The text of and illustrations in this document are licensed by Red Hat under a Creative Commons
Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available
at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this
document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert,
Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity
Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States
and/or other countries.
All other trademarks are the property of their respective owners.
The Red Hat Enterprise Linux 5.5 Technical Notes list and document the changes made to the Red
Hat Enterprise Linux 5 operating system and its accompanying applications between minor release
Red Hat Enterprise Linux 5.4 and minor release Red Hat Enterprise Linux 5.5.
The Red Hat Enterprise Linux 5.5 Technical Notes list and document the changes made to the Red
Hat Enterprise Linux 5 operating system and its accompanying applications between minor release
Red Hat Enterprise Linux 5.4 and minor release Red Hat Enterprise Linux 5.5.
For system administrators and others planning Red Hat Enterprise Linux 5.5 upgrades and
deployments, the Technical Notes provide a single, organized record of the bugs fixed in, features
added to, and Technology Previews included with this new release of Red Hat Enterprise Linux.
For auditors and compliance officers, the Red Hat Enterprise Linux 5.5 Technical Notes provide a
single, organized source for change tracking and compliance testing.
For every user, the Red Hat Enterprise Linux 5.5 Technical Notes provide details of what has changed
in this new release.
The Technical Notes also include, as an Appendix, the Red Hat Enterprise Linux Package Manifest: a
listing of every changed package in this release.
ix
x
Chapter 1.
Package Updates
1.1. acl
1.1.1. RHBA-2009:1652: bug fix update
Note
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2009:1652
Updated acl packages that fix a bug are now available.
Access Control Lists (ACLs) are used to define finer-grained discretionary access rights for files and
directories. The acl packages contain the getfacl and setfacl utilities needed for manipulating access
control lists.
1
This update fixes the following bug:
* the "setfacl" command, which sets the access control lists for files, always returned an exit status of
0, even when the command failed and printed out error messages. With this update, setfacl exits with
the correct exit status upon failure. (BZ#3684512)
* running "setfacl -- --test" caused setfacl to segmentation fault. This has been fixed in this update.
(BZ#4304583)
* running the "setfacl" command with the '-P' flag, which is the short form of the '--physical' option,
which is supposed to cause "setfacl" to skip over any symbolic links it encounters, did not work
as expected: symbolic links were still followed. This update fixes this so that the '-P' flag works as
expected and symbolic links are silently skipped over. (BZ#4360704)
* the "setfacl" command failed to resolve relative symbolic links when it encountered them unless
they were specified with a trailing forward-slash character (in the case of relative symbolic links to
directories), or the script or shell prompt's working directory was the directory which contained the
relative symbolic link(s). With this update, relative symbolic links are handled correctly by setfacl
regardless of where they are encountered or what their target is. (BZ#5000955)
* the "getfacl" and "setfacl" commands did not properly handle non-ASCII characters with the result
that calling either command on a system with the correct locale settings still produced incorrect output,
such as octal character representations. With this update, getfacl and setfacl are now able to produce
correct output when using non-ASCII character sets. (BZ#5077476)
All users of Access Control Lists should upgrade to these updated packages, which resolve this issue.
This update has already been released (prior to the GA of this release) as errata
RHBA-2010:0004
An updated acpid package that fixes a bug is now available.
acpid is a daemon that dispatches ACPI (Advanced Configuration and Power Interface) events to
user-space programs.
This updated acpid package fixes the following bug:
* the acpid package that was included with the Red Hat Enterprise Linux 5.4 update contained a
package update script that returned a non-zero exit code when the the /var/log/acpid log file did not
exist. However, if the acpid daemon had never been started on the system, and therefore /var/log/
acpid did not exist, the faulty check caused the update process to fail, which could have resulted
in two different acpid packages being installed on the same system and registered with the RPM
database (rpmdb). This updated acpid package removes the spurious record from the rpmdb, thus
resolving the problem. (BZ#5483748)
7
All users of acpid are advised to upgrade to this updated package, which resolves this issue.
1.2.2. RHSA-2009:1642: Important security update
Important
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2009:1642
An updated acpid package that fixes one security issue is now available for Red Hat Enterprise Linux
5.
This update has been rated as having important security impact by the Red Hat Security Response
Team.
acpid is a daemon that dispatches ACPI (Advanced Configuration and Power Interface) events to
user-space programs.
It was discovered that acpid could create its log file ("/var/log/acpid") with random permissions on
some systems. A local attacker could use this flaw to escalate their privileges if the log file was created
as world-writable and with the setuid or setgid bit set. (CVE-2009-403310)
Please note that this flaw was due to a Red Hat-specific patch (acpid-1.0.4-fd.patch) included in the
Red Hat Enterprise Linux 5 acpid package.
Users are advised to upgrade to this updated package, which contains a backported patch to correct
this issue.
1.3. aide
1.3.1. RHBA-2010:0036: bug fix update
Note
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2010:0036
An updated aide package that allows proper operation with the recently updated version of libgcrypt
and makes minor man page changes is now available.
Advanced Intrusion Detection Environment (AIDE) is a program that creates a database of files on a
system, and then uses that database to ensure file integrity and detect system intrusions.
11
This updated aide package includes the following fixes:
* the current version of libcgrypt includes a version-checking initialization step that aide was not doing.
Running "aide -i" logged the following message to /var/log/messages:
aide: Libgcrypt warning: missing initialization - please fix the application
With this update, aide now includes the version-checking step required by libgcrypt and the libgcrypt
warning is, consequently, no longer written to /var/log/messages. Note: although based on a proposed
upstream patch, this update leaves secure memory enabled, unlike the proposed upstream change.
(BZ#53048512)
* the FILES section of the aide man page previously listed the locations for aide.conf, aide.db.gz
and aide.db.new.gz with a pre-pended "%prefix" variable. The updated aide man page removes this
variable, listing the file locations as complete but plain paths (eg "/etc/aide.conf"). (No BZ#)
All aide users are advised to upgrade to this updated package, which includes this bug fix and man
page change.
1.4. anaconda
1.4.1. RHBA-2010:0194: bug fix and enhancement update
Anaconda is the system installer.
This updated anaconda package provides fixes for the following bugs:
• previously, when anaconda could not read the extended display identification data (EDID) of
a monitor, it reverted to text mode. However, EDID information is frequently not available on
systems connected to Keyboard–Video–Mouse (KVM) switches. Therefore, when installing Red Hat
Enterprise Linux 5 on a system with a KVM switch, installation would be constrained to text mode.
Anaconda no longer checks for bad or missing EDID, and allows graphical installation to proceed
even when this information is unavailable. Graphical installation on machines attached to KVM
switches therefore continues as if them monitor were connected directly to the graphics adapter.
(BZ#44548613)
• previously, anaconda expected storage devices to be available immediately when it probed for the
location of a kickstart file. On systems where USB storage might not be available immedately (for
example, IBM BladeCenter systems), anaconda would not find the kickstart file and would prompt
the user for its location. This interaction negated the usefulness of kickstart, since the installation
could not then complete unattended. Anaconda now waits until it has probed five times or for
more than 31 seconds before prompting the user for the location of a kickstart file. This allows USB
storage enough time to respond and for kickstart to proceed unattended. (BZ#46056614)
• previously, some user interface elements in the the Malayalam translation of anaconda overlapped.
The overlapping elements disabled some buttons in the screen where anaconda lets users to
choose a partitioning scheme for the system, and prevented installation from continuing. The text
of the Malayalam translation has been shortened so that the interface elements no longer overlap.
The buttons on the partitioning scheme screen now work correctly and allow installation to continue.
(BZ#47935315)
• during installation, anaconda automatically examines any storage device that has the label OEMDRV
for driver updates and applies any updates that it finds there. Previously, anaconda searched
for this label on the devices listed in /proc/partitions. However, /proc/partitions does
not identify CD or DVD media, so anaconda overlooked optical disks that had the correct label.
Anaconda now examines the devices listed in /sys/block. Therefore, anaconda correctly
identifies CDs and DVDs labelled OEMDRV as driver discs and automatically applies any driver
updates contained on them. (BZ#48506016)
• previously, if anaconda required network access early in an installation (for example, to retrieve a
kickstart file or driver disk image), it temporarily saved information about the network configuration
while it enabled access to the network. However, if anaconda required network access again for
a separate reason, it would not attempt to configure network access again, but would not be able
to connect to the network either, because it no longer retained the configuration information that it
had already used. Therefore, anaconda could not download both a kickstart file and a driver disk
image over a network. Anaconda now retains the network configuration that it obtains early in the
installation process, and can reuse this information multiple times. Therefore, anaconda can use
more than one resource obtained over a network during installation. (BZ#49504217)
• previously, while upgrading a system, anaconda did not check whether packages marked for
installation as dependencies were already installed on the system. Consequently, many packages
would be reinstalled during an upgrade, wasting time and, in the case of network installations,
bandwidth. Now, when performing an upgrade, anaconda matches the packages to be installed
against the packages that are already installed. Any packages with the same Name, Arch, Epoch,Version, Release (NAEVR) as a package already on the system are skipped and not reinstalled.
(BZ#49579618)
• previously, anaconda did not specify a value for HOTPLUG when writing the system's networking
configuration files, although it did write a value for ONBOOT. Because HOTPLUG is enabled by
default, the effect of disabling ONBOOT was limited because any interface not activated at boot
time would be enabled anyway whenever probed by the system. Anaconda now writes a value for
HOTPLUG, setting it to the same value as ONBOOT. Therefore, any network interface not meant to be
enabled at boot time will not be automatically enabled by probing either. (BZ#49808619)
4
RHBA-2010:0194: bug fix and enhancement update
• the part kickstart command accepts an option called --label that allows a label to be applied
to a disk partition during a kickstart installation. However, the code that implemented this option
was previously missing from anaconda. Any label specified in a kickstart file was therefore ignored.
Anaconda now includes code to transfer the specified label from the kickstart file to the disk
partition. Users can now label disk partitions during kickstart installations. (BZ#49885620)
• when running in rescue mode, anaconda previously lacked the ability to identify partitions on logical
volumes if the partitions were identified in fstab by label rather than by device name. Therefore,
if the root (/) partition were identified in this way, the usefulness of rescue mode would be limited.
Anaconda in rescue mode now uses the getLabels() method to find partitions and therefore
properly detects root partition even if it resides on a logical volume and is identified by label in
fstab. (BZ#50217821)
• previously, the help text available while configuring NETTYPE for IBM System z systems did not
mention HiperSockets. Users new to System z might therefore not have known to choose qeth to
configure HiperSocket interfaces on their hardware. The help text has now been updated to indicate
the correct choice and users can select the appropriate option. (BZ#51196222)
• when the RUNKS was set to 0 in the CMSCONFFILE file on IBM System z systems, anaconda should
have performed an installation in interactive mode. However, a rewrite of linuxrc.s390 changed
the behavior of RUNKS and led to anaconda ignoring this variable. Installation would therefore
proceed in non-interactive mode regardless of what value was set in CMSCONFFILE. A new test
is now included in the version of linuxrc.s390 in Red Hat Enterprise Linux 5.5 so that anaconda
honors RUNKS=0 and performs an interactive install if this value is set. (BZ#51395123)
• by design, anaconda recognizes any block device with the label OEMDRV as a driver disc and
searches it for a driver update. However, anaconda previously failed to examine dev nodes and
therefore, it would not recognize this label on USB storage devices mounted as a partitionless block
devices. Anaconda now examines dev nodes for the label OEMDRV and treats them the same
as partitions with this label. It is therefore possible to use a partitionless device as a driver disc.
(BZ#51543724)
• previously, anaconda did not reinitialize its record of the partition layout on a system when users
clicked the back button from the partitioning screen. Therefore, when a user selected a partition
layout, went back to an earlier screen, and then went forward again to choose a different partition
layout, anaconda would attempt to implement the new partition layout over the previously-selected
partition layout instead of the partition layout actually present on the system. This would sometimes
result in a crash. Now, when users step backwards from the partitioning screen. anaconda
reinitializes its record of the partitions present on the system. Users can therefore change their
minds about partitioning options without crashing anaconda. (BZ#51671525)
• systems store information about iSCSI targets to which they are connected in the iSCSI BootFirmware Table (iBFT) in BIOS. Previously, however, when anaconda installed Red Hat Enterprise
Linux 5 from a local installation source such as a CD, DVD, or hard disk, it would not initialize
network connections before asking users to configure storage on the system. Therefore, on systems
with iSCSI storage, users would have to configure a network connection manually before proceding
with installation, even when this information was already available to anaconda in the system BIOS.
Now, when anaconda detects a valid iBFT present on a system, it automatically loads the network
configuration specified there and does not requre users to enter this information. Installation from
local media on systems with iSCSI storage is therefore simpler and more reliable. (BZ#51776826)
• due to faulty logic, anaconda previously did not parse IPv6 addresses correctly and attempted
to read the final byte of the address as a port number. It was therefore not possible, for example,
5
Chapter 1. Package Updates
to install on an iSCSI target specified by in IPv6 address. The logic by which anaconda parses
IP addresses has now been corrected, but now requires IPv6 addresses to be specified in the
[address]:port form to comply with the relevant RFCs. This form removes ambiguity, since IPv6
addresses are still valid if they omit a sequence of bytes with zero values. When IPv6 addresses
are specified in this format, anaconda parses them correctly and installation continues as normal.
(BZ#52505427)
• comments in kickstart files are marked with a pound symbol (#) at the start of the line. However,
anaconda did not previously account for the possibility that users might mark a comment with
multiple pound symbols (for example, #####). Anaconda would therefore attempt to parse lines
that started with multiple pound symbols and installation would fail. Anaconda now recognizes lines
that start with multiple pound symbols as comments and does not attempt to parse them. Users can
now safely mark comments in kickstart files in this way. (BZ#52567628)
• to avoid a circular dependency that exists between the ghostscript and ghostscript-fonts packages,
anaconda ignored ghostscript's dependency on ghostscript-fonts. However, ghostscript-fonts
was not explicitly installed as part of the Printing package group. The usefulness of Ghostscript
as installed by anaconda was therefore limited. Anaconda still avoids the circular dependency,
but now specifically installs ghostscript-fonts when users select the Printing package group.
(BZ#53054829)
• previously, anaconda did not automatically instruct the kernel to check for multipath devices when
installing on IBM System z systems. Therefore, unless users booted with the mpath boot option,
iSCSI devices detected on more than one path would be represented in the installer multiple
times, one for each path. Anaconda now automatically loads the mpath boot option and therefore
represents multipath devices correctly. (BZ#53812930)
• Dell PowerEdge servers equipped with the SAS6i/R integrated RAID controller use BIOS EnhancedDisk Drive Services (EDD) to identify the storage device from which to boot the operating system.
Previously, anaconda did not parse EDD to identify the correct boot device. Consequently, with a
RAID 0 and RAID 1 configured on the system, anaconda would choose the wrong device and the
system would not be bootable. Anaconda now parses EDD to support the SAS6i/R integrated RAID
controller, so that it selects the correct boot device for systems that use this device. (BZ#54063731)
• previously, anaconda would always attempt to reconstruct pre-existing Logical VolumeManagement (LVM) devices during installation. Anaconda would attempt to recreate the LVM
device even when a user cleared the LVM partitions from one or more of the disks that held
partitions that formed part of a volume group. In this case, installation would fail. Now, anaconda
no longer attempts to reconstruct incomplete LVM devices. Users can therefore safely reallocate storage that was once part of a volume group and installation will proceed as expected.
(BZ#54586932)
• when ksdevice=link is set in a kickstart file, anaconda should automatically select the first
available network interface and use it during installation. This avoids the need for user input and
allows installation to proceed unattended. However, if interfaces were in a state where anaconda
could not determine their status, anaconda would revert to interactive more and prompt the user
to select a network interface, thus making unattended installation impossible on systems where
network interfaces could be in such a state. Anaconda now forces the network interfaces on the
system into IFF_UP and IFF_RUNNING states before it attempts to obtain link status. Because
the interfaces are now in a state where they can report their link status to anaconda, Anaconda
can automatically choose one to use during installation and kickstart installations can proceed
unattended. (BZ#54975133)
6
RHBA-2010:0194: bug fix and enhancement update
• previously, when installing on IBM System z systems, anaconda assumed that the network gateway
was unreachable if its attempt to ping the gateway timed out after 10 seconds. Anaconda would
then prompt the user to select a gateway. However, if IPADDR in the conf file has changed recently,
network interfaces take longer to respond. Anaconda now prompts the user only when three pings
have failed and therefore avoids prompting the user for gateway information that is already correctly
specified in the conf file. (BZ#50674234)
In addition, this updated package provides the following enhancements:
• after transferring installation files to a z/VM guest, a user must execute a series of ConversationalMonitor System (CMS) commands to IPL the zLinux installation. These commands can be
scripted, but no such script was previously included with Red Hat Enterprise Linux 5. The lack of
a readymade script made installation more difficult for users unfamiliar with CMS commands. The
CMS script for starting the install process on z/VM is now included in the Red Hat Enterprise Linux 5
images, simplifying installation. (BZ#47534335)
• anaconda now loads the Brocade BNA Ethernet Controller driver, and supports Brocade Fibre
Channel to PCIe Host Bus Adapters. (BZ#47570736)
• previously, anaconda did not offer users the opportunity to configure NFS options during interactive
installation (although these could be configured in kickstart files). Users who needed to fine-tune
NFS parameters for installation were therefore forced to run an unattended installation. Now,
anaconda presents users who select NFS installation with a dialog in which they can configure NFS
options to suit their needs. (BZ#49305237)
• previously, it was not possible to configure hypervisor parameters during a kickstart installation. As
a result, users needed to specify hypervisor parameters manually after installation, negating the
usefulness of kickstart as as a mechanism for unattended installations. Now, anaconda recognizes
a new kickstart option, --hvargs and sets Hypervisor parameters accordingly. (BZ#50143838)
• previouisly, during a kickstart installation when multiple multipath LUNs were available, anaconda
would automatically choose the LUN with the lowest ID number for the root device. Users had no
ready way to customize this behavior. Now, anaconda supports a multipath kickstart command
with --name and --device options that allow users to specify a LUN for root. (BZ#50276839)
• anaconda can retrieve kickstart files from FTP servers. Previously, however, anaconda did not
support users specifying authentication credentials to access an FTP server. Therefore, if access
to the server were protected by a passphrase, anaconda could not retrieve the kickstart file.
Now, when specifying the location of a kickstart file with the ks= boot option, users can provide a
passphrase to allow anaconda to retrieve the kickstart files fom a protected server. (BZ#50542440)
• previously, troubleshooting errors that occurred while running %pre and %post kickstart scriptlets
was very difficult because anaconda did not log the behavior of these scriptlets. Anaconda now
copies %pre and %post kickstart scriptlets to /tmp together with a log. These records make
troubleshooting kickstart installations easier. (BZ#51063641)
• Reipl is a kernel feature that instructs IBM System z systems where to boot next, as these systems
do not have a default boot location. Anaconda did not previously support Reipl, which meant
that during installation, users had to specify a boot location manually between different phases
of the installation. Anaconda now supports Reipl, so these reboots can happen automatically.
(BZ#51219542)
7
Chapter 1. Package Updates
• NPort ID Virtualization (NPIV) presents one physical Fibre Channel adapter port to the SAN as
multiple WWNN/WWPN pairs. Anaconda now supports NPIV, which allows users on PowerPC
systems to install to a NPIV LUN. (BZ#51223743)
• the Python executables that make up anaconda now all explicitly use the system Python (#! /usr/bin/python instead of #! /usr/bin/env python). This ensures that anaconda functions
correctly when more than one Python stack is present on a system. (BZ#52133744)
• anaconda now supports the Emulex OneConnect iSCSI network interface card. (BZ#52944245)
• anaconda now supports PMC Sierra MaxRAID controller adapters. (BZ#53277746)
• although users have been able to specify package groups for installation in kickstart files, using the
@ prefix, it was not possible to exclude package groups from installation, only individual packages.
Anaconda now supports excluding package groups with the -@ prefix (BZ#55851647)
• anaconda now loads the xorg-x11-qxl-drv and xorg-x11-ast-drv X11 video drivers as required.xorg-x11-qxl-drv supports the qemu QXL video accelerator when installing Red Hat Enterprise
Linux 5 as a guest operating system. xorg-x11-ast-drv supports ASPEED Technologies video
hardware. (BZ#56766648)
1.5. apr-util
1.5.1. RHEA-2010:0310: enhancement update
Updated apr-util packages that add support for MySQL are now available.
apr-util is a utility library used with the Apache Portable Runtime (APR). It aims to provide a free library
of C data structures and routines. This library contains additional utility interfaces for APR; including
support for XML, LDAP, database interfaces, URI parsing, and more.
