Redhat ENTERPRISE LINUX User Manual

Download

Red Hat Enterprise

Linux 5.5

Technical Notes

Detailed notes on the changes implemented

in Red Hat Enterprise Linux 5.5

Technical Notes

Red Hat Enterprise Linux 5.5 Technical Notes Detailed notes on the changes implemented in Red Hat Enterprise Linux 5.5 Edition 0

Author rhelv5-list@redhat.com

The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

Linux® is the registered trademark of Linus Torvalds in the United States and other countries.

Java® is a registered trademark of Oracle and/or its affiliates.

XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.

All other trademarks are the property of their respective owners.

1801 Varsity Drive Raleigh, NC 27606-2072 USA Phone: +1 919 754 3700 Phone: 888 733 4281 Fax: +1 919 754 3701

The Red Hat Enterprise Linux 5.5 Technical Notes list and document the changes made to the Red Hat Enterprise Linux 5 operating system and its accompanying applications between minor release Red Hat Enterprise Linux 5.4 and minor release Red Hat Enterprise Linux 5.5.

Preface ix

1. Package Updates 1

1.1. acl ............................................................................................................................... 1

1.2. acpid ........................................................................................................................... 2

1.3. aide ............................................................................................................................. 3

1.4. anaconda ..................................................................................................................... 3

1.5. apr-util ......................................................................................................................... 8

1.6. at ................................................................................................................................ 8

1.7. audit ............................................................................................................................ 9

1.8. autofs ........................................................................................................................ 10

1.9. automake ................................................................................................................... 12

1.10. avahi ........................................................................................................................ 13

1.11. bind ......................................................................................................................... 13

1.12. binutils ..................................................................................................................... 15

1.13. bogl ......................................................................................................................... 16

1.14. bootparamd .............................................................................................................. 16

1.15. booty ....................................................................................................................... 17

1.16. brltty ........................................................................................................................ 17

1.17. checkpolicy .............................................................................................................. 18

1.18. chkconfig .................................................................................................................. 19

1.19. cman ....................................................................................................................... 20

1.20. cmirror ..................................................................................................................... 25

1.21. cmirror-kmod ............................................................................................................ 26

1.22. conga ....................................................................................................................... 26

1.23. coolkey .................................................................................................................... 28

1.24. coreutils ................................................................................................................... 29

1.25. cpio ......................................................................................................................... 30

1.26. cpuspeed ................................................................................................................. 30

1.27. crash ....................................................................................................................... 31

1.28. ctdb ......................................................................................................................... 32

1.29. cups ......................................................................................................................... 33

1.30. curl .......................................................................................................................... 36

1.31. cyrus-imapd .............................................................................................................. 37

1.32. cyrus-sasl ................................................................................................................. 37

1.33. dbus ........................................................................................................................ 38

1.34. dbus-python ............................................................................................................. 39

1.35. device-mapper .......................................................................................................... 39

1.36. device-mapper-multipath ........................................................................................... 40

1.37. dhcp ........................................................................................................................ 42

1.38. dhcpv6 ..................................................................................................................... 44

1.39. dmidecode ............................................................................................................... 45

1.40. dmraid ..................................................................................................................... 46

1.41. dogtail ...................................................................................................................... 47

1.42. dosfstools ................................................................................................................. 48

1.43. dstat ........................................................................................................................ 48

1.44. e4fsprogs ................................................................................................................. 49

1.45. elilo .......................................................................................................................... 49

1.46. elinks ....................................................................................................................... 50

1.47. esc .......................................................................................................................... 51

1.48. etherboot .................................................................................................................. 52

1.49. ethtool ...................................................................................................................... 52

iii

Technical Notes

1.50. evince ...................................................................................................................... 53

1.51. exim ......................................................................................................................... 54

1.52. fetchmail .................................................................................................................. 55

1.53. filesystem ................................................................................................................. 56

1.54. firefox ....................................................................................................................... 56

1.55. firstboot .................................................................................................................... 60

1.56. freeradius ................................................................................................................. 61

1.57. gail .......................................................................................................................... 62

1.58. gcc .......................................................................................................................... 62

1.59. gd ............................................................................................................................ 64

1.60. gdb .......................................................................................................................... 65

1.61. gfs-kmod .................................................................................................................. 66

1.62. gfs-utils .................................................................................................................... 67

1.63. gfs2-utils .................................................................................................................. 68

1.64. glibc ......................................................................................................................... 69

