Error inserting audit rule for pid=13163
/etc/sysconfig/kernel, which would lead to an incorrect kernel being set as the default in future updates. This would cause boot failure. /etc/sysconfig/kernel now updates correctly.
grub.conf file, virt-v2v assumed it was an i686 guest. This resulted in a converted guest that did not boot. virt-v2v now assumes an AMD64 or Intel 64 default architecture instead of i686.
/etc/securetty file. Conversion without this file is now possible.
ControlSet001 was always the current control set, even if ControlSet001 had been marked as failed. The correct control set is now detected, and the VirtIO block driver installed in the correct location.
auto. This made libvirt unable to start the guest. Disk type is now set explicitly based on source metadata or other detection methods.
0, even though conversion failed. The correct values are now returned.
/boot/grub/device.map with converted block device names in certain circumstances. device.map now updates as expected.
C:\Temp directory because it created a C:\temp directory without checking for file names that used alternative cases. virt-v2v now checks for case-sensitive file names before creating an appropriate temporary directory.
-oa flag.
ovf:disk-interface field when converting for Red Hat Enterprise Virtualization. However, this produced an ovf file that was not intelligible to Red Hat Enterprise Virtualization Manager. The disk-interface is now populated with correct enum values (IDE, SCSI, or VirtIO), allowing Red Hat Enterprise Virtualization Manager to understand the ovf file.
sparse or raw. This combination is not supported when importing into a data center that uses block storage (fibre channel or iSCSI). virt-v2v can now convert storage format and allocation policy correctly. Additionally, customers can specify a format and allocation policy compatible with the target data center type by using the -of and -oa command line options.
Can't locate object method "can_handle" via package "Sys::VirtV2V::Converter::RedHat" at /usr/share/perl5/vendor_perl/Sys/VirtV2V/Converter.pm line 121.
/etc/virt-v2v.conf. If you see the following error message when attempting to convert a Windows XP guest:
virt-v2v: No app in config matches os='windows' name='virtio' major='5' minor='1' arch='i386'
/etc/virt-v2v.conf:
<app os='windows' major='5' minor='1' arch='i386' name='virtio'>
  <path>/usr/share/virtio-win/drivers/i386/WinXP</path>
</app>
<app os='windows' major='5' minor='1' arch='x86_64' name='virtio'>
  <path>/usr/share/virtio-win/drivers/amd64/WinXP</path>
</app>
certmonger utility monitors certificate expiration and can refresh certificates with the CAs (Certifying Authorities) in networks that use public-key infrastructure (PKI).
certmonger service failed to contact a CA, the subprocess that submitted the request became defunct. This occurred because the parent process did not read the subprocess status. With this update, the parent process reads the subprocess status and there is no defunct process after a CA contact failure.
ipa-getcert command with privileges that were insufficient for the system bus to allow it to communicate with the certmonger service. With this update, certmonger suppresses the original error message if a user-friendly message is available. The user can display both messages with the -v option.
ipa-getcert list command did not return any output if certmonger was not tracking any certificates. With this update, the command returns a message that the certificate list is empty.
certmonger daemon could not execute some of its helper processes. The updated policy now allows certmonger to run these processes and the certmonger libraries create temporary files in a location that certmonger can access.
ipa-getcert request command with the -p option. This occurred because certmonger failed to detect reading errors in the file with the PIN and proceeded with an empty PIN value. With this update, such reading errors are logged and certmonger proceeds as if it had read an empty PIN value.
ipa-getcert command. As a consequence, the certmonger daemon runs its ipa-submit helper. The helper contacts the IPA server. Previously, if it received a fault message response from the server, it terminated with a segmentation fault and created a core dump; the installation failed. This happened because it attempted to dereference an uninitialized pointer while processing the fault message. With this update, the helper handles the fault message correctly and the enrollment process completes successfully.
getcert command with an invalid Extended Key Usage parameter caused a segmentation fault. This happened because the command attempted to dereference a NULL pointer while attempting to report that the parameter value was not a valid OID (Object Identifier). With this update, certmonger reports that the OID validation failed and prints a message that the provided Extended Key Usage is invalid.
resubmit command works as expected.
getcert tool terminated unexpectedly with a segmentation fault if the user issued the getcert start-tracking command with changed values of the parameters Extended Key Usage, DNS, Email and Principal name. The command caused a buffer overflow in the getcert tool because the internal buffer in the getcert command was too small to hold four new values. This update enlarges the internal buffer of the command and the bug no longer occurs.
ipa-getcert and getcert commands did not accept the location of a passphrase, which could provide the encrypted keying material and allow monitoring of an already-issued certificate or key pair. This update adds the -p and -P options to the getcert start-tracking command, which allows the user to pass the utility a PIN either in a file or directly.
ipa-getcert command. This update adds the --verbose option to the command.
mount error(5): Input/output error
bt: read error: kernel virtual address: ffffffffff600000 type: "gdb_readmem_callback"
bt: cannot resolve stack trace: #0 [c09f1ef4] ia32_sysenter_target at c08208ce
multipathd daemon a command consisting only of spaces, the daemon terminated unexpectedly with a segmentation fault. With this update, the daemon is able to handle such commands and no longer crashes in this circumstance.
mpathconf command, the process could have failed. This happened when the user ran the command without any additional arguments due to a conflict of the environment variable DISPLAY with the program variable DISPLAY. With this update, all variables are unset when the script is started and the DISPLAY program variable is renamed. The environment variable DISPLAY remains unchanged when the mpathconf command is issued and the command works as expected.
path_checker function to determine the path state in such cases and the problem no longer occurs.
tgt_node_name value for iSCSI devices. This occurred because multipath used the FC (Fibre Channel) path from the sysfs file system to obtain tgt_node_name for iSCSI devices. With this update, multipath first tries to acquire the FC path. If it fails, it uses the iSCSI target name for the device.
dev_loss_tmo to a value greater than 600 in multipath.conf without setting the fast_io_fail_tmo value, the multipathd daemon failed to apply the setting. With this update, the multipathd daemon sets dev_loss_tmo for values over 600 correctly, as long as fast_io_fail_tmo is also set in the /etc/multipath.conf file.
multipath.conf file contained parameters with no value. This occurred because it was trying to acquire the string length of an optional value before verifying that a value was actually defined. With this update, multipathd first checks if the value exists and the bug is fixed.
multipathd to fail all outstanding input/output. DM-Multipath now has a new default configuration for EMC Symmetrix arrays that queues input/output for up to 30 seconds if all paths are down and the problem no longer occurs.
multipathd daemon consumed excessive memory when iSCSI devices were unloaded and reloaded. This occurred because the daemon was caching unnecessary sysfs data, which caused memory leaks. With this update, multipathd no longer caches these data; it frees the data when the associated device is removed.
sysfs device file is removed and the sysdev path attribute is set to NULL. The sysfs device cache is indexed by the actual sysfs directory, and /sys/block/pathname is a symlink. Prior to this update, if the path was deleted, multipathd was not able to find the actual directory, which /sys/block/pathname pointed to, and searched the cache. With this update, multipathd verifies that sysdev has NULL value before updating it.
multipathd daemon did not always remove the path sysfs device from its cache. The daemon kept searching the cache for the device and created sysfs devices without the vecs lock held. Because of this, paths could have pointed to invalid sysfs devices and caused multipathd to crash. The multipathd daemon now always removes the sysfs device from cache when deleting a path and accesses the cache only with the vecs lock held.
log_checker_err option was added to the multipath.conf defaults section. By default, the option is set to always and a path checker error is logged continuously. If set to once, multipathd logs a path checker error once at logging level 2. Any later errors are logged at level 3 until the device is restored.
defaults section of the multipath.conf man page implied that the settings defined in the section became default and overrode the implied settings. Since the HWTABLE cannot be overridden, the wording of the man page has been changed.
multipath.conf file. With this update, multipath prints warning messages that inform the user that the configuration file contains invalid or duplicate options and the bug is fixed.
initramfs file system was not rebuilt when a new storage device was added to the system, the new device could have been assigned a user_friendly_names value that matched the user_friendly_names value already assigned to another device. This device then stopped working correctly. The multipathd daemon now accepts a -B option, which makes the user_friendly_names bindings file read-only. When initramfs calls multipath with the -B option, devices without a binding to a user_friendly_names use their World Wide Identifier (WWID).
multipathd daemon printed add map messages whenever it received a change uevent. In order not to clutter logs, multipathd now only prints add map messages for the change uevents of the devices that are not yet monitored.
6 by default.
multipathd daemon could have terminated unexpectedly with a segmentation fault on a multipath device with the path_grouping_policy option set to the group_by_prio value. This occurred when a device path came online after another device path failed because the multipath daemon did not manage to remove the restored path correctly. With this update multipath removes and restores such paths correctly.
initramfs generator infrastructure based around udev. The initramfs is loaded together with the kernel at boot time and initializes the system, so it can read and boot from the root partition.
mkinitrd alone does not override an existing initramfs image. When this is attempted, the message stated that the --force parameter should be used, but mkinitrd only supported the short version -f of this parameter. --force was added to mkinitrd as the long version.
noiswmd or rd_NO_MDIMSM parameters specified.
/etc/multipath/bindings. multipath uses this file in initramfs when creating devices during early boot, and in the root file system during normal operation. These files were not synchronized during initramfs creation, which resulted in naming conflicts that prevented new multipath devices from being created after boot. To work around this, the bindings for the devices in /etc/multipath/bindings must be included in the initramfs. This can be done by running dracut -f.
/etc/multipath directory to the initramfs.
ip=ibft parameter is specified on the kernel command line.
initramfs, if the host on which it was running had no multipath root device. multipath support is now added to the initramfs unconditionally.
initramfs did not exclude those volumes and kept them busy. The udev rules in the initramfs were updated to honor the DM_UDEV_DISABLE_OTHER_RULES_FLAG, which fixes this issue.
initramfs, which resulted in all encrypted devices not being activated. The missing checksum files have been replaced, and this issue no longer occurs. Note however that the dracut-fips must be installed at initramfs creation time.
initramfs with user_friendly_names set, if it did not find existing mappings in /etc/multipath/bindings, it created new mappings. These mappings could conflict with the user_friendly_names set in the normal filesystem's /etc/multipath/bindings file. dracut now starts the multipathd daemon with the new -B option so that multipath treats the initial bindings file as read-only.
USE_BIOSDEVNAME variable in the parse-biosdevname.sh script was not initialized correctly, which caused an unexpected operator error. This issue was discovered and corrected during development, and did not occur in any production system in the field.
-l or --local parameter, or set the dracut base directory via the dracutbasedir environment variable, dracut wrote its log to /tmp/dracut.log, which could possibly allow local users to overwrite arbitrary files that were writable to the user running dracut, via a symlink attack. dracut now stores the logfile in $HOME/dracut.log, when in -l or --local mode, if /var/log/dracut.log is not writeable.
/var/log/dracut.log file was not created automatically, preventing dracut from writing its logs. dracut now creates its log files if they do not exist.
boot parameter did not work when the machine was booted in FIPS mode, resulting in numerous mount errors, failed FIPS integrity tests, and dracut refusing to continue. This issue has been corrected, and the boot parameter can now be used to specify a boot device, as expected.
/boot must reside on a non-encrypted, plain (no LVM or RAID) partition, which can be specified with boot=<boot partition> as a boot option on the kernel command line.
fips.sh script did not wait for the boot drive to be created, which resulted in an error because the file system type did not exist yet. This has been corrected, and the script now waits for the boot drive to be identified.
fcoe=edd:nodcb or fcoe=edd:dcb is specified on the kernel command line. ifname= is not needed in this case.
rdinsmodpost=[module], which allows a user to specify a kernel module to be loaded after all device drivers are loaded automatically.
initramfs, adding support for FIPS-140.
Error: no partition information on disk [device]. Cowardly refusing to create a boot option.
libgnomevfs-WARNING **: Deprecated function. User modifications to the MIME database are no longer supported.
strstr() and memmem() functions did not handle certain periodic patterns correctly and could find a false positive match. This error has been fixed, and both functions now work as expected.
sqrtl, sometimes returned an incorrect result if the relative magnitude difference between the high and low halves of the long double exceeded a certain number. This occurred because one of the variables used in the calculation was an unsigned integer. The integer is now signed and the function works correctly.
futex(FUTEX_WAKE_OP) method did not default to futex(FUTEX_WAKE) when FUTEX_WAKE_OP was not supported by the kernel. This resulted in the method always failing on these systems. The code change in glibc pthread_cond_signal() that caused this issue has now been corrected.
%_enable_debug_packages was either not set, or set to 0. This has been corrected so that debug packages need not be set or enabled in order to build the glibc RPM.
strchr did not handle its second parameter correctly when %rdi was aligned to a 16-byte boundary and glibc was enabled for multiple architectures on AMD64 or Intel 64 systems with CPUs that supported Supplemental Streaming SIMD Extension (SSE) 4.2. The method would therefore output incorrect results. This has been corrected, and strchr now gives the expected output.
hwcap 1 nosegneg was set in /etc/ld.so.conf.d/nosegneg.conf, causing the incorrect library to be used. This has been corrected so that the nosegneg libraries are loaded.
sysconf(_SC_*CACHE) method returned 0 for all caches on systems with Intel Xeon processors. This occurred because glibc used cpuid leaf 2 rather than cpuid leaf 4. This update uses cpuid leaf 4 where possible, resolving this issue.
strncmp method failed with a segmentation fault when used with Supplemental Streaming SIMD Extension 4 (SSE4). Several checks have been implemented to prevent this.
memcpy(), strcasecmp(), strnlen(), strcasestr() and strncasestr().
memset operation.
=~ operators and the strings were thus matched as literal strings. However, they should be matched as regular expressions. With this update, the quotes were dropped and the strings are matched as regular expressions as expected.
/dev/rtc device even if it did not exist. With this update, initscripts verifies if the /dev/rtc device exists before attempting to run the hwclock tool.
ifdown command could have failed to stop an NIC (Network Interface Controller) with a warning that the connection was unknown. This happened because, in some cases, the function, which verifies whether the NIC is managed by NetworkManager, returned an incorrect result. With this update, the function returns the correct result and the ifdown command stops the NIC correctly.
/ directory, the system could have failed to remount the root directory as a read-only file system on shutdown. This occurred because the script attempted to remount the defined bind mount instead of the root directory. With this update, the root directory is remounted successfully.
tty.conf and serial.conf files have been modified to have the login shell stopped when changing to runlevels S and the problem no longer occurs.
tty.conf file contained a comment with a typographical mistake ("sepcified"). With this update, the word is spelled correctly ("specified").
0. With this update, this tag value is allowed.
/etc/sysconfig/clock file did not document where the user can configure whether the hwclock tool should be using the local time or UTC (Coordinated Universal Time). This update adds comments documenting the setting location into the sysconfig.txt file.
/etc/ppp/ipv6-up and /etc/ppp/ip-up.ipv6to4 scripts used the incorrect alias ipv6_exec_ip and failed to bring up the routes. This update modifies the scripts so that they use the ip command and the routes are now brought up as expected.
DEVICETYPE variable was calculated incorrectly. This happened because the calculation preserved the period (.) sign in the device name. This could have caused failure of the ifup-ib and ifdown-ib scripts. With this update, DEVICETYPE is resolved correctly.
kdump service is disabled in runlevel 1, the script freed the memory reserved for kdump. After the user changed from runlevel 1 to runlevel 3, which has kdump enabled, the system had set reserved memory size to 0 and kdump failed to start up. With this update, the kexec-disable job is no longer run in runlevel 1.
shmmax (maximum size of a shared memory segment) and shmall (maximum size of the total shared memory) values. However, the values vary depending on the system architecture. This update provides the settings of these values for various architectures.
#) signs, which were forbidden in such names. With this update, interface names can contain hash (#) signs and the problem no longer occurs.
.) signs used by the sysctl device, which were delimiting the paths, and the period (.) signs used by VLANs, which were delimiting IDs. This caused all sysctl calls to the VLAN interfaces to fail. With this update, when calling a sysctl device, initscripts substitutes the periods in its name with forward slash (/) signs and the sysctl calls to a VLAN interface succeed.
MASTER in double quotes (for example, as "bond0"). With this update, the respective scripts have been adapted to parse the value definition correctly even if double-quoted.
ifdown command could have failed to stop a bridge device with a warning that the connection was unknown. This happened because the function, which verified whether the device is managed by NetworkManager, returned an incorrect result. With this update, the function returns a correct result and the ifdown command stops the bridge device correctly.
eth prefix followed by digits. If the user provided a name, which did not follow these requirements, the interface could not be started or stopped. With this update, the user can provide a custom name and the interface can be operated correctly.
/etc/mdadm.conf file existed and could have failed if mdadm was not installed. With this update, the script first verifies if the mdadm tool is installed and only then runs its binary.
brcm_iscsiuio usage message displayed in response to the brcm_iscsiuio --help command contained two unsupported options: --foreground and --pid. The man page omitted five supported options: --debug, --help, -h, -p and --version. The unsupported options have been removed from the usage message, and all supported options have been added to the brcm_iscsiuio man page.
iscsiadm usage message displayed in response to the iscsiadm --help command omitted 24 supported options. Additionally, the iscsiadm man page omitted one supported option (--host) and contained one unsupported option (--info). These errors have now been corrected.
--portal argument when in "node" mode. This resulted in failure, because iscsiadm expected the value returned during discovery as the value for --portal. iscsiadm now attempts to match a host name to the IP address returned during discovery, so this issue no longer occurs.
b43 driver in the Linux kernel. If a system had an active wireless interface that uses the b43 driver, an attacker able to send a specially-crafted frame to that interface could cause a denial of service. (CVE-2011-3359, Moderate)
tpm_read() could allow a local, unprivileged user to read the results of a previously run TPM command. (CVE-2011-1162, Low)
perf tool, a part of the Linux kernel's Performance Events implementation, could load its configuration file from the current working directory. If a local user with access to the perf tool were tricked into running perf in a directory that contains a specially-crafted configuration file, it could cause perf to overwrite arbitrary files and directories accessible to that user. (CVE-2011-2905, Low)
AGPGART driver implementation when handling certain IOCTL commands could allow a local user to cause a denial of service or escalate their privileges. (CVE-2011-1745, CVE-2011-2022, Important)
agp_allocate_memory() could allow a local user to cause a denial of service or escalate their privileges. (CVE-2011-1746, Important)
skb_gro_header_slow() in the Linux kernel could lead to GRO (Generic Receive Offload) fields being left in an inconsistent state. An attacker on the local network could use this flaw to trigger a denial of service. GRO is enabled by default in all network drivers that support it. (CVE-2011-2723, Moderate)
PERF_COUNT_SW_CPU_CLOCK counter overflow. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2011-2918, Moderate)
tpacket_rcv() and packet_recvmsg() functions in the Linux kernel. A local, unprivileged user could use these flaws to leak information to user-space. (CVE-2011-2898, Low)
ibmvscsi driver to reset its CRQ, re-registering the CRQ returned H_CLOSED, indicating that the Virtual I/O Server was not ready to receive commands. As a consequence, the ibmvscsi driver offlined the adapter and did not recover. With this update, the interrupt is re-enabled after the reset so that when the Virtual I/O server is ready and sends a CRQ init, it is able to receive it and resume initialization of the VSCSI adapter.
vmcore file after triggering a crash on POWER7 systems with Dynamic DMA Windows enabled. This update provides a number of fixes that address this issue.
mark_tech_preview() function, which would cause kernel lock debugging to be disabled by the add_taint() function. However, the NFS and CIFS modules depend on the FS-Cache module so using either NFS or CIFS would cause the FS-Cache module to be loaded and the kernel tainted. With this update, FS-Cache only taints the kernel when a cache is brought online (for instance by starting the cachefilesd service) and, additionally, the add_taint() function has been modified so that it does not disable lock debugging for informational-only taints.
FSFREEZE ioctl() command to freeze an ext4 file system and mmap I/O operations would result in a deadlock if these two operations ran simultaneously. This update provides a number of patches to address this issue, and a deadlock no longer occurs in the previously-described scenario.
LBA > 0xffffffff & cdb_len < 16 condition, then converts the CDB from the OS to a 16 byte CDB, before firing it as a FastPath I/O operation.
vcpus > 1) during the installation. As soon as the installation started after booting from ISO, a blue screen with the following error occurred:
A problem has been detected and windows has been shut down to prevent damage to your computer.
[bnx2x_extract_max_cfg:1079(eth11)]Illegal configuration detected for Max BW - using 100 instead
bnx2x interfaces in the multi-function mode which were not used and had no link, thus, not indicating any actual problems with connectivity. With this update, the message has been removed and no longer appears in kernel log files.
inet6_sk_generic() function was using the obj_size variable to compute the address of its inner structure, causing memory corruption. With this update, the sk_alloc_size() is called every time there is a request for allocation, and memory corruption no longer occurs.
CAP_NET_ADMIN capability, to cause a denial of service or escalate their privileges on systems that have an active wireless interface. (CVE-2011-2517, Important)
napi_reuse_skb() to be called on VLAN packets. An attacker on the local network could use this flaw to send crafted packets to a target, possibly causing a denial of service. (CVE-2011-1576, Moderate)
next_pidmap() could allow a local, unprivileged user to cause a denial of service. (CVE-2011-1593, Moderate)
ksm/ksmtuned services. (CVE-2011-2183, Moderate)
inet_diag_bc_audit() could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2213, Moderate)
fallocate() request, it could result in a denial of service. Setting quotas to prevent users from using all available disk space would prevent exploitation of this flaw. (CVE-2011-2689, Moderate)
sigqueueinfo system call, with si_code set to SI_TKILL and with spoofed process and user IDs, to other processes. This flaw does not allow existing permission checks to be bypassed; signals can only be sent if your privileges allow you to already do so. (CVE-2011-1182, Low)
/proc/[PID]/io is world-readable by default. Previously, these files could be read without any further restrictions. A local, unprivileged user could read these files, belonging to other, possibly privileged processes to gather confidential information, such as the length of a password used in a process. (CVE-2011-2495, Low)
UNCHECKED NFS CREATE call when an open system call was attempted with the O_EXCL|O_CREAT flag combination. An EXCLUSIVE NFS CREATE call should have been used instead to ensure that O_EXCL semantics were preserved. As a result, an application could be led to believe that it had created the file when it was in fact created by another application.
ehea driver caused a kernel oops during a memory hotplug if the ports were not up. With this update, the waitqueues are initialized during the port probe operation, instead of during the port open operation.
be2net cards firmware may not recognize certain commands and return illegal/unsupported errors, causing confusing error messages to appear in the logs. With this update, the driver handles these errors gracefully and does not log them.
be2net driver to work in a kdump environment. It clears an interrupt bit (in the card) that may be set while the driver is probed by the kdump kernel after a crash.
hpsa driver has been updated to provide a fix for hpsa driver kdump failures.
CONFIG_XEN_MAX_DOMAIN_MEMORY=128.
do_wp_page function to reuse the wrprotected page before PageKsm would be set in page->mapping. With this update, a new version of the original fix was introduced, thus fixing this issue.
gfs2_grow, the file system became unresponsive. This was due to the log not getting flushed when a node dropped its rindex glock so that another node could grow the file system. If the log did not get flushed, GFS2 could corrupt the sd_log_le_rg list, ultimately causing a hang. With this update, a log flush is forced when the rindex glock is invalidated; gfs2_grow completes as expected and the file system remains accessible.
md driver would enter an infinite resync loop thinking there was a spare disk available, when, in fact, there was none. This update adds an additional check to detect the previously mentioned situation; thus, fixing this issue.
Rx checksum offloading. These bugs caused corruption of data transferred over the r8169 NIC when Rx checksum offloading was enabled.
pvclock.h function was missing an output constraint for EDX which caused a register corruption to appear. As a result, Red Hat Enterprise Linux 3.8 and Red Hat Enterprise Linux 3.9 KVM guests with a Red Hat Enterprise Linux 6.1 KVM host kernel exhibited time inconsistencies. With this update, the underlying source code has been modified to address this issue, and time runs as expected on the aforementioned systems.
be2net driver was using the BE3 chipset in legacy mode. This update enables this chipset to work in a native mode, making it possible to use all 4 ports on a 4-port integrated NIC.
ipip_init()
function in the ipip
module, and in the ipgre_init()
function in the ip_gre
module, could be called before network namespaces setup is complete. If packets were received at the time the ipip
or ip_gre
module was still being loaded into the kernel, it could cause a denial of service. (CVE-2011-1767, CVE-2011-1768, Moderate)
mmap()
call with the MAP_PRIVATE
flag on /dev/zero
would create transparent hugepages and trigger a certain robustness check. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2011-2479, Moderate)
lost+found
directory on a file system with inodes of size greater than 128 bytes and reusing inode 11 for a different file caused the extended attributes for inode 11 (which were set before a umount
operation) to not be saved after a file system remount. As a result, the extended attributes were lost after the remount. With this update, inodes store their extended attributes under all circumstances.
dinode
's i_nlink
value to assure inode operations such as link, unlink, or rename no longer cause the aforementioned problems.
cgroupfs
file system due to the way security checks were applied to the new cgroupfs inodes during the mount
operation. With this update, the security checks applied during the mount operation have been changed so that they always succeed, and the cgroupfs
file system can now be successfully mounted and used with the MLS SELinux policy. This issue did not affect systems which used the default targeted
policy.
mpt2sas driver could occur on an IBM system using a drive with SMART (Self-Monitoring, Analysis and Reporting Technology) issues. This was because the driver was sending an SEP request while the kernel was in the interrupt context, causing the driver to enter the sleep state. With this update, a fake event is not executed from the interrupt context, assuring the SEP request is properly issued.
queue_mapping value was not properly decremented because the VLAN devices called the physical devices via the ndo_select_queue method. This update removes the multiqueue functionality, resolving this issue.
netif_set_real_num_tx_queues() function which prevented an increment of the real number of TX queues (the real_num_tx_queues value). This update adds the missing code, thus resolving this issue.
scan_dispatch_log function to ensure the dispatch log has been allocated.
__cache_alloc() function, the ac variable could be changed after cache_alloc_refill() and the following kmemleak_erase() function could receive an incorrect pointer, causing a kernel panic. With this update, the ac variable is updated after the cache_alloc_refill() unconditionally.
isr_ack variable), a virtual guest could become unresponsive when migrated while being rebooted. With this update, the said variable is properly initialized, and virtual guests no longer hang in the aforementioned scenario.
intel_iommu=on boot option. With this update, the underlying source code of the intel-iommu driver has been modified to resolve both of these problems. A forced flush is now used to avoid the lazy use after free issue, and extra checks have been added to avoid the erroneous reference removal.
mmap system call on the AMD64 architecture could return a pointer which appeared to be of value negative even though pointers are normally of unsigned values. This resulted in the success field being incorrect. This patch fixes the success field for all system calls on all architectures.
prot->obj_size pointer had to be adjusted in the proto_register function. Prior to this update, the adjustment was done only if the alloc_slab parameter of the proto_register function was not 0. When the alloc_slab parameter was 0, drivers performed allocations themselves using sk_alloc and as the allocated memory was lower than needed, a memory corruption could occur. With this update, the underlying source code has been modified to address this issue, and a memory corruption no longer occurs.
/proc/diskstats file showed erroneous values. This occurred when the kernel merged two I/O operations for adjacent sectors which were located on different disk partitions. Two merge requests were submitted for the adjacent sectors, the first request for the second partition and the second request for the first partition, which was then merged to the first request. The first submission of the merge request incremented the in_flight value for the second partition. However, at the completion of the merge request, the in_flight value of a different partition (the first one) was decremented. This resulted in the erroneous values displayed in the /proc/diskstats file. With this update, the merging of two I/O operations which are located on different disk partitions has been fixed and works as expected.
kprobe (a dynamic instrumentation system), and enhances the performance of SystemTap.
setup_arg_pages() in the Linux kernel. When making the size of the argument and environment area on the stack very large, it could trigger a BUG_ON(), resulting in a local denial of service. (CVE-2010-3858, Moderate)
bcm_release() and raw_release() functions in the Linux kernel's Controller Area Network (CAN) implementation. This could allow a local, unprivileged user to cause a denial of service. (CVE-2011-1598, CVE-2011-1748, Moderate)
cifs_close() function in the Linux kernel's Common Internet File System (CIFS) implementation. A local, unprivileged user with write access to a CIFS file system could use this flaw to cause a denial of service. (CVE-2011-1771, Moderate)
bna driver, specifically:
bna driver control path state machine and firmware did not receive a notification of the crash, and, as a result, were not shut down cleanly.
ixgbe driver to use the kernel's generic routine to set and obtain the DCB (Data Center Bridging) priority. Without this fix, applications could not properly query the DCB priority.
%p format specifier (which is used to show the memory address value of a pointer).
bfa driver) has been upgraded to version 2.3.2.4. Additionally, this update provides the following two fixes:
release_firmware() function not being called after the request_firmware() function. Similarly, the firmware download interface has been fixed and now works as expected.
bfa I/O control state machine and firmware did not receive a notification of the crash, and, as a result, were not shut down cleanly.
0 to /proc/sys/fs/leases-enable (ideally on boot, before the nfs server is started). This change prevents NFSv4 delegations from being given out, restoring correctness at the expense of some performance.
disk = [ 'file:/var/lib/xen/images/rhel6-guest.dsk,hda,w', ]
disk = [ 'tap:aio:/var/lib/xen/images/rhel6-guest.dsk,hda,w', ]
NMI watchdog disabled for cpu1: unable to create perf event: -2
JBD: Spotted dirty metadata buffer (dev = sda10, blocknr = 17635). There's a risk of filesystem corruption in case of system crash.
ACPI Error: Illegal I/O port address/length above 64K: 0x0000000000400020/4 (20090903/hwvalid-154) ACPI Exception: AE_LIMIT, Returned by Handler for [SystemIO] (20090903/evregion-424) ACPI Error (psparse-0537): Method parse/execution failed [\_GPE._L09] (Node ffff8800797cd298), AE_LIMIT ACPI Exception: AE_LIMIT, while evaluating GPE method [_L09] (20090903/evgpe-568)
Unable to handle kernel paging request for data at address 0x00000468 Oops: Kernel access of bad area, sig: 11 [#1]
NMI: IOCK error (debug interrupt?)
perf subsystem's trace command has been replaced with the script command. Users should now use the script command.
kexec fastboot mechanism allows booting a Linux kernel from the context of an already running kernel. The kexec-tools package provides the /sbin/kexec binary and ancillary utilities that form the user-space component of the kernel's kexec feature.
kdump crash recovery service allows users to specify a raw device (that is, a raw disk or partition) as a target location for core dumps. Previously, when a kernel crash occurred and a core dump was written to such a raw device, kdump was unable to retrieve it after a reboot. With this update, the corresponding init script has been updated to search the configured raw device for the presence of a core dump upon the service startup. Now, when the kdump service is started and a core dump is found on the raw device, the init script retrieves it and creates a proper vmcore file in a local file system.
kdump.conf(5) manual page did not provide a description of the blacklist directive. This update corrects this error, and the blacklist directive is now included in the “OPTIONS” section of the kdump.conf(5) manual page as expected.
kdump crash recovery service were presented to a user in the original English version. This update corrects this error, and the Kdump section of the firstboot application no longer contains untranslated strings.
/etc/modprobe.d/modprobe.conf file caused the utility to stop responding. With this update, this error no longer occurs, and mkdumprd now works as expected.
kdump service did not take into account the value of the path option in the /etc/kdump.conf configuration file, and always saved the vmcore file to the /var/crash/ directory. This update adapts the corresponding init script to ensure that kdump uses the directory specified in the configuration.
/usr/sbin/ directory.
kdump service to store core dumps over a network on a system that used channel bonding or bridging caused the mkdumprd utility to display the following error message on the service startup:
Netmask is missed!
kdump crash recovery service is unable to operate in Xen environment. With this update, an attempt to start kdump in such an environment fails with the “Kdump is not supported on this kernel” message.
/etc/kdump.conf configuration file contains the following line:
#core_collector cp --sparse=always
/bin/cp in the initial RAM disk (that is, by using the extra_bins directive) would cause the kdump crash recovery service to fail. This update corrects this error, and the above line is now followed by #extra_bins /bin/cp.
ml_IN language code), certain keyboard shortcuts on the Kdump screen did not work. This update corrects the Malayalam translation of the firstboot application, and all shortcuts can now be used as expected.
ml_IN language code), the first paragraph on the Kdump screen contained an incorrect string. This update adapts the Malayalam translation of the firstboot application, and the Kdump screen is now translated correctly.
kdump service on a system with a large amount of memory (that is, 1TB and more) caused kdump to terminate unexpectedly with a segmentation fault. With this update, the underlying source code has been adapted to address this issue, and kdump no longer crashes.
kdump may have failed to resolve an IP address when storing a core dump to a remote server. This update corrects this error, and kdump no longer fails.
kdump crash recovery service failed to start on IBM System x3850 X5 machines. This update applies an upstream patch that extends the size of kcore ELF headers. Now, kdump can be started on such machines as expected.
kdump service to store core dumps to a remote machine over the SSH protocol and changing the core collector to cp caused it to name core dump files vmcore.flat, even when the SCP (Secure Copy) protocol was used. This update corrects this error, and kdump now only uses the .flat file extension when the makedumpfile utility is used as the core collector.
kdump, the screen of the firstboot application incorrectly displayed the Enable kdump? check box as selected, but did not allow a user to change it. This error has been fixed, and the Enable kdump? check box is no longer displayed when the kdump service cannot be configured.
Insufficient memory to configure kdump!
kdump is not running before displaying this message.
initrd). This update adapts mkdumprd to use the /boot/ directory in this case. As a result, mounting the root partition as a read-only file system no longer renders mkdumprd unable to create an initial RAM disk.
kdump crash recovery service unable to recognize the disk drive. This update adapts the mkdumprd utility to ignore disk drive firmware revisions, and kdump now works as expected.
hpsa and cciss drivers, kdump is unable to save core dumps to certain HP Smart Array Controllers that use these drivers. This update ensures that the kdump service is disabled on such controllers.
crashkernel kernel parameter (such as crashkernel=4G-:256M) caused the firstboot application to terminate unexpectedly during the configuration of kdump. This update applies a patch to address this issue, and firstboot no longer crashes.
ru_RU language code) of the firstboot application, the first paragraph on the Kdump screen incorrectly contained the — string. This update corrects this error, and the Kdump section of the firstboot application is now translated correctly.
makedumpfile -V command caused the makedumpfile utility to terminate unexpectedly with a segmentation fault. This update applies an upstream patch that removes -V from the list of supported command line options, and running the above command no longer causes makedumpfile to crash.
kdump service to store core dumps to a raw device caused it to display a message similar to the following when a kernel crash occurred:
kill: cannot kill pid 887: No such process
kdump no longer display the above error message upon a kernel crash.
kdump service recovers the dump file at next startup. Previously, an attempt to use this configuration without the core_collector option specified in the configuration file caused kdump to fail to recover the core dump. With this update, the underlying source code has been adapted to use the makedumpfile utility by default, and kdump is now able to recover core dumps as expected.
kdump crash recovery service, a dialog box appears and prompts a user to reboot the system in order for the changes to take effect. Previously, closing this dialog box by clicking the button had the same effect as clicking , and incorrectly initiated the system restart. This error no longer occurs, and clicking the button now only closes the dialog box as expected.
kdump service may have failed to create a core dump with the following error:
readmem: Can't read the dump memory(/proc/vmcore). Cannot allocate memory
kdump no longer fails to store the core dump.
tmpfs file system, rendering the kdump service unable to start in a diskless environment. With this update, the underlying source code has been adapted to allow the use of the tmpfs file system, so that kdump is now able to start on diskless nodes as expected.
-d option) set to 16 or 31 may have caused the utility to fail. This update applies a patch that addresses this issue, and makedumpfile now works as expected.
--override-resettable option. This allows system administrators to start the kdump service on otherwise unsupported devices, such as HP Smart Array Controllers that use the hpsa or cciss driver.
kdump crash recovery service was unable to find an LVM device identified by a universally unique identifier (UUID). Consequent to this, when a system crashed, kdump may have failed to write a core dump to such a device. This update fixes this error, and kdump now locates LVM devices according to their UUIDs as expected.
/etc/kdump.conf configuration file.
mkmountpoint and umount-all commands are considered incompatible. Mount points created with the mkmountpoint command become invalid after the umount-all command is used. This is now documented in the guestfish man page. Customers should note that it is possible to safely unmount devices that were mounted with mkmountpoint by using the umount command.
-net and vlan=... options in the qemu package are deprecated. To avoid relying on these deprecated options, libguestfs now uses the -netdev option instead.
vfs-type command could not determine the type of a file system newly created by guestfish. This occurred because the vfs-type command tried to read the type from a cache file (blkid.c) that had not yet been updated. The cache file is now deleted between file system creation and attempting to read the file system type, resulting in updated file system information for vfs-type to read.
$HOME variable was not set, guestfish did not expand a path containing ~ (tilde) into a path to the user's home directory. Guestfish now examines the current user's passwd file for the location of the user's home directory so that a path containing ~ can be expanded correctly.
umask. This has been corrected, and guestfish commands that return integers now return them in the natural radix for that number.
get-e2uuid command retrieved file system UUIDs via tune2fs -l. This failed on journaling block devices (JBDs) and other devices that were not second, third or fourth extended file systems (ext2, ext3 or ext4). get-e2uuid has been reimplemented so that it retrieves UUIDs via blkid instead of tune2fs -l, resolving this issue. However, since the get-e2uuid command has been deprecated, customers are advised to retrieve UUIDs with the vfs-uuid command instead.
virt-ls at the command line. The following has been added to the libguestfs documentation:
Libvirt guest names can contain arbitrary characters, some of which have meaning to the shell such as # and space. You may need to quote or escape these characters on the command line. See the shell manual page sh(1) for details.
virt-list-filesystems at the command line. The following has been added to the libguestfs documentation:
Libvirt guest names can contain arbitrary characters, some of which have meaning to the shell such as # and space. You may need to quote or escape these characters on the command line. See the shell manual page sh(1) for details.
checksum command contained a file descriptor that was not closed properly in an error path. If the checksum command resulted in an error, this would later prevent the file system from being unmounted with either umount or umount-all. The file descriptor is now closed properly on the error path, so an error in checksum no longer causes problems unmounting file systems.
/etc/fstab of a guest machine contained a reference to a floppy disk (/dev/fd0), both virt-inspector and virt-v2v printed the following harmless warning during inspection or conversion:
unknown filesystem /dev/fd0
/etc/fstab.
/etc/fstab of a guest machine contained a reference to a CD-ROM drive (/dev/hdc), both virt-inspector and virt-v2v printed the following harmless warning during inspection or conversion:
unknown filesystem /dev/hdc
/etc/fstab.
virt-filesystems command failed when used against a guest which had a missing or corrupt file system label. This command has been updated to handle guest file systems with missing or corrupt file system labels.
/etc/fstab did not exist, the guestfish -i command failed with a "No such file or directory" error. In the event of missing devices, guestfish now completes, and reports that some file systems could not be mounted.
libguestfs: trace:) is now added to the beginning of each line of the trace output so that it can be easily distinguished and filtered out of logs with the grep command or similar.
virt-make-resize. This reference should have been to the virt-make-fs tool. The man page has been corrected.
set-trace command was not prepared to handle all possible error conditions. This resulted in a segmentation fault when attempting to handle several conditions. The command now handles trace errors separately, so the segmentation fault no longer occurs.
/etc/fstab of a guest machine contained a reference to a virtio disk (/dev/vda1), virt-inspector printed a warning and ignored the virtio disk. The warning has been suppressed, and virtio disks are now recognized by virt-inspector.
libvirt library to upstream version 0.8.7, fix a number of bugs, and add various enhancements and new features are now available for Red Hat Enterprise Linux 6.
CHANGELOG file installed to /usr/share/doc/libvirt-0.8.7 when the updated package is installed.
virDomainSetMemory() setting, making it impossible to set a hard limit on guest memory consumption. New virDomainGetMemoryParameters and virDomainSetMemoryParameters methods have been introduced to allow users to fine-tune and enforce memory limits.
downtime setting is increased. However, libvirt was sending an incorrectly formatted request to increase the downtime setting of a guest. This update corrects the format of this request to assist in live migration completion.
virsh managedsave dom) even if it failed to restore and start the domain using that file. This caused data loss. The managed state file is now removed only if the restore operation succeeds.
%post script (part of the libvirt-client package) started the libvirt-guests service even when the service was explicitly turned off. The libvirt-guests service is no longer started when explicitly turned off.
virsh vcpuinfo or setting up virtual CPU pinning on a host machine that used NUMA, virsh vcpuinfo showed the incorrect number of virtual CPUs. Virtual CPU pinning could also fail because libvirt reported an incorrect number of CPU sockets per NUMA node. Virtual CPUs are now counted correctly.
/var/lib/libvirt directory to change when a system was upgraded. With this update, correct permissions are assigned to the aforementioned directory.
<boot> element has been introduced, which can be used to specify the exact order of boot devices.
dnsmasq with the correct options so that these statically configured addresses are properly served to the guests.
virsh freecell command could be run with an invalid (non-integer) argument without error, and the free memory for node 0 would still be printed. The validity of the argument is now checked, and an error message is now printed when an invalid value is detected.
virsh detach-interface command was used on a domain with multiple NICs, but a particular MAC address was not specified with --mac, virsh detached the first interface without error. The --mac option is now required where a domain has multiple NICs, and an appropriate error message has been added.
virsh attach-disk, virsh set phy as the driver value by default. Because this value is not supported everywhere, the disk did not persist over domain shutdown, and could prevent domain startup. This update corrects virsh behavior such that the driver value is not set if it is not provided by the user.
setvcpus commands resulted in unknown errors. More useful error messages have been added to this command.
auth data caused unrelated data to be overwritten, which caused a crash in libvirt. The error has been corrected, and auth can now be set without issue.
forward-delay or stp-enable parameters. The string is no longer freed prematurely, and in the event of a problem with these parameters, users receive a specific error message.
openssl x509 -in clientcert.pem -text). This command has been replaced with the following command, which gives more helpful, accurate output:
certtool -i --infile /etc/pki/libvirt/clientcert.pem
--all option has been added to the virsh freecell command to allow the command to iterate across all nodes instead of forcing users to run the command manually on each node. virsh freecell --all will list the free memory on all available nodes.
-redhat-disable-KSM flag.
virsh documentation has been updated to clarify usage of the cpu_shares parameter.
virsh documentation has been updated to remove references to the deprecated virt-mem command.
virsh documentation for the setvcpus, setmem, and setmaxmem sub-commands has been updated to correct and expand the information available for these sub-commands.
libvirtd. Access it with the man libvirtd command.
root or luci attempted to run the luci init script, the service failed to start and a traceback was written to standard error. With this update, the init script has been corrected to terminate with exit code 4 in this case.
luci.log log file. This error has been fixed, and luci now correctly displays “Unknown fence device type” when an unknown or unsupported fence device is encountered.
luci.log log file:
DeprecationWarning: BaseException.message has been deprecated as of Python 2.6
cluster.conf configuration file or shut down the clustering on the nodes. This update corrects this error, and users are now allowed to completely destroy a whole cluster by selecting all of its nodes and clicking the Delete button.
ricci daemon encountered an error, the previous version of luci did not present this error to a user and displayed a generic error message instead. In order to make it easier to determine the cause of such errors, this update adapts luci to display the error messages reported by ricci.
fence_scsi from being unfenced at boot time. With this update, the underlying source code has been adapted to provide this functionality, and users are now allowed to configure unfencing from the user interface.
No nodes from this cluster could be contacted. The status of this cluster is unknown.
nodename parameter for the fence_scsi fence agent correctly. This update corrects this error, and the nodename parameter is now handled properly.
fence_egenera fence agent correctly. With this update, the underlying source code has been modified to address this issue, and the username for fence_egenera is now handled correctly.
luci.log log file. This error no longer occurs, and users are now allowed to configure such nodes as expected.
luci.log log file:
AttributeError: 'ClusterNode' object has no attribute 'getID'
OracleListener and OracleInstance resource agents has been added.
ricci daemon on an interface different from the one that is used for the cluster communication.
fence_cisco_ucs fence agent has been added.
fence_rhev fence agent has been added.
fence_brocade to the list of supported fence agents.
request failed: error reading the headers
PKCS#11 module interface used a wrong object type which caused it to return an object with an invalid CKA_CERTIFICATE_TYPE attribute. With this update, the softokn PKCS#11 module interface uses the correct object type.
IPv6 is enabled caused it to enter a loop in the test part of the rebuild. With this update, the selfserv test tool has been modified to use a dual-stack IPv6 listening socket, which can accept connections from both IPv4 and IPv6 clients.
certutil -H command was missing the -W option (which changes the password to a key database). With this update, the -W option has been added to the help page.
pk12util command) did not work for private keys placed in the /etc/pki/nssdb/ directory due to permission restrictions. This update addresses this issue, and the nss-sysinit module now enables the root user to import private keys.
“This Connection is Untrusted.” error even though the web page had a valid security certificate. With this update, this issue has been fixed and visiting the specific web site no longer returns SSL errors.
PKCS#8 encoded PEM (Privacy Enhanced Mail) RSA private key files could not be read by nss and resulted in an error when being imported. With this update, nss correctly handles the aforementioned files.
SECKEY_DestroyPublicKey(SECKEY_ImportDERPublicKey(…)) function.
pkcs11.txt file, it took the current umask (user mask) into account. However, if run with restrictive umask settings, the pkcs11.txt file could be created with permissions that did not allow non-privileged users to read it. This could cause nss-sysinit to remain disabled even when it was intended to be enabled. With this update, the permissions of the pkcs11.txt file are changed at the end of the run of the setup-nsssysinit.sh script, fixing this issue.
%verify(not md5 size mtime) declarations have been added to the configuration files.
OpenLDAP command and using the LDAPTLS_CACERTDIR variable to pass in an arbitrary directory containing other directories caused the command to abort because OpenLDAP tried to pass down the directory as a file. With this update, specified files that are directories are properly rejected in the aforementioned case.
PayPalEE.cert certificate expired on Oct 31, 2010, which caused the nss package to fail to build. This update prolongs this expiration date of this certificate, and the nss package no longer fails to build.
Error parsing *roff command from file /usr/share/man/man8/nslcd.8.gz
README.nss file. This update adds the file to the documentation.
crm_standby not available, check your installation
AttributeError: 'PackageKitYumBase' object has no attribute 'prerepoconf'
ERROR: pam_pkcs11.c:334: no suitable token available
ERROR: pam_pkcs11.c:445: open_pkcs11_login() failed: Login incorrect
pydoc -k command performs a keyword search of the synopses in all installed Python modules. This command failed on modules that did not import, resulting in a traceback. pydoc -k now ignores modules that have import exceptions, allowing searches on the remaining modules.
commands module selftests was corrected.
lib2to3. This update adds the missing content to the subpackage.
in operator for dbm mappings erroneously returned False for all keys on big-endian 64-bit builds of Python (64-bit PowerPC and IBM System z). This update fixes this issue.
_sqlite3.so module was removed. Execution and "#!" lines from .py files within the standard library that did not require these lines were also removed.
urllib2 module ignored the no_proxy variable for the FTP scheme. This could lead to programs such as yum erroneously accessing a proxy server for ftp:// URLs covered by a no_proxy exclusion. The no_proxy variable now overrides the ftp_proxy variable, enforcing this exclusion.
gdb (configured using the --with-python option) on python applications to generate backtraces caused a traceback error. python-gdb.py, the python module that deals with the case of debugging a python process, was updated to prevent this.
urllib2 module resulted in infinite recursion. This behavior has been patched, and urllib2 now attempts authentication a maximum of five times before authentication is considered failed.
ulimit -n to enable communication with large numbers of subprocesses could still monitor only 1024 file descriptors at a time, due to the subprocess module using the select system call. This could cause an exception:
ValueError: filedescriptor out of range in select()
poll system call, removing this limitation.
urllib2 module was limited to six requests because the retried attribute was not reset when authentication was successful. This attribute is now reset, and authentication requests work as expected.
test_structmembers unit test failed on big-endian 64-bit builds of Python (64-bit PowerPC and IBM System z) because a variable was not well-defined. The variable is now defined correctly, and the unit test works as expected. Note that this issue was discovered and corrected during development, and was not encountered in production systems in the field.
PyErr_Clear() method, which exposed an assertion failure in RhythmBox that resulted in RhythmBox crashing. Python now compensates for the RhythmBox assertion failure.
Makefile.pre.in. The make command interprets a make rule with two dependents as two copies of the rule. On machines with more than one core, this could lead to race conditions in which the compiler attempted to read a partially-overwritten file. This resulted in syntax or link errors when attempting to build python on machines with multiple cores. A check has been added to prevent this issue.
timeout argument, which can be used by the subprocess.call, Popen.communicate and Popen.wait API entry points. This argument allows users to specify either an integer or a float value, which represents the number of seconds these processes will wait for a call to return before raising an exception of type TimeoutExpired.
pyfuntop.stp, which provides a top-like view of all bytecode being executed; and systemtap-example.stp, which shows the function-call hierarchy of Python bytecode.
# rhn_register Segmentation fault (core dumped)
# rhn_register ***MEMORY-ERROR***: rhn_register[11525]: GSlice: assertion failed: sinfo->n_allocated > 0 Aborted (core dumped)
Fatal Python error: deallocating None Aborted (core dumped)
Device '[device_name]' could not be initialized
VGA_RAM_SIZE variable to 16 MB so that the user can now use high resolution modes.
ksm and ksmtuned initscripts were not consistent in their behavior with other initscripts included in Red Hat Enterprise Linux 6. This update modifies the ksm and ksmtuned initscripts so that their behavior is now consistent.
vhostfd command line parameter due to improper handling of file descriptors. With this update, if an invalid argument is provided to the vhostfd parameter, qemu-kvm exits and displays an appropriate warning message.
BUS_MCEERR_AO SIGBUS signals and this caused Software Recoverable Action Optional (SRAO) MCE to kill the qemu-kvm process when a page was constantly used by the virtual guest. The problem has been fixed partly in this update, partly in the kernel update (see BZ#550938) so that SRAO MCE handling now works properly even if the page is being constantly read or written by the virtual guest.
rxbuf_size option. This caused networking to stop if the maximum transmission unit (MTU) of the e1000 virtual network interface controller (NIC) was set to the value of 16110. With this update, support for larger multi-buffer packets has been added so that the MTU can now be set to 16110.
netdump) on a Red Hat Enterprise Linux 3 virtual guest which was based on the i386 architecture caused a failure when using the e1000 NIC emulation. The support for the SECRC field has been added so that netdump now works correctly.
qemu-doc.html file. The problem has been fixed by removing the empty index with this update.
O_DIRECT support. As a consequence, I/O requests to a device with large sector sizes (e.g. the CD-ROM drive) did not work in the cache=none mode. This update has fixed QEMU so that it uses a properly aligned memory for the I/O requests and I/O requests to devices like the CD-ROM drives now work as expected.
committed_memory()
function, the ksmtuned
service was unable to determine the correct amount of memory used by qemu-kvm
processes when no such process existed. This has been fixed and ksmtuned
now works as expected.
vhost_net
back end did not work. This has been fixed by adding support for a buffer, which can be merged, to the vhost_net
back end so that the migration works as expected.
SIGABORT
signal rather than clearly indicating the cause for failure to the user. This problem has been resolved so that an error message is now displayed, clearly indicating the failure cause.
-cpu check
command line option, the output was not as expected if a valid CPU model name was not provided. As a consequence, the -cpu check
and -cpu enforce
options did not work with the default CPU model and QEMU failed with a command line interface parsing error. The problem has been fixed so that it is now possible to enter "default" as a CPU model name, which allows the -cpu check
and -cpu enforce
options to function as expected.
scp command failed during a virtual machine migration in qemu-kvm. This bug has been fixed so that scp does not fail anymore during the migration.
vhost was set as a back end, qemu-kvm terminated unexpectedly. The fix for this problem has been provided with this update so that the VirtIO NIC hot plug works correctly.
initrd file, QEMU failed. As a consequence, a virtual machine was not able to start, and QEMU did not display any error message to the user either. The fix for this bug has been provided by checking for the initrd file's validity and displaying an error message in case of the file's invalidity.
virtio-net) used a packet transmission algorithm that was using a timer to delay a transmission in an attempt to batch multiple packets together. This problem caused a higher virtio-net transmission latency. With this update, the default algorithm has been changed so that the virtio-net transmission latency is now significantly lower.
removable check for virtual media change for devices with the if=none option set. The bug caused a failure when a user changed the media of virtual floppy devices. This problem has been resolved with this update so that changing the media of virtual floppy devices now works without problems.
-nodefconfig option did not work correctly in that QEMU did not read an alternate cpu-x86_64.conf file and used the default cpu-x86_64.conf file instead when combined with the -readconfig option. This bug has been fixed so that the -nodefconfig option now works as intended and expected.
qemu-kvm became unresponsive when it failed to start the vhost_net back end. The bug has been fixed in this update so that qemu-kvm now works as expected when the vhost_net back end is unable to start.
Device '[device_name]' could not be initialized
This update has fixed this bug so that hot-plugging a NIC in a virtual machine with four or more gigabytes of the virtual memory no longer fails.
qemu-img commit command, the file was reopened with the wrong format (the format of the snapshot image), and the following error message was printed:
qemu-img: Error while committing image
qemu-img rebase command. In this update, a metadata cache for Qcow2 has been introduced, and thus performance is now improved.
qemu -cpu check and/or qemu -cpu enforce command, the CPU feature flags vmx and svm were not validated correctly. This could possibly cause a virtual guest's confusion if the feature flags were unintentionally exposed. This problem has been fixed by disallowing the vmx flag in all cases and the svm flag only if a nested Kernel-based Virtual Machine (KVM) is in effect.
snapshot_blkdev command in the QEMU monitor.
vgabios) for the QEMU Standard VGA expected to find the framebuffer memory at the magic address 0xe0000000. Due to the overlapping memory reservations, qemu-kvm aborted unexpectedly when the guest operating system tried to use the address space at 0xe0000000 for other spaces, e.g. mapping resources of hot-plugged PCI devices. This update changes vgabios to look up the framebuffer memory in PCI space instead. Now, the address space at 0xe0000000 can freely be used by the guest operating system.
ru.orig file have been corrected, and pressing these keys now produces the expected results.
qemu-img create command. In this update, error handling of the output of the qemu-img create command has been made more reliable and the emitted errors are no longer ignored.
pcscd) terminated unexpectedly when a user removed the card during a transaction. The last problem was that the device was only tested in a single card and reader setup so it only supported this particular reader/device setup. All these problems have been resolved in this update so that they no longer occur.
qemu-kvm process exiting. To work around this issue, shut down the virtual guest before adding additional rtl8139 NICs. Alternatively, install the virtio-net drivers and add a VirtIO NIC.
qemu-kvm man page has been updated with information on available -spice options.
Exception in do_call: %r local variable 'smsg' referenced before assignment
rhn_register --nox command) used different names for various window titles and buttons. This update corrects these inconsistencies, and both variants of rhn_register now share the same window titles and button labels.
/usr/share/rhn/up2date_client/messageWindow.py:72: DeprecationWarning: use set_markup() instead
ml_IN language code) of the firstboot application to configure software updates, the Why Register dialog box may have been too long to fit to the screen on certain display resolutions (that is, with height 600px and smaller). This update extends the width of the dialog box to ensure it fits to the screen as expected.
/proc/cpuinfo on IBM System z machines, Red Hat Network Client Tools may have reported an incorrect number of CPUs on this platform. This update adapts the underlying source code to ensure that the correct number of CPUs is reported on IBM System z machines.
networkRetries configuration option in the /etc/sysconfig/rhn/up2date file was set to a non-integer value, network operations of the registration tools did not time out at all. With this update, the registration tools correctly set the default value of networkRetries to 1, and invalid values are now interpreted as a single attempt. As a result, network operations now time out as expected.
yum install --tsflags command failed with the following error:
Command line error: no such option: --tsflags
or_IN language code), the No thanks, I'll connect later button did not have any shortcut key assigned to it. With this update, the button is now associated with the N key.
hostedWhitelist option in the /etc/sysconfig/rhn/up2date configuration file. This update corrects this error, and rhn_register now uses this option as expected.
ru_RU language code) of the firstboot application, various screens regarding the configuration of software updates contained HTML tags, such as <b> or </b>. This update replaces these entities with plain text, and the Russian translation of firstboot is now displayed correctly.
XML-RPC protocol.
useNoSSLForPackages option in the /etc/sysconfig/rhn/up2date configuration file. When enabled (that is, when set to 1), this option forces the use of the HTTP protocol for downloading repository metadata and RPM packages. Note that enabling this option disables Location-Aware Updates.
metadata_expire configuration option, all channels used the default expiration time of 6 hours. This update adapts rhnplugin to use Yum's global settings.
yum remove command failed, and a traceback was written to standard error. This was caused by rhnplugin incorrectly sending the list of removed packages to a Red Hat Network server. This update adapts rhnplugin not to send the list to a server when a system is not registered, and the yum remove command now works as expected.
/sys/devices/system/cpu instead of /proc/cpuinfo, which reports all present CPUs.
/var/cache/yum/rhnplugin.repos file caused certain Yum commands to fail with the following error:
Error: Cannot retrieve repository metadata (repomd.xml) for repository: repository_name. Please verify its path and try again
yum groupinstall command may have failed to install the selected package group with the following result:
No packages in any requested group available to install or update
yum groupinstall command now works as expected.
rhnreg_ks --help command in a non-English environment may have failed with a traceback written to standard error. This was caused by the presence of a non-ASCII character in translated strings. With this update, the underlying source code has been adapted to retrieve the strings in Unicode, and running the rhnreg_ks utility with the --help option no longer causes it to crash.
-L (or --available-channels) option, which allows a user to list all available child channels that are related to a system.
serverURL option in the /etc/sysconfig/rhn/up2date configuration file has been updated to mention that a fully qualified domain name (FQDN) must be specified.
lib-zfcp-hbaapi library provided by this package is rebased to version 2.1.
FUSE infrastructure on Linux. This new tool allows you to read and write configuration files on CMS disks directly.
ziomon command exits successfully, it should return a value of 0. Previously, faulty logic caused the command to return an exit status of 1 when run with the --help or -v arguments. The logic is now corrected and ziomon returns 0 when run successfully with --help or -v.
0. Consequently, devices where the subchannel was set to any other value were not processed and did not appear on the IPA list. Now, qethconf recognizes devices where the subchannel is set to values other than 0 and these devices appear correctly in the IPA list.
cio_settle kernel facility is a new mechanism by which processes in user space can monitor CIO actions. Previously, user-space processes could not wait for devices to become available, leading to possible race conditions, particularly as the system started and started processing CIO requests. This updated s390-utils package uses this mechanism to enable user space processes to wait for devices to become usable. Now that processes can wait for device availability, handling of all CIO actions is ensured and race conditions are avoided.
DELAY_MINUTES as a new keyword for the etc/sysconfig/dumpconf configuration file, and updates the dumpconf manual page to describe its use. When configured, the new keyword delays the dump and therefore helps to avoid situations where triggering the dump leads to a re-IPL loop.
getty programs and prevents re-spawns through the init program if a terminal is not available.
-h option of the login program. Depending on the implementation of the login program, passing the user ID to login -h can cause timeouts when the target system does not have a working network connection. Now iucvtty no longer passes the user ID and therefore avoids timing out during login.
-Q as a new option to the tunedasd tool that allows it to show the reservation status of a given DASD in relation to the current Linux instance. Used on the command line, tunedasd -Q returns the reservation status to standard out.
format 7 label written by fdasd and dasdfmt was incorrect. Therefore, backups of Linux on System z disks from z/OS did not work when the disk was not fully partitioned. libvtoc now writes the format 7 label correctly and backups work correctly.
/proc/sys/vm/cmm_pages to 0, regardless of its previous value. Also, when cmm_pages was equal to cmm_inc, cmm_pages did not correctly reach a cmm_min of 0 during run-time. The incorrect checks in the cpuplugd utility are now fixed, so that /proc/sys/vm/cmm_pages maintains its correct value, and the evaluation of cmm_min is now correct.
LUN 0 or the WLUN is already available. If both LUNs are not available, LUN 0 is tried first; if this fails, WLUN is tried.
mon_statd script contained a call to udevsettle instead of udevadm settle, which failed because udevsettle doesn't exist. The call is now corrected and mon_statd works correctly.
fdasd tried to write to a read-only disk, it would attempt to format an error message through libvtoc, where it would cause a buffer overflow. Therefore, rather than a useful error message, users were presented with an error about a buffer overflow. The fdasd tool now prints the error message directly and therefore avoids the buffer overflow.
cupsaddsmb command using the Adobe Postscript Driver. Running the command resulted in the "WERR_UNKNOWN_PRINTER_DRIVER" error message. The problem has been fixed so that the cupsaddsmb command can now be executed successfully without the error.
/etc/rc.d/init.d/nmb startup script contained an erroneous description saying that it started Samba's smbd service. In fact, the nmb script starts the nmbd service, which communicates with NetBIOS name service requests. This update corrects the description in the nmb startup script.
unix charset and display charset in the smb.conf configuration file were not displayed correctly while a user browsed the network file system with the Windows Explorer application. This has been fixed so that file names with characters encoded in ISO-8859-15 are now displayed without any character encoding problems on the Samba network file system.
winbindd daemon. The limit was hard coded to the number of 200 connections, thus disallowing any other winbindd clients that would exceed the limit to connect. A fix resolving this bug has been applied so that it is now possible to exceed the original limit. The limit can now be set by modifying the winbind max clients option.
smb.conf configuration file, which is included in Samba. The name of the SELinux label samba_share_t that a user uses when creating a new directory was misspelled as samba-share_t. The typo has been corrected and the smb.conf file now contains valid information.
smb.conf configuration file, which is included in Samba, misspelled the words "Network" and "Security". The misspellings have been corrected so that the content of the smb.conf file is now spelled properly.
default case parameter in the smb.conf configuration file was unclear and contained misleading punctuation. This update clarifies the description so that it is unambiguous.
posix_fallocate() function in write paths.
smb.conf configuration file is configured in ADS (Active Directory Service) mode. This was not possible with the previous version of the smbpasswd Samba utility. The smbd daemon must run in order to change non-root user passwords with smbpasswd successfully. Also, with the wbinfo --change-user-password command, non-root users can now change both the local user password as well as the remote Active Directory domain password at the same time.
smb.conf Samba configuration file with the testparm utility. The utility was not user-friendly in that its usage was not consistent with the way the sanity check has been called and performed in other similar packages like postfix. This has been improved by adding a new option configtest to the service smb command.
allow_corosync_rw_tmpfs Boolean value allowed third party applications to create, write and read generic tmpfs (temporary file system) files. To prevent this undesired behavior, the Boolean value has been removed, and unless the unconfined policy is disabled, generic tmpfs files can now be managed using the Corosync Cluster Engine.
qemu-kvm binary file, from running. With this update, the SELinux policy has been fixed so that the binary file can now be run as expected.
virsh dominfo command from producing the expected results. This update fixes the relevant policy so that the command now works as expected.
tgtd service emitted Access Vector Cache (AVC) messages. With this update, the relevant policy rules have been modified to resolve this issue, and running the tgtd service no longer emits AVC messages.
cmirror resulted in Access Vector Cache (AVC) messages. This bug has been fixed in this update so that cmirror now runs as expected.
fence_scsi I/O fencing agent, running either the cman startup script, or using the fence_node -U [nodename] command, resulted in failure. This update contains updated SELinux rules and adds the security file context for the /var/lib/cluster/ directory, which allows a cluster with fence_scsi enabled to work properly.
smbd, nmbd, or winbindd service did not work properly. This bug has been fixed, the relevant policy has been added, and SELinux no longer prevents smbcontrol from working properly.
/etc/fstab file. With this update, SELinux rules have been added to allow the mount process to communicate with the gfs_controld service so that GFS2 file systems can now be mounted as expected.
/root/.ssh/ directory, which caused the restorecon command not to function properly. With this update, the relevant security context has been modified in order to fix this bug.
rpc.quotad service has been adjusted in order to make it work properly.
iptables-save or iptables -L, were unable to write to files with output redirection. With this update, the SELinux domain transition from the unconfined_t to iptables_t domain has been removed, and such commands now work as expected.
/etc/resolv.conf file not having the correct security context. This was caused by NetworkManager, which ran under an incorrect SELinux domain (devicekit_power_t). With this update, the proper SELinux domain transition from DeviceKit-power to NetworkManager has been added, and resuming from suspend mode now works as expected.
passwd command in single user mode failed when SELinux was enabled. With this update, the SELinux policy rules have been updated so that passwd can now access the system console as well as all terminals (TTYs) and pseudo-terminals (PTYs) on the operating system.
certmonger service was not permitted to search through directories that contained certificates. This bug has been fixed by updating SELinux policy rules so that they now allow certmonger to access these directories.
ssh command with a ProxyCommand option. With this update, the relevant SELinux policy has been corrected so that the ssh command with a ProxyCommand option works as expected.
/etc/sysconfig/ip6tables.save file has been corrected.
/sys/kernel/debug/ directory was not possible. This error has been fixed so that the updated SELinux policy rules now allow mounting of the /sys/kernel/debug/ directory.
allow_httpd_mod_auth_ntlm_winbind policy was fixed in this update.
pam_tally2 module was added. The new module uses the /var/run/faillock/ directory to store files that record recent login failures for individual users. Due to this change, a new SELinux security context was added for this directory.
udevadm settle command was very slow and took several minutes to complete. This update fixes the relevant policy so that the command now runs much faster.
mount command resulted in Access Vector Cache (AVC) messages during the system startup. With this update, the relevant policy has been corrected and mount no longer produces AVC messages.
runlevel 1. This update corrects the SELinux policy, and network can now be started as expected.
certmonger service was not able to track 389-ds certificates due to an incorrect SELinux policy. This update corrects the SELinux policy so that certmonger is now able to track these certificates.
slapi-nis Network Information Service (NIS) server plug-in, Access Vector Cache (AVC) messages were displayed. This update fixes the relevant SELinux policy so that AVC messages do not appear anymore.
ping command if the user_ping Boolean value was enabled. With this update, the relevant policy has been corrected, and users confined to SELinux can run ping as expected.
rpm -qa command from producing the expected results. This update fixes the relevant policy so that the command works as expected.
namespace_init script.
spice-vdagent command has been introduced in this update to enable the SPICE protocol features with SELinux.
rpmverify check of the sssd package. With this update, the sssd package successfully passes the rpmverify check.
multilib platform (for example, i686 on AMD64) were not able to identify the Kerberos server for authentication. With this update, the Kerberos locator plugin is located in the sssd-client package to allow installation of both the 32-bit and 64-bit versions on 64-bit systems.
initgroups for which they were a member of in LDAP. This could cause several issues related to group-based permissions. With this update, the initgroups() call always returns all groups for the specified user.
\' character). As a result, an error was issued that caused SSSD to treat the LDAP server as unreachable. With this update, escaping of characters in LDAP queries has been fixed and works as expected.
getent passwd command on a username with a very large user or group identifier (that is, UID or GID greater than 2147483647) resulted in an empty output. With this update, the underlying source code has been modified to address this issue, and the getent command now returns the expected output.
/etc/security/access.conf and /etc/sudoers. With this update, groups, for which a user has the group as its primary GID, are no longer discarded from the cache.
authorizedService LDAP attributes are now supported.
sssd service to ensure the running instance is properly replaced with the newer version. However, prior to this update, a race condition could occur upon the service shutdown, causing the parent process not to wait for its children to terminate. When this happened, these running sub-processes may have prevented sssd from starting again. With this update, the sssd service has been corrected to wait for the children processes to terminate, so that it can be restarted as expected.
sssd service (either by using the service sssd stop command, or with the SIGTERM signal) could cause SSSD to enter a busy-loop and never complete the shut down. This error has been fixed, and sssd no longer fails to shut down.
sssd service was restarted when it was configured for a local domain. This was due to a tevent request that was not being posted properly. With this update, this issue has been fixed and enumeration works as expected.
-s/--stdin option of the sss_obfuscate command (which obfuscates a plain text password) reads the password to obfuscate from the standard input. However, not specifying the -s/--stdin option resulted in the same behavior. With this update, when no option is specified for the sss_obfuscate command, an interactive dialog for the password is shown.
SFTP (Secure File Transfer Protocol) only and be restricted to the user's home directory resulted in the SFTP connections being closed when SSSD was running on the system. This was due to improper closing of the file descriptors. This update adds additional checks which assure a correct closing of sockets and prevent the dropped SFTP connections.
initgroups lookups. With this update, initgroups lookups have been improved and authentication no longer fails in the aforementioned case.
/etc/sssd/sssd.conf file disappeared from the file after running authconfig-tui or authconfig-gtk.
sss_obfuscate command as a non-root user. With this update, a human-readable error is displayed in such a case instead of the traceback messages.
sss_obfuscate could fail if it could not establish (by reading the /etc/sssd/sssd.conf file) which domain was the default one. With this update, the sss_obfuscate command now always mandates the use of the -d/--domain option which requires a user to specify a domain to be used on the command line.
rfc2307bis_nested_groups_update_sysdb() and save_rfc2307bis_user_memberships() functions calling the sysdb_search_groups() function with a non-sanitized member_dn parameter. With this update, search filters have been fixed and work as expected.
-p/--password option of the sss_obfuscate command was not properly setting the provided password (specifically, it always used an empty string instead of the provided password). As a result, SSSD was unable to successfully complete an LDAP bind. This update removes the -p/--password option of the sss_obfuscate command as it is not safe to pass a password on the command line.
authorizedService attribute for access control, even though a user's authentication request completed successfully, the following message was logged in the /var/log/secure log file:
Authorized service attribute has no matching rule, access denied
START_TLS function when performing LDAP authentication. However, some LDAP servers (especially those configured to work behind SSL accelerators) cannot handle TLS (Transport Layer Security) over LDAPS (Secure LDAP) which prevented authentication from succeeding on those platforms. With this update, SSSD no longer attempts to start TLS if it is connected over LDAPS.
ccache file was not being checked. With this update, the ccache file is checked for any renewable TGTs at every startup unless indicated otherwise.
cn=account subtree of FreeIPAv2. However, the final version of FreeIPAv2 stores them in the cn=hbac subtree instead. This resulted in denial errors from SSSD because no rules could be accepted. With this update, denials/permissions are based on the HBAC rules, and SSSD no longer returns denial errors.
initgroups() request to the backend to ensure that user and group memberships are accurate for the login. However, a bug has been discovered which causes this lookup to be performed on the first domain in the list of domains only. This update fixes this issue; initgroups() requests are properly processed on all existing domains.
initgroups() request on a user, the IPA provider did not properly remove group memberships from the local cache when they were removed from the IPA server. With this update, a removed group is no longer present in the local cache.
ipa-client-install command (which configures an IPA client) is executed with the --realm option, the specified realm is set in all SSSD configuration files in both the realm and the krb5_realm configuration directives.
ipa_server option in the /etc/sssd/sssd.conf file resulted in a successful dynamic update of the DNS records of the IPA DNS server. However, if two or more servers are specified, the update failed. This update addresses this issue, and specifying multiple servers in the ipa_server works as expected.
memberOf attributes defined, SSSD attempted to remove them from the sysdb cache. However, this attribute is exclusively managed by the memberOf plugin. With this update, SSSD no longer attempts to delete the memberOf attribute under any circumstances.
ipactl (an IPA server control interface) command as a non-root user resulted in a segmentation fault. With this update, a segmentation fault no longer occurs.
sssd_nss module tried to delete the entry and failed with a segmentation fault. With this update, the aforementioned netgroups are properly handled, and a segmentation fault no longer occurs.
initgroups() call if it attempted to process such a group. With this update, groups with multi-valued attributes are skipped when issuing an initgroups() call.
/etc/sssd/sssd.conf file (access_provider = krb5) resulted in a traceback error when trying to update all SSSD-related files with the authconfig --enablesssd --enablesssdauth --updateall command. With this update, this issue has been fixed; all SSSD-related files are updated and SSSD starts as expected.
initgroups() call in the IPA provider caused only the user the call was being issued on to be stored in the cache. This was because the group, the user was a part of, only contained that user in the cache and was not being refreshed with the rest of the users of that group. Thus, a command such as getgrnam would only show the single user of that group. With this update, all users are properly taken into account in the aforementioned case.
sss_obfuscate command with the CTRL+D shortcut.
memberuid attribute are now properly handled, and no longer cause new lookups to not be cached properly.
cn attribute for GECOS information (entry in the /etc/passwd file) if the GECOS field is empty, making SSSD fully compliant with section 5.3 of RFC 2307.
select() call could only handle file descriptors smaller than 1024. If an sssd, nss, or pam client was called from an application with many open files, the file descriptor used by the client could be larger than 1024, which resulted in undefined and unexpected behavior. With this update, the poll() call is used instead of the select() call, eliminating any possible memory corruption issues in the calling process.
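The select() limit described in the entry above, shown as an added example (not SSSD's own code; all function names are hypothetical): a select() wrapper that refuses descriptors at or above FD_SETSIZE, next to a poll() wrapper that has no such limit, exercised on a pipe descriptor duplicated above the limit.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* FD_SET()/FD_ISSET() index a fixed bitmap of FD_SETSIZE bits (1024 on
 * Linux/glibc); a larger descriptor makes them touch memory past it. */
int fd_fits_fd_set(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* select()-based wait that rejects descriptors the fd_set cannot hold.
 * Returns 1 if readable, 0 on timeout, -1 on error (EBADF if out of range). */
int wait_readable_select(int fd, int timeout_ms)
{
    fd_set rfds;
    struct timeval tv;
    int rc;

    if (!fd_fits_fd_set(fd)) {
        errno = EBADF;
        return -1;
    }
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    rc = select(fd + 1, &rfds, NULL, NULL, &tv);
    if (rc < 0)
        return -1;
    return (rc > 0 && FD_ISSET(fd, &rfds)) ? 1 : 0;
}

/* poll()-based wait: the descriptor travels as a plain int, so its numeric
 * value is not limited by FD_SETSIZE. Same return convention as above. */
int wait_readable_poll(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    int rc;

    do {
        rc = poll(&pfd, 1, timeout_ms);
    } while (rc < 0 && errno == EINTR);
    if (rc < 0)
        return -1;
    if (pfd.revents & POLLNVAL) {
        errno = EBADF;
        return -1;
    }
    return (pfd.revents & (POLLIN | POLLHUP | POLLERR)) ? 1 : 0;
}

/* Duplicate fd onto a number >= FD_SETSIZE, raising the soft RLIMIT_NOFILE
 * when the hard limit allows it. Returns the new descriptor or -1. */
int dup_above_fd_setsize(int fd)
{
    struct rlimit rl;
    rlim_t want = (rlim_t)FD_SETSIZE + 16;

    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    if (rl.rlim_cur < want) {
        if (rl.rlim_max != RLIM_INFINITY && rl.rlim_max < want)
            return -1;
        rl.rlim_cur = want;
        if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
            return -1;
    }
    return fcntl(fd, F_DUPFD, FD_SETSIZE);
}

/* 1: poll() saw the data on a high descriptor and the guarded select()
 * wrapper rejected it; 0: mismatch; -1: no high descriptor obtainable. */
int high_fd_demo(void)
{
    int p[2], hi, ok = -1;

    if (pipe(p) != 0)
        return -1;
    hi = dup_above_fd_setsize(p[0]);
    if (hi >= 0 && write(p[1], "x", 1) == 1)
        ok = wait_readable_poll(hi, 100) == 1 &&
             wait_readable_select(hi, 0) == -1;
    if (hi >= 0)
        close(hi);
    close(p[0]);
    close(p[1]);
    return ok;
}

int main(void)
{
    printf("FD_SETSIZE = %d\n", FD_SETSIZE);
    printf("high descriptor demo: %d\n", high_fd_demo());
    return 0;
}
```

A library that can be loaded into arbitrary processes cannot assume its socket receives a low descriptor number, which is why the range check or poll() belongs in the client code itself.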
dns_discovery_domain option. If not specified, the domain part of the machine's hostname is used (previously, it was the name of the SSSD configuration domain). As a backwards-compatibility measure, the SSSD domain is used in case the domain part cannot be acquired from the machine's hostname.
nfs:/share 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
make -C prefix/share/systemtap/runtime/uprobes
prefix is the install prefix for SystemTap, and that this manual build of uprobes.ko will only need to be done once.
.debug_frame section in a prelinked shared library was broken on an i686. This update ensures user space shared libraries are no longer a special case, but are treated similarly to other sections using .debug_frames for unwinding, resulting in unwinding working as expected on an i686. This also fixes a similar issue with unwinding through kernel modules.
--remote command, allowing users to build the SystemTap module locally, and execute remotely via SSH.
repnz;ret to end a function. SystemTap's uprobes module then rejected this as an unknown instruction sequence. This patch allows such instructions to be treated as rep;ret = ret, allowing stap to run without risk, even with such optimized GCC code.
/user/bin/dtrace was provided by systemtap-sdt-devel, while dtrace(1) man page was provided by SystemTap. This caused confusion when the binary was not found. This update puts the dtrace(1) man page in the same package as the binary, removing the confusion and resolving this issue.
sys/sdt.h probes were not being activated on IBM System z architectures. This was because some IBM System z architectures do not have noexec mappings for data sections so the .probes section with SDT semaphores was mapped with RWX rather than RW-. This patch checks VM flag needs to accommodate this giving the ability to deal with mappings that are both executable and writable so semaphores can be found.
systemtap.base/bench.exp FAILed. This was due to a change of output from Red Hat Enterprise Linux 6.0 and Red Hat Enterprise Linux 6.1. This patch updates the test to handle newer probe timing report output, preventing this.
systemtap.printf/ring_buffer.exp had 1 FAIL. This was because the variable was already static so needed to be initialized to 0. This patch removes the unneeded initializer and eliminates a warning message from compiling the code, preventing this error.
systemtap.stress/conversions.exp had 3 FAILs. This was because PR12168 eliminated duplicated error messages and changed the count of ERROR and WARNING messages. This patch adds the -vv option which turns off the duplicate elimination and allows an accurate count of the number of times ERROR and WARNING messages occurred, preventing these errors.
systemtap.examples/process/errsnoop build
, buildok/syscall.stp
, and buildok/syscalls2-detailed.stp
failed to build with a semantic error. This patch checks for the existence of dwarf variables instead of using CONFIG_NFSD, which allows these testcases to build successfully.
force key release
for these advanced function keys so that the keys behave as expected and unwanted key repeats no longer occur.
scsi_id command only queried one sort of page id, and either the id of page 0x80 or that of page 0x83 was used for ID_SERIAL_RAW. To query the other id, another run of scsi_id was needed. This update adds two new options to the --page= page code argument: 0x80-0x83 and 0x83-0x80. Both export ID_SERIAL_80 and ID_SERIAL_83:
0x80-0x83, ID_SERIAL_SHORT always equals ID_SERIAL_80.
0x83-0x80, ID_SERIAL_SHORT always equals ID_SERIAL_83.
/etc/scsi_id.config to change the default page code.
# scsi_id --export --page=0x80-0x83 --whitelisted /dev/sdc|grep ID_SERIAL_
ID_SERIAL_RAW="SATA SAMSUNG HD400LDS0AXJ1LL903246 "
ID_SERIAL_80=SATA_SAMSUNG_HD400LDS0AXJ1LL903246
ID_SERIAL_SHORT=S0AXJ1LL903246
ID_SERIAL_83=1ATA_SAMSUNG_HD400LD_S0AXJ1LL903246
/lib/udev/cdrom_id failed to get the correct information about the drive and medium. In this update, /lib/udev/cdrom_id has been fixed to correctly read information about the drive and medium of an iDRAC virtual drive.
/etc/udev/rules.d/70-persistent-net.rules. This resulted in network interfaces being named incorrectly. In this updated package, these interfaces are no longer listed as persistent, which corrects the naming problem.
udevadm trigger caused a segmentation fault in udevadm if debugging was turned on in /etc/udev.conf. With this update, udevadm trigger behaves as expected and the segmentation fault does not occur.
cdrom_id which now works with iDRAC cards.
/dev/hugepages was not created by udev and therefore could not be mounted automatically. This directory is now created in the start_udev script after /dev is mounted.
SUBSYSTEM=="block", ENV{ID_CDROM}=="1", ENV{ACL_MANAGE}="0"
ENV{ACL_MANAGE}="0" was not completely honored.
0 as a setting
PIE and RELRO flags, so the daemon was missing some of the available security mechanisms. This update fixes the issue.
udevadm trigger to fail with a segmentation fault when a device was delayed. In this release, the memory allocation issue is corrected, and udevadm trigger does not fail when devices are delayed.
READ TOC SCSI command. On such virtual machines, the Red Hat Enterprise Linux installer (anaconda) could not recognize the DVD medium properly. These updated udev packages include a workaround in cdrom_id which allows virtual machines with faulty implementations of the READ TOC SCSI command to recognize DVDs.
udevadm info --query=property could not be used as input to shell interpreters. This update adds an --export argument so that the output of udevadm info --query=property --option is parsable by the shell.
context=, defcontext=, fscontext=, and rootcontext= options should not be used for remount operations. Prior to this update, using these options when remounting a manually mounted volume could cause the mount utility to fail with an error message similar to the following:
mount: /dev/shm not mounted already, or bad option
context=, defcontext=, fscontext=, and rootcontext= options when remounting a file system, and manually mounted volumes can now be remounted as expected.
tmpfs file system, the previous version of the mount utility incorrectly required root privileges even when the corresponding entry in the /etc/fstab file contained the user option. Consequent to this, an attempt to mount such a file system as a non-root user failed with the following error:
mount: only root can do that
tmpfs file system. As a result, the mount utility no longer requires root privileges when the user option is specified in /etc/fstab.
--help (or -h) command line option caused the utility to return exit status 1, even though it successfully displayed the usage information. This error has been fixed, and losetup now correctly terminates with exit status 0 in this situation.
lscpu: error: cannot open /sys/devices/system/cpu/cpu1/cache/index0/shared_cpu_map: No such file or directory
user option was specified in the /etc/fstab file. This update adapts the mount and umount utilities to provide support for file system subtypes (that is, in the type.subtype form). As a result, non-root users are now allowed to unmount the fuse.sshfs file systems as expected.
p command to display the partition table, he may have been presented with a message similar to the following:
Partition 1 does not start on physical sector boundary.
_rnetdev mount option. However, this functionality was missing in the package for Red Hat Enterprise Linux 6. With this update, the mount utility has been updated to support this option.
-t command line option, an attempt to use the same character on standard input and as an argument of the -s option caused the utility to terminate unexpectedly with a segmentation fault. With this update, a patch has been applied to address this issue, and the column utility no longer crashes.
fdisk -l and sfdisk -d commands incorrectly listed multipath devices in the /dev/dm-number form. This update corrects this error, and both commands now list multipath devices in the /dev/mapper/mpathnumber form as expected.
CPU op-mode(s) field. With this update, the underlying source code has been modified to address this issue, and lscpu now lists 32-bit capabilities of 64-bit AMD processors as expected.
libuuid library did not provide a safe variant of the uuid_generate_time() function. Under certain circumstances, this may have caused the uuidd service to generate duplicate UUIDs (universally unique identifiers). This update applies a series of patches that introduce a safe variant of the uuid_generate_time() function. As a result, the uuidd service now always generates unique UUIDs.
atime mount option. This update corrects this error, and the mount(8) manual page now describes the atime option properly.
ext3 and ext4 file systems. This update corrects the “Mount options for ext3” and “Mount options for ext4” sections of the manual page to include descriptions of all available ext3 and ext4 mount options as expected.
/usr/sbin/semanage: No such file or directory
There are no enabled repos.
INFO:rhsm-app.repolib:repos updated: Ignored option -q, -v, -d or -e (probably due to merging: -yq != -y -q)
fsfreeze(8) man page.
clearpart --initlabel kickstart command. Adding the --all switch (as in clearpart --initlabel --all) ensures disks are cleared correctly.
attempt to access beyond end of device loop0: rw=0, want=248626, limit=248624
may be returned to sys.log. The errors do not prevent installation and only occur during initial setup. The filesystem created by the installer will function correctly.
multipath -ll output command:
mpatha (3600a59a0000c2fd0003079284c122fec) dm-0,
size=2.0G hwhandler='0'
|-+- policy='round-robin 0' prio=0 status=enabled
| `- #:#:#:# - #:# failed faulty running
`-+- policy='round-robin 0' prio=0 status=enabled
  |- #:#:#:# - #:# failed faulty running
  `- #:#:#:# - #:# failed faulty running
Output of this type indicates that there are no paths to the device. The erroneous lines in the output preceded by the string #:#:#:# will be removed in a future release.
$> lvconvert -m +1 <vg/lv> <new PV>
$> lvconvert -m -1 <vg/lv> <old PV>
Mirror logs can be handled in a similar fashion:
$> lvconvert --mirrorlog core <vg/lv>
$> lvconvert --mirrorlog disk <vg/lv> <new PV>
or
$> lvconvert --mirrorlog mirrored <vg/lv> <new PV>
$> lvconvert --mirrorlog disk <vg/lv> <old PV>
search entry will not be propagated to /etc/resolv.conf. Consequently, short host names that do not include the domain name will fail to resolve. To work around this issue, add a search entry manually to /etc/resolv.conf.
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
option ms-classless-static-routes code 249 = array of unsigned integer 8;
also request rfc3442-classless-static-routes;
also request ms-classless-static-routes;
These lines will ensure that RFC3442 classless static routes are requested from the DHCP server, and that they are properly processed by NetworkManager.
[07/Apr/2011:10:46:23 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[07/Apr/2011:10:46:23 -0400] NSMMReplicationPlugin - agmt="cn=meToipaqa64vmb.testrelm" (ipaqa64vmb:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
These messages can be safely ignored.
lsusb -v -d 147e:2016 | grep bcdDevice
will return the version of the device being used in an individual machine.
lpfc) does support DH-CHAP authentication on Red Hat Enterprise Linux 5, from version 5.4. Future Red Hat Enterprise Linux 6 releases may include DH-CHAP authentication.
05.xx.xx.xx.) Note that following this recommendation is especially important on complex SAS configurations involving multiple SAS expanders.
#!/bin/sh
# Disable hyper-threading processor cores on suspend and hibernate, re-enable
# on resume.
# This file goes into /etc/pm/sleep.d/
case $1 in
    hibernate|suspend)
        echo 0 > /sys/devices/system/cpu/cpu1/online
        echo 0 > /sys/devices/system/cpu/cpu3/online
        ;;
    thaw|resume)
        echo 1 > /sys/devices/system/cpu/cpu1/online
        echo 1 > /sys/devices/system/cpu/cpu3/online
        ;;
esac
INFO: task insmod:201 blocked for more than 120 seconds.
Refer to BZ#682110 for more information.
nmi_watchdog=0 kernel parameter set, or run echo 0 > /proc/sys/kernel/nmi_watchdog to disable at run time. To re-enable the watchdog, use the command echo 1 > /proc/sys/kernel/nmi_watchdog.
nmi_watchdog=0
nmi_watchdog=2 or nmi_watchdog=lapic parameters. The parameter nmi_watchdog=1 is not supported.
pci=noioapicquirk, is required when installing the 32-bit variant of Red Hat Enterprise Linux 6 on HP xw9300 workstations. Note that the parameter change is not required when installing the 64-bit variant.
Folder > Refresh). Consequently, when replying to a message in the Sent folder, the new message does not immediately appear in the Sent folder. To see the message, force a refresh using one of the methods described above.
. /etc/sysconfig/keyboard; echo $LAYOUT | grep -q ",us" && gconftool-2 --direct --config-source xml:readwrite:/var/lib/gdm/.gconf --set /apps/gdm/simple-greeter/recent-layouts --type list --list-type string $(echo $LAYOUT | awk -F, '{ print "[" $2 "," $1 "]"; }') && echo "DONE"
Revision History | |
---|---|
Revision 1-35 | Mon May 23 2011 |
Revision 1-31 | Thu May 19 2011 |