In previous releases, the APR utility library DBD (database abstraction) interface did not include
support for MySQL databases. This update adds the MySQL driver to the DBD interface.
(BZ#25207349, BZ#49134250)
All users requiring MySQL support should install these newly released packages, which add this
enhancement.
1.6. at
1.6.1. RHBA-2009:1654: bug fix and enhancement update
Note
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2009:1654
An updated "at" package that adds and documents a configuration enhancement and corrects the debuginfo build is now available.
"At" and "Batch" read commands from standard input or from a specified file. At allows you to specify
that a command will be run at a particular time. Batch will execute commands when the system load
levels drop to a particular level. Both commands use /bin/sh.
This update addresses the following issue:
* although "at" contains ELF objects, the at-debuginfo package was empty. With this update the debuginfo package contains valid debugging information as expected. (BZ#50054252)
This update also adds the following enhancements:
* previously, the atd daemon ran with hard-coded options and could only be configured at the
command-line. The atd daemon now reads a configuration file, /etc/sysconfig/atd, when it starts up,
enabling easier configuration, particularly for load options and multiprocessor systems. (BZ#23225953)
* The DESCRIPTION section of the "at" man page has been updated to note the existence, location
and purpose of the /etc/sysconfig/atd configuration file. Note: as the man page suggests, the sample
configuration file included with this update is the primary source of information about atd configuration
options. (BZ#53779254)
Users are advised to upgrade to this updated package, which fixes this bug and adds these
enhancements.
1.7. audit
1.7.1. RHBA-2010:0228: bug fix update
An updated audit package that fixes various bugs and provides an enhancement is now available.
The audit package contains the user space utilities for storing and searching the audit records
generate by the audit subsystem in the Linux 2.6 kernel.
This update includes the following fixes:
* The man page was ambiguous in explaining the structure of dates and the supplied examples
often did not work because of different date formats in various locales. This caused some confusion
amongst users. The page has been rewritten to clarify that the date format accepted by aureport and
ausearch is influenced by the LC_TIME environmental variable, eliminating the confusion about this
issue. (BZ#51397455)
* The audit package's libauparse function had a bug that meant it could not interpret IPC (inter-process
communication) mode fields. When it attempted to do so, a segmentation fault would occur. The
audit package has now been patched so that IPC mode fields are interpreted by the software without
crashes resulting. (BZ#51979056)
This update also includes the following enhancement:
* The audit package has been rebased and, as a result, a number of new features have been added.
These include:
1. Allowing ausearch/report to specify multiple node names (which are needed for remote logging).
2. auparse can now handle empty AUSOURCE_FILE_ARRAYs. 3. auditctl rules now allow a0-a3 to
be negative numbers. 4. An audit.rules man page has been added. 5. auditd resets syslog warnings
if disk space becomes available. 6. The != operator in audit_rule_fieldpair_data is now checked. 7. A
tcp_max_per_addr option has been added to auditd.conf in order to limit concurrent connections. 8.
Many improvements to remote logging code.
As a result, these enhancements are now available for system administrators, making auditing options
much more flexible. (BZ#52985157)
1.8. autofs
1.8.1. RHBA-2009:1468: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata
RHBA-2009:1468
An updated autofs package that fixes two bugs is now available.
The autofs utility controls the operation of the automount daemon. The automount daemon
automatically mounts file systems when you use them, and unmounts them when they are not busy.
This updated package fixes the following two autofs bugs:
* autofs was incorrectly using a non-thread-safe libxml2 function as though it was thread-safe.
This sometimes resulted in autofs crashing. With this update the calls to xmlCleanupParser() and
xmlInitParser() have been moved: these functions are now only called as autofs starts and exits,
ensuring these libxml2 functions are not called more than once while autofs is running. (BZ#52318859)
* a recent correction related to autofs master map entry updating introduced a regression whereby
it was possible to deadlock when requesting a map re-load when an entry in a direct map had been
removed. This update adds a check that ensures such map re-load requests do not cause a deadlock.
(BZ#52543160)
All autofs users should install this updated package which addresses these issues.
58
1.8.2. RHBA-2010:0265: bug fix update
The autofs utility controls the operation of the automount daemon. The automount daemon
automatically mounts file systems when you use them, and unmounts them when they are not busy.
• If an included map read failed, autofs returned an error and subsequent master map entries were
not read. This update reports the failure in the log but master map reading no longer ceases.
(BZ#50603461)
• autofs could segfault if it called xmlCleanupParser concurrently from multiple threads, as this
function is not re-entrant. autofs has been changed to call this function only once from its main
thread, when the application exits. (BZ#51328962)
• autofs could segfault at startup when using LDAP under certain circumstances. autofs would fail to
try and retrieve a query dn if:
• LDAP is being used to store autofs maps and...
• The LDAP schema to be used for the maps is explicitly defined in the autofs configuration and...
• No master map entries exist in LDAP.
This set of conditions would return success instead of failure. This update fixes the get query dn
failure. (BZ#57260363)
• If a master map entry is changed in any other way besides the map name (for example, map wide
options) the system encountered two application data structures for the "same" map during a map
re-read. If the contents of that map has also changed, a deadlock can occur.
Having the duplicate data structure also caused entries in the problem map to be umounted. Since
direct mount maps have a distinct autofs mount for each entry direct mount they appeared to stop
working. This update corrects this behaviour. (BZ#51441264)
• autofs would block for several minutes when attempting to mount from a server that was not
available. A new mount_wait parameter has been added to prevent this block. This update requires
SELinux policy 255 or later. (BZ#51734965)
• The autofs parser objected to locations containing the characters '@' and '#' (Lustre and sshfs
mounts) causing the mount request to fail. This update allows autofs to parse these characters and
mount successfully. (BZ#52074566)
• Due to an incorrect system call an error message stating "Operation not permitted" would be
returned when attempting to mount an unknown hostname. This call has been corrected and autofs
now returns "hostname lookup failed" as would be expected. (BZ#53332367)
• A typing error in the usage text of the autofs service script has been corrected. (BZ#53401268)
• When changing the timed wait from using select(2) to poll(2) in the non-blocking TCP connection
function, to overcome the 1024 file handle limit of select(2), the wait timeout was not correctly
converted from seconds to milliseconds. This update corrects the problem. (BZ#53974769)
• autofs failed to mount locations whose path depended on another local auto-mounted mount.
Dependent mounts are triggered by calling access(2) on the mount location path prior to mounting
the location. The check for whether a location was a local path was restrictive and didn't cater for all
cases. This has now been fixed. (BZ#53740370)
• Inter-operability between autofs and some non-open source LDAP servers was impaired when a
SASL authenticated connection was used over muliple bind and unbind operations. autofs has been
updated use distinct authentication connection for each server it binds to. (BZ#53779371)
11
Chapter 1. Package Updates
• autofs failed to load its maps if all LDAP servers were down, or unreachable, when the daemon
started. The dependency on an LDAP server being available at startup has been removed. This
change resolved the issue of the map server being unreachable for some common usage cases.
(BZ#54355472)
• The random selection option used with mount locations that have multiple servers was not being
set correctly during the paring of master map entries. If specified as a mount option in master map
entries the option is now used as has been requested. (BZ#54847673)
• Setting the expire timeout to 0 was causing autofs to constantly schedule expire runs leading to
excessive resource usage and preature umounting of mounts. Setting the timeout to 0 should in fact
disable expiry of mounts and this update fixes this incorrect behavior. (BZ#54827774)
• autofs would abort when using DIGEST-MD5 authentication under heavy concurrent access.
This was caused by autofs not providing the locking functions required by the cyrus-sasl library.
In addition the cyrus-sasl library locking functions contained a race which sometimes lead to a
deadlock. This update adds the needed locking functions to autofs and passes them to cyrus-sasl at
initialization. The bug in the cyrus-sasl library is fixed in cyrus-sasl-lib 2.1.22-5.el5.el5_4.3 and later
which is required for the update to install if cyrus-sasl is also installed. (BZ#55943075)
All autofs users should upgrade to this updated package, which resolves these issues.
1.9. automake
1.9.1. RHSA-2010:0321: Low security update
Updated automake, automake14, automake15, automake16, and automake17 packages that fix one
security issue are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available from the CVE link in the References section.
Automake is a tool for automatically generating Makefile.in files compliant with the GNU Coding
Standards.
Automake-generated Makefiles made certain directories world-writable when preparing source
archives, as was recommended by the GNU Coding Standards. If a malicious, local user could access
the directory where a victim was creating distribution archives, they could use this flaw to modify the
files being added to those archives. Makefiles generated by these updated automake packages no
longer make distribution directories world-writable, as recommended by the updated GNU Coding
Standards. (CVE-2009-402976)
Note: This issue affected Makefile targets used by developers to prepare distribution source archives.
Those targets are not used when compiling programs from the source code.
All users of automake, automake14, automake15, automake16, and automake17 should upgrade to
these updated packages, which resolve this issue.
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2010:0034
Updated avahi packages that address two bugs are now available.
Avahi is an implementation of the DNS Service Discovery and Multicast DNS specifications for
Zeroconf Networking. It facilitates service discovery on a local network. Avahi and Avahi-aware
applications allow you to plug your computer into a network and, with no configuration, view other
people to chat with, see printers to print to, and find shared files on other computers.
This update fixes the following two bugs:
77
avahi
* previously, avahi published a static SSH-SFTP service by default, regardless of the machine and
regardless of whether an ssh server was running or not. As a result, all Red Hat Enterprise Linux
instances also running Avahi appeared in the LAN listings of file browsers and file managers (eg
"Places > Network" in Nautilus or "Go > Network Folders" in Konquerer) even if they were not acting
as file servers. This update still includes a static SSH-SFTP service but it now ships as a deactivated
example service (ie, is not published by default). The static SSH-FTP service can be activated
manually, but systems running Avahi no longer appear in file manager LAN listings by default.
(BZ#21914378)
* previously, running the Avahi init scripts with a "status" argument resulted in a return code of 0,
regardless of whether the daemons are running or not. This update corrects that: a missing avahi
daemon now results in a failure return code (1) as expected. (BZ#23216179)
All avahi users should install these updated packages, which address these issues.
1.11. bind
1.11.1. RHSA-2010:0062: Moderate security update
Important
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2010:0062
80
Updated bind packages that fix two security issues are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response
Team.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS)
protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use
when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
A flaw was found in the BIND DNSSEC NSEC/NSEC3 validation code. If BIND was running as a
DNSSEC-validating resolver, it could incorrectly cache NXDOMAIN responses, as if they were valid,
for records proven by NSEC or NSEC3 to exist. A remote attacker could use this flaw to cause a BIND
server to return the bogus, cached NXDOMAIN responses for valid records and prevent users from
retrieving those records (denial of service). (CVE-2010-009781)
The original fix for CVE-2009-4022 was found to be incomplete. BIND was incorrectly caching certain
responses without performing proper DNSSEC validation. CNAME and DNAME records could be
cached, without proper DNSSEC validation, when received from processing recursive client queries
that requested DNSSEC records but indicated that checking should be disabled. A remote attacker
could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if
the target BIND server was receiving such client queries. (CVE-2010-029082)
All BIND users are advised to upgrade to these updated packages, which contain a backported
patch to resolve these issues. After installing the update, the BIND daemon (named) will be restarted
automatically.
1.11.2. RHSA-2009:1620: Moderate security update
Important
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2009:1620
Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response
Team.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS)
protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use
when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
Michael Sinatra discovered that BIND was incorrectly caching responses without performing proper
DNSSEC validation, when those responses were received during the resolution of a recursive client
query that requested DNSSEC records but indicated that checking should be disabled. A remote
attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning
attack if the target BIND server was receiving such client queries. (CVE-2009-402284)
83
All BIND users are advised to upgrade to these updated packages, which contain a backported
patch to resolve this issue. After installing the update, the BIND daemon (named) will be restarted
automatically.
Updated binutils packages that fix various bugs are now available.
Binutils is a collection of binary utilities, including ar (for creating, modifying and extracting from
archives), as (a family of GNU assemblers), gprof (for displaying call graph profile data), ld (the GNU
linker), nm (for listing symbols from object files), objcopy (for copying and translating object files),
objdump (for displaying information from object files), ranlib (for generating an index for the contents of
an archive), readelf (for displaying detailed information about binary files), size (for listing the section
sizes of an object or archive file), strings (for listing printable strings from files), strip (for discarding
symbols), and addr2line (for converting addresses to file and line).
These updated binutils packages provide fixes for the following bugs:
* The readelf debugging utility was placing subject error messages in the middle of the .debug_str in
the stderr output. This meant that location lists in the .debug._info section that were not in ascending
order could not be handled correctly and the debugger could pick the wrong function, leading to
dropped debug information. A patch has now been added and, as a result, the location lists can now
be handled correctly, irrespective of order. As a result, the debugger now picks the right function when
looking up symbols and debug information is no longer dropped. (BZ#49916485,
BZ#50912486)
* The strings command was not parsing files correctly. When used with a multi-digit <NUM>
argument (such as strings -10 filename.txt) an "invalid integer argument" error would occur because it
regarded each numeral as a separate argument. The parsing has now been corrected via a patch to
strings.c.multidigit_input so that multi-digit numerals are regarded as parts of a single argument. As a
result, files are now parsed correctly. (BZ#50876587)
* There was a regression in binutils-devel that caused it to build "oprofile" files incorrectly. As a
result, bfd_get_section_by_name() returned incorrect information about the debuginfo section and an
"opreport" error would occur. The bfd.h header's API has now been fixed to match the BFD library's
ABI. As a result, the per-symbol profile is now generated correctly and the opreport runs without error.
(BZ#52902888)
* There was a link failure whereby when a symbol in a comdat/linkonce section had a different level
of visibility in different files, the linker could not merge the visibility. As a consequence, after the
ld command was run, a "final link failed: Bad value" error would occur. A patch has been added
to elflink.c.sym_visibility to make sure that the visibility is kept. As a result, ld now can now merge
different levels of visibility without error. (BZ#53126989)
Users are advised to upgrade to these updated binutils packages, which resolve these issues.
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2009:1593
Updated bogl packages that fix a bug are now available.
Ben's Own Graphics Library (BOGL) is a small graphics library for Linux kernel frame buffers. It
supports only very simple graphics. The bogl packages also include bterm, a Unicode-capable
terminal program for the Linux frame buffer.
These updated packages provide a fix for the following bug:
90
* when editing a file with vi from within the bterm console, a SIGSEGV error could occur, causing both
vi and bterm to crash. This update adds a check that keeps "yorig" from equaling -1, which prevents
the underlying memory reference error occurring. (BZ#51795791)
All bogl users are advised to upgrade to these updated packages, which resolve this issue.
1.14. bootparamd
1.14.1. RHBA-2010:0057: bug fix update
Note
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2010:0057
An updated bootparamd package that fixes a bug is now available.
Bootparamd is a server process that provides information to diskless clients necessary for booting;
consulting the /etc/bootparams file for required information.
92
When bootparamd is used for multihomed environment handling, it would previously evaluate the
route to be returned to the first requesting client and re-evaluate the route to be returned for each
client thereafter. Even though it re-evaluates what router IP to return for each following client, it would
always send back the first route, due to it being the one that was cached. This updated package
ensures that no re-evaluation occurs concerning the router IP to return for each client. (BZ#44610893)
All users of bootparamd are advised to upgrade to this updated package, which resolves this issue.
1.15.1. RHBA-2010:0185: bug fix and enhancement update
An updated booty package that fixes a bug and adds an enhancement is now available.
The booty package contains a python library which provides an interface for the creation of boot
loader configuration files and the addition of stanzas to said configuration files. These boot loader
configuration files are used by the anaconda installer.
This updated booty package fixes the following bug:
* early in the installation process, anaconda creates a ramdisk to hold files that it will need to complete
the installation. Previously, when installing the debug kernel for Red Hat Enterprise Linux on IBM
System z, the ramdisk was larger than the default memory address that ZIPL allocated to hold the
ramdisk. Installation would therefore fail. The /etc/zipl.conf file that booty creates for anaconda now
explicitly specifies a suitable address for the ramdisk so that ZIPL does not rely on the insufficient
default address. With enough space to create the ramdisk, installation succeeds. (BZ#42990694)
In addition, this updated package provides the following enhancement:
* previously, there was no way to configure hypervisor parameters during a kickstart installation.
Therefore, these parameters would have to be configured manually after installation. Red Hat
Enterprise Linux now includes a new option for the "bootloader" command in kickstart, "--hvargs",
which sets hypervisor parameters in grub.conf during installation. It is now possible to automate
this part of the installation process. Refer to the Red Hat Enterprise Linux 5 Installation Guide for a
description of the "--hvargs" option. (BZ#55295795)
Users of booty are advised to upgrade to this updated booty package, which resolves this issue and
adds this enhancement.
1.16. brltty
1.16.1. RHSA-2010:0181: Low security and bug fix update
Updated brltty packages that fix one security issue and several bugs are now available for Red Hat
Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available from the CVE link in the References section.
brltty (Braille TTY) is a background process (daemon) which provides access to the Linux console
(when in text mode) for a blind person using a refreshable braille display. It drives the braille display,
and provides complete screen review functionality.
It was discovered that a brltty library had an insecure relative RPATH (runtime library search path)
set in the ELF (Executable and Linking Format) header. A local user able to convince another user
to run an application using brltty in an attacker-controlled directory, could run arbitrary code with the
privileges of the victim. (CVE-2008-327996)
These updated packages also provide fixes for the following bugs:
* the brltty configuration file is documented in the brltty manual page, but there is no separate manual
page for the /etc/brltty.conf configuration file: running "man brltty.conf" returned "No manual entry for
brltty.conf" rather than opening the brltty manual entry. This update adds brltty.conf.5 as an alias to the
brltty manual page. Consequently, running "man brltty.conf" now opens the manual entry documenting
the brltty.conf specification. (BZ#530554
9897
)
* previously, the brltty-pm.conf configuration file was installed in the /etc/brltty/ directory. This file,
which configures Papenmeier Braille Terminals for use with Red Hat Enterprise Linux, is optional. As
well, it did not come with a corresponding manual page. With this update, the file has been moved
to /usr/share/doc/brltty-3.7.2/BrailleDrivers/Papenmeier/. This directory also includes a README
document that explains the file's purpose and format. (BZ#530554
10099
)
* during the brltty packages installation, the message
was presented at the console. This was inadequate, especially during the initial install of the system.
These updated packages do not send any message to the console during installation. (BZ#529163
* although brltty contains ELF objects, the brltty-debuginfo package was empty. With this update, the debuginfo package contains valid debugging information as expected. (BZ#500545
102
)
101
* the MAX_NR_CONSOLES definition was acquired by brltty by #including linux/tty.h in Programs/
api_client.c. MAX_NR_CONSOLES has since moved to linux/vt.h but the #include in api_client.c
was not updated. Consequently, brltty could not be built from the source RPM against the Red Hat
Enterprise Linux 5 kernel. This update corrects the #include in api_client.c to linux/vt.h and brltty now
builds from source as expected. (BZ#456247
103
)
All brltty users are advised to upgrade to these updated packages, which resolve these issues.
1.17. checkpolicy
1.17.1. RHBA-2010:0184: bug fix update
An updated checkpolicy package that makes a man page correction, fixes help message and man
page omissions and allows the unknown access flag to be specified is now available.
checkpolicy is the policy compiler for Security-Enhanced Linux (SELinux). The checkpolicy utility is
required for building SELinux policies.
)
This updated checkpolicy package addresses the following issues:
* newer SELinux kernels have access checks that the shipping SELinux policy package does not
understand. The kernel currently denies these access checks by default. This updated checkpolicy
package can build an selinux-policy package that tells the kernel to "Allow" unknown access.
(BZ#531229
104
)
* the checkpolicy man page listed (but did not otherwise document) a "-m" switch. checkpolicy
supports a "-M" switch but not a "-m" switch. This update removes the "-m" option from the checkpolicy
SYNOPSIS. Note: the "-M" switch was and is documented in the OPTIONS section of the checkpolicy
man page. (BZ#533790
105
)
* checkmodule's "-d" switch (which switches the tool to debug mode) was documented in the
checkmodule man page but not in the output of checkmodule's help message (ie the output of
"checkmodule --help" or "checkmodule -h"). Also, the "-h" switch was not documented at all. With this
update, the "-d" switch is now included in help message output and the "-h" switch is documented in
both the checkmodule man page and the checkmodule help message. (BZ#533796
106
)
All SELinux users should install this updated package which resolves these issues.
1.18. chkconfig
1.18.1. RHBA-2009:1628: bug fix update
Note
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2009:1628
Updated chkconfig packages that resolve several issues with the alternatives utility and provide
various man page corrections are now available.