1.65. gnome-vfs2 .............................................................................................................. 70

1.66. gpart ........................................................................................................................ 72

1.67. gzip ......................................................................................................................... 73

1.68. hal ........................................................................................................................... 73

1.69. hmaccalc .................................................................................................................. 74

1.70. httpd ........................................................................................................................ 75

1.71. hwdata ..................................................................................................................... 77

1.72. ia32el ....................................................................................................................... 78

1.73. iasl ........................................................................................................................... 79

1.74. inn ........................................................................................................................... 80

1.75. iproute ..................................................................................................................... 80

1.76. iprutils ...................................................................................................................... 81

1.77. iptables .................................................................................................................... 81

1.78. iptstate ..................................................................................................................... 82

1.79. ipw2200-firmware ..................................................................................................... 82

1.80. iscsi-initiator-utils ...................................................................................................... 82

1.81. iwl3945-firmware ....................................................................................................... 84

1.82. iwl4965-firmware ....................................................................................................... 84

1.83. iwl5000-firmware ....................................................................................................... 85

1.84. java-1.6.0-ibm ........................................................................................................... 85

1.85. java-1.6.0-openjdk .................................................................................................... 86

1.86. java-1.6.0-sun ........................................................................................................... 87

1.87. kdelibs ..................................................................................................................... 88

1.88. kernel ....................................................................................................................... 89

1.89. kexec-tools ............................................................................................................. 128

1.90. krb5 ....................................................................................................................... 131

1.91. ksh ......................................................................................................................... 131

1.92. ktune ...................................................................................................................... 133

1.93. kudzu ..................................................................................................................... 135

1.94. kvm ........................................................................................................................ 135

1.95. less ........................................................................................................................ 143

1.96. libXi ....................................................................................................................... 144

1.97. libXrandr ................................................................................................................ 145

1.98. libXt ....................................................................................................................... 145

1.99. libaio ...................................................................................................................... 145

1.100. libcmpiutil ............................................................................................................. 146

1.101. libevent ................................................................................................................ 146

1.102. libgnomecups ....................................................................................................... 147

1.103. libgtop2 ................................................................................................................ 147

1.104. libhugetlbfs ........................................................................................................... 148

1.105. libsepol ................................................................................................................. 148

1.106. libuser .................................................................................................................. 149

1.107. libvirt .................................................................................................................... 149

1.108. libvirt-cim .............................................................................................................. 154

1.109. libvorbis ................................................................................................................ 156

1.110. linuxwacom ........................................................................................................... 156

1.111. lm_sensors ........................................................................................................... 156

1.112. log4cpp ................................................................................................................. 157

1.113. logwatch ............................................................................................................... 158

1.114. lvm2 ..................................................................................................................... 159

1.115. lvm2-cluster .......................................................................................................... 161

1.116. man-pages ............................................................................................................ 163

1.117. man-pages-ja ........................................................................................................ 164

1.118. mcelog ................................................................................................................. 166

1.119. mdadm ................................................................................................................. 166

1.120. mesa .................................................................................................................... 167

1.121. metacity ................................................................................................................ 167

1.122. microcode_ctl ....................................................................................................... 169

1.123. mkinitrd ................................................................................................................ 170

1.124. module-init-tools .................................................................................................... 172

1.125. mtx ....................................................................................................................... 172

1.126. mysql ................................................................................................................... 173

1.127. nautilus-open-terminal ........................................................................................... 175

1.128. neon .................................................................................................................... 175

1.129. net-snmp .............................................................................................................. 176

1.130. net-tools ............................................................................................................... 178

1.131. NetworkManager ................................................................................................... 179

1.132. newt ..................................................................................................................... 180

1.133. nfs-utils ................................................................................................................ 181

1.134. nspluginwrapper .................................................................................................... 182

1.135. nss_ldap ............................................................................................................... 182

1.136. numactl ................................................................................................................ 184

1.137. openCryptoki ........................................................................................................ 185

1.138. openais ................................................................................................................ 186

1.139. OpenIPMI ............................................................................................................. 188

1.140. openib .................................................................................................................. 189

1.141. openldap .............................................................................................................. 191

1.142. openmotif ............................................................................................................. 192

1.143. openoffice.org ....................................................................................................... 193

1.144. openssh ............................................................................................................... 195

1.145. openssl ................................................................................................................ 197

1.146. openswan ............................................................................................................. 198

1.147. oprofile ................................................................................................................. 200

1.148. pam ..................................................................................................................... 201

