The text of and illustrations in this document are licensed by Red Hat under a Creative Commons
Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available
at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this
document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert,
Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity
Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States
and/or other countries.
All other trademarks are the property of their respective owners.
The Red Hat Enterprise Linux 5.5 Technical Notes list and document the changes made to the Red
Hat Enterprise Linux 5 operating system and its accompanying applications between minor release
Red Hat Enterprise Linux 5.4 and minor release Red Hat Enterprise Linux 5.5.
For system administrators and others planning Red Hat Enterprise Linux 5.5 upgrades and
deployments, the Technical Notes provide a single, organized record of the bugs fixed in, features
added to, and Technology Previews included with this new release of Red Hat Enterprise Linux.
For auditors and compliance officers, the Red Hat Enterprise Linux 5.5 Technical Notes provide a
single, organized source for change tracking and compliance testing.
For every user, the Red Hat Enterprise Linux 5.5 Technical Notes provide details of what has changed
in this new release.
The Technical Notes also include, as an Appendix, the Red Hat Enterprise Linux Package Manifest: a
listing of every changed package in this release.
Chapter 1.
Package Updates
1.1. acl
1.1.1. RHBA-2009:1652: bug fix update
Note
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2009:1652
Updated acl packages that fix a bug are now available.
Access Control Lists (ACLs) are used to define finer-grained discretionary access rights for files and
directories. The acl packages contain the getfacl and setfacl utilities needed for manipulating access
control lists.
This update fixes the following bug:
* the "setfacl" command, which sets the access control lists for files, always returned an exit status of
0, even when the command failed and printed out error messages. With this update, setfacl exits with
the correct exit status upon failure. (BZ#3684512)
* running "setfacl -- --test" caused setfacl to segmentation fault. This has been fixed in this update.
(BZ#4304583)
* running the "setfacl" command with the '-P' flag, which is the short form of the '--physical' option,
which is supposed to cause "setfacl" to skip over any symbolic links it encounters, did not work
as expected: symbolic links were still followed. This update fixes this so that the '-P' flag works as
expected and symbolic links are silently skipped over. (BZ#4360704)
* the "setfacl" command failed to resolve relative symbolic links when it encountered them unless
they were specified with a trailing forward-slash character (in the case of relative symbolic links to
directories), or the script or shell prompt's working directory was the directory which contained the
relative symbolic link(s). With this update, relative symbolic links are handled correctly by setfacl
regardless of where they are encountered or what their target is. (BZ#5000955)
* the "getfacl" and "setfacl" commands did not properly handle non-ASCII characters with the result
that calling either command on a system with the correct locale settings still produced incorrect output,
such as octal character representations. With this update, getfacl and setfacl are now able to produce
correct output when using non-ASCII character sets. (BZ#5077476)
All users of Access Control Lists should upgrade to these updated packages, which resolve this issue.
1.2. acpid
1.2.1. RHBA-2010:0004: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata
RHBA-2010:0004
An updated acpid package that fixes a bug is now available.
acpid is a daemon that dispatches ACPI (Advanced Configuration and Power Interface) events to
user-space programs.
This updated acpid package fixes the following bug:
* the acpid package that was included with the Red Hat Enterprise Linux 5.4 update contained a
package update script that returned a non-zero exit code when the /var/log/acpid log file did not
exist. However, if the acpid daemon had never been started on the system, and therefore /var/log/
acpid did not exist, the faulty check caused the update process to fail, which could have resulted
in two different acpid packages being installed on the same system and registered with the RPM
database (rpmdb). This updated acpid package removes the spurious record from the rpmdb, thus
resolving the problem. (BZ#5483748)
All users of acpid are advised to upgrade to this updated package, which resolves this issue.
1.2.2. RHSA-2009:1642: Important security update
Important
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2009:1642
An updated acpid package that fixes one security issue is now available for Red Hat Enterprise Linux
5.
This update has been rated as having important security impact by the Red Hat Security Response
Team.
acpid is a daemon that dispatches ACPI (Advanced Configuration and Power Interface) events to
user-space programs.
It was discovered that acpid could create its log file ("/var/log/acpid") with random permissions on
some systems. A local attacker could use this flaw to escalate their privileges if the log file was created
as world-writable and with the setuid or setgid bit set. (CVE-2009-403310)
Please note that this flaw was due to a Red Hat-specific patch (acpid-1.0.4-fd.patch) included in the
Red Hat Enterprise Linux 5 acpid package.
Users are advised to upgrade to this updated package, which contains a backported patch to correct
this issue.
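The flaw described above is one that can be checked for on any root-owned log file, and the creation side is where the fix belongs. The following Python is an added example written for these notes; it is not code from the acpid package or from the Red Hat patch, and the 0o644 creation mode and the file names it uses are assumptions. It flags the setuid, setgid and world-writable bits on an existing file, and shows a log file being opened with an explicit mode under O_CREAT so that its permissions never depend on uninitialised or caller-supplied values:

```python
import os
import stat
import tempfile

# Mode a daemon log file should be created with: owner read/write, everyone else read only.
# 0o644 is an assumed sensible default, not a value taken from the acpid package.
SAFE_LOG_MODE = 0o644

# Bits that must never be present on a log file created by a root daemon.
DANGEROUS_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_IWOTH


def dangerous_bits(mode):
    """Return the subset of DANGEROUS_BITS present in a file mode (0 if none)."""
    return stat.S_IMODE(mode) & DANGEROUS_BITS


def describe_mode(mode):
    """Name the risky bits in a mode, e.g. ['setuid', 'world-writable']."""
    names = []
    if mode & stat.S_ISUID:
        names.append("setuid")
    if mode & stat.S_ISGID:
        names.append("setgid")
    if mode & stat.S_IWOTH:
        names.append("world-writable")
    return names


def audit_path(path):
    """Stat a file and return the list of risky bits found on it (empty list is clean)."""
    return describe_mode(dangerous_bits(os.stat(path).st_mode))


def open_log_safely(path):
    """Create or append to a log file with an explicit creation mode.

    Passing the mode to os.open() together with O_CREAT is the defensive half of
    the fix: the kernel applies the process umask on top of SAFE_LOG_MODE, so the
    file can only ever be created with 0o644 or something more restrictive, never
    with whatever happened to be in an uninitialised or caller-controlled value.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, SAFE_LOG_MODE)
    return os.fdopen(fd, "a")


def demo():
    """Constructed demonstration: one file given dangerous bits, one created safely.

    Returns (findings_on_bad_file, findings_on_good_file).
    """
    with tempfile.TemporaryDirectory() as workdir:
        bad = os.path.join(workdir, "acpid.bad")  # constructed name, not the real log
        with open(bad, "w"):
            pass
        os.chmod(bad, 0o6666)  # setuid + setgid + world-writable: the worst case
        bad_findings = audit_path(bad)

        good = os.path.join(workdir, "acpid.good")  # constructed name
        with open_log_safely(good) as log:
            log.write("constructed log line\n")
        good_findings = audit_path(good)
    return bad_findings, good_findings


if __name__ == "__main__":
    print(demo())
```

Running the module prints the findings for both constructed files; `audit_path()` can be pointed at a real path such as /var/log/acpid during an audit of an unpatched system.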
1.3. aide
1.3.1. RHBA-2010:0036: bug fix update
Note
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2010:0036
An updated aide package that allows proper operation with the recently updated version of libgcrypt
and makes minor man page changes is now available.
Advanced Intrusion Detection Environment (AIDE) is a program that creates a database of files on a
system, and then uses that database to ensure file integrity and detect system intrusions.
This updated aide package includes the following fixes:
* the current version of libgcrypt includes a version-checking initialization step that aide was not doing.
Running "aide -i" logged the following message to /var/log/messages:
aide: Libgcrypt warning: missing initialization - please fix the application
With this update, aide now includes the version-checking step required by libgcrypt and the libgcrypt
warning is, consequently, no longer written to /var/log/messages. Note: although based on a proposed
upstream patch, this update leaves secure memory enabled, unlike the proposed upstream change.
(BZ#53048512)
* the FILES section of the aide man page previously listed the locations for aide.conf, aide.db.gz
and aide.db.new.gz with a pre-pended "%prefix" variable. The updated aide man page removes this
variable, listing the file locations as complete but plain paths (e.g. "/etc/aide.conf"). (No BZ#)
All aide users are advised to upgrade to this updated package, which includes this bug fix and man
page change.
1.4. anaconda
1.4.1. RHBA-2010:0194: bug fix and enhancement update
Anaconda is the system installer.
This updated anaconda package provides fixes for the following bugs:
• previously, when anaconda could not read the extended display identification data (EDID) of
a monitor, it reverted to text mode. However, EDID information is frequently not available on
systems connected to Keyboard–Video–Mouse (KVM) switches. Therefore, when installing Red Hat
Enterprise Linux 5 on a system with a KVM switch, installation would be constrained to text mode.
Anaconda no longer checks for bad or missing EDID, and allows graphical installation to proceed
even when this information is unavailable. Graphical installation on machines attached to KVM
switches therefore continues as if the monitor were connected directly to the graphics adapter.
(BZ#44548613)
• previously, anaconda expected storage devices to be available immediately when it probed for the
location of a kickstart file. On systems where USB storage might not be available immediately (for
example, IBM BladeCenter systems), anaconda would not find the kickstart file and would prompt
the user for its location. This interaction negated the usefulness of kickstart, since the installation
could not then complete unattended. Anaconda now waits until it has probed five times or for
more than 31 seconds before prompting the user for the location of a kickstart file. This allows USB
storage enough time to respond and for kickstart to proceed unattended. (BZ#46056614)
• previously, some user interface elements in the Malayalam translation of anaconda overlapped.
The overlapping elements disabled some buttons in the screen where anaconda lets users
choose a partitioning scheme for the system, and prevented installation from continuing. The text
of the Malayalam translation has been shortened so that the interface elements no longer overlap.
The buttons on the partitioning scheme screen now work correctly and allow installation to continue.
(BZ#47935315)
• during installation, anaconda automatically examines any storage device that has the label OEMDRV
for driver updates and applies any updates that it finds there. Previously, anaconda searched
for this label on the devices listed in /proc/partitions. However, /proc/partitions does
not identify CD or DVD media, so anaconda overlooked optical disks that had the correct label.
Anaconda now examines the devices listed in /sys/block. Therefore, anaconda correctly
identifies CDs and DVDs labelled OEMDRV as driver discs and automatically applies any driver
updates contained on them. (BZ#48506016)
• previously, if anaconda required network access early in an installation (for example, to retrieve a
kickstart file or driver disk image), it temporarily saved information about the network configuration
while it enabled access to the network. However, if anaconda required network access again for
a separate reason, it would not attempt to configure network access again, but would not be able
to connect to the network either, because it no longer retained the configuration information that it
had already used. Therefore, anaconda could not download both a kickstart file and a driver disk
image over a network. Anaconda now retains the network configuration that it obtains early in the
installation process, and can reuse this information multiple times. Therefore, anaconda can use
more than one resource obtained over a network during installation. (BZ#49504217)
• previously, while upgrading a system, anaconda did not check whether packages marked for
installation as dependencies were already installed on the system. Consequently, many packages
would be reinstalled during an upgrade, wasting time and, in the case of network installations,
bandwidth. Now, when performing an upgrade, anaconda matches the packages to be installed
against the packages that are already installed. Any packages with the same Name, Arch, Epoch,
Version, Release (NAEVR) as a package already on the system are skipped and not reinstalled.
(BZ#49579618)
• previously, anaconda did not specify a value for HOTPLUG when writing the system's networking
configuration files, although it did write a value for ONBOOT. Because HOTPLUG is enabled by
default, the effect of disabling ONBOOT was limited because any interface not activated at boot
time would be enabled anyway whenever probed by the system. Anaconda now writes a value for
HOTPLUG, setting it to the same value as ONBOOT. Therefore, any network interface not meant to be
enabled at boot time will not be automatically enabled by probing either. (BZ#49808619)
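To make the ONBOOT/HOTPLUG interaction concrete, here is an added Python example; it is not anaconda code, and the eth1 fragments are constructed. It parses an ifcfg-style fragment, reports an interface that has ONBOOT=no without a matching HOTPLUG=no, and applies the same correction anaconda now makes, writing HOTPLUG with the value of ONBOOT. That an absent HOTPLUG behaves as "yes" is stated in the note above; that an absent ONBOOT behaves as "yes" is an assumption of the example.

```python
import re

# Constructed ifcfg-style fragments, not copied from any real system.
# IFCFG_BEFORE is the shape anaconda wrote before the fix (ONBOOT set, HOTPLUG absent);
# IFCFG_AFTER is the corrected form, with HOTPLUG mirroring ONBOOT.
IFCFG_BEFORE = """DEVICE=eth1
BOOTPROTO=dhcp
ONBOOT=no
"""

IFCFG_AFTER = """DEVICE=eth1
BOOTPROTO=dhcp
ONBOOT=no
HOTPLUG=no
"""

# KEY=value, optional double quotes around the value, optional trailing comment.
_KV = re.compile(r'^\s*([A-Z_][A-Z0-9_]*)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')


def parse_ifcfg(text):
    """Parse a sysconfig-style KEY=value fragment into a dict; blanks and comments are skipped."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = _KV.match(line)
        if match:
            conf[match.group(1)] = match.group(2)
    return conf


def effective_hotplug(conf):
    """HOTPLUG is enabled by default when absent, which is exactly why an
    interface with ONBOOT=no could still come up when the kernel probed it."""
    return conf.get("HOTPLUG", "yes").lower()


def audit_ifcfg(text):
    """Return a list of findings for one ifcfg fragment; an empty list means consistent."""
    conf = parse_ifcfg(text)
    onboot = conf.get("ONBOOT", "yes").lower()  # absent ONBOOT treated as yes (assumption)
    hotplug = effective_hotplug(conf)
    findings = []
    if onboot == "no" and hotplug != "no":
        how = "unset (defaults to yes)" if "HOTPLUG" not in conf else hotplug
        findings.append("%s: ONBOOT=no but HOTPLUG is %s; interface will still be "
                        "activated when probed" % (conf.get("DEVICE", "<unknown>"), how))
    return findings


def fix_ifcfg(text):
    """Apply the anaconda-style correction: HOTPLUG gets the same value as ONBOOT.
    Any existing HOTPLUG line is dropped and a single consistent one appended."""
    conf = parse_ifcfg(text)
    onboot = conf.get("ONBOOT", "yes")
    kept = [line for line in text.splitlines() if not re.match(r"^\s*HOTPLUG\s*=", line)]
    kept.append("HOTPLUG=%s" % onboot)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for finding in audit_ifcfg(IFCFG_BEFORE):
        print("finding:", finding)
    print(fix_ifcfg(IFCFG_BEFORE), end="")
```

`audit_ifcfg()` is the check to run over /etc/sysconfig/network-scripts/ifcfg-* files written by an older installer; `fix_ifcfg()` shows the rewrite rather than editing files in place.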
• the part kickstart command accepts an option called --label that allows a label to be applied
to a disk partition during a kickstart installation. However, the code that implemented this option
was previously missing from anaconda. Any label specified in a kickstart file was therefore ignored.
Anaconda now includes code to transfer the specified label from the kickstart file to the disk
partition. Users can now label disk partitions during kickstart installations. (BZ#49885620)
• when running in rescue mode, anaconda previously lacked the ability to identify partitions on logical
volumes if the partitions were identified in fstab by label rather than by device name. Therefore,
if the root (/) partition were identified in this way, the usefulness of rescue mode would be limited.
Anaconda in rescue mode now uses the getLabels() method to find partitions and therefore
properly detects root partition even if it resides on a logical volume and is identified by label in
fstab. (BZ#50217821)
• previously, the help text available while configuring NETTYPE for IBM System z systems did not
mention HiperSockets. Users new to System z might therefore not have known to choose qeth to
configure HiperSocket interfaces on their hardware. The help text has now been updated to indicate
the correct choice and users can select the appropriate option. (BZ#51196222)
• when the RUNKS was set to 0 in the CMSCONFFILE file on IBM System z systems, anaconda should
have performed an installation in interactive mode. However, a rewrite of linuxrc.s390 changed
the behavior of RUNKS and led to anaconda ignoring this variable. Installation would therefore
proceed in non-interactive mode regardless of what value was set in CMSCONFFILE. A new test
is now included in the version of linuxrc.s390 in Red Hat Enterprise Linux 5.5 so that anaconda
honors RUNKS=0 and performs an interactive install if this value is set. (BZ#51395123)
• by design, anaconda recognizes any block device with the label OEMDRV as a driver disc and
searches it for a driver update. However, anaconda previously failed to examine dev nodes and
therefore, it would not recognize this label on USB storage devices mounted as a partitionless block
devices. Anaconda now examines dev nodes for the label OEMDRV and treats them the same
as partitions with this label. It is therefore possible to use a partitionless device as a driver disc.
(BZ#51543724)
• previously, anaconda did not reinitialize its record of the partition layout on a system when users
clicked the back button from the partitioning screen. Therefore, when a user selected a partition
layout, went back to an earlier screen, and then went forward again to choose a different partition
layout, anaconda would attempt to implement the new partition layout over the previously-selected
partition layout instead of the partition layout actually present on the system. This would sometimes
result in a crash. Now, when users step backwards from the partitioning screen, anaconda
reinitializes its record of the partitions present on the system. Users can therefore change their
minds about partitioning options without crashing anaconda. (BZ#51671525)
• systems store information about iSCSI targets to which they are connected in the iSCSI Boot
Firmware Table (iBFT) in BIOS. Previously, however, when anaconda installed Red Hat Enterprise
Linux 5 from a local installation source such as a CD, DVD, or hard disk, it would not initialize
network connections before asking users to configure storage on the system. Therefore, on systems
with iSCSI storage, users would have to configure a network connection manually before proceeding
with installation, even when this information was already available to anaconda in the system BIOS.
Now, when anaconda detects a valid iBFT present on a system, it automatically loads the network
configuration specified there and does not require users to enter this information. Installation from
local media on systems with iSCSI storage is therefore simpler and more reliable. (BZ#51776826)
• due to faulty logic, anaconda previously did not parse IPv6 addresses correctly and attempted
to read the final byte of the address as a port number. It was therefore not possible, for example,
to install on an iSCSI target specified by an IPv6 address. The logic by which anaconda parses
IP addresses has now been corrected, but now requires IPv6 addresses to be specified in the
[address]:port form to comply with the relevant RFCs. This form removes ambiguity, since IPv6
addresses are still valid if they omit a sequence of bytes with zero values. When IPv6 addresses
are specified in this format, anaconda parses them correctly and installation continues as normal.
(BZ#52505427)
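The ambiguity described above is easy to reproduce. The following Python is an added example, not anaconda's parser: `naive_split()` shows what goes wrong when everything after the last colon is taken as a port, and `split_host_port()` accepts the bracketed [address]:port form the fix requires, while still taking plain hostnames, IPv4 host:port and bare IPv6 addresses without a port. The iSCSI default port 3260 is the registered value; using it as a fallback here is the example's own choice.

```python
import ipaddress

DEFAULT_ISCSI_PORT = 3260  # registered iSCSI port; used only as this example's default


def naive_split(target):
    """The flawed approach: treat whatever follows the last colon as the port.
    For a bare IPv6 address this swallows the final group as a 'port'."""
    host, _, port = target.rpartition(":")
    return host, port


def _port(text):
    """Validate a decimal port string and return it as an int."""
    if not text.isdigit():
        raise ValueError("port is not numeric: %r" % text)
    port = int(text)
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return port


def split_host_port(target, default_port=DEFAULT_ISCSI_PORT):
    """Parse 'host', 'host:port', '[v6]' or '[v6]:port' into (host, port).

    A bare IPv6 address (no brackets) is accepted only without a port, because
    'fe80::1:3260' is itself a valid address: only the bracket notation makes
    the split unambiguous.
    """
    if target.startswith("["):
        end = target.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal: %r" % target)
        host = target[1:end]
        ipaddress.IPv6Address(host)  # raises ValueError on anything but a valid v6 address
        rest = target[end + 1:]
        if rest == "":
            return host, default_port
        if not rest.startswith(":"):
            raise ValueError("unexpected text after IPv6 literal: %r" % target)
        return host, _port(rest[1:])
    if target.count(":") > 1:
        # Two or more colons and no brackets: this can only be a bare IPv6 address.
        ipaddress.IPv6Address(target)
        return target, default_port
    host, sep, port = target.partition(":")
    if not host:
        raise ValueError("empty host in %r" % target)
    return host, (_port(port) if sep else default_port)


if __name__ == "__main__":
    for sample in ("fe80::1", "[fe80::1]:3260", "10.0.0.1:3260", "fe80::1:3260"):
        print("%-18s naive=%-18r strict=%r" % (sample, naive_split(sample), split_host_port(sample)))
```

The last sample in the usage loop is the instructive one: `fe80::1:3260` is a complete IPv6 address, so the strict parser returns it whole with the default port, whereas a user who meant "fe80::1, port 3260" must write `[fe80::1]:3260`.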
• comments in kickstart files are marked with a pound symbol (#) at the start of the line. However,
anaconda did not previously account for the possibility that users might mark a comment with
multiple pound symbols (for example, #####). Anaconda would therefore attempt to parse lines
that started with multiple pound symbols and installation would fail. Anaconda now recognizes lines
that start with multiple pound symbols as comments and does not attempt to parse them. Users can
now safely mark comments in kickstart files in this way. (BZ#52567628)
• to avoid a circular dependency that exists between the ghostscript and ghostscript-fonts packages,
anaconda ignored ghostscript's dependency on ghostscript-fonts. However, ghostscript-fonts
was not explicitly installed as part of the Printing package group. The usefulness of Ghostscript
as installed by anaconda was therefore limited. Anaconda still avoids the circular dependency,
but now specifically installs ghostscript-fonts when users select the Printing package group.
(BZ#53054829)
• previously, anaconda did not automatically instruct the kernel to check for multipath devices when
installing on IBM System z systems. Therefore, unless users booted with the mpath boot option,
iSCSI devices detected on more than one path would be represented in the installer multiple
times, one for each path. Anaconda now automatically loads the mpath boot option and therefore
represents multipath devices correctly. (BZ#53812930)
• Dell PowerEdge servers equipped with the SAS6i/R integrated RAID controller use BIOS Enhanced
Disk Drive Services (EDD) to identify the storage device from which to boot the operating system.
Previously, anaconda did not parse EDD to identify the correct boot device. Consequently, with a
RAID 0 and RAID 1 configured on the system, anaconda would choose the wrong device and the
system would not be bootable. Anaconda now parses EDD to support the SAS6i/R integrated RAID
controller, so that it selects the correct boot device for systems that use this device. (BZ#54063731)
• previously, anaconda would always attempt to reconstruct pre-existing Logical Volume
Management (LVM) devices during installation. Anaconda would attempt to recreate the LVM
device even when a user cleared the LVM partitions from one or more of the disks that held
partitions that formed part of a volume group. In this case, installation would fail. Now, anaconda
no longer attempts to reconstruct incomplete LVM devices. Users can therefore safely reallocate storage that was once part of a volume group and installation will proceed as expected.
(BZ#54586932)
• when ksdevice=link is set in a kickstart file, anaconda should automatically select the first
available network interface and use it during installation. This avoids the need for user input and
allows installation to proceed unattended. However, if interfaces were in a state where anaconda
could not determine their status, anaconda would revert to interactive mode and prompt the user
to select a network interface, thus making unattended installation impossible on systems where
network interfaces could be in such a state. Anaconda now forces the network interfaces on the
system into IFF_UP and IFF_RUNNING states before it attempts to obtain link status. Because
the interfaces are now in a state where they can report their link status to anaconda, Anaconda
can automatically choose one to use during installation and kickstart installations can proceed
unattended. (BZ#54975133)
• previously, when installing on IBM System z systems, anaconda assumed that the network gateway
was unreachable if its attempt to ping the gateway timed out after 10 seconds. Anaconda would
then prompt the user to select a gateway. However, if IPADDR in the conf file has changed recently,
network interfaces take longer to respond. Anaconda now prompts the user only when three pings
have failed and therefore avoids prompting the user for gateway information that is already correctly
specified in the conf file. (BZ#50674234)
In addition, this updated package provides the following enhancements:
• after transferring installation files to a z/VM guest, a user must execute a series of Conversational
Monitor System (CMS) commands to IPL the zLinux installation. These commands can be
scripted, but no such script was previously included with Red Hat Enterprise Linux 5. The lack of
a readymade script made installation more difficult for users unfamiliar with CMS commands. The
CMS script for starting the install process on z/VM is now included in the Red Hat Enterprise Linux 5
images, simplifying installation. (BZ#47534335)
• anaconda now loads the Brocade BNA Ethernet Controller driver, and supports Brocade Fibre
Channel to PCIe Host Bus Adapters. (BZ#47570736)
• previously, anaconda did not offer users the opportunity to configure NFS options during interactive
installation (although these could be configured in kickstart files). Users who needed to fine-tune
NFS parameters for installation were therefore forced to run an unattended installation. Now,
anaconda presents users who select NFS installation with a dialog in which they can configure NFS
options to suit their needs. (BZ#49305237)
• previously, it was not possible to configure hypervisor parameters during a kickstart installation. As
a result, users needed to specify hypervisor parameters manually after installation, negating the
usefulness of kickstart as a mechanism for unattended installations. Now, anaconda recognizes
a new kickstart option, --hvargs and sets Hypervisor parameters accordingly. (BZ#50143838)
• previously, during a kickstart installation when multiple multipath LUNs were available, anaconda
would automatically choose the LUN with the lowest ID number for the root device. Users had no
ready way to customize this behavior. Now, anaconda supports a multipath kickstart command
with --name and --device options that allow users to specify a LUN for root. (BZ#50276839)
• anaconda can retrieve kickstart files from FTP servers. Previously, however, anaconda did not
support users specifying authentication credentials to access an FTP server. Therefore, if access
to the server were protected by a passphrase, anaconda could not retrieve the kickstart file.
Now, when specifying the location of a kickstart file with the ks= boot option, users can provide a
passphrase to allow anaconda to retrieve the kickstart files from a protected server. (BZ#50542440)
• previously, troubleshooting errors that occurred while running %pre and %post kickstart scriptlets
was very difficult because anaconda did not log the behavior of these scriptlets. Anaconda now
copies %pre and %post kickstart scriptlets to /tmp together with a log. These records make
troubleshooting kickstart installations easier. (BZ#51063641)
• Reipl is a kernel feature that instructs IBM System z systems where to boot next, as these systems
do not have a default boot location. Anaconda did not previously support Reipl, which meant
that during installation, users had to specify a boot location manually between different phases
of the installation. Anaconda now supports Reipl, so these reboots can happen automatically.
(BZ#51219542)
• NPort ID Virtualization (NPIV) presents one physical Fibre Channel adapter port to the SAN as
multiple WWNN/WWPN pairs. Anaconda now supports NPIV, which allows users on PowerPC
systems to install to a NPIV LUN. (BZ#51223743)
• the Python executables that make up anaconda now all explicitly use the system Python (#! /usr/bin/python instead of #! /usr/bin/env python). This ensures that anaconda functions
correctly when more than one Python stack is present on a system. (BZ#52133744)
• anaconda now supports the Emulex OneConnect iSCSI network interface card. (BZ#52944245)
• anaconda now supports PMC Sierra MaxRAID controller adapters. (BZ#53277746)
• although users have been able to specify package groups for installation in kickstart files, using the
@ prefix, it was not possible to exclude package groups from installation, only individual packages.
Anaconda now supports excluding package groups with the -@ prefix. (BZ#55851647)
• anaconda now loads the xorg-x11-qxl-drv and xorg-x11-ast-drv X11 video drivers as required.
xorg-x11-qxl-drv supports the qemu QXL video accelerator when installing Red Hat Enterprise
Linux 5 as a guest operating system. xorg-x11-ast-drv supports ASPEED Technologies video
hardware. (BZ#56766648)
1.5. apr-util
1.5.1. RHEA-2010:0310: enhancement update
Updated apr-util packages that add support for MySQL are now available.
apr-util is a utility library used with the Apache Portable Runtime (APR). It aims to provide a free library
of C data structures and routines. This library contains additional utility interfaces for APR; including
support for XML, LDAP, database interfaces, URI parsing, and more.
In previous releases, the APR utility library DBD (database abstraction) interface did not include
support for MySQL databases. This update adds the MySQL driver to the DBD interface.
(BZ#25207349, BZ#49134250)
All users requiring MySQL support should install these newly released packages, which add this
enhancement.
1.6. at
1.6.1. RHBA-2009:1654: bug fix and enhancement update
Note
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2009:1654
An updated "at" package that adds and documents a configuration enhancement and corrects the debuginfo build is now available.
"At" and "Batch" read commands from standard input or from a specified file. At allows you to specify
that a command will be run at a particular time. Batch will execute commands when the system load
levels drop to a particular level. Both commands use /bin/sh.
This update addresses the following issue:
* although "at" contains ELF objects, the at-debuginfo package was empty. With this update the debuginfo package contains valid debugging information as expected. (BZ#50054252)
This update also adds the following enhancements:
* previously, the atd daemon ran with hard-coded options and could only be configured at the
command-line. The atd daemon now reads a configuration file, /etc/sysconfig/atd, when it starts up,
enabling easier configuration, particularly for load options and multiprocessor systems. (BZ#23225953)
* The DESCRIPTION section of the "at" man page has been updated to note the existence, location
and purpose of the /etc/sysconfig/atd configuration file. Note: as the man page suggests, the sample
configuration file included with this update is the primary source of information about atd configuration
options. (BZ#53779254)
Users are advised to upgrade to this updated package, which fixes this bug and adds these
enhancements.
1.7. audit
1.7.1. RHBA-2010:0228: bug fix update
An updated audit package that fixes various bugs and provides an enhancement is now available.
The audit package contains the user space utilities for storing and searching the audit records
generated by the audit subsystem in the Linux 2.6 kernel.
This update includes the following fixes:
* The man page was ambiguous in explaining the structure of dates and the supplied examples
often did not work because of different date formats in various locales. This caused some confusion
amongst users. The page has been rewritten to clarify that the date format accepted by aureport and
ausearch is influenced by the LC_TIME environmental variable, eliminating the confusion about this
issue. (BZ#51397455)
* The audit package's libauparse function had a bug that meant it could not interpret IPC (inter-process
communication) mode fields. When it attempted to do so, a segmentation fault would occur. The
audit package has now been patched so that IPC mode fields are interpreted by the software without
crashes resulting. (BZ#51979056)
This update also includes the following enhancement:
* The audit package has been rebased and, as a result, a number of new features have been added.
These include:
1. Allowing ausearch/report to specify multiple node names (which are needed for remote logging).
2. auparse can now handle empty AUSOURCE_FILE_ARRAYs.
3. auditctl rules now allow a0-a3 to be negative numbers.
4. An audit.rules man page has been added.
5. auditd resets syslog warnings if disk space becomes available.
6. The != operator in audit_rule_fieldpair_data is now checked.
7. A tcp_max_per_addr option has been added to auditd.conf in order to limit concurrent connections.
8. Many improvements to remote logging code.
As a result, these enhancements are now available for system administrators, making auditing options
much more flexible. (BZ#52985157)
1.8. autofs
1.8.1. RHBA-2009:1468: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata
RHBA-2009:1468
An updated autofs package that fixes two bugs is now available.
The autofs utility controls the operation of the automount daemon. The automount daemon
automatically mounts file systems when you use them, and unmounts them when they are not busy.
This updated package fixes the following two autofs bugs:
* autofs was incorrectly using a non-thread-safe libxml2 function as though it was thread-safe.
This sometimes resulted in autofs crashing. With this update the calls to xmlCleanupParser() and
xmlInitParser() have been moved: these functions are now only called as autofs starts and exits,
ensuring these libxml2 functions are not called more than once while autofs is running. (BZ#52318859)
* a recent correction related to autofs master map entry updating introduced a regression whereby
it was possible to deadlock when requesting a map re-load when an entry in a direct map had been
removed. This update adds a check that ensures such map re-load requests do not cause a deadlock.
(BZ#52543160)
All autofs users should install this updated package which addresses these issues.
1.8.2. RHBA-2010:0265: bug fix update
The autofs utility controls the operation of the automount daemon. The automount daemon
automatically mounts file systems when you use them, and unmounts them when they are not busy.
• If an included map read failed, autofs returned an error and subsequent master map entries were
not read. This update reports the failure in the log but master map reading no longer ceases.
(BZ#506034)
• autofs could segfault if it called xmlCleanupParser concurrently from multiple threads, as this
function is not re-entrant. autofs has been changed to call this function only once from its main
thread, when the application exits. (BZ#513289)
• autofs could segfault at startup when using LDAP under certain circumstances. autofs would fail to
retrieve a query DN if:
• LDAP is being used to store autofs maps and...
• The LDAP schema to be used for the maps is explicitly defined in the autofs configuration and...
• No master map entries exist in LDAP.
Under this set of conditions the lookup returned success instead of failure. This update fixes the
handling of the query DN lookup failure. (BZ#572603)
• If a master map entry was changed in any way other than the map name (for example, map-wide
options), the system encountered two application data structures for the "same" map during a map
re-read. If the contents of that map had also changed, a deadlock could occur.
Having the duplicate data structure also caused entries in the problem map to be unmounted. Since
direct mount maps have a distinct autofs mount for each entry, these direct mounts appeared to stop
working. This update corrects this behaviour. (BZ#514412)
• autofs would block for several minutes when attempting to mount from a server that was not
available. A new mount_wait parameter has been added to prevent this block. This update requires
SELinux policy 255 or later. (BZ#517349)
• The autofs parser objected to locations containing the characters '@' and '#' (Lustre and sshfs
mounts) causing the mount request to fail. This update allows autofs to parse these characters and
mount successfully. (BZ#520745)
• Due to an incorrect system call an error message stating "Operation not permitted" would be
returned when attempting to mount an unknown hostname. This call has been corrected and autofs
now returns "hostname lookup failed" as would be expected. (BZ#533323)
• A typing error in the usage text of the autofs service script has been corrected. (BZ#534012)
• When changing the timed wait from using select(2) to poll(2) in the non-blocking TCP connection
function, to overcome the 1024 file handle limit of select(2), the wait timeout was not correctly
converted from seconds to milliseconds. This update corrects the problem. (BZ#539747)
• autofs failed to mount locations whose path depended on another local auto-mounted mount.
Dependent mounts are triggered by calling access(2) on the mount location path prior to mounting
the location. The check for whether a location was a local path was too restrictive and did not cover all
cases. This has now been fixed. (BZ#537403)
• Interoperability between autofs and some non-open-source LDAP servers was impaired when a
SASL-authenticated connection was used over multiple bind and unbind operations. autofs has been
updated to use a distinct authentication connection for each server it binds to. (BZ#537793)
Chapter 1. Package Updates
• autofs failed to load its maps if all LDAP servers were down, or unreachable, when the daemon
started. The dependency on an LDAP server being available at startup has been removed. This
change resolved the issue of the map server being unreachable for some common usage cases.
(BZ#543554)
• The random selection option used with mount locations that have multiple servers was not being
set correctly during the parsing of master map entries. If specified as a mount option in master map
entries, the option is now used as requested. (BZ#548476)
• Setting the expire timeout to 0 caused autofs to constantly schedule expire runs, leading to
excessive resource usage and premature unmounting of mounts. Setting the timeout to 0 should in fact
disable expiry of mounts, and this update fixes this incorrect behavior. (BZ#548277)
• autofs would abort when using DIGEST-MD5 authentication under heavy concurrent access.
This was caused by autofs not providing the locking functions required by the cyrus-sasl library.
In addition, the cyrus-sasl library locking functions contained a race which sometimes led to a
deadlock. This update adds the needed locking functions to autofs and passes them to cyrus-sasl at
initialization. The bug in the cyrus-sasl library is fixed in cyrus-sasl-lib 2.1.22-5.el5.el5_4.3 and later,
which is required for the update to install if cyrus-sasl is also installed. (BZ#559430)
All autofs users should upgrade to this updated package, which resolves these issues.
1.9. automake
1.9.1. RHSA-2010:0321: Low security update
Updated automake, automake14, automake15, automake16, and automake17 packages that fix one
security issue are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available from the CVE link in the References section.
Automake is a tool for automatically generating Makefile.in files compliant with the GNU Coding
Standards.
Automake-generated Makefiles made certain directories world-writable when preparing source
archives, as was recommended by the GNU Coding Standards. If a malicious, local user could access
the directory where a victim was creating distribution archives, they could use this flaw to modify the
files being added to those archives. Makefiles generated by these updated automake packages no
longer make distribution directories world-writable, as recommended by the updated GNU Coding
Standards. (CVE-2009-4029)
Note: This issue affected Makefile targets used by developers to prepare distribution source archives.
Those targets are not used when compiling programs from the source code.
All users of automake, automake14, automake15, automake16, and automake17 should upgrade to
these updated packages, which resolve this issue.
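The world-writable staging directory described above is straightforward to audit for on an existing tree, which is useful when an older automake has already generated the Makefiles in use. The following is an added example for illustration, not automake's or Red Hat's code: it lists the world-writable directories under a distribution staging directory, strips the group and other write bits (the equivalent of chmod -R go-w, which removes the condition the advisory describes), and constructs a small sample tree to run against. The sample layout and the function names are assumptions made for this example.

```python
"""Audit a distribution staging tree for world-writable directories and
remove the write bits, the condition behind CVE-2009-4029.  Added example
for illustration: not automake's or Red Hat's code; the sample tree layout
and the function names are assumptions."""
import os
import stat
import tempfile


def world_writable_dirs(root):
    """Return every directory at or below root whose mode grants write
    access to 'other'.  Symbolic links are not followed (os.walk default),
    so a planted link cannot steer the scan elsewhere."""
    found = []
    for dirpath, _, _ in os.walk(root):
        mode = os.lstat(dirpath).st_mode
        if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
            found.append(dirpath)
    return sorted(found)


def remove_group_other_write(root):
    """chmod -R go-w equivalent.  Returns the number of entries changed."""
    changed = 0
    for dirpath, _, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            if os.path.islink(path):
                continue  # never chmod through a link
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            wanted = mode & ~(stat.S_IWGRP | stat.S_IWOTH)
            if wanted != mode:
                os.chmod(path, wanted)
                changed += 1
    return changed


def make_sample_distdir(base):
    """Constructed sample: a staging tree whose directories were all left
    world-writable, as the old 'distdir' target did."""
    top = os.path.join(base, "pkg-1.0")
    for sub in ("", "src", "doc"):
        d = os.path.join(top, sub)
        os.makedirs(d, exist_ok=True)
        os.chmod(d, 0o777)
    with open(os.path.join(top, "src", "main.c"), "w") as fh:
        fh.write("int main(void) { return 0; }\n")
    return top


def demo():
    """Build the sample tree, audit it, harden it, audit again.
    Returns (offending dirs before, entries changed, offending dirs after)."""
    base = tempfile.mkdtemp(prefix="distdir-audit-")
    top = make_sample_distdir(base)
    before = world_writable_dirs(top)
    changed = remove_group_other_write(top)
    after = world_writable_dirs(top)
    return before, changed, after


if __name__ == "__main__":
    before, changed, after = demo()
    print("world-writable before:", before)
    print("entries changed:", changed, "remaining:", after)
```

Run world_writable_dirs against the directory a dist target leaves behind (on a shared build host in particular); a non-empty result means another local user could have altered the files before they were archived, so the staging tree should be recreated rather than trusted.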
1.10. avahi
1.10.1. RHBA-2010:0034: bug fix update
Note
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2010:0034
Updated avahi packages that address two bugs are now available.
Avahi is an implementation of the DNS Service Discovery and Multicast DNS specifications for
Zeroconf Networking. It facilitates service discovery on a local network. Avahi and Avahi-aware
applications allow you to plug your computer into a network and, with no configuration, view other
people to chat with, see printers to print to, and find shared files on other computers.
This update fixes the following two bugs:
* previously, avahi published a static SSH-SFTP service by default, regardless of the machine and
regardless of whether an ssh server was running or not. As a result, all Red Hat Enterprise Linux
instances also running Avahi appeared in the LAN listings of file browsers and file managers (e.g.
"Places > Network" in Nautilus or "Go > Network Folders" in Konqueror) even if they were not acting
as file servers. This update still includes a static SSH-SFTP service but it now ships as a deactivated
example service (i.e. it is not published by default). The static SSH-SFTP service can be activated
manually, but systems running Avahi no longer appear in file manager LAN listings by default.
(BZ#219143)
* previously, running the Avahi init scripts with a "status" argument resulted in a return code of 0,
regardless of whether the daemons were running or not. This update corrects that: a missing avahi
daemon now results in a failure return code (1) as expected. (BZ#232161)
All avahi users should install these updated packages, which address these issues.
1.11. bind
1.11.1. RHSA-2010:0062: Moderate security update
Important
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2010:0062
Updated bind packages that fix two security issues are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response
Team.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS)
protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use
when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
A flaw was found in the BIND DNSSEC NSEC/NSEC3 validation code. If BIND was running as a
DNSSEC-validating resolver, it could incorrectly cache NXDOMAIN responses, as if they were valid,
for records proven by NSEC or NSEC3 to exist. A remote attacker could use this flaw to cause a BIND
server to return the bogus, cached NXDOMAIN responses for valid records and prevent users from
retrieving those records (denial of service). (CVE-2010-0097)
The original fix for CVE-2009-4022 was found to be incomplete. BIND was incorrectly caching certain
responses without performing proper DNSSEC validation. CNAME and DNAME records could be
cached, without proper DNSSEC validation, when received from processing recursive client queries
that requested DNSSEC records but indicated that checking should be disabled. A remote attacker
could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if
the target BIND server was receiving such client queries. (CVE-2010-0290)
All BIND users are advised to upgrade to these updated packages, which contain a backported
patch to resolve these issues. After installing the update, the BIND daemon (named) will be restarted
automatically.
1.11.2. RHSA-2009:1620: Moderate security update
Important
This update has already been released (prior to the GA of this release) as the security
errata RHSA-2009:1620
Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response
Team.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS)
protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use
when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
Michael Sinatra discovered that BIND was incorrectly caching responses without performing proper
DNSSEC validation, when those responses were received during the resolution of a recursive client
query that requested DNSSEC records but indicated that checking should be disabled. A remote
attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning
attack if the target BIND server was receiving such client queries. (CVE-2009-4022)
All BIND users are advised to upgrade to these updated packages, which contain a backported
patch to resolve this issue. After installing the update, the BIND daemon (named) will be restarted
automatically.
1.12. binutils
Updated binutils packages that fix various bugs are now available.
Binutils is a collection of binary utilities, including ar (for creating, modifying and extracting from
archives), as (a family of GNU assemblers), gprof (for displaying call graph profile data), ld (the GNU
linker), nm (for listing symbols from object files), objcopy (for copying and translating object files),
objdump (for displaying information from object files), ranlib (for generating an index for the contents of
an archive), readelf (for displaying detailed information about binary files), size (for listing the section
sizes of an object or archive file), strings (for listing printable strings from files), strip (for discarding
symbols), and addr2line (for converting addresses to file and line).
These updated binutils packages provide fixes for the following bugs:
* The readelf debugging utility was placing error messages in the middle of the .debug_str output on
stderr. This meant that location lists in the .debug_info section that were not in ascending
order could not be handled correctly and the debugger could pick the wrong function, leading to
dropped debug information. A patch has now been added and, as a result, the location lists can now
be handled correctly, irrespective of order. The debugger now picks the right function when
looking up symbols and debug information is no longer dropped. (BZ#499164, BZ#509124)
* The strings command was not parsing files correctly. When used with a multi-digit <NUM>
argument (such as strings -10 filename.txt) an "invalid integer argument" error would occur because it
regarded each numeral as a separate argument. The parsing has now been corrected via a patch to
strings.c.multidigit_input so that multi-digit numerals are regarded as parts of a single argument. As a
result, files are now parsed correctly. (BZ#508765)
* There was a regression in binutils-devel that caused it to build "oprofile" files incorrectly. As a
result, bfd_get_section_by_name() returned incorrect information about the debuginfo section and an
"opreport" error would occur. The bfd.h header's API has now been fixed to match the BFD library's
ABI. As a result, the per-symbol profile is now generated correctly and the opreport runs without error.
(BZ#529028)
* There was a link failure whereby, when a symbol in a comdat/linkonce section had a different level
of visibility in different files, the linker could not merge the visibility. As a consequence, after the
ld command was run, a "final link failed: Bad value" error would occur. A patch has been added
to elflink.c.sym_visibility to make sure that the visibility is kept. As a result, ld can now merge
different levels of visibility without error. (BZ#531269)
Users are advised to upgrade to these updated binutils packages, which resolve these issues.
1.13. bogl
1.13.1. RHBA-2009:1593: bug fix update
Note
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2009:1593
Updated bogl packages that fix a bug are now available.
Ben's Own Graphics Library (BOGL) is a small graphics library for Linux kernel frame buffers. It
supports only very simple graphics. The bogl packages also include bterm, a Unicode-capable
terminal program for the Linux frame buffer.
These updated packages provide a fix for the following bug:
* when editing a file with vi from within the bterm console, a SIGSEGV error could occur, causing both
vi and bterm to crash. This update adds a check that keeps "yorig" from equaling -1, which prevents
the underlying memory reference error occurring. (BZ#517957)
All bogl users are advised to upgrade to these updated packages, which resolve this issue.
1.14. bootparamd
1.14.1. RHBA-2010:0057: bug fix update
Note
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2010:0057
An updated bootparamd package that fixes a bug is now available.
Bootparamd is a server process that provides diskless clients with the information they need to boot,
consulting the /etc/bootparams file for the required information.
When bootparamd was used in a multihomed environment, it previously evaluated the route to return
for the first requesting client and re-evaluated the route to return for each client thereafter. Even
though it re-evaluated which router IP to return for each subsequent client, it always sent back the
first route, because that was the one that had been cached. This updated package ensures that no
re-evaluation of the router IP to return occurs for each client. (BZ#446108)
All users of bootparamd are advised to upgrade to this updated package, which resolves this issue.
1.15. booty
1.15.1. RHBA-2010:0185: bug fix and enhancement update
An updated booty package that fixes a bug and adds an enhancement is now available.
The booty package contains a python library which provides an interface for the creation of boot
loader configuration files and the addition of stanzas to said configuration files. These boot loader
configuration files are used by the anaconda installer.
This updated booty package fixes the following bug:
* early in the installation process, anaconda creates a ramdisk to hold files that it will need to complete
the installation. Previously, when installing the debug kernel for Red Hat Enterprise Linux on IBM
System z, the ramdisk was larger than the default memory address that ZIPL allocated to hold the
ramdisk. Installation would therefore fail. The /etc/zipl.conf file that booty creates for anaconda now
explicitly specifies a suitable address for the ramdisk so that ZIPL does not rely on the insufficient
default address. With enough space to create the ramdisk, installation succeeds. (BZ#429906)
In addition, this updated package provides the following enhancement:
* previously, there was no way to configure hypervisor parameters during a kickstart installation.
Therefore, these parameters would have to be configured manually after installation. Red Hat
Enterprise Linux now includes a new option for the "bootloader" command in kickstart, "--hvargs",
which sets hypervisor parameters in grub.conf during installation. It is now possible to automate
this part of the installation process. Refer to the Red Hat Enterprise Linux 5 Installation Guide for a
description of the "--hvargs" option. (BZ#552957)
Users of booty are advised to upgrade to this updated booty package, which resolves this issue and
adds this enhancement.
1.16. brltty
1.16.1. RHSA-2010:0181: Low security and bug fix update
Updated brltty packages that fix one security issue and several bugs are now available for Red Hat
Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available from the CVE link in the References section.
brltty (Braille TTY) is a background process (daemon) which provides access to the Linux console
(when in text mode) for a blind person using a refreshable braille display. It drives the braille display,
and provides complete screen review functionality.
It was discovered that a brltty library had an insecure relative RPATH (runtime library search path)
set in the ELF (Executable and Linking Format) header. A local user able to convince another user
to run an application using brltty in an attacker-controlled directory, could run arbitrary code with the
privileges of the victim. (CVE-2008-3279)
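An insecure RPATH of the kind described here is visible in the ELF dynamic section and can be detected without ever loading the library. The following is an added example, not brltty's or Red Hat's code: it reads the program headers of a 64-bit little-endian ELF file, extracts DT_RPATH and DT_RUNPATH from the dynamic section, and flags every search-path component that is empty or relative, since the dynamic loader resolves those against the current working directory, which is what lets an attacker-controlled directory supply the library. So that it runs offline, it also constructs a minimal synthetic ELF image carrying a DT_RPATH entry as sample input. The function names, the ELF64-only scope and the decision to treat $ORIGIN-relative entries as acceptable are assumptions made for this example.

```python
"""Audit DT_RPATH / DT_RUNPATH entries of a 64-bit little-endian ELF file for
relative search-path components.  Added illustration only: this is not brltty
code, and the function names below are assumptions made for the example."""
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_STRTAB, DT_RPATH, DT_RUNPATH = 0, 5, 15, 29
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr
DYN = struct.Struct("<qQ")                 # Elf64_Dyn (d_tag, d_un)
TAG_NAMES = {DT_RPATH: "RPATH", DT_RUNPATH: "RUNPATH"}


def program_headers(data):
    """Parse the ELF header and return the list of program header tuples."""
    e = EHDR.unpack_from(data, 0)
    ident, phoff, phentsize, phnum = e[0], e[5], e[9], e[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    return [PHDR.unpack_from(data, phoff + i * phentsize) for i in range(phnum)]


def vaddr_to_offset(phdrs, vaddr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for p in phdrs:  # p = (type, flags, offset, vaddr, paddr, filesz, memsz, align)
        if p[0] == PT_LOAD and p[3] <= vaddr < p[3] + p[5]:
            return vaddr - p[3] + p[2]
    raise ValueError("0x%x is not backed by any PT_LOAD segment" % vaddr)


def elf_runpaths(data):
    """Return (tag name, path string) pairs found in the dynamic section."""
    phdrs = program_headers(data)
    dyn = next((p for p in phdrs if p[0] == PT_DYNAMIC), None)
    if dyn is None:
        return []  # no dynamic section (static binary): nothing to audit
    entries, off = [], dyn[2]
    while True:
        tag, val = DYN.unpack_from(data, off)
        off += DYN.size
        if tag == DT_NULL:
            break
        entries.append((tag, val))
    strtab = next((v for t, v in entries if t == DT_STRTAB), None)
    if strtab is None:
        return []
    base = vaddr_to_offset(phdrs, strtab)
    out = []
    for tag, val in entries:
        if tag in TAG_NAMES:
            end = data.index(b"\x00", base + val)
            out.append((TAG_NAMES[tag], data[base + val:end].decode("ascii", "replace")))
    return out


def insecure_components(path_value):
    """Components the loader resolves against the current working directory:
    empty entries and relative ones.  $ORIGIN-relative entries resolve against
    the object's own location and are not reported (assumption for this example)."""
    bad = []
    for comp in path_value.split(":"):
        if comp.startswith(("/", "$ORIGIN", "${ORIGIN}")):
            continue
        bad.append(comp)
    return bad


def audit_elf(data):
    """Return (tag name, offending component) pairs for one ELF image."""
    return [(tag, comp) for tag, value in elf_runpaths(data)
            for comp in insecure_components(value)]


def audit_file(path):
    with open(path, "rb") as fh:
        return audit_elf(fh.read())


def build_sample_elf(rpath):
    """Construct a minimal ELF64 image that carries only a DT_RPATH entry.
    This is constructed sample input for the audit, not a loadable program."""
    dynstr = b"\x00" + rpath.encode("ascii") + b"\x00"
    dynstr_off = EHDR.size + 2 * PHDR.size              # straight after the headers
    dyn_off = (dynstr_off + len(dynstr) + 15) & ~15      # 16-byte aligned
    dynamic = (DYN.pack(DT_STRTAB, dynstr_off) + DYN.pack(DT_RPATH, 1)
               + DYN.pack(DT_NULL, 0))
    total = dyn_off + len(dynamic)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LSB, version 1
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, 2, 0, 0, 0)          # ET_DYN, x86-64
    load = PHDR.pack(PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)  # identity-mapped file
    dynph = PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                      len(dynamic), len(dynamic), 8)
    img = bytearray(ehdr + load + dynph) + dynstr
    img += b"\x00" * (dyn_off - len(img)) + dynamic
    return bytes(img)


if __name__ == "__main__":
    print(audit_elf(build_sample_elf("lib:/usr/lib")))  # [('RPATH', 'lib')]
```

Pointing audit_file at the shared objects of an installed package gives the same check that a packager would otherwise do by reading the RPATH line of readelf -d output; any reported component means the library's search path can be satisfied from whatever directory the victim happens to run the program in.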
These updated packages also provide fixes for the following bugs:
* the brltty configuration file is documented in the brltty manual page, but there is no separate manual
page for the /etc/brltty.conf configuration file: running "man brltty.conf" returned "No manual entry for
brltty.conf" rather than opening the brltty manual entry. This update adds brltty.conf.5 as an alias to the
brltty manual page. Consequently, running "man brltty.conf" now opens the manual entry documenting
the brltty.conf specification. (BZ#530554)
* previously, the brltty-pm.conf configuration file was installed in the /etc/brltty/ directory. This file,
which configures Papenmeier Braille Terminals for use with Red Hat Enterprise Linux, is optional. As
well, it did not come with a corresponding manual page. With this update, the file has been moved
to /usr/share/doc/brltty-3.7.2/BrailleDrivers/Papenmeier/. This directory also includes a README
document that explains the file's purpose and format. (BZ#530554)
* during the brltty packages installation, the message
was presented at the console. This was inadequate, especially during the initial install of the system.
These updated packages do not send any message to the console during installation. (BZ#529163)
* although brltty contains ELF objects, the brltty-debuginfo package was empty. With this update, the
debuginfo package contains valid debugging information as expected. (BZ#500545)
* the MAX_NR_CONSOLES definition was acquired by brltty by #including linux/tty.h in Programs/
api_client.c. MAX_NR_CONSOLES has since moved to linux/vt.h but the #include in api_client.c
was not updated. Consequently, brltty could not be built from the source RPM against the Red Hat
Enterprise Linux 5 kernel. This update corrects the #include in api_client.c to linux/vt.h and brltty now
builds from source as expected. (BZ#456247)
All brltty users are advised to upgrade to these updated packages, which resolve these issues.
1.17. checkpolicy
1.17.1. RHBA-2010:0184: bug fix update
An updated checkpolicy package that makes a man page correction, fixes help message and man
page omissions and allows the unknown access flag to be specified is now available.
checkpolicy is the policy compiler for Security-Enhanced Linux (SELinux). The checkpolicy utility is
required for building SELinux policies.
This updated checkpolicy package addresses the following issues:
* newer SELinux kernels have access checks that the shipping SELinux policy package does not
understand. The kernel currently denies these access checks by default. This updated checkpolicy
package can build an selinux-policy package that tells the kernel to "Allow" unknown access.
(BZ#531229)
* the checkpolicy man page listed (but did not otherwise document) a "-m" switch. checkpolicy
supports a "-M" switch but not a "-m" switch. This update removes the "-m" option from the checkpolicy
SYNOPSIS. Note: the "-M" switch was and is documented in the OPTIONS section of the checkpolicy
man page. (BZ#533790)
* checkmodule's "-d" switch (which switches the tool to debug mode) was documented in the
checkmodule man page but not in the output of checkmodule's help message (i.e. the output of
"checkmodule --help" or "checkmodule -h"). Also, the "-h" switch was not documented at all. With this
update, the "-d" switch is now included in help message output and the "-h" switch is documented in
both the checkmodule man page and the checkmodule help message. (BZ#533796)
All SELinux users should install this updated package which resolves these issues.
1.18. chkconfig
1.18.1. RHBA-2009:1628: bug fix update
Note
This update has already been released (prior to the GA of this release) as FASTRACK
errata RHBA-2009:1628
Updated chkconfig packages that resolve several issues with the alternatives utility and provide
various man page corrections are now available.
The basic system utility chkconfig updates and queries runlevel information for system services.
These updated chkconfig packages provide fixes for the following bugs:
* when the "alternatives" utility was run and an error occurred, no contextual information such as the
line number of the error was provided. With this update, upon an error, "alternatives" now provides
the line number where the error occurred in the relevant file in the /var/lib/alternatives directory, which
helps to diagnose alternatives-related errors. (BZ#441443)
* using the "alternatives" utility and selecting the last available option and then uninstalling the
program which provided that alternative did not result in the removal of the symbolic links for that
option. Because the previously-set alternative was no longer available and the symbolic link remained,
the program was then rendered unusable. With this update, when the aforementioned condition is met,
the "alternatives" program now recognizes that the program is no longer available and removes the
extraneous symbolic link, with the result that the next-best alternative is properly selected, and running
the program works as expected. (BZ#525051)
* the chkconfig(8) man page contained a description of the syntax for running chkconfig that differed
from the correct description presented when running "chkconfig --help". The man page has been
corrected to correspond with the program's help information. (BZ#501225)
* the chkconfig(8) man page contained an incorrect reference to runlevel 7, which does not exist
(runlevels extend from 0 to 6, inclusive). This update corrects the man page by removing all
references to "runlevel 7". (BZ#466740)
* the ntsysv(8) man page referenced a non-existent man page, servicesconf. This reference has been
removed. (BZ#516599)
All users of chkconfig are advised to upgrade to these updated packages, which resolve these issues.
1.19. cman
1.19.1. RHBA-2009:1435: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata
RHBA-2009:1435
Updated cman packages that fix a bug and add an enhancement are now available.
The Cluster Manager (cman) utility provides user-level services for managing a Linux cluster.
This update applies the following bug fix:
* in several places internally, cman assumed a transition message meant the node in question (or
the sending node) was joining the cluster rather than just sending its current post-transition state. In
some circumstances, this could lead to cman killing the wrong nodes. With this update, cman now
checks the first_trans flag, which is set when a node first encounters another node in the cluster. Only
if first_trans is set does cman now consider the node as joining the cluster. (BZ#518061)
Also, this update includes the following enhancement:
First, if a node was asked to remove a key (fence) for a device that it was not registered with, the node
attempted to register with that device on-the-fly. With this update, when nodes are asked to remove a
key from devices with which they are not registered, the fencing fails.
Second, for the common case of SAN environments with multiple Logical Unit Numbers (LUNs),
the devices (LUNs) that can be unregistered must be ordered consistently on all nodes so that fence
operations are not interleaved among devices. The Logical Volume Manager (LVM) does not guarantee
consistent ordering, however, because device names can vary from node to node. With this update, the
fence_scsi agent extracts the device name (pv_name) and Universally Unique Identifier (pv_uuid) and
builds a hash keyed on the UUID (which is consistent on all nodes). This ensures devices are ordered
consistently on each node.