The basic system utility chkconfig updates and queries runlevel information for system services.
These updated chkconfig packages provide fixes for the following bugs:
* when the "alternatives" utility was run and an error occurred, no contextual information such as the
line number of the error was provided. With this update, upon an error, "alternatives" now provides
the line number where the error occurred in the relevant file in the /var/lib/alternatives directory, which
helps to diagnose alternatives-related errors. (BZ#441443
* using the "alternatives" utility and selecting the last available option and then uninstalling the
program which provided that alternative did not result in the removal of the symbolic links for that
option. Because the previously-set alternative was no longer available and the symbolic link remained,
the program was then rendered unusable. With this update, when the aforementioned condition is met,
the "alternatives" program now recognizes that the program is no longer available and removes the
extraneous symbolic link, with the result that the next-best alternative is properly selected, and running
the program works as expected. (BZ#525051
* the chkconfig(8) man page contained a description of the syntax for running chkconfig that differed
from the correct description presented when running "chkconfig --help". The man page has been
corrected to correspond with the program's help information. (BZ#501225
110
)
* the chkconfig(8) man page contained an incorrect reference to runlevel 7, which does not exist
(runlevels extend from 0 to 6, inclusive). This update corrects the man page by removing all
references to "runlevel 7". (BZ#466740
111
)
* the ntsysv(8) man page referenced a non-existent man page, servicesconf. This reference has been
removed. (BZ#516599
112
)
All users of chkconfig are advised to upgrade to these updated packages, which resolve these issues.
1.19. cman
1.19.1. RHBA-2009:1435: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata
RHBA-2009:1435
Updated cman packages that fix a bug and add an enhancement are now available.
The Cluster Manager (cman) utility provides user-level services for managing a Linux cluster.
This update applies the following bug fix:
* in several places internally, cman assumed a transition message meant the node in question (or
the sending node) was joining the cluster rather than just sending its current post-transition state. In
some circumstances, this could lead to cman killing the wrong nodes. With this update, cman now
checks the first_trans flag, which is set when a node first encounters another node in the cluster. Only
if first_trans is set does cman now consider the node as joining the cluster. (BZ#518061
113
114
)
Also, this update includes the following enhancement:
First, if a node was asked to remove a key (fence) for a device that it was not registered with, the node
attempted to register with that device on-the-fly. With this update, when nodes are asked to remove a
key from devices with which they are not registered, the fencing fails.
Second, for the common case of SAN environments with multiple Logical Unit Numbers (LUNs),
the devices (LUNs) that can be unregistered must be ordered consistently on all nodes. Consistent
ordering is not guaranteed by the Logical Volume Manager (LVM), however; device names can vary
from node to node to prevent interleaving of fence operation among devices. With this update, the
fence_scsi agent extracts the device name (pv_name) and Universally Unique Identifier (pv_uuid) and
builds a hash keyed on the UUID (which is consistent on all nodes). This ensures devices are ordered
consistently on each node.
Consequent to these two changes, the first node to fence removes the other node's key from the
device or devices. The second node, now not registered with the device, is not able to fence the first.
This allows fence_scsi to work in a 2-node cluster. (BZ#520823
115
)
All cman users should install this updated package, which fixes this bug and enables users to use
fence_scsi in a 2-node environment.
1.19.2. RHBA-2009:1516: bug-fix update
Note
This update has already been released (prior to the GA of this release) as errata
RHBA-2009:1516
Updated cman packages that fix a bug are now available.
The Cluster Manager (cman) utility provides user-level services for managing a Linux cluster.
This update applies the following bug fix:
116
Add support for power cycle command to fence_ipmi, which doesn't shut down the BMC controller.
Old behavior is still the default, so nothing changes without a configuration change. Now there is a
new method option that can have the value "cycle", which uses the ipmi power cycle command.
Users are advised to upgrade to these updated cman packages, which resolve this issue.
1.19.3. RHBA-2009:1598: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata
RHBA-2009:1598
Updated cman packages that resolve several issues are now available.
[Updated 4 Jan 2009] This update provides improved descriptions of both bug fixes included in this
advisory, and especially the description for bug 529712. The packages included in this revised update
have not been changed in any way from those included in the original advisory.
117
The Cluster Manager (cman) utility provides user-level services for managing a Linux cluster.
These updated cman packages provide fixes for the following bugs:
* when using device-mapper-multipath devices, registrations were only sent to the active path,
which meant that, in the event of path failure, the node would be unable to access the device via the
secondary path or paths because the device would not be registered with the secondary path(s). With
this update, the presence of device-mapper-multipath devices is detected correctly, the right paths are
discovered, and each path is registered, including secondary paths. (BZ#529712
118
)
* when running the /etc/init.d/scsi_reserve init script to check for errors, such as an incorrect
cluster.conf configuration, among others, upon finding an error the script did not print "[FAILED]" to
standard output, as is convention for system services which encounter startup errors. With this update,
the scsi_reserve init script has been fixed so that it prints "[FAILED]" to standard output when an
error is encountered, and "[OK]" otherwise. Any errors encountered are logged to the system log.
(BZ#530400
119
)
All users of cman are advised to upgrade to these updated packages, which resolve these issues.
1.19.4. RHBA-2009:1622: bug-fix update
Note
This update has already been released (prior to the GA of this release) as errata
RHBA-2009:1622
120
Updated cman packages that fix bugs are now available.
The Cluster Manager (cman) utility provides user-level services for managing a Linux cluster.
This update fixes the following bugs:
* qdiskd erroneously writes the message "qdiskd: read (system call) has hung for X seconds". (BZ
537157)
* Crash in fence_ipmilan when -M switch was not present on the command-line. (BZ 537157)
Users are advised to upgrade to these updated cman packages, which resolve these issues.
1.19.5. RHBA-2010:0266: bug fix and enhancement update
Updated cman packages that fix bugs and add enhancements are now available.
The Cluster Manager (cman) utility provides user-level services for managing a Linux cluster.
Changes in this update:
* fence_rsa fails to login with new RSA II firmware. (BZ#549473
* fence_virsh reports vm status incorrectly. (BZ#544664
122
* improve error messages from ccsd if there is a network problem. (BZ#517399
* certain failure scenarios during cluster mirror device creation could lead to future kernel panics.
(BZ#544253
180
)
All cmirror users should install these updated packages which fix these bugs.
1.21. cmirror-kmod
1.21.1. RHBA-2010:0309: bug fix update
Updated kmod-cmirror packages that fix two bugs are now available.
The kmod-cmirror package is necessary for LVM-based mirroring (RAID1) in a cluster environment.
This update addresses the following issues:
* error processing logic failed to remove a list item before freeing the associated memory.
(BZ#544253
* added version number to the kernel/daemon communication structure. (BZ#544253
All kmod-mirror users should install these updated packages, which fix these bugs.
182181
)
184183
)
1.22. conga
1.22.1. RHBA-2009:1623: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata
RHBA-2009:1623
Updated conga packages that fix a regression introduced between Red Hat Enterprise Linux 5.3 and
Red Hat Enterprise Linux 5.4 are now available.
The Conga project is a management system for remote workstations. It consists of luci, a secure webbased front-end, and ricci, a secure daemon that dispatches incoming messages to the underlying
management modules.
This update applies the following bug fix:
* the behavior of the virsh command changed between Red Hat Enterprise Linux 5.3 and Red Hat
Enterprise Linux 5.4. In Red Hat Enterprise Linux 5.4, non-root users must add a "--read-only" flag to
virsh commands for them to work correctly. The ricci component of conga runs the "virsh nodeinfo"
command to determine whether a node can host a Virtual Machine service and it does so as a nonroot user.
As a consequence, when run under Red Hat Enterprise Linux 5.4, running this command returned no
information and the luci front-end did not provide an "Add a virtual machine service" option to Services
in the Cluster tab for clusters that were expected to offer such services. With this update, ricci now
runs a "virsh nodeinfo --readonly" command, in line with the changed behavior, and the web-based
front end will provide options to add virtual machine services as expected. (BZ#537209
186
)
All conga users are advised to upgrade to these updated packages, which resolve this issue.
1.22.2. RHBA-2010:0289: bug fix and enhancement update
Updated Conga packages that fix numerous bugs (including a regression introduced between Red Hat
Enterprise Linux 5.3 and Red Hat Enterprise Linux 5.4) and add the ability to reset user passwords
when logged in to luci as an administrator are now available.
The Conga project is a management system for remote workstations. It consists of luci, which is a
secure web-based front-end, and ricci, which is a secure daemon that dispatches incoming messages
to underlying management modules.
This update applies the following bug fixes:
* The behavior of the virsh command changed between Red Hat Enterprise Linux 5.3 and Red Hat
Enterprise Linux 5.4. In Red Hat Enterprise Linux 5.4, non-root users must add a "--read-only" flag
to virsh commands. The ricci component runs the "virsh nodeinfo" command to determine whether a
node can host a Virtual Machine service and it does so as a non-root user. As a consequence, when
run under Red Hat Enterprise Linux 5.4, the "virsh nodeinfo" command returned no information and
luci did not provide an "Add a virtual machine service" option to Services in the Cluster tab for clusters
that were expected to offer such services. With this update, ricci now runs a "virsh nodeinfo --readonly"
command in line with the changed behavior, and luci provides options to add Virtual Machine services
as expected. (BZ#519252
* luci failed to start. (BZ#469881
* Conga doesn't run with SELinux. (BZ#476698
187
)
188
)
189
)
* Conga does not add the name of the managed system when adding an "LPAR Fencing" fence
device to a node. (BZ#508142
* fs resource will remount itself if any configuration changes are made to cluster.conf. (BZ#514051
* luci does not validate passwords and incorrect characters can be used. (BZ#519050
190
)
191
192
)
* previously, the shebang lines in luci's python executables pointed to "/usr/bin/env python" rather than
explicitly referencing the version of Python installed on the system. This broke those executables in
the case where a user was installing an alternative Python version. With this update, all shebang lines
point explicitly to the system version at /usr/bin/python. (BZ#521884
* Conga does not properly handle HA LVM types. (BZ#530129
* the ability to reset user passwords when logged in to luci as an administrator was added.
(BZ#519268
195
)
All Conga users are advised to upgrade to these updated packages, which resolve these issues and
add this enhancement.
1.23. coolkey
1.23.1. RHBA-2010:0068: bug fix update
Note
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2010:0068
Updated coolkey packages that resolve several issues are now available.
The coolkey packages contain driver support for CoolKey and Common Access Card (CAC) smart
card products.
These updated coolkey packages provide fixes for the following bugs:
* the Department of Defense's alternative CAC tokens are now supported by CoolKey. (BZ#226790
196
197
)
* the libcoolkeypk11.so shared object library, when it was not linked with the pthreads library, became
unresponsive when the C_Initialize() function was called following a call to syslog(). This update
ensures that libcoolkeypk11.so does not hang when it is not linked with the pthreads threading library
and the aforementioned scenario occurs. (BZ#245529
* CoolKey's PKCS#11 module failed to initialize when the C_Initialize() function was called and the
CKF_OS_LOCKING flag was set. This issue is related to the fix for BZ#245529
the PKCS#11 module successfully initializes. (BZ#443127
199198
202
)
201200
. With this update,
)
* the Red Hat Enterprise Security Client (ESC) incorrectly identified CAC cards as CoolKey cards,
and mistakenly opened the Phone Home dialog after doing so. With this update, CoolKey correctly
identifies CAC cards and assigns the correct functionality to them.
With this fix, it is still possible to view certificates and diagnostics for CAC cards, though the
management functions are now disabled. Finally, note that the RHBA-2010:0066 esc update must be
installed in order to fully resolve this issue. (BZ#499976
* CoolKeys is now able to recognize smart cards that use the T1 protocol, such as the SafeNet 330J,
in addition to the T0-protocol cards supported previously. (BZ#514298
* CoolKey now correctly handles cryptographic operations such as digital signing when using cards
with 2048-bit keys. Previously, only 1024-bit keys were supported. (BZ#514299
205
)
All users of coolkey are advised to upgrade to these updated packages, which resolve these issues.
1.24. coreutils
1.24.1. RHBA-2009:1511: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata
RHBA-2009:1511
An updated coreutils package that fixes a regression in the df command is now available.
The coreutils package contains core GNU utilities. It is a combination of the old GNU fileutils, sh-utils,
and textutils packages.
This update fixes the following bug:
206
* the coreutils update included with Red Hat Enterprise Linux 5.4 introduced a regression in the df
command. Running "df -l" with a specific device specified (for example, "df -l /dev/hda1") resulted in
a "Permission denied" message for regular users. This update corrects the regression: specifying
a device now works for regular users as it did previously. Note: running "df -l" to list all devices was
not affected by this bug: it worked as expected previously and continues to do so subsequent to this
update. (BZ#528641
207
)
All coreutils users should upgrade to this updated package, which addresses this regression.
1.24.2. RHBA-2010:0120: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata
RHBA-2010:0120
An updated coreutils package that fixes a bug in the readlink command is now available.
The coreutils package contains core GNU utilities. It is a combination of the old GNU fileutils, sh-utils,
and textutils packages.
This update fixes the following bug:
208
* when a directory contained a symbolic link to itself, the readlink command, which displays the value
of a symbolic link on standard output, incorrectly gave the following error message when attempting
to read the value of the symbolic link (or the value of the symbolic links when recursing through the
directory and its symlink): "Too many levels of symbolic links". With this update, readlink is once again
able to correctly resolve and output the value of the recursive symbolic links to containing directories,
or "directory loops", thus resolving the issue. (BZ#567545
209
)
All coreutils users should upgrade to this updated package, which addresses this regression.
1.25. cpio
1.25.1. RHSA-2010:0144: Moderate security update
Important
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2010:0144
An updated cpio package that fixes two security issues is now available for Red Hat Enterprise Linux
5.
210
This update has been rated as having moderate security impact by the Red Hat Security Response
Team.
GNU cpio copies files into or out of a cpio or tar archive.
A heap-based buffer overflow flaw was found in the way cpio expanded archive files. If a user were
tricked into expanding a specially-crafted archive, it could cause the cpio executable to crash or
execute arbitrary code with the privileges of the user running cpio. (CVE-2010-0624
Red Hat would like to thank Jakob Lell for responsibly reporting the CVE-2010-0624
A denial of service flaw was found in the way cpio expanded archive files. If a user expanded a
specially-crafted archive, it could cause the cpio executable to crash. (CVE-2007-4476
211
212
)
issue.
213
)
Users of cpio are advised to upgrade to this updated package, which contains backported patches to
correct these issues.
1.26. cpuspeed
1.26.1. RHBA-2010:0035: bug fix update
Note
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2010:0035
An updated cpuspeed package that fixes some initscript exit statuses, avoids loading on problematic
CPUs, and starts only after syslogd is now available.
The cpuspeed package configures CPU frequency scaling.
This update fixes the following bugs:
* some exit status codes from the initscript were not in line with LSB standards. The codes were
updated, and are now compliant. (BZ#495049
215
)
* where Intel Xeon Processor 7100 series processors were used with Hyper-Threading Technology
enabled, cpuspeed loading could create system deadlocks. The cpuspeed settings were changed and
system deadlocks no longer occur on this hardware. (BZ#449004
216
)
* the cpuspeed initscript uses syslog to log important information about its status. However, cpuspeed
was being started before syslog on boot, and log messages generated by the cpuspeed init script
were not being captured. The cpuspeed init script now runs after the syslog init script, and all log
messages are now being recorded. (BZ#516224
217
)
Users should upgrade to this updated package, which resolves these issues.
1.27. crash
1.27.1. RHBA-2010:0230: bug fix update
Updated crash packages that fix various bugs and add enhancements are now available.
The crash package is a core analysis suite. It is a self-contained tool that can be used to investigate
either live systems, kernel core dumps created from the netdump, diskdump, and kdump packages
from Red Hat Linux, the mcore kernel patch offered by Mission Critical Linux, or the LKCD kernel
patch.
* if a kdump NMI was issued and the task kernel stack was changed, the backtrace would in some
cases fail and produce an error: "bt: cannot transition from exception stack to current process
stack". The crash package was updated to report task inconsistencies and change the active task as
appropriate. Additionally, a new set -a option was added to manually set tasks to be the active task on
its CPU. (BZ#504952
218
)
* if the kernel data structures in a non-matching vmlinux varied widely enough from the kernel
that generated the vmcore, erroneous data could be read and consumed. Several new defensive
mechanisms have been added and it now fails in a more reasonable manner. (BZ#508156
219
)
* running the bt -a command against a Xen hypervisor resulted in a "cannot resolve stack trace"
warning message if the CPU received its shutdown NMI while running in an interrupt handler. The bt
command was changed and the error no longer occurs. (BZ#510505
* added support for dumpfile format of virsh dump of KVM kernels. (BZ#510519
* if a dump was collected when there were one or more cpus offline in the system, an initialization-time
failure would occur and the crash would abort. A patch was backported from upstream and the failure
no longer occurs. (BZ#520506
222
)
* running the 64-bit bt command could potentially start the backtrace of an active non-crashing
task on its per-cpu IRQ stack, cause a faulty transition back to the process stack, the dumping of a
bogus exception frame and the message "bt: WARNING: possibly bogus exception frame". The bt
command was changed and it now starts from the NMI exception stack, the error no longer occurs.
(BZ#523512
223
)
* when the cpu_possible_map contains more CPUs than the cpu_online_map, the set, bt, runq
and ps commands would reflect the existing but unused swapper tasks on the non-existent CPUs.
The 64-bit PowerPC CPU count determination was fixed and the commands now run as expected.
(BZ#550419
224
)
* when INIT-generated pseudo-tasks were running in user-space and the kernel was unable to modify
the kernel stack, the backtrace would not identify the interrupted task and would display a "bt: unwind:
failed to locate return link" error message. The Itanium backtraces were fixed, and the backtrace now
offers information regarding the task that was interrupted. The error message is also suppressed. (BZ
#553353)
* using dump to analyze very large xendump core files with ELF sections located beyond a file offset
of 4GB resulted in errors. Changes were made to the xc_core_verify() initialization code and dump
now works as expected. (BZ #561767)
* The crash utility was rebased. See the changelog linked to in the references section below for full
details. (BZ#528184
225
)
All users of crash are advised to upgrade to these updated packages, which resolve these issues.
1.28. ctdb
1.28.1. RHEA-2010:0320: enhancement update
The ctdb package is now available on the ClusterStorage channel.
CTDB is a clustered database based on Samba's Trivial Database (TDB). The ctdb package is
a cluster implementation used to store temporary data. If an application is already using TBD for
temporary data storage, it can be very easily converted to be cluster-aware and use CTDB.
This update makes the following change:
* CTDB was previously available in the Supplementary channel and is now available in the
ClusterStorage channel. (BZ#558493
226
)
Note that CTDB is included as a Technology Preview. Technology Preview features are included
in Red Hat Enterprise Linux to provide the features with wide exposure, with the goal of supporting
these features in a future release of Red Hat Enterprise Linux. Technology Preview features are not
supported under Red Hat Enterprise Linux 5.5 subscription services, and may not be functionally
complete. Red Hat welcomes customer feedback and suggestions for Technology Previews.
Advisories will be provided for high-severity security issues in Technology Preview features.
All users requiring CTDB should install these newly released packages, which add this enhancement.
1.29. cups
1.29.1. RHBA-2010:0045: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata
RHBA-2010:0045
Updated cups packages that fix a severe memory leak in the CUPS scheduler are now available.
The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX and Unix-like
operating systems.
227
This update addresses the following issue:
* when adding or modifying many printer queues, cupsd, the CUPS scheduler leaked memory. For
example, running "lpstat" after creating several thousand printer queues caused cupsd to use all
available memory, eventually killing other processes and bringing the system down. With this update
cupsd no longer leaks memory when adding or modifying large numbers of printer queues and the
associated out-of-memory errors and crashes no longer occur. (BZ#552213
228
)
All cups users should upgrade to these updated packages, which resolves this issue.
1.29.2. RHSA-2010:0129: Moderate security update
Important
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2010:0129
Updated cups packages that fix one security issue are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response
Team.
The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating
systems.
229
It was discovered that the Red Hat Security Advisory RHSA-2009:1595 did not fully correct the
use-after-free flaw in the way CUPS handled references in its file descriptors-handling interface.
A remote attacker could send specially-crafted queries to the CUPS server, causing it to crash.
(CVE-2010-0302
Users of cups are advised to upgrade to these updated packages, which contain a backported patch
to correct this issue. After installing the update, the cupsd daemon will be restarted automatically.
1.29.3. RHSA-2009:1595: Moderate security update
Important
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2009:1595
Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise
Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response
Team.