1.149. pam_krb5 ............................................................................................................. 201

1.150. paps ..................................................................................................................... 202

1.151. parted .................................................................................................................. 202

Technical Notes

1.152. pax ....................................................................................................................... 203

1.153. pciutils .................................................................................................................. 204

1.154. pcsc-lite ................................................................................................................ 204

1.155. perl-Sys-Virt .......................................................................................................... 205

1.156. perl-XML-SAX ....................................................................................................... 206

1.157. pexpect ................................................................................................................ 207

1.158. php ...................................................................................................................... 207

1.159. pidgin ................................................................................................................... 209

1.160. piranha ................................................................................................................. 210

1.161. pirut ..................................................................................................................... 211

1.162. policycoreutils ....................................................................................................... 211

1.163. poppler ................................................................................................................. 212

1.164. postgresql ............................................................................................................. 213

1.165. ppc64-utils ............................................................................................................ 214

1.166. procps .................................................................................................................. 215

1.167. pykickstart ............................................................................................................ 216

1.168. python-virtinst ....................................................................................................... 217

1.169. PyXML ................................................................................................................. 218

1.170. qspice .................................................................................................................. 219

1.171. readahead ............................................................................................................ 221

1.172. redhat-artwork ....................................................................................................... 222

1.173. redhat-release ....................................................................................................... 222

1.174. redhat-release-notes ............................................................................................. 222

1.175. rgmanager ............................................................................................................ 223

1.176. rhn-client-tools ...................................................................................................... 226

1.177. rhnlib .................................................................................................................... 227

1.178. rhnsd .................................................................................................................... 228

1.179. rhpxl ..................................................................................................................... 228

1.180. rsyslog ................................................................................................................. 229

1.181. ruby ..................................................................................................................... 230

1.182. samba .................................................................................................................. 230

1.183. samba3x .............................................................................................................. 233

1.184. sblim .................................................................................................................... 234

1.185. screen .................................................................................................................. 235

1.186. scsi-target-utils ...................................................................................................... 236

1.187. selinux-policy ........................................................................................................ 237

1.188. sendmail ............................................................................................................... 242

1.189. shadow-utils ......................................................................................................... 243

1.190. sosreport .............................................................................................................. 244

1.191. squid .................................................................................................................... 248

1.192. squirrelmail ........................................................................................................... 249

1.193. star ...................................................................................................................... 250

1.194. strace ................................................................................................................... 250

1.195. sudo ..................................................................................................................... 251

1.196. sysklogd ............................................................................................................... 253

1.197. system-config-cluster ............................................................................................. 254

1.198. system-config-lvm ................................................................................................. 255

1.199. system-config-securitylevel .................................................................................... 256

1.200. system-config-services .......................................................................................... 257

1.201. systemtap ............................................................................................................. 258

1.202. tar ........................................................................................................................ 261

1.203. taskjuggler ............................................................................................................ 263

1.204. tcpdump ............................................................................................................... 264

1.205. tcsh ...................................................................................................................... 264

1.206. tog-pegasus .......................................................................................................... 266

1.207. util-linux ................................................................................................................ 267

1.208. valgrind ................................................................................................................ 267

1.209. vconfig ................................................................................................................. 268

1.210. vino ...................................................................................................................... 268

1.211. virt-manager .......................................................................................................... 269

1.212. vixie-cron .............................................................................................................. 270

1.213. vsftpd ................................................................................................................... 271

1.214. wdaemon .............................................................................................................. 271

1.215. wget ..................................................................................................................... 271

1.216. wpa_supplicant ..................................................................................................... 272

1.217. xen ....................................................................................................................... 272

1.218. xerces-j2 .............................................................................................................. 277

1.219. xmlsec1 ................................................................................................................ 278

1.220. xorg-x11-drivers .................................................................................................... 278

1.221. xorg-x11-drv-ast .................................................................................................... 279

1.222. xorg-x11-drv-evdev ................................................................................................ 279

1.223. xorg-x11-drv-fbdev ................................................................................................ 279

1.224. xorg-x11-drv-i810 .................................................................................................. 280

1.225. xorg-x11-drv-mga .................................................................................................. 280

1.226. xorg-x11-drv-nv ..................................................................................................... 281

1.227. xorg-x11-drv-qxl .................................................................................................... 281

1.228. xorg-x11-drv-vesa ................................................................................................. 283

1.229. xorg-x11-server ..................................................................................................... 283

