for reporting this issue.
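The path restrictions listed above for CVE-2011-3201, written out as an added example in C; this is not Evolution's code. The function names, the 4096-byte buffer and the sample values are assumptions made for illustration, the attach value is treated as a percent-encoded file system path, and ".." is matched as a substring, following the wording of the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: value of one hex digit, or -1 if not a hex digit. */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src into dst. Returns -1 on a truncated or non-hex escape,
 * an encoded NUL byte, or output that does not fit; 0 on success. */
static int percent_decode(const char *src, char *dst, size_t dst_len)
{
    size_t o = 0;

    if (dst_len == 0) return -1;
    while (*src) {
        unsigned char ch;
        if (*src == '%') {
            int hi = hex_val(src[1]);
            int lo = hi < 0 ? -1 : hex_val(src[2]);
            if (hi < 0 || lo < 0) return -1;
            ch = (unsigned char)(hi * 16 + lo);
            if (ch == 0) return -1;      /* "%00" would truncate the path */
            src += 3;
        } else {
            ch = (unsigned char)*src++;
        }
        if (o + 1 >= dst_len) return -1;
        dst[o++] = (char)ch;
    }
    dst[o] = '\0';
    return 0;
}

/* Apply the rules to an already decoded path: no "..", no hidden file or
 * directory, nothing under /etc. The check is lexical only. */
bool attachment_path_allowed(const char *path)
{
    const char *p = path;
    bool absolute, first = true;

    if (path == NULL || *path == '\0') return false;
    if (strstr(path, "..") != NULL) return false;

    absolute = (*p == '/');
    while (*p) {
        size_t len;
        while (*p == '/') p++;           /* treat "//" like "/" */
        len = strcspn(p, "/");
        if (len == 0) break;             /* trailing slash */
        if (p[0] == '.') return false;   /* hidden component, or "." */
        if (first && absolute && len == 3 && strncmp(p, "etc", 3) == 0)
            return false;                /* /etc and everything below it */
        first = false;
        p += len;
    }
    return !first;                       /* "/" alone names no file */
}

/* Decode first, then check: the rules must see what the file system sees. */
bool mailto_attach_allowed(const char *encoded_value)
{
    char path[4096];

    if (encoded_value == NULL) return false;
    if (percent_decode(encoded_value, path, sizeof path) != 0) return false;
    return attachment_path_allowed(path);
}

int main(void)
{
    /* Constructed sample values, not taken from any real message. */
    const char *samples[] = {
        "/home/user/report.pdf",
        "/home/user/my%20notes.txt",
        "%2Fetc%2Fpasswd",
        "//etc//shadow",
        "/home/user/.ssh/id_rsa",
        "/home/user/docs/%2E%2E/%2E%2E/etc/passwd",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s %s\n", samples[i],
               mailto_attach_allowed(samples[i]) ? "allowed" : "refused");
    return 0;
}
```

Because the check is lexical, a symbolic link in an allowed directory that points into /etc still passes it; a caller that has to cover that case must resolve the path (for example with realpath()) before applying the same rules.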

Bug Fixes

BZ#707526
Creating a contact list with contact names encoded in UTF-8 caused these names to be displayed in the contact list editor in the ASCII encoding instead of UTF-8. This bug has been fixed and the contact list editor now displays the names in the correct format.
BZ#805239
Due to a bug in the evolution-alarm-notify process, calendar appointment alarms did not appear in some types of calendars. The underlying source code has been modified and calendar notifications work as expected.
BZ#890642
An attempt to print a calendar month view as a PDF file caused Evolution to terminate unexpectedly. This update applies a patch to fix this bug and Evolution no longer crashes in this situation.
All evolution users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Evolution must be restarted for this update to take effect.

6.53. fcoe-target-utils

Updated fcoe-target-utils packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The fcoe-target-utils packages provide a command-line interface for configuring FCoE LUNs (Fibre Channel over Ethernet Logical Unit Numbers) and backstores.

Bug Fixes

BZ#819698
Prior to this update, stopping the fcoe-target daemon did not stop the target session when rebooting. This update improves the fcoe-target script and the fcoe-target daemon can now properly shut down the kernel target.
BZ#824227
Prior to this update, a delay in the FCoE interface initialization sometimes resulted in the target configuration not being loaded for that interface. This update permits target configuration for absent interfaces, allowing target and interface configuration in any order.
BZ#837730
Prior to this update, specifying a nonexistent backing file when creating a backstore resulted in the unhelpful Python error "ValueError: No such path". This update reports the error in a more helpful way.
BZ#837992
Prior to this update, attempting to remove a storage object in a backstore resulted in a Python error. This update fixes the problem and storage objects can now be removed as expected.
BZ#838442
Prior to this update, attempting to redirect the output of targetcli resulted in a Python error. This update allows targetcli to be successfully redirected.
BZ#846670
Due to a regression, creating a backstore resulted in a Python error. This update allows backstore creation without error.

Enhancements

BZ#828096
Prior to this update, backstore size listing abbreviations did not clearly distinguish between power of 10 (for example Gigabyte) and power of 2 (Gibibyte). This update lists backstore sizes using power-of-2 sizes and labels them as such.
BZ#828681
The caching characteristics of backstores are now exposed via the SCSI Write Cache Enable (WCE) bit to initiators, instead of being set opaquely via the "buffered-mode" backstore setting. The default setting for WCE is "on".
All users of fcoe-target-utils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.54. fcoe-utils

Updated fcoe-utils packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The fcoe-utils packages provide Fibre Channel over Ethernet (FCoE) utilities, such as the fcoeadm command line tool for configuring FCoE interfaces, and the fcoemon service to configure DCB Ethernet QOS filters.

Upgrade to an upstream version

The fcoe-utils packages have been upgraded to upstream version 1.0.24, which provides a number of bug fixes and enhancements over the previous version.

Bug Fix

BZ#867117
When turning off DCB on a Fibre Channel over Ethernet (FCoE) initiator interface connected to a Cisco Fibre Channel Forwarder (FCF), the fcoemon utility disabled the interface but the FCoE interface was re-enabled by a Netlink event before DCB was operational again. Consequently, the interface did not operate in degraded mode with LUNS present as expected and the output of the "ip l" and "fcoeadm -i" commands was contradictory. A patch has been applied to the fcoemon utility to ensure DCB is operational again before enabling the FCoE interface when a link is brought up. In addition, a patch has been applied to fcoe-utils to improve error handling and error messages related to creating and deleting of FCoE interfaces when DCB is not ready.

Enhancement

BZ#826291
Support for VLAN notification with VLAN ID 0 has been added. If a VLAN notification has the tag "VLAN 0", the physical port will now be activated. The VLAN interface will not be created but FCoE will be started on the physical interface itself.
All users of fcoe-utils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.55. febootstrap

Updated febootstrap packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The febootstrap packages provide a tool to create a basic Red Hat Enterprise Linux or Fedora file system, and build initramfs (initrd.img) or file system images.

Bug Fix

BZ#803962
The "febootstrap-supermin-helper" program is used when opening a disk image using the libguestfs API, or as part of virt-v2v conversion. Previously, this tool did not always handle the "-u" and "-g" options correctly when the host used an LDAP server to resolve user names and group names. This caused the virt-v2v command to fail when LDAP was in use. With this update, the "febootstrap-supermin-helper" program has been modified to parse the "-u" and "-g" options correctly, so that virt-v2v works as expected in the described scenario.
Users of febootstrap are advised to upgrade to these updated packages, which fix this bug.

6.56. fence-agents

Updated fence-agents packages that fix multiple bugs and add four enhancements are now available for Red Hat Enterprise Linux 6.
The fence-agents packages provide the Red Hat fence agents to handle remote power management for cluster devices. The fence-agents allow failed or unreachable nodes to be forcibly restarted and removed from the cluster.

Bug Fixes

BZ#769798
The speed of fencing is critical because otherwise, broken nodes have more time to corrupt data. Prior to this update, the operation of the fence_vmware_soap fence agent was slower than expected when used on the VMWare vSphere platform with hundreds of virtual machines. With this update, the fencing process is faster and does not terminate if virtual machines without a UID are encountered.
BZ#822507
Prior to this update, the attribute "unique" in XML metadata was set to TRUE (1) by default. This update modifies the underlying code to use FALSE (0) as the default value because fence agents do not use these attributes.
BZ#825667
Prior to this update, certain fence agents did not generate correct metadata output. As a result, it was not possible to use the metadata for automatic generation of manual pages and user interfaces. With this update, all fence agents generate their metadata as expected.
BZ#842314
Prior to this update, the fence_apc script failed to log into APC power switches where firmware changed the end-of-line marker from CR-LF to LF. This update modifies the script to log into a fence device as expected.
BZ#863568
Prior to this update, the fence_rhevm agent failed to run the regular expression get_id regex when using a new href attribute. As a consequence, the plug status was not available. This update modifies the underlying code to show the correct status either as ON or OFF.

Enhancements

BZ#740869
This update adds the fence_ipdu agent to support IBM iPDU fence devices in Red Hat Enterprise Linux 6.
BZ#752449
This update adds the fence_eaton agent to support Eaton ePDU (Enclosure Power Distribution Unit) devices in Red Hat Enterprise Linux 6.
BZ#800650
This update adds symlinks for common fence types that utilize standards-based agents in Red Hat Enterprise Linux 6.
BZ#818337
This update adds the fence_bladecenter agent to the fence-agents packages in Red Hat Enterprise Linux 6 to support the --missing-as-off feature for the HP BladeSystem to handle missing nodes as switched off nodes so that fencing can end successfully even if a blade is missing.
BZ#837174
This update supports action=metadata via standard input for all fence agents.
All users of fence-agents are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.57. fence-virt

Updated fence-virt packages that fix two bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
The fence-virt packages provide a fencing agent for virtual machines as well as a host agent, which processes fencing requests.

Bug Fixes

BZ#761228
Previously, the fence_virt man page contained incorrect information in the "SERIAL/VMCHANNEL PARAMETERS" section. With this update, the man page has been corrected.
BZ#853927
Previously, the fence_virtd daemon returned an incorrect error code to the fence_virt agent when the virt domain did not exist. Consequently, the fence_node utility occasionally failed to detect fencing. With this update, the error codes have been changed and the described error no longer occurs.

Enhancements

BZ#823542
The "delay" (-w) option has been added to the fence_virt and fence_xvm fencing agents. The delay option can be used, for example, as a method of preloading a winner in a fence race in a CMAN cluster.
BZ#843104
With this update, the documentation of the "hash" parameter in the fence_virt.conf file has been improved to notify that hash is the weakest hashing algorithm allowed for client requests.
All users of fence-virt are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.58. file

Updated file packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.
The "file" command is used to identify a particular file according to the type of data contained in the file. The command can identify various file types, including ELF binaries, system libraries, RPM packages, and different graphics formats.

Bug Fixes

BZ#795425
The file utility did not contain a "magic" pattern for detecting QED images and was therefore not able to detect such images. A new "magic" pattern for detecting QED images has been added, and the file utility now detects these images as expected.
BZ#795761
The file utility did not contain a "magic" pattern for detecting VDI images and was therefore not able to detect such images. A new "magic" pattern for detecting VDI images has been added, and the file utility now detects these images as expected.
BZ#797784
Previously, the file utility did not attempt to load "magic" patterns from the ~/.magic.mgc file, which caused "magic" patterns stored in this file to be unusable. This update modifies the file utility so it now attempts to load the ~/.magic.mgc file. The file is loaded if it exists and "magic" patterns defined in this file work as expected.
BZ#801711
Previously, the file utility used read timeout when decompressing files using the "-z" option. As a consequence, the utility was not able to detect files compressed by the bzip2 tool. The underlying source code has been modified so that file no longer uses read timeout when decompressing compressed files. Compressed files are now detected as expected when using the "-z" option.
BZ#859834
Previously, the file utility contained multiple "magic" patterns to detect output of the "dump" backup tool. On big-endian architectures, the less detailed "magic" pattern was used and output of the file utility was inconsistent. The less detailed "magic" pattern has been removed, and only one, more detailed, "magic" pattern to detect "dump" output is used now.
All users of file are advised to upgrade to these updated packages, which fix these bugs.

6.59. firstboot

Updated firstboot packages that add one enhancement are now available for Red Hat Enterprise Linux 6.
The firstboot utility runs after installation and guides the user through a series of steps that allows for easier configuration of the machine.

Enhancement

BZ#831818
Previously, the Firstboot utility allowed displaying only the English version of the End User Licence Agreement (EULA), which could be problematic for users who do not understand English. This update modifies Firstboot so that it uses the $LANG environment variable to find the localized EULA file according to the language set during installation. If the EULA file in the selected language is not found, the default EULA file, which is in English, is used. Users can now read the EULA document in the language chosen during installation before accepting it.
All users of firstboot are advised to upgrade to these updated packages, which add this enhancement.

6.60. ftp

Updated ftp packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The ftp package provides the standard UNIX command line File Transfer Protocol (FTP) client. FTP is a widely used protocol for transferring files over the Internet, and for archiving files.

Bug Fix

BZ#783868
Prior to this update, using the ftp command "put" when the stack size was set to unlimited caused the sysconf(_SC_ARG_MAX) function to return -1, which in turn resulted in the malloc() function being called with an argument of 0 and causing an "Out of memory" message to be displayed. With this update, the underlying source code has been improved to allocate a reasonable minimum of memory. As a result, the "Out of memory" message no longer appears if the stack size was previously set to unlimited.
All users of ftp are advised to upgrade to these updated packages, which fix this bug.
Updated ftp packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The ftp packages provide the standard UNIX command line File Transfer Protocol (FTP) client. FTP is a widely used protocol for transferring files over the Internet, and for archiving files.

Bug Fixes

BZ#869858
Prior to this update, the ftp client could encounter a buffer overflow and abort if a macro longer than 200 characters was defined and then used after a connection. This update modifies the underlying code and the buffer that holds memory for the macro name was extended. Now, ftp matches the length of the command line limit and the ftp client no longer aborts when a macro with a long name is executed.
All users of ftp are advised to upgrade to these updated packages, which fix this bug.
Updated ftp packages that fix four bugs are now available for Red Hat Enterprise Linux 6.
The ftp packages provide the standard UNIX command line File Transfer Protocol (FTP) client. FTP is a widely used protocol for transferring files over the Internet, and for archiving files.

Bug Fixes

BZ#665337
Previously, the command line width in the ftp client was limited to 200 characters. With this update, the maximum possible length of the FTP command line is extended to 4296 characters.
BZ#786004
Prior to this update, "append", "put", and "send" commands were causing system memory to leak. The memory holding the ftp command was not freed appropriately. With this update, the underlying source code has been improved to correctly free the system resources and the memory leaks are no longer present.
BZ#849940
Previously, the ftp client could not be invoked to run directly in the active mode. This functionality has been added to the source code and documented in the manual page. The client can now be executed with an additional "-A" command line parameter and will run in the active mode.
BZ#852636
Previously, the ftp client hung when the ftp-data port (20) was not available (e.g. was blocked). The client then had to be terminated manually. Additional logic has been added to the source code. With this update, ftp has an internal timeout set to 30 seconds. If there is no answer from the server when this time has passed, ftp will now gracefully time out and not hang.
All users of ftp are advised to upgrade to these updated packages, which fix these bugs.

6.61. gawk

Updated gawk packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The gawk packages provide the GNU version of the text processing utility awk. Awk interprets a special-purpose programming language to do quick and easy text pattern matching and reformatting jobs.

Bug Fix

BZ#829558
Prior to this update, the "re_string_skip_chars" function incorrectly used the character count instead of the raw length to estimate the string length. As a consequence, any text in multi-byte encoding that did not use the UTF-8 format failed to be processed correctly. This update modifies the underlying code so that the correct string length is used. Multi-byte encoding is now processed correctly.
All users of gawk requiring multi-byte encodings that do not use UTF-8 are advised to upgrade to these updated packages, which fix this bug.

6.62. gcc

Updated gcc packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The gcc packages provide compilers for C, C++, Java, Fortran, Objective C, and Ada 95 GNU, as well as related support libraries.

Bug Fixes

BZ#801144
Due to the incorrect size of a pointer in GCC GNAT code, GNAT used an incorrect function of the libgcc library when compiling 32-bit Ada binaries on PowerPC architecture. Consequently, these programs could not be linked and the compilation failed. This update fixes the problem so that the sizeof operator now returns the correct size of a pointer, and the appropriate function from libgcc is called. GNAT compiles Ada binaries as expected in this scenario.
BZ#808590
The Standard Template Library (STL) contained an incomplete move semantics implementation, which could cause GCC to generate incorrect code. The incorrect headers have been fixed so that GCC now produces the expected code when depending on move semantics.
BZ#819100
GCC did not, under certain circumstances, handle generating a CPU instruction sequence that would be independent of indexed addressing on PowerPC architecture. As a consequence, an internal compiler error occurred if the "__builtin_bswap64" built-in function was called with the "-mcpu=power6" option. This update corrects the relevant code so that GCC now generates an alternate instruction sequence that does not depend on indexed addressing in this scenario.
BZ#821901
A bug in converting the exception handling region could cause an internal compiler error to occur when compiling profile data with the "-fprofile-use" and "-freorder-basic-blocks-and-partition" options. This update fixes the erroneous code and the compilation of profile data now proceeds as expected in this scenario.
BZ#826882
Previously, GCC did not properly handle certain situations when an enumeration was type cast using the static_cast operator. Consequently, an enumeration item could have been assigned an integer value greater than the highest value of the enumeration's range. If the compiled code contained testing conditions using such enumerations, those checks were incorrectly removed from the code during code optimization. With this update, GCC was modified to handle enumeration type casting properly and C++ now no longer removes the mentioned checks.
BZ#831832
Previously, when comparing trees for equality, the members of a union or structure were not handled properly in the C++ compiler. This led to an internal compiler error. This update modifies GCC so that unions and structures are now handled correctly and code that uses tree equality comparison is now compiled successfully.
BZ#867878
GCC previously processed the "srak" instructions without the z196 flag, which enables a compiler to work with these instructions. Consequently, some binaries, such as Firefox, could not be compiled on IBM System z and IBM S/390 architectures. With this update, GCC has been modified to support the z196 flag for the srak instructions, and binaries requiring these instructions can now be compiled successfully on IBM System z and IBM S/390 architectures.
All users of gcc are advised to upgrade to these updated packages, which fix these bugs.

6.63. gdb

Updated gdb packages that fix one security issue and three bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The GNU Debugger (GDB) allows debugging of programs written in C, C++, Java, and other languages by executing them in a controlled fashion and then printing out their data.

Security Fix

CVE-2011-4355
GDB tried to auto-load certain files (such as GDB scripts, Python scripts, and a thread debugging library) from the current working directory when debugging programs. This could result in the execution of arbitrary code with the user's privileges when GDB was run in a directory that has untrusted content.

Note

With this update, GDB no longer auto-loads files from the current directory and only trusts certain system directories by default. The list of trusted directories can be viewed and modified using the "show auto-load safe-path" and "set auto-load safe-path" GDB commands. Refer to the GDB manual for further information:

Bug Fixes

BZ#795424
When a struct member was at an offset greater than 256 MB, the resulting bit position within the struct overflowed and caused an invalid memory access by GDB. With this update, the code has been modified to ensure that GDB can access such positions.
BZ#811648
When a thread list of the core file became corrupted, GDB did not print this list but displayed the "Cannot find new threads: generic error" error message instead. With this update, GDB has been modified and it now prints the thread list of the core file as expected.
BZ#836966
GDB did not properly handle debugging of multiple binaries with the same build ID. This update modifies GDB to use symbolic links created for particular binaries so that debugging of binaries that share a build ID now proceeds as expected. Debugging of live programs and core files is now more user-friendly.
All users of gdb are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

6.64. gdm

Updated gdm packages that fix four bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
The gdm packages provide the GNOME Display Manager (GDM), which implements the graphical login screen, shown shortly after boot up, log out, and when user-switching.

Bug Fixes

BZ#616755
Previously, the gdm_smartcard_extension_is_visible() function returned "TRUE" instead of the "ret" variable. Consequently, the smartcard login could not be disabled in the system-config-authentication window if the pcsd package was installed. With this update, gdm_smartcard_extension_is_visible() has been modified to return the correct value. As a result, the described error no longer occurs.
BZ#704245
When GDM was used to connect to a host via XDMCP (X Display Manager Control Protocol), another connection to a remote system using the "ssh -X" command resulted in failed authentication with the X server. Consequently, applications such as xterm could not be displayed on a remote system. This update provides a compatible MIT-MAGIC-COOKIE-1 key in the described scenario, thus fixing this incompatibility.
BZ#738462
Previously, X server audit messages were not included by default in the X server log. Now, those messages are unconditionally included in the log. Also, with this update, verbose messages are added to the X server log if debugging is enabled in the /etc/gdm/custom.conf file by setting "Enable=true" in the "debug" section.
BZ#820058
Previously, after booting the system, the following message occurred in the /var/log/gdm/:0-greeter.log file:
gdm-simple-greeter[PID]: Gtk-WARNING: gtkwidget.c:5460: widget not within a GtkWindow
With this update, this warning is no longer displayed.

Enhancements

BZ#719647
With this update, GDM has been modified to allow smartcard authentication when the visible user list is disabled.
BZ#834303
Previously, the GDM debugging logs were stored in the /var/log/messages file. With this update, a separate /var/log/gdm/daemon.log file has been established for these debugging logs.
All users of gdm are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.65. gd

Updated gd packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The gd packages provide the gd graphics library. GD allows code to draw images as PNG or JPEG files.
BZ#790400
Prior to this update, the gd graphics library handled inverted Y coordinates incorrectly when changing the thickness of a line. As a consequence, lines with changed thickness were drawn incorrectly. This update modifies the underlying code to draw lines with changed thickness correctly.
All users of gd are advised to upgrade to these updated packages, which fix this bug.

6.66. geronimo-specs

Updated geronimo-specs packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The geronimo-specs packages provide the specifications for Apache's ASF-licenced J2EE server Geronimo.

Bug Fix

BZ#818755
Prior to this update, the geronimo-specs-compat package description contained inaccurate references. This update removes these references so that the description is now accurate.
All users of geronimo-specs are advised to upgrade to these updated packages, which fix this bug.

6.67. glibc

Updated glibc packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.
The glibc packages provide the standard C and standard math libraries, which are used by multiple programs on the system. These libraries are required for the Linux system to function correctly.

Bug Fixes

BZ#804686
Prior to this update, a logic error caused the DNS code of glibc to incorrectly handle rejected responses from DNS servers. As a consequence, additional servers in the "/etc/resolv.conf" file could not be searched after one server responded with a REJECT. This update modifies the logic in the DNS code. Now, glibc cycles through the servers listed in "/etc/resolv.conf" even if one returns a REJECT response.
BZ#806404
Prior to this update, the "nss/getnssent.c" file contained an unchecked malloc call and an incorrect loop test. As a consequence, glibc could abort unexpectedly. This update modifies the malloc call and the loop test.
BZ#809726
Prior to this update, locale data for the characters in the range a-z were incorrect in the Finnish locale. As a consequence, some characters in the range a-z failed to print correctly in the Finnish locale. This update modifies the underlying code to provide the correct output for these characters. Now, characters in the Finnish locale print as expected.
BZ#823909
Prior to this update, the iconv() function or the "iconv" command did not handle the invalid multibyte character 0xffff when attempting to convert a file or string that used the IBM-930 code format to another format, such as UTF-8. As a consequence, a segmentation fault occurred. This update modifies the conversion code for the IBM-930 encoding to recognize this invalid character and handle it as an error.
BZ#826149
Prior to this update, the fnmatch() function failed with the return value -1 when the wildcard character "*" was part of the pattern argument and the filename argument contained an invalid multibyte encoding. This update modifies the fnmatch() code to recognize this case. Now, the invalid characters are treated as not matching and then the process proceeds.
BZ#827362
Prior to this update, the internal FILE offset was set incorrectly in wide character streams. As a consequence, the offset returned by ftell was incorrect. In some cases, this could result in over-writing data. This update modifies the ftell code to correctly set the internal FILE offset field for wide characters. Now, ftell and fseek handle the offset as expected.
BZ#829222
Prior to this update, the "/etc/rpc" file was not set as a configuration file in the glibc build. As a consequence, updating glibc caused the "/etc/rpc" file to be replaced without warning or creating a back-up copy. This update correctly marks "/etc/rpc" as a configuration file. Now, the existing /etc/rpc file is left in place, and the bundled version can be installed in "/etc/rpc.rpmnew".
BZ#830127
Prior to this update, the vfprintf() function returned the wrong error codes when encountering an overflow. As a consequence, applications which checked return codes from vfprintf() could get unexpected values. This update modifies the error codes for overflow situations.
BZ#832516
Prior to this update, the newlocale flag relied entirely on failure of an underlying open() call to set the errno variable for an incorrect locale name. As a consequence, the newlocale() function did not set the errno variable to an appropriate value when failing if it had already been asked about the same incorrect locale name. This update modifies the logic in the loadlocale call so that repeated attempts to load a non-existent locale always set the errno variable appropriately.
BZ#832694
Prior to this update, the ESTALE error message referred only to NFS file systems. As a consequence, users were confused when non-NFS file systems triggered this error. This update modifies the error message so that it applies to all file systems that can trigger this error.
BZ#835090
Prior to this update, an internal array of name servers was only partially initialized when the /etc/resolv.conf file contained IPv6 name servers. As a consequence, applications could abort, depending on the exact contents of a nearby structure. This update modifies the underlying code to handle IPv6 name servers listed in /etc/resolv.conf.
BZ#837695
Prior to this update, a buffer in the resolver code for glibc was too small to handle results for certain DNS queries. As a consequence, the query had to be repeated after a larger buffer was allocated, which wasted time and network bandwidth. This update enlarges the buffer to handle the larger DNS results.
BZ#837918
Prior to this update, the logic for the functions "exp", "exp2", "pow", "sin", "tan", and "rint" was erroneous. As a consequence, these functions could fail when running them in the non-default rounding mode. With this update, the functions return correct results across all 4 different rounding modes.
BZ#841787
Prior to this update, glibc incorrectly handled the "options rotate" option in the "/etc/resolv.conf" file if this file also contained one or more IPv6 name servers. As a consequence, DNS queries could unexpectedly fail, particularly when multiple queries were issued by a single process. This update modifies the internalization of the listed servers from /etc/resolv.conf into internal structures of glibc, as well as the sorting and rotation of those structures to implement the "options rotate" capability. Now, DNS names are resolved correctly in glibc.
BZ#846342
Prior to this update, certain user-defined 32 bit executables could issue calls to the memcpy() function with overlapping arguments. As a consequence, the applications invoked undefined behavior and could fail. With this update, users with 32 bit applications which call the memcpy() function with overlapping arguments can create the /etc/sysconfig/32bit_ssse3_memcpy_via_32bit_ssse3_memmove file. If this file exists, glibc redirects all calls to the SSSE3 memcpy copiers to the SSSE3 memmove copier, which is tolerant of overlapping arguments.
Note: we strongly encourage customers to identify and fix these problems in their source code. Overlapping arguments to memcpy() is a clear violation of the ANSI/ISO standards and Red Hat does not provide binary compatibility for applications which violate these standards.
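One way to locate and correct the overlapping calls that the note asks customers to fix in source, shown as an added example that is not glibc or Red Hat code. The names regions_overlap(), copy_checked(), copy_overlap_hits() and drop_prefix() are hypothetical, and the sample buffer is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 when [dst, dst+n) and [src, src+n) share at least one byte.
 * The addresses are compared as integers because relational comparison of
 * pointers into unrelated objects is itself undefined in C. */
int regions_overlap(const void *dst, const void *src, size_t n)
{
    uintptr_t d = (uintptr_t)dst;
    uintptr_t s = (uintptr_t)src;

    if (n == 0)
        return 0;
    return d < s ? (s - d) < n : (d - s) < n;
}

/* Number of copy_checked() calls that memcpy() would have made undefined. */
static unsigned long overlap_hits;

/* Audit wrapper: substitute it for memcpy() while hunting the bug. It counts
 * every overlapping call and services that call with memmove(), which is
 * defined for overlapping regions. Disjoint calls still go to memcpy(). */
void *copy_checked(void *dst, const void *src, size_t n)
{
    if (regions_overlap(dst, src, n)) {
        overlap_hits++;
        return memmove(dst, src, n);
    }
    return memcpy(dst, src, n);
}

unsigned long copy_overlap_hits(void)
{
    return overlap_hits;
}

/* A common origin of the defect: discarding the first k bytes of a buffer in
 * place. Source and destination are the same array, so they overlap whenever
 * more than k bytes remain. Returns the new length. */
size_t drop_prefix(char *buf, size_t len, size_t k)
{
    if (k >= len)
        return 0;
    copy_checked(buf, buf + k, len - k);
    return len - k;
}

int main(void)
{
    char buf[16] = "HEADERpayload";          /* constructed sample data */
    size_t n = drop_prefix(buf, 13, 6);

    printf("%.*s (overlapping calls seen: %lu)\n",
           (int)n, buf, copy_overlap_hits());
    return 0;
}
```

Once the counter has pointed out the offending call sites, replace memcpy() with memmove() at those sites and remove the wrapper.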
BZ#847932
Prior to this update, the strtod(), strtof(), and strtold() functions, which convert a string to a numeric representation in glibc, contained multiple integer overflow flaws. These flaws caused stack-based buffer overflows. As a consequence, these functions could cause an application to abort or, under certain circumstances, execute arbitrary code. This update modifies the underlying code to avoid these faults.
BZ#848082
Prior to this update, the setlocale() function failed to detect memory allocation problems. As a consequence, the setlocale() function eventually core dumped, due to NULL pointers or uninitialized strings. This update modifies the setlocale code to ensure that memory allocation succeeded. Now, the setlocale() function no longer core dumps.
BZ#849651
Prior to this update, the expf() function was considerably slowed down when saving and restoring the FPU state. This update adds a hand optimized assembler implementation of the expf() function for Intel 64 and AMD64 platforms. Now, the expf() function is considerably faster.
BZ#852445
Prior to this update, the PowerPC specific pthread_once code did not correctly publish changes it made. As a consequence, the changes were not visible to other threads at the right time. This update adds release barriers to the appropriate thread code to ensure correct synchronization of data between multiple threads.
BZ#861167
This update adds the MADV_DONTDUMP and MADV_DODUMP macros to the mman.h file to compile code that uses these macros.
BZ#863453
Prior to this update, the nscd daemon attempted to free a pointer that was not provided by the malloc() function, due to an error in the memory management in glibc. As a consequence, nscd could terminate unexpectedly, when handling groups with a large number of members. This update ensures that memory allocated by the pool allocator is no longer passed to free. Instead, we allow the pool allocator's garbage collector to reclaim the memory.
BZ#864322
Prior to this update, the IPTOS_CLASS definition referenced the wrong object. As a consequence, applications that referenced the IPTOS_CLASS definition from the ip.h file did not build or failed to operate as expected. This update modifies the definition to reference the right object and applications that reference to the IPTOS_CLASS definition.
Users of glibc are advised to upgrade to these updated packages, which fix these bugs ...

6.68. gnome-desktop

Updated gnome-desktop packages that fix a bug are now available.
The gnome-desktop package contains an internal library (libgnome-desktop) used to implement some portions of the GNOME desktop, and also some data files and other shared components of the GNOME user environment.

Bug Fix

BZ#829891
Previously, when a user hit the system's hot-key (most commonly Fn+F7) to change display configurations, the system could potentially switch to an invalid mode, which would fail to display. With this update, gnome-desktop now selects valid XRandR modes, and switching displays with the hot-key works as expected.
All users of gnome-desktop are advised to upgrade to these updated packages, which fix this bug.

6.69. gnome-packagekit

An updated gnome-packagekit package that fixes four bugs is now available.
gnome-packagekit provides session applications for the PackageKit API.

Bug Fixes

BZ#744980
If a package adds or removes a .repo file while updates are being installed, PackageKit (packagekitd) sends a RepoListChanged() message. If Software Update (/usr/bin/gpk-update-viewer) was being used to install these updates, it responded to the message by attempting to refresh the available updates list. This resulted in the list going blank. As of this update, gpk-update-viewer ignores such signals from packagekitd, leaving the available updates list visible and unchanged.
BZ#744906
When a 64-bit Red Hat Enterprise Linux instance had both 32-bit and 64-bit versions of a package installed, and an update for both packages was available and presented in the Software Update (/usr/bin/gpk-update-viewer) window, the summary and package name appeared for both architectures. Package size and the errata note only presented for the 32-bit version, however. For the 64-bit version, the size column remained blank. And, when the 64-bit version was selected in Software list, the display pane below presented a ‘Loading...’ message rather than the errata note. With this update, gpk-update-viewer seeks out the exact package ID before falling back to the package name, ensuring both package versions are found and associated meta-data displayed when more than one package architecture is installed.
BZ#694793
When an application is installed using the Add/Remove Software interface (/usr/bin/gpk-application), a dialogue box appears immediately post-install offering a Run button. Clicking this button launches the newly-installed program. Previously, under some circumstances, an improperly assigned pointer value meant clicking this Run button caused gpk-application to crash (segfault). With this update, the pointer is correctly assigned and gpk-application no longer crashes when launching a newly-installed application.
BZ#669798
Previously, it was possible for an ordinary user to shut down their system or log out from a session while the PackageKit update tool was running. Depending on the transaction PackageKit was engaged in when the shutdown or logout was initiated, this could damage the RPM database and, consequently, damage the system. With this update, when an ordinary user attempts to shut down or log out while PackageKit is running an update, PackageKit inhibits the process and presents the user with an alert:
A transaction that cannot be interrupted is running.
Note: this update does not prevent a root user (or other user with equivalent administrative privileges) from shutting the system down or logging an ordinary user out of their session.
All PackageKit users should install this update which resolves these issues.

6.70. gnome-screensaver

Updated gnome-screensaver packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The gnome-screensaver packages contain the GNOME project's official screen saver program. The screen saver is designed for improved integration with the GNOME desktop, including themeability, language support, and Human Interface Guidelines (HIG) compliance. It also provides screen-locking and fast user-switching from a locked screen.

Bug Fixes

BZ#648869
Previously, NVIDIA hardware did not support the X Resize and Rotate Extension (xRandR) gamma changes. Consequently, the fade-out function did not work on the NVIDIA hardware. With this update, xRandR gamma support detection code fails on NVIDIA cards, and the XF86VM gamma fade extension is automatically used as a fallback so the fade-out function works as expected.
BZ#744763
Previously, the mouse cursor could be moved to a non-primary monitor so the unlock dialog box did not appear when the user moved the mouse. This bug has been fixed and the mouse cursor can no longer be moved to a non-primary monitor. As a result, the unlock dialog box comes up anytime the user moves the mouse.
BZ#752230
Previously, the shake animation of the unlock dialog box could appear to be very slow. This was because the background was updated every time the window's size allocation changed, and the widget's size allocation consequently changed every frame of the shake animation. The underlying source code has been modified to ensure a reasonable speed of the shake animation.
BZ#759395
When a Mandatory profile was enabled, the "Lock screen when screen saver is active" option in the Screensaver Preferences window was not disabled. This bug could expose the users to a security risk. With this update, the lock-screen option is disabled as expected in the described scenario.
BZ#824752
When using dual screens, moving the mouse did not unlock gnome-screensaver after the initial timeout. The users had to press a key to unlock the screen. The underlying source code has been modified and the user can now unlock gnome-screensaver by moving the mouse.
All users of gnome-screensaver are advised to upgrade to these updated packages, which fix these bugs.

6.71. gnome-settings-daemon

Updated gnome-settings-daemon packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
The gnome-settings-daemon packages contain a daemon to share settings from GNOME with other applications. It also handles global key bindings, as well as a number of desktop-wide settings.

Bug Fixes

BZ#805064
Previously, the LED indicators of some Wacom graphics tablets were not supported in the gnome-settings-daemon package. Consequently, the status LEDs on Wacom tablets would not accurately indicate the current control mode. With this update, LED support has been added to gnome-settings-daemon. As a result, the tablet LEDs now work as expected.
BZ#812363
Previously, using function keys without modifiers (F1, F2, and so on) as keyboard shortcuts for custom actions did not work. With this update, a patch has been added to fix this bug. As a result, gnome-settings-daemon now allows unmodified function keys to be used as keyboard shortcuts for custom actions.
BZ#824757
In certain cases, the gnome-settings-daemon did not properly handle the display configuration settings. Consequently, using the system's hot-key to change the display configuration either did not select a valid XRandR configuration or kept monitors in clone mode. This bug has been fixed and gnome-settings-daemon now selects valid XRandR modes and handles the clone mode as expected.
BZ#826128
Previously, connecting a screen tablet to a computer before activation of the tablet screen caused the input device to be matched with the only available monitor - the computer screen. Consequently, the stylus motions were incorrectly mapped to the computer screen instead of the tablet itself. With this update, a patch has been introduced to detect the tablet screen as soon as it becomes available. As a result, the device is correctly re-matched when the tablet screen is detected.
BZ#839328
Previously, using the shift key within a predefined keyboard shortcut mapped to the tablet's ExpressKey button caused gnome-settings-daemon to crash after pressing ExpressKey. This bug has been fixed, and the shortcuts which use the shift key can now be mapped to ExpressKey without complications.
BZ#853181
Prior to this update, the mouse plug-in in the gnome-settings-daemon package interfered with Wacom devices. Consequently, using ExpressKey on a tablet after hot-plugging generated mouse click events. With this update, the mouse plug-in has been fixed to ignore tablet devices and the interference no longer occurs.
BZ#886922
Previously, on tablets with multiple mode-switch buttons such as the Wacom Cintiq 24HD, all mode-switch buttons would cycle through the different modes. With this update, each different mode-switch button will select the right mode for the given button.
BZ#861890
Due to a bug in the gnome settings daemon, changing the monitor layout led to incorrect tablet mapping. With this update, the graphics tablet mapping is automatically updated when the monitor layout is changed. As a result, the stylus movements are correctly mapped after the layout change and no manual update is needed.

Enhancements

BZ#772728
With this update, several integration improvements for Wacom graphics tablets have been backported from upstream:
- touchscreen devices are now automatically set in absolute mode instead of relative
- memory leaks on tablet hot plug have been fixed
- ExpressKeys no longer fail after the layout rotation
- test applications are now included in the package to help with debugging issues.
BZ#858255
With this update, the touch feature of input devices has been enabled in the default settings of gnome-settings-daemon.
All users of gnome-settings-daemon are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.72. gnome-terminal

Updated gnome-terminal packages that fix one bug are now available for Red Hat Enterprise Linux 6.
Gnome-terminal is a terminal emulator for GNOME. It supports translucent backgrounds, opening multiple terminals in a single window (tabs) and clickable URLs.

Bug Fix

BZ#819796
Prior to this update, gnome-terminal was not completely localized into Assamese. With this update, the Assamese locale has been updated.
All gnome-terminal users are advised to upgrade to these updated packages, which fix this bug.

6.73. gnutls

Updated gnutls packages that fix four bugs are now available for Red Hat Enterprise Linux 6.
The gnutls packages provide the GNU Transport Layer Security (GnuTLS) library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS.

Bug Fixes

BZ#648297
Previously, the gnutls_priority_init.3 man page contained incorrect information on the gnutls-2.8.5-safe-renegotiation patch, particularly on special control keywords. The manual page has been updated to provide accurate information about the described subject.
BZ#745242
Prior to this update, the gnutls_x509_privkey_import() function failed to load private keys in the PKCS#8 format. Consequently, these keys were not processed by applications which use gnutls_x509_privkey_import(). This bug has been fixed, and gnutls_x509_privkey_import() now allows loading of private keys formatted in PKCS#8.
BZ#771378
Multiple bugs were present in the implementation of the TLS-1.2 protocol in the gnutls package. Consequently, gnutls was incompatible with clients and servers conforming to the TLS-1.2 protocol standard. With this update, the TLS-1.2 implementation has been fixed. As a result, the compatibility of gnutls with other TLS-1.2 clients and servers is now assured.
BZ#807746
Previously, the gnutls-cli-debug man page contained typographical errors and incorrect information on the command-line options. The manual page has been updated, and no longer contains the aforementioned errors.
All users of gnutls are advised to upgrade to these updated packages, which fix these bugs.

6.74. graphviz

Updated graphviz packages that fix three bugs are now available for Red Hat Enterprise Linux 6.
Graphviz is open-source graph-visualization software. Graph visualization is a way of representing structural information as diagrams of abstract graphs and networks. It has important applications in networking, bioinformatics, software engineering, database and web design, machine learning, and in visual interfaces for other technical domains.

Bug Fixes

BZ#772637
Previously, the dot tool could generate different images on 32-bit and 64-bit architectures, which could consequently lead to multilib conflicts of packages that use graphviz during their build process. The problem was caused by different instructions used for floating-point processing. On 32-bit Intel architecture, the code is now compiled with the "-ffloat-store" compiler flag, which ensures that identical images are generated regardless of the architecture used.
BZ#821920
The graphviz-tcl package included the "demo" directory, which contained examples in various languages. This caused implicit dependencies to be introduced. With this update, all examples are installed as documentation, which reduces the number of implicit dependencies.
BZ#849134
The "dot -c" command which is run in the %postun scriptlet recreates graphviz configuration files to be up-to-date with the current state of the installed plug-ins. Previously, if the command failed to load plug-ins specified in the configuration files, warning messages were printed when removing the graphviz-gd package. These messages could have been confusing, and have been therefore removed.
All users of graphviz are advised to upgrade to these updated packages, which fix these bugs.

6.75. grub

Updated grub packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
The GRUB utility is a powerful boot loader, which can load a wide variety of operating systems.

Bug Fixes

BZ#783169
When the BIOS was set to Unified Extensible Firmware Interface (UEFI) mode, all legacy option ROMs in the setup were disabled, and the grub.efi utility was loaded, an attempt to access the network with the NET0 protocol was not successful and the "nd" root command did not work. This bug has been fixed and GRUB works correctly in this situation.
BZ#814014
Previously, the GRUB utility did not scan for KVM virtio disks when creating a device map. Consequently, these disks were not added to this map. This bug has been fixed and GRUB now scans for vd* devices located in the /dev/ directory, so virtio disks are added to a device map as expected.
BZ#825054
The GRUB utility did not pass high order address bits for the Extensible Firmware Interface (EFI) memory map and system table high order bits. As a consequence, the EFI system map and memory map did not work correctly on computers with RAM bigger than 4 GB. This bug has been fixed by passing high order address bits, so that grub works properly in the described scenario.
BZ#870420
When symbolic links in the /dev/mapper/ directory were resolved to the original file, this file did not match the proper file entry in the device.map file. Consequently, the grub-install package failed and an error message was returned. With this update, symbolic links in the /dev/mapper/ directory are no longer resolved. As a result, grub-install proceeds as expected.
BZ#876519
Due to an error in the underlying source code, an incorrect attempt to dereference a NULL pointer could previously cause GRUB to terminate unexpectedly. This update corrects the underlying source code to prevent this error so that GRUB no longer crashes.

Enhancements

BZ#642396
This enhancement includes support for IPV6 UEFI 2.3.1 netboot, which was previously missing.
BZ#737732
With this update, users can use the EFI boot partition as a root partition, which can be specified in the grub.conf file. As a consequence, users do not have to specify a particular drive, but can use the one specified in the EFI boot manager.
All users of GRUB are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.76. gstreamer-plugins-base

Updated gstreamer-plugins-base packages that add one enhancement are now available for Red Hat Enterprise Linux 6.
The gstreamer-plugins-base packages provide a collection of base plug-ins for the GStreamer streaming media framework.

Enhancement

BZ#755777
This update adds color-matrix support for color conversions to the ffmpegcolorspace plugin.
All users of gstreamer-plugins-base are advised to upgrade to these updated packages, which add this enhancement.

6.77. gtk2

Updated gtk2 packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
GIMP Toolkit (GTK+) is a multi-platform toolkit for creating graphical user interfaces.

Bug Fixes

BZ#882346
Due to a recent change in the behavior of one of the X.Org Server components, GTK+ applications could not use certain key combinations for key bindings. This update makes GTK+ compatible with the new behavior, which ensures that no regressions occur in applications that use the library.
BZ#889172
Previously, when switching between the "Recently Used" and "Search" tabs in the "Open Files" dialog box, the "Size" column in the view disappeared. This update ensures the column is visible when the relevant option is selected.
Users of GTK+ are advised to upgrade to these updated packages, which fix these bugs.

6.78. gvfs

Updated gvfs packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.
GVFS is the GNOME desktop's virtual file system layer, which allows users to easily access local and remote data, including via the FTP, SFTP, WebDAV, CIFS and SMB protocols, among others. GVFS integrates with the GIO (GNOME I/O) abstraction layer.

Bug Fixes

BZ#599055
Previously, rules for ignoring mounts were too restrictive. If the user clicked on an encrypted volume in the Nautilus sidebar, an error message was displayed and the volume could not be accessed. The underlying source code now contains additional checks so that encrypted volumes have proper mounts associated (if available), and the file system can be browsed as expected.
BZ#669526
Due to a bug in the kernel, a freshly formatted Blu-ray Disk Rewritable (BD-RE) medium contains a single track with invalid data that covers the whole medium. This empty track was previously incorrectly detected, causing the drive to be unusable for certain applications, such as Brasero. This update adds a workaround to detect the empty track, so that freshly formatted BD-RE media are properly recognized as blank.
BZ#682799, BZ#746977, BZ#746978, BZ#749369, BZ#749371, BZ#749372
The code of the gvfs-info, gvfs-open, gvfs-cat, gvfs-ls and gvfs-mount utilities contained hard-coded exit codes. This caused the utilities to always return zero on exit. The exit codes have been revised so that the mentioned gvfs utilities now return proper exit codes.
BZ#746905
When running gvfs-set-attribute with an invalid command-line argument specified, the utility terminated unexpectedly with a segmentation fault. The underlying source code has been modified so that the utility now prints a proper error message when an invalid argument is specified.
BZ#809708
Due to missing object cleanup calls, the gvfsd daemon could use an excessive amount of memory, which caused the system to become unresponsive. Proper object cleanup calls have been added with this update, which ensures that the memory consumption is constant and the system does not hang in this scenario.
All users of gvfs are advised to upgrade to these updated packages, which fix these bugs.

6.79. hivex

Updated hivex packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
Hivex is a library for extracting the contents of Windows Registry "hive" files, which is designed to be secure against corrupted or malicious registry files. Hive files are undocumented binary files.

Bug Fixes

BZ#822741
Previously, the description of the package contained inappropriate text. This update provides a correction of the language used and now, the spec file contains only neutral expressions.
BZ#841924
Certain hive files that had a very large number of child nodes under a single parent node could not be parsed. A patch has been added to allow read-only access to these child nodes.
Users of hivex are advised to upgrade to these updated packages, which fix these bugs.

6.80. hplip

Updated hplip packages that fix several security issues, multiple bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The hplip packages contain the Hewlett-Packard Linux Imaging and Printing Project (HPLIP), which provides drivers for Hewlett-Packard printers and multi-function peripherals.

Security Fix

CVE-2013-0200, CVE-2011-2722
Several temporary file handling flaws were found in HPLIP. A local attacker could use these flaws to perform a symbolic link attack, overwriting arbitrary files accessible to a process using HPLIP.
The CVE-2013-0200 issues were discovered by Tim Waugh of Red Hat.
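
The class of flaw described above, shown as an added example that is not HPLIP code: a fixed temporary file name next to two hardened ways of opening the file. The file names, function names and the sandbox scenario are assumptions constructed for this illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Weak pattern: fixed name in a shared directory. open() follows an
 * existing symbolic link and O_TRUNC empties whatever it points to. */
static int open_fixed_name(const char *dir)
{
    char path[512];
    snprintf(path, sizeof path, "%s/job.out", dir);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened, name must stay fixed: O_EXCL makes open() fail (EEXIST) if
 * anything, including a symbolic link, already exists at the path. */
static int open_fixed_name_excl(const char *dir)
{
    char path[512];
    snprintf(path, sizeof path, "%s/job.out", dir);
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Hardened, name is free: mkstemp() picks an unpredictable name and
 * creates the file exclusively with mode 0600. */
static int open_private_name(const char *dir)
{
    char path[512];
    int fd;
    snprintf(path, sizeof path, "%s/job.XXXXXX", dir);
    fd = mkstemp(path);
    if (fd >= 0)
        unlink(path);   /* scratch data only: drop the name, keep the fd */
    return fd;
}

/* Constructed scenario inside a private sandbox directory: "job.out"
 * already exists as a symbolic link to another file. Returns 1 if that
 * file still holds its content after the opener has been used, 0 if it
 * was overwritten, -1 if the sandbox could not be set up. */
static int target_intact_after(int (*opener)(const char *))
{
    const char *base = getenv("TMPDIR");
    char dir[256], target[512], linkpath[512], buf[32] = "";
    int fd, intact;
    FILE *f;

    snprintf(dir, sizeof dir, "%s/tmpdemo.XXXXXX", base ? base : "/tmp");
    if (!mkdtemp(dir))
        return -1;
    snprintf(target, sizeof target, "%s/important.conf", dir);
    snprintf(linkpath, sizeof linkpath, "%s/job.out", dir);
    f = fopen(target, "w");
    if (!f)
        return -1;
    fputs("keep-me", f);
    fclose(f);
    if (symlink(target, linkpath) != 0)
        return -1;

    fd = opener(dir);               /* the code under test */
    if (fd >= 0) {
        ssize_t n = write(fd, "scratch", 7);
        (void)n;
        close(fd);
    }

    f = fopen(target, "r");
    if (f) {
        if (!fgets(buf, sizeof buf, f))
            buf[0] = '\0';
        fclose(f);
    }
    intact = strcmp(buf, "keep-me") == 0;

    unlink(linkpath);
    unlink(target);
    rmdir(dir);
    return intact;
}

int main(void)
{
    printf("fixed name, no O_EXCL: intact=%d\n",
           target_intact_after(open_fixed_name));
    printf("fixed name, O_EXCL   : intact=%d\n",
           target_intact_after(open_fixed_name_excl));
    printf("mkstemp()            : intact=%d\n",
           target_intact_after(open_private_name));
    return 0;
}
```

The same scenario function can serve as a regression test for any code path that writes scratch files into a shared directory.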

Note

The hplip packages have been upgraded to upstream version 3.12.4, which provides a number of bug fixes and enhancements over the previous version. (BZ#731900)

Bug Fixes

BZ#829453
Previously, the hpijs package required the obsolete cupsddk-drivers package, which was provided by the cups package. Under certain circumstances, this dependency caused hpijs installation to fail. This bug has been fixed and hpijs no longer requires cupsddk-drivers.
BZ#683007
The configuration of the Scanner Access Now Easy (SANE) back end is located in the /etc/sane.d/dll.d/ directory; however, the hp-check utility checked only the /etc/sane.d/dll.conf file. Consequently, hp-check checked for correct installation, but incorrectly reported a problem with the way the SANE back end was installed. With this update, hp-check properly checks for installation problems in both locations as expected.
All users of hplip are advised to upgrade to these updated packages, which fix these issues and add these enhancements.

6.81. hsqldb

Updated hsqldb packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The hsqldb packages provide a relational database management system written in Java. The Hyper Structured Query Language Database (HSQLDB) contains a JDBC driver to support a subset of ANSI-92 SQL.

Bug Fix

BZ#827343
Prior to this update, the hsqldb database did not depend on java packages of version 1:1.6.0 or later. As a consequence, the build-classpath command failed on systems without the java-1.6.0-openjdk package installed and the hsqldb packages could be installed incorrectly. This update adds a requirement for java-1.6.0-openjdk. Now, the installation of hsqldb proceeds correctly as expected.
All users of hsqldb are advised to upgrade to these updated packages, which fix this bug.

6.82. httpd

Updated httpd packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The httpd packages contain the Apache HTTP Server (httpd), which is the namesake project of The Apache Software Foundation.

Security Fixes

CVE-2008-0455, CVE-2012-2687
An input sanitization flaw was found in the mod_negotiation Apache HTTP Server module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews option enabled could use this flaw to conduct cross-site scripting attacks against users visiting the site.
CVE-2012-4557
It was discovered that mod_proxy_ajp, when used in configurations with mod_proxy in load balancer mode, would mark a back-end server as failed when request processing timed out, even when a previous AJP (Apache JServ Protocol) CPing request was responded to by the back-end. A remote attacker able to make a back-end use an excessive amount of time to process a request could cause mod_proxy to not send requests to back-end AJP servers for the retry timeout period or until all back-end servers were marked as failed.

Bug Fixes

BZ#787247
When the Apache module mod_proxy was configured, and a particular back-end URL was reverse proxied into the server two or more times, a spurious warning in the following format was given:
[warn] worker [URL] already used by another worker
The level of this message has been changed from WARNING to INFO as it is not incorrect to proxy more than one URL to the same back-end server.
BZ#822587
The mod_cache module did not handle 206 partial HTTP responses correctly. This resulted in incorrect responses being returned to clients if a cache was configured. With this update, mod_cache no longer caches 206 responses, thus ensuring correct responses are returned.
BZ#829689
If LDAP authentication was used with a Novell eDirectory LDAP server, mod_ldap could return a 500 Internal Server Error response if the LDAP server was temporarily unavailable. This update fixes mod_ldap to retry LDAP requests if the server is unavailable, and the 500 errors will not be returned in this case.
BZ#837086
Previously, mod_proxy_connect performed unnecessary DNS queries when ProxyRemote was configured. Consequently, in configurations with ProxyRemote, mod_proxy_connect could either fail to connect, or be slow to connect to the remote server. This update changes mod_proxy to omit DNS queries if ProxyRemote is configured. As a result, the proxy no longer fails in such configurations.
BZ#837613
When an SSL request failed and the -v 2 option was used, the ApacheBench (ab) benchmarking tool tried to free a certificate twice. Consequently, ab terminated unexpectedly due to a double free() error. The ab tool has been fixed to free certificates only once. As a result, the ab tool no longer crashes in the scenario described.
BZ#848954
Previously, mod_ssl presumed the private key was set after the certificate in SSLProxyMachineCertificateFile. Consequently, httpd terminated unexpectedly if the private key had been set before the certificate in SSLProxyMachineCertificateFile. This update improves mod_ssl to check if the private key is set before the certificate. As a result, mod_ssl no longer crashes in this situation and prints an error message instead.
BZ#853160
Prior to this update, mod_proxy_ajp did not correctly handle a flush message from a Java application server if received before the HTTP response headers had been sent. Consequently, users could receive a truncated response page without the correct HTTP headers. This update fixes mod_proxy_ajp to ignore flush messages before the HTTP response headers have been sent. As a result, truncated responses are no longer sent in the scenario described.
BZ#853348
In a proxy configuration, certain response-line strings were not handled correctly. If a response-line without a description string was received from the origin server, for a non-standard status code, such as the 450 status code, a 500 Internal Server Error would be returned to the client. This bug has been fixed so that the original response line is returned to the client.
BZ#867268
Previously, the value of %{cookie}C in the LogFormat directive's definition matched substrings of cookie. Consequently, a bad cookie could be printed if its name contained a substring of the name defined in LogFormat using the %{cookie}C string. With this update, the code is improved so that cookie names are now matched exactly. As a result, a proper cookie is returned even when there are other cookies with its substring in their name.
BZ#867745
Previously, no check was made to see if the /etc/pki/tls/private/localhost.key file was a valid key prior to running the %post script for the mod_ssl package. Consequently, when /etc/pki/tls/certs/localhost.crt did not exist and localhost.key was present but invalid, upgrading the Apache HTTP Server daemon (httpd) with mod_ssl failed. The %post script has been fixed to test for an existing SSL key. As a result, upgrading httpd with mod_ssl now proceeds as expected.
BZ#868253
Previously, in a reverse proxy configuration, mod_cache did not correctly handle a 304 Not Modified response from the origin server when refreshing a cache entry. Consequently, in some cases an empty page was returned to a client requesting an entity which already existed in the cache. This update fixes handling of 304 Not Modified responses in mod_cache and as a result no empty pages will be displayed in the scenario described.
BZ#868283
Due to a regression, when mod_cache received a non-cacheable 304 response, the headers were served incorrectly. Consequently, compressed data could be returned to the client without the cached headers to indicate the data was compressed. An upstream patch has been applied to merge response and cached headers before data from the cache is served to the client. As a result, cached data is now correctly interpreted by the client.
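
The difference between substring and exact cookie-name matching described in BZ#867268, as an added example that is not httpd's own code. The substring function is a simplified model of the described behaviour; the function names and the sample Cookie headers are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample Cookie header: two cookies whose names overlap. */
static const char SAMPLE_COOKIES[] = "old_session=stale; session=8f2c";

static void copy_value(const char *val, size_t n, char *out, size_t outlen)
{
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, val, n);
    out[n] = '\0';
}

/* Simplified model of substring matching: the first place the configured
 * name occurs anywhere in the header is treated as the cookie. */
static int cookie_by_substring(const char *hdr, const char *name,
                               char *out, size_t outlen)
{
    const char *hit = strstr(hdr, name);
    const char *eq = hit ? strchr(hit, '=') : NULL;
    if (!eq)
        return 0;
    copy_value(eq + 1, strcspn(eq + 1, ";"), out, outlen);
    return 1;
}

/* Exact matching: walk the ';'-separated pairs and compare the complete
 * name in front of '=' with the configured name. */
static int cookie_by_exact_name(const char *hdr, const char *name,
                                char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = hdr;

    while (*p) {
        size_t pair;
        const char *eq;

        while (*p == ' ' || *p == '\t' || *p == ';')
            p++;                            /* skip separators */
        pair = strcspn(p, ";");             /* length of "name=value" */
        eq = memchr(p, '=', pair);
        if (eq && (size_t)(eq - p) == nlen && memcmp(p, name, nlen) == 0) {
            copy_value(eq + 1, pair - nlen - 1, out, outlen);
            return 1;
        }
        p += pair;
    }
    return 0;
}

/* Value a log line would carry for `name`, or "-" when it is absent. */
static const char *logged_cookie(int exact, const char *hdr, const char *name)
{
    static char buf[256];
    int found = exact ? cookie_by_exact_name(hdr, name, buf, sizeof buf)
                      : cookie_by_substring(hdr, name, buf, sizeof buf);
    return found ? buf : "-";
}

int main(void)
{
    printf("substring: %s\n", logged_cookie(0, SAMPLE_COOKIES, "session"));
    printf("exact    : %s\n", logged_cookie(1, SAMPLE_COOKIES, "session"));
    return 0;
}
```

With substring matching the log records the value of a different cookie than the one configured, which matters when access logs are used to correlate sessions during an investigation.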

Enhancements

BZ#748400
The Apache module mod_proxy now allows changing the BalancerMember state in the web interface.
BZ#757735
The rotatelogs program now provides a new rotatelogs -p option to execute a custom program after each log rotation.
BZ#757739
The rotatelogs program now provides a new rotatelogs -c option to create log files for each set interval, even if empty.
BZ#796958
The LDAPReferrals configuration directive has been added, as an alias for the existing LDAPChaseReferrals directive.
BZ#805720
The mod_proxy and mod_ssl modules have been updated to support the concurrent use of the mod_nss (NSS) and mod_ssl (OpenSSL) modules.
BZ#805810
An init script for the htcacheclean daemon has been added.
BZ#824571
The failonstatus parameter has been added for balancer configuration in mod_proxy.
BZ#828896
Previously, mod_authnz_ldap had the ability to set environment variables from received LDAP attributes, but only by LDAP authentication, not by LDAP authorization. Consequently, if the mod_authnz_ldap module was used to enable LDAP for authorization but not authentication, the AUTHORIZE_ environment variables were not populated. This update applies a patch to implement setting of AUTHORIZE_ environment variables using LDAP authorization. As a result, other methods of authentication can be used while using LDAP authorization for setting environment variables for all configured LDAP attributes.
BZ#833064
The %posttrans scriptlet which automatically restarts the httpd service after a package upgrade can now be disabled. If the file /etc/sysconfig/httpd-disable-posttrans exists, the scriptlet will not restart the daemon.
BZ#833092
The output of httpd -S now includes configured alias names for each virtual host.
BZ#838493
The rotatelogs program has been updated to support the -L option to create a hard link from the current log to a specified path.
BZ#842375
New certificate variable names are now exposed by mod_ssl using the _DN_userID suffix, such as SSL_CLIENT_S_DN_userID, which uses the commonly used object identifier (OID) definition of userID, OID 0.9.2342.19200300.100.1.1.
BZ#842376
Chunked Transfer Coding is described in RFC 2616. Previously, the Apache server did not correctly handle a chunked encoded POST request with a chunk-size or chunk-extension value of 32 bytes or more. Consequently, when such a POST request was made the server did not respond. An upstream patch has been applied and the problem no longer occurs.
Users of httpd are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
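
The chunk framing from RFC 2616 that BZ#842376 refers to, as an added example that is not httpd's own parser: a decoder that accepts chunk-size and chunk-extension fields of 32 bytes or more, and returns an explicit error for oversized or overflowing input instead of stalling. The 4096-byte line limit, the function names and the sample body are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CHUNK_LINE 4096   /* assumed policy limit for this example */

enum { CH_INCOMPLETE = -1, CH_MALFORMED = -2, CH_LINE_TOO_LONG = -3 };

/* Constructed request body: a 32-character chunk-extension value on the
 * first chunk and a 33-digit chunk-size (leading zeros) on the second. */
static const char SAMPLE_BODY[] =
    "5;pad=" "xxxxxxxx" "xxxxxxxx" "xxxxxxxx" "xxxxxxxx" "\r\n"
    "hello\r\n"
    "00000000" "00000000" "00000000" "00000000" "6\r\n"
    " world\r\n"
    "0\r\n"
    "\r\n";

static char decoded[256];

static int hex_digit(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse "chunk-size [;chunk-extension] CRLF". On success (0) stores the
 * chunk size and the length of the line including its CRLF. */
static int parse_chunk_line(const char *buf, size_t len,
                            size_t *size, size_t *line_len)
{
    size_t eol = 0, i = 0, value = 0;

    while (eol + 1 < len && !(buf[eol] == '\r' && buf[eol + 1] == '\n'))
        if (++eol > MAX_CHUNK_LINE)
            return CH_LINE_TOO_LONG;
    if (eol + 1 >= len)
        return CH_INCOMPLETE;               /* no CRLF seen yet */

    for (; i < eol && hex_digit((unsigned char)buf[i]) >= 0; i++) {
        if (value > (SIZE_MAX >> 4))
            return CH_MALFORMED;            /* next digit would overflow */
        value = (value << 4) | (size_t)hex_digit((unsigned char)buf[i]);
    }
    if (i == 0)
        return CH_MALFORMED;                /* chunk-size needs 1+ digits */
    while (i < eol && (buf[i] == ' ' || buf[i] == '\t'))
        i++;
    if (i < eol && buf[i] != ';')
        return CH_MALFORMED;                /* only an extension may follow */
    *size = value;
    *line_len = eol + 2;
    return 0;
}

/* Decode a complete chunked body into out. Returns the decoded length or
 * a negative CH_* code. Trailer fields after the last chunk are ignored. */
static long dechunk(const char *in, size_t len, char *out, size_t outcap)
{
    size_t pos = 0, written = 0;

    for (;;) {
        size_t size, line_len;
        int rc = parse_chunk_line(in + pos, len - pos, &size, &line_len);
        if (rc != 0)
            return rc;
        pos += line_len;
        if (size == 0)
            return (long)written;           /* last-chunk */
        if (size > len - pos || len - pos - size < 2)
            return CH_INCOMPLETE;           /* data or its CRLF missing */
        if (size > outcap - written)
            return CH_MALFORMED;            /* would not fit in out */
        memcpy(out + written, in + pos, size);
        written += size;
        pos += size;
        if (in[pos] != '\r' || in[pos + 1] != '\n')
            return CH_MALFORMED;
        pos += 2;
    }
}

int main(void)
{
    long n = dechunk(SAMPLE_BODY, sizeof SAMPLE_BODY - 1,
                     decoded, sizeof decoded);
    printf("decoded %ld bytes: %.*s\n", n, n > 0 ? (int)n : 0, decoded);
    return 0;
}
```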

6.83. hwdata

An updated hwdata package that adds various enhancements is now available for Red Hat Enterprise Linux 6.
The hwdata package contains tools for accessing and displaying hardware identification and configuration data.

Enhancements

BZ#839221
The PCI ID numbers have been updated for the Beta and the Final compose lists.
BZ#739816
Support for NVidia graphic card N14E-Q5, 0x11BC has been added.
BZ#739819
Support for NVidia graphic card N14E-Q3, 0x11BD has been added.
BZ#739821
Support for NVidia graphic card N14E-Q1, 0x11BE has been added.
BZ#739824
Support for NVidia graphic card N14P-Q3, 0x0FFB has been added.
BZ#739825
Support for NVidia graphic card N14P-Q1, 0x0FFC has been added.
BZ#760031
Support for Broadcom BCM943228HM4L 802.11a/b/g/n 2x2 Wi-Fi Adapter has been added.
BZ#830253
Support for Boot from Dell PowerEdge Express Flash PCIe SSD devices has been added.
BZ#841423
Support for the Intel C228 chipset and a future Intel processor based on Socket H3 has been added.
BZ#814114
This update also adds the current hardware USB IDs file from the upstream repository. This file provides support for Broadcom 20702 Bluetooth 4.0 Adapter Softsailing.
All users of hwdata are advised to upgrade to this updated package, which adds these enhancements.

6.84. hwloc

Updated hwloc packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The hwloc package provides Portable Hardware Locality, which is a portable abstraction of the hierarchical topology of current architectures.

Upgrade to an upstream version

The hwloc packages have been upgraded to upstream version 1.5, which provides a number of bug fixes and enhancements over the previous version. (BZ#797576)
Users of hwloc are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.85. icedtea-web

Updated icedtea-web packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations.

Bug Fix

BZ#838084
Previously, the IcedTea-Web plug-in was built against JDK 6, but at runtime it was possible to use it with JDK 7. Consequently, IcedTea-Web sometimes failed to run. With this update, the icedtea-web package is built against JDK 7 and IcedTea-Web uses JDK 7 at runtime, thus preventing this bug. Note that the end of public updates for JDK 6 is scheduled to go into effect in upcoming weeks.
Users of icedtea-web are advised to upgrade to these updated packages, which fix this bug.

6.86. initscripts

An updated initscripts package that fixes several bugs and adds two enhancements is now available for Red Hat Enterprise Linux 6.
The initscripts package contains basic system scripts to boot the system, change runlevels, activate and deactivate most network interfaces, and shut the system down cleanly.

Bug Fixes

BZ#893395
Previously, an ip link command was called before the master device was properly set. Consequently, the slaves could be in the unknown state. This has been fixed by calling ip link for master after the device is installed properly, and all slaves are up. As a result, all slaves are in the expected state and connected to the master device.
BZ#714230
Previously, the naming policy for VLAN names was too strict. Consequently, the ifdown utility failed to work with descriptively-named interfaces. To fix this bug, the name format check has been removed and ifdown now works as expected.
BZ#879243
Prior to this update, there was a typographic error in the /etc/sysconfig/network-scripts/ifup-aliases file, which caused the duplicate check to fail. The typo has been corrected and the check works again.
BZ#885235
The BONDING_OPTS variable was applied by the ifup utility on a slave interface, even if the master was already on and had active slaves. This caused an error message to be returned by ifup. To address this bug, it is now checked whether the master does not have any active slaves before applying BONDING_OPTS, and no error messages are returned.
BZ#880684
Prior to this update, the arping utility, which checks for IP address duplicates in the network, failed when the parent device was not up. Consequently, the failure was handled the same way as finding a second IP address in the network. To fix this bug, the ifup-aliases file now checks whether the master device is up before the duplicate check is run. As a result, no error messages are returned when the parent device is down in the described scenario.
BZ#723936
The rename_device.c file did not correspond with VLAN interfaces, and thus could lead to improperly named physical interfaces. A patch has been provided to address this bug and interfaces are now named predictably and properly.
BZ#856209
When calling the vgchange -a y command instead of vgchange -a ay on the netfs interface by the rc.sysinit daemon, all volumes were activated. This update provides a patch to fix this bug. Now, only the volumes declared to be activated are actually activated. If the list is not declared, all volumes are activated by default.
BZ#820430
Previously, when a slave was attached to a master interface, which did not have a correct mode set, the interface did not work properly and could eventually cause a kernel oops. To fix this bug, the BONDING_OPTS variables are set before the master interface is brought up, which is the correct order of setting.
BZ#862788
If there was a process blocking a file system from unmounting, the /etc/init.d/halt script tried to kill all processes currently using the file system, including the script itself. Consequently, the system became unresponsive during reboot. With this update, shutdown script PIDs are excluded from the kill command, which enables the system to reboot normally.
BZ#874030
When the ifup utility was used to set up a master interface, the BONDING_OPTS variables were not applied. Consequently, bonding mode configuration done through the ifcfg utility had no effect. A patch has been provided to fix this bug. BONDING_OPTS are now applied and bonding mode works in the described scenario.
BZ#824175
If a network bond device had a name that was a substring of another bond device, both devices changed their states due to an incorrect test of the bond device name. A patch has been provided in the regular expression test and bond devices change their states as expected.
BZ#755699
The udev daemon is an event-driven hot-plug agent. Previously, a udev event for serial console availability was emitted only on boot. If runlevels were changed, the process was not restarted, because the event had already been processed. Consequently, the serial console was not restarted when entering and then exiting runlevel 1. With this update, the fedora.serial-console-available event is emitted on the post-stop of the serial console, and the console is now restarted as expected.
BZ#852005
Prior to this update, alias interfaces were not checked for an address that had already been used. Consequently, an already used IP address could be assigned to an alias interface. To fix this bug, a check is now made whether the IP address is already used. If it is, an error message is returned and the IP address is not assigned.
BZ#852176
Previously, the init utility tried to add a bond device even if it already existed. Consequently, a warning message was returned. A patch that checks whether a bond device already exists has been provided and warning messages are no longer returned.
BZ#846140
Prior to this update, the crypttab(5) manual page did not describe handling white spaces in passwords. Now, the manual page has been updated and contains information concerning a password with white spaces.
BZ#870025
The previous crypttab(5) manual page contained a typographic error (crypptab instead of crypttab), which has now been corrected.
BZ#795778
Previously, usage description was missing in the /init/tty.conf and /init/serial.conf files and this information was not returned in error messages. With this update, the information has been added to the aforementioned files and is now returned via an error message.
BZ#669700
Prior to this update, the /dev/shm file system was mounted by the dracut utility without attributes from the /etc/fstab file. To fix this bug, /dev/shm is now remounted by the rc.sysinit script. As a result, /dev/shm now contains the attributes from /etc/fstab.
BZ#713757
The previous version of the sysconfig.txt file instructed users to put the VLAN=yes option in the global configuration file. Consequently, interfaces with names containing a dot were recognized as VLAN interfaces. The sysconfig.txt file has been changed so that the line describing VLAN instructs users to include the VLAN option in the interface configuration file, and the aforementioned devices are no longer recognized as VLAN interfaces.
BZ#869075
The sysconfig.txt file advised users to use the saslauthd -a command instead of saslauthd -v, which caused the command to fail with an error message. In sysconfig.txt, the error in the command has been corrected and the saslauthd utility now returns expected results.
BZ#714250
When the ifup utility initiated VLAN interfaces, the sysctl values were not used. With this update, ifup rereads the sysctl values in the described scenario and VLAN interfaces are configured as expected.

Enhancements

BZ#851370
The brctl daemon is used to connect two Ethernet segments in a protocol-independent way, based on an Ethernet address, rather than an IP address. In order to provide a simple and centralized bridge configuration, bridge options can now be used via BRIDGING_OPTS. As a result, a space-separated list of bridging options for either a bridge device or a port device can be added when the ifup utility is used.
BZ#554392
The updated halt.local file has been enhanced with new variables to reflect the character of call. This change leaves users with better knowledge of how halt.local was called during a halt sequence.
BZ#815431
With this update, it is possible to disable duplicate address detection in order to allow administrators to use direct routing without ARP checks.
Users of initscripts are advised to upgrade to this updated package, which fixes these bugs and adds these enhancements.

6.87. iok

Updated iok packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The iok package contains an Indic on-screen virtual keyboard that supports the Assamese, Bengali, Gujarati, Hindi, Kannada, Marathi, Malayalam, Punjabi, Oriya, Sindhi, Tamil and Telugu languages. Currently, iok works with Inscript and xkb keymaps for Indian languages, and is able to parse and display non-Inscript keymaps as well.

Bug Fixes

BZ#814541, BZ#814548
Previously, when saving a keymap with a specified name, a predefined naming convention was followed and the file name was saved with the "-" prefix without notifying the user. With this update, if the user attempts to save a keymap, a dialog box displaying the required file name format appears.
BZ#819795
This update provides the complete iok translation for all supported locales.
All users of iok are advised to upgrade to these updated packages, which fix these bugs.

6.88. ipa

Updated ipa packages that fix one security issue, several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
Red Hat Identity Management is a centralized authentication, identity management and authorization solution for both traditional and cloud-based enterprise environments. It integrates components of the Red Hat Directory Server, MIT Kerberos, Red Hat Certificate System, NTP, and DNS. It provides web browser and command-line interfaces. Its administration tools allow an administrator to quickly install, set up, and administer a group of domain controllers to meet the authentication and identity management requirements of large-scale Linux and UNIX deployments.

Upgrade to an upstream version

The ipa packages have been upgraded to upstream version 3.0.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#827602)

Security Fix

CVE-2012-4546
It was found that the current default configuration of IPA servers did not publish correct CRLs (Certificate Revocation Lists). The default configuration specifies that every replica is to generate its own CRL; however, this can result in inconsistencies in the CRL contents provided to clients from different Identity Management replicas. More specifically, if a certificate is revoked on one Identity Management replica, it will not show up on another Identity Management replica.

Bug Fixes

BZ#784378
When a master was removed from a replicated environment via the "ipa-replica-manage del" command, the metadata for that master was still contained in the other servers, thus the Directory Server replication plug-in produced warnings about the outdated metadata. Now, the Directory Server CLEANALLRUV task is triggered to handle outdated metadata in the whole replicated Directory Server environment and deleting an Identity Management replica no longer causes problems.
BZ#790515
When the "ipactl" command was used to start Identity Management, it waited only 6 seconds for the Directory Server to start and when the Directory Server did not start in time, the start procedure was aborted. A higher default start up wait value was added. A configurable value, "startup_timeout", can be added to /etc/ipa/default.conf or /etc/ipa/server.conf files when the default value of 120 seconds is not sufficient to start the Directory Server.
BZ#809565
Previously, DNS records could not be renamed and administrators had to re-enter all DNS records under certain names when the name changed. Now, rename operations for DNS records names and the rename option in the Identity Management CLI interface are able to rename a DNS name and all of its records to other names within the same zone.
BZ#811295
Before, when installing Identity Management, there was an option to choose a certificate subject base with a Common Name (CN) as one component. However, it is illegal to have more than one CN attribute in a certificate subject. This caused the Identity Management installation to fail. Now, the CN attribute in a subject base option is no longer allowed, administrators are warned when they choose an incorrect certificate subject base and Identity Management installs properly.
BZ#815837
The Identity Management Certificate Authority component did not accept Directory Manager passwords which were set to a non-ASCII control character, "&" or "\". Use of these characters in passwords caused a malformed XML error and the Identity Management installation failed when such characters were a part of the Directory Manager password. Currently, these characters are not allowed in the Identity Management installer and IdM installs successfully.
BZ#816317
The Identity Management server or client used programs from the policycoreutils package when SELinux was enabled. However, the installers did not check if the package was actually installed. This caused the Identity Management installation to terminate with a python backtrace when SELinux was enabled and the policycoreutils package was not installed on a system. Currently, the Identity Management installers no longer fail when SELinux is enabled and the policycoreutils package is missing, but, instead, ask the administrator to install it first.
BZ#817865
The "ipa" command or Identity Management installers forced a set of address families (IPv4, IPv6) when a network connection was established, instead of letting the system choose the right address family for the new connection. In some cases this caused the connection, command or installer to fail, or the connection to take longer than normal. Automatic address family detection has been implemented and is now respected, with the result that network connections established with an "ipa" command are faster and less vulnerable to errors caused by non-common network settings.
BZ#819629
Identity Management DNS modules used a "pull" model for updating DNS records provisioned to the BIND name server by a bind-dyndb-ldap plug-in. When a DNS zone LDAP entry or DNS records present in the bind-dyndb-ldap cache were changed via the Identity Management CLI or Web UI, the update was not provisioned to the BIND name server until a zone was checked with a periodic poll or the DNS record in the cache expired. Now, persistent search is enabled by default for new Identity Management installations and for running Identity Management server instances. A change to the DNS zone LDAP entry or to the DNS record that is already cached by bind-dyndb-ldap is instantly provisioned to the BIND name server and thus resolvable.
BZ#820003
The default value of the Directory Server in-memory entry cache was configured to a lower value than the size of an administrator's deployment, which caused the Directory Server to underperform. Now, the Identity Management package requires an updated version of the Directory Server, which warns administrators when the in-memory cache is too small and allows administrators to adjust the value to suit the size of their deployment.
BZ#822608
When users were migrated from the remote Directory Server, entries in the Identity Management Directory Server did not have complete Kerberos data needed for Kerberos authentication, even though the users passed the Identity Management password migration page. The migrated Identity Management user was not able to authenticate via Identity Management until the password was manually reset. Currently, the Kerberos authentication data generates properly during the migration process and users can successfully access Identity Management.
BZ#824488
The Identity Management Kerberos data back end did not support an option to control automatic user log-on attributes, which were updated with every authentication. Administrators with large deployments and high numbers of authentication events in their Identity Management realm could not disable these automatic updates to avoid numerous Directory Server modification and replication events. Now, users can utilize options in Identity Management to customize automatic Kerberos authentication attribute updates.
BZ#824490
Previously, Identity Management enforced lowercase letters for all user IDs, which caused some operations, such as password changes, to fail when the user ID was uppercase. Also, the WinSync agreement with Active Directory replicated such user information into the Identity Management database. Currently, the Identity Management WinSync plug-in can convert user names and Kerberos principal user parts to lowercase, and passwords replicated from Active Directory via the WinSync agreement can now be changed.
BZ#826677
When Identity Management replicas were deleted using the "ipa-replica-manage" command, the script did not verify if the deletion would orphan other Identity Management replicas. Users unaware of the Identity Management replication graph structure might accidentally delete a replica forcing them to reinstall the orphaned replicas. Now, the "ipa-replica-manage" command will not allow users to delete a remote replica if such operation would orphan a replica with a replication agreement.
BZ#832243
Identity Management Web UI was not fully compatible with the Microsoft Internet Explorer browser, which caused glitches when working with the Identity Management administration interface. Identity Management Web UI is now compatible with Microsoft Internet Explorer versions 9 or later and glitches no longer occur when working with the Web UI.
BZ#837356
Several attributes in the Identity Management Directory Server that are used to store links to other objects in the directory were not added to the Directory Server Referential Integrity plug-in configuration. When a referred object was deleted or renamed, some links in the affected attribute broke and pointed to an invalid object. This update adds all attributes storing links to other objects to the Referential Integrity plug-in configuration, so that they are updated when the referred object is deleted or renamed.
BZ#839008
The Identity Management Web UI Administrator interface was not enabled for users who were indirect members of administrative roles. These users were not able to perform administrative tasks in the Web UI. Presently, indirect members of administrative roles can use the Web UI Administrator interface and are able to perform administrative tasks within the Identity Management Web UI.
BZ#840657
Normally, Identity Management SSH capabilities allow storage of public user or host SSH keys, but the keys did not accept the OpenSSH-style public key format. This caused Identity Management to estimate public key type based on the public key blob, which could have caused an issue in the future with new public key types. Now, Identity Management stores SSH public keys in extended OpenSSH format and SSH public keys now contain all required parts, making the functionality acceptable in more deployments.
BZ#855278
Previously, the jQuery library used by the Identity Management Web UI raised errors when processing Directory Server records containing certain strings, for example, sudo commands with the "??" string in the name. As a result, the Web UI was unable to show, modify or add such records. With this jQuery library update, Identity Management Web UI no longer reports errors for these strings and processes them normally.
BZ#859968
Firefox 15 and newer versions did not allow signed JavaScript JAR files to gain privilege escalation to change browser configuration. The Identity Management browser auto configuration configured the browser to access Web UI through Kerberos authentication, which affects these versions of Firefox. Now Identity Management is deployed with its own Firefox extension and is able to auto configure and authenticate using Kerberos.
BZ#868956
The Identity Management "dnszone-add" command accepts the "--name-server" option specifying a host name of the primary name server resolving the zone. The option treated every host name as a fully qualified domain name (FQDN), for example, name server "ns.example.com." for zone example.com, even when the name was not an FQDN and was relative to the zone name, such as name server "ns" for zone "example.com.". Consequently, users were not able to specify the name server in the relative name format when using the Identity Management "dnszone-add" command. Now, Identity Management detects the name server format correctly and the "dnszone-add" command can process both relative and fully qualified domain names.
BZ#877324
After upgrading to Red Hat Identity Management 2.2, it was not possible to add SSH public keys in the Web UI. However, SSH public keys could be added on the command line by running the "ipa user-mod user --sshpubkey" command. This update allows SSH public keys to be added in the Web UI normally.
BZ#883484
Previously, the IPA automatic certificate renewal, in some cases, did not function properly and some certificates were not renewed while other certificates with the same "Not After" values were renewed. Certmonger is now updated; users can serialize access to the NSS databases to prevent corruption and do not have to renew and restart all the services at the same time.
BZ#888956
A 389-ds-base variable set during the PKI install, "nsslapd-maxbersize", was not dynamically initialized and a restart was required for it to take effect. This caused installation to fail during the replication phase when building a replica from a PKI-CA master with a large CRL. This update includes an LDIF file (/usr/share/pki/ca/conf/database.ldif) to set the default maxbersize to a larger value and allows PKI-CA replica installs when the CRL exceeds the default maxber value.
BZ#891980
Previously, on new IPA server installations, the root CA certificate was only valid for 8 years and users had to renew the certificate after it expired, which caused some inconvenience. This issue was fixed in Dogtag and this update increases the FreeIPA root CA validity to 20 years.
BZ#894131
The "ipa-replica-install" command sometimes failed to add the idnsSOAserial attribute for a new zone and in some cases, zones were added, but with missing data and did not replicate back to the master. With this update, the idnsSOAserial attribute sets properly and synchronizes across all servers and zones are added correctly.
BZ#894143
The "ipa-replica-prepare" command failed when a reverse zone did not have SOA serial data and reported a traceback error, which was difficult to read, when the problem occurred. Now, the "ipa-replica-prepare" command functions properly and if SOA serial data is missing, returns a more concise error message.
BZ#895298
When either dirsrv or krb5kdc were down, the "service named restart" command in the ipa-upgradeconfig failed during the upgrade of the ipa packages. With this update, the "service named restart" command functions normally and installation no longer fails during upgrades.
BZ#895561
Previously, the IPA install on a server with no IPv4 address failed with a "Can't contact LDAP server" error. With this update, both the server and replica install correctly and error messages no longer occur.
BZ#903758
Users who upgraded from IPA version 2.2 to version 3.0 encountered certmonger errors and the update failed with the error message, "certmonger failed to start tracking certificate." With this update, IPA 2.2 properly upgrades to version 3.0 without any errors.
BZ#905594
Before, users were unable to install the ipa-server-trust-ad package on a 32-bit platform and when doing so received the error message "Unable to read consumer identity." This update provides fixes in the spec file, and the package now installs properly on 32-bit platforms.
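
The orphan check described above for "ipa-replica-manage" can be pictured as a reachability test on the replication graph. The following is an added example, not Identity Management's own code: it assumes replication agreements are bidirectional, treats a replica as orphaned when it can no longer be reached from the local master, and uses constructed host names.

```python
from collections import deque

# Constructed sample topology: each pair is one replication agreement.
AGREEMENTS = [
    ("ipa1.example.com", "ipa2.example.com"),
    ("ipa2.example.com", "ipa3.example.com"),
    ("ipa1.example.com", "ipa4.example.com"),
]


def build_graph(agreements):
    """Turn agreement pairs into an undirected adjacency map."""
    graph = {}
    for left, right in agreements:
        graph.setdefault(left, set()).add(right)
        graph.setdefault(right, set()).add(left)
    return graph


def reachable(graph, start, removed):
    """Breadth-first search from start, pretending `removed` no longer exists."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for peer in graph[node]:
            if peer != removed and peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen


def orphans_if_deleted(agreements, local, target):
    """Replicas that lose every path to `local` once `target` is deleted."""
    graph = build_graph(agreements)
    if local not in graph or target not in graph:
        raise KeyError("unknown replica")
    if local == target:
        raise ValueError("the local replica cannot be the deletion target")
    survivors = set(graph) - {target}
    return sorted(survivors - reachable(graph, local, target))


def safe_to_delete(agreements, local, target):
    """True when deleting `target` leaves every other replica connected."""
    return not orphans_if_deleted(agreements, local, target)


if __name__ == "__main__":
    for target in ("ipa2.example.com", "ipa4.example.com"):
        lost = orphans_if_deleted(AGREEMENTS, "ipa1.example.com", target)
        print(target, "->",
              "would orphan " + ", ".join(lost) if lost else "safe to delete")
```

In the sample topology, ipa3 is connected only through ipa2, so deleting ipa2 is refused until ipa3 has a second agreement.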

Enhancements

BZ#766007
This update introduces SELinux User Mapping rules which can be used in Identity Management in conjunction with HBAC rules to define the users, groups and hosts to which the rules apply.
BZ#766068
Support for SSH public key management has been added to the IPA server, and OpenSSH on IPA clients is automatically configured to use the public keys stored on the IPA server. Now, when a host enrolled in Identity Management connects to another enrolled host, the SSH public key is verified in the central Identity Management storage.
BZ#766179
The Cross Realm Kerberos Trust functionality provided by Identity Management is included as a Technology Preview. This feature allows users to create a trust relationship between an Identity Management and an Active Directory domain. Users from the Active Directory domain can access resources and services from the Identity Management domain with their AD credentials and data does not need to be synchronized between the Identity Management and Active Directory domain controllers.
BZ#767379
An automated solution to configure automount on clients for automount maps configured in the central Identity Management server was added. After an Identity Management client has been configured, administrators may use the provided ipa-client-automount script to configure client hosts to use automount maps configured in the Identity Management server.
BZ#782981
Users using the Identity Management Web UI were previously forced to log in to client machines enrolled in Identity Management in order to update a password that had expired or been reset. With this update, users are able to more conveniently change an expired or reset password from the Web UI itself.
BZ#783166
This update allows the ipa-client-install interface to accept prioritization of IPA servers that clients connect to. Previously, administrators could not configure a prioritized IPA server that SSSD should connect to before connecting to other servers which were potentially returned in a SRV DNS query. Now, when a new option "--fixed-primary" is passed to the "ipa-client-install" command, the discovered or user-provided server is configured as the first value in the ipa_server directive in the "/etc/sssd/sssd.conf" file. Thus, SSSD will always try to connect to this host first.
BZ#783274
This enhancement allows MAC address attributes for host entries in Identity Management and publishes them in the Identity Management NIS server. Users can utilize the "--macaddress" option to configure MAC addresses for an Identity Management host entry and, when NIS is enabled, the MAC address can be read by an ethers map.
BZ#786199
Each ipa command line request previously required full and time-consuming Kerberos authentication, particularly when a series of commands were scripted. This update enhances the command line to take advantage of server-side sessions using a secure cookie, which provides a significant performance improvement due to avoidance of full Kerberos authentication for each ipa command. The session cookie is stored in the session keyring; refer to the keyctl(1) man page for more information about the key management facility.
BZ#798363
This update introduces Web UI and CLI "Create Password Policy" entry labels and specifies measurement units, for example, "seconds" for all configured policy fields. Previously, missing measurement units in the Identity Management Web UI or CLI "Create Password Policy" might have confused some users. Now, all missing measurement units are specified in configured policy fields.
BZ#801931
This update allows administrators to delegate write privileges to a selected zone only. Previously, when administrators wanted to delegate privileges to update the DNS zone to other Identity Management users, they had to allow write access to the entire DNS tree. Now, administrators can use the "dnszone-add-permission" command to create a system permission allowing its assignee to read and write only a selected DNS zone managed by Identity Management.
BZ#804619
Prior to this update, administrators could not configure a slave DNS server because it could not function properly unless an SOA serial number was changed every time a DNS record was changed. With this update, SOA serial numbers are automatically increased when a record in a DNS zone managed by Identity Management is updated. This feature takes advantage of and requires the persistent search data refresh mechanism, which is enabled by default in the Identity Management server install script. Administrators can now configure a slave DNS server for zones managed by Identity Management.
BZ#805233
This update prevents deletion of the last administrator, because administrators could accidentally delete the last user from the Identity Management Administrators group, which could only be repaired with direct LDAP modification by the Directory Manager. Now, Identity Management does not allow administrators to delete or disable the last member in the administrator group and Identity Management always has at least one active administrator.
BZ#813402
This enhancement warns users in the Identity Management Web UI when their password is about to expire. When the Identity Management user password is about to expire in a configurable number of days, the user is notified in the Identity Management Web UI about this and is offered a link to reset the password.
BZ#821448
The Identity Management Firefox browser configuration script now checks if the browser is configured to send Referrer header in HTTP requests for Identity Management. Previously, Firefox browsers which did not have the "network.http.sendRefererHeader" configuration option set to "True" would fail to connect to the Identity Management Web UI, even though they ran the configuration script. Presently, the configuration option is set correctly and the Firefox browser can connect to the Web UI.
BZ#831010
This enhancement allows Identity Management client installer to accept a fixed set of Identity Management servers and circumvent automatic server discovery via DNS SRV records. Some network environments may contain SRV records which are not suitable for Identity Management client and should not be used by the client at all. The "--fixed-primary" option of ipa-client-install can now be used to configure SSSD to not use DNS SRV records to auto-discover Identity Management servers and the client install script now accepts a fixed list of Identity Management servers which is then passed to SSSD.
BZ#835643
This update introduces an auto-renew of Identity Management Subsystem Certificates. The default validity period for a new Certificate Authority is 10 years and the CA issues a number of certificates for its subsystems (OCSP, audit log, and others). Subsystem certificates are normally valid for two years and if the certificates expire, the CA does not start up or does not function properly. Therefore, in Red Hat Enterprise Linux 6.4, Identity Management servers are capable of automatically renewing their subsystem certificates and the subsystem certificates are tracked by certmonger, which automatically attempts to renew the certificates before they expire.
Users of ipa are advised to upgrade to these updated packages, which address this security issue, fix these bugs and add these enhancements.
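
The SSH key entries above (BZ#840657 and BZ#766068) turn on the difference between a bare key blob, whose type has to be read out of the blob, and a full OpenSSH public key line that states the type explicitly. The following added example, which is not Identity Management's code, parses both forms and rejects a line whose declared type disagrees with the type embedded in the blob; the sample blob is constructed and is not a usable key, and option prefixes are not handled.

```python
import base64
import binascii
import struct


def _wire_string(data):
    """Encode bytes as an SSH wire string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed sample: the layout of an ssh-rsa blob with filler values.
SAMPLE_BLOB = (_wire_string(b"ssh-rsa")
               + _wire_string(b"\x01\x00\x01")
               + _wire_string(b"\x00" + b"\xc3" * 32))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
# Constructed bad input: the length field promises 7 bytes, only 3 follow.
TRUNCATED_B64 = base64.b64encode(b"\x00\x00\x00\x07ssh").decode("ascii")


def read_string(buf, offset=0):
    """Read one length-prefixed string, refusing lengths that overrun buf."""
    if len(buf) < offset + 4:
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", buf, offset)
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("string runs past the end of the blob")
    return buf[offset + 4:end], end


def blob_key_type(blob):
    """Return the key type name stored as the first string of the blob."""
    raw, _ = read_string(blob)
    name = raw.decode("ascii")  # UnicodeDecodeError is a ValueError
    if not name or not name.isprintable() or " " in name:
        raise ValueError("embedded key type is not a plain name")
    return name


def parse_pubkey(text):
    """Accept 'type base64 [comment]' or a bare base64 blob."""
    fields = text.strip().split(None, 2)
    if not fields:
        raise ValueError("empty key")
    if len(fields) == 1:
        declared, b64, comment = None, fields[0], ""
    else:
        declared, b64 = fields[0], fields[1]
        comment = fields[2] if len(fields) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("key data is not valid base64") from exc
    embedded = blob_key_type(blob)
    if declared is not None and declared != embedded:
        raise ValueError(
            "declared type %r does not match blob type %r" % (declared, embedded))
    line = " ".join(part for part in (embedded, b64, comment) if part)
    return {"type": embedded, "blob": blob, "comment": comment, "line": line}


if __name__ == "__main__":
    print(parse_pubkey(SAMPLE_B64)["line"][:40], "...")
    print(parse_pubkey("ssh-rsa " + SAMPLE_B64 + " alice@example.com")["comment"])
```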

6.89. iproute

Updated iproute packages that fix one bug and add one enhancement are now available for Red Hat Enterprise Linux 6.
The iproute packages contain networking utilities (ip and rtmon, for example) which are designed to use the advanced networking capabilities of the Linux kernel.

Bug Fix

BZ#811219
Invoking the socket stat utility, ss, with the "-ul" arguments did not list open UDP sockets. Consequently, users could not list open or listening UDP sockets. A patch has been applied to the ss utility to list UDP sockets and now the utility correctly reports all open UDP sockets.

Enhancement

BZ#821106
The iproute packages were distributed without the libnetlink library for accessing the netlink service. Consequently, it was not possible for users to utilize the libnetlink library features. The libnetlink library is now included in the newly introduced "iproute-devel" subpackage. As a result, users can now utilize libnetlink features.
All users of iproute are advised to upgrade to these updated packages, which fix this bug and add this enhancement.

6.90. iprutils

An updated iprutils package that fixes several bugs and adds various enhancements is now available for Red Hat Enterprise Linux 6.
The iprutils package provides utilities to manage and configure SCSI devices that are supported by the IBM Power RAID SCSI storage device driver.

Upgrade to an upstream version

The iprutils package has been upgraded to upstream version 2.3.12, which provides a number of bug fixes and enhancements over the previous version and adds support for the suspend/resume utility for IBM BlueHawk. (BZ#822648, BZ#860532, BZ#829761)

Bug Fixes

BZ#826907
Previously, showing disk details caused the iprconfig utility, which is used to configure Hardware RAID devices, to terminate unexpectedly. Now, disk details are shown properly and iprconfig no longer crashes.
BZ#830982
Previously, in some situations, iprconfig failed to change the IOA asymmetric access mode if the saved mode in the configuration file located in the "/etc/ipr/" directory was different than the current mode. With this update, iprconfig sets the mode correctly and a warning message is returned when this inconsistency is detected.
BZ#869751
Previously, iprutils showed the wrong disk platform location within the system location string when the "iprconfig -c show-details sgx" command was used. Now, the platform location for the hard disk is combined with the location of "secured easy setup" (SES) and the physical location slot number which prevents this error from occurring.
Users of iprutils are advised to upgrade to this updated package, which fixes these bugs.

6.91. iptables

Updated iptables packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
The iptables utility controls the network packet filtering code in the Linux kernel.

Bug Fixes

BZ#800208
The sysctl values for certain netfilter kernel modules, such as nf_conntrack and xt_conntrack, were not restored after a firewall restart. Consequently, the firewall did not always perform as expected after a restart. This update allows iptables to load sysctl settings on start if specified by the user in the /etc/sysctl.conf file. Users can now define sysctl settings to load on start and restart.
BZ#809108
The iptables(8) and ip6tables(8) man pages were previously missing information about the AUDIT target module, which allows creating audit records of the packet flow. This update adds the missing description of the audit support to these man pages.
BZ#821441
The iptables and ip6tables commands did not correctly handle calculation of the maximum length of iptables chains. Consequently, when assigning a firewall rule to an iptables chain with a name longer than 28 characters, the iptables or ip6tables command terminated with a buffer overflow and the rule was not assigned. This update corrects the related code so that iptables and ip6tables now handle names of iptable chains correctly and a firewall rule is assigned in the described scenario as expected.
BZ#836286
The iptables init script calls the /sbin/restorecon binary when saving firewall rules, so the iptables packages depend on the policycoreutils packages. However, the iptables packages previously did not require the policycoreutils packages as a dependency. Consequently, the "/etc/init.d/iptables save" command failed if the policycoreutils packages were not installed on the system. This update modifies the iptables spec file to require the policycoreutils packages as its prerequisite and thus prevents this problem from occurring.

Enhancements

BZ#747068
The iptables packages have been modified to support the update-alternatives mechanism to allow easier delivery of new iptables versions for the MRG Realtime kernel.
BZ#808272
Fallback mode has been added for the iptables and ip6tables services. A fallback firewall configuration can be stored in the /etc/sysconfig/iptables.fallback and /etc/sysconfig/ip6tables.fallback files in the iptables-save file format. The firewall rules from the fallback file are used if the service fails to apply the firewall rules from the /etc/sysconfig/iptables file (or the /etc/sysconfig/ip6tables file in case of ip6tables).
All users of iptables are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
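
A fallback rule set is only useful if it loads when the primary one has failed, so it is worth checking a candidate for /etc/sysconfig/iptables.fallback before relying on it. The following added example, which is not part of the iptables packages, checks a subset of the iptables-save format (table headers, chain declarations, "-A"/"-I" rules, COMMIT) and flags chain names longer than the 28 characters mentioned in BZ#821441; the rule sets are constructed samples.

```python
MAX_CHAIN_NAME = 28  # limit quoted in the chain-name bug fix above

# Constructed sample of a minimal, well-formed fallback rule set.
GOOD = """\
# constructed sample fallback
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed sample with an over-long chain name, a rule on an
# undeclared chain, and no COMMIT.
BAD = """\
*filter
:INPUT DROP [0:0]
:LOG_AND_DROP_INBOUND_MANAGEMENT - [0:0]
-A INPUT -p tcp --dport 22 -j LOG_AND_DROP_INBOUND_MANAGEMENT
-A SSH_IN -j ACCEPT
"""


def check_ruleset(text):
    """Return a list of (line number, problem) for an iptables-save style file."""
    problems = []
    table = None      # name of the table currently open, if any
    chains = set()    # chains declared in the open table
    saw_table = False
    lineno = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and "]" in line:
            # Drop a leading [packets:bytes] counter field.
            line = line.split("]", 1)[1].strip()
        if line.startswith("*"):
            if table is not None:
                problems.append((lineno, "table %s is missing COMMIT" % table))
            table, chains, saw_table = line[1:], set(), True
        elif line == "COMMIT":
            if table is None:
                problems.append((lineno, "COMMIT without an open table"))
            table = None
        elif table is None:
            problems.append((lineno, "chain or rule outside a table"))
        elif line.startswith(":"):
            parts = line[1:].split()
            if len(parts) < 2:
                problems.append((lineno, "chain declaration without a policy"))
                continue
            if len(parts[0]) > MAX_CHAIN_NAME:
                problems.append((lineno, "chain name %s is longer than %d characters"
                                 % (parts[0], MAX_CHAIN_NAME)))
            chains.add(parts[0])
        elif line.startswith(("-A ", "-I ")):
            chain = line.split()[1]
            if chain not in chains:
                problems.append((lineno, "rule uses undeclared chain %s" % chain))
        else:
            problems.append((lineno, "unrecognised line"))
    if table is not None:
        problems.append((lineno, "table %s is missing COMMIT" % table))
    if not saw_table:
        problems.append((lineno, "no table found"))
    return problems


def usable_fallback(text):
    """True when the rule set passes every check above."""
    return not check_ruleset(text)


if __name__ == "__main__":
    for number, problem in check_ruleset(BAD):
        print("line %d: %s" % (number, problem))
```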

6.92. irqbalance

Updated irqbalance packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The irqbalance packages provide a daemon that evenly distributes interrupt request (IRQ) load across multiple CPUs for enhanced performance.

Upgrade to an upstream version

The irqbalance packages have been upgraded to upstream version 1.0.4, which provides a number of bug fixes and enhancements over the previous version. Among other changes, the irqbalance daemon has been enhanced to support multiple MSI-X interrupts for PCI devices, which significantly boosts speed of devices producing high-rate interrupts, such as network cards. Also, the irqbalance logic has been modified to consider PCI bus topology when making IRQ mapping decisions. (BZ#789946)

Bug Fixes

BZ#813078
The irqbalance(1) man page did not contain documentation for the IRQBALANCE_BANNED_CPUS environment variable. This update adds extensive documentation to this man page.
BZ#843379
The irqbalance daemon assigns each interrupt source in the system to a "class", which represents the type of the device (for example Networking, Storage or Media). Previously, irqbalance used the IRQ handler names from the /proc/interrupts file to decide the source class, which caused irqbalance to not recognize network interrupts correctly. As a consequence, systems that use NIC biosdevnames did not have their hardware interrupts distributed and pinned as expected. With this update, the device classification mechanism has been improved, which ensures a better interrupts distribution.
BZ#860627
Previously, the irqbalance init script started the irqbalance daemon with the "--foreground" option, which caused irqbalance to become unresponsive. With this update, the "--foreground" option has been removed from the init script and irqbalance now starts as expected.
All users of irqbalance are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.93. irssi

Updated irssi packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
Irssi is a modular IRC client with Perl scripting. Only the text-mode front end is currently supported.

Bug Fix

BZ#639258
Prior to this update, when the user attempted to use the "/unload" command to unload a static module, Irssi incorrectly marked this module as unavailable, rendering the user unable to load this module again without restarting the client. This update adapts the underlying source code to ensure that only dynamic modules can be unloaded.
BZ#845047
The previous version of the irssi(1) manual page documented "--usage" as a valid command line option. This was incorrect, because Irssi no longer supports this option and an attempt to use it causes it to fail with an error. With this update, the manual page has been corrected and no longer documents unsupported command line options.
All users of irssi are advised to upgrade to these updated packages, which fix these bugs.

6.94. iscsi-initiator-utils

Updated iscsi-initiator-utils packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The iscsi-initiator-utils packages provide the server daemon for the Internet Small Computer System Interface (iSCSI) protocol, as well as the utility programs used to manage it. iSCSI is a protocol for distributed disk access using SCSI commands sent over Internet Protocol (IP) networks.

Upgrade to an upstream version

The iSCSI user-space driver, iscsiuio, has been upgraded to upstream version 0.7.6.1, which provides a number of bug fixes and enhancements over the previous version, in particular VLAN and routing support. (BZ#826300)

Bug Fixes

BZ#811428
The "iscsiadm --version" command was missing the main version number, the leading "6.". This update corrects the version number value and "iscsiadm --version" now shows the main version number correctly.
BZ#854776
For some bnx2i cards, the network interface must be active for the iSCSI interface to report a valid MAC address. This sometimes led to a failure to connect to an iSCSI target and, consequently, iSCSI root setups failing to boot. This update changes iscsistart to put the network interface associated with the iSCSI context into an active state. As a result, iSCSI boot with bnx2i cards now works correctly.
BZ#868305
Due to a regression in the iscsiuio 0.7.4.3 update, iSCSI discovery and login failed on certain hardware. This has been corrected as part of the iscsiuio 0.7.6.1 update. As a result, iSCSI is functional again.
All users of iscsi-initiator-utils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.95. jss

Updated jss packages that fix one bug and add one enhancement are now available for Red Hat Enterprise Linux 6.
Java Security Services (JSS) provides an interface between Java Virtual Machine and Network Security Services (NSS). It supports most of the security standards and encryption technologies supported by NSS including communication through SSL/TLS network protocols. JSS is primarily utilized by the Certificate Server.

Bug Fix

BZ#797352
Previously, some JSS calls to certain NSS functions were to be replaced with calls to the JCA interface. The original JSS calls were therefore deprecated and as such caused warnings to be reported during refactoring. However, the deprecated calls have not been fully replaced with their JCA-based implementation in JSS 4.2. With this update, the calls are no longer deprecated and the warnings no longer occur.

Enhancement

BZ#804838
This update adds support for Elliptic Curve Cryptography (ECC) key archival in JSS. It provides new methods, such as getCurve(), Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid() and getECCurveBytesByX509PublicKeyBytes().
All users of jss are advised to upgrade to these updated packages, which fix this bug and add this enhancement.

6.96. kabi-whitelists

Updated kabi-whitelists packages that add various enhancements are now available for Red Hat Enterprise Linux 6.
The kabi-whitelists packages contain reference files documenting interfaces provided by the Red Hat Enterprise Linux 6 kernel that are considered to be stable by Red Hat engineering, and safe for long-term use by third-party loadable device drivers, as well as for other purposes.

Enhancements

BZ#826795
The "blk_queue_physical_block_size", "close_bdev_exclusive", "filemap_fdatawrite_range", "get_sb_nodev", "kill_anon_super", "open_bdev_exclusive", "jiffies_to_timespec", "kernel_getsockopt", "kernel_setsockopt", "radix_tree_delete", "pagevec_lookup", "recalc_sigpending", "path_put", and "simple_write_end" symbols have been added to the kernel application binary interface (ABI) whitelists.
BZ#831247
The "unlock_rename", "vfs_rename", "path_put", "default_llseek", "d_find_alias", "d_invalidate", "file_fsync", "strspn", "vfs_writev", "path_get", "nobh_truncate_page", "nobh_write_begin", "nobh_write_end", "nobh_writepage", "____pagevec_lru_add", "add_to_page_cache_locked", and "filemap_flush" symbols have been added to the kernel ABI whitelists.
BZ#902825
The "__generic_file_aio_write", "blk_queue_resize_tags", and "blk_queue_segment_boundary" symbols have been added to the kernel ABI whitelists.
BZ#849732
The following symbols have been added to the kernel ABI whitelists: "__alloc_pages", "__bitmap_weight", "__down_failed", "__free_pages", "__init_rwsem", "__init_waitqueue_head", "__kmalloc", "__memcpy", "__put_cred", "__raw_local_save_flags", "__stack_chk_fail", "__tasklet_schedule", "__tracepoint_kmalloc", "__up_wakeup", "__vmalloc", "__wake_up", "_cond_resched", "_spin_lock", "_spin_lock_irqsave", "_spin_unlock_irqrestore", "add_disk", "alloc_disk", "alloc_pages_current", "allow_signal", "autoremove_wake_function", "bio_endio", "bio_init", "bio_put", "blk_alloc_queue", "blk_cleanup_queue", "blk_queue_hardsect_size", "blk_queue_logical_block_size", "blk_queue_make_request", "blkdev_put", "complete", "complete_and_exit", "cond_resched", "contig_page_data", "copy_from_user", "copy_to_user", "cpu_present_map", "cpu_present_mask", "create_proc_entry", "daemonize", "del_gendisk", "do_gettimeofday", "down", "down_read", "down_read_trylock", "down_write", "down_write_trylock", "dump_stack", "filp_close", "filp_open", "finish_wait", "get_user_pages", "init_waitqueue_head", "jiffies", "jiffies_to_msecs", "jiffies_to_timeval", "kernel_thread", "kfree", "kmem_cache_alloc", "kmem_cache_alloc_notrace", "kmem_cache_create", "kmem_cache_destroy", "kmem_cache_free", "malloc_sizes", "mcount", "mem_map", "mem_section", "memcpy", "memset", "mod_timer", "msecs_to_jiffies", "msleep", "msleep_interruptible", "open_by_devnum", "override_creds", "panic", "per_cpu__current_task", "per_cpu__kernel_stack", "prepare_creds", "prepare_to_wait", "printk", "proc_mkdir", "put_disk", "put_page", "pv_irq_ops", "register_blkdev", "remove_proc_entry", "revert_creds", "schedule", "schedule_timeout", "send_sig", "set_user_nice", "sigprocmask", "slab_buffer_size", "snprintf", "sprintf", "strchr", "strcpy", "strncmp", "strncpy", "strnicmp", "strspn", "strstr", "submit_bio", "tasklet_init", "unregister_blkdev", "up", "up_read", "up_write", "vfree", "vfs_writev", "vscnprintf", and "wait_for_completion".
BZ#864893
The following symbols have been added to the kernel ABI whitelists: "blkdev_get", "send_sig_info", "__task_pid_nr_ns", "register_shrinker", "set_page_dirty_lock", "current_umask", "balance_dirty_pages_ratelimited_nr", "dentry_open", "generic_file_llseek_unlocked", "posix_acl_alloc", "posix_acl_from_xattr", "posix_acl_to_xattr", "posix_acl_valid", "read_cache_pages", "cancel_dirty_page", "clear_page", "grab_cache_page_nowait", "inode_init_always", "memparse", "put_unused_fd", "radix_tree_tag_set", "congestion_wait", "shrink_dcache_sb", "fd_install", "blk_make_request", "lookup_bdev", "__register_binfmt", "unregister_binfmt", "vm_stat", "kill_pid", and "kobject_get".
BZ#869353
A kernel checker tool (KSC) has been added to the kabi-whitelists packages.
Users of kabi-whitelists are advised to upgrade to these updated packages, which add these enhancements.

6.97. kdebase

Updated kdebase packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The K Desktop Environment (KDE) is a graphical desktop environment for the X Window System. The kdebase packages include core applications for KDE.

Bug Fixes

BZ#608007
Prior to this update, the Konsole context menu item "Show menu bar" was always checked in new windows even if this menu item was disabled before. This update modifies the underlying code to handle the menu item "Show menu bar" as expected.
BZ#729307
Prior to this update, users could not define a default size for xterm windows when using the Konsole terminal in KDE. This update modifies the underlying code and adds the functionality to define a default size.
All users of kdebase are advised to upgrade to these updated packages, which fix these bugs.

6.98. kdebase-workspace

Updated kdebase-workspace packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The kdebase-workspace packages contain utilities for basic operations with the desktop environment. The utilities allow users, for example, to change system settings, resize and rotate X screens or set panels and widgets on the workspace.

Bug Fix

BZ#749460
Prior to this update, the task manager did not honor the order of manually arranged items. As a consequence, manually arranged taskbar entries were randomly rearranged when the user switched desktops. This update modifies the underlying code to make manually arranged items more persistent.
All users of kdebase-workspace are advised to upgrade to these updated packages, which fix this bug.

6.99. kdelibs3

Updated kdelibs3 packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The kdelibs3 packages provide libraries for the K Desktop Environment (KDE).

Bug Fixes

BZ#681901
Prior to this update, the kdelibs3 libraries caused a conflict for the subversion version control tool. As a consequence, subversion was not correctly built if the kdelibs3 libraries were installed. This update modifies the underlying code to avoid this conflict. Now, subversion builds as expected with kdelibs3.
BZ#734447
kdelibs3 provided its own set of trusted Certificate Authority (CA) certificates. This update makes kdelibs3 use the system set from the ca-certificates package, instead of its own copy.
All users of kdelibs3 are advised to upgrade to these updated packages, which fix these bugs.

6.100. kdelibs

Updated kdelibs packages that fix various bugs are now available for Red Hat Enterprise Linux 6.
The kdelibs packages provide libraries for the K Desktop Environment (KDE).

Bug Fixes

BZ#587016
Prior to this update, the KDE Print dialog did not remember previous settings, nor did it allow the user to save the settings. Consequent to this, when printing several documents, users were forced to manually change settings for each printed document. With this update, the KDE Print dialog retains previous settings as expected.
BZ#682611
When the system was configured to use the Traditional Chinese language (the zh_TW locale), Konqueror incorrectly used a Chinese (zh_CN) version of its splash page. This update ensures that Konqueror uses the correct locale.
BZ#734734
Previously, clicking the system tray to display hidden icons could cause the Plasma Workspaces to consume an excessive amount of CPU time. This update applies a patch that fixes this error.
BZ#754161
When using Konqueror to recursively copy files and directories, if one of the subdirectories was not accessible, no warning or error message was reported to the user. This update ensures that Konqueror displays a proper warning message in this scenario.
BZ#826114
Prior to this update, an attempt to add "Terminal Emulator" to the Main Toolbar caused Konqueror to terminate unexpectedly with a segmentation fault. With this update, the underlying source code has been corrected to prevent this error so that users can now use this functionality as expected.
All users of kdelibs are advised to upgrade to these updated packages, which fix these bugs.
Updated kdelibs packages that fix two security issues are now available for Red Hat Enterprise Linux 6 FasTrack.
The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links associated with each description below.
The kdelibs packages provide libraries for the K Desktop Environment (KDE). Konqueror is a web browser.
CVE-2012-4512
A heap-based buffer overflow flaw was found in the way the CSS (Cascading Style Sheets) parser in kdelibs parsed the location of the source for font faces. A web page containing malicious content could cause an application using kdelibs (such as Konqueror) to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
CVE-2012-4513
A heap-based buffer over-read flaw was found in the way kdelibs calculated canvas dimensions for large images. A web page containing malicious content could cause an application using kdelibs to crash or disclose portions of its memory.
Users should upgrade to these updated packages, which contain backported patches to correct these issues. The desktop must be restarted (log out, then log back in) for this update to take effect.

6.101. kdepim

Updated kdepim packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The KDE Personal Information Management (kdepim) suite helps to organize your mail, tasks, appointments, and contacts.

Bug Fix

BZ#811125
Prior to this update, the cyrus-sasl-plain package was not a dependency of the kdepim package. As a consequence, Kmail failed to send mail. This update modifies the underlying code to include the cyrus-sasl-plain dependency.
All users of kdepim are advised to upgrade to these updated packages, which fix this bug.

6.102. kernel

Updated kernel packages that fix two security issues, address several hundred bugs and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 6. This is the fourth regular update.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fixes

CVE-2012-4508, Important
A race condition was found in the way asynchronous I/O and fallocate() interacted when using the ext4 file system. A local, unprivileged user could use this flaw to expose random data from an extent whose data blocks have not yet been written, and thus contain data from a deleted file.
CVE-2013-0311, Important
A flaw was found in the way the vhost kernel module handled descriptors that spanned multiple regions. A privileged guest user in a KVM guest could use this flaw to crash the host or, potentially, escalate their privileges on the host.
CVE-2012-4542, Moderate
It was found that the default SCSI command filter does not accommodate commands that overlap across device classes. A privileged guest user could potentially use this flaw to write arbitrary data to a LUN that is passed-through as read-only.
CVE-2013-0190, Moderate
A flaw was found in the way the xen_failsafe_callback() function in the Linux kernel handled the failed iret (interrupt return) instruction notification from the Xen hypervisor. An unprivileged user in a 32-bit para-virtualized guest could use this flaw to crash the guest.
CVE-2013-0309, Moderate
A flaw was found in the way pmd_present() interacted with PROT_NONE memory ranges when transparent hugepages were in use. A local, unprivileged user could use this flaw to crash the system.
CVE-2013-0310, Moderate
A flaw was found in the way CIPSO (Common IP Security Option) IP options were validated when set from user mode. A local user able to set CIPSO IP options on the socket could use this flaw to crash the system.
Red Hat would like to thank Theodore Ts'o for reporting CVE-2012-4508, and Andrew Cooper of Citrix for reporting CVE-2013-0190. Upstream acknowledges Dmitry Monakhov as the original reporter of CVE-2012-4508. The CVE-2012-4542 issue was discovered by Paolo Bonzini of Red Hat.

Bug Fixes

BZ#807385
Suspending a system (mode S3) running on an HP Z1 All-in-one Workstation with an internal Embedded DisplayPort (eDP) panel and an external DisplayPort (DP) monitor, and subsequently waking up the system, caused the backlight of the eDP panel to not be re-enabled. To fix this issue, the code that handles suspending in the i915 module has been modified to write the BLC_PWM_CPU_CTL parameter using the I915_WRITE function after writing the BLC_PWM_CPU_CTL2 parameter.
BZ#891839
Prior to this update, when a VLAN device was set up on a qlge interface, running the TCP Stream Performance test using the netperf utility to test TCP/IPv6 traffic caused the kernel to produce warning messages that impacted the overall performance. This was due to an unsupported feature (NETIF_F_IPV6_CSUM) which was enabled via the NETIF_F_TSO6 flag. This update removes the NETIF_F_TSO6 flag from qlge code and TCP/IPv6 traffic performance is no longer impacted.
BZ#876912
The isci driver copied the result of a "Register Device to Host" frame into the wrong buffer causing the SATA DOWNLOAD MICROCODE command to fail, preventing the download of hard drive firmware. This bug in the frame handler routine caused a timeout, resulting in a reset. With this update, the underlying source code has been modified to address this issue, and the isci driver successfully completes SATA DOWNLOAD MICROCODE commands as expected.
BZ#813677
In the xHCI code, due to a descriptor that incorrectly pointed at the USB 3.0 register instead of USB 2.0 registers, kernel panic could occur when more USB 2.0 registers were available than USB 3.0 registers. This update fixes the descriptor to point at the USB 2.0 registers, and kernel panic no longer occurs in the aforementioned case.
BZ#879509
When the "perf script --gen-script" command was called with a perf.data file which contained no tracepoint events, the command terminated unexpectedly with a segmentation fault due to a NULL "pevent" pointer. With this update, the underlying source code has been modified to address this issue, and the aforementioned command no longer crashes.
BZ#885030
Running the mq_notify/5-1 test case from the Open POSIX test suite resulted in corrupted memory, later followed by various kernel crash/BUG messages. This update addresses the mq_send/receive memory corruption issue in the inter-process communication code, and the aforementioned test case no longer fails.
BZ#841983
Bond masters and slaves now have separate VLAN groups. As such, if a slave device incurred a network event that resulted in a failover, the VLAN device could process this event erroneously. With this update, when a VLAN is attached to a master device, it ignores events generated by slave devices so that the VLANs do not go down until the bond master does.
BZ#836748
Previously in the kernel, when the leap second hrtimer was started, it was possible that the kernel livelocked on the xtime_lock variable. This update fixes the problem by using a mixture of separate subsystem locks (timekeeping and ntp) and removing the xtime_lock variable, thus avoiding the livelock scenarios that could occur in the kernel.
BZ#836803
After the leap second was inserted, applications calling system calls that used futexes consumed almost 100% of available CPU time. This occurred because the kernel's timekeeping structure update did not properly update these futexes. The futexes repeatedly expired, re-armed, and then expired immediately again. This update fixes the problem by properly updating the futex expiration times by calling the clock_was_set_delayed() function, an interrupt-safe method of the clock_was_set() function.
BZ#822691
When the Fibre Channel (FC) layer sets a device to "running", the layer also scans for other new devices. Previously, there was a race condition between these two operations. Consequently, for certain targets, thousands of invalid devices were created by the SCSI layer and the udev service. This update ensures that the FC layer always sets a device to "online" before scanning for others, thus fixing this bug.
BZ#852847
If there are no active threads using a semaphore, blocked threads should be unblocked. Previously, the R/W semaphore code looked for a semaphore counter as a whole to reach zero - which is incorrect because at least one thread is usually queued on the semaphore and the counter is marked to reflect this. As a consequence, the system could become unresponsive when an application used direct I/O on the XFS file system. With this update, only the count of active semaphores is checked, thus preventing the hang in this scenario.
BZ#861164
When performing PCI device assignment on AMD systems, a virtual machine using the assigned device could fail to boot because the device had failed the assignment and was left in an unusable state. This was due to an improper range check that omitted the last PCI device in a PCI subsystem or tree. The check has been fixed to include the full range of PCI devices in a PCI subsystem or tree. This bug fix avoids boot failures of a virtual machine when the last device in a PCI subsystem is assigned to a virtual machine on an AMD host system.
BZ#859533
The mlx4 driver must program the mlx4 card so that it is able to resolve which MAC addresses to listen to, including multicast addresses. Therefore, the mlx4 card keeps a list of trusted MAC addresses. The driver used to perform updates to this list on the card by emptying the entire list and then programming in all of the addresses. Thus, whenever a user added or removed a multicast address or put the card into or out of promiscuous mode, the card's entire address list was re-written. This introduced a race condition, which resulted in a packet loss if a packet came in on an address the card should be listening to, but had not yet been reprogrammed to listen to. With this update, the driver no longer rewrites the entire list of trusted MAC addresses on the card but maintains a list of addresses that are currently programmed into the card. On address addition, only the new address is added to the end of the list, and on removal, only the to-be-removed address is removed from the list. The mlx4 card no longer experiences the described race condition and packets are no longer dropped in this scenario.
BZ#858850
Filesystem in Userspace (FUSE) did not implement scatter-gather direct I/O optimally. Consequently, the kernel had to process an extensive number of FUSE requests, which had a negative impact on system performance. This update applies a set of patches which improves internal request management for other features, such as readahead. FUSE direct I/O overhead has been significantly reduced to minimize negative effects on system performance.
BZ#865637
A previous kernel update introduced a bug that caused RAID0 and linear arrays larger than 4 TB to be truncated to 4 TB when using 0.90 metadata. The underlying source code has been modified so that 0.90 RAID0 and linear arrays larger than 4 TB are no longer truncated in the md RAID layer.
BZ#865682
A larger command descriptor block (CDB) is allocated for devices using Data Integrity Field (DIF) type 2 protection. The CDB was being freed in the sd_done() function, which resulted in a kernel panic if the command had to be retried in certain error recovery cases. With this update, the larger CDB is now freed in the sd_unprep_fn() function instead. This prevents the kernel panic from occurring.
BZ#857518
Previously, a use-after-free bug in the usbhid code caused a NULL pointer dereference. Consequent kernel memory corruption resulted in a kernel panic and could cause data loss. This update adds a NULL check to avoid these problems.
BZ#856325
A race condition could occur between page table sharing and virtual memory area (VMA) teardown. As a consequence, multiple "bad pmd" message warnings were displayed and "kernel BUG at mm/filemap.c:129" was reported while shutting down applications that share memory segments backed by huge pages. With this update, the VM_MAYSHARE flag is explicitly cleaned during the unmap_hugepage_range() call under the i_mmap_lock. This makes VMA ineligible for sharing and avoids the race condition. After using shared segments backed by huge pages, applications like databases and caches shut down correctly, with no crash.
BZ#855984
When I/O is issued through blk_execute_rq(), the blk_execute_rq_nowait() routine is called to perform various tasks. At first, the routine checks for a dead queue. Previously, however, if a dead queue was detected, the blk_execute_rq_nowait() function did not invoke the done() callback function. This resulted in blk_execute_rq() being unresponsive when waiting for completion, which had never been issued. To avoid such hangs, the rq->end_io pointer is initialized to the done() callback before the queue state is verified.
BZ#855759
The Stream Control Transmission Protocol (SCTP) IPv6 source address selection logic did not take the preferred source address into consideration. With this update, the source address is chosen from the routing table by taking this aspect into consideration. This brings the SCTP source address selection on par with IPv4.
BZ#855139
Under certain circumstances, a system crash could result in data loss on XFS file systems. If files were created immediately before the file system was left to idle for a long period of time and then the system crashed, those files could appear as zero-length once the file system was remounted. This occurred even if a sync or fsync was run on the files. This was because XFS was not correctly idling the journal, and therefore it incorrectly replayed the inode allocation transactions upon mounting after the system crash, which zeroed the file size. This problem has been fixed by re-instating the periodic journal idling logic to ensure that all metadata is flushed within 30 seconds of modification, and the journal is updated to prevent incorrect recovery operations from occurring.
BZ#854376
Mellanox hardware keeps a separate list of Ethernet hardware addresses it listens to depending on whether the Ethernet hardware address is unicast or multicast. Previously, the mlx4 driver was incorrectly adding multicast addresses to the unicast list. This caused unstable behavior in terms of whether or not the hardware would have actually listened to the addresses requested. This update fixes the problem by always putting multicast addresses on the multicast list and vice versa.
BZ#854140
Previously, the kernel had no way to distinguish between a device I/O failure due to a transport problem and a failure as a result of command timeout expiration. I/O errors always resulted in a device being set offline, and the device had to be brought online manually even though the I/O failure occurred due to a transport problem. With this update, the SCSI driver has been modified and a new SDEV_TRANSPORT_OFFLINE state has been added to help distinguish transport problems from other I/O failure causes. Transport errors are now handled differently and storage devices can now recover from these failures without user intervention.
BZ#854053
In a previous release of Red Hat Enterprise Linux, the new Mellanox packet steering architecture had been intentionally left out of the Red Hat kernel. With Red Hat Enterprise Linux 6.4, the new Mellanox packet steering architecture was merged into the Red Hat Mellanox driver. One merge detail was missing, and as a result, the multicast promiscuous flag on an interface was not checked during an interface reset to see if the flag was on prior to the reset and should be re-enabled after the reset. This update fixes the problem, so if an adapter is reset and the multicast promiscuous flag was set prior to the reset, the flag is now still set after the reset.
BZ#854052
On dual port Mellanox hardware, the mlx4 driver was adding promiscuous mode to the correct port, but when attempting to remove promiscuous mode from a port, it always tried to remove it from port one. It was therefore impossible to remove promiscuous mode from the second port, and promiscuous mode was incorrectly removed from port one even if it was not intended. With this update, the driver now properly attempts to remove promiscuous mode from port two when needed.
BZ#853007
The kernel provided by the Red Hat Enterprise Linux 6.3 release included an unintentional kernel ABI (kABI) breakage with regards to the "contig_page_data" symbol. Unfortunately, this breakage did not cause the checksums to change. As a result, drivers using this symbol could silently corrupt memory on the kernel. This update reverts the previous behavior.
BZ#852148
In case of a regular CPU hot plug event, the kernel does not keep the original cpuset configuration and can reallocate running tasks to active CPUs. Previously, the kernel treated switching between suspend and resume modes as a regular CPU hot plug event, which could have a significant negative impact on system performance in certain environments such as SMP KVM virtualization. When resuming an SMP KVM guest from suspend mode, the libvirtd daemon and all its child processes were pinned to a single CPU (the boot CPU) so that all VMs used only the single CPU. This update applies a set of patches which ensure that the kernel does not modify cpusets during suspend and resume operations. The system is now resumed in the exact state before suspending without any performance decrease.
BZ#851118
Prior to this update, it was not possible to set IPv6 source addresses in routes as it was possible with IPv4. With this update, users can select the preferred source address for a specific IPv6 route with the "src" option of the "ip -6 route" command.
BZ#849702
Previously, when a server attempted to shut down a socket, the svc_tcp_sendto() function set the XPT_CLOSE variable if the entire reply failed to be transmitted. However, before XPT_CLOSE could be acted upon, other threads could send further replies before the socket was really shut down. Consequently, data corruption could occur in the RPC record marker. With this update, send operations on a closed socket are stopped immediately, thus preventing this bug.
BZ#849188
The usb_device_read() routine used the bus->root_hub pointer to determine whether or not the root hub was registered. However, this test was invalid because the pointer was set before the root hub was registered and remained set even after the root hub was unregistered and deallocated. As a result, the usb_device_read() routine accessed freed memory, causing a kernel panic; for example, on USB device removal. With this update, the hcs->rh_registered flag - which is set and cleared at the appropriate times - is used in the test, and the kernel panic no longer occurs in this scenario.
BZ#894344
BE family hardware could falsely indicate an unrecoverable error (UE) on certain platforms and stop further access to be2net-based network interface cards (NICs). A patch has been applied to disable the code that stops further access to hardware for BE family network interface cards (NICs). For a real UE, it is not necessary as the corresponding hardware block is not accessible in this situation.
BZ#847838
Previously, a race condition existed whereby device open could race with device removal (for example when hot-removing a storage device), potentially leading to a kernel panic. This was due to a use-after-free error in the block device open patch, which has been corrected by not referencing the "disk" pointer after it has been passed to the module_put() function.
BZ#869750
The hugetlbfs file system implementation was missing a proper lock protection of enqueued huge pages at the gather_surplus_pages() function. Consequently, the hstate.hugepages_freelist list became corrupted, which caused a kernel panic. This update adjusts the code so that the used spinlock protection now assures atomicity and safety of enqueued huge pages when handling hstate.hugepages_freelist. The kernel no longer panics in this scenario.
BZ#847310
An unnecessary check for the RXCW.CW bit could cause the Intel e1000e NIC (Network Interface Controller) to not work properly. The check has been removed so that the Intel e1000e NIC now works as expected.
BZ#846585
If a mirror or redirection action is configured to cause packets to go to another device, the classifier holds a reference count. However, it was previously assuming that the administrator cleaned up all redirections before removing. Packets were therefore dropped if the mirrored device was not present, and connectivity to the host could be lost. To prevent such problems, a notifier and cleanup are now run during the unregister action. Packets are not dropped if a mirrored device is not present.
BZ#846419
Previously, the MultiTech MT9234MU USB serial device was not supported by version 0.9 of the ti_usb_3410_5052 kernel module. With this update, the MultiTech MT9234MU USB serial device is supported by this version.
BZ#846024
Previously, the I/O watchdog feature was disabled when Intel Enhanced Host Controller Interface (EHCI) devices were detected. This could cause incorrect detection of USB devices upon addition or removal. Also, in some cases, even though such devices were detected properly, they were non-functional. The I/O watchdog feature can now be enabled on the kernel command line, which improves hardware detection on underlying systems.
BZ#845347
A kernel panic could occur when using the be2net driver. This was because the Bottom Half (BH) was enabled even if the Interrupt ReQuest (IRQ) was already disabled. With this update, the BH is disabled in callers of the be_process_mcc() function and the kernel no longer crashes in this scenario. Note that, in certain cases, it is possible to experience the network card being unresponsive after installing this update. A future update will correct this problem.
BZ#844814
This issue affects O_DSYNC performance on GFS2 when only data (and not metadata such as file size) has been dirtied as the result of a write system call. Prior to this patch, O_DSYNC writes were behaving in the same way as O_SYNC for all cases. After this patch, O_DSYNC writes will only write back data, if the inode's metadata is not dirty. This gives a considerable performance improvement for this specific case. Note that the issue does not affect data integrity. The same issue also applies to the pairing of write and fdatasync calls.
BZ#844531
Previously, a cgroup or its hierarchy could only be modified under the cgroup_mutex master lock. This introduced a locking dependency on cred_guard_mutex from cgroup_mutex and completed a circular dependency, which involved cgroup_mutex, namespace_sem and workqueue, and led to a deadlock. As a consequence, many processes were unresponsive, and the system could be eventually unusable. This update introduces a new mutex, cgroup_root_mutex, which protects cgroup root modifications and is now used by mount options readers instead of the master lock. This breaks the circular dependency and avoids the deadlock.
BZ#843771
On architectures with the 64-bit cputime_t type, it was possible to trigger the "divide by zero" error, namely, on long-lived processes. A patch has been applied to address this problem, and the "divide by zero" error no longer occurs under these circumstances.
BZ#843541
The kernel allows high priority real time tasks, such as tasks scheduled with the SCHED_FIFO policy, to be throttled. Previously, the CPU stop tasks were scheduled as high priority real time tasks and could be thus throttled accordingly. However, the replenishment timer, which is responsible for clearing a throttle flag on tasks, could be pending on the just disabled CPU. This could lead to a situation that the throttled tasks were never scheduled to run. Consequently, if any of such tasks was needed to complete the CPU disabling, the system became unresponsive. This update introduces a new scheduler class, which gives a task the highest possible system priority and such a task cannot be throttled. The stop-task scheduling class is now used for the CPU stop tasks, and the system shutdown completes as expected in the scenario described.
BZ#843163
The previous implementation of socket buffers (SKBs) allocation for a NIC was node-aware, that is, memory was allocated on the node closest to the NIC. This increased performance of the system because all DMA transfer was handled locally. This was a good solution for networks with a lower frame transmitting rate where CPUs of the local node handled all the traffic of the single NIC well. However, when using 10Gb Ethernet devices, CPUs of one node usually do not handle all the traffic of a single NIC efficiently enough. Therefore, system performance was poor even though the DMA transfer was handled by the node local to the NIC. This update modifies the kernel to allow SKBs to be allocated on a node that runs applications receiving the traffic. This ensures that the NIC's traffic is handled by as many CPUs as needed, and since SKBs are accessed very frequently after allocation, the kernel can now operate much more efficiently even though the DMA can be transferred cross-node.
BZ#872813
Bug 768304 introduced a deadlock on the super block umount mutex. Consequently, when two processes attempted to mount an NFS file system at the same time they would block. This was because of a backport mistake with one of the patches of bug 768304, which resulted in an imbalance between the mutex acquires and releases. Rather than just fix the imbalance, an upstream patch that the problem patch depended on was identified and backported so that the kernel code then matched the upstream code. The deadlock no longer occurs in this scenario.
BZ#842881
A kernel oops could occur due to a NULL pointer dereference upon USB device removal. The NULL pointer dereference has been fixed and the kernel no longer crashes in this scenario.
BZ#842435
When an NFSv4 client received a read delegation, a race between the OPEN and DELEGRETURN operation could occur. If the DELEGRETURN operation was processed first, the NFSv4 client treated the delegation returned by the following OPEN as a new delegation. Also, the NFSv4 client did not correctly handle errors caused by requests that used a bad or revoked delegation state ID. As a result, applications running on the client could receive spurious EIO errors. This update applies a series of patches that fix the NFSv4 code so an NFSv4 client recovers correctly in the described situations instead of returning errors to applications.
BZ#842312
Due to a missing return statement, the nfs_attr_use_mounted_on_file() function returned a wrong value. As a consequence, redundant ESTALE errors could potentially be returned. This update adds the proper return statement to nfs_attr_use_mounted_on_file(), thus preventing this bug. Note that this bug only affects NFSv4 file systems.
BZ#841987
Previously, soft interrupt requests (IRQs) under the bond_alb_xmit() function were locked even when the function contained soft IRQs that were disabled. This could cause a system to become unresponsive or terminate unexpectedly. With this update, such IRQs are no longer disabled, and the system no longer hangs or crashes in this scenario.
BZ#873949
Previously, the IP over Infiniband (IPoIB) driver maintained state information about neighbors on the network by attaching it to the core network's neighbor structure. However, due to a race condition between the freeing of the core network neighbor struct and the freeing of the IPoIB network struct, a use after free condition could happen, resulting in either a kernel oops or 4 or 8 bytes of kernel memory being zeroed when it was not supposed to be. These patches decouple the IPoIB neighbor struct from the core networking stack's neighbor struct so that there is no race between the freeing of one and the freeing of the other.
BZ#874322
Previously, XFS could, under certain circumstances, incorrectly read metadata from the journal during XFS log recovery. As a consequence, XFS log recovery terminated with an error message and prevented the file system from being mounted. This problem could result in a loss of data if the user forcibly "zeroed" the log to allow the file system to be mounted. This update ensures that metadata is read correctly from the log so that journal recovery completes successfully and the file system mounts as expected.
BZ#748827
If a dirty GFS2 inode was being deleted but was in use by another node, its metadata was not written out before GFS2 checked for dirty buffers in the gfs2_ail_flush() function. GFS2 was relying on the inode_go_sync() function to write out the metadata when the other node tried to free the file. However, this never happened because GFS2 failed the error check. With this update, the inode is written out before calling the gfs2_ail_flush() function. If a process has the PF_MEMALLOC flag set, it does not start a new transaction to update the access time when it writes out the inode. The inode is marked as dirty to make sure that the access time is updated later unless the inode is being freed.
BZ#839973
A USB Human Interface Device (HID) can be disconnected at any time. If this happened right before or while the hiddev_ioctl() call was in progress, hiddev_ioctl() attempted to access the invalid hiddev->hid pointer. When the HID device was disconnected, the hiddev_disconnect() function called the hid_device_release() function, which frees the hid_device structure type, but did not set the hiddev->hid pointer to NULL. If the deallocated memory region was re-used by the kernel, a kernel panic or memory corruption could occur. The hiddev->exist flag is now checked while holding the existancelock and hid_device is used only if such a device exists. As a result, the kernel no longer crashes in this scenario.
BZ#839311
The CONFIG_CFG80211_WEXT configuration option previously defined in the KConfig of the ipw2200 driver was removed with a recent update. This led to a build failure of the driver. The driver no longer depends on the CONFIG_CFG80211_WEXT option, so it can build successfully.
BZ#875036
The mmap_rnd() function is expected to return a value in the [0x00000000 .. 0x000FF000] range on 32-bit x86 systems. This behavior is used to randomize the base load address of shared libraries by a bug fix resolving the CVE-2012-1568 issue. However, due to a signedness bug, the mmap_rnd() function could return values outside of the intended scope. Consequently, the shared libraries base address could be less than one megabyte. This could cause binaries that use the MAP_FIXED mappings in the first megabyte of the process address space (typically, programs using vm86 functionality) to work incorrectly. This update modifies the mmap_rnd() function to no longer cast values returned by the get_random_int() function to the long data type. The aforementioned binaries now work correctly in this scenario.
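The signedness bug described in BZ#875036, modelled in user-space C as an added example (not the kernel source or Red Hat's patch). Assumptions: `int32_t`/`uint32_t` stand in for the 32-bit kernel's `long`/`unsigned long`, the random value is passed in as a parameter instead of coming from get_random_int(), the cast is applied before the modulo reduction, and the names mmap_rnd_buggy(), mmap_rnd_fixed(), in_expected_range() and count_out_of_range() are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12   /* 4 KiB pages on x86 */
#define RND_BITS   8    /* 2^8 page slots -> 0x00000000 .. 0x000FF000 */
#define RND_MAX    ((uint32_t)((1u << RND_BITS) - 1) << PAGE_SHIFT)

/* Model of the flawed computation: the random value is cast to a signed
 * 32-bit "long" before the modulo. Inputs with the top bit set become
 * negative, and C's % keeps the sign of the dividend. */
static uint32_t mmap_rnd_buggy(uint32_t random)
{
    int32_t as_long = (int32_t)random;        /* the cast the fix removes */
    int32_t rem = as_long % (1 << RND_BITS);  /* range -255 .. 255 */
    uint32_t rnd = (uint32_t)rem;             /* negative wraps to 0xFFFFFFxx */
    return rnd << PAGE_SHIFT;
}

/* Model of the corrected computation: stay unsigned throughout. */
static uint32_t mmap_rnd_fixed(uint32_t random)
{
    uint32_t rnd = random % (1u << RND_BITS); /* range 0 .. 255 */
    return rnd << PAGE_SHIFT;
}

/* The documented contract: a page-aligned offset no larger than 0x000FF000. */
static int in_expected_range(uint32_t offset)
{
    return offset <= RND_MAX && (offset & ((1u << PAGE_SHIFT) - 1)) == 0;
}

/* Count how many inputs make fn() violate the contract. */
static unsigned count_out_of_range(uint32_t (*fn)(uint32_t),
                                   const uint32_t *in, unsigned n)
{
    unsigned bad = 0;
    for (unsigned i = 0; i < n; i++)
        if (!in_expected_range(fn(in[i])))
            bad++;
    return bad;
}

/* Constructed sample inputs covering both halves of the 32-bit range. */
static const uint32_t SAMPLES[] = {
    0x00000000u, 0x7FFFFFFFu, 0x80000000u,
    0x80000001u, 0xFFFFFFFFu, 0xDEADBEEFu,
};
#define N_SAMPLES (sizeof(SAMPLES) / sizeof(SAMPLES[0]))

int main(void)
{
    for (unsigned i = 0; i < N_SAMPLES; i++) {
        uint32_t b = mmap_rnd_buggy(SAMPLES[i]);
        uint32_t f = mmap_rnd_fixed(SAMPLES[i]);
        printf("random=0x%08X buggy=0x%08X (%s) fixed=0x%08X (%s)\n",
               (unsigned)SAMPLES[i],
               (unsigned)b, in_expected_range(b) ? "ok" : "OUT OF RANGE",
               (unsigned)f, in_expected_range(f) ? "ok" : "OUT OF RANGE");
    }
    printf("out of range: buggy=%u fixed=%u\n",
           count_out_of_range(mmap_rnd_buggy, SAMPLES, N_SAMPLES),
           count_out_of_range(mmap_rnd_fixed, SAMPLES, N_SAMPLES));
    return 0;
}
```

In this model, any random value with the top bit set and non-zero low eight bits produces an offset outside the documented range.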
BZ#837607
Due to an error in the dm-mirror driver, when using LVM mirrors on disks with discard support (typically SSD disks), repairing such disks caused the system to terminate unexpectedly. The error in the driver has been fixed and repairing disks with discard support is now successful.
BZ#837230
During the update of the be2net driver between the Red Hat Enterprise Linux 6.1 and 6.2, the NETIF_F_GRO flag was incorrectly removed, and the GRO (Generic Receive Offload) feature was therefore disabled by default. In OpenVZ kernels based on Red Hat Enterprise Linux 6.2, this led to a significant traffic decrease. To prevent this problem, the NETIF_F_GRO flag has been included in the underlying source code.
BZ#875091
Previously, the HP Smart Array driver (hpsa) used the target reset functionality. However, HP Smart Array logical drives do not support the target reset functionality. Therefore, if the target reset failed, the logical drive was taken offline with a file system error. The hpsa driver has been updated to use the LUN reset functionality instead of target reset, which is supported by these drives.
BZ#765665
A possible race between the n_tty_read() and reset_buffer_flags() functions could result in a NULL pointer dereference in the n_tty_read() function under certain circumstances. As a consequence, a kernel panic could have been triggered when interrupting a current task on a serial console. This update modifies the tty driver to use a spin lock to prevent the functions from accessing the variables in parallel. A NULL pointer dereference causing a kernel panic can no longer occur in this scenario.
BZ#769045
Traffic to the NFS server could trigger a kernel oops in the svc_tcp_clear_pages() function. The source code has been modified, and the kernel oops no longer occurs in this scenario.
BZ#836164
Previously, reference counting was imbalanced in the slave add and remove paths for bonding. If a network interface controller (NIC) did not support the NETIF_F_HW_VLAN_FILTER flag, the bond_add_vlans_on_slave() and bond_del_vlans_on_slave() functions did not work properly, which could lead to a kernel panic if the VLAN module was removed while running. The underlying source code for adding and removing a slave and a VLAN has been revised and now also contains a common path, so that kernel crashes no longer occur in the described scenario.
BZ#834764
The bonding method for adding VLAN Identifiers (VIDs) did not always add the VID to a slave VLAN group. When the NETIF_F_HW_VLAN_FILTER flag was not set on a slave, the bonding module could not add new VIDs to it. This could cause networking problems and the system to be unreachable even if NIC messages did not indicate any problems. This update changes the bond VID add path to always add a new VID to the slaves (if the VID does not exist). This ensures that networking problems no longer occur in this scenario.
BZ#783322
Previously, after a crash, preparing to switch to the kdump kernel could in rare cases race with IRQ migration, causing a deadlock of the ioapic_lock variable. As a consequence, kdump became unresponsive. The race condition has been fixed, and switching to kdump no longer causes hangs in this scenario.
BZ#834038
Previously, futex operations on read-only (RO) memory maps did not work correctly. This broke workloads that had one or more reader processes performing the FUTEX_WAIT operation on a futex within a read-only shared file mapping and a writer process that had a writable mapping performing the FUTEX_WAKE operation. With this update, the FUTEX_WAKE operation is performed with a RO MAP_PRIVATE mapping, and is successfully awakened if another process updates the region of the underlying mapped file.
BZ#833098
When a device was registered to a bus, a race condition could occur between the device being added to the list of devices of the bus and binding the device to a driver. As a result, the device could already be bound to a driver which led to a warning and incorrect reference counting, and consequently to a kernel panic on device removal. To avoid the race condition, this update adds a check to identify an already bound device.
BZ#832135
Sometimes, the crypto allocation code could become unresponsive for 60 seconds or multiples thereof due to an incorrect notification mechanism. This could cause applications, like openswan, to become unresponsive. The notification mechanism has been improved to avoid such hangs.
BZ#832009
When a device is added to the system at runtime, the AMD IOMMU driver initializes the necessary data structures to handle translation for it. Previously, however, the per-device dma_ops structure types were not changed to point to the AMD IOMMU driver, so mapping was not performed and direct memory access (DMA) ended with the IO_PAGE_FAULT message. This consequently led to networking problems. With this update, the structure types point correctly to the AMD IOMMU driver, and networking works as expected when the AMD IOMMU driver is used.
BZ#830716
It is possible to receive data on multiple transports. Previously, however, data could be selectively acknowledged (SACKed) on a transport that had never received any data. This was against the SHOULD requirement in section 6.4 of the RFC 2960 standard. To comply with this standard, bundling of SACK operations is restricted to only those transports which have moved the ctsn of the association forward since the last SACK. As a result, only outbound SACKs on a transport that has received a chunk since the last SACK are bundled.
BZ#830209
On ext4 file systems, when fallocate() failed to allocate blocks due to the ENOSPC condition (no space left on device) for a file larger than 4 GB, the size of the file became corrupted and, consequently, caused file system corruption. This was due to a missing cast operator in the "ext4_fallocate()" function. With this update, the underlying source code has been modified to address this issue, and file system corruption no longer occurs.
BZ#829739
Previously, on Fibre Channel hosts using the QLogic QLA2xxx driver, users could encounter error messages and long I/O outages during fabric faults. This was because the number of outstanding requests was hard-coded. With this update, the number of outstanding requests the driver keeps track of is based on the available resources instead of being hard-coded, which avoids the aforementioned problems.
BZ#829211
Previously introduced firmware files required for new Realtek chipsets contained an invalid prefix ("rtl_nic_") in the file names, for example "/lib/firmware/rtl_nic/rtl_nic_rtl8168d-1.fw". This update corrects these file names. For example, the aforementioned file is now correctly named "/lib/firmware/rtl_nic/rtl8168d-1.fw".
BZ#829149
Due to insufficient handling of a dead Input/Output Controller (IOC), the mpt2sas driver could fail Enhanced I/O Error Handling (EEH) recovery for certain PCI bus failures on 64-bit IBM PowerPC machines. With this update, when a dead IOC is detected, the EEH recovery routine has more time to resolve the failure and the controller in a non-operational state is removed.
BZ#828271
USB Request Blocks (URBs) coming from user space were not allowed to have transfer buffers larger than an arbitrary maximum. This could lead to various problems; for example, attempting to redirect certain USB mass-storage devices could fail. To avoid such problems, programs are now allowed to submit URBs of any size; if there is not sufficient contiguous memory available, the submission fails with an ENOMEM error. In addition, to prevent programs from submitting a lot of small URBs and so using all the DMA-able kernel memory, this update also replaces the old limits on individual transfer buffers with a single global limit of 16MB on the total amount of memory in use by USB file system (usbfs).
BZ#828065
A race condition could occur due to an incorrect locking scheme in the code for software RAID. Consequently, this could cause the mkfs utility to become unresponsive when creating an ext4 file system on software RAID5. This update introduces a locking scheme in the handle_stripe() function, which ensures that the race condition no longer occurs.
BZ#826375
Previously, using the e1000e driver could lead to a kernel panic. This was caused by a NULL pointer dereference that occurred if the adapter was being closed and reset simultaneously. The source code of the driver has been modified to address this problem, and the kernel no longer crashes in this scenario.
BZ#878204
When a new rpc_task is created, the code takes a reference to rpc_cred and sets the task->tk_cred pointer to it. After the call completes, the resources held by the rpc_task are freed. Previously, however, after the rpc_cred was released, the pointer to it was not zeroed out. This led to an rpc_cred reference count underflow, and consequently to a kernel panic. With this update, the pointer to rpc_cred is correctly zeroed out, which prevents a kernel panic from occurring in this scenario.
BZ#823822
When removing a bonding module, the bonding driver uses code separate from the net device operations to clean up the VLAN code. Recent changes to the kernel introduced a bug which caused a kernel panic if the vlan module was removed after the bonding module had been removed. To fix this problem, the VLAN group removal operations found in the bonding kill_vid path are now duplicated in alternate paths which are used when removing a bonding module.
BZ#823371
When TCP segment offloading (TSO) or jumbo packets are used on the Broadcom BCM5719 network interface controller (NIC) with multiple TX rings, small packets can be starved for resources by the simple round-robin hardware scheduling of these TX rings, thus causing lower network performance. To ensure reasonable network performance for all NICs, multiple TX rings are now disabled by default.
BZ#822651
Previously, the default minimum entitled capacity of a virtual processor was 10%. This update changes the PowerPC architecture vector to support a lower minimum virtual processor capacity of 1%.
BZ#821374
On PowerPC architecture, the "top" utility displayed incorrect values for the CPU idle time, delays and workload. This was caused by a previous update that used jiffies for the I/O wait and idle time, but the change did not take into account that jiffies and CPU time are represented by different units. These differences are now taken into account, and the "top" utility displays correct values on PowerPC architecture.
BZ#818172
A bug in the writeback livelock avoidance scheme could result in some dirty data not being written to disk during a sync operation. In particular, this could occasionally occur at unmount time, when previously written file data was not synced, and was unavailable after the file system was remounted. Patches have been applied to address this issue, and all dirty file data is now synced to disk at unmount time.
BZ#807704
Previously, the TCP socket bound to the NFS server contained a stale skb_hints socket buffer. Consequently, the kernel could terminate unexpectedly. A patch has been provided to address this issue and skb_hints is now properly cleared from the socket, thus preventing this bug.
BZ#814877
Previously, bnx2x devices did not disable links with a large number of RX errors and overruns, and such links could still be detected as active. This prevented the bonding driver from failing over to a working link. This update restores remote-fault detection, which periodically checks for remote faults on the MAC layer. In case the physical link appears to be up but an error occurs, the link is disabled. Once the error is cleared, the link is brought up again.
BZ#813137
Various race conditions that led to indefinite log reservation hangs due to xfsaild "idle" mode occurred in the XFS file system. This could lead to certain tasks being unresponsive; for example, the cp utility could become unresponsive on heavy workload. This update improves the Active Item List (AIL) pushing logic in xfsaild. Also, the log reservation algorithm and interactions with xfsaild have been improved. As a result, the aforementioned problems no longer occur in this scenario.
BZ#811255
The Out of Memory (OOM) killer killed processes outside of a memory cgroup when one or more processes inside that memory cgroup exceeded the "memory.limit_in_bytes" value. This was because when a copy-on-write fault happened on a Transparent Huge Page (THP), the 2 MB THP caused the cgroup to exceed the memory.limit_in_bytes value but the individual 4 KB page was not exceeded. With this update, the 2 MB THP is correctly split into 4 KB pages when the memory.limit_in_bytes value is exceeded. The OOM kill is delivered within the memory cgroup; tasks outside the memory cgroups are no longer killed by the OOM killer.
BZ#812904
This update blacklists the ADMA428M revision of the 2GB ATA Flash Disk device. This is due to data corruption occurring on the said device when the Ultra-DMA 66 transfer mode is used. When the "libata.force=5:pio0,6:pio0" kernel parameter is set, the aforementioned device works as expected.
BZ#814044
With certain switch peers and firmware, excessive link flaps could occur due to the way DCBX (Data Center Bridging Exchange) was handled. To prevent link flaps, changes were made to examine the capabilities in more detail and only initialize hardware if the capabilities have changed.
BZ#865115
If an abort request times out to the virtual Fibre Channel adapter, the ibmvfc driver initiates a reset of the adapter. Previously, however, the ibmvfc driver incorrectly returned success to the eh_abort handler and then sent a response to the same command, which led to a kernel oops on IBM System p machines. This update ensures that both the abort request and the request being aborted are completed prior to exiting the eh_abort handler, and the kernel oops no longer occurs in this scenario.
BZ#855906
A kernel panic occurred when the size of a block device was changed and an I/O operation was issued at the same time. This was because the direct and non-direct I/O code was written with the assumption that the block size would not change. This update introduces a new read-write lock, bd_block_size_semaphore. The lock is taken for read during I/O operations and for write when changing the block size of a device. As a result, block size cannot be changed while I/O is being submitted. This prevents the kernel from crashing in the described scenario.
BZ#883643
The bonding driver previously did not honor the maximum Generic Segmentation Offload (GSO) length of packets and segments requested by the underlying network interface. This caused the firmware of the underlying NIC, such as be2net, to become unresponsive. This update modifies the bonding driver to set up the lowest gso_max_size and gso_max_segs values of network devices while attaching and detaching the devices as slaves. The network drivers no longer hang and network traffic now proceeds as expected in setups using a bonding interface.
BZ#855131
In Fibre Channel fabrics with large zones, the automatic port rescan on incoming Extended Link Service (ELS) frames and any adapter recovery could cause high traffic, in particular if many Linux instances shared a host bus adapter (HBA), which is common on IBM System z architecture. This could lead to various failures; for example, name server requests, port or adapter recovery could fail. With this update, ports are re-scanned only when setting an adapter online or on manual user-triggered writes to the sysfs attribute "port_rescan".
BZ#824964
A deadlock sometimes occurred between the dlm_controld daemon closing a lowcomms connection through the configfs file system and the dlm_send process looking up the address for a new connection in configfs. With this update, the node addresses are saved within the lowcomms code so that the lowcomms work queue does not need to use configfs to get a node address.
BZ#827031
On Intel systems with Pause Loop Exiting (PLE), or AMD systems with Pause Filtering (PF), it was possible for larger multi-CPU KVM guests to experience slowdowns and soft lock-ups. Due to a boundary condition in kvm_vcpu_on_spin, all the VCPUs could try to yield to VCPU0, causing contention on the run queue lock of the physical CPU where the guest's VCPU0 is running. This update eliminates the boundary condition in kvm_vcpu_on_spin.
BZ#796352
On Red Hat Enterprise Linux 6, mounting an NFS export from a Windows 2012 server failed due to the fact that the Windows server contains support for the minor version 1 (v4.1) of the NFS version 4 protocol only, along with support for versions 2 and 3. The lack of the minor version 0 (v4.0) support caused Red Hat Enterprise Linux 6 clients to fail instead of rolling back to version 3 as expected. This update fixes this bug and mounting an NFS export works as expected.
BZ#832575
Previously, the size of the multicast IGMP (Internet Group Management Protocol) snooping hash table for a bridge was limited to 256 entries even though the maximum is 512. This was due to the hash table size being incorrectly compared to the maximum hash table size, hash_max, and the following message could have been produced by the kernel:
Multicast hash table maximum reached, disabling snooping: vnet1, 512
With this update, the hash table value is correctly compared to the hash_max value, and the error message no longer occurs under these circumstances.
BZ#834185
The xmit packet size was previously 64K, exceeding the hardware capability of the be2net card because the size did not account for the Ethernet header. The adapter was therefore unable to process xmit requests exceeding this size, produced error messages and could become unresponsive. To prevent these problems, GSO (Generic Segmentation Offload) maximum size has been reduced to account for the Ethernet header.
BZ#835797
A comparison of signed and unsigned values could under certain circumstances lead to a superfluous call to the resched_task() routine, causing several unnecessary cycles in the scheduler. This problem has been fixed, preventing the unnecessary cycles in the scheduler.
BZ#838025
When using virtualization with the netconsole module configured over the main system bridge, guests could not be added to the bridge, because TAP interfaces did not support netpoll. This update adds support of netpoll to the TUN/TAP interfaces so that bridge devices in virtualization setups can use netconsole.
BZ#838640
In the ext4 file system, splitting an unwritten extent while using Direct I/O could fail to mark the modified extent as dirty, resulting in multiple extents claiming to map the same block. This could lead to the kernel or fsck reporting errors due to multiply claimed blocks being detected in certain inodes. In the ext4_split_unwritten_extents() function used for Direct I/O, the buffer which contains the modified extent is now properly marked as dirty in all cases. Errors due to multiply claimed blocks in inodes should no longer occur for applications using Direct I/O.
BZ#839266
When the netconsole module was configured over bridge and the "service network restart" command was executed, a deadlock could occur, resulting in a kernel panic. This was caused by recursive rtnl locking by both bridge and netconsole code during network interface unregistration. With this update, the rtnl lock usage is fixed, and the kernel no longer crashes in this scenario.
BZ#756044
Migrating virtual machines from Intel hosts that supported the VMX "Unrestricted Guest" feature to older hosts without this feature could result in kvm returning the "unhandled exit 80000021" error for guests in real mode. The underlying source code has been modified so that migration completes successfully on hosts where "Unrestricted Guest" is disabled or not supported.
BZ#843849
The kernel contains a rule to blacklist direct memory access (DMA) modes for "2GB ATA Flash Disk" devices. However, this device ID string did not contain a space at the beginning of the name. Due to this, the rule failed to match the device and failed to disable DMA modes. With this update, the string correctly reads " 2GB ATA Flash Disk", and the rule can be matched as expected.

Enhancements

Note

For more information on the most important of the Red Hat Enterprise Linux 6.4 kernel enhancements, refer to the Kernel chapter in the Red Hat Enterprise Linux 6.4 Release Notes or Chapter 2, Device Drivers.
For a summary of added or updated procfs entries, sysfs default values, boot parameters, kernel configuration options, or any noticeable behavior changes, refer to Chapter 1, Important Changes to External Kernel Parameters.
BZ#872799
The INET socket interface has been modified to send a warning message when the ip_options structure is allocated directly by a third-party module using the kmalloc() function.
BZ#823010
The z90crypt device driver has been updated to support the new Crypto Express 4 (CEX4) adapter card.
Users should upgrade to these updated packages, which contain backported patches to correct these issues, fix these bugs, and add these enhancements. The system must be rebooted for this update to take effect.

6.103. kexec-tools

Updated kexec-tools packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The kexec fastboot mechanism allows booting a Linux kernel from the context of an already running kernel. The kexec-tools package provides the /sbin/kexec binary and ancillary utilities that form the user-space component of the kernel's kexec feature.

Bug Fixes

BZ#628610
When starting the kdump service, kdump always verifies the following vendor model attributes on the present block devices: "/sys/block/vda/device/model", "/sys/block/vda/device/rev" and "/sys/block/vda/device/type". However, the virtio block devices do not provide these attributes to sysfs so if such a device was tested, the following error messages were displayed:
cat: /sys/block/vda/device/model: No such file or directory
cat: /sys/block/vda/device/type: No such file or directory
This update modifies the underlying code to restrain kdump from printing these error messages if a block device does not provide the aforementioned sysfs attributes.
BZ#770000
Previously, if memory ballooning was enabled in the first kernel, the virtio balloon driver was included in the kdump kernel, which led to extensive memory consumption. Consequently, kdump failed due to an out of memory (OOM) error and the vmcore file could not be saved. With this update, the virtio_balloon kernel module is no longer loaded in the second kernel so that an OOM failure no longer prevents kdump from capturing vmcore.
BZ#788253
Previously, the microcode.ko module was included and loaded in the kdump kernel; however, related firmware was not included in the kdump initrd. As a consequence, the kdump kernel waited for a 60-second timeout to expire before loading the next module. This update modifies kdump to exclude the microcode driver from the second kernel so that the kdump kernel no longer waits unnecessarily and loads kernel modules as expected.
BZ#813354
The kdump.conf(5) man page previously did not document what file system types are supported by kdump. The user could therefore attempt to specify an unsupported file-system-type option, such as "auto", in the kdump.conf file. This would result in a failure to start the kdump service while the user expected success. With this update, all supported file system types are clearly listed in the kdump.conf(5) man page.
BZ#816467
When configuring kdump to dump a core file to a remote target over SSH without requiring a password, the "service kdump propagate" command has to be executed to generate and propagate SSH keys to the target system. This action required SELinux to be switched from enforcing mode to permissive mode and back. Previously, kdump init script used an incorrect test condition to determine SELinux mode so that SELinux mode could not be switched as required. Consequently, if SELinux was in enforcing mode, SSH keys could not be generated and kdump failed to start. This update removes the code used to switch between permissive and enforcing modes, which is no longer required because with Red Hat Enterprise Linux 6.3 SELinux added a policy allowing applications to access the ssh-keygen utility to generate SSH keys. SSH keys can now be generated and propagated as expected, and kdump no longer fails to start in this scenario.
BZ#818645
When dumping a core file on IBM System z architecture using the line mode terminals, kdump displays its progress on these terminals. However, these terminals do not support cursor positioning so that formatting of the kdump output was incorrect and the output was hard to read. With this update, a new environment variable, TERM, has been introduced to correct this problem. If "TERM=dumb" is set, the makedumpfile utility produces an easily-readable output on the line mode terminals.
BZ#820474
Previously, kdump expected that the generic ATA driver was always loaded as the ata_generic.ko kernel module and the mkdumprd utility thus added the module explicitly. However, the ata_generic.ko module does not exist on the IBM System z architecture and this assumption caused the kdump service to fail to start if the SCSI device was specified as a dump target on these machines. With this update, mkdumprd has been modified to load the ata_generic module only when required by the specific hardware. The kdump service now starts as expected on IBM System z architecture with SCSI device specified as a dump target.
BZ#821376
Previously, kdump always called the hwclock command to set the correct time zone. However, the Real Time Clock (RTC) interface, which is required by hwclock, is not available on IBM System z architecture. Therefore, running kdump on these machines resulted in the following error messages being emitted:
hwclock: can't open '/dev/misc/rtc': No such file or directory
With this update, kdump has been modified to no longer call the hwclock command when running on IBM System z, and the aforementioned error messages no longer occur.
BZ#825640
When dumping a core file to a remote target using SSH, kdump sends random seeds from the /dev/mem device to the /dev/random device to generate sufficient entropy required to establish successful SSH connection. However, when dumping a core file on the IBM System z with the CONFIG_STRICT_DEVMEM configuration option enabled, reading the /dev/mem was denied and the dump attempt failed with the following error:
dd: /dev/mem: Operation not permitted
With this update, kdump has been modified to reuse the /etc/random_seed file instead of reading /dev/mem. Dumping no longer fails and the core file can now be successfully dumped to a remote target using SSH.
BZ#842476
When booting to the kdump kernel and the local file system specified as the dump target was unmounted, the kernel module required for the respective file-system driver would not have to be included in dumprd. Consequently, kdump could not mount the dump device and failed to capture vmcore. With this update, mkdumprd has been modified to always install the required file system module when dumping a core file to the local file system. The vmcore file can be successfully captured in this scenario.
BZ#859824
When dumping a core file to a remote target using a bonded interface and the target was connected by other than the bond0 interface, kdump failed to dump the core file. This happened because a bonding driver in the kdump kernel creates only one bonding interface named bond0 by default. This update modifies kdump to use the correct bonding interface in the kdump init script so that a core file can be dumped as expected in this scenario.
BZ#870957
When dumping a core file to a SCSI device over Fibre Channel Protocol (FCP) on IBM System z, the zFCP device has to be configured and set online before adding WWPN and SCSI LUN to the system. Previously, the mkdumprd utility parsed the zfcp.conf file incorrectly so that the zFCP device could not be set up and the kdump kernel became unresponsive during the boot. Consequently, kdump failed to dump a core file to the target SCSI device. With this update, mkdumprd has been modified to parse the zfcp.conf file correctly and kdump can now successfully dump a core file to the SCSI target on IBM System z. Also, mkdumprd previously always tried to set online Direct Access Storage Devices (DASD) on IBM System z. This resulted in the "hush: can't open '/sys/bus/ccw/devices//online': No such file or directory" error messages being emitted when booting the kdump kernel in a SCSI-only environment. This update modifies mkdumprd to skip entries from the dasd.conf file if Linux on IBM System z runs without DASD devices. The aforementioned error messages no longer occur during the kdump kernel boot in the SCSI-only environment on IBM System z.
BZ#872086
Previously, the kexec utility incorrectly recognized the Xen DomU (HVM) guest as the Xen Dom0 management domain. Consequently, the kernel terminated unexpectedly and the kdump utility generated the vmcore dump file with no NT_PRSTATUS notes. The crash also led to a NULL pointer dereference. With this update, kexec collects positions and sizes of NT_PRSTATUS from /sys/devices/system/cpu/cpuN/crash_notes on Xen DomU and from /proc/iomem on Xen Dom0. As a result, the crashes no longer occur.
BZ#874832
Due to recent changes, LVM assumes that the udev utility is always present on the system and creates correct device nodes and links. However, the kdump initramfs image does not contain udev so that LVM was unable to create disk devices and kdump failed. With this update, the mkdumprd utility modifies the lvm.conf configuration file to inform LVM that initramfs does not contain functional udev. If the lvm.conf file does not exist, mkdumprd creates it. The LVM now creates the devices correctly and kdump works as expected.
BZ#876891
Previously, the mlx4_core kernel module was loaded in the kdump kernel on systems using Mellanox ConnectX InfiniBand adapter cards. However, the mlx4_core module requires an extensive amount of memory, which caused these systems to run into an OOM situation and kdump failed. With this update, the second kernel no longer loads the mlx4_core module so that the OOM situation no longer occurs and kdump captures the vmcore file successfully in this scenario.
BZ#880040
Due to recent changes, the libdevmapper library assumes that the udev utility is always present on the system and creates correct device nodes for multipath devices. However, the kdump initramfs image does not contain udev; therefore, LVM was unable to create disk devices and kdump failed. With this update, the mkdumprd utility sets the DM_DISABLE_UDEV environment variable to 1 to inform libdevmapper that the initramfs image does not contain functional udev. The LVM now creates the devices correctly and kdump can successfully dump a core file to a multipath device.
BZ#892703
When setting up a network in the kdump kernel, the mkdumprd code incorrectly renamed network bridges along with NIC names in the network configuration files. This caused the kdump network setup to fail and the vmcore file could not be captured on the remote target. This update modifies kdump to substitute names of network devices correctly so that the network can be set up and vmcore dumped on the remote target as expected.

Enhancements

BZ#822146
With this update, the mkdumprd utility has been modified to support multipath storage devices as dump targets, which includes the ability to activate multiple NICs in the second kernel.
BZ#850623
This update modifies kdump to always extract the dmesg output from the captured vmcore dump file, and save the output in a separate text file before dumping the core file.
BZ#878200
The /usr/share/doc/kexec-tools-2.0.0/kexec-kdump-howto.txt file has been modified to provide a comprehensive list of supported, unsupported, and unknown dump targets under the “Dump Target support status” section.
Users of kexec-tools are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.104. krb5

Updated krb5 packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC).

Upgrade to an upstream version

The krb5 packages have been upgraded to upstream version 1.10.3, which provides a number of bug fixes over the previous version, including better support of cross-domain trust functionality in other packages. (BZ#823926)

Bug Fixes

BZ#771687
Older versions of the libsmbclient package incorrectly depended on the krb5_locate_kdc() function, which is no longer supported. Consequently, applications which used older versions of libsmbclient became incompatible after the Kerberos library update. With this update, an explicit conflict with older versions of libsmbclient has been added. As a result, an incompatible combination cannot be installed.
BZ#773496
Previously, when the krb5-auth-dialog application was used and the prompter was left hanging for a long period of time, a large clock skew was mistakenly recorded. This clock drift was applied in the next kinit session. Consequently, the klist function reported an incorrect expiration time. This bug has been fixed, and the spurious time offset no longer occurs in the described scenario.
BZ#834718
Previously, when a list of trusted roots of a PKINIT client included the KDC's certificates, certain KDC implementations omitted such anchors from the list of certificates in the signed data structure. Consequently, the client failed to verify the KDC's signature on the signed data. With this update, a backported fix has been included to allow the client to use its own copies of relevant certificates. As a result, the verification no longer fails in the aforementioned scenario.
BZ#837855
Prior to this update, attempts to use the kinit command with a keytab file often failed when the keytab file did not contain the Advanced Encryption Standard (AES) keys, but the client's libraries and the KDC both supported AES. The strongest supported encryption type (AES) was chosen by default, even though it was not present in the keytab. Consequently, a mismatch error occurred. The bug has been fixed, and keytabs containing any of the supported encryption types are now correctly processed.
BZ#838548
Previously, the krb5 package did not handle the timeout variable properly. In certain cases, the timeout variable became a negative number. Consequently, the client entered a loop while checking for responses. With this update, the client logic has been modified and the described error no longer occurs.
BZ#839017
Prior to this update, the passwd utility failed when used by an Identity Management client. Consequently, an error occurred with the following message:
token manipulation error
The bug has been fixed, and the passwd utility now works with Identity Management as expected.
BZ#845125, BZ#846472
Due to a previous update to a locally-applied patch, files created by the libkrb5 library were given correct SELinux labels. However, each flushing of the replay cache caused the file context configuration to be reloaded to ensure that the correct label is applied to the newly-created replacement replay cache file. This resulted in large performance degradation in applications which accept authentication and use replay caches. With this update, the context configuration is only loaded when the context configuration file has been modified and the configuration is now freed only when the library is unloaded or the calling application exits, thus greatly lowering the impact of this problem.
All users of krb5 are advised to upgrade to these updated packages, which fix these bugs.

6.105. ksh

Updated ksh packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
KSH-93 is the most recent version of the KornShell by David Korn of AT&T Bell Laboratories. KornShell is a shell programming language which is also compatible with sh, the original Bourne Shell.

Bug Fixes

BZ#827512
Originally, ksh buffered output of a subshell, flushing it when the subshell completed. This slowed certain processes that waited for a particular output, because they had to wait for the subshell to complete. Moreover, it made it difficult to determine the order of events. The new version of ksh flushes output of the subshell every time the subshell executes a new command. Thanks to this change, processes waiting for the subshell output receive their data after every subshell command and the order of events is preserved.
BZ#846663
Previously, the sfprints() function was unsafe to be called during the shell initialization, which could corrupt the memory. Consequently, assigning a right-aligned variable to a smaller size could result in inappropriate output format. With this update, the sfprints() call is no longer used in the described scenario, which fixes the format of the output.
BZ#846678
Due to a bug in the typeset command, when executed with the -Z option, output was being formatted to an incorrect width. As a result, exporting a right-aligned variable of a smaller size than the predefined field size caused it to not be prepended with the "0" character. A patch has been provided and the typeset command now works as expected in the aforementioned scenario.

Enhancement

BZ#869155
With this update, ksh has been enhanced to support logging of the shell output.
Users of ksh are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.106. ledmon

Updated ledmon packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The ledmon and ledctl utilities are user space applications designed to control LEDs associated with each slot in an enclosure or a drive bay. There are two types of systems: 2-LED systems (Activity LED, Status LED) and 3-LED systems (Activity LED, Locate LED, Fail LED). Users must have root privileges to use these applications.

Upgrade to an upstream version

The ledmon package has been upgraded to upstream version 0.72, which provides a number of bug fixes and enhancements over the previous version. (BZ#817974)
Users of ledmon are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.107. libburn

Updated libburn packages that fix one bug are now available for Red Hat Enterprise Linux 6.
Libburn is an open-source library for reading, mastering and writing optical discs. For now this means only CD-R and CD-RW.
BZ#822906
Prior to this update, the libburn library contained the "burn_write_close_track" command, which was redundant and not fully supported by all burning drives. As a consequence, the burning process for a CD-R or CD-RW could log errors while closing a track after the burning process, even if the data was written correctly. This update removes this redundant call.
All users of gfs-kmod are advised to upgrade to these updated packages, which fix this bug.

6.108. libcgroup

Updated libcgroup packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
The libcgroup packages provide tools and libraries to control and monitor control groups.

Bug Fixes

BZ#773544
Previously, the cgrulesengd daemon ignored the "--sticky" option of the cgexec command and, as a consequence, moved a process to another cgroup when the process called the setuid() or setgid() functions even if the process had to be stuck to the current cgroup. This bug is now fixed and the cgrulesengd daemon now checks whether the process is "sticky" or not when the process calls setuid or setgid.
BZ#819137
Previously, the lscgroup command dropped the first character of a path unless prefixed with a slash, which led to lscgroup generating invalid paths. This bug is now fixed and the generated paths are now correct.
BZ#849757
Previously, adding a cgroup after the cgrulesengd daemon had started did not work. As a consequence, if a directory was created after cgrulesengd was already started, any /etc/cgrules.conf configuration for that directory would not be processed. With this update, a routine has been added to scan the cgrules.conf file and move matching running tasks in the /proc/pid/ directory into configured cgroups. This new routine is called at init time and also after inotify events on cgroups.
BZ#869990
Previously, the cgconfig service was not working properly with read-only file systems. As a consequence, cgconfig was not able to start with the default configuration on a Red Hat Enterprise Virtualization Hypervisor system. This update adds a check for the read-only file systems to the cgconfig service and it now works as expected with the default configuration on Red Hat Enterprise Virtualization Hypervisor systems.

Enhancement

BZ#738737
This update improves the logging facility and error messages generated by libcgroup.
Users of libcgroup are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.109. libdbi

Updated libdbi packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The libdbi packages provide implementation of a database-independent abstraction layer in the C language. This framework allows programmers to write one generic set of code that works with multiple databases and multiple simultaneous database connections.

Bug Fix

BZ#733413
Previously, when processing query results, the last row of a query result was not freed due to an off-by-one logic error. This resulted in a memory leak that could become significant after processing a large number of query results. This update corrects an incorrect test condition in the underlying source code and memory leaks no longer occur in this scenario.
All users of libdbi are advised to upgrade to these updated packages, which fix this bug.

6.110. libdvdread

Updated libdvdread packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The libdvdread packages contain a simple foundation to read DVD video disks. This provides the functionality that is required to access many DVDs.

Bug Fix

BZ#842016
Prior to this update, the dvd_stat_t structure was not public. As a consequence, source code that required such structures could not be compiled. This update makes the dvd_stat_t structure public, so that code which uses this type can be compiled.
All users of libdvdread are advised to upgrade to these updated packages, which fix this bug.

6.111. libguestfs

Updated libguestfs packages that fix numerous bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The libguestfs packages contain a library, which is used for accessing and modifying guest disk images.

Bug Fixes

BZ#801640
Previously, when using the resize2fs -M command and an error due to lack of free space occurred, the returned error message was incorrect and could confuse the user. With this update, a proper error message is returned instead.
BZ#822626
Due to a bug in the source code, an error occurred when using the virt-ls --checksum command and the following error message was returned:
libguestfs: error: checksum: path: parameter cannot be NULL
The underlying source code has been modified and virt-ls --checksum now works as expected.
BZ#830369
Due to the guestfs_inspect_get_hostname() function, the libguestfs-based commands did not work properly when an empty /etc/HOSTNAME file was created on a Linux guest. This update applies a patch to fix this bug and the libguestfs-based commands now work in the described scenario.
BZ#836573
Previously, the libguestfs library did not handle the /dev/disk/by-id/* paths. Consequently, it was impossible to examine a guest using commands with such a path and an error message was returned. With this update, a patch has been applied to fix this bug and the libguestfs library no longer returns an error in this situation.
BZ#837691
Previously, under certain conditions, writing to disks in the qcow2 format could cause silent data loss. The underlying source code has been modified to prevent this behavior and writing to disks in the qcow2 format now works as expected.
BZ#838609
Due to a race condition between the guestmount and the fusermount tools, unmounting and then immediately using a disk image was not safe and could cause data loss or memory corruption. This update adds the new --pid-file option for guestmount to avoid the race condition between these tools, and attempts to use disk images immediately after unmounting can no longer cause data loss or memory corruption.
BZ#852396
Previously, the libguestfs library limited the total size of downloaded hive files from a Windows Registry to 100 MB. Consequently, an attempt to inspect systems with a large amount of hive files caused libguestfs to return an error message. With this update, the limit was increased to 300 MB and libguestfs can now inspect a larger Windows Registry properly.
BZ#853763
Previously, using the file utility to detect the format of a disk image could produce different output for different versions of this utility. The underlying source code has been modified and output is now the same for all versions of the file utility.
BZ#858126
Due to a bug in the underlying source code, the virt-inspector tool failed to work with certain Windows guests. This update applies a patch to fix this bug and virt-inspector now supports all Windows guests as expected.
BZ#858648
Due to recent changes in the iptables packages, the libguestfs library could not be installed with the new version of the iptables tool. The underlying source code has been modified to fix this bug and the installation of libguestfs works as expected.
BZ#872454
Previously, the libguestfs library detected the Red Hat Enterprise Linux 5.1 guests as NetBSD guests. This update applies a patch to fix this bug and libguestfs now detects Red Hat Enterprise Linux 5.1 guests correctly.
BZ#880805
The virt-df command with -a or -d arguments works correctly only with a single guest. An attempt to use this command with multiple arguments, such as virt-df -a RHEL-Server-5.9-32-pv.raw -a opensuse.img, caused the disk image names to be displayed incorrectly. With this update, the plus sign (+) is displayed for each additional disk, so that the user can easily recognize them. In addition, the correct usage of the virt-df command has been described in the virt-df(1) man page.

Enhancements

BZ#830135
This enhancement improves the libguestfs library to support mount-local APIs.
BZ#836501
With this update, the dependency on the fuse packages has been added to libguestfs dependencies.
All users of libguestfs are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.112. libhbaapi

Updated libhbaapi packages that add one enhancement are now available for Red Hat Enterprise Linux 6.
The libhbaapi library is the Host Bus Adapter (HBA) API library for Fibre Channel and Storage Area Network (SAN) resources. It contains a unified API that programmers can use to access, query, observe, and modify SAN and Fibre Channel services.

Enhancement

BZ#862386
This update converts libhbaapi code to a merged upstream repository at Open-FCoE.org. Consequently, the libhbaapi packages are no longer compiled from different sources, thus making maintenance and further development easier.
Users of libhbaapi are not required to upgrade to these updated packages as the change introduced by them is purely formal and does not affect functionality.

6.113. libhbalinux

Updated libhbalinux packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The libhbalinux package contains the Host Bus Adapter API (HBAAPI) vendor library which uses standard kernel interfaces to obtain information about Fiber Channel Host Buses (FC HBA) in the system.

Upgrade to an upstream version

The libhbalinux packages have been upgraded to upstream version 1.0.14, which provides a number of bug fixes and enhancements over the previous version. (BZ#819936)
All users of libhbalinux are advised to upgrade to these updated libhbalinux packages, which fix these bugs and add these enhancements.

6.114. libical

Updated libical packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The libical packages provide a reference implementation of the iCalendar data type and serialization format used in dozens of calendaring and scheduling products.

Bug Fix

BZ#664332
The libical packages can be configured to abort when parsing improperly formatted iCalendar data, primarily useful for testing and debugging. In Red Hat Enterprise Linux this behavior is disabled, but some parts of the libical source code were improperly checking for this option. Consequently, the library aborted even if configured not to do so. The underlying source code has been modified and libical no longer aborts in the described scenario.
All users of libical are advised to upgrade to these updated packages, which fix this bug.

6.115. libica

Updated libica packages that add one enhancement are now available for Red Hat Enterprise Linux 6.
The libica library contains a set of functions and utilities for accessing the IBM eServer Cryptographic Accelerator (ICA) hardware on IBM System z.

Enhancement

BZ#738835
The libica library has been modified to allow usage of new algorithms that support the Message Security Assist Extension 4 instructions in the Central Processor Assist for Cryptographic Function (CPACF) feature. For the DES and 3DES block ciphers, the new feature supports the following modes of operation:
  • Cipher Block Chaining with Ciphertext Stealing (CBC-CS)
  • Cipher-based Message Authentication Code (CMAC)
For the AES block cipher, this feature supports the following modes of operation:
  • Cipher Block Chaining with Ciphertext Stealing (CBC-CS)
  • Counter with Cipher Block Chaining Message Authentication Code (CCM)
  • Galois/Counter (GCM)
With this acceleration of complex cryptographic algorithms, performance of IBM System z machines significantly improves.
All users of libica are advised to upgrade to these updated packages, which add this enhancement.

6.116. libldb

Updated libldb packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The libldb packages provide an extensible library that implements an LDAP-like API to access remote LDAP servers, or use local TDB databases.

Upgrade to an upstream version

The libldb packages have been upgraded to upstream version 1.1.13, which provides a number of bug fixes and enhancements over the previous version. One of the most significant changes is that the source code of libldb is no longer a part of the samba4 packages but has been extracted to a separate SRPM package. This resolves the problem caused by recent changes in the Samba build system, which made the libldb library impossible to build as a shared library from the Samba tarball. (BZ#859229)

Bug Fix

BZ#873422
Recent changes in the Samba compiling script caused libldb to expose internal functions and symbols in the public interface. This could lead to various linking and building problems if these internal symbols were used directly out of the libldb code. This update corrects the compiling script so that internal symbols of libldb are no longer exported and visible in the libldb public interface.
All users of libldb are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.117. libqb

Updated libqb packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The libqb packages provide a library with the primary purpose of providing high performance client server reusable features, such as high performance logging, tracing, inter-process communication, and polling.

Upgrade to an upstream version

The libqb packages have been upgraded to upstream version 0.14.2, which provides a number of bug fixes and enhancements over the previous version. (BZ#845275)

Bug Fix

BZ#869446
Previously, a timeout argument given to the qb_ipcc_recv() API function was not passed to poll() while waiting for a reply. Consequently, this function could consume nearly 100% CPU resources and affect the pacemaker utility. This bug has been fixed by passing the timeout value to poll() in qb_ipcc_recv(). As a result, the timeout period is honored as expected and pacemaker works correctly in such a case.
All libqb users are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
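
What passing the timeout to poll() changes for BZ#869446, as an added example in C; it is not libqb's code, and the function names and the idle pipe used as the "IPC socket" are constructed for illustration. The first function never hands its timeout to poll() and therefore spins until the deadline; the second sleeps in poll() for the remaining time and clamps that value so it can never go negative, which poll() would treat as "wait forever".

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

/* Monotonic clock in milliseconds, immune to wall-clock adjustments. */
static int64_t now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (int64_t)ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
}

/* Defective pattern: timeout_ms only bounds the loop, poll() always gets 0,
 * so the caller burns CPU re-polling until the deadline passes.
 * timeout_ms is assumed to be >= 0. */
static int wait_reply_spin(int fd, int timeout_ms, int *polls)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    int64_t deadline = now_ms() + timeout_ms;

    *polls = 0;
    do {
        int rc = poll(&pfd, 1, 0);
        (*polls)++;
        if (rc > 0)
            return (pfd.revents & POLLIN) ? 0 : -EPIPE;
        if (rc < 0 && errno != EINTR)
            return -errno;
    } while (now_ms() < deadline);
    return -ETIMEDOUT;
}

/* Corrected pattern: the remaining time is passed to poll(), so the process
 * sleeps in the kernel until data arrives or the deadline is reached. */
static int wait_reply_block(int fd, int timeout_ms, int *polls)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    int64_t deadline = now_ms() + timeout_ms;

    *polls = 0;
    for (;;) {
        int64_t left = deadline - now_ms();
        if (left < 0)
            left = 0;               /* negative means "wait forever" to poll() */
        int rc = poll(&pfd, 1, (int)left);
        (*polls)++;
        if (rc > 0)
            return (pfd.revents & POLLIN) ? 0 : -EPIPE;
        if (rc < 0 && errno != EINTR)
            return -errno;
        if (now_ms() >= deadline)   /* also re-arms after EINTR with less time */
            return -ETIMEDOUT;
    }
}

int main(void)
{
    int fds[2], spin = 0, block = 0;

    if (pipe(fds) != 0)             /* constructed stand-in for a silent peer */
        return 1;
    wait_reply_spin(fds[0], 100, &spin);
    wait_reply_block(fds[0], 100, &block);
    printf("poll() calls in 100 ms: spinning=%d blocking=%d\n", spin, block);
    close(fds[0]);
    close(fds[1]);
    return 0;
}
```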

6.118. libsemanage

Updated libsemanage packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The libsemanage library provides an API for the manipulation of SELinux binary policies. It is used by checkpolicy (the policy compiler) and similar tools, as well as by programs such as load_policy, which must perform specific transformations on binary policies (for example, customizing policy boolean settings).

Bug Fixes

BZ#798332
Previously, the "usepasswd" parameter was not available in the /etc/selinux/semanage.conf file. This update adds the missing "usepasswd" parameter to this file.
BZ#829378
When a custom SELinux policy module was loaded with an error, an error message that was not very informative was returned. This update fixes the error message to be more helpful for users.
All users of libsemanage are advised to upgrade to these updated packages, which fix these bugs.

6.119. libsoup

Updated libsoup packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The libsoup packages provide an HTTP client and server library for GNOME.

Bug Fixes

BZ#657622
Prior to this update, the clock-applet did not handle canceled requests during a DNS lookup correctly and accessed already freed memory. As a consequence, the weather view of the clock-applet could, under certain circumstances, abort with a segmentation fault when updating the weather if resolving the hostname of the weather server took more than 30 seconds, for example due to network problems. This update modifies the underlying code to allow requests that take too long to be canceled.
BZ#746587
Prior to this update, the weather view of the clock-applet tried to connect to the weather server indefinitely as fast as it could if the weather server (or an HTTP proxy) closed the connection without responding. This update modifies the underlying code to retry a request only if the server unexpectedly closes a previously-used connection, not a new connection. Now, libsoup returns a "Connection terminated unexpectedly" error, so the clock-applet does not update the weather display, and tries again later.
All users of libsoup are advised to upgrade to these updated packages, which fix these bugs.

6.120. libssh2

Updated libssh2 packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The libssh2 packages provide a library that implements the SSH2 protocol.

Upgrade to an upstream version

The libssh2 packages have been upgraded to upstream version 1.4.2, which provides a number of bug fixes and enhancements over the previous version, including fixes for memory leaks, missing error handling, and incompatibilities in the SSH2 protocol implementation. (BZ#749873)

Bug Fixes

BZ#741919
With this update, several stability patches have been added to libssh2. As a result, memory leaks, buffer overruns, and null pointer problems are avoided when managing a large number of nodes.
BZ#801428
Previously, an insufficient data type was used for certain bit shift operations in the libssh2 code. This behavior caused the curl utility to terminate unexpectedly when downloading files larger than 2 GB over the SSH File Transfer Protocol (SFTP). With this update, the underlying code has been modified to use the correct data type and curl now works as expected in the described scenario.
BZ#804145
Under certain circumstances, libssh2 failed to resume an interrupted key exchange when sending a large amount of data over SSH. Moreover, further data was erroneously sent, which caused the remote site to close the connection immediately. With this update, libssh2 has been modified to properly resume the interrupted key exchange before sending any further data. As a result, the connection remains open and the data transfer proceeds as expected.
BZ#804150
Previously, the function for writing to a channel in libssh2 incorrectly handled error states, which, under certain circumstances, resulted in an infinite loop. The function has been fixed and the error handling now works properly.
BZ#806862, BZ#873785
Previously, the window size adjustment in libssh2 did not work properly, which resulted in unclosed connections when transferring huge files over SCP or SFTP, extensive memory consumption, or both. The window-adjusting code has been fixed and now works properly for blocks of arbitrary size.
BZ#826511
Previously, libssh2 incorrectly returned the LIBSSH2_ERROR_EAGAIN error code when operating in blocking mode. The error code is used by libssh2 internally to initiate a blocking operation on a socket. The error code was, however, not properly cleared on success and leaked through the public API of libssh2. An upstream patch has been applied to clear the error code prior to initiating the blocking operation, and libssh2 no longer returns LIBSSH2_ERROR_EAGAIN when operating in blocking mode.
All users of libssh2 are advised to upgrade to these updated packages, which fix these bugs and add these enhancements. After installing these updated packages, all running applications using libssh2 have to be restarted for this update to take effect.
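
The class of defect described in BZ#801428, as an added example in C; it is not libssh2's code, and the function names, read size and sample sizes are constructed for illustration. SFTP carries file sizes and offsets as 8-byte big-endian integers, and assembling one with shifts in a 32-bit type turns sizes above 2 GB negative or silently truncates them, while the same loop with a 64-bit accumulator is correct.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define READ_CHUNK 32768   /* constructed read size for the illustration */

/* Store v as an 8-byte big-endian integer, the on-the-wire form. */
static void put_u64(unsigned char out[8], uint64_t v)
{
    for (int i = 7; i >= 0; i--) {
        out[i] = (unsigned char)(v & 0xff);
        v >>= 8;
    }
}

/* Defective pattern: the accumulator is 32 bits wide, so the upper four
 * bytes are shifted out, and the result is then read as a signed value.
 * (The final conversion is implementation-defined; gcc and clang wrap.) */
static int32_t get_size_narrow(const unsigned char in[8])
{
    uint32_t acc = 0;
    for (size_t i = 0; i < 8; i++)
        acc = (acc << 8) | in[i];
    return (int32_t)acc;
}

/* Corrected pattern: every shift happens in a 64-bit unsigned type. */
static uint64_t get_size_wide(const unsigned char in[8])
{
    uint64_t acc = 0;
    for (size_t i = 0; i < 8; i++)
        acc = (acc << 8) | in[i];
    return acc;
}

/* Reads of READ_CHUNK bytes needed to fetch `size` bytes; -1 if the size
 * is negative, which is how a wrapped value surfaces in a transfer loop. */
static int64_t reads_needed(int64_t size)
{
    if (size < 0)
        return -1;
    return (size + READ_CHUNK - 1) / READ_CHUNK;
}

int main(void)
{
    /* Constructed sample sizes: 1 GiB, 3 GiB and 5 GiB. */
    const uint64_t samples[] = { 1073741824ULL, 3221225472ULL, 5368709120ULL };
    unsigned char wire[8];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        put_u64(wire, samples[i]);
        printf("real=%" PRIu64 " narrow=%" PRId32 " (reads %" PRId64 ")"
               " wide=%" PRIu64 " (reads %" PRId64 ")\n",
               samples[i],
               get_size_narrow(wire), reads_needed(get_size_narrow(wire)),
               get_size_wide(wire), reads_needed((int64_t)get_size_wide(wire)));
    }
    return 0;
}
```

The 3 GiB case fails loudly with a negative size, while the 5 GiB case is the more dangerous one: the narrow decoder reports a plausible 1 GiB and the transfer would end early without an error.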

6.121. libtalloc

Updated libtalloc packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The libtalloc packages provide a library that implements a hierarchical memory allocator with destructors.

Upgrade to an upstream version

The libtalloc packages have been upgraded to upstream version 2.0.7, which provides a number of bug fixes over the previous version. (BZ#766335)
All libtalloc users are advised to upgrade to these updated packages, which fix these bugs.

6.122. libtdb

Updated libtdb packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The libtdb packages provide a library that implements the Trivial Database (TDB). TDB is a simple hashed database that uses internal locking to allow multiple simultaneous writers and readers.

Upgrade to an upstream version

The libtdb packages have been upgraded to upstream version 1.2.10, which provides a number of bug fixes and enhancements over the previous version. These updated libtdb packages are compliant with requirements of Samba 4. (BZ#766334)
All users of libtdb are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.123. libtevent

Updated libtevent packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The libtevent packages provide Tevent, an event system based on the talloc memory management library. Tevent supports many event types, including timers, signals, and the classic file descriptor events. Tevent also provides helpers to deal with asynchronous code represented by the tevent_req (Tevent Request) functions.

Upgrade to an upstream version

The libtevent packages have been upgraded to upstream version 0.9.17, which provides a number of bug fixes and enhancements over the previous version. These updated libtevent packages are compliant with requirements of Samba 4. (BZ#766336)
All users of libtevent are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.124. libusb1

Updated libusb1 packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The libusb1 packages provide a library to communicate with USB devices from userspace.

Bug Fixes

BZ#820205
Prior to this update, the usbredir network protocol caused a conflict with the libusb library. As a consequence, SPICE USB-redirection failed with the following error in the virt-viewer tool when trying to redirect one USB device to two guests simultaneously: "usbredirhost error: submitting bulk transfer on ep 02: -1". This update modifies the underlying code to send the error message "Device is busy" and fail after the second attempt.
BZ#830751
Prior to this update, USB Request Blocks (URBs) from the user space were not allowed to have transfer buffers larger than an arbitrary maximum. As a consequence, attempting to redirect certain USB mass-storage devices could fail. This update modifies the underlying code to allow programs to submit URBs of any size. If there is not sufficient memory available, the submission fails with an ENOMEM error. In addition, this update also replaces the old limits on individual transfer buffers with a single global limit of 16MB on the total amount of memory in use by the USB file system (usbfs) to prevent programs from submitting a lot of small URBs and so using all the DMA-able kernel memory.
All users of libusb1 are advised to upgrade to these updated packages, which fix these bugs.

6.125. libvirt-cim

Updated libvirt-cim packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The libvirt-cim package contains a Common Information Model (CIM) provider based on Common Manageability Programming Interface (CMPI). It supports most libvirt virtualization features and allows management of multiple libvirt-based platforms.

Bug Fixes

BZ#805892
If the sblim-sfcb package was installed on the system, rebuilding the libvirt-cim package failed with an error due to an incomplete substitution in the Makefile. The substitution has been corrected and rebuilding libvirt-cim now works as expected.
BZ#864096
When upgrading the libvirt-cim package to a newer version after libvirt-cim had registered its classes with a cim-server, the %preun code unregistered the classes leaving the system without libvirt-cim classes being registered. Now the libvirt-cim package only unregisters the libvirt-cim classes on uninstall.
Users of libvirt-cim are advised to upgrade to these updated packages, which fix these bugs.

6.126. libvirt-java

Updated libvirt-java packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The libvirt-java packages provide Java bindings to use libvirt, which is the virtualization API to manage and interact with virtualization capabilities.

Upgrade to an upstream version

The libvirt-java packages have been upgraded to upstream version 0.4.9, which provides a number of bug fixes and enhancements over the previous version. (BZ#838046)

Bug Fix

BZ#836920
Due to a failing Java Native Access (JNA) conversion, the "setSchedulerParameters()" method for domains did not process input parameters properly. With this update, the conversion process has been modified. As a result, setSchedulerParameters() now works as expected.
All users of libvirt-java are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.127. libvirt

Updated libvirt packages that fix one security issue, multiple bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The libvirt packages provide the libvirt library which is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.

Upgrade to an upstream version

The libvirt packages have been upgraded to upstream version 0.10.2, which provides a number of bug fixes and enhancements over the previous version, such as support for Open vSwitch, a new API for detailed CPU statistics, improved support of LXC method including the sVirt technology, improvements of the virsh edit command, improved APIs for listing various objects and support for pinning and tuning emulator threads. (BZ#836934)

Security Fixes

CVE-2012-3411
It was discovered that libvirt made certain invalid assumptions about dnsmasq's command line options when setting up DNS masquerading for virtual machines, resulting in dnsmasq incorrectly processing network packets from network interfaces that were intended to be prohibited. This update includes the changes necessary to call dnsmasq with a new command line option, which was introduced to dnsmasq via RHSA-2013:0277.
In order for libvirt to be able to make use of the new command line option (--bind-dynamic), updated dnsmasq packages need to be installed. Refer to RHSA-2013:0277 for additional information.
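A way to confirm after the update that the dnsmasq instances serving libvirt networks were started with the new option, as an added example (not code from libvirt or from the advisory). The sample command lines are constructed, the helper names are hypothetical, and recognising libvirt-started instances by a --pid-file under /var/run/libvirt/network is an assumption.

```shell
#!/bin/sh
# Added example: report whether dnsmasq instances started for libvirt networks
# carry --bind-dynamic.
# Assumption: libvirt-started instances are recognised by a --pid-file located
# under PIDDIR; adjust PIDDIR if your installation differs.
PIDDIR=${PIDDIR:-/var/run/libvirt/network}

# Constructed sample command lines (not captured from a real host).
SAMPLE_CMDLINES='/usr/sbin/dnsmasq --strict-order --pid-file=/var/run/libvirt/network/default.pid --conf-file= --except-interface lo --bind-dynamic --interface virbr0
/usr/sbin/dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/libvirt/network/isolated.pid --conf-file= --except-interface lo --listen-address 192.168.100.1
/usr/sbin/dnsmasq -k --conf-file=/etc/dnsmasq.conf'

# True when the installed dnsmasq binary lists the option in its help text,
# i.e. the updated dnsmasq packages are in place.
dnsmasq_supports_bind_dynamic() {
    "${DNSMASQ:-dnsmasq}" --help 2>&1 | grep -q -- '--bind-dynamic'
}

# Read process command lines on stdin, one per line, and print one verdict
# per libvirt-managed dnsmasq instance. Other processes are ignored.
audit_dnsmasq() {
    while IFS= read -r cmdline; do
        case "$cmdline" in
            *dnsmasq*"--pid-file=$PIDDIR/"*) ;;
            *) continue ;;
        esac
        # The network name is the pid file's basename without ".pid".
        net=${cmdline##*"--pid-file=$PIDDIR/"}
        net=${net%%.pid*}
        case " $cmdline " in
            *" --bind-dynamic "*) echo "$net: --bind-dynamic present" ;;
            *)                    echo "$net: --bind-dynamic missing" ;;
        esac
    done
}

# Stand-alone run over the constructed sample.
# On a real host, feed it the process list instead: ps -eo args= | audit_dnsmasq
printf '%s\n' "$SAMPLE_CMDLINES" | audit_dnsmasq
```
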

Bug Fixes

BZ#794523
The libvirt library was issuing the PAUSED event before the QEMU processor emulator really paused. Consequently, a domain could be reported as paused before it was actually paused, which could confuse a management application using the libvirt library. With this update, the PAUSED event is issued after QEMU is stopped on a monitor and the management application is no longer confused by libvirt.
BZ#797279, BZ#808980, BZ#869557
The fixed limit for the maximum size of an RPC message that could be sent between the libvirtd daemon and a client, such as the virsh utility, was 65536 bytes. However, this limit was not always sufficient and messages that were longer than that could be dropped, leaving a client unable to fetch important data. With this update, the buffer for incoming messages has been made dynamic and both sides, a client and libvirtd, now allocate as much memory as is needed for a given message, thus allowing much bigger messages to be sent.
BZ#807996
Previously, repeatedly migrating a guest between two machines while using the tunnelled migration could cause the libvirtd daemon to lock up unexpectedly. The bug in the code for locking remote drivers has been fixed and repeated tunnelled migrations of domains now work as expected.
BZ#814664
Previously, multiple libvirt API calls were needed to determine the full list of guests on a host controlled by the libvirt library. Consequently, a race condition could occur when a guest changed its state between two calls that were needed to enumerate started and stopped guests. This behavior caused the guest to disappear from both of the lists, because the time of enumeration was not considered to be a part of the lists. This update adds a new API function that gathers the guest list in one call while the driver is locked. This guarantees that no guest changes its state before the list is gathered so that guests no longer disappear in the described scenario.
BZ#818467
Previously, libvirt did not report many useful error messages that were returned by external programs such as QEMU and only reported a command failure. Consequently, certain problems, whose cause or resolution could be trivial to discover by looking at the error output, were difficult to diagnose. With this update, if any external command run by libvirt exits with a failure, its standard error output is added to the system log as a libvirt error. As a result, problems are now easier to diagnose, because better information is available.
BZ#823716
Closing a file descriptor multiple times could, under certain circumstances, lead to a failure to execute the qemu-kvm binary. As a consequence, a guest failed to start. A patch has been applied to address this issue, so that the guest now starts successfully.
BZ#825095
Prior to this update, libvirt used an unsuitable detection procedure to detect NUMA and processor topology of a system. Consequently, topology of some advanced multi-processor systems was detected incorrectly and management applications could not utilize the full potential of the system. Now, the detection has been improved and the topology is properly recognized even on modern systems.
BZ#825820
Previously, the libvirt library had hooks for calling a user-written script when a guest was started or stopped, but had no hook to call a script for each guest when the libvirtd daemon itself was restarted. Consequently, certain custom setups that required extra operations not directly provided by libvirt could fail when libvirtd was restarted. For example, packet forwarding rules installed to redirect incoming connections to a particular guest could be overridden by libvirt's refresh of its own iptables packet forwarding rules, breaking the connection forwarding that had been set up. This update improves libvirt with a new reconnect hook; the QEMU hook script is called with a type of reconnect for every active guest each time libvirtd is restarted. Users can now write scripts to recognize the reconnect event, and for example reload the user-supplied iptables forwarding rules when this event occurs. As a result, incoming connections continue to be forwarded correctly, even when libvirtd is restarted.
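The reconnect hook described in BZ#825820, as an added example (not code from libvirt or Red Hat): a QEMU hook script that re-inserts user-supplied forwarding rules when a guest starts and each time libvirtd reconnects to it. The guest names, addresses, ports and the FORWARDS table are constructed, the helper names are hypothetical, and the script is assumed to be installed as libvirt's QEMU hook script and invoked as `qemu <guest> <operation> <sub-operation> <extra>`.

```shell
#!/bin/sh
# Added example of a libvirt QEMU hook script (not shipped by libvirt).
# Assumed invocation: qemu <guest> <operation> <sub-operation> <extra>,
# with operation "reconnect" for every active guest when libvirtd restarts.
#
# The hook runs as root: keep the table static and never evaluate text that
# comes from the guest or from its XML.

# Constructed sample table, one forward per line:
#   guest  host_port  guest_ip  guest_port
FORWARDS="web01 8080 192.168.122.10 80
web01 8443 192.168.122.10 443
db01 15432 192.168.122.20 5432"

# Set IPTABLES="echo iptables" to print the commands instead of running them.
IPTABLES=${IPTABLES:-iptables}

# Print the rule bodies (table, chain, match/target) that belong to one guest.
rules_for_guest() {
    printf '%s\n' "$FORWARDS" | while read -r guest hport gip gport; do
        [ "$guest" = "$1" ] || continue
        echo "nat PREROUTING -p tcp --dport $hport -j DNAT --to-destination $gip:$gport"
        echo "filter FORWARD -p tcp -d $gip --dport $gport -m state --state NEW -j ACCEPT"
    done
}

# apply_rules <guest> <-I|-D>
apply_rules() {
    rules_for_guest "$1" | while read -r table chain spec; do
        if [ "$2" = "-I" ]; then
            # Delete any stale copy first so repeated reconnects do not stack
            # duplicates; this also works on iptables versions without -C.
            $IPTABLES -t "$table" -D "$chain" $spec 2>/dev/null || true
        fi
        # -I puts the rule back at the top of the chain, ahead of the rules
        # libvirt re-creates when it refreshes its own iptables configuration.
        $IPTABLES -t "$table" "$2" "$chain" $spec || true
    done
}

# handle_hook <guest> <operation> [sub-operation] [extra]
handle_hook() {
    case "$2" in
        start|reconnect) apply_rules "$1" -I ;;
        stopped)         apply_rules "$1" -D ;;
    esac
}

# libvirt always passes the guest name and the operation; do nothing otherwise.
if [ "$#" -ge 2 ]; then
    handle_hook "$1" "$2"
fi
```
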
BZ#828729
On certain NUMA architectures, libvirt failed to process and expose the NUMA topology, sometimes leading to performance degradation. With this update, libvirt can parse and expose the NUMA topology on such machines and makes the correct CPU placement, thus avoiding performance degradation.
BZ#831877
The virsh undefine command supports deleting volumes associated with a domain. When using this command, the volumes are passed as additional arguments and if the user adds any trailing string after the basic command, the string is interpreted as a volume to be deleted. Previously, the volumes were checked after the guest was deleted, which could lead to user errors. With this update, the check of the volume arguments is performed before the deleting process so that errors can be reported sensibly. As a result, the command with an incorrect argument fails before it attempts to delete a guest and the host system stays in a sane state.
BZ#832081
Due to several bugs in the implementation of keep-alive messages that are used for the detection of broken connections or non-functional peers, these connections and peers could be incorrectly considered broken or non-functional and thus the keep-alive messages were disabled by default in Red Hat Enterprise Linux 6.3. The implementation of the keep-alive messages has been fixed and this feature is now enabled by default.
BZ#834927
Previously, a reversed condition in a check which is used during registering callbacks prevented multiple callbacks from being registered. This update applies a patch to fix this condition and multiple callbacks can be registered successfully now.
BZ#836135
The SPICE server needs a certain amount of time at the end of the migration process to transfer an internal state to a destination guest. Previously, the libvirt library could kill the source QEMU and the SPICE server before the internal state was transmitted. This behavior caused the destination client to be unresponsive. With this update, libvirt waits until the end of SPICE migration. As a result, the SPICE server no longer becomes unresponsive in this situation.
BZ#837659
When using the sanlock daemon for locking resources used by a domain, if such a resource was read-only, the locking attempt failed. Consequently, it was impossible to start a domain with a CD-ROM drive. This bug has been fixed and sanlock can now be properly used with read-only devices.
BZ#839661
Previously, the libvirt library did not support the S4 (Suspend-to-Disk) event on QEMU domains. Consequently, management applications could not register whether a guest was suspended to disk or powered off. With this update, support for S4 event has been added and management applications can now request receiving S4 events.
BZ#842208
Due to an installation of the vdsm daemon, the libvirt library was reconfigured and under certain conditions, libvirt was searching for a non-existing option when used outside of vdsm. Consequently, using the virsh utility on such a machine caused the system to terminate with a segmentation fault. The underlying source code has been modified to fix this bug and users can now use virsh on machines configured by vdsm as expected.
BZ#844266
Previously, a condition in a check, which is used for checking if modification of a domain XML in a saved file was successful or not, was inverted. Consequently, the virsh utility reported that this check failed even if it was successful and vice versa. This update applies a patch to fix this bug and success and failure of this check are reported correctly now.
BZ#844408
Disk hot plug is a two-part action: the qemuMonitorAddDrive() call is followed by the qemuMonitorAddDevice() call. When the first part succeeded but the second one failed, libvirt failed to roll back the first part and the device remained in use even though the disk hot plug failed. With this update, the rollback for the drive addition is properly performed in the described scenario and disk hot plug now works as expected.
BZ#845448
Previously the SIGINT signal was not blocked when the virDomainGetBlockJobInfo() function was performed. Consequently, an attempt to abort a process initialized by a command with the --wait option specified using the CTRL+C shortcut did not work properly. This update applies a patch to block SIGINT during virDomainGetBlockJobInfo() and aborting processes using the CTRL+C shortcut now works as expected.
BZ#845635
Previously, an unspecified error with a meaningless error code was returned when a guest agent became unresponsive. Consequently, management applications could not recognize why the guest agent hung; whether the guest agent was not configured or was unusable. This update introduces a new VIR_ERR_AGENT_UNRESPONSIVE error code and fixes the error message. As a result, management applications now can recognize why the guest agent hangs.
BZ#846639
Due to a bug in the libvirt code, two mutually exclusive cases could occur. In the first case, a guest operating system could fail to detect that it was being suspended because the suspend routine is handled by the hypervisor. In the second case, the cooperation of the guest operating system was required, for example during synchronization of the time after the resume routine. Consequently, it was possible to successfully call the suspend routine on a domain with the pmsuspended status and libvirt returned success on operation, which in fact failed. This update adds an additional check to prevent libvirt from suspending a domain with the pmsuspended status.
BZ#851397
Due to recent changes in port allocation, SPICE ports and SPICE TLS ports were the same. Consequently, QEMU domains started with both options configured to use the same port and SPICE TLS ports could not allocate one port twice. With this update, the port allocation has been fixed and the QEMU domains now work as expected in this situation.
BZ#853567
A virtual guest can have a network interface that is connected to an SR-IOV (Single Root I/O Virtualization) device's virtual function (VF) using the macvtap driver in passthrough mode, and from there is connected to an 802.1Qbh-capable switch. Previously, when shutting down the guest, libvirt erroneously set the SR-IOV device's physical function (PF) offline rather than setting the VF offline. Here is an example of the type of an interface that could be affected:
   <interface type='direct'>
     <source dev='eth7' mode='passthrough'/>
     <virtualport type='802.1Qbh'>
      <parameters profileid='test'/>
     </virtualport>
   </interface>
Consequently, if PF was being used by the host for its own network connectivity, the host networking would be adversely affected, possibly completely disabled, whenever the guest was shut down, or when the guest's network device was detached. The underlying source code has been modified to fix this bug and the PF associated with the VF used by the macvtap driver now continues to work in the described scenario.
BZ#856247
Red Hat Enterprise Linux 6.3 implemented the block copy feature before the upstream version of QEMU. Since then, several improvements were made to the upstream version of this feature. Consequently, previous versions of the libvirt library were unable to fully manage the block copy feature in the current release of QEMU. With this update, the block copy feature has been updated to upstream versions of QEMU and libvirt. As a result, libvirt is able to manage all versions of the block copy feature.
BZ#856864
Previously, libvirt put the default USB controller into the XML configuration file during the live migration to Red Hat Enterprise Linux 6.1 hosts. These hosts did not support USB controllers in the XML file. Consequently, live migration to these hosts failed. This update prevents libvirt from including the default USB controller in the XML configuration file during live migration and live migration works properly in the described scenario.
BZ#856950
When a QEMU process is being destroyed by libvirt, a clean-up operation frees some internal structures and locks. However, since users can destroy QEMU processes at the same time, libvirt holds the QEMU driver mutex to protect the list of domains and their states, among other things. Previously, a function tried to lock up the QEMU driver mutex when it was already locked, creating a deadlock. The code has been modified to always check if the mutex is free before attempting to lock it up, thus fixing this bug.
BZ#858204
When the host_uuid option was present in the libvirtd.conf file, the augeas libvirt lens was unable to parse the file. This bug has been fixed and the augeas libvirt lens now parses libvirtd.conf as expected in the described scenario.
BZ#862515
Previously, handling of duplicate MAC addresses differed between live attach or detach, and persistent attach or detach of network devices. Consequently, the persistent attach-interface of a device with a MAC address that matches an existing device could fail, even though the live attach-interface of such a device succeeded. This behavior was inconsistent, and sometimes led to an incorrect device being detached from the guest. With this update, libvirt has been modified to allow duplicate MAC addresses in all cases and to check a unique PCI address in order to distinguish between multiple devices with the same MAC address.
BZ#863115
Previously, libvirt called the qemu-kvm -help command every time it started a guest to learn what features were available for use in QEMU. On a machine with a number of guests, this behavior caused noticeable delays in starting all of the guests. This update modifies libvirt to cache information about QEMU until the QEMU time stamp is changed. As a result, libvirt is faster when starting a machine with various guests.
BZ#865670
Previously, the ESX 5.1 server was not fully tested. Consequently, connecting to ESX 5.1 caused a warning to be returned. The ESX 5.1 server has been properly tested and connecting to this server now works as expected.
BZ#866369
Under certain circumstances, the iohelper process failed to write data to disk while saving a domain and kernel did not report an out-of-space error (ENOSPC). With this update, libvirt calls the fdatasync() function in the described scenario to force the data to be written to disk or catch a write error. As a result, if a write error occurs, it is now properly caught and reported.
BZ#866388
Certain operations in libvirt can be done only when a domain is paused to prevent data corruption. However, if a resuming operation failed, the management application was not notified since no event was sent. This update introduces the VIR_DOMAIN_EVENT_SUSPENDED_API_ERROR event and management applications can now keep closer track of domain states and act accordingly.
BZ#866999
When libvirt could not find a suitable CPU model for a host CPU, it failed to provide the CPU topology in host capabilities even though the topology was detected correctly. Consequently, applications that work with the host CPU topology but not with the CPU model could not see the topology in host capabilities. With this update, the host capabilities XML description contains the host CPU topology even if the host CPU model is unknown.
BZ#869096
Previously, libvirt supported the emulatorpin option to set the CPU affinity for a QEMU domain process. However, this behavior overrode the CPU affinity set by the vcpu placement="auto" setting when creating a cgroup hierarchy for the domain process. This CPU affinity is set with the advisory nodeset from the numad daemon. With this update, libvirt does not allow emulatorpin option to change the CPU affinity of a domain process if the vcpu placement setting is set to auto. As a result, the numad daemon is supported as expected.
BZ#873792
The libvirt library allows users to cancel an ongoing migration. Previously, if an attempt to cancel the migration was made in the migration preparation phase, QEMU missed the request and the migration was not canceled. With this update, the virDomainAbortJob() function sets a flag when a cancel request is made and this flag is checked before the main phase of the migration starts. As a result, a migration can now be properly canceled even in the preparation phase.
BZ#874050
Certain AMD processors contain modules which are reported by the kernel as both threads and cores. Previously, the libvirt processor topology detection code was not able to detect these modules. Consequently, libvirt reported the actual number of processors twice. This bug has been fixed by reporting a topology that adds up to the total number of processors reported in the system. However, the actual topology has to be checked in the output of the virCapabilities() function. Additionally, documentation for the fallback output has been provided.

Note

Users should be instructed to use the capability output for topology detection, for performance reasons. The NUMA topology has an important impact on performance, but the physical topology can differ from it.
BZ#879780
Due to changes in the virStorageBackendLogicalCreateVol() function, the setting of the volume type was removed. Consequently, logical volumes were treated as files without any format and libvirt was unable to clone them. This update provides a patch to set the volume type and libvirt clones logical volumes as expected.
BZ#880919
When a saved file could not be opened, the virFileWrapperFdCatchError() function was called with a NULL argument. Consequently, the libvirtd daemon terminated unexpectedly due to a NULL pointer dereference. With this update, the virFileWrapperFdCatchError() function is called only when the file is open and instead of crashing, the daemon now reports an error.
BZ#884650
Whenever the virDomainGetXMLDesc() function was executed on an unresponsive domain, the call also became unresponsive. With this update, QEMU sends the BALLOON_CHANGE event when memory usage on a domain changes so that virDomainGetXMLDesc() no longer has to query an unresponsive domain. As a result, virDomainGetXMLDesc() calls no longer hang in the described scenario.

Enhancements

BZ#638512
This update adds support for external live snapshots of disks and RAM.
BZ#693884
Previously, libvirt could apply packet filters, among others the anti-spoofing filter, to guest network connections using the nwfilter subsystem. However, these filter rules required manually entering the IP address of a guest into the guest configuration. This process was not effective when guests acquired their IP addresses via the DHCP protocol; the network needed a manually added static host entry for each guest and the guest's network interface definition needed that same IP address to be added to its filters. This enhancement improves libvirt to automatically learn IP and MAC addresses used by a guest network connection by monitoring the connection's DHCP and ARP traffic in order to set up host-based guest-specific packet filtering rules that block traffic with incorrect IP or MAC addresses from the guests. With this new feature, nwfilter packet filters can be written to use automatically detected IP and MAC addresses, which simplifies the process of provisioning a guest.
BZ#724893
When the guest CPU definition is not supported due to the user's special configuration, an error message is returned. This enhancement improves this error message to contain flags that indicate precisely which options of the user's configuration are not supported.
BZ#771424
The Resident Set Size (RSS) limits control how much RAM a process can use. If a process leaks memory, the limits do not let the process influence other processes within the system. With this update, the RSS limits of a QEMU process are set by default according to how much RAM and video RAM is configured for the domain.
BZ#772088
Previously, the libvirt library could create block snapshots, but could not clean them up. For a long-running guest, creating a large number of snapshots led to performance issues as the QEMU process emulator had to traverse longer chains of backing images. This enhancement improves the libvirt library to control the feature of the QEMU process emulator which is responsible for committing the changes in a snapshot image back into the backing file and the backing chain is now kept at a more manageable length.
BZ#772290
Previously, the automatically allocated ports for the SPICE and VNC protocols started on the port number 5900. With this update, the starting port for SPICE and VNC is configurable by users.
BZ#789327
The QEMU guest and the media of a CD-ROM or floppy drive could be suspended or resumed inside the guest directly instead of using the libvirt API. This enhancement improves the libvirt library to support three new events of the QEMU Monitor Protocol (QMP): the SUSPEND, WAKEUP, and DEVICE_TRAY_MOVED event. These events let a management application know that the guest status or the tray status has been changed:
  • when the SUSPEND event is emitted, the domain status is changed to pmsuspended;
  • when the WAKEUP event is emitted, the domain status is changed to running;
  • when the DEVICE_TRAY_MOVED event is emitted for a disk device, the current tray status for the disk is reflected to the libvirt XML file, so that management applications do not start the guest with the medium inserted while the medium has been previously ejected inside the guest.
BZ#804749
The QEMU process emulator now supports TSC-Deadline timer mode for guests that are running on the Intel 64 architecture. This enhancement improves the libvirt library with this feature's flag to stay synchronized with QEMU.
BZ#805071
Previously, it was impossible to move a guest's network connection to a different network without stopping the guest. In order to change the connection, the network needed to be completely detached from the guest and then re-attached after changing the configuration to specify the new connection. With this update, it is now possible to change a guest's interface definition to specify a different type of interface, and to change the network or bridge name or both, all without stopping or pausing the guest or detaching its network device. From the point of view of the guest, the network remains available during the entire transition; if the move requires a new IP address, that can be handled by changing the configuration on the guest, or by requesting that it renews its DHCP lease.
BZ#805243
When connecting to the libvirt library, a certain form of authentication could be required and if so, interactive prompts were presented to the user. However, in certain cases, the interactive prompts cannot be used, for example when automating background processes. This enhancement improves libvirt to use the auth.conf file located in the $HOME/.libvirt/ directory to supply authentication credentials for connections. As a result, these credentials are pre-populated, thus avoiding the interactive prompts.
BZ#805654
This enhancement improves libvirt to support connection of virtual guest network devices to Open vSwitch bridges, which provides a more fully-featured replacement for the standard Linux Host Bridge. Among other features, Open vSwitch bridges allow setting more connections to a single bridge, transparent VLAN tagging, and better management using the Open Flow standard. As a result, libvirt is now able to use an already existing Open vSwitch bridge, either directly in the interface definition of a guest, or as a bridge in a libvirt network. Management of the bridge must be handled outside the scope of libvirt, but guest network devices can be attached and detached, and VLAN tags and interface IDs can be assigned on a per-port basis.
BZ#818996
Certain users prefer to run minimal configurations for server systems and do not need graphical or USB support. This enhancement provides a new feature that allows users to disable USB and graphic controllers in guest machines.
BZ#820808, BZ#826325
With this enhancement, the virsh dump command is now supported for domains with passthrough devices. As a result, these domains can be dumped with an additional --memory-only option.
BZ#822064
The libvirt library has already supported pinning and limiting QEMU threads associated with virtual CPUs, but other threads, such as the I/O thread, could not be pinned and limited separately. This enhancement improves libvirt to support pinning and limiting of both CPU threads and other emulator threads separately.
BZ#822589
This enhancement improves the libvirt library to be able to configure Discretionary Access Control (DAC) for each domain, so that certain domains can access different resources.
BZ#822601
Previously, only the system instance of the libvirtd daemon, that is the one that is running as the root user, could set up a guest network connection using a tap device and host bridge. A session instance, that is the one that is running as a non-root user, was only able to use QEMU's limited user mode networking. User mode network connections have several limitations; for example, they do not allow incoming connections, or ping in either direction, and are slower than a tap-device based network connection. With this enhancement, libvirt has been updated to support QEMU's new SUID network helper, so that non-privileged libvirt users are able to create guest network connections using tap devices and host bridges. Users who require this behavior need to set the interface type to bridge in the virtual machine's configuration; libvirtd then automatically notices that it is running as a non-privileged user, and notifies QEMU to set up the network connection using its network helper.

Note

This feature is only supported when the interface type is bridge, and does not work with the network interface type even if the specified network uses a bridge device.
BZ#822641
Previously, core dumps for domains with a large amount of memory were unnecessarily huge. With this update, a new dumpCore option has been added to control whether guest's memory should be included in a core dump. When this option is set to off, core dumps are reduced by the size of the guest's memory.
BZ#831099
This enhancement allows the libvirt library to set the World Wide Name (WWN), which provides stable device paths, for IDE and SCSI disks.
BZ#836462
This enhancement adds the possibility to control the advertising of S3 (Suspend-to-RAM) and S4 (Suspend-to-Disk) domain states to a guest. As a result, supported versions of QEMU can be configured to not advertise its S3 or S4 capability to a guest.
BZ#838127
With this update, support for the AMD Opteron G5 processor model has been added to the libvirt library. This change allows the user to utilize the full potential of new features, such as 16c, fma, and tbm.
BZ#843087
This enhancement adds support for the next generation Intel Core and Intel Xeon processors to the libvirt library. The next generation supports the following features: fma, pcid, movbe, fsgsbase, bmi1, hle, avx2, smep, bmi2, erms, invpcid, and rtm, compared to the previous Intel Xeon Processor E5-XXXX and Intel Xeon Processor E5-XXXX V2 family of processors.
BZ#844404
When changing the configuration of a libvirt virtual network, it was necessary to restart the network for these changes to take effect. This enhancement adds a new virsh net-update command that allows certain parts of a network configuration to be modified, and the changes to be applied immediately without requiring a restart of the network and disconnecting of guests. As a result, it is now possible to add static host entries to and remove them from a network's dhcp section; change the range of IP addresses dynamically assigned by the DHCP server; modify, add, and remove portgroup elements; and add and remove interfaces from a forward element's pool of interfaces, all without restarting the network. Refer to the virsh(1) man page for more details about the virsh net-update command.
BZ#860570
With this enhancement, the virsh program supports the --help option for all its commands and displays appropriate documentation.
BZ#864606
With this enhancement, the libvirt library can now control the hv_relaxed feature. This feature makes a Windows guest more tolerant to long periods of inactivity.
BZ#874171
The current release of the libvirt library added several capabilities related to snapshots. Among these was the ability to create an external snapshot, whether the domain was running or was offline. Consequently, it was also necessary to improve the user interface to support those features in the virsh program. With this update, these snapshot-related improvements were added to virsh to provide full support of these features.
BZ#878578
For security reasons, certain SCSI commands were blocked in a virtual machine. This behavior was related to applications where logical unit numbers (LUNs) of SCSI disks were passed to trusted guests. This enhancement improves libvirt to support a new sgio attribute. Setting this attribute to unfiltered allows trusted guests to invoke all supported SCSI commands.
All users of libvirt are advised to upgrade to these updated packages, which fix these issues and add these enhancements. After installing the updated packages, the libvirtd daemon must be restarted using the service libvirtd restart command for this update to take effect.

6.128. libwacom

Updated libwacom packages that add one enhancement are now available for Red Hat Enterprise Linux 6.
The libwacom packages contain a library that provides access to a tablet model database. The libwacom packages expose the contents of this database to applications, allowing for tablet-specific user interfaces. The libwacom packages allow the GNOME tools to automatically configure screen mappings and calibrations, and provide device-specific configurations.

Enhancement

BZ#857073
Previously, the Wacom Cintiq 22HD graphics tablet was not supported by the libwacom library. Consequently, this specific type of graphics tablet was not recognized by the system. This update adds the support for Wacom Cintiq 22HD, which can be now used without complications.
All users of libwacom are advised to upgrade to these updated packages, which add this enhancement.

6.129. lldpad

Updated lldpad packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The lldpad packages provide the Linux user space daemon and configuration tool for Intel's Link Layer Discovery Protocol (LLDP) agent with Enhanced Ethernet support.

Upgrade to an upstream version

The lldpad packages have been upgraded to upstream version 0.9.45, which provides a number of bug fixes and enhancements over the previous version. In particular, a new subpackage, lldpad-libs, has been introduced. It contains the liblldp_clif shared library which provides an easy way for applications to talk to the LLDPAD daemon (lldpad). (BZ#819938)

Bug Fixes

BZ#818598
Previously, LLDPAD did not listen to multicast MAC addresses. Consequently, it could not gather information from locally connected bridges and lldptool displayed the wrong information. A patch has been applied to enable monitoring of broadcast MAC addresses and users can now display the correct information about locally connected bridges.
BZ#824188
Previously, dcbtool commands could, under certain circumstances, fail to enable the Fibre Channel over Ethernet (FCoE) application type-length-values (TLV) for a selected interface during the installation process. Consequently, various important features (for example priority flow control, or PFC) might not have been enabled by the Data Center Bridging Exchange (DCBX) peer. To prevent such problems, application-specific parameters (such as the FCoE application TLV) in DCBX are now enabled by default.
BZ#829857
Previously, an error in the DCBX (Data Center Bridging Exchange) version selection logic could cause LLDPDUs (Link Layer Discovery Protocol Data Units) not to be encoded in the TLV (Type-Length Value) format during the transition from IEEE DCBX to the legacy DCBX mode. Consequently, link flaps, a delay, or a failure in synchronizing DCBX between the host and a peer device could occur. In the case of booting from a remote FCoE (Fibre-Channel Over Ethernet) LUN (Logical Unit Number), this bug could result in a failure to boot. This update fixes the bug and TLV is now always used in the described scenario.
BZ#870576
When none of the user priority attributes were PFC (Priority-based Flow Control) enabled, attempting to query the currently configured LocalAdminParam values for the "enabled" parameter produced the message "End of LLDPDU TLV". An upstream patch has been applied and now the lldptool utility returns "none" as expected in the scenario described.
BZ#870578
Previously, when a peer removed a TLV (ETS, PFC, or APP) the 802.1Qaz module did not update the local MIB. Consequently, this resulted in the old peer data persisting even though it was no longer in the received PDU. This update resolves the problem by clearing the local MIB even in the case of a NULL PTR indicating that no MIB was received. As a result, the operational status for PFC reverts to the localAdminParams settings as expected in the scenario described.

Enhancement

BZ#738897
This update adds support for the IEEE 802.1Qbg standard over bonded interfaces. Users can now take full advantage of 802.1Qbg capabilities.
All users of lldpad are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.130. lm_sensors

Updated lm_sensors packages that fix three bugs are now available for Red Hat Enterprise Linux 6.
The lm_sensors packages provide a set of modules for general SMBus access and hardware monitoring.

Bug Fixes

BZ#610000, BZ#623587
Prior to this update, the sensors-detect script did not detect all GenuineIntel CPUs. As a consequence, lm_sensors did not load the coretemp module automatically. This update uses a more generic detection for Intel CPUs. Now, the coretemp module is loaded as expected.
BZ#768365
Prior to this update, the sensors-detect script reported an error when running without user-defined input. This behavior had no impact on the function but could confuse users. This update modifies the underlying code to allow for the sensors-detect script to run without user.
All users of lm_sensors are advised to upgrade to these updated packages, which fix these bugs.

6.131. logrotate

Updated logrotate packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The logrotate utility simplifies the administration of multiple log files, allowing the automatic rotation, compression, removal, and mailing of log files.

Bug Fix

BZ#827570
Attempting to send a file to a specific e-mail address failed if the "mailfirst" and "delaycompress" options were used at the same time. This was because logrotate searched for a file with the "gz" suffix, however the file had not yet been compressed. The underlying source code has been modified, and logrotate correctly finds and sends the file under these circumstances.
All users of logrotate are advised to upgrade to these updated packages, which fix this bug.

6.132. lohit-telugu-fonts

An updated lohit-telugu-fonts package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The lohit-telugu-fonts package provides a free Telugu TrueType/OpenType font.

Bug Fix

BZ#640610
Due to a bug in the lohit-telugu-fonts package, four syllables rendered incorrectly. This bug has been fixed and these syllables now render correctly.
All users of lohit-telugu-fonts are advised to upgrade to this updated package, which fixes this bug.

6.133. luci

Updated luci packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The luci packages contain a web-based high-availability cluster configuration application.

Bug Fixes

BZ#807344
Previously, resource and service names in the /etc/cluster/cluster.conf configuration file that contained non-standard characters, like hash (#), question mark (?), or slash (/), were not properly handled by the luci application. Consequently, when processing such a configuration file, luci failed with the following message:
Error 500
We're sorry but we weren't able to process this request.
This bug has been fixed, and luci now handles resources and services whose names contain the aforementioned characters without complications.
BZ#815666
When the fence instance was configured with the delay attribute in the /etc/cluster/cluster.conf file, the luci application ignored the subsequently enabled unfence instance that was configured without the delay attribute. The unfence status was incorrectly displayed as disabled in the luci interface, but unfencing was performed without complications. With this update, the underlying source code has been modified to address this issue. As a result, unfence is now properly reported in luci.
BZ#826951
Previously, it was possible to create a fencing device with an invalid name (starting with a number) using the luci application. The device was successfully created, but the /etc/cluster/cluster.conf file did not pass the schema validation check. The bug has been fixed, and a warning message is now displayed to prevent users from setting invalid device names in the /etc/cluster/cluster.conf file.
BZ#853151
Previously, certain errors related to the communication between the luci and ricci applications could have been dropped without notification to the user. Also, the following message could occur in the /var/log/luci/luci.log file:
No object (name: translator) has been registered for this thread
With this update, this behavior has been modified and the described errors are now properly written to the log file.
BZ#856253
Prior to this update, a double click on the Connect button in the Add Existing Cluster dialog window led to listing the cluster twice. With this update, the underlying source code has been modified to address this issue, and the cluster is now listed only once regardless of how many times the Connect button was pressed.
BZ#860042
Previously, when attempting to create a service that referenced the same global resource twice, the luci application terminated unexpectedly with the following message:
A resource named "<name>" already exists
This bug has been fixed, and luci now accepts multiple references inside a service group.
BZ#877188
Previously, the luci application allowed the max_restarts, __max_restarts, and __max_failures variables to be set without setting their corresponding timeout variables (restart_expire_time, __restart_expire_time, __failure_expire_time), and in the opposite way. This behavior has been changed, and an error is now issued in case the corresponding variables are not set.
BZ#877392
When the self_fence property was enabled using the luci interface, the corresponding entry in the /etc/cluster/cluster.conf file was written incorrectly. A value was assigned in the form of self_fence="on" instead of self_fence="1" or self_fence="yes". Consequently, fencing actions failed. The bug has been fixed, and self_fence is now assigned with the correct value. As a result, fencing now works properly when enabled with luci.
BZ#881796
Certain previous versions of Microsoft Internet Explorer incorrectly processed JavaScript files containing trailing commas. Consequently, several dialog windows of the luci interface were affected. With this update, the trailing commas have been removed from luci JavaScript files to ensure proper luci functionality in older versions of Microsoft Internet Explorer.
BZ#881955
Prior to this update, resource and service attributes that accept boolean input did not use consistent values to denote enabled or disabled status. The accepted values were: 1 or 0, on or off, yes or no, true or false. With this update, only the values 1 or 0 are accepted in attributes that use boolean input.
BZ#882995
Previously, after renaming a fencing device with an enabled unfence option, this unfence instance was not updated with the new name and referred to a non-existent device. This bug has been fixed, and an unfence reference is now correctly updated when a fencing device is renamed.
BZ#886678
Prior to this update, the luci resource template searched for the oracletype attribute instead of type when processing the /etc/cluster/cluster.conf file. Consequently, the oracledb attribute was always displayed as Default in the luci interface, regardless of its actual assigned value. This bug has been fixed, and oracletype type is now correctly displayed by luci.

Enhancements

BZ#740867
With this update, support for the IBM iPDU fence device has been added to the luci application.
BZ#809892
With this update, a new user table has been added to the Admin/User and Permissions pages of the luci interface. It is now possible to remove users from luci.
BZ#821928
With this update, support for configuring the privlvl (privilege level) attribute used by the fence_ipmilan fencing agent has been added to the luci application. As a result, privlvl can now be successfully configured by luci.
BZ#822502
With this update, support for the nfsrestart option for the file system and cluster file system resource agents has been added to the luci application. This option provides a way to forcefully restart NFS servers and allow a clean unmount of an exported file system.
BZ#865300
This update adds the fence_eaton agent, which supports Eaton ePDU (Enclosure Power Distribution Unit) devices in Red Hat Enterprise Linux 6, to the luci package.
BZ#865533
With this update, an interface for configuring and displaying the fence_hpblade fence devices has been added to the luci application.
Users of luci are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.134. lvm2

Updated lvm2 packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The lvm2 packages provide support for Logical Volume Management (LVM).

Bug fixes

BZ#837927
When creating a RAID Logical Volume, if the --regionsize(-R) option (used with the lvcreate command) was not specified, LVs larger than 2 TB could not be created or extended. Consequently, creating or extending such volumes caused errors. With this update, the region size is automatically adjusted upon creation or extension and large LVs can now be created.
BZ#834703
Extending a RAID 4/5/6 Logical Volume failed to work properly because the parity devices were not properly accounted for. This has been corrected by covering the "simple" case where the LV is extended with the same number of stripes as the original (reducing or extending a RAID 4/5/6 LV with different number of stripes is not implemented yet). As a result, it is now possible to extend a RAID 4/5/6 Logical Volume.
BZ#832392
When the issue_discards=1 configuration option was used or configured in the /etc/lvm/lvm.conf file, moving Physical Volumes via the pvmove command resulted in data loss. The problem has been fixed with this update.
BZ#713599, BZ#800801
Device-mapper devices (including LVM devices) were not deactivated at system shutdown or reboot. Consequently, when device-mapper devices were layered on the top of other block devices and these were detached during the shutdown or reboot procedure, any further access to the device-mapper devices ended up with either I/O errors or an unresponsive system as the underlying devices were unreachable (for example iSCSI or FCoE devices). With this update, a new blkdeactivate script along with blk-availability shutdown script have been provided. These scripts unmount and deactivate any existing device-mapper devices before deactivating and detaching the underlying devices on shutdown or reboot. As a result, there are no I/O errors or hangs if using attached storage that detaches itself during the shutdown or reboot procedure.
BZ#619574
An LVM mirror can be created with three different types of log devices: core (in-memory), disk, and mirrored. The mirrored log is itself redundant and resides on two different Physical Volumes. Previously, if both devices composing the mirror log were lost, they were not always properly replaced during repair, even if spare devices existed. With this update, a mirrored log is properly replaced with a mirrored log if there are sufficient replacement PVs.
BZ#832120, BZ#743505
A mirror Logical Volume can itself have a mirrored log device. When a device in an image of the mirror and its log failed at the same time, it was possible for unexpected I/O errors to appear on the mirror LV. The kernel did not absorb the I/O errors from the failed device by relying on the remaining device. This bug then caused file systems built on the device to respond to the I/O errors (turn read-only in the case of the ext3/4 file systems). The cause was found to be that the mirror was not suspended for repair using the noflush flag. This flag allows the kernel to re-queue I/O requests that need to be retried. Because the kernel was not allowed to re-queue the requests, it had no choice but to return the I/O as errored. This bug has been corrected by allowing the log to be repaired first, thus, the top-level mirror's log can be completed successfully. As a result, the mirror is now properly suspended with the noflush flag.
BZ#803271
When using the lvmetad daemon (global/use_lvmetad=1 LVM2 configuration option) while processing LVM2 commands in a cluster environment (global/locking_type=3), the LVM2 commands did not work correctly and issued various error messages. With this update, if clustered locking is set, the lvmetad daemon is disabled automatically as this configuration is not yet supported with LVM2. As a result, there is now a fallback to non-lvmetad operation in LVM2, if clustered locking is used and a warning message is issued:
WARNING: configuration setting the use_lvmetad parameter overriden to 0 due to the locking_type 3 parameter. Clustered environment is not supported by the lvmetad daemon yet.
BZ#855180
When the user tried to convert a thin snapshot volume into a read-only volume, internal error messages were displayed and the operation failed. With this update, thin snapshot volumes can be converted to read-only mode. Also, for the conversion of the thin pool to read-only mode, an explicit error message about an unsupported feature has been added.
BZ#801571
Previously, if a device failed while a RAID Logical Volume was not in-sync, any attempts to fix it failed. This case is now handled, however the following limitations are to be noted:
  1. The user cannot repair or replace devices in a RAID Logical Volume that is not active. The tool (the lvconvert --repair command) must know the sync status of the array and can only get that when the array is active.
  2. The user cannot replace a device in a RAID Logical Volume that has not completed its initial synchronization. Doing so would produce unpredictable results and is therefore disallowed.
  3. The user can repair a RAID Logical Volume that has not completed its initial synchronization, but some data may not be recoverable because it had not had time to make that data fully redundant. In this case, a warning is printed and the user is queried if they would like to proceed.
BZ#871058
A race condition in the lvmetad daemon occasionally caused LVM commands to fail intermittently, failing to find a VG that was being updated at the same time by another command. With this update, the race condition no longer occurs.
BZ#857554
If the issue_discards option was enabled in the configuration file and the lvremove command ran against a partial Logical Volume where Physical Volumes were missing, the lvremove command terminated unexpectedly. This bug has been fixed. Also, the new p attribute in the lvs command output is set when the Logical Volume is partial.
BZ#820116
Previously, when a Volume Group contained a Physical Volume with zero Physical Extents (PEs), that is, a Physical Volume used to store metadata only, the vgcfgrestore command failed with a "Floating point exception" error, because the command attempted to divide by zero. A proper check for this condition has been added to prevent the error and now, after using the vgcfgrestore command, VG metadata is successfully written.
BZ#820229
Previously, when attempting to rename thin Logical Volumes, the procedure failed with the following error message:
"lvrename Cannot rename <volume_name>: name format not recognized for internal LV <pool_name>"
This bug is now fixed and the user can successfully rename thin Logical Volumes.
BZ#843546
Previously, it was not possible to add a Physical Volume to a Volume Group if a device failure occurred in a RAID Logical Volume and there were no spare devices in the VG. Therefore users could not replace the failed devices in a RAID LV and the VG could not be made consistent without physically editing LVM metadata. It is now possible to add a PV to a VG with missing or failed devices and to replace failed devices in a RAID LV with the lvconvert --repair <vg>/<LV> command.
BZ#855398
An improper restriction placed on mirror Logical Volumes caused them to be ignored during activation. Users were unable to create Volume Groups on top of clustered mirror LV and could not recursively stack cluster VG. The restriction has been refined to pass over mirrors that cause LVM commands to block indefinitely and it is now possible to layer clustered VG on clustered mirror LV.
BZ#865035
When a device was missing from a Volume Group or Logical Volume, tags could not be added or removed from the LV. If the activation of an LV was based on tagging using the volume_list parameter in the configuration file (lvm.conf), the LV could not be activated. This affected High Availability LVM (HA-LVM) and without the ability to add or remove tags while a device was missing, RAID LVs in HA-LVM configuration could not be used. This update allows vgchange and lvchange to alter the LVM metadata for a limited set of options while PVs are missing. The --[add|del]tag options are included, and the set of allowable options does not cause changes to the device-mapper kernel target and does not alter the structure of the LV.
BZ#845269
When an LVM command encountered a response problem with the lvmetad daemon, the command could cause the system to terminate unexpectedly with a segmentation fault. Currently, LVM commands work properly with lvmetad and crashes no longer occur even if there is a malformed response from lvmetad.
BZ#823918
A running LVM process could not switch between the lvmetad daemon and non-lvmetad modes of operation and this caused the LVM process to terminate unexpectedly with a segmentation fault when polling for the result of running lvconvert operation. With this update, the segmentation fault no longer occurs.
BZ#730289
The clvmd daemon consumed a lot of memory to process every request. Each request invoked a thread, and by default each thread allocated approximately 9 MB of RAM for its stack. To fix this bug, the default thread stack size has been reduced to 128 KB, which is enough for the current version of LVM to handle all tasks. This leads to a massive reduction of the memory used during runtime by the clvmd daemon.
BZ#869254
Previously, disabling the udev synchronisation caused udev verification to be constantly enabled, ignoring the actual user-defined setting. Consequently, libdevmapper/LVM2 incorrectly bypassed udev when processing relevant nodes. The libdevmapper library has been fixed to honor the actual user's settings for udev verification. As a result, udev works correctly even in case the udev verification and udev synchronization are disabled at the same time.
BZ#832033
Previously, when using the lvmetad daemon, passing the --test argument to commands occasionally caused inconsistencies in the lvmetad cache that lvmetad maintains. Consequently, disk corruption occurred when shared disks were involved. An upstream patch has been applied to fix this bug.
BZ#870248
Due to a missing dependency on the device-mapper-persistent-data package, thin pool devices were not monitored on activation. Consequently, unmonitored pools could overfill the configured threshold. To fix this bug, the code path for enabling monitoring of thin pools has been fixed and the missing package dependency added. As a result, when monitoring for thin pool is configured, the dmeventd daemon is enabled to watch for pool overfill.
BZ#836653
A failed attempt to reduce the size of a Logical Volume was sometimes not detected and the lvremove command exited successfully even though it had failed to operate the LV. With this update, lvremove returns the right exit code in the described scenario.
BZ#836663
When using a Physical Volume (PV) that contained ignored metadata areas, an LVM command, such as pvs, could incorrectly display the PV as being an orphan due to the order of processing individual PV in the VG. With this update, the processing of PVs in a VG has been fixed to properly account for PVs with ignored metadata areas so that the order of processing is no longer important, and LVM commands now always give the same correct result, regardless of PVs with ignored metadata areas.
BZ#837599
Issuing the vgscan --cache command (to refresh the lvmetad daemon) did not remove data about Physical Volumes or Volume Groups that no longer existed — it only updated metadata of existing entities. With this update, the vgscan --cache command removes all metadata that are no longer relevant.
BZ#862253
When there were numerous parallel LVM commands running, the lvmetad daemon could deadlock and cause other LVM commands to stop responding. This behavior was caused by a race condition in lvmetad's multi-threaded code. The code has been improved and now the parallel commands succeed and no deadlocks occur.
BZ#839811
Previously, the first attribute flag was incorrectly set to S when an invalid snapshot occurred, whereas this value in the first position is supposed to indicate a merging snapshot. Invalid snapshot is normally indicated by capitalizing the fifth Logical Volume attribute character. This bug has been fixed and the lvs utility no longer capitalizes the first LV attribute character for invalid snapshots but the fifth, as required.
BZ#842019
Previously, it was possible to specify incorrect arguments when creating a RAID Logical Volume, which could harmfully affect the created device. These inappropriate arguments are no longer allowed.
BZ#839796
Due to incorrect handling of sub-Logical-Volumes (LVs), the pvmove utility was inconsistent and returned a misleading message for RAID. To fix this bug, pvmove has been disallowed from operating on RAID LVs. Now, if it is necessary to move a RAID LV's components from one device to another, the lvconvert --replace <old_pv> <vg>/<lv> <new_pv> command is used.
BZ#836381
The kernel does not allow adding images to a RAID Logical Volume while the array is not synchronized. Previously, the LVM RAID code did not check whether the LV was synchronized. As a consequence, an invalid request could be issued, which caused errors. With this update, the aforementioned condition is checked and the user is now informed that the operation cannot take place until the array is synchronized.
BZ#855171, BZ#855179
Prior to this update, the conversion of a thin pool into a mirror resulted in an aborting error message. As this conversion is not supported, an explicit check which prohibits this conversion before the lvm utility attempts to perform it has been added. Now, an explicit error message states that the feature is not supported.
BZ#822248
Prior to this update, RAID Logical Volumes could become corrupted if they were activated in a clustered Volume Group. To fix this bug, a VG is no longer allowed to be changed to a clustered VG if there are RAID LVs in a VG.
BZ#822243
Previously, it was possible to create RAID Logical Volumes in a clustered Volume Group. As RAID LVs are not cluster capable and activating them in a cluster could cause data damage, the ability to create RAID LVs in a cluster has been disabled.
BZ#821007
Previously, if no last segment on a pre-existing Logical Volume was defined, the normal cling allocation policy was applied and an LV could be successfully created or extended even though there was not enough space on a single Physical Volume and no additional PV was defined in the lvm.conf file. This update corrects the behavior of the cling allocation policy and any attempts to create or extend an LV under these circumstances now fail as expected.
BZ#814782
The interaction of LVM filters and lvmetad could have led to unexpected and undesirable results. Also, updates to the "filter" settings while the lvmetad daemon was running did not force lvmetad to forget the devices forbidden by the filter. Since the normal "filter" setting in the lvm.conf file is often used on the command line, a new option has been added to lvm.conf (global_filter) which also applies to lvmetad. The traditional "filter" setting applies only at the command level and does not affect device visibility to lvmetad. The options are documented in more detail in the example configuration file.
BZ#814777
Prior to this update, the lvrename utility did not work with thin provisioning (pool, metadata, or snapshots) correctly. This bug has been fixed by implementing full support for stacked devices. Now, lvrename handles all types of thin Logical Volumes as expected.
BZ#861456
When creating a Logical Volume using the lvcreate command with the --thinpool and --mirror options, the thinpool flag was ignored and a regular Logical Volume was created. With this update, use of the --thinpool option with the --mirror option is no longer allowed and the lvcreate command fails with a proper error message under these circumstances.
BZ#861841
Previously, the lvm_percent_to_float() function declared in the lvm2app.h header file did not have an implementation in the lvm2app library. Any program, which tried to use this function, failed at linking time. A patch for lvm2app.h has been applied to fix this bug and lvm_percent_to_float() now works as expected.
BZ#813766
Prior to this update, the LVM utilities returned spurious warning messages during the boot process, if the use_lvmetad = 1 option was set in the lvm.conf file. This has been fixed and warning messages are no longer issued during boot.
BZ#862095
Due to the unimplemented <data_percent> property for the lvm2app library, an incorrect value of -1 was returned for thin volumes. This bug has been fixed by adding proper support for the lvm_lv_get_property(lv, <data_percent>) function. Now, lvm2app returns correct values.
BZ#870534
Due to a wrong initialization sequence, running an LVM command caused the LVM utility to abort instead of proceeding with scanning-based metadata discovery (requested by using the --config "global{use_lvmetad=0}" option). This bug occurred only when an LVM command was run with the lvmetad cache daemon running. The bug has been fixed and LVM no longer aborts.
BZ#863401
Previously, the pvscan --cache command failed to read part of LVM1 metadata. As a consequence, when using LVM1 (legacy) metadata and the lvmetad daemon together, LVM commands could run into infinite loops when invoked. This bug has been fixed and LVM1 and lvmetad now work together as expected.
BZ#863881
Due to the missing lvm2app library support, incorrect values for thin snapshots origin field were reported. A patch has been updated to return the correct response to the lvm_lv_get_property(lv, "origin") function.
BZ#865850
Previously, the degree to which RAID 4/5/6 Logical Volumes had completed their initial array synchronization (i.e. initial parity calculations) was not printed in the lvs command output. This information is now included under the heading that has been changed from Copy% to Cpy%Sync. Users can now request the Cpy%Sync information directly via lvs with either the lvs -o copy_percent or the lvs -o sync_percent option.
BZ#644752
Previously, when using Physical Volumes, the exclusive lock was held to prevent other PV commands from running concurrently in case any Volume Group metadata needed to be read in addition. This is no longer necessary when using lvmetad, because lvmetad caches VG metadata and thus avoids taking the exclusive lock. As a consequence, numerous PV commands reading VG metadata can be run in parallel without the need for the exclusive lock.
BZ#833180
Attempting to convert a linear Logical Volume to a RAID 4/5/6 Logical Volume is not allowed. When the user tried to execute this operation, a message indicating that the original LV had been striped instead of linear, was returned. The messages have been updated to provide correct information and only messages with correct and relevant content are now returned under these circumstances.
BZ#837114
Previously, an attempt to test the create command of a RAID Logical Volume resulted in failure even though the process itself succeeded without the --test argument of the command. With this update, a test run of the create command now properly indicates success if the command is successful.
BZ#837098
Previously, a user-instantiated resynchronization of a RAID Logical Volume failed to cause the RAID LV to perform the actual resynchronization. This bug has been fixed and the LV now performs the resynchronization as expected.
BZ#837093
When a RAID or mirror Logical Volume is created with the --nosync option, an attribute with this information is attached to the LV. Previously, a RAID1 LV did not clear this attribute when the LV was converted to a linear LV and back, even though it underwent a complete resynchronization in the process. With this update, --nosync has been fixed and the attribute is now properly cleared after the LV conversion.
BZ#836391
Due to an error in the code, user-initiated resynchronization of a RAID Logical Volume was ineffective. With this update, the lvchange --resync command has been added on a RAID LV, which makes the LV undergo complete resynchronization.
BZ#885811
Previously, an error in the Volume Group (VG) auto-activation code could cause LVM commands to terminate unexpectedly with the following message:
Internal error: Handler needs existing VG
With this update, cached VG metadata are used instead of relying on an absent MDA content of the last discovered PV. As a result, the aforementioned error no longer occurs.
BZ#885993
Prior to this update, testing the health status of the mirror utility caused a minor memory leak. To fix this bug, all resources taken in the function have been released, and memory leaks for long-lived processes (such as the dmeventd daemon) no longer occur.
BZ#887228
Previously, a nested mutex lock could result in a deadlock in the lvmetad daemon. As a consequence, Logical Volume Manager (LVM) commands trying to talk to lvmetad became unresponsive. The nested lock has been removed, and the deadlock no longer occurs.
BZ#877811
Previously, the lvconvert utility handled the -y and -f command line options inconsistently when repairing mirror or RAID volumes. Whereas the -f option alone worked correctly, when used along with the -y option, the -f option was ignored. With this update, lvconvert handles the -f option correctly as described in the manual page.
BZ#860338
When Physical Volumes were stored on read-only disks, the vgchange -ay command failed to activate any Logical Volumes and the following error message was returned:
/dev/dasdf1: open failed: Read-only file system
device-mapper: reload ioctl failed: Invalid argument
1 logical volume(s) in volume group "v-9c0ed7a0-1271-452a-9342-60dacafe5d17" now active
However, this error message did not reflect the nature of the bug. With this update, the command has been fixed and Volume Groups can now be activated on a read-only disk.
BZ#832596
An error in the space allocation logic caused Logical Volume creation with the --alloc anywhere option to occasionally fail. RAID 4/5/6 systems were particularly affected. The bug was fixed to avoid picking already-full areas for RAID devices.

Enhancements

BZ#783097
Previously, the device-mapper driver UUIDs could have been used to create the /dev content with the udev utility. If mangling was not enabled, udev created incorrect entries for UUIDs containing unsupported characters. With this update, character-mangling support in the libdevmapper library and the dmsetup utility for characters not on the udev-supported whitelist has been enhanced to process device-mapper UUIDs the same way as device-mapper names are. The UUIDs and names are now always controlled by the same mangling mode, thus the existing --manglename dmsetup option affects UUIDs as well. Furthermore, the dmsetup info -c -o command has new fields to display: mangled_uuid and unmangled_uuid.
BZ#817866, BZ#621375
Previously, users had to activate Volume Groups and Logical Volumes manually by calling vgchange/lvchange -ay on the command line. This update adds the autoactivation feature: LVM2 now lets the user specify precisely which Logical Volumes should be activated at boot time and which ones should remain inactive. Currently, the feature is supported only on non-clustered and complete VGs. Note that to activate the feature, lvmetad must be enabled (global/use_lvmetad=1 LVM2 configuration option).
BZ#869402
The manual page for the lvconvert utility has been updated with new supported options for conversion of existing volumes into a thin pool.
BZ#814732
Previously, the user could not specify conversion of a Logical Volume already containing pool information ("pre-formatted LV") into a legitimate thin pool LV. Furthermore, it was rather complex to guide the allocation mechanism to use proper Physical Volumes (PVs) for data and metadata LV. As the lvconvert utility is easier to use in these cases, lvconvert has been enhanced to support conversion of pre-formatted LVs into a thin pool volume. With the --thinpool data_lv_name and --poolmetadata metadata_lv_name options, the user may use a pre-formatted LV to construct a thin pool as with the lvcreate utility.
BZ#636001
A new optional metadata caching daemon (lvmetad) is available as part of this LVM2 update, along with udev integration for device scanning. Repeated scans of all block devices in the system with each LVM command are avoided if the daemon is enabled. The original behavior can be restored at any time by disabling lvmetad in the lvm.conf file.
BZ#814766
Previously, no default behavior could be used to fine-tune performance of some workloads. Now, the thin pool support has been enhanced with configurable discards support. The user may now select from three types of behavior: passdown is the default and passes discard requests through to the thin pool backing device; nopassdown processes discards only on the thin pool level and does not pass requests to the backing device; ignore ignores discard requests.
BZ#844492
LVM support for 2-way mirror RAID10 has been added. LVM is now able to create, remove, and resize RAID10 Logical Volumes. To create a RAID10 Logical Volume, specify individual RAID parameters in the same way as for other RAID types, as in the following example:
~]# lvcreate --type raid10 -m 1 -i 2 -L 1G -n lv vg
Note that the -m and -i arguments behave in the same way they would for other segment types. That is, -i is the total number of stripes while -m is the number of (additional) copies (that is, -m 1 -i 2 gives 2 stripes on top of 2-way mirrors).
BZ#861843
The lvm2app library now reports the data_percent field which indicates how full snapshots, thin pools and volumes are. The Logical Volume needs to be active to obtain this information.
BZ#814824
The thin pool now supports non-power-of-2 chunk size. However, the size must be a multiple of 64KiB.
BZ#823660
The -l option has been added to the lvmetad daemon to allow logging of wire traffic and more detailed information on internal operation to the standard error stream. This new feature is mainly useful for troubleshooting and debugging.
BZ#834031
Previously, it was possible to pass an incorrect argument on the command line when creating a RAID Logical Volume, for example the --mirrors option for RAID5. Consequently, erroneous and unexpected results were produced. With this update, invalid arguments are caught and reported.
BZ#823667
The lvmdump utility has been extended to include a dump of the internal lvmetad daemon state, helping with troubleshooting and analysis of lvmetad-related problems.
BZ#830250
In Red Hat Enterprise Linux 6.4, LVM adds support for Micron PCIe Solid State Drives (SSDs) as devices that may form a part of a Volume Group.
BZ#883416
The DM_DISABLE_UDEV environment variable is now recognized and takes precedence over other existing settings when using LVM2 tools, dmsetup and libdevmapper to fall back to non-udev operation. Setting the DM_DISABLE_UDEV environment variable provides a more convenient way of disabling udev support in libdevmapper, dmsetup and LVM2 tools globally without the need to modify any existing configuration settings. This is mostly useful if the system environment does not use udev.
BZ#829221
Physical Volumes (PV) are now automatically restored from the missing state after they become reachable again and even if they had no active metadata areas. In cases of transient inaccessibility of a PV, for example with Internet Small Computer System Interface (iSCSI) or other unreliable transport, LVM required manual action to restore a PV for use even if there was no room for conflict, because there was no active metadata area (MDA) on the PV. With this update, the manual action is no longer required if the transiently inaccessible PV has no active metadata areas.
Users of lvm2 should upgrade to these updated packages, which fix these bugs and add these enhancements.

6.135. mailman

Updated mailman packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.
Mailman is a program used to help manage e-mail discussion lists.

Bug Fixes

BZ#772998
The reset_pw.py script contained a typo, which could cause the mailman utility to fail with a traceback. The typo has been corrected, and mailman now works as expected.
BZ#799323
The "urlhost" argument was not handled in the newlist script. When running the "newlist" command with the "--urlhost" argument specified, the contents of the index archive page were not created using proper URLs; the hostname was used instead. With this update, "urlhost" is now handled in the newlist script. If the "--urlhost" argument is specified on the command line, the host URL is used when creating the index archive page instead of the hostname.
BZ#832920
Previously, long lines in e-mails were not wrapped in the web archive, sometimes requiring excessive horizontal scrolling. The "white-space: pre-wrap;" CSS style has been added to all templates, so that long lines are now wrapped in browsers that support that style.
BZ#834023
The "From" string in the e-mail body was not escaped properly. A message containing the "From" string at the beginning of a line was split and displayed in the web archive as two or more messages. The "From" string is now correctly escaped, and messages are no longer split in the described scenario.
All users of mailman are advised to upgrade to these updated packages, which fix these bugs.

6.136. man-pages-overrides

An updated man-pages-overrides package that fixes several bugs is now available for Red Hat Enterprise Linux 6.
The man-pages-overrides package provides a collection of manual (man) pages to complement other packages or update those contained therein.

Bug Fixes

BZ#806845
Prior to this update, documentation about SMBIOS on the dmidecode(8) manual page was unclear. This update fixes the information about SMBIOS on the dmidecode(8) manual page.
BZ#814417
Prior to this update, description of the "-SecurityTypes" option in the TigerVNC utility was missing in the vncviewer(1) and Xvnc(1) manual pages. This update adds a description to the vncviewer(1) and Xvnc(1) manual pages.
BZ#845657
Prior to this update, the localalloc option on the numactl(8) manual page was not clearly described. This update adds a clear description of the localalloc option to the numactl(8) manual page.
BZ#846591
Prior to this update, some options were missing from the ipmitool(1) manual page. With this update, all options are described on the ipmitool(1) manual page.
BZ#849201
Previously, the alsaunmute(1) manual page was missing. This update adds the alsaunmute(1) manual page.
BZ#853959
Prior to this update, the "--no-tpm" option was not described in the rngd(8) manual page. This update adds a description of the "--no-tpm" option.
BZ#867332
Prior to this update, the groupmems(8) manual page was missing information about the setuid permission of the groupmems binary. This update clarifies the setuid permission in the groupmems(8) manual page.
BZ#872526
Prior to this update, the dump(8) manual page was missing information about the ext4 file system support. This update adds this information to the dump(8) manual page.
Users of man-pages-overrides are advised to upgrade to this updated package, which fixes these bugs.

6.137. man-pages

An updated man-pages package that fixes numerous bugs and adds two enhancements is now available for Red Hat Enterprise Linux 6.
The man-pages package provides man (manual) pages from the Linux Documentation Project (LDP).

Bug Fixes

BZ#714073
Prior to this update, a manual page for the fattach() function was missing. This update adds the fattach(2) manual page.
BZ#714074
Prior to this update, a manual page for the recvmmsg() call was missing. This update adds the recvmmsg(2) manual page.
BZ#714075
Prior to this update, manual pages for the cciss and hpsa utilities were missing. This update adds the cciss(4) and hpsa(4) manual pages.
BZ#714078
The host.conf(5) manual page contained a description for the unsupported order keyword. This update removes the incorrect description.
BZ#735789
Prior to this update, the clock_gettime(2), clock_getres(2), and clock_nanosleep(2) manual pages did not mention the -lrt option. With this update, the description of the -lrt option has been added to the aforementioned manual pages.
BZ#745152
This update adds the description of the single-request-reopen option to the resolv.conf(5) manual page.
BZ#745501
With this update, usage of SSSD in the nsswitch.conf file is now described in the nsswitch.conf(5) manual page.
BZ#745521
With this update, the new UMOUNT_NOFOLLOW flag is described in the umount(2) manual page.
BZ#745733
Previously, a manual page for the sendmmsg() function was missing. This update adds the sendmmsg(2) manual page.
BZ#752778
Previously, the db(3) manual page was pointing to the non-existent dbopen(3) manual page. When the man db command was issued, the following error message was returned:
fopen: No such file or directory.
With this update, the db(3) manual page is removed.
BZ#771540
This update adds the missing description of the TCP_CONGESTION socket option to the tcp(7) manual page.
BZ#804003
Descriptions of some socket options were missing in the ip(7) manual page. This update adds these descriptions to the ip(7) manual page.
BZ#809564
Prior to this update, the shmat(2) manual page was missing the description for the EIDRM error code. With this update, this description has been added to the shmat(2) manual page.
BZ#822317
The bdflush(2) system call manual page was missing information that this system call is obsolete. This update adds this information to the bdflush(2) manual page.
BZ#835679
The nscd.conf(5) manual page did not list services among the valid services. With this update, services are listed in the nscd.conf(5) manual page as expected.
BZ#840791
Previously, the nsswitch.conf(5) manual page lacked information on the search mechanism, particularly about the notfound status. This update provides an improved manual page with added description of notfound.
BZ#840796
Prior to this update, the behavior of the connect() call with the local address set to the INADDR_ANY wildcard address was insufficiently described in the ip(7) manual page. Possible duplication of the local port after the call was not acknowledged. With this update, the documentation has been reworked in order to reflect the behavior of the connect() call correctly.
BZ#840798
Due to the vague description of the getdents() function in the getdents(2) manual page, the risk of using this function directly was not clear enough. The description has been extended with a warning to prevent incorrect usage of the getdents() function.
BZ#840805
The nscd.conf(5) manual page was missing descriptions and contained several duplicate entries. With this update, the text has been clarified and redundant entries have been removed.
BZ#857163
Previously, the tzset(3) manual page contained an incorrect interval in the description of the start and end format for Daylight Saving Time. Consequently, users thought the number was 1-based rather than 0-based when not using the J option. With this update, the manual page has been corrected. The Julian day can be specified with an interval of 0 to 365 and February 29 is counted in leap years when the J option is not used.
BZ#857962
The description of the /proc/sys/fs/file-nr file in the proc(5) manual page was outdated. This update adds the current information to this manual page.
BZ#858278
The Error section of the connect(2) manual page listed the EAGAIN error code instead of the EADDRNOTAVAIL error code. This update amends the manual page with correct information.

Enhancements

BZ#857162
An update in the close(2) man page explains the interaction between system calls close() and recv() in different threads.
BZ#858240
This update adds the description of the --version switch to the zdump(8) manual page.
All users of man-pages are advised to upgrade to this updated package, which fixes these bugs and adds these enhancements.

6.138. man

Updated man packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The man packages provide the man, apropos, and whatis tools to find information and documentation about the Linux system.

Bug Fix

BZ#815209
Previously, the patch for the man-pages-overrides package ignored localized man pages. Consequently, installing this package also overrode man pages localized in different languages. With this update, this bug has been fixed and man pages from the man-pages-overrides package now override only man pages in the same language.
All users of man are advised to upgrade to these updated packages, which fix this bug.

6.139. matahari

The matahari packages have been removed from Red Hat Enterprise Linux 6.
The matahari packages provide a set of APIs for operating system management that are exposed to remote access over the Qpid Management Framework (QMF).
With this update, an empty package has been provided to ensure that the matahari packages are removed from Red Hat Enterprise Linux 6. (BZ#833109)
All users of matahari are advised to remove these packages.

6.140. mcelog

Updated mcelog packages that fix numerous bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The mcelog package contains a daemon that collects and decodes Machine Check Exception (MCE) data on AMD64 and Intel 64 machines.

Upgrade to an upstream version

The mcelog packages have been upgraded to upstream version 0.6, which provides a number of bug fixes and enhancements over the previous version. (BZ#795931)

Bug Fixes

BZ#851406
The mcelog(8) man page contained incorrect information about usage of the "--supported" flag. This man page has been updated and the information is correct now.
BZ#871249
Previously, the mcelog daemon ignored the 15h microarchitecture family of AMD processors and did not report the Machine Check Exception (MCE) errors. Consequently, reported errors were unavailable to system administrators. The 15h microarchitecture family of AMD processors has been added to the list of supported processors and mcelog reports MCE errors correctly in this case.

Enhancement

BZ#740915
This enhancement adds support for the Intel Core i5 and i7 processors to the mcelog packages.
All users of mcelog are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.141. mdadm

Updated mdadm packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The mdadm packages contain a utility for creating, managing, and monitoring Linux MD (multiple disk) devices.

Upgrade to an upstream version

The mdadm packages have been upgraded to upstream version 3.2.5, which provides a number of bug fixes and enhancements over the previous version. (BZ#812358)

Bug Fixes

BZ#824815
While an Intel Matrix Storage Manager (IMSM) RAID volume was in the process of a reshape, an attempt to stop all arrays could cause an IMSM RAID array to be broken or corrupted. The underlying source code has been modified and mdadm works as expected in the described scenario.
BZ#862565
This update clarifies a number of mdadm license ambiguities.
BZ#878810
The IMSM option ROM (OpROM) does not support RAID volumes across more than one controller. Previously, creating an IMSM RAID volume across more than one controller caused data loss. With this update, creating an IMSM RAID volume on multiple controllers is forbidden to prevent the data loss.
BZ#880208
Previously, it was possible to create a second RAID1 volume with the size equal to 0. As a consequence, when resyncing the first RAID1 volume was finished, the system became unresponsive. This update applies a patch to correct this error and it is no longer possible to create a second RAID1 volume with the size equal to 0.
BZ#880225
After turning off two disk drives of a RAID1 volume, using the "mdadm --detail" command caused mdadm to terminate unexpectedly with a segmentation fault. This update applies a patch that fixes this bug. Using the "mdadm --detail" command now returns valid information and mdadm no longer crashes in the described scenario.
BZ#820643
This update fixes the map file location in the mdadm(8) man page.
Users of mdadm are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.142. mesa

Updated mesa packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
Mesa provides a 3D graphics API that is compatible with Open Graphics Library (OpenGL). It also provides hardware-accelerated drivers for many popular graphics chips.

Upgrade to an upstream version

The mesa packages have been upgraded to upstream version 9.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#835200)

Bug Fixes

BZ#786508, BZ#820746
If the user logged in from Red Hat Enterprise Linux 5 to a Red Hat Enterprise Linux 6 machine by using the "ssh" command with the "-Y" option, an attempt to run an application that uses GLX failed with the "Error: couldn't find RGB GLX visual or fbconfig" error message. This bug has been fixed and the remote login now works as expected.
BZ#885882
Due to an error in the mesa packages, using the multisample anti-aliasing (MSAA) technique with the KWin window manager caused errors in the desktop compositing. This update provides a patch that fixes this bug and MSAA now works correctly with the KWin window manager.
BZ#901627
Previously, connecting to a remote machine using SSH with X11 forwarding enabled caused a "failed to load driver: i965" error in the libGL library. With this update, a patch has been provided to fix this bug and drivers are now loaded as expected.

Enhancements

BZ#816661
An accelerated driver for Intel Core i5 and i7 processors has been added to the mesa packages.
BZ#835201
This update adds the new mesa-dri1-drivers package to mesa. This package implements support for the DRI1 drivers.
All users of mesa are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.143. microcode_ctl

Updated microcode_ctl packages that fix a bug and add various enhancements are now available for Red Hat Enterprise Linux 6.
The microcode_ctl packages provide utility code and microcode data to assist the kernel in updating the CPU microcode at system boot time. This microcode supports all current x86-based, Intel 64-based, and AMD64-based CPU models. It takes advantage of the mechanism built into Linux that allows microcode to be updated after system boot. When loaded, the updated microcode corrects the behavior of various processors, as described in processor specification updates issued by Intel and AMD for those processors.

Bug Fix

BZ#740932
Previously, a udev rule in /lib/udev/rules.d/89-microcode.rules allowed the module to load more than once. On very large systems (for example, systems with 2048 or more CPUs), this could result in the system becoming unresponsive on boot. With this update, the udev rule has been changed to ensure the module loads only once. Very large systems now boot as expected.

Enhancements

BZ#818096
The Intel CPU microcode file has been updated to version 20120606.
BZ#867078
The AMD CPU microcode file has been updated to version 20120910.
All users of microcode_ctl are advised to upgrade to these updated packages, which fix this bug and add these enhancements. Note: a system reboot is necessary for this update to take effect.

6.144. mlocate

Updated mlocate packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The mlocate packages provide a locate/updatedb implementation. Mlocate keeps a database of all existing files and allows you to look up files by name.

Bug Fixes

BZ#690800
Prior to this update, the locate(1) manual page contained a misprint. This update corrects the misprint.
BZ#699363
Prior to this update, the mlocate tool aborted the "updatedb" command if an incorrect filesystem implementation returned a zero-length file name. As a consequence, the locate database was not updated. This update detects invalid zero-length file names, warns about them, and continues to update the locate database.
All users of mlocate are advised to upgrade to these updated packages, which fix these bugs.

6.145. mod_authz_ldap

Updated mod_authz_ldap packages that fix three bugs are now available for Red Hat Enterprise Linux 6.
The mod_authz_ldap packages provide a module for the Apache HTTP Server to authenticate users against an LDAP database.

Bug Fixes

BZ#607797
Prior to this update, the License field of the mod_authz_ldap packages contained an incorrect tag. This update modifies the license text. Now, the license tag correctly reads "ASL1.0".
BZ#643691
Prior to this update, the mod_authz_ldap module could leak memory. As a consequence, the memory consumption of the httpd process could increase as more requests were processed. This update modifies the underlying code to handle LDAP correctly. Now, the memory consumption is at expected levels.
BZ#782442
Prior to this update, when an LDAP bind password was configured and a connection error occurred, the password was logged in plain text to the error log. This update modifies the underlying code to prevent passwords from being logged in error conditions.
All users of mod_authz_ldap are advised to upgrade to this updated package, which fixes these bugs.

6.146. mod_nss

Updated mod_nss packages that fix one bug and add two enhancements are now available for Red Hat Enterprise Linux 6.
The mod_nss module provides strong cryptography for the Apache HTTP Server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, using the Network Security Services (NSS) security library.

Bug Fix

BZ#769906
The mod_nss module reported 'Required value NSSCipherSuite not set.' even though a value for NSSCipherSuite was present in the virtual host. This bug was a configuration issue which was exacerbated by a couple of confusing log messages. As a result, several log messages were changed to help clarify what values were actually missing.

Enhancements

BZ#816394
Added support for TLSv1.1 to the mod_nss module.
BZ#835071
Added the ability to share mod_proxy with other SSL providers.
Users of mod_nss are advised to upgrade to these updated packages, which fix this bug and add these enhancements.

6.147. mod_revocator

Updated mod_revocator packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The mod_revocator module retrieves and installs remote Certificate Revocation Lists (CRLs) into an Apache web server.

Bug Fix

BZ#861999
When "exec" URIs were used to configure Certificate Revocation Lists (CRLs), the mod_revocator module failed to load these URIs with the following error message:
Unable to load Revocation module, NSS error -8187. CRL retrieval will be disabled.
A patch has been provided to fix this problem, and CRL URIs are now loaded as expected in this scenario.
Users of mod_revocator are advised to upgrade to these updated packages, which fix this bug.

6.148. module-init-tools

Updated module-init-tools packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The module-init-tools packages include various programs needed for automatic loading and unloading of modules under kernels version 2.6 and later, as well as other module management programs. Device drivers and file systems are two examples of loaded and unloaded modules.

Bug Fix

BZ#670653
Previously, the rpmbuild utility received warnings about specific tags being deprecated for module-init-tools. This update fixes the module-init-tools spec file and rpmbuild no longer receives warnings.
Users of module-init-tools are advised to upgrade to these updated packages, which fix this bug.

6.149. mod_wsgi

Updated mod_wsgi packages that fix one bug and add one enhancement are now available for Red Hat Enterprise Linux 6.
The mod_wsgi packages provide an Apache httpd module, which implements a WSGI compliant interface for hosting Python based web applications.

Bug Fix

BZ#670577
Prior to this update, a misleading warning message from the mod_wsgi utilities was logged during startup of the Apache httpd daemon. This update removes this message from the mod_wsgi module.

Enhancement

BZ#719409
With this update, access to the SSL connection state is now available in WSGI scripts using the methods "mod_ssl.is_https" and "mod_ssl.var_lookup".
All users of mod_wsgi are advised to upgrade to these updated packages, which fix this bug and add this enhancement.

6.150. mrtg

Updated mrtg packages that fix three bugs are now available for Red Hat Enterprise Linux 6.
The mrtg packages provide the Multi Router Traffic Grapher (MRTG) to monitor the traffic load on network links. MRTG generates HTML pages containing Portable Network Graphics (PNG) images, which provide a live, visual representation of this traffic.

Bug Fixes

BZ#706519
Prior to this update, the MRTG tool did not handle socket6 correctly. As a consequence, MRTG reported errors when run on a system with an IPv6 network interface due to a socket conflict. This update modifies the underlying code to handle socket6 as expected.
BZ#707188
Prior to this update, changing the "kMG" keyword in the MRTG configuration could cause the labels on the y-axis to overlap the main area of the generated chart. With this update, an upstream patch has been applied to address this issue, and changing the "kMG" keyword in the configuration no longer leads to the incorrect rendering of the resulting charts.
BZ#836197
Prior to this update, the wrong value was returned from the IBM FibreChannel switch when using the ifSpeed interface. As a consequence, mrtg cfgmaker failed to use ifHighSpeed on IBM FibreChannel switches. This update modifies the underlying code to return the correct value.
All users of mrtg are advised to upgrade to these updated packages, which fix these bugs.

6.151. mt-st

Updated mt-st packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The mt-st package contains the mt and st tape drive management programs. Mt (for magnetic tape drives) and st (for SCSI tape devices) can control rewinding, ejecting, skipping files and blocks and more.

Bug Fix

BZ#820245
Prior to this update, the stinit init script did not support standard actions like "status" or "restart". As a consequence, an error code was returned. This update modifies the underlying code to use all standard actions.
All users of mt-st are advised to upgrade to these updated packages, which fix this bug.

6.152. netcf

Updated netcf packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The netcf packages contain a library for modifying the network configuration of a system. Network configuration is expressed in a platform-independent XML format, which netcf translates into changes to the system's "native" network configuration files.

Bug Fix

BZ#886862
Previously, the netcf utility had been calling the nl_cache_mngt_provide() function in the libnl library, which was not thread-safe. Consequently, the libvirtd daemon could terminate unexpectedly. As nl_cache_mngt_provide() was not necessary for proper operation, it is no longer called by netcf, thus preventing this bug.
Users of netcf are advised to upgrade to these updated packages, which fix this bug.

6.153. net-snmp

Updated net-snmp packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The net-snmp packages provide various libraries and tools for the Simple Network Management Protocol (SNMP), including an SNMP library, an extensible agent, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat utility which uses SNMP, and a Tk/Perl Management Information Base (MIB) browser.

Bug Fixes

BZ#829271
Previously, there was a limit of 50 exec entries in the /etc/snmp/snmpd.conf configuration file. With more than 50 such entries in the file, the snmpd daemon reported the following error message:
Error: No further UCD-compatible entries
With this update, the fixed limit has been removed, and there can now be any number of exec entries in /etc/snmp/snmpd.conf.
BZ#848319
Prior to this update, the libnetsnmpmibs.so.20 and libnetsnmphelpers.so.20 libraries did not contain an RPATH entry to the libperl.so package for embedding Perl. This could cause problems when linking custom SNMP applications or modules. An upstream patch, which adds RPATH for the Perl libraries, has been provided, and all libperl.so references are now resolved.
BZ#800671
Previously, the snmpd daemon ignored the trapsess -e <engineID> configuration option in the /etc/snmp/snmpd.conf file and sent a default engineID string even if trapsess was configured with an explicit engineID value. An upstream patch has been provided to fix this bug and snmpd now sends outgoing traps with an engineID string as specified in /etc/snmp/snmpd.conf.
BZ#846436
Due to a possible race condition, the snmpd daemon could fail to count some processes when filling in the UCD-SNMP-MIB::prTable table. With this update, the underlying source code has been adapted to prevent such a race condition, so that all processes are now counted as expected.
BZ#833013
Prior to this update, the snmpd daemon ignored the port number of the clientaddr option when specifying the source address of outgoing SNMP requests. As a consequence, the system assigned a random port number to the UDP socket. This update introduces a new configuration option, clientaddrUsesPort, which, if set to yes, allows both the port number and the source IP address to be specified in the clientaddr option. Administrators can now increase security with firewall rules and SELinux policies by configuring a specific source port for outgoing traps and other requests.
BZ#851637
When the snmpd daemon was shutting down during processing of internal queries, a request was neither marked as failed nor finished, and snmpd waited indefinitely for the request to be processed. With this update, snmpd marks all internal queries as failed during shutdown.
BZ#842279
Previously, implementation of the UCD-SNMP-MIB::extCommand variable in the snmpd daemon reported only names of the executable parameters, missing all other command line parameters. With this update, UCD-SNMP-MIB::extCommand has been fixed and snmpd returns the full command line output.
BZ#784502
Previously, the snmptrapd(8) manual page did not properly describe how to load multiple configuration files using the -c option. With this update, the manual page has been fixed and describes that multiple configuration files must be separated by the comma character.
BZ#846532, BZ#861152
In the previous net-snmp update, implementation of the HOST-RESOURCES-MIB::hrStorageTable table was rewritten and devices with CentraVision File System (CVFS) and OpenVZ container file systems (simfs) were not reported. With this update, the snmpd daemon properly recognizes CVFS and simfs devices and reports them in HOST-RESOURCES-MIB::hrStorageTable.
BZ#846906
When the snmpd daemon was not able to expand a 32-bit counter provided by the operating system to 64 bits, as required by SNMP standards, the snmpd daemon occasionally reported the following error messages:
c64 32 bit check failed
Error expanding XXX to 64bits
looks like a 64bit wrap, but prev!=new
These messages were in fact harmless but confusing. This update suppresses them and they are no longer returned in the described scenario.
BZ#845157
The snmpd daemon reported an error message to system log files when it could not open the following files: /proc/net/if_inet6, /proc/net/snmp6, /proc/net/ipv6_route, /proc/net/tcp6, and /proc/net/udp6. These files are typically missing on machines with disabled IPv6 networking, and thus reporting such error messages for them is meaningless. With this update, the error messages are suppressed, and the system log files are not filled with redundant messages.
BZ#848155
Prior to this update, the net-snmp utility failed to read the diskIOLA1, diskIOLA5, and diskIOLA15 object variables of the UCD-DISKIO-MIB object, as these variables were not implemented on the Linux operating system. Consequently, the snmptable utility failed to return values of the three variables correctly. With this update, these objects are implemented and their values are now displayed in the UCD-DISKIO-MIB::diskIOTable table as expected.
BZ#825889
Previously, the snmpd daemon was updated to send an SNMP response to broadcast requests from the same interface on which the SNMP request had been received. However, this update also introduced a bug which prevented snmpd from sending responses to unicast requests on multihomed machines. This update fixes this bug, so the snmpd daemon is now able to both answer unicast requests on multihomed machines and send responses to broadcast requests from the same interface on which the request has been received.
BZ#824402
Previously, the snmptrapd daemon terminated the embedded Perl interpreter immediately after the TERM signal was received, regardless of whether embedded Perl code was still being used. Consequently, snmptrapd could, in rare cases, terminate unexpectedly during shutdown. With this update, the embedded Perl interpreter is destroyed later during the snmptrapd shutdown, when all Perl processing is finished.
Users of net-snmp are advised to upgrade to these updated packages, which fix these bugs.
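
For the clientaddrUsesPort change in BZ#833013 above, the following added example (not part of the Red Hat notes or of net-snmp) checks a configuration file for a clientaddr port that would be ignored because clientaddrUsesPort is not set to yes. The function name, the output keywords, the sample files, and the handling of an optional "[snmp]" prefix and a transport prefix such as "udp:" are assumptions of this example, which covers IPv4 addresses only.

```shell
#!/bin/sh
# Added example: flag a clientaddr port that is ignored because
# clientaddrUsesPort is not "yes". IPv4 only; sample files are constructed.

# audit_clientaddr FILE  -> prints exactly one line:
#   PINNED <addr> <port>        port given and clientaddrUsesPort is yes
#   PORT_IGNORED <addr> <port>  port given, option missing or not "yes"
#   NO_PORT <addr>              clientaddr has no port to pin
#   UNSET                       no clientaddr directive in the file
audit_clientaddr() {
    awk '
        { sub(/#.*/, "") }                           # strip comments
        $1 == "[snmp]" { $1 = ""; $0 = $0 }          # optional type prefix (assumed)
        tolower($1) == "clientaddr"         { addr = $2 }
        tolower($1) == "clientaddrusesport" { uses = tolower($2) }
        END {
            if (addr == "") { print "UNSET"; exit }
            split(addr, p, ":")
            i = (p[1] ~ /^[0-9.]+$/) ? 1 : 2         # skip a prefix such as "udp"
            host = p[i]; port = p[i + 1]
            if (port == "")         print "NO_PORT", host
            else if (uses == "yes") print "PINNED", host, port
            else                    print "PORT_IGNORED", host, port
        }
    ' "$1"
}

# Constructed sample input: the same source address before and after
# enabling the option described in BZ#833013.
tmp=$(mktemp -d)
cat > "$tmp/before.conf" <<'EOF'
# port is written but will be ignored; the system picks the source port
clientaddr 192.0.2.10:5161
EOF
cat > "$tmp/after.conf" <<'EOF'
clientaddr 192.0.2.10:5161
clientaddrUsesPort yes
EOF

for f in before after; do
    printf '%s.conf: %s\n' "$f" "$(audit_clientaddr "$tmp/$f.conf")"
done
rm -rf "$tmp"
```

A PORT_IGNORED result means that a firewall rule keyed on that source port would not match the daemon's outgoing traffic.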

6.154. NetworkManager

Updated NetworkManager packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
NetworkManager is a system network service that manages network devices and connections, attempting to keep active network connectivity when available. It manages Ethernet, wireless, mobile broadband (WWAN), and PPPoE (Point-to-Point Protocol over Ethernet) devices, and provides VPN integration with a variety of different VPN services.

Bug Fixes

BZ#813573
Previously, NetworkManager did not allow selecting the WPA protocol version for a connection. Certain enterprise WLAN networks using Cisco equipment do not allow roaming between WPA and WPA2 Virtual Access Points (VAP) provided by the same physical access point, requiring the use of a specific WPA protocol version to prevent disconnections. This update adds a WPA protocol combo box to the NetworkManager user interface allowing a specific WPA protocol version to be used when necessary, thus preventing this problem.
BZ#829499
Previously, NetworkManager tried to enable an interface only once. Consequently, after a network failure, if a link was restored before the connection to a DHCP server was functioning, NetworkManager sometimes timed out and failed to bring up the interface. A patch has been applied so that NetworkManager now tries three times to connect after a failure and then again in five-minute intervals. As a result, NetworkManager can now more reliably restore connections after a network failure.
BZ#833199
Due to a bug in reading and writing network configuration files, network connections using the LEAP authentication method could not be made available to all users. A patch has been applied to address this issue and the network configuration files now allow LEAP as expected.
BZ#834349
When a connection was locked to a specific WPA protocol version (either v1 or v2/RSN) via either the GConf system or settings in the "/etc/sysconfig/network-scripts/" configuration files, NetworkManager overwrote that preference when the connection was edited and saved. This bug has been fixed and such WPA preferences are now preserved in the described scenario.
BZ#837056
When attempting to configure a wireless LEAP authenticated connection, the credentials were asked for twice by the authentication dialog. A patch has been applied and the problem no longer occurs.
BZ#840580
The NetworkManager service logged a warning when the Bluetooth service was not running or not installed. A patch has been applied to prevent this and the problem no longer occurs.

Enhancements

BZ#558983
This update adds bridging support for NetworkManager. Note that this is dependent on the NM_BOND_VLAN_ENABLED directive in /etc/sysconfig/network. NetworkManager detects and manages bridging, bonding and VLAN interfaces if and only if that directive is present and is set to one of yes, y, or true.
BZ#465345
The NetworkManager service now provides support for bonding network connections as well as creating VLAN and IPoIB network connections.
BZ#817660
NetworkManager now copies the DHCP lease files created by init scripts if they are newer than those NetworkManager currently has. This results in a more seamless takeover of DHCP assigned connections.
BZ#834444
This update enables Proactive Key Caching (PKC), also known as Opportunistic Key Caching (OKC), for all WPA-Enterprise configurations.
BZ#901662
A number of improvements have been made to NetworkManager to allow more bonding options and to handle incompatibilities between options. As a result, more complex bonding configurations can now be controlled by NetworkManager.
All users of NetworkManager are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.155. nfs-utils-lib

Updated nfs-utils-lib packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The nfs-utils-lib packages provide support libraries that programs in the nfs-utils package require.

Bug Fix

BZ#804812
When building the list of local realms, idmapd overwrote the string buffer, which is used to keep that list, every time a new realm was added to the list. As a consequence, the idmapd daemon logged only the last local realm added to the list. This update modifies the source code so the realms are correctly appended to the string buffer and idmapd now logs the complete list of the local realms as expected. Also, buffer size calculation has been corrected.
Users of nfs-utils-lib are advised to upgrade to these updated packages, which fix this bug.

6.156. nfs-utils

Updated nfs-utils packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The nfs-utils packages provide a daemon for the kernel Network File System (NFS) server, and related tools such as mount.nfs, umount.nfs, and showmount.

Bug Fixes

BZ#797209
Prior to this update, the rpc.mountd daemon could cause NFS clients with already mounted NFSv3 shares to become suspended. This update modifies the underlying code to parse the IP address earlier.
BZ#802469
Prior to this update, nfs-utils allowed stronger encryption types than Single DES. As a consequence, mounts to legacy servers that used the "-o sec=krb5" option failed. This update adds the -l flag to allow only Single DES. Now, secure mounts work with legacy servers as expected.
BZ#815673
Prior to this update, NFS clients could fail to mount a share with the NFSv4 server if the server had a large number of exports to netgroups. As a consequence, NFSv4 mounts could become suspended. This update modifies the use_ipaddr case so that NFSv4 now mounts as expected.
BZ#849945
Prior to this update, the NFS idmapper failed to initialize as expected. As a consequence, file permissions were incorrect. This update modifies the underlying code so that the idmapper initializes correctly.
Users of nfs-utils are advised to upgrade to these updated packages, which fix these bugs.

6.157. nss-pam-ldapd

Updated nss-pam-ldapd packages that fix three bugs are now available for Red Hat Enterprise Linux 6.
The nss-pam-ldapd packages provide the nss-pam-ldapd daemon (nslcd), which uses a directory server to look up name service information on behalf of a lightweight nsswitch module.

Bug Fixes

BZ#747281
Prior to this update, the disconnect logic contained a misprint and a failure return value was missing. This update corrects the misprint and adds the missing return value.
BZ#769289
Prior to this update, the nslcd daemon performed the idle time expiration check for the LDAP connection before starting an LDAP search operation. On a lossy network or if the LDAP server was under a heavy load, the connection could time out after the successful check and the search operation then failed. With this update, the idle time expiration test is performed during the LDAP search operation so that the connection no longer expires under these circumstances.
BZ#791042
Prior to this update, when the nslcd daemon requested access to a large group, a buffer provided by the glibc library could be too small to contain such a group, and the operation was retried with a larger buffer to process it successfully. As a consequence, redundant error messages were logged in the /var/log/messages file. This update makes sure that even when glibc provides a buffer that is too small on the first attempt in the described scenario, no redundant error messages are returned.
All users of nss-pam-ldapd are advised to upgrade to these updated packages, which fix these bugs.

6.158. nss, nss-util, nspr

Updated nss, nss-util, and nspr packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

Upgrade to an upstream version

The nss and nss-util packages have been upgraded to upstream version 3.14, which provides a number of bug fixes and enhancements over the previous version. In particular, NSS now supports TLS version 1.1 (RFC 4346). In addition, the nspr packages have been upgraded to upstream version 4.9.2. Note that support for certificate signatures using the MD5 hash algorithm is now disabled by default. For more information, refer to the Mozilla NSS 3.14 Release Notes. (BZ#837089, BZ#863285, BZ#863286)

Bug Fixes

BZ#555019
The Privacy Enhanced Mail (PEM) module initialization function did not return an error informing the caller that it is not thread-safe. Consequently, invalid writes were made, resulting in unexpected terminations in multi-threaded libcurl-based applications. The PEM module initialization function now returns the PKCS #11 prescribed CKR_CANT_LOCK constant when the type of locking requested by the caller for thread safety is not available. As a result, clients are informed of the lack of thread safety and can provide their own locking to prevent crashes.
BZ#827351
Due to a missing out-of-memory (OOM) check and improper freeing of allocated memory, the Privacy Enhanced Mail (PEM) module did not fully validate the encoding of certificates stored in a PEM-formatted file. As a consequence, error handling tests failed. With this update, the PEM module correctly validates the encoding, handles memory deallocation consistently, and error handling tests pass as expected.
Users of nss, nspr, and nss-util are advised to upgrade to these updated packages, which fix these bugs and add these enhancements. After installing this update, applications using NSS, NSPR, or nss-util must be restarted for this update to take effect.

6.159. ntp

Updated ntp packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source.

Bug Fix

BZ#875798
When at least one system network interface had an IPv6 address and the network service was stopped or started, the ntpd daemon could terminate unexpectedly. This happened if the ntpd service attempted to read the device addresses at the moment when the network service had managed to configure only the IPv6 address of the first device. With this update, the underlying library function has been fixed and the daemon no longer crashes in the scenario described.
All users of ntp are advised to upgrade to these updated packages, which fix this bug.

6.160. numactl

Updated numactl packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
The numactl packages provide a simple Non-Uniform Memory Access (NUMA) policy support and consist of the numactl program to run other programs with a specific NUMA policy and the libnuma library to do allocations in applications using the NUMA policy.

Bug Fixes

BZ#804480
Previously, the number of CPUs was miscalculated from the "/sys/devices/system/cpu" directory because the "cpufreq" and "cpuidle" files were counted, so two additional CPUs were erroneously added. With this update, the number of CPUs is counted correctly.
BZ#814294
The global pointer "numa_all_cpus_ptr" was supposed to be set to a bitmask allocated by the library with bits that represent all CPUs on which the calling thread can execute. However, it did not function as documented when the bitmask was only set to CPU0. With this update, the underlying source code has been fixed and "numa_all_cpus_ptr" contains only the specified CPUs when the taskset option contains CPU0.

Enhancement

BZ#829896
The existing numastat tool, which was a Perl script, has been rewritten as a C program to provide much more NUMA information. The default operation of numastat remains the same for compatibility with current users' end scripts.
Users of numactl are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.