[Updated 12th January 2010] The packages list in this erratum has been updated to include missing
i386 packages for Red Hat Enterprise Linux Desktop and RHEL Desktop Workstation.
231
The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating
systems.
A use-after-free flaw was found in the way CUPS handled references in its file descriptors-handling
interface. A remote attacker could, in a specially-crafted way, query for the list of current print jobs for a
specific printer, leading to a denial of service (cupsd crash). (CVE-2009-3553
232
)
Several cross-site scripting (XSS) flaws were found in the way the CUPS web server interface
processed HTML form content. If a remote attacker could trick a local user who is logged into the
CUPS web interface into visiting a specially-crafted HTML page, the attacker could retrieve and
potentially modify confidential CUPS administration data. (CVE-2009-2820
Red Hat would like to thank Aaron Sigel of Apple Product Security for responsibly reporting the
CVE-2009-2820
234
issue.
233
)
Users of cups are advised to upgrade to these updated packages, which contain backported patches
to correct these issues. After installing the update, the cupsd daemon will be restarted automatically.
1.29.4. RHSA-2009:1513: Moderate security update
Important
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2009:1513
235
Updated cups packages that fix two security issues are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response
Team.
The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating
systems. The CUPS "pdftops" filter converts Portable Document Format (PDF) files to PostScript.
Two integer overflow flaws were found in the CUPS "pdftops" filter. An attacker could create a
malicious PDF file that would cause "pdftops" to crash or, potentially, execute arbitrary code as the "lp"
user if the file was printed. (CVE-2009-3608
Red Hat would like to thank Chris Rohlf for reporting the CVE-2009-3608
236
, CVE-2009-3609
237
)
238
issue.
Users of cups are advised to upgrade to these updated packages, which contain a backported patch
to correct these issues. After installing the update, the cupsd daemon will be restarted automatically.
1.29.5. RHBA-2010:0210: bug fix update
Updated cups packages that fix several bugs are now available.
The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating
systems.
These updated packages address the following bugs:
* landscape orientation jobs had incorrect page margins. This affects all landscape orientation PDF
files, including any landscape job printed from Mac OS X. (BZ#447987
* when running PHP files through the scheduler's web interface the wrong version PHP interpreter was
used, causing missing header lines. (BZ#460898
* the tmpwatch package is needed by cups but there was no package dependency on it.
(BZ#487495
241
)
240
)
* there was a memory leak in the scheduler's handling of "file:" device URIs. (BZ#496008
* setting quota limits using the lpadmin command did not work correctly. (BZ#496082
* there were several issues with CGI handling in the scheduler, causing custom CGI scripts not to work
as expected. (BZ#497632
* the dependencies between the various sub-packages were not made explicit in the package
requirements. (BZ#502205
* jobs with multiple files could be removed from a disabled queue when it is re-enabled.
(BZ#506257
247
)
* the cups-lpd daemon, for handling RFC 1179 clients, could fail under load due to incorrect temporary
file handling. (BZ#523152
* the CUPS PDF input filter is no longer a separate PDF handling implementation, and instead uses
the pdftops program from the poppler-utils package directly. (BZ#527429
* adding or modifying many queues could cause the scheduler to leak large amounts of memory.
(BZ#540646
250
)
249
)
All cups users should upgrade to these updated packages, which resolve these issues.
1.30. curl
1.30.1. RHSA-2010:0273: Moderate security, bug fix and
enhancement update
Updated curl packages that fix one security issue, various bugs, and add enhancements are now
available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available from the CVE link in the References section.
cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and DICT servers, using any of the
supported protocols. cURL is designed to work without user interaction or any kind of interactivity.
Wesley Miaw discovered that when deflate compression was used, libcurl could call the registered
write callback function with data exceeding the documented limit. A malicious server could use this
flaw to crash an application using libcurl or, potentially, execute arbitrary code. Note: This issue only
affected applications using libcurl that rely on the documented data size limit, and that copy the data to
the insufficiently sized buffer. (CVE-2010-0734
251
)
This update also fixes the following bugs:
* when using curl to upload a file, if the connection was broken or reset by the server during the
transfer, curl immediately started using 100% CPU and failed to acknowledge that the transfer had
failed. With this update, curl displays an appropriate error message and exits when an upload fails
mid-transfer due to a broken or reset connection. (BZ#479967
252
)
* libcurl experienced a segmentation fault when attempting to reuse a connection after performing
GSS-negotiate authentication, which in turn caused the curl program to crash. This update fixes this
bug so that reused connections are able to be successfully established even after GSS-negotiate
authentication has been performed. (BZ#517199
253
)
As well, this update adds the following enhancements:
* curl now supports loading Certificate Revocation Lists (CRLs) from a Privacy Enhanced Mail (PEM)
file. When curl attempts to access sites that have had their certificate revoked in a CRL, curl refuses
access to those sites. (BZ#532069
* the curl(1) manual page has been updated to clarify that the "--socks4" and "--socks5" options do not
work with the IPv6, FTPS, or LDAP protocols. (BZ#473128
* the curl utility's program help, which is accessed by running "curl -h", has been updated with
descriptions for the "--ftp-account" and "--ftp-alternative-to-user" options. (BZ#517084
255
)
256
)
Users of curl should upgrade to these updated packages, which contain backported patches to correct
these issues and add these enhancements. All running applications using libcurl must be restarted for
the update to take effect.
1.31. cyrus-imapd
1.31.1. RHSA-2009:1459: Important security update
Important
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2009:1459
Updated cyrus-imapd packages that fix several security issues are now available for Red Hat
Enterprise Linux 4 and 5.
257
This update has been rated as having important security impact by the Red Hat Security Response
Team.
The cyrus-imapd packages contain a high-performance mail server with IMAP, POP3, NNTP, and
Sieve support.
Multiple buffer overflow flaws were found in the Cyrus IMAP Sieve implementation. An authenticated
user able to create Sieve mail filtering rules could use these flaws to execute arbitrary code with the
privileges of the Cyrus IMAP server user. (CVE-2009-2632
258
, CVE-2009-3235
259
)
Users of cyrus-imapd are advised to upgrade to these updated packages, which contain backported
patches to resolve these issues. After installing the update, cyrus-imapd will be restarted
automatically.
1.32. cyrus-sasl
1.32.1. RHBA-2010:0151: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata
Updated cyrus-sasl packages that resolve an issue are now available.
The cyrus-sasl packages contain the Cyrus implementation of SASL. SASL is the Simple
Authentication and Security Layer, a method for adding authentication support to connection-based
protocols.
These updated cyrus-sasl packages fix the following bug:
* multithreaded programs which used the Cyrus SASL libraries could have become unresponsive after
attempting to perform authentication routines. This was caused by a failure to release a mutex lock on
a data structure in the Cyrus SASL code, which resulted in a race condition, thus causing the program
using the library to hang. This race condition has been fixed so that it is thread-safe in this update.
(BZ#568084
261
)
All users of cyrus-sasl are advised to upgrade to these updated packages, which resolve this issue.
1.33. dbus
1.33.1. RHSA-2010:0018: Moderate security update
Important
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2010:0018
Updated dbus packages that fix a security issue are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response
Team.
D-Bus is a system for sending messages between applications. It is used for the system-wide
message bus service and as a per-user-login-session messaging facility.
It was discovered that the Red Hat Security Advisory RHSA-2009:0008 did not correctly fix the denial
of service flaw in the system for sending messages between applications. A local user could use this
flaw to send a message with a malformed signature to the bus, causing the bus (and, consequently,
any process using libdbus to receive messages) to abort. (CVE-2009-1189
Note: Users running any application providing services over the system message bus are advised to
test this update carefully before deploying it in production environments.
All users are advised to upgrade to these updated packages, which contain a backported patch to
correct this issue. For the update to take effect, all running instances of dbus-daemon and all running
applications using the libdbus library must be restarted, or the system rebooted.
262
263
)
1.33.2. RHBA-2010:0236: bug fix update
Updated dbus packages that fix a multilib conflict that could cause installation failure on 64-bit
architectures are now available.
D-Bus is a system for sending messages between applications. It is used for the system-wide
message bus service, and as a per-user-login-session messaging facility.
* the dbus api help files (installed to /usr/share/devhelp/books/dbus/api/ by default) included with the
dbus-devel sub-package were previously automatically generated for each architecture. These autogenerated files contain different timestamps and internal links and, consequently, caused file conflicts
with multilib that could prevent dbus-devel installation on 64-bit architectures. With this update, a
pre-generated set of help files, dbus-1.1.2-pregen-doc-api-html.tar.bz2, has been added to the rpm.
This removes the multilib file conflicts and allows installation of the dbus-devel sub-package in all
circumstances. (BZ#471359
264
)
All D-Bus users should install these updated packages which resolve this issue.
1.34. dbus-python
1.34.1. RHBA-2009:1559: bug fix available
Note
This update has already been released (prior to the GA of this release) as errata
RHBA-2009:1559
Updated dbus-python packages that fix an issue with the puplet package updater are now available for
Red hat Enterprise Linux 5.
The dbus-python package provides a Python binding to the D-Bus system message bus.
This updated dbus-python package fixes the following bug:
* the puplet icon in the GNOME Notification Area displays notifications when updated packages are
available. However, due to an error in the dbus-python bindings, when updates were available, puplet
failed to display a notification. This update corrects the dbus-python bindings with the result that puplet
is once again able to notify the user of available updates. (BZ#532142
All users are advised to upgrade to this updated package, which resolves this issue.
265
266
)
1.35. device-mapper
1.35.1. RHBA-2010:0296: bug fix and enhancement update
Updated device-mapper packages that include various bug fixes and enhancements are now
available.
The device-mapper packages provide a library required by logical volume management utilities such
as LVM2 and dmraid.
This update applies the following bug fixes(BZ#536814
* Fixes crash when hash keys compared are different lengths.
* Restores umask when device node creation fails.
* Does not fork daemon when dmeventd cannot be found.
This update adds the following enhancements:
* Adds splitname command which splits given device name into subsystem constituents.
* Adds y|--yes option to dmsetup for default 'yes' answer to prompts.
* Adds subsystem, vg_name, lv_name, lv_layer fields to dmsetup reports.
* Adds crypt target handling to libdevmapper tree nodes.
All users of device-mapper should upgrade to these updated packages, which resolve these issues
and include these enhancements.
1.36. device-mapper-multipath
1.36.1. RHBA-2009:1645: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata
RHBA-2009:1645
Updated device-mapper-multipath packages that fix two bugs are now available.
The device-mapper-multipath packages provide tools to manage multipath devices by giving the
device-mapper multipath kernel module instructions on what to do, as well as by managing the
creation and removal of partitions for device-mapper devices.
This update addresses the following bugs:
* the udev rules for device-mapper-multipath were causing device-mapper to occasionally create
multipath devices without using the user specified uid, gid, or mode. They have been replaced with
equivalent rules that do not cause this issue. (BZ#537761
* when LUNs were unmapped from LSI storage arrays, the multipath rdac path checker was not
marking the paths as failed. This caused IO to the device to hang instead of fail. The rdac path
checker now marks unmapped LUNs as failed. (BZ#538463
Users are advised to upgrade to these updated device-mapper-multipath packages, which resolve
these issues.
268
269
)
270
)
1.36.2. RHBA-2010:0255: bug fix and enhancement update
Updated device-mapper-multipath packages that fix several bugs and add various enhancements are
now available.
The device-mapper-multipath packages provide tools to manage multipath devices using the devicemapper multipath kernel module.
This update applies the following bug fixes:
* The kpartx utility creates device maps from partition tables. Device-mapper devices with minor
numbers greater than 255 caused kpartx to use the UUID from the wrong device when trying to create
partitions. If the device had pre-existing partitions, kpartx would fail to create the new partitions. With
this update, kpartx is now able to handle device-mapper devices with minor numbers greater than 255.
(BZ#526550
271
)
* The udev rules for device-mapper-multipath were causing device-mapper to occasionally create
multipath devices without using the user specified uid, gid, or mode. They have been replaced with
equivalent rules that do not cause this issue. (BZ#518575
272
)
* When LUNs were unmapped from LSI storage arrays, the multipath rdac path checker was not
marking the paths as failed. This caused IO to the device to hang instead of fail. The rdac path
checker now marks unmapped LUNs as failed. (BZ#531744
273
)
* The failover path grouping policy was not ordering the paths by priority, causing multipath to failover
to the wrong path for devices with manual failback. The multipath paths are now correctly ordered with
the failover path grouping policy. (BZ#537977
274
)
* On some storage devices, if a LUN is deleted from an existing multipathd device, and a new LUN
is presented to the host, it may end up with the same LUN ID and name as the old LUN. In this case,
multipath will assume that this is the old LUN and belongs to the existing multipath device. This cause
cause corruption. A new path checker "hp_tur" has been added that verifies the WWID of the LUN
when it checks the path, to avoid this problem. (BZ#437585
* The "tur" path checker was marking paths in standby mode as "failed". It now correctly marks them
as "ghost". (BZ#473039
* Multipath wasn't correctly showing device renames in dry-run mode. This has been fixed.
(BZ#501019
277
)
* Multipath was incorrectly setting the hardware handler for HP StorageWorks devices.This has been
fixed. (BZ#475967
278
276
)
)
* On some storage devices, multipath would display incorrect path information the first time multipath
listed the paths after recovery. This has been fixed. (BZ#499080
275
)
279
)
* If a path is removed while it is still part of a multipath device, it was taking multipath minutes to
mark it as failed. This should now happen immediately at the end of the next path checking interval.
(BZ#527754
* the multipathd daemon needs constant access to /var/lib and /var/run. However it was not
allowing any devices mounted under /var to be removed. Now it only keeps open what it needs.
(BZ#532424
281
)
* the multipath checker functions were not using the default scsi timeouts. Instead, each checker set
its own timeout. Now all checker functions with explicit timeouts use the scsi timeout set it /sys/block/
sd<x>/device/timeout by default. This can be changed by setting the "checker_timeout" option in /etc/
multipath.conf(BZ#553042
282
)
* Multipathd was printing extraneous error messages. This has been fixed. (BZ#472171
BZ#502128
* The multipath man page had some mistakes and missing information. This has been fixed.
(BZ#481239
284
, BZ#524178
286
, BZ#510331
285
)
287
, BZ#554830
288
)
283
,
* A locking error could cause multipathd to deadlock if it failed to create a multipath device correctly.
This has been fixed (BZ #537281)
This update adds the following enhancements:
* Default configurations were added for more IBM, HP, SUN, and DELL devices. (BZ#504619
BZ#512243
BZ#545882
290
, BZ#515171
294
)
291
, BZ#517896
292
, BZ#540882
293
,
* The kpartx utility now supports DASDs devices with more then 65520 cylinders. (BZ#524009
289
295
i,
)
All users are advised to upgrade to these updated packages, which resolve these issues and add
these enhancements.
1.37. dhcp
1.37.1. RHBA-2010:0042: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata
A dhcp update that fixes one memory leak is now available.
The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP
network to get their own network configuration information, including an IP address, a subnet mask,
and a broadcast address. The dhcp package provides a relay agent and ISC DHCP service required
to enable and administer DHCP on a network.
This update applies the following updates:
* a memory leak in the load_balance_mine() function caused dhcpd, the dhcp server, to leak
approximately 20-30 octets per DHCPDISCOVER packet when the server was configured for
failover and failover was in a normal state. This particular leak has been closed with this update.
(BZ#552211
297
)
Note: depending on the specific DHCP setup on a given system, other memory leaks may still present.
Please file a separate bug if DHCP appears to leak memory after applying this update.
All dhcp users should to apply this update which closes this memory leak.
1.37.2. RHBA-2010:0223: bug fix update
A dhcp update that fixes bugs is now available.
DHCP (Dynamic Host Configuration Protocol) is a protocol which allows individual devices on an
IP network to get their own network configuration information (IP address, subnetmask, broadcast
address, etc.) from a DHCP server.
These updated packages address the following issues:
* When a system running a dhclient received a very short lease (e.g a few seconds), it would
constantly have to request a renewal of its lease. The system would spend so much time running
the dhclient-script every time it made a request that it would become almost unresponsive. A patch
has been added to the code, setting the minimum lease time to 60 seconds. By preventing very short
lease times, the server no longer becomes unresponsive from an overload of renewal requests.
(BZ#498658
298
)
* When the $localClockFudge variable was empty, the /sbin/dhclient-script added an empty line to
the /etc/ntp.conf file when renewing the DHCP lease. This caused the diff command to fail when
there was no meaningful difference between the old and new files, thus restarting the NTP daemon
unnecessarily. This put useless noise in the log files that get picked up by logwatch. This update
provides a slight code change that configures the NTP daemon differently. The /etc/ntp.conf file now
only runs if there is a useful value in the $localClockFudge variable. (BZ#532136
299
)
* A memory leak in the load_balance_mine() function caused 20-30 octets per DHCPDISCOVER
packet to be leaked when failover was in use and was in its normal state. This caused the
performance of the server to be significantly diminished. This update fixes the memory leak in the
load_balance_mine() function, allowing the server to perform correctly. (BZ#534117
300
)
Note: depending on the specific DHCP setup on a given system, other memory leaks may still present.
Please file a separate bug if DHCP appears to leak memory after applying this update.
* A syntax error was discovered in the code of the initscript for the dhcrelay. In the process of
restarting, the service would shutdown, but the initscript would fail when attempting to start the service
again. A patch has been added, correcting the syntax error in the code. This correction now allows the
service to restart correctly. (BZ#555672
301
)
Users are advised to upgrade to these updated dhcp packages which resolve these issues.
1.38. dhcpv6
1.38.1. RHBA-2010:0196: bug fix update
Updated dhcpv6 packages that resolve several issues are now available.
The dhcpv6 packages implement the Dynamic Host Configuration Protocol (DHCP) for Internet
Protocol version 6 (IPv6) networks, in accordance with RFC 3315: Dynamic Host Configuration
Protocol for IPv6 (DHCPv6). DHCP is a protocol that allows individual devices on an IP network to
get their own network configuration information. It consists of: dhcp6c(8), the DHCPv6 client daemon;
dhcp6s(8), the DHCPv6 server daemon; and dhcp6r(8), the DHCPv6 relay agent.
These updated packages fix the following bugs:
* previously, the DHCPv6 client was not removing the address assigned to an individual interface
after it disconnected. Consequently, the interface kept the same IPv6 address after reconnection.
In these updated packages a new IPv6 address is assigned to an interface after disconnecting and
reconnecting. (BZ#466251
302
)
* DHCPv6 request packets created by the DHCPv6 client did not contain the "IA" sub-field, which
should contain the address advertised by the server. Consequently the DHCPv6 client might have
encountered issues trying to interact with other DHCPv6 servers. With this update, the DHCPv6 client
now correctly inserts the "IA" field, resolving this issue. (BZ#476974
303
)
* previously, when the DHCPv6 client received the response after sending a "Confirm" message,
the client decided if it needed to apply Duplicate Address Dectection (DAD) based on the type of the
identity-association (IA) construct in the response. However, the reply from the DHCPv6 server does
not always contain an IA in the reply message. Consequently, when running the DHCPv6 client for
a second time, the client may have triggered a segmentation fault. In these updated packages, the
DHCPv6 client now checks if the reply has an IA before deciding if DAD needs to be applied, resolving
this issue. (BZ#515644
304
)
All users of dhcpv6 are advised to upgrade to these updated packages, which resolve this issue.
This update has already been released (prior to the GA of this release) as errata
RHEA-2009:1456
An updated dmidecode package that adds enhancements is now available.
The dmidecode package provides utilities for extracting x86 and ia64 hardware information from the
system BIOS or EFI, depending on the SMBIOS/DMI standard. This information typically includes
system manufacturer, model name, serial number, BIOS version, and asset tag.
It also often includes usage status for the CPU sockets, expansion slots (such as AGP, PCI, and ISA)
and memory module slots, and a list of input and output ports (such as serial, parallel and USB).
305
This updated package applies the following enhancement:
* the previous version of the dmidecode package was based on an upstream version (2.9), which
lacked support for various new hardware items. This updated package includes version 2.10, which
updates support for SMBIOS specification version 2.6 and improves DDR3 memory reporting. It adds
support for LGA1366 socket devices, decoding PCI-E Gen 2 slot IDs, and for a variety of processors,
including the Intel Core i7 and Dual-Core Celeron and Xeon Dual-, Quad- and Multi-Core 3xxx, 5xxx
and 7xxx series processors. (BZ#520123
306
)
Users of dmidecode are advised to upgrade to this updated package, which includes this enhanced
support.
1.39.2. RHEA-2010:0303: enhancement update
An updated dmidecode package that provides enhancements is now available.