1.230. xorg-x11-xdm ........................................................................................................ 285

1.231. xterm .................................................................................................................... 285

1.232. yaboot .................................................................................................................. 286

1.233. yp-tools ................................................................................................................ 286

1.234. yum ...................................................................................................................... 287

1.235. yum-rhn-plugin ...................................................................................................... 288

2. New Packages 289

2.1. RHEA-2010:0305: freeradius2 .................................................................................. 289

2.2. RHEA-2010:0240: gpxe ........................................................................................... 289

2.3. RHEA-2010:0199: gsl .............................................................................................. 290

2.4. RHEA-2010:0217: iwl1000-firmware ......................................................................... 290

2.5. RHEA-2010:0220: iwl6000-firmware ......................................................................... 290

2.6. RHEA-2010:0276: postgresql84 ............................................................................... 290

2.7. RHEA-2010:0268: python-dmidecode ....................................................................... 291

2.8. RHEA-2010:0249: tunctl .......................................................................................... 292

2.9. RHEA-2010:0189: xz ............................................................................................... 292

3. Technology Previews 293

4. Capabilities and Limits 299

5. Known Issues 301

5.1. anaconda ................................................................................................................. 301

5.2. cmirror ..................................................................................................................... 304

5.3. compiz ..................................................................................................................... 304

vii

Technical Notes

5.4. ctdb ......................................................................................................................... 305

5.5. device-mapper-multipath ........................................................................................... 305

5.6. dmraid ..................................................................................................................... 306

5.7. dogtail ...................................................................................................................... 307

5.8. firstboot .................................................................................................................... 307

5.9. gfs2-utils .................................................................................................................. 308

5.10. gnome-volume-manager .......................................................................................... 308

5.11. initscripts ................................................................................................................ 309

5.12. iscsi-initiator-utils ..................................................................................................... 309

5.13. kernel-xen .............................................................................................................. 309

5.14. kernel ..................................................................................................................... 312

5.15. kexec-tools ............................................................................................................. 317

5.16. krb5 ....................................................................................................................... 318

5.17. kvm ........................................................................................................................ 318

5.18. less ........................................................................................................................ 322

5.19. libcmpiutil ............................................................................................................... 322

5.20. libvirt ...................................................................................................................... 322

5.21. lvm2 ....................................................................................................................... 322

5.22. mesa ...................................................................................................................... 323

5.23. mkinitrd .................................................................................................................. 323

5.24. openib .................................................................................................................... 323

5.25. openmpi ................................................................................................................. 324

5.26. qspice .................................................................................................................... 324

5.27. systemtap ............................................................................................................... 324

5.28. virtio-win ................................................................................................................. 325

5.29. xorg-x11-drv-i810 .................................................................................................... 325

5.30. xorg-x11-drv-nv ....................................................................................................... 326

5.31. xorg-x11-drv-vesa ................................................................................................... 326

5.32. yaboot .................................................................................................................... 327

5.33. xen ........................................................................................................................ 327

A. Package Manifest 329

A.1. Added Packages ..................................................................................................... 329

A.2. Dropped Packages .................................................................................................. 331

A.3. Updated Packages .................................................................................................. 331

B. Revision History 459

viii

Preface

For system administrators and others planning Red Hat Enterprise Linux 5.5 upgrades and deployments, the Technical Notes provide a single, organized record of the bugs fixed in, features added to, and Technology Previews included with this new release of Red Hat Enterprise Linux.

For auditors and compliance officers, the Red Hat Enterprise Linux 5.5 Technical Notes provide a single, organized source for change tracking and compliance testing.

For every user, the Red Hat Enterprise Linux 5.5 Technical Notes provide details of what has changed in this new release.

The Technical Notes also include, as an Appendix, the Red Hat Enterprise Linux Package Manifest: a listing of every changed package in this release.

Chapter 1.

Package Updates

1.1. acl

1.1.1. RHBA-2009:1652: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1652

Updated acl packages that fix a bug are now available.

Access Control Lists (ACLs) are used to define finer-grained discretionary access rights for files and directories. The acl packages contain the getfacl and setfacl utilities needed for manipulating access control lists.

This update fixes the following bug:

* the "setfacl" command, which sets the access control lists for files, always returned an exit status of 0, even when the command failed and printed out error messages. With this update, setfacl exits with the correct exit status upon failure. (BZ#3684512)

* running "setfacl -- --test" caused setfacl to segmentation fault. This has been fixed in this update. (BZ#4304583)

* running the "setfacl" command with the '-P' flag, which is the short form of the '--physical' option, which is supposed to cause "setfacl" to skip over any symbolic links it encounters, did not work as expected: symbolic links were still followed. This update fixes this so that the '-P' flag works as expected and symbolic links are silently skipped over. (BZ#4360704)

* the "setfacl" command failed to resolve relative symbolic links when it encountered them unless they were specified with a trailing forward-slash character (in the case of relative symbolic links to directories), or the script or shell prompt's working directory was the directory which contained the relative symbolic link(s). With this update, relative symbolic links are handled correctly by setfacl regardless of where they are encountered or what their target is. (BZ#5000955)

* the "getfacl" and "setfacl" commands did not properly handle non-ASCII characters with the result that calling either command on a system with the correct locale settings still produced incorrect output, such as octal character representations. With this update, getfacl and setfacl are now able to produce correct output when using non-ASCII character sets. (BZ#5077476)

All users of Access Control Lists should upgrade to these updated packages, which resolve this issue.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=368451

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=430458

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=436070

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=500095

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=507747

Chapter 1. Package Updates

1.2. acpid

1.2.1. RHBA-2010:0004: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata

RHBA-2010:0004

An updated acpid package that fixes a bug is now available.

acpid is a daemon that dispatches ACPI (Advanced Configuration and Power Interface) events to user-space programs.

This updated acpid package fixes the following bug:

* the acpid package that was included with the Red Hat Enterprise Linux 5.4 update contained a package update script that returned a non-zero exit code when the the /var/log/acpid log file did not exist. However, if the acpid daemon had never been started on the system, and therefore /var/log/ acpid did not exist, the faulty check caused the update process to fail, which could have resulted in two different acpid packages being installed on the same system and registered with the RPM database (rpmdb). This updated acpid package removes the spurious record from the rpmdb, thus resolving the problem. (BZ#5483748)

All users of acpid are advised to upgrade to this updated package, which resolves this issue.

1.2.2. RHSA-2009:1642: Important security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1642

An updated acpid package that fixes one security issue is now available for Red Hat Enterprise Linux

This update has been rated as having important security impact by the Red Hat Security Response Team.

acpid is a daemon that dispatches ACPI (Advanced Configuration and Power Interface) events to user-space programs.

It was discovered that acpid could create its log file ("/var/log/acpid") with random permissions on some systems. A local attacker could use this flaw to escalate their privileges if the log file was created as world-writable and with the setuid or setgid bit set. (CVE-2009-403310)

Please note that this flaw was due to a Red Hat-specific patch (acpid-1.0.4-fd.patch) included in the Red Hat Enterprise Linux 5 acpid package.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=548374

https://www.redhat.com/security/data/cve/CVE-2009-4033.html

aide

Users are advised to upgrade to this updated package, which contains a backported patch to correct this issue.

1.3. aide

1.3.1. RHBA-2010:0036: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0036

An updated aide package that allows proper operation with the recently updated version of libgcrypt and makes minor man page changes is now available.

Advanced Intrusion Detection Environment (AIDE) is a program that creates a database of files on a system, and then uses that database to ensure file integrity and detect system intrusions.

This updated aide package includes the following fixes:

* the current version of libcgrypt includes a version-checking initialization step that aide was not doing. Running "aide -i" logged the following message to /var/log/messages:

aide: Libgcrypt warning: missing initialization - please fix the application

With this update, aide now includes the version-checking step required by libgcrypt and the libgcrypt warning is, consequently, no longer written to /var/log/messages. Note: although based on a proposed upstream patch, this update leaves secure memory enabled, unlike the proposed upstream change. (BZ#53048512)

* the FILES section of the aide man page previously listed the locations for aide.conf, aide.db.gz and aide.db.new.gz with a pre-pended "%prefix" variable. The updated aide man page removes this variable, listing the file locations as complete but plain paths (eg "/etc/aide.conf"). (No BZ#)

All aide users are advised to upgrade to this updated package, which includes this bug fix and man page change.

1.4. anaconda

1.4.1. RHBA-2010:0194: bug fix and enhancement update

Anaconda is the system installer.