The dmidecode package provides utilities for extracting x86 and Intel Itanium hardware information
from the system BIOS or EFI, depending on the SMBIOS/DMI standard. This information typically
includes system manufacturer, model name, serial number, BIOS version, and asset tag.
It also often includes usage status for the CPU sockets, expansion slots (such as AGP, PCI, and ISA)
and memory module slots, and a list of input and output ports (such as serial, parallel and USB).
This updated package applies the following enhancement:
* the previous version of the dmidecode package was based on an upstream version (2.9), which
lacked support for various new hardware items. This updated package provides version 2.10, which
updates support for SMBIOS specification version 2.6 and improves DDR3 memory reporting. It adds
support for LGA1366 socket devices, decoding PCI-E Gen 2 slot IDs, and for a variety of processors,
including the Intel Core i7 and Dual-Core Celeron and Xeon Dual-, Quad- and Multi-Core 3xxx, 5xxx
and 7xxx series processors. (BZ#518562
Users of dmidecode are advised to upgrade to this updated package, which includes this enhanced
support.
1.40. dmraid
1.40.1. RHBA-2010:0286: bug fix update
Updated dmraid packages that fix several bugs are now available.
The dmraid packages contain the ATARAID/DDF1 activation tool. The tool supports RAID device
discovery and RAID set activation, and displays properties for ATARAID/DDF1-formatted RAID sets on
Linux kernels using the device-mapper utility.
These updated dmraid packages fix the following bugs:
* the dmraid-events package was installing the dmevent_syslogpattern.txt file to the /etc/logwatch/
scripts/services directory. The dmevent_syslogpattern.txt file is used by the logwatch service to record
event logs. SELinux does not allow write access to the /etc/logwatch/scripts/services directory, and as
a result the logwatch service was prevented from updating the log file. The dmraid-events package
has now been updated to install the log file at /var/cache/logwatch/dmeventd/syslogpattern.txt, and the
log file is updated as expected. (BZ#513402
308
)
* after a hard disk drive rebuild has been completed using dmraid, the LED lights on each disk
belonging to the rebuilt RAID volume should turn off. Previously, if the rebuild was initiated manually
using the 'dmraid -R' command, the light on the spare disk would remain illuminated, incorrectly
indicating that the disk was still being built. When rebuilding automatically with the libdmraid-events
library, the light would not remain lit as expected. The dmraid packages have been updated to turn off
the light correctly after a manual disk rebuild, and the drive light now correctly indicates the drive state.
(BZ#514497
309
)
* dmraid binaries in the /sbin directory previously relied on libraries in the /usr directory. Since the /sbin
directory typically only contains programs executed by the root user, reliance on libraries in the /usr
directory could result in reference conflicts. The dmraid packages have been updated to no longer rely
on the /usr directory, and library references are now improved. (BZ#516852
310
)
* the dmraid-events-logwatch tool would take ownership of directories that were already owned by the
logwatch package. This included the following directories:
As a consequence, the dmraid-events-logwatch tool and the logwatch package would conflict. The
dmraid-events-logwatch package has been updated to own only /etc/logwatch/scripts/services/
dmeventd directory, and the conflict no longer arises with the logwatch package. (BZ#545876
311
)
* modifications to Intel support in the libdmraid tool caused the SONAME field to change. This caused
compatibility issues in python-pyblock symbolic links. The version number in the libdmraid tool's file
name has been updated, which caused the dependencies to be automatically re- generated during
the build process. The symbolic link is now repaired and there are no compatibility issues between
libdmraid and python-pyblock. (BZ#556254
312
)
* the pthread_mutex_trylock symbol was not being exported against the libpthread tool. As a
consequence, the libdmraid-events-isw.so object would not be loaded during activation of a RAID5
volume library, reporting that pthread_mutex_trylock was an undefined symbol. Linking has now been
added to the libpthread tool, and pthread_mutex_trylock is successfully referenced in the libdmraidevents-isw.so object. (BZ#567922
313
)
All dmraid users should upgrade to these updated packages, which resolve these issues.
1.41. dogtail
1.41.1. RHBA-2010:0009: bug fix update
Note
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2010:0009
314
An updated dogtail package that fixes two bugs is now available.
Dogtail is an automation framework that uses accessibility technologies to communicate with desktop
applications. Dogtail exposes desktop elements in a hierarchical interface. The dogtail package
includes the GUI tools Script Recorder (dogtail-recorder) and AT-SPI Browser (sniff). Script Recorder
creates Python scripts based on user actions and AT-SPI Browser is a graphical browser of the
desktop elements hierarchy exposed by Dogtail.
This updated dogtail package fixes the following bugs:
* the destroyAbout function was undefined in the previous Dogtail release. Consequently, the Close
button in the AT-SPI Browser About window (Help > About) did not work. This function is now properly
defined; the showAbout function calls this function when the Close button is clicked; and the About
window closes. Note: the close box in the title bar of the About window worked in both the earlier and
current release. (BZ#250219
315
)
* previously, the shebang lines in Dogtail's python scripts pointed to "/usr/bin/env python" rather
than explicitly referencing the system-installed Python. This broke these scripts in the case of a user
installing an alternative version of Python. With this update, all Dogtail's python scripts point explicitly
to the system version at /usr/bin/python. (BZ#521339
316
)
All dogtail users should upgrade to this updated package, which resolves these issues.
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2010:0007
An updated dosfstools package that fixes two bugs is now available.
The dosfstools package includes the mkdosfs and dosfsck utilities, which respectively make and check
File Allocation Table (FAT) file systems on hard drives or on floppies.
This updated package provides fixes for the following bugs:
* when a FAT file system was created on a device-mapper device, if the drive geometry was not
reported correctly to mkdosfs, the command printed it was "unable to get drive geometry" and
was using the default drive geometry (255/63) instead. Because of an error, it did not, in fact, do
this. Consequently, dosfslabel could not set a label for the newly-created file system. With this
update, the error in the mkdosfs command was corrected: when the drive geometry is not correctly
reported, mkdosfs now sets the drive geometry to the default values as per its message to STD OUT.
Consequently, FAT file systems created with mkdosfs are now correct and dosfslabel can set its label.
(BZ#249067
318
)
317
* although dosfstools contains ELF objects, the dosfstools-debuginfo package was empty. With this
update the -debuginfo package contains valid debugging information as expected. (BZ#469842
319
)
All dosfstools users should upgrade to this updated package, which resolves these issues.
1.43. dstat
1.43.1. RHSA-2009:1619: Moderate security update
Important
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2009:1619
An updated dstat package that fixes one security issue is now available for Red Hat Enterprise Linux
5.
This update has been rated as having moderate security impact by the Red Hat Security Response
Team.
Dstat is a versatile replacement for the vmstat, iostat, and netstat tools. Dstat can be used for
performance tuning tests, benchmarks, and troubleshooting.
Robert Buchholz of the Gentoo Security Team reported a flaw in the Python module search path
used in dstat. If a local attacker could trick a local user into running dstat from a directory containing
a Python script that is named like an importable module, they could execute arbitrary code with the
privileges of the user running dstat. (CVE-2009-3894
321
)
All dstat users should upgrade to this updated package, which contains a backported patch to correct
this issue.
1.44. e4fsprogs
1.44.1. RHBA-2010:0239: bug fix and enhancement update
Enhanced e4fsprogs packages that fix a bug are now available.
The e4fsprogs packages contain a number of utilities for creating, checking, modifying, and correcting
inconsistencies in fourth extended (ext4 and ext4dev) file systems. e4fsprogs contains e4fsck (used
to repair file system inconsistencies after an unclean shutdown), mke4fs (used to initialize a partition
to contain an empty ext4 file system), tune4fs (used to modify file system parameters), and most other
core ext4fs file system utilities.
The e4fsprogs packages have been upgraded to upstream version 1.41.9 for Red Hat Enterprise
Linux 5.5. These updated packages contain several bug fixes over the previous version.
Important: These packages are now designed and intended to be installed alongside the original
e2fsprogs package in Red Hat Enterprise Linux. As such, certain binaries in the e4fsprogs packages
have been given new names. For example, the utility that checks ext4 file systems for consistency has
been renamed to "e4fsck", thus allowing the original "e2fsck" program from the e2fsprogs package to
coexist on the same system.
These updated e4fsprogs packages also include a fix for the following bug:
* pygrub did not understand fourth extended (ext4) /boot partitions, and so was unable to
paravirtualize guest domains. e4fsprogs-devel and ev4sprogs-libs packages are provided with this
update for pygrub and other applications that require the new ext4 capable e2fsprogs libraries.
(BZ#528055
322
)
All users of e4fsprogs are advised to upgrade to these updated packages, which resolve this issue.
1.45. elilo
1.45.1. RHEA-2010:0302: enhancement update
An updated elilo package that adds validation checks and error messages to the boot manager is now
available.
ELILO is a Linux boot loader for Extensible Firmware Interface (EFI)-based systems, such as those
running an Itanium CPU.RHSA-2009:1341
This update add the following enhancement:
* previously ELILO's boot manager, efibootmgr, returned only two error codes: "0" for success and
"1" for failure. There are multiple reasons for the boot manager to fail, however, and diagnosing such
failures was difficult with only one all-purpose error code. This update adds validation checks and error
messages to identify boot manager failures depending upon the error condition encountered. Error
messages now returned when efibootmgr fails include "partition is not valid"; "Failed to open extra
arguments"; "Invalid hex characters in boot order" and others. (BZ#250327
323
)
All elilo users should upgrade to this updated package, which adds this feature.
1.46. elinks
1.46.1. RHSA-2009:1471: Important security update
Important
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2009:1471
An updated elinks package that fixes two security issues is now available for Red Hat Enterprise Linux
4 and 5.
This update has been rated as having important security impact by the Red Hat Security Response
Team.
ELinks is a text-based Web browser. ELinks does not display any images, but it does support frames,
tables, and most other HTML tags.
An off-by-one buffer overflow flaw was discovered in the way ELinks handled its internal cache of
string representations for HTML special entities. A remote attacker could use this flaw to create a
specially-crafted HTML file that would cause ELinks to crash or, possibly, execute arbitrary code when
rendered. (CVE-2008-7224
325
It was discovered that ELinks tried to load translation files using relative paths. A local attacker able
to trick a victim into running ELinks in a folder containing specially-crafted translation files could use
this flaw to confuse the victim via incorrect translations, or cause ELinks to crash and possibly execute
arbitrary code via embedded formatting sequences in translated messages. (CVE-2007-2027
324
)
326
)
All ELinks users are advised to upgrade to this updated package, which contains backported patches
to resolve these issues.
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2010:0066
An updated esc package that fixes various bugs is now available.
The esc package contains the Smart Card Manager tool, which allows users to manage security smart
cards. The primary function of the tool is to enroll smart cards, so that they can be used for common
cryptographic operations, such as secure email and website access.
This updated esc package includes fixes for the following bugs:
327
* The Enterprise Security Client incorrectly identified CAC cards as CoolKey cards and mistakenly
opened the Phone Home connection dialog. With this update, CoolKey correctly identifies CAC cards
and assigns the correct functionality to them. With this fix, it is still possible to view certificates and
diagnostics for CAC cards, though the management functions are now disabled. RHBA-2010:9263, a
CoolKey update, must also be installed to fully resolve this issue. (BZ#467011
* The Enterprise Security Client did not open the Phone Home connection dialog when a blank token
was inserted. (BZ#514053
329
)
328
)
* Removing a smart card when the Enterprise Security Client was open could cause the Enterprise
Security Client to terminate abnormally. With this update, removing smart cards should no longer
cause the Enterprise Security Client to crash. (BZ#517414
330
)
* When creating a password for the Enterprise Security Client, using certain characters, such as the
dollar sign and exclamation point, could cause a failure to enroll when entering the password later.
This update fixes this problem so that using such symbols when creating passwords does not fail
when attempting to enroll. (BZ#549540
331
)
* When the Enterprise Security Client was using an external user interface for enrollment and the UI
page could not be downloaded because of a disconnected network or similar problem, then the user
could neither enroll nor was made aware of the source of the problem. With this update, when such a
situation occurs, a descriptive error message is sent to the user. (BZ#549542
332
)
* Inserting a CAC card into the computer causes the Enterprise Security Client to display an enabled
"Enroll" button to the user erroneously because all management functions should be disabled for
CAC cards. With this update, when a CAC card is entered, all management functions are disabled,
including the "Enroll" function. (BZ#553661
All users of the Enterprise Security Client are advised to upgrade to this updated package, which
resolves these issues.
1.48. etherboot
1.48.1. RHBA-2010:0227: bug fix update
Updated etherboot packages that fix several bugs are now available.
Etherboot is a software package for creating ROM images (zrom files) that can download code over an
Ethernet network to be executed on an x86 computer. Many network adapters have a socket where a
ROM chip can be installed. Etherboot is code that can be put in such a ROM.
* the zrom file for use with NE2000-compatible Ethernet cards used by etherboot when network
booting using such a card failed to obtain an IP address. Consequently network booting a system with
an NE2000-compatible Ethernet card failed, returning an error as follows:
Probing pci nic... Probing isa nic... [NE*000]
With this update the zrom file used by etherboot has been updated and network booting a KVM guest
via PXE using NE2000 network card emulation now succeeds as expected. (BZ#511912
* Change glibc32 BuildRequires to file-based BuildRequires. (BZ#521901
335
)
* Use update-alternatives to provide the common /usr/share/qemu-pxe-roms directory. (BZ#546016
* Use 0644 permission on all rom files. (BZ#547773
337
)
334
)
336
All etherboot users should install this update which addresses these issues.
1.49. ethtool
1.49.1. RHBA-2010:0279: bug fix and enhancement update
An enhanced ethtool package that fixes a number of minor issues is now available.
The ethtool utility allows the querying and changing of specific settings on network adapters. These
settings include speed, port, link auto-negotiation settings and PCI locations.
This updated package adds the following enhancements:
)
* ethtool can now display all NIC speeds, not just 10/100/1000. (BZ#450162
338
* the redundant INSTALL file has been removed from the package. (BZ#472034
* the ethtool usage message has been fixed to not state that -h requires a DEVNAME. (BZ#472038
* ethtool now recognizes 10000 as a valid speed and includes it as a supported link mode.
(BZ#524241
341
, BZ#529395
342
)
340
All ethtool users should upgrade to this updated package which provides these enhancements.
1.50. evince
1.50.1. RHBA-2010:0195: bug fix update
An updated evince package that resolves various issues is now available.
evince is a GNOME-based document viewer.
This updated package resolves the following issues:
* fullscreen mode allows a user to view (in a maximized window) just the document and a single
navigation toolbar. Previously, the function that handles the timeout of fullscreen mode was only
made aware of the window, rather than the workspace. Consequently, if a user switched to a different
workspace while fullscreen mode was enabled, the fullscreen toolbar would persist the top of the
screen. With this update, the evince fullscreen toolbar no longer remains after changing workspaces,
resolving this issue. (BZ#229173
343
)
)
* when searching for a string in a document, evince may have miscalculated the scope of the search
if a string appeared more than once on a single page. Consequently, if a user was stepping though
the search results using the "Find Next" button, evince would not step past the page with multiple
matches. With this update, evince now correctly searches the whole document, resolving this issue.
(BZ#469379
344
)
* previously, evince classified a single error dialog as a full running instance. Consequently, if an
instance of evince contained only an error dialog, any document opened would appear that instance.
This may have confused users, as documents were displayed in the workspace where the error dialog
is located, rather than the current workspace. In this updated package, evince no longer treats a single
error dialog as an opened document, resolving this issue. (BZ#504334
345
)
* when rendering a page of a PDF document, evince displays a blank page, with just the text
"Loading..." visible until the page is ready to be viewed. Previously, evince was not checking if
the drawing area for the loading page could be allocated. Consequently, if a PDF document with
large page dimensions was opened evince may have crashed, returning a segmentation fault. With
this update, the drawing area for the loading page is now correctly allocated, resolving this issue.
(BZ#499676
346
)
All evince users are advised to upgrade to this updated package, which resolves these issues.
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2009:1627
Updated exim packages that resolve several issues are now available.
Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix
systems connected to the Internet. It is freely available under the terms of the GNU General Public
Licence. In style it is similar to Smail 3, but its facilities are more general. There is a great deal of
flexibility in the way mail can be routed, and there are extensive facilities for checking incoming mail.
Exim can be installed in place of sendmail, although the configuration of exim is quite different to that
of sendmail.
347
These updated exim packages provide fixes for the following bugs:
* The exim init script would return with error code 0 regardless of if the service had actually been
started. An incorrect return code would be issued concerning the exim init script because of
an unimplemented feature of the script. These bugs concerning the exim init script have been
corrected by modifying it to return a value of 2 on an unsupported command, a return of 1 when the
$NETWORKING parameter is set to no, returning the correct status error to the user and forcing the
script to restart (using condrestart) when the status is not equal to 0.
* The default configuration referred to an undefined domain list causing errors when trying to relay
email. The correct domain list of relay_to_domains is now utilized.
* Exim listened on all interfaces by default, whereas Sendmail and Postfix only listen on loopback
by default. Administrators who would assume exim had default settings configured the same as
Sendmail and Postfix may have introduced a security hole when installing exim. To correct this the
code segment local_interfaces = <; 127.0.0.1 ; ::1; has been added to the default configuration;
allowing Administrators to treat exim default settings the same as Sendmail and Postfix.
* Exim used to attempt generation of the certificate on installation instead of the first start, which could
cause the installation to fail when the certificate could not be generated. Certificate generation is now
undertaken upon the first start of exim after installation, allowing the installation to succeed.
All users of exim are advised to upgrade to these updated packages, which resolve these issues.
54
fetchmail
1.52. fetchmail
1.52.1. RHSA-2009:1427: Moderate security update
Important
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2009:1427
An updated fetchmail package that fixes multiple security issues is now available for Red Hat
Enterprise Linux 3, 4, and 5.
This update has been rated as having moderate security impact by the Red Hat Security Response
Team.
Fetchmail is a remote mail retrieval and forwarding utility intended for use over on-demand TCP/IP
links, such as SLIP and PPP connections.
348
It was discovered that fetchmail is affected by the previously published "null prefix attack", caused by
incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefullycrafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate
during a man-in-the-middle attack and potentially confuse fetchmail into accepting it by mistake.
(CVE-2009-2666
349
)
A flaw was found in the way fetchmail handles rejections from a remote SMTP server when sending
warning mail to the postmaster. If fetchmail sent a warning mail to the postmaster of an SMTP server
and that SMTP server rejected it, fetchmail could crash. (CVE-2007-4565
350
)
A flaw was found in fetchmail. When fetchmail is run in double verbose mode ("-v -v"), it could
crash upon receiving certain, malformed mail messages with long headers. A remote attacker
could use this flaw to cause a denial of service if fetchmail was also running in daemon mode ("-d").
(CVE-2008-2711
351
)
Note: when using SSL-enabled services, it is recommended that the fetchmail "--sslcertck" option be
used to enforce strict SSL certificate checking.
All fetchmail users should upgrade to this updated package, which contains backported patches to
correct these issues. If fetchmail is running in daemon mode, it must be restarted for this update to
take effect (use the "fetchmail --quit" command to stop the fetchmail process).
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2009:1481
An updated filesystem package that corrects the owners of certain directories is now available for Red
Hat Enterprise Linux 5.
The filesystem package is one of the basic packages that is installed on a Red Hat Linux system.
Filesystem contains the basic directory layout for the Linux operating system, including the correct
permissions for directories.
This updated filesystem package fixes the following bug:
* a number of file system directories were unowned. This update corrects the ownership of the
following directories: /usr/src/debug, /usr/src/kernels, several directories in /usr/share/man, /usr/share/
locale and, under it, the LC_MESSAGES subdirectory for several locales. In addition, for the sake of
consistency this updated filesystem package now owns, but does not create, the locale-specific man
page directories located under /usr/share/man/[locale]. (BZ#487568
352
353
)
All users of filesystem are advised to upgrade to this updated package, which resolves this issue.
1.54. firefox
1.54.1. RHSA-2010:0112: Critical security update
Important
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2010:0112
Updated firefox packages that fix several security issues are now available for Red Hat Enterprise
Linux 4 and 5.
This update has been rated as having critical security impact by the Red Hat Security Response
Team.
Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment
for Mozilla Firefox.
A use-after-free flaw was found in Firefox. Under low memory conditions, visiting a web page
containing malicious content could result in Firefox executing arbitrary code with the privileges of the
user running Firefox. (CVE-2009-1571
Several flaws were found in the processing of malformed web content. A web page containing
malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges
of the user running Firefox. (CVE-2010-0159
356
, CVE-2010-0160
357
)
Two flaws were found in the way certain content was processed. An attacker could use these flaws
to create a malicious web page that could bypass the same-origin policy, or possibly run untrusted
JavaScript. (CVE-2009-3988
358
, CVE-2010-0162
359
)
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.18.