This updated anaconda package provides fixes for the following bugs:

• previously, when anaconda could not read the extended display identification data (EDID) of a monitor, it reverted to text mode. However, EDID information is frequently not available on systems connected to Keyboard–Video–Mouse (KVM) switches. Therefore, when installing Red Hat Enterprise Linux 5 on a system with a KVM switch, installation would be constrained to text mode. Anaconda no longer checks for bad or missing EDID, and allows graphical installation to proceed

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=530485

Chapter 1. Package Updates

even when this information is unavailable. Graphical installation on machines attached to KVM switches therefore continues as if them monitor were connected directly to the graphics adapter. (BZ#44548613)

• previously, anaconda expected storage devices to be available immediately when it probed for the location of a kickstart file. On systems where USB storage might not be available immedately (for example, IBM BladeCenter systems), anaconda would not find the kickstart file and would prompt the user for its location. This interaction negated the usefulness of kickstart, since the installation could not then complete unattended. Anaconda now waits until it has probed five times or for more than 31 seconds before prompting the user for the location of a kickstart file. This allows USB storage enough time to respond and for kickstart to proceed unattended. (BZ#46056614)

• previously, some user interface elements in the the Malayalam translation of anaconda overlapped. The overlapping elements disabled some buttons in the screen where anaconda lets users to choose a partitioning scheme for the system, and prevented installation from continuing. The text of the Malayalam translation has been shortened so that the interface elements no longer overlap. The buttons on the partitioning scheme screen now work correctly and allow installation to continue. (BZ#47935315)

• during installation, anaconda automatically examines any storage device that has the label OEMDRV for driver updates and applies any updates that it finds there. Previously, anaconda searched for this label on the devices listed in /proc/partitions. However, /proc/partitions does not identify CD or DVD media, so anaconda overlooked optical disks that had the correct label. Anaconda now examines the devices listed in /sys/block. Therefore, anaconda correctly identifies CDs and DVDs labelled OEMDRV as driver discs and automatically applies any driver updates contained on them. (BZ#48506016)

• previously, if anaconda required network access early in an installation (for example, to retrieve a kickstart file or driver disk image), it temporarily saved information about the network configuration while it enabled access to the network. However, if anaconda required network access again for a separate reason, it would not attempt to configure network access again, but would not be able to connect to the network either, because it no longer retained the configuration information that it had already used. Therefore, anaconda could not download both a kickstart file and a driver disk image over a network. Anaconda now retains the network configuration that it obtains early in the installation process, and can reuse this information multiple times. Therefore, anaconda can use more than one resource obtained over a network during installation. (BZ#49504217)

• previously, while upgrading a system, anaconda did not check whether packages marked for installation as dependencies were already installed on the system. Consequently, many packages would be reinstalled during an upgrade, wasting time and, in the case of network installations, bandwidth. Now, when performing an upgrade, anaconda matches the packages to be installed against the packages that are already installed. Any packages with the same Name, Arch, Epoch, Version, Release (NAEVR) as a package already on the system are skipped and not reinstalled. (BZ#49579618)

• previously, anaconda did not specify a value for HOTPLUG when writing the system's networking configuration files, although it did write a value for ONBOOT. Because HOTPLUG is enabled by default, the effect of disabling ONBOOT was limited because any interface not activated at boot time would be enabled anyway whenever probed by the system. Anaconda now writes a value for HOTPLUG, setting it to the same value as ONBOOT. Therefore, any network interface not meant to be enabled at boot time will not be automatically enabled by probing either. (BZ#49808619)

RHBA-2010:0194: bug fix and enhancement update

• the part kickstart command accepts an option called --label that allows a label to be applied to a disk partition during a kickstart installation. However, the code that implemented this option was previously missing from anaconda. Any label specified in a kickstart file was therefore ignored. Anaconda now includes code to transfer the specified label from the kickstart file to the disk partition. Users can now label disk partitions during kickstart installations. (BZ#49885620)

• when running in rescue mode, anaconda previously lacked the ability to identify partitions on logical volumes if the partitions were identified in fstab by label rather than by device name. Therefore, if the root (/) partition were identified in this way, the usefulness of rescue mode would be limited. Anaconda in rescue mode now uses the getLabels() method to find partitions and therefore properly detects root partition even if it resides on a logical volume and is identified by label in fstab. (BZ#50217821)

• previously, the help text available while configuring NETTYPE for IBM System z systems did not mention HiperSockets. Users new to System z might therefore not have known to choose qeth to configure HiperSocket interfaces on their hardware. The help text has now been updated to indicate the correct choice and users can select the appropriate option. (BZ#51196222)