You can find a link to the Mozilla advisories in the References section of this errata.
All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.18,
which corrects these issues. After installing the update, Firefox must be restarted for the changes to
take effect.
1.54.2. RHSA-2009:1674: Critical security update
Important
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2009:1674
360
Updated firefox packages that fix several security issues are now available for Red Hat Enterprise
Linux 4 and 5.
This update has been rated as having critical security impact by the Red Hat Security Response
Team.
Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment
for Mozilla Firefox.
Several flaws were found in the processing of malformed web content. A web page containing
malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges
of the user running Firefox. (CVE-2009-3979
361
, CVE-2009-3981
362
, CVE-2009-3986
363
)
A flaw was found in the Firefox NT Lan Manager (NTLM) authentication protocol implementation. If
an attacker could trick a local user that has NTLM credentials into visiting a specially-crafted web
page, they could send arbitrary requests, authenticated with the user's NTLM credentials, to other
applications on the user's system. (CVE-2009-3983
364
)
A flaw was found in the way Firefox displayed the SSL location bar indicator. An attacker could create
an unencrypted web page that appears to be encrypted, possibly tricking the user into believing they
are visiting a secure page. (CVE-2009-3984
A flaw was found in the way Firefox displayed blank pages after a user navigates to an invalid
address. If a user visits an attacker-controlled web page that results in a blank page, the attacker
could inject content into that blank page, possibly tricking the user into believing they are viewing a
legitimate page. (CVE-2009-3985
366
)
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.16.
You can find a link to the Mozilla advisories in the References section of this errata.
All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.16,
which corrects these issues. After installing the update, Firefox must be restarted for the changes to
take effect.
1.54.3. RHSA-2009:1530: Critical security update
Important
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2009:1530
367
Updated firefox packages that fix several security issues are now available for Red Hat Enterprise
Linux 4 and 5.
This update has been rated as having critical security impact by the Red Hat Security Response
Team.
Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment
for Mozilla Firefox. nspr provides the Netscape Portable Runtime (NSPR).
A flaw was found in the way Firefox handles form history. A malicious web page could steal saved
form data by synthesizing input events, causing the browser to auto-fill form fields (which could then
be read by an attacker). (CVE-2009-3370
368
)
A flaw was found in the way Firefox creates temporary file names for downloaded files. If a local
attacker knows the name of a file Firefox is going to download, they can replace the contents of that
file with arbitrary contents. (CVE-2009-3274
369
)
A flaw was found in the Firefox Proxy Auto-Configuration (PAC) file processor. If Firefox loads a
malicious PAC file, it could crash Firefox or, potentially, execute arbitrary code with the privileges of the
user running Firefox. (CVE-2009-3372
370
)
A heap-based buffer overflow flaw was found in the Firefox GIF image processor. A malicious GIF
image could crash Firefox or, potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2009-3373
371
)
A heap-based buffer overflow flaw was found in the Firefox string to floating point conversion routines.
A web page containing malicious JavaScript could crash Firefox or, potentially, execute arbitrary code
with the privileges of the user running Firefox. (CVE-2009-1563
A flaw was found in the way Firefox handles text selection. A malicious website may be able to read
highlighted text in a different domain (e.g. another website the user is viewing), bypassing the sameorigin policy. (CVE-2009-3375
373
)
A flaw was found in the way Firefox displays a right-to-left override character when downloading a file.
In these cases, the name displayed in the title bar differs from the name displayed in the dialog body.
An attacker could use this flaw to trick a user into downloading a file that has a file name or extension
that differs from what the user expected. (CVE-2009-3376
374
)
Several flaws were found in the processing of malformed web content. A web page containing
malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges
of the user running Firefox. (CVE-2009-3374
375
, CVE-2009-3380
376
, CVE-2009-3382
377
)
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.15.
You can find a link to the Mozilla advisories in the References section of this errata.
All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.15,
which corrects these issues. After installing the update, Firefox must be restarted for the changes to
take effect.
1.54.4. RHSA-2009:1430: Critical security update
Important
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2009:1430
Updated firefox packages that fix several security issues are now available for Red Hat Enterprise
Linux 4 and 5.
This update has been rated as having critical security impact by the Red Hat Security Response
Team.
Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment
for Mozilla Firefox. nspr provides the Netscape Portable Runtime (NSPR).
Several flaws were found in the processing of malformed web content. A web page containing
malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the
privileges of the user running Firefox. (CVE-2009-3070
CVE-2009-3074
382
, CVE-2009-3075
A use-after-free flaw was found in Firefox. An attacker could use this flaw to crash Firefox or,
potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3077
A flaw was found in the way Firefox handles malformed JavaScript. A website with an object
containing malicious JavaScript could execute that JavaScript with the privileges of the user running
Firefox. (CVE-2009-3079
385
)
Descriptions in the dialogs when adding and removing PKCS #11 modules were not informative. An
attacker able to trick a user into installing a malicious PKCS #11 module could use this flaw to install
their own Certificate Authority certificates on a user's machine, making it possible to trick the user into
believing they are viewing a trusted site or, potentially, execute arbitrary code with the privileges of the
user running Firefox. (CVE-2009-3076
386
)
A flaw was found in the way Firefox displays the address bar when window.open() is called in a certain
way. An attacker could use this flaw to conceal a malicious URL, possibly tricking a user into believing
they are viewing a trusted site. (CVE-2009-2654
387
)
A flaw was found in the way Firefox displays certain Unicode characters. An attacker could use this
flaw to conceal a malicious URL, possibly tricking a user into believing they are viewing a trusted site.
(CVE-2009-3078
388
)
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.14.
You can find a link to the Mozilla advisories in the References section of this errata.
All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.14,
which corrects these issues. After installing the update, Firefox must be restarted for the changes to
take effect.
1.55. firstboot
1.55.1. RHBA-2010:0314: bug fix update
Updated firstboot packages that fix a bug are now available.
The firstboot utility runs after installation. It guides the user through a series of steps that allows for
easier configuration of the machine.
These updated packages address the following issue:
* Clicking [Change Network Configuration] from firstboot's network configuration page launched a
separate network configuration window. If the user then clicked [Forward] on the still-visible main
window, the separate configuration window became hidden behind the full-screen main window.
Further mouse-clicks would be ineffectual and it could appear to the user that the system had become
unresponsive. It was necessary to use the alt+tab keys to reveal the hidden configuration window.
Code has been added to the networking.py source file to modify the behavior of the network
configuration and main windows. Now the configuration window will stay on top if the user clicks
outside its boundary. (BZ#511984
389
)
Users are advised to upgrade to these updated packages, which resolve this issue.
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2009:1451
Updated freeradius packages that fix a security issue are now available for Red Hat Enterprise Linux
5.
This update has been rated as having moderate security impact by the Red Hat Security Response
Team.
FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User
Service (RADIUS) server, designed to allow centralized authentication and authorization for a network.
390
An input validation flaw was discovered in the way FreeRADIUS decoded specific RADIUS attributes
from RADIUS packets. A remote attacker could use this flaw to crash the RADIUS daemon (radiusd)
via a specially-crafted RADIUS packet. (CVE-2009-3111
Users of FreeRADIUS are advised to upgrade to these updated packages, which contain a backported
patch to correct this issue. After installing the update, radiusd will be restarted automatically.
391
)
1.56.2. RHBA-2009:1678: bug fix update
Note
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2009:1678
Updated freeradius packages that fix a bug are now available.
FreeRADIUS is an Internet authentication daemon, which implements the RADIUS protocol, as
defined in RFC 2865 (and others). It allows Network Access Servers (NAS boxes) to perform
authentication for dial-up users. There are also RADIUS clients available for Web servers, firewalls,
Unix logins, and more. Using RADIUS allows authentication and authorization for a network to be
centralized, and minimizes the amount of re-configuration which has to be done when adding or
deleting new users.
392
This update addresses the following bug:
* an error in the EAP authentication module could cause memory corruption. Running the radeapclient
utility would typically expose the problem. An error message including text such as this
presented and radeapclient would then abort abnormally. This update corrects the error in the EAP
authentication module. The module no longer corrupts memory and applications such as radeapclient
that use this module work as expected. (BZ#476513
393
)
All freeradius users should install these updated packages, which fix this problem.
1.57. gail
1.57.1. RHBA-2009:1594: bug fix update
Note
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2009:1594
Updated gail packages that resolve an issue are now available.
GAIL, the GNOME Accessbility Implementation Library, implements the abstract interfaces found
in the Accessibility Toolkit (ATK) for GTK+ and GNOME libraries, and thereby enables accessibility
technologies such as AT-SPI (the Assistive Technology Service Provider Interface) to access GUI
elements.
394
These updated gail packages fix the following bug:
* when starting a GNOME application at the shell prompt, the GAIL library incorrectly printed the
following spurious error message when the "GNOME_ACCESSIBILITY" environment variable was set
to "0", which disables GNOME accessibility support: "GTK Accessibility Module initialized". With this
update, this message no longer appears when the "GNOME_ACCESSIBILITY" environment variable
is set to "0". (BZ#506561
395
)
All users of gail are advised to upgrade to these updated packages, which resolve this issue.
1.58. gcc
1.58.1. RHBA-2009:1533: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata
RHBA-2009:1533
A gcc update that resolves an option handling bug where only the last "-fno-builtin-*" option specified
on the command line was honored is now available.
396
The gcc packages include C, C++, Java, Fortran, Objective C, and Ada 95 GNU compilers, along with
related support libraries.
* if multiple "-fno-builtin-*" options were specified on the command line (for example, "-fno-builtiniswalpha -fno-builtin-iswalnum") only the last option was honored (in the example, -fno-builtiniswalnum). With this update, joined switches are no longer pruned, ensuring all such options are
honored, as expected. (BZ#526421
397
)
Users are advised to install this gcc update, which applies this fix.
1.58.2. RHSA-2010:0039: Moderate and gcc4 security update
Important
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2010:0039
Updated gcc and gcc4 packages that fix one security issue are now available for Red Hat Enterprise
Linux 3, 4, and 5.
398
This update has been rated as having moderate security impact by the Red Hat Security Response
Team.
The gcc and gcc4 packages include, among others, C, C++, and Java GNU compilers and related
support libraries. libgcj contains a copy of GNU Libtool's libltdl library.
A flaw was found in the way GNU Libtool's libltdl library looked for libraries to load. It was possible
for libltdl to load a malicious library from the current working directory. In certain configurations, if a
local attacker is able to trick a local user into running a Java application (which uses a function to load
native libraries, such as System.loadLibrary) from within an attacker-controlled directory containing a
malicious library or module, the attacker could possibly execute arbitrary code with the privileges of
the user running the Java application. (CVE-2009-3736
399
)
All gcc and gcc4 users should upgrade to these updated packages, which contain a backported patch
to correct this issue. All running Java applications using libgcj must be restarted for this update to take
effect.
1.58.3. RHBA-2010:0232: bug fix update
A gcc update that resolves several compiler bugs is now available.
The gcc packages include C, C++, Java, Fortran, Objective C, and Ada 95 GNU compilers, along with
related support libraries.
This update applies the following bug fixes:
* when compiling a debug version of a C++ program, it was possible for gcc to lose debug information
for some local variables in C++ constructors or destructors. This was because gcc incorrectly released
information on abstract functions (specifically, contents of the DECL_INITIAL() function), which
are needed for creating debug information. With this release, nodes containing abstract functions
are flagged accordingly to prevent gcc from prematurely discarding needed debug information.
(BZ#513184
* when issuing multiple -fno-builtin-* switches to gcc, gcc only registered the last switch. With this
release, gcc can now register multiple -fno-builtin-* switches correctly. (BZ#515799
400
)
401
)
* in some cases, aggregates returned by value could cause reload failures in the caller function,
resulting in an internal compiler error. This was caused by a bug in the combining code that incorrectly
lengthens the lifetime of a hard register. This update applies a patch to expand_call function in gcc/
calls.c that resolves the issue. (BZ#516028
402
)
* using g++ to compile code containing virtual inheritances could result in a segmentation fault.
This was because the dynamic_cast code in gcc did not use src2dst hints as expected; as a result,
g++ could search an unnecessarily large address list for possible bases. With this release, the
dynamic_cast code now uses src2dst hints; this allows g++ to defer searching bases that don't overlap
with a virtual inheritance's address. (BZ#519519
403
)
* On PowerPC, it was possible for DWARF access to function parameters to fail. This was caused
by a bug in the GCC instruction set for PowerPC, where compiling with -mno-sched-prolog could
discard debug location lists. This update fixes the bug, ensuring consistent DWARF access to function
parameters on PowerPC. (BZ#528792
404
)
* The libgcc undwinder now supports DW_OP_swap handling. This update also fixes bugs
in the way unwinding code handled unwind information from DW_OP_{gt,ge,lt,le} and
DW_CFA_{remember,restore}_state. (BZ#555731
405
)
All GCC users are advised to install this update.
1.59. gd
1.59.1. RHSA-2010:0003: Moderate security update
Important
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2010:0003
Updated gd packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having moderate security impact by the Red Hat Security Response
Team.
The gd packages provide a graphics library used for the dynamic creation of images, such as PNG
and JPEG.
A missing input sanitization flaw, leading to a buffer overflow, was discovered in the gd library. A
specially-crafted GD image file could cause an application using the gd library to crash or, possibly,
execute arbitrary code when opened. (CVE-2009-3546
407
)
Users of gd should upgrade to these updated packages, which contain a backported patch to resolve
this issue.
1.60. gdb
1.60.1. RHBA-2010:0285: bug fix update
An updated gdb package that fixes various bugs is now available.
The GNU Project debugger, GDB, debugs programs written in C, C++, and other languages by
executing them in a controlled fashion, and then printing out their data.
With this update, GDB is now re-based to upstream version 7.0.1 (BZ#526533
408
). This applies
several bug fixes and enhancements not listed here. For a full description of this version, refer to
the following link: http://sourceware.org/cgi-bin/cvsweb.cgi/src/gdb/NEWS.diff?cvsroot=src&r1=t
ext&tr1=1.259.2.1&r2=text&tr2=1.331.2.2&f=u
This update applies the following bug fixes:
* Printing values from a debugged program by dereferencing a pointer to an object of dynamic type
printed out an error stating "Cannot resolve DW_OP_push_object_address for a missing object". Such
pointers are produced by an unsupported iFort compiler, not by gfortran. With this update, GDB can
now dereference pointers to objects of dynamic type, thereby correctly printing the dynamic Fortran
arrays dereferenced from such pointers (as produced by the iFort compiler). (BZ#514287
409
)
* Debugging a program with thousands of set breakpoints was unacceptably slow. This was
because a previous patch introduced a mechanism that hid breakpoint instructions and returned
"shadow" content whenever target_read_memory() accessed memory. The aforementioned patch
was implemented upstream to be used with a "breakpoint always-inserted" option, which was not
implemented in Red Hat Enterprise Linux version of GDB. But Red Hat Enterprise Linux version
backported it to solve a problem on Itanium where instruction (and thus even breakpoint instruction)
boundaries are not byte-aligned. This update reimplements the shadowing functionality using more
optimal log(n) algorithm instead, which consequently prevents any unnecessary slowdown when
processing programs with numerous set breakpoints. (BZ#520618
410
)
* GDB incorrectly skipped OpenMP parallel sections (instead of entering them as expected) when
using the "next" command. This was caused by missing DWARF annotations from GCC that made
it possible for OpenMP parallel sections to be incorrectly classified as function calls. To address this,
GDB contains special instructions to make OpenMP parallel sections indifferent to normal code,
allowing GDB to step into parallel sections with "next" correctly. (BZ#533176
* The GDB version banner now correctly displays "Red Hat Enterprise Linux" instead of "Fedora".
(BZ#537788
* GDB no longer obsoletes the pstack package. (BZ#550786
413
)
* Loading symbols in STABS debug format could crash GDB. The STABS format is no longer
supported, as Red Hat Enterprise Linux uses the debug format DWARF. With this update, loading
symbols in STABS format no longer crashes GDB; instead, such symbols are simply loaded
incorrectly. (BZ#553672
414
)
* Adding GDB support for Fortran modules in previous releases introduced a regression which
prevented GDB from setting breakpoints on a Fortran program's name. This was caused by a bug in
the search routines used when "set language fortran" is enabled. This update fixes the regression.
(BZ#559291
415
)
* The Red Hat Enterprise Linux 5.5 version of GDB also contains a fix for an upstream GDB
regression that prevented users from setting rwatch and awatch breakpoints before a program
starts. This version of GDB implements a compatibility fix from GDB 6.8 to address the regression.
(BZ#562770
416
)
* A "break-by-name on inlined functions" feature introduced in Fedora GDB made it possible for
parameters of inlined functions to be incorrectly hidden. Whenever this occurred during debugging,
GDB printed "<optimized out>" in backtraces or upon entering such functions. In some cases, stepping
through inlined functions could also abort GDB with an internal error. This release resolves the issue
by removing the "break-by-name on inlined functions" feature altogether. (BZ#565601
417
)
All GDB users should apply this update.
1.61. gfs-kmod
1.61.1. RHSA-2010:0291: Moderate security, bug fix and
enhancement update
Updated gfs-kmod packages that fix one security issue, numerous bugs, and add one enhancement
are now available for Red Hat Enterprise Linux 5.5, kernel release 2.6.18-194.el5.
The Red Hat Security Response Team has rated this update as having moderate security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available from the CVE link in the References section.
The gfs-kmod packages contain modules that provide the ability to mount and use GFS file systems.
A flaw was found in the gfs_lock() implementation. The GFS locking code could skip the lock operation
for files that have the S_ISGID bit (set-group-ID on execution) in their mode set. A local, unprivileged
user on a system that has a GFS file system mounted could use this flaw to cause a kernel panic.
(CVE-2010-0727
These updated gfs-kmod packages are in sync with the latest kernel (2.6.18-194.el5). The modules
in earlier gfs-kmod packages failed to load because they did not match the running kernel. It was
possible to force-load the modules. With this update, however, users no longer need to.
These updated gfs-kmod packages also fix the following bugs:
* when SELinux was in permissive mode, a race condition during file creation could have caused one
or more cluster nodes to be fenced and lock the remaining nodes out of the GFS file system. This race
condition no longer occurs with this update. (BZ#471258
419
)
* when ACLs (Access Control Lists) are enabled on a GFS file system, if a transaction that has started
to do a write request does not have enough spare blocks for the operation it causes a kernel panic.
This update ensures that there are enough blocks for the write request before starting the operation.
(BZ#513885
420
)
* requesting a "flock" on a file in GFS in either read-only or read-write mode would sometimes cause a
"Resource temporarily unavailable" state error (error 11 for EWOULDBLOCK) to occur. In these cases,
a flock could not be obtained on the file in question. This has been fixed with this update so that flocks
can successfully be obtained on GFS files without this error occurring. (BZ#515717
421
)
* the GFS withdraw function is a data integrity feature of GFS file systems in a cluster. If the GFS
kernel module detects an inconsistency in a GFS file system following an I/O operation, the file system
becomes unavailable to the cluster. The GFS withdraw function is less severe than a kernel panic,
which would cause another node to fence the node. With this update, you can override the GFS
withdraw function by mounting the file system with the "-o errors=panic" option specified. When this
option is specified, any errors that would normally cause the system to withdraw cause the system to
panic instead. This stops the node's cluster communications, which causes the node to be fenced.
(BZ#517145
422
)
Finally, these updated gfs-kmod packages provide the following enhancement:
* the GFS kernel modules have been updated to use the new generic freeze and unfreeze ioctl
interface that is also supported by the following file systems: ext3, ext4, GFS2, JFS and ReiserFS.
With this update, GFS supports freeze/unfreeze through the VFS-level FIFREEZE/FITHAW ioctl
interface. (BZ#487610
423
)
Users are advised to upgrade to these latest gfs-kmod packages, updated for use with the
2.6.18-194.el5 kernel, which contain backported patches to correct these issues, fix these bugs, and
add this enhancement.
1.62. gfs-utils
1.62.1. RHBA-2010:0290: bug fix update
Updated gfs-utils packages that fix various bugs are now available.
The gfs-utils packages provide the user-space tools necessary to mount, create, maintain and test
GFS file systems.
The updated gfs-utils packages apply the following bug fixes:
* GFS: gfs_fsck sometimes needs to be run twice (BZ#509225
problems when directly on block device (BZ#512722
found (BZ#508978
426
)
425
) * gfs_fsck -n always returns 0 even if error is
424
) * gfs_fsck cannot repair rindex
All users of gfs-utils should upgrade to these updated packages, which resolve these issues.