• when the RUNKS was set to 0 in the CMSCONFFILE file on IBM System z systems, anaconda should have performed an installation in interactive mode. However, a rewrite of linuxrc.s390 changed the behavior of RUNKS and led to anaconda ignoring this variable. Installation would therefore proceed in non-interactive mode regardless of what value was set in CMSCONFFILE. A new test is now included in the version of linuxrc.s390 in Red Hat Enterprise Linux 5.5 so that anaconda honors RUNKS=0 and performs an interactive install if this value is set. (BZ#51395123)

• by design, anaconda recognizes any block device with the label OEMDRV as a driver disc and searches it for a driver update. However, anaconda previously failed to examine dev nodes and therefore, it would not recognize this label on USB storage devices mounted as a partitionless block devices. Anaconda now examines dev nodes for the label OEMDRV and treats them the same as partitions with this label. It is therefore possible to use a partitionless device as a driver disc. (BZ#51543724)

• previously, anaconda did not reinitialize its record of the partition layout on a system when users clicked the back button from the partitioning screen. Therefore, when a user selected a partition layout, went back to an earlier screen, and then went forward again to choose a different partition layout, anaconda would attempt to implement the new partition layout over the previously-selected partition layout instead of the partition layout actually present on the system. This would sometimes result in a crash. Now, when users step backwards from the partitioning screen. anaconda reinitializes its record of the partitions present on the system. Users can therefore change their minds about partitioning options without crashing anaconda. (BZ#51671525)

• systems store information about iSCSI targets to which they are connected in the iSCSI Boot Firmware Table (iBFT) in BIOS. Previously, however, when anaconda installed Red Hat Enterprise Linux 5 from a local installation source such as a CD, DVD, or hard disk, it would not initialize network connections before asking users to configure storage on the system. Therefore, on systems with iSCSI storage, users would have to configure a network connection manually before proceding with installation, even when this information was already available to anaconda in the system BIOS. Now, when anaconda detects a valid iBFT present on a system, it automatically loads the network configuration specified there and does not requre users to enter this information. Installation from local media on systems with iSCSI storage is therefore simpler and more reliable. (BZ#51776826)

• due to faulty logic, anaconda previously did not parse IPv6 addresses correctly and attempted to read the final byte of the address as a port number. It was therefore not possible, for example,

Chapter 1. Package Updates

to install on an iSCSI target specified by in IPv6 address. The logic by which anaconda parses IP addresses has now been corrected, but now requires IPv6 addresses to be specified in the [address]:port form to comply with the relevant RFCs. This form removes ambiguity, since IPv6 addresses are still valid if they omit a sequence of bytes with zero values. When IPv6 addresses are specified in this format, anaconda parses them correctly and installation continues as normal. (BZ#52505427)

• comments in kickstart files are marked with a pound symbol (#) at the start of the line. However, anaconda did not previously account for the possibility that users might mark a comment with multiple pound symbols (for example, #####). Anaconda would therefore attempt to parse lines that started with multiple pound symbols and installation would fail. Anaconda now recognizes lines that start with multiple pound symbols as comments and does not attempt to parse them. Users can now safely mark comments in kickstart files in this way. (BZ#52567628)

• to avoid a circular dependency that exists between the ghostscript and ghostscript-fonts packages, anaconda ignored ghostscript's dependency on ghostscript-fonts. However, ghostscript-fonts was not explicitly installed as part of the Printing package group. The usefulness of Ghostscript as installed by anaconda was therefore limited. Anaconda still avoids the circular dependency, but now specifically installs ghostscript-fonts when users select the Printing package group. (BZ#53054829)

• previously, anaconda did not automatically instruct the kernel to check for multipath devices when installing on IBM System z systems. Therefore, unless users booted with the mpath boot option, iSCSI devices detected on more than one path would be represented in the installer multiple times, one for each path. Anaconda now automatically loads the mpath boot option and therefore represents multipath devices correctly. (BZ#53812930)

• Dell PowerEdge servers equipped with the SAS6i/R integrated RAID controller use BIOS Enhanced Disk Drive Services (EDD) to identify the storage device from which to boot the operating system. Previously, anaconda did not parse EDD to identify the correct boot device. Consequently, with a RAID 0 and RAID 1 configured on the system, anaconda would choose the wrong device and the system would not be bootable. Anaconda now parses EDD to support the SAS6i/R integrated RAID controller, so that it selects the correct boot device for systems that use this device. (BZ#54063731)