1.63. gfs2-utils
1.63.1. RHBA-2010:0287: bug fix update
Updated gfs2-utils packages that fix various bugs are now available.
The gfs2-utils packages provide the user-space tools necessary to mount, create, maintain and test
GFS2 file systems.
The updated gfs2-utils packages apply the following bug fixes:
gfs2_edit segfault (BZ#503485
Message printed to stderr instead of stdout (BZ#506682
gfs2_mount (BZ#514939
"fsck.gfs2: invalid option -- a" on boot when mounting root formatted as gfs2 (BZ#507596
GFS2: gfs2_fsck bugs found in rindex repair code (BZ#514018
(BZ#503529
434
) gfs2-utils fails rebuild test (BZ#515370
offset on gfs1 and segfaults on gfs2 (BZ#506343
for block size < 4K (BZ#520762
(BZ#527770
438
) GFS2: fsck.gfs2 should fix the system statfs file (BZ#539337
savemeta bugs (BZ#528786
interrupted rgrp conversion does not allow re-converts (BZ#548585
are of different metatree heights in gfs and gfs2 is incorrect (BZ#548588
RO mounted file systems (BZ#557128
gfs2_convert doesn't convert jdata files correctly (BZ#545602
after gfs2_grow (BZ#546683
427
) gfs2_edit produces unaligned access (BZ#503530
430
) GFS2: fsck.gfs2 sometimes needs to be run twice (BZ#500483
436
437
) GFS2: gfs2_edit savemeta not saving all extended attribute data
440
) quota file size not a multiple of struct gfs2_quota(BZ#536902
444
) GFS2: gfs2_convert should fix statfs file (BZ#556961
All users of gfs2-utils should upgrade to these updated packages, which resolve these issues.
1.64. glibc
1.64.1. RHBA-2009:1634: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata
RHBA-2009:1634
Updated glibc packages that resolve several issues are now available.
The glibc packages contain the standard C libraries used by multiple programs on the system. These
packages contains the standard C and the standard math libraries. Without these two libraries, the
Linux system cannot function properly.
448
These updated glibc packages provide fixes for the following bugs:
* when a thread calls the setuid() function, the change of credentials needs to be performed in every
thread as per POSIX requirements. This update corrects the implementation to avoid a race condition
which occurred when a thread terminated or a new thread was created while the credential change
was performed. (BZ#533213
449
)
* the implementation of the seg_timedwait() function, in assembler, incorrectly decremented the
number of waiting threads stored in a block of memory when an invalid nanosecond value was passed
through its second argument. This error is corrected in this update. (BZ#540475
450
)
All users of glibc are advised to upgrade to these updated packages, which resolve these issues.
1.64.2. RHBA-2010:0050: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata
RHBA-2010:0050
Updated glibc packages that fix a race condition while loading shared libraries are now available
451
The glibc packages contain the standard C libraries used by multiple programs on the system. These
packages contains the standard C and the standard math libraries. Without these two libraries, the
Linux system cannot function properly.
These updated glibc packages provide a fix for the following bug:
* a rarely-encountered and difficult-to-reproduce race condition existed between resolving dynamic
symbols and loading shared libraries that could have resulted in library dependencies not being
resolved. This update provides a fix that avoids the potential race condition. (BZ#548692
452
)
All users are advised to upgrade to these updated packages, which resolve this issue.
1.64.3. RHBA-2010:0306: bug fix and enhancement update
Updated glibc packages that fix several bugs and add an enhancement are now available.
The glibc packages contain the standard C libraries used by multiple programs on the system. These
packages contain the standard C and the standard math libraries. Without these two libraries, the
Linux system cannot function properly.
This update applies the following bug fixes:
* a race condition with seteuid() occured between the threads that run on starting the program,
presenting the error "EUID is already set!" within 10 to 15 seconds. These updates provide exclusive
processes running with no error on startup. (BZ#491995
* assembler implementation of sem_timedwait() on x86/x86_64 wrongly decrements the number
of waiting threads stored in block of memory pointed to by (sem_t *) when an invalid nanosecond
argument is used. This fix allows the correct nanosecond argument to be passed through the second
argument. (BZ#529997
455
)
453
and BZ#522528
454
)
* a race condition in glibc, between _dl_lookup_symbol_x() and dlopen/dlclose/etc, resulted in a failure
in resolving dependencies. These updates provide for processes that are exclusive. (BZ#547631
456
)
This update also adds the following enhancement:
* glibc: incorporates a number of tests to detect corruption in data structures used for heap memory
allocation (malloc/free). This corruption can be caused deliberately by attackers exploiting buffer
overflow vulnerabilities. This enhancement provides additional corruption tests. (BZ#530107
457
)
All users are advised to upgrade to this updated package, which resolves these issues and adds this
enhancement.
1.65. gnome-vfs2
1.65.1. RHBA-2010:0317: bug fix update
An updated gnome-vfs2 package that fixes a bug is now available.
GNOME VFS is the GNOME virtual file system. It is the foundation of the Nautilus file manager.
It provides a modular architecture and ships with several modules that implement support for file
systems, http, ftp, and others. It provides a URI-based API, backend supporting asynchronous file
operations, a MIME type manipulation library, and other features.
* the gnome-vfs2 package would only work correctly on a system running Samba 3.0 packages, and
could not be installed on a system running Samba 3.3 packages. The version of gnome-vfs provided
with this advisory depends only on a small Samba subpackage, which is independent from other
Samba packages. The gnome-vfs2 package can now be installed on a system running Samba 3.3
packages. (BZ#555642
458
)
Users are advised to check the parallel Samba advisory RHBA-2009:9287.
Users are advised to upgrade to this updated gnome-vfs2 package, which resolves this issue.
1.65.2. RHBA-2010:0032: bug fix update
Note
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2010:0032
Updated gnome-vfs2 packages that resolve several issues are now available.
459
GNOME VFS is the GNOME virtual file system. It is the foundation of the Nautilus file manager.
It provides a modular architecture, and ships with several modules that implement support for file
systems and protocols such as HTTP and FTP, among others.
These updated gnome-vfs2 packages provide fixes for the following bugs:
* an unresolved symbol in the gnome-vfs2 library caused the system-config-network GUI application to
be unable to start. (BZ#247522
460
)
* client applications which used the gnome-vfs2 library were unable to search for certain paths
because the search process ended as soon as it encountered a file or directory which it was unable
to read. This update fixes this bug in gnome-vfs2 so that searches skip over unreadable files or
directories and continue as expected.
Note: a future nautilus update will be released that properly fixes this bug in the Nautilus file manager.
(BZ#432764
461
)
* when attempting to move one or more files between two NFS mounts, the Nautilus file manager
displayed a dialog box that stated: Error: "Not on the same file system." This error was caused by an
EXDEV error in the gnome-vfs2 file module due to rename semantics. With this update, moving a file
from one NFS mount to another succeeds as expected due to the implementation of a proper copyand-delete fallback routine. (BZ#438116
462
)
* attempting to open a supported document type represented by a symbolic link on an NFS share with
the Evince document viewer failed with the following error message:
Unable to open document Unhandled MIME type: “application/octet-stream”
This update improves this behavior with a symbolic link check so that Evince is now able to
successfully open a link to a supported document type when both the link and actual file are located
on an NFS share. (BZ#481593
463
)
* the gnome-vfs-daemon service reads the list of mounted devices at /proc/mounts upon startup. If
one of the device paths was not valid UTF-8, gnome-vfs-daemon was disconnected by D-Bus when it
attempted to communicate the path over the system message bus, at which time it exited. However,
other GNOME applications would then attempt to restart gnome-vfs-daemon, at which time the same
sequence of events reoccurred, leading to a potentially infinite loop and much extraneous CPU usage.
With this update, gnome-vfs-daemon correctly converts the information provided by /proc/mounts into
valid UTF-8 before communicating it via D-Bus, which prevents the possibility of gnome-vfs-daemon
being disconnected, exiting, and being restarted in a continuous fashion. (BZ#486286
464
)
* accessing a WebDAV share which contained a comma in its path name with the Nautilus file
manager resulted in a "File not found" error. This update ensures that reserved characters in
path names are properly escaped, and thus Nautilus is able to access such paths as expected.
(BZ#503112
465
)
All GNOME users are advised to upgrade to these updated packages, which resolve these issues.
Running GNOME sessions must be restarted for the update to take effect.
1.66. gpart
1.66.1. RHBA-2009:1606: bug fix update
Note
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2009:1606
A gpart update that fixes a bug in the -debuginfo package is now available.
Gpart is a small tool which tries to guess what partitions are on a PC type harddisk in case the primary
partition table was damaged.
This update addresses the following issue:
* although gpart contains ELF objects, the gpart-debuginfo package was empty. With this update the debuginfo package contains valid debugging information as expected. (BZ#500598
gpart users needing the gpart debuginfo package should install this upgraded package which fixes this
problem.
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2010:0061
An updated gzip package that fixes one security issue is now available for Red Hat Enterprise Linux 3,
4, and 5.
This update has been rated as having moderate security impact by the Red Hat Security Response
Team.
The gzip package provides the GNU gzip data compression program.
An integer underflow flaw, leading to an array index error, was found in the way gzip expanded archive
files compressed with the Lempel-Ziv-Welch (LZW) compression algorithm. If a victim expanded a
specially-crafted archive, it could cause gzip to crash or, potentially, execute arbitrary code with the
privileges of the user running gzip. This flaw only affects 64-bit systems. (CVE-2010-0001
468
469
)
Red Hat would like to thank Aki Helin of the Oulu University Secure Programming Group for
responsibly reporting this flaw.
Users of gzip should upgrade to this updated package, which contains a backported patch to correct
this issue.
1.68. hal
1.68.1. RHBA-2010:0256: bug fix update
Updated hal packages that fix various bugs are now available.
HAL is a daemon for collecting and maintaining information relating to hardware from several system
sources.
The updated packages fix the following bugs:
* a sanity check in the HAL init script was incorrectly exiting with error code 0 when the script could not
locate /usr/sbin/hald. The updated packages now contain a stronger sanity check, which returns the
correct error code for a given condition. (BZ#238113
* a missing FDI quirk parameter for IBM X31 laptops prevented the laptop monitor from switching
off during suspension. The updated packages add an extra "merge" element to the X40/X30 FDI
definition, which correctly sets the dpms_suspend power management attribute. (BZ#395991
470
)
471
)
* a suspend hotkey combination (Fn+F1) used on Dell Latitude hardware was not mapped correctly.
While the keycode sequence could be set manually, owners of Dell Latitude equipment experienced
unnecessary inconvenience when attempting to suspend using the hotkey combination. The updated
packages add the correct mapping rules, which enable the Fn+F1 key combination. (BZ#450326
472
)
* when HAL checked for ttyS devices, it would abend if /sys/class/tty/ttyS* existed but /dev/ttyS* was
removed or modified. Customers using two or more PCI serial port boards (with port extension) often
implemented scripts to rename the port labels on the hardware to match the /dev/ttyS* node. HAL
checks did not correctly cater for this scenario. The updated packages check whether serial device
nodes have been manually removed. (BZ#486427
473
)
* a missing HAL video quirk setting prevented IBM 4838-310 POS units from resuming correctly from
S3 suspend state. The updated packages include a vbe_post quirk that corrects the suspend issue.
(BZ#501726
474
)
* an incorrect parameter in /etc/udev/rules.d/90-dm.rules prevented LUKS-formatted (encrypted) USB
disks from automounting using GNOME. Customers had to mount the drive manually, or comment out
the ignore_device line in 90-dm.rules to effect the change. The updated packages fully implement this
workaround solution. (BZ#519645
475
)
* a missing HAL suspend quirk parameter prevented owners of Lenovo ThinkPad T400 laptops
(product key 2768A96) suspending and resuming a session from a previously suspended system.
The issue presented on laptops with ATI Mobility Radeon HD 3400 Series chipsets (1002:95c4), or
Intel Mobile 4 Series chipsets (8086:2a42). The updated packages fix the suspend issue by correctly
specifying the --quirk-vbe-post option for T400 machines. (BZ#571925
476
)
All hal users are advised to upgrade to these updated packages, which resolve these issues.
1.69. hmaccalc
1.69.1. RHBA-2010:0055: bug fix update
Note
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2010:0055
An updated hmaccalc package that fixes a self-test bug related to binary prelinking is now available.
The hmaccalc package contains tools to calculate HMAC (Hash-based Message Authentication Code)
values for files. The names and interfaces were designed to mimic those of the sha1sum, sha256sum,
sha384sum and sha512sum tools provided by the coreutils package.
This updated hmaccalc package fixes the following bug:
* each time one of the tools in the hmaccalc package is used, it performs a self-test by comparing the
checksum of its own binary with the value which was computed when the binary package was built.
However, if an hmaccalc binary had been prelinked using the "prelink" command, and that command
was not located in one of the directories listed in the PATH environment variable, then that binary
would be unable to use the prelink tool to verify the checksum against an unmodified copy of itself.
This update contains a backported fix that allows hmaccalc to remember the location of the prelink
command that was available at build time, and to be able to use it if necessary.
httpd
Note that this fix is required in order to build the Linux kernel with FIPS-compliance (Federal
Information Processing Standards) enabled. (BZ#512275
478
)
All users of hmaccalc are advised to upgrade to this updated package, which resolves this issue.
1.70. httpd
1.70.1. RHSA-2010:0168: Moderate security and enhancement
update
Important
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2010:0168
Updated httpd packages that fix two security issues and add an enhancement are now available for
Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are
available for each vulnerability from the CVE links in the References section.
479
The Apache HTTP Server is a popular web server.
It was discovered that mod_proxy_ajp incorrectly returned an "Internal Server Error" response when
processing certain malformed requests, which caused the back-end server to be marked as failed
in configurations where mod_proxy is used in load balancer mode. A remote attacker could cause
mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry
timeout period (60 seconds by default) by sending specially-crafted requests. (CVE-2010-0408
480
)
A use-after-free flaw was discovered in the way the Apache HTTP Server handled request headers in
subrequests. In configurations where subrequests are used, a multithreaded MPM (Multi-Processing
Module) could possibly leak information from other requests in request replies. (CVE-2010-0434
481
)
This update also adds the following enhancement:
* with the updated openssl packages from RHSA-2010:0162 installed, mod_ssl will refuse to
renegotiate a TLS/SSL connection with an unpatched client that does not support RFC 5746. This
update adds the "SSLInsecureRenegotiation" configuration directive. If this directive is enabled,
mod_ssl will renegotiate insecurely with unpatched clients. (BZ#567980
482
)
Refer to the following Red Hat Knowledgebase article for more details about the changed mod_ssl
behavior: http://kbase.redhat.com/faq/docs/DOC-20491
All httpd users should upgrade to these updated packages, which contain backported patches to
correct these issues and add this enhancement. After installing the updated packages, the httpd
daemon must be restarted for the update to take effect.
1.70.2. RHSA-2009:1579: Moderate security update
Important
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2009:1579
Updated httpd packages that fix multiple security issues are now available for Red Hat Enterprise
Linux 3 and 5.
This update has been rated as having moderate security impact by the Red Hat Security Response
Team.
The Apache HTTP Server is a popular Web server.
483
A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols
handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain
text to a client's session (for example, an HTTPS connection to a website). This could force the server
to process an attacker's request as if authenticated using the victim's credentials. This update partially
mitigates this flaw for SSL sessions to HTTP servers using mod_ssl by rejecting client-requested
renegotiation. (CVE-2009-3555
484
)
Note: This update does not fully resolve the issue for HTTPS servers. An attack is still possible in
configurations that require a server-initiated renegotiation. Refer to the following Knowledgebase
article for further information: http://kbase.redhat.com/faq/docs/DOC-20491
A NULL pointer dereference flaw was found in the Apache mod_proxy_ftp module. A malicious
FTP server to which requests are being proxied could use this flaw to crash an httpd child process
via a malformed reply to the EPSV or PASV commands, resulting in a limited denial of service.
(CVE-2009-3094
485
)
A second flaw was found in the Apache mod_proxy_ftp module. In a reverse proxy configuration, a
remote attacker could use this flaw to bypass intended access restrictions by creating a carefullycrafted HTTP Authorization header, allowing the attacker to send arbitrary commands to the FTP
server. (CVE-2009-3095
486
)
All httpd users should upgrade to these updated packages, which contain backported patches to
correct these issues. After installing the updated packages, the httpd daemon must be restarted for the
update to take effect.
1.70.3. RHBA-2010:0252: bug fix and enhancement update
Updated httpd packages that fix bugs and add enhancements are now available.
The Apache HTTP Server is a popular and freely-available Web server.
These updated httpd packages provide fixes for the following bugs:
hwdata
* the mod_authnz_ldap module did not allow other modules to handle authorization if no LDAPspecific requirements were used in the "Require" directive. (BZ#448350
* the httpd "init" script did not work correctly if the PidFile directive was removed from httpd.conf.
(BZ#505002
488
)
* mod_ssl would fail to complete a handshake if more the 85 CAs were configured using
SSLCACertificateFile and/or SSLCACertificatePath. (BZ#510515
* the "X-Pad" header used for compatibility with old browser implementations has been removed.
(BZ#526110
* mod_proxy_ajp could fail if uploading large files. (BZ#528640
* .NET clients using the "Expect: 100-continue" header could cause spurious responses.
(BZ#533407
* the OID() function supported in mod_ssl's SSLRequire directive could not evaluate some extension
types. (BZ#552942
490
492
)
491
)
493
)
489
)
487
)
)
The following enhancements have also been made:
* the "DiscardPathInfo" flag (or "DPI") has been added to mod_rewrite. (BZ#517500
* the AuthLDAPRemoteUserAttribute directive has been added to mod_authnz_ldap. (BZ#520838
494
)
495
)
* the AuthLDAPDynamicGroups directive has been added to mod_authnz_ldap, to enable support for
dynamic groups. (BZ#252038
* the mod_substitute module is now included. (BZ#539256
496
)
497
)
All Apache users should install these updated packages which address these issues.
1.71. hwdata
1.71.1. RHEA-2010:0197: enhancement update
An updated hwdata package that adds various enhancements is now available.
The hwdata package contains tools for accessing and displaying hardware identification and
configuration data.
This updated package adds entries for the following devices to the Red Hat Enterprise Linux 5.4
pci.ids and usb.ids databases:
* NC375T PCI Express Quad Port Gigabit Server Adapter. (BZ#569910
498
)
500
)
501
)
502
)
)
504
)
507
)
Users of hwdata are advised to upgrade to this updated package, which adds these enhancements.
1.72. ia32el
1.72.1. RHBA-2010:0250: bug fix update
An ia32el update that fixes several bugs is now available.
ia32el is the IA-32 Execution Layer platform, which allows the emulation of IA-32 binaries on IA-64.
This updated package addresses the following issues:
* When using the -D_FILE_OFFSET_BITS=64 compile option, the platform would try to call syscall
statfs64 (syscall id=268). Unfortunately, this was unsupported by the previous package. Instead,
the platform would resort to statfs(), and the case would fail. This package adds support for syscall
statfs64. The platform no longer resorts to statfs(), and works correctly. (BZ#514938
* When SIGALRM invokes the signal handler, the ia32el application that installed the signal handler
stops executing system calls in the correct order. This package adds a patch to the code that changes
the conditions for the order of executing system calls, preventing the signal handler from affecting it.
(BZ#515165
509
)
* The ia32el did not pass the second, third and fourth offset arguments of the fadvise64() or
fadvise64_64() system call methods to the kernel correctly because it was unable to handle 64-bit
arguments for that system call. This meant that the offset arguments were not recognized as valid by
the kernel. Support for 64-bit arguments has now been added. (BZ#528590
511510
)
* The clock_nanosleep() system call method's fourth argument (remaining time) retained old values
when interrupted by signal (EINTR). This caused invalid values to return for this argument. This patch
adds a validity check before the values are returned. (BZ#528590
513512
)
* The ia32el would not perform operations on the third argument of the sendfile() system call method
correctly. As a result, after a successful system call, the offset argument would not be set to the value
of the byte following the last byte read. This updated package contains a patch to correctly set the
offset argument (during the system call). (BZ#528596
514
)
* The ia32el previously broke the arguments of the sync_file_range() syscall. When the syscall was
run, it would respond with an 'Invalid argument' error. A patch has been created that fixes the syntax
error in the code. The ia32el now reads the sync_file_range() arguments correctly. (BZ#528597
515
)
* When a NULL pointer was specified for the 2nd argument of the timer_create() syscall, the ia32el
would pass the kernel a non-NULL pointer to uninitialized data instead, and the syscall would fail. This
package provides a patch that adjusts the syntax of the code for the timer_create() syscall, so that the
ia32el correctly interprets the NULL pointer. (BZ#528598
516
)
* The NOTE offset and filesize of some core dumps of i386 processes running under ia32el were
greater than the first LOAD offset according to 'readelf -l'. When this happened, the gdb couldn't read
the core file. This package includes a patch that adjusts the size of the offset to greater than that of the
NOTE offset and filesize. The gdb can now succesfully read the core file. (BZ#533269
517
)
Users are advised to upgrade to this updated ia32el package which resolves these issues.
1.73. iasl
1.73.1. RHBA-2010:0226: bug fix and enhancement update
An updated iasl package that fixes a bug and introduces a feature enhancement is now available.
iasl compiles ASL (ACPI Source Language) into AML (ACPI Machine Language), which is suitable for
inclusion as a DSDT in system firmware. It also can disassemble AML, for debugging purposes.
* the default version of iasl was old, and could not properly decode DMAR tables. This sometimes
resulted in incorrect decoding. Updating to the latest version of the iasl package has corrected this
behavior, and DMAR tables are now decoded correctly. (BZ#518109
* the iasl package has been updated to the latest version. (BZ#518209
Users are advised to upgrade to this updated iasl package, which resolves this issue.
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2009:1509
Updated inn packages that resolve an issue are now available.
INN (InterNetNews) is a complete system for serving Usenet news and private newsfeeds. INN
includes innd, an NNTP (NetNews Transport Protocol) server, and nnrpd, a newsreader that is
spawned for each client. Both innd and nnrpd vary slightly from the NNTP protocol, but not in ways
that are easily noticed.
These updated packages address the following issue:
520
* a PID file -- /var/run/news/innd.pid -- is created by the Internet News NNTP server, innd, at startup.
If this file was not present when an attempt to stop innd was made, the service did not stop. With this
update, the innd init script adds logic to stop innd with the killproc command if a "service innd stop"
command is issued and innd.pid cann to be found. The updated init script also returns a message,
"Stopping INND service (PID not found, the hard way)", in this case. (BZ#464916
521
)
All inn users are advised to upgrade to these updated packages, which resolve this issue.
1.75. iproute
1.75.1. RHBA-2009:1520: bug fix update
Note
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2009:1520
An updated iproute package that fixes a bug is now available.
The iproute package contains networking utilities such as ip and rtmon, which use the advanced
networking capabilities of the Linux 2.4 and 2.6 kernels.
522
This update addresses the following problem:
* if IPv6 was disabled, running the "ss" command resulted in a segmentation fault. A workaround
was to run "ss -f inet". With this update the return value checks for net_*_open were fixed and the
workaround is no longer necessary. The ss command again returns socket statistics as expected.
(BZ#493578
All iproute users are advised to upgrade to this updated package, which resolves this issue.
1.76. iprutils
1.76.1. RHEA-2010:0229: enhancement update
An enhanced iprutils package is now available.
The iprutils package provides utilities to manage and configure SCSI devices that are supported by the
ipr SCSI storage device driver.
This package upgrades iprutils to version 2.2.18, which includes:
* support for the Generation 2 SAS (serial attached SCSI) PCI-E card with SSD (solid-state drive) has
been added to systems with the PowerPC 64 architecture. (BZ#512246
524
)
* iprconfig is a utility for configuring and recovering IBM Power RAID storage adapters. The iprconfig
utility previously reported an incorrect firmware level for enclosures when called from a command
line on systems with the PowerPC 64 architecture. The firmware level was reported correctly in the
iprconfig graphical user interface (GUI). The iprconfig utility has been updated to handle SES (SCSI
enclosure services) devices the same in both the command line and GUI, and the firmware level for
enclosures is now reported correctly. (BZ#532544
525
)
Users with PowerPC 64 systems are advised to upgrade to this updated iprutils package, which adds
these enhancements.
1.77. iptables
1.77.1. RHBA-2009:1539: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata
RHBA-2009:1539
526
Updated iptables packages that fix a bug are now available.
The iptables utility controls the network packet filtering code in the Linux kernel.
These updated packages fix the following bug:
* the memory alignment of ipt_connlimit_data was incorrect on x86-based systems. This update adds
an explicit aligned attribute to the ipt_connlimit_data struct to correct this. (BZ#529687
527
)
Users are advised to upgrade to these updated iptables packages, which resolve this issue.
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2009:1676
An updated iptstate package that resolves an issue is now available.
The iptstate utility displays the states held by your stateful firewall in a top-like manner.
This updated iptstate package fixes the following bug:
* iptstate used a curses output function in single-run mode where curses is not used. Running "ipstate
-s -S [address] -D [address]" caused ipstate to crash with a Segmentation Fault error. Note: running
the command without the single-run mode switch (-s) did not crash. With this update, the bug is fixed
and iptstate runs in single-run mode correctly, as expected. (BZ#474381
528
529
)
All iptstate users should upgrade to this updated package, which resolves this issue.
1.79. ipw2200-firmware
1.79.1. RHEA-2010:0218: enhancement update
An enhanced ipw2200-firmware package is now available.
The ipw2200-firmware package contains the firmware files required by Intel PRO/Wireless 2200
network adapters.
The enhancement contains new open source 802.11a/bg drivers, which are compatible with ipw2200
drivers in the latest Red Hat Enterprise Linux kernels. (BZ#494492
Users with hardware containing Intel PRO/Wireless 2220 network adapters are advised to install this
enhancement.
530
)
1.80. iscsi-initiator-utils
1.80.1. RHBA-2010:0078: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata
An updated iscsi-initiator-utils package that fixes a bug is now available.
The iscsi-initiator-utils package provides the server daemon for the iSCSI protocol, as well as the utility
programs used to manage it. iSCSI is a protocol for distributed disk access using SCSI commands
sent over Internet Protocol networks.
This updated iscsi-initiator-utils package fixes the following bug:
* removing the bnx2i module from the kernel, or running ifdown on the network interface being used
by the bnx2i driver, and then reloading the kernel module or running ifup, did not result in automatic
reconnection to SCSI sessions. As a workaround, the iscsid service had to be stopped and then
restarted. With this update, SCSI sessions are automatically reconnected to after removing and
reloading the bnx2i kernel module, or bringing the network interface down and then up again with
ifdown and ifup. (BZ#549629
532
)
All users of iscsi-initiator-utils are advised to upgrade to this updated package, which resolves this
issue.
1.80.2. RHBA-2010:0293: bug fix and enhancement update
An updated iscsi-initiator-utils package that fixes various bugs and provides new enhancements is now
available.
The iscsi package provides the server daemon for the iSCSI protocol, as well as the utility programs
used to manage it. iSCSI is a protocol for distributed disk access using SCSI commands sent over
Internet Protocol networks.
The following bugs have been fixed in this release:
* There was a problem with the discovery mechanism when iSCSI ifaces were used with
different initiator names. The sendtarget discovery feature was using the default name (/etc/iscsi/
initiatorname.iscsi) instead of the iname in the iface. As a consequence, the wrong name was being
used. The discovery mechanism has now been fixed so that it uses the iname in the iface. As a result,
they are discovered correctly and the right names are used. (BZ#504666
533
)
* chkconfig was being run on service start to enable and disable services. This was causing a number
of problems, as it was broken on read-only root systems and it also recalculated dependencies,
causing a change of ordering in /etc/rc whilst the system is running. To fix this issue, chkconfig has
been removed from the package so these issues will no longer occur as a result. (BZ#511271
534
)
* Removing the bnx2 modules or running ifdown on the network interface being used by bnx2i driver
would result in the iSCSI sessions being disconnected. Reloading the module or running ifup would
not reconnect the SCSI sessions. A patch has been added and, as a result, the iSCSI session now
recovers after iconfig is brought down and back up. (BZ#514926
535
)
* The iscsi initiator would fail to connect to a target when the bnx2i transport was being used. As a
consequence, the log-in attempt would time out and fail. A fix has been made to the way in which MAC
addresses are handled. As a result, users can now successfully log in. (BZ#520508
* There was a small typographical error in the /usr/session_info.c print out, where "REOPEN" was
incorrectly spelled as "REPOEN". This has now been corrected and the correctly spelled version of the
word is output as a result. (BZ#531748
537
).
The following enhancements have also been added in this release:
* The Broadcom iSCSI user-space components have been updated to support ipv6 and 10G
components. As a result, a broader range of hardware is now supported. (BZ#517380
* The /etc/init.d/iscsid file has been patched in order to support the ServerEngines be2iscsi driver As a
result, this hardware is now available for utilization. (BZ#556984
539
)
538
)
Users are advised to upgrade to this updated iscsi-initiator-utils package, which resolve these issues.
1.81. iwl3945-firmware
1.81.1. RHEA-2010:0219: enhancement update
An enhanced iwl3945-firmware package that works with the iwlwifi-3945 driver in the latest Red
Hat Enterprise Linux kernel to enable support for the Intel PRO/Wireless 3945ABG/BG Network
Connection Adapter is now available.
iwlwifi-3945 is a kernel driver module for the Intel PRO/Wireless 3945ABG/BG Network Connection
Adapter (aka iwl3945 hardware). The iwlwifi-3945 driver requires firmware loaded on the device
in order to function. The iwl3945-firmware package provides the iwl3945 driver with this required
firmware and enables the driver to function correctly with iwl3945 hardware.
This updated iwl3945-firmware package adds the following enhancement:
* it is best to pair equivalent versions of these components in order to provide maximum compatibility
between them. This update brings the firmware into line with the kernel driver included in the latest
Red Hat Enterprise Linux kernel. (BZ#534100
540
)
Intel PRO/Wireless 3945ABG/BG Network Connection Adapter users using the iwl3945 driver should
upgrade to this updated package, which adds this enhancement.
1.82. iwl4965-firmware
1.82.1. RHEA-2010:0215: enhancement update
An enhanced iwl4965-firmware package is now available.
This package contains the firmware required by the iwl4965 driver for Linux.
* The firmware package has been enhanced to synchronize it with the latest version of the upstream
Intel Wireless Wi-Fi Link 4965AGN driver (version 228.61.2.24). This upgrade brings about the
following new functionality:
More graceful handling of Rx hangs (NMI) More reliable scanning A ten second pauses after
association before power-down Receiver is now reset via re-tune after it misses beacons TGK
measurement is now disabled when it receives a packet More reliable Tx with ACK/BA/CTS
As a result, the driver is now more reliable in a range of areas, scanning more efficiently and handling
problems and interruptions better. (BZ#510757
541
)
Users are advised to upgrade to this updated iwl4965-firmware package, which resolves this issue.
1.83. iwl5000-firmware
1.83.1. RHEA-2010:0216: enhancement update
An updated iwl5000-firmware package is now available.
The iwl5000-firmware package provides the iwlagn wireless driver with the firmware it requires in order
to function correctly with iwlagn hardware.
This updated iwl5000-firmware package adds the following enhancement:
* the iwlagn driver and the iwl5000 firmware work together to provide proper wireless functionality.
It is best to pair equivalent versions of these components in order to provide maximum compatibility
between them, which this updated package provides. (BZ#501609
Users of wireless devices which use iwl5000 firmware are advised to upgrade to this updated
package, which adds this enhancement.
542
)
1.84. java-1.6.0-ibm
1.84.1. RHBA-2010:0327: bug fix update
Updated java-1.6.0-ibm packages that fix an issue with time zone information are now available for
Red Hat Enterprise Linux 5 Supplementary.
IBM's 1.6.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software
Development Kit.
These updated java-1.6.0-ibm packages fix a bug where the IBM Java 6 Runtime Environment did not
recognize several time zones. (BZ#569623
All users of java-1.6.0-ibm are advised to upgrade to these updated packages, which contain new time
zone data and therefore resolve this issue.
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2009:1584
Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat
Enterprise Linux 5.
This update has been rated as having important security impact by the Red Hat Security Response
Team.
These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software
Development Kit. The Java Runtime Environment (JRE) contains the software and tools that users
need to run applications written using the Java programming language.
544
An integer overflow flaw and buffer overflow flaws were found in the way the JRE processed image
files. An untrusted applet or application could use these flaws to extend its privileges, allowing it
to read and write local files, as well as to execute local applications with the privileges of the user
running the applet or application. (CVE-2009-3869
CVE-2009-3874
548
)
545
, CVE-2009-3871
546
, CVE-2009-3873
547
,
An information leak was found in the JRE. An untrusted applet or application could use this flaw to
extend its privileges, allowing it to read and write local files, as well as to execute local applications
with the privileges of the user running the applet or application. (CVE-2009-3881
549
)
It was discovered that the JRE still accepts certificates with MD2 hash signatures, even though MD2
is no longer considered a cryptographically strong algorithm. This could make it easier for an attacker
to create a malicious certificate that would be treated as trusted by the JRE. With this update, the JRE
disables the use of the MD2 algorithm inside signatures by default. (CVE-2009-2409
A timing attack flaw was found in the way the JRE processed HMAC digests. This flaw could aid an
attacker using forged digital signatures to bypass authentication checks. (CVE-2009-3875
Two denial of service flaws were found in the JRE. These could be exploited in server-side application
scenarios that process DER-encoded (Distinguished Encoding Rules) data. (CVE-2009-3876
CVE-2009-3877
553
)
An information leak was found in the way the JRE handled color profiles. An attacker could use this
flaw to discover the existence of files outside of the color profiles directory. (CVE-2009-3728
A flaw in the JRE with passing arrays to the X11GraphicsDevice API was found. An untrusted
applet or application could use this flaw to access and modify the list of supported graphics
configurations. This flaw could also lead to sensitive information being leaked to unprivileged code.
(CVE-2009-3879
555
)
It was discovered that the JRE passed entire objects to the logging API. This could lead to sensitive
information being leaked to either untrusted or lower-privileged code from an attacker-controlled applet
which has access to the logging API and is therefore able to manipulate (read and/or call) the passed
objects. (CVE-2009-3880
556
)
Potential information leaks were found in various mutable static variables. These could be exploited in
application scenarios that execute untrusted scripting code. (CVE-2009-3882
557
, CVE-2009-3883
558
)
An information leak was found in the way the TimeZone.getTimeZone method was handled. This
method could load time zone files that are outside of the [JRE_HOME]/lib/zi/ directory, allowing a
remote attacker to probe the local file system. (CVE-2009-3884
Note: The flaws concerning applets in this advisory, CVE-2009-3869
CVE-2009-3873
and CVE-2009-3884
562
, CVE-2009-3874
567
, can only be triggered in java-1.6.0-openjdk by calling the "appletviewer"
563
, CVE-2009-3879
564
559
)
560
, CVE-2009-3871
, CVE-2009-3880
561
565
, CVE-2009-3881
,
566
application.
All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve
these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
1.86. java-1.6.0-sun
1.86.1. RHBA-2010:0072: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata
RHBA-2010:0072
568
Updated java-1.6.0-sun packages are now available for Red Hat Enterprise Linux 5.4 Supplementary.
The java-1.6.0-sun packages include the Sun Java 6 Runtime Environment, Sun Java 6 Software
Development Kit (SDK), the source code for the Sun Java class libraries, the Sun Java browser plugin and Web Start, the Sun JDBC/ODBC bridge driver, and demonstration files for the Sun Java 6 SDK.
These updated java-1.6.0-sun packages upgrade Sun's Java 6 SDK from version 1.6.0_17 to
version 1.6.0_18, which provides fixes for a number of bugs. To view the release notes for the bug
fixes included in this update, refer to the URL provided in the "References" section of this errata.
(BZ#557418
569
)
All users of java-1.6.0-sun are advised to upgrade to these updated packages, which resolve these
issues.
1.87. kdelibs
1.87.1. RHBA-2009:1464: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata
RHBA-2009:1464
570
Updated kdelibs packages that fix the bugs are now available.
The kdelibs packages contain a set of common libraries used by all applications written for the K
Desktop Environment (KDE). kdelibs includes kdecore (KDE core library); kdeui (user interface); kfm
(file manager); khtmlw (HTML widget); kio (input/output and networking); kspell (spelling checker);
jscript (javascript); kab (addressbook); and kimgio (image manipulation).
This update addresses the following issue:
* the kde.sh shell script used the keyword "source". The pdksh (Public Domain Korn SHell) package,
a new package in Red Hat Enterprise Linux 5.4, does not recognize the "source" keyword in shell
scripts. Consequently, if pdksh was used as the shell on systems with KDE installed, the following
error message was returned in login shells:
ksh: /etc/profile.d/kde.sh[7]: source: not found
The kde.sh shell script in this update has been edited with "source" replaced by "." The full stop
keyword (.) is an alias for "source" in Bourne-compatible shells, including pdksh. Once installed, KDE
users running the pdksh shell will no longer get the above error message. (BZ#523968
571
)
Note: this bug was a known issue at the release of Red Hat Enterprise Linux 5.4 and a manual version
of the fix included in this update was documented in the Red Hat Enterprise Linux 5.4 Technical Notes:
If /etc/profile.d/kde.sh already exists, the new version included with this update is installed as /etc/
profile.d/kde.sh.rpmnew.
Therefore, on systems where an extant kde.sh has been manually edited as per the Red Hat
Enterprise Linux 5.4 Technical Notes, the manual fix is retained.
On systems where kde.sh already exists and the workaround has not been applied, however, installing
this update does not, of itself, implement the fix. After installation on such systems, renaming kde.sh
and kde.sh.rpmnew as follows will implement the fix:
All KDE and pdksh users should install this updated package which fixes this bug.
1.87.2. RHSA-2009:1601: Critical security update
Important
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2009:1601
Updated kdelibs packages that fix one security issue are now available for Red Hat Enterprise Linux 4
and 5.
572
This update has been rated as having critical security impact by the Red Hat Security Response
Team.
The kdelibs packages provide libraries for the K Desktop Environment (KDE).
A buffer overflow flaw was found in the kdelibs string to floating point conversion routines. A web page
containing malicious JavaScript could crash Konqueror or, potentially, execute arbitrary code with the
privileges of the user running Konqueror. (CVE-2009-0689
Users should upgrade to these updated packages, which contain a backported patch to correct this
issue. The desktop must be restarted (log out, then log back in) for this update to take effect.
573
)
1.88. kernel
1.88.1. RHSA-2010:0147: Important security and bug fix update
Important
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2010:0147
574
Updated kernel packages that fix multiple security issues and several bugs are now available for Red
Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are
available for each vulnerability from the CVE links in the References section.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
* a NULL pointer dereference flaw was found in the sctp_rcv_ootb() function in the Linux kernel
Stream Control Transmission Protocol (SCTP) implementation. A remote attacker could send a
specially-crafted SCTP packet to a target system, resulting in a denial of service. (CVE-2010-0008
575
Important)
* a missing boundary check was found in the do_move_pages() function in the memory migration
functionality in the Linux kernel. A local user could use this flaw to cause a local denial of service or an
information leak. (CVE-2010-0415
576
, Important)
* a NULL pointer dereference flaw was found in the ip6_dst_lookup_tail() function in the Linux kernel.
An attacker on the local network could trigger this flaw by sending IPv6 traffic to a target system,
leading to a system crash (kernel OOPS) if dst->neighbour is NULL on the target system when
receiving an IPv6 packet. (CVE-2010-0437
577
, Important)
* a NULL pointer dereference flaw was found in the ext4 file system code in the Linux kernel. A local
attacker could use this flaw to trigger a local denial of service by mounting a specially-crafted, journalless ext4 file system, if that file system forced an EROFS error. (CVE-2009-4308
578
, Moderate)
* an information leak was found in the print_fatal_signal() implementation in the Linux kernel. When "/
proc/sys/kernel/print-fatal-signals" is set to 1 (the default value is 0), memory that is reachable by the
kernel could be leaked to user-space. This issue could also result in a system crash. Note that this
flaw only affected the i386 architecture. (CVE-2010-0003
579
, Moderate)
,
* missing capability checks were found in the ebtables implementation, used for creating an Ethernet
bridge firewall. This could allow a local, unprivileged user to bypass intended capability restrictions and
modify ebtables rules. (CVE-2010-0007
580
, Low)
Bug fixes:
* a bug prevented Wake on LAN (WoL) being enabled on certain Intel hardware. (BZ#543449
* a race issue in the Journaling Block Device. (BZ#553132
* programs compiled on x86, and that also call sched_rr_get_interval(), were silently corrupted when
run on 64-bit systems. (BZ#557684
* the RHSA-2010:0019 update introduced a regression, preventing WoL from working for network
devices using the e1000e driver. (BZ#559335
583
)
584
)
582
)
* adding a bonding interface in mode balance-alb to a bridge was not functional. (BZ#560588
* some KVM (Kernel-based Virtual Machine) guests experienced slow performance (and possibly a
crash) after suspend/resume. (BZ#560640