• previously, anaconda would always attempt to reconstruct pre-existing Logical Volume Management (LVM) devices during installation. Anaconda would attempt to recreate the LVM device even when a user cleared the LVM partitions from one or more of the disks that held partitions that formed part of a volume group. In this case, installation would fail. Now, anaconda no longer attempts to reconstruct incomplete LVM devices. Users can therefore safely reallocate storage that was once part of a volume group and installation will proceed as expected. (BZ#54586932)

• when ksdevice=link is set in a kickstart file, anaconda should automatically select the first available network interface and use it during installation. This avoids the need for user input and allows installation to proceed unattended. However, if interfaces were in a state where anaconda could not determine their status, anaconda would revert to interactive more and prompt the user to select a network interface, thus making unattended installation impossible on systems where network interfaces could be in such a state. Anaconda now forces the network interfaces on the system into IFF_UP and IFF_RUNNING states before it attempts to obtain link status. Because the interfaces are now in a state where they can report their link status to anaconda, Anaconda can automatically choose one to use during installation and kickstart installations can proceed unattended. (BZ#54975133)

RHBA-2010:0194: bug fix and enhancement update

• previously, when installing on IBM System z systems, anaconda assumed that the network gateway was unreachable if its attempt to ping the gateway timed out after 10 seconds. Anaconda would then prompt the user to select a gateway. However, if IPADDR in the conf file has changed recently, network interfaces take longer to respond. Anaconda now prompts the user only when three pings have failed and therefore avoids prompting the user for gateway information that is already correctly specified in the conf file. (BZ#50674234)

In addition, this updated package provides the following enhancements:

• after transferring installation files to a z/VM guest, a user must execute a series of Conversational Monitor System (CMS) commands to IPL the zLinux installation. These commands can be scripted, but no such script was previously included with Red Hat Enterprise Linux 5. The lack of a readymade script made installation more difficult for users unfamiliar with CMS commands. The CMS script for starting the install process on z/VM is now included in the Red Hat Enterprise Linux 5 images, simplifying installation. (BZ#47534335)

• anaconda now loads the Brocade BNA Ethernet Controller driver, and supports Brocade Fibre Channel to PCIe Host Bus Adapters. (BZ#47570736)

• previously, anaconda did not offer users the opportunity to configure NFS options during interactive installation (although these could be configured in kickstart files). Users who needed to fine-tune NFS parameters for installation were therefore forced to run an unattended installation. Now, anaconda presents users who select NFS installation with a dialog in which they can configure NFS options to suit their needs. (BZ#49305237)

• previously, it was not possible to configure hypervisor parameters during a kickstart installation. As a result, users needed to specify hypervisor parameters manually after installation, negating the usefulness of kickstart as as a mechanism for unattended installations. Now, anaconda recognizes a new kickstart option, --hvargs and sets Hypervisor parameters accordingly. (BZ#50143838)

• previouisly, during a kickstart installation when multiple multipath LUNs were available, anaconda would automatically choose the LUN with the lowest ID number for the root device. Users had no ready way to customize this behavior. Now, anaconda supports a multipath kickstart command with --name and --device options that allow users to specify a LUN for root. (BZ#50276839)

• anaconda can retrieve kickstart files from FTP servers. Previously, however, anaconda did not support users specifying authentication credentials to access an FTP server. Therefore, if access to the server were protected by a passphrase, anaconda could not retrieve the kickstart file. Now, when specifying the location of a kickstart file with the ks= boot option, users can provide a passphrase to allow anaconda to retrieve the kickstart files fom a protected server. (BZ#50542440)

• previously, troubleshooting errors that occurred while running %pre and %post kickstart scriptlets was very difficult because anaconda did not log the behavior of these scriptlets. Anaconda now copies %pre and %post kickstart scriptlets to /tmp together with a log. These records make troubleshooting kickstart installations easier. (BZ#51063641)

• Reipl is a kernel feature that instructs IBM System z systems where to boot next, as these systems do not have a default boot location. Anaconda did not previously support Reipl, which meant that during installation, users had to specify a boot location manually between different phases of the installation. Anaconda now supports Reipl, so these reboots can happen automatically. (BZ#51219542)

Chapter 1. Package Updates

• NPort ID Virtualization (NPIV) presents one physical Fibre Channel adapter port to the SAN as multiple WWNN/WWPN pairs. Anaconda now supports NPIV, which allows users on PowerPC systems to install to a NPIV LUN. (BZ#51223743)

• the Python executables that make up anaconda now all explicitly use the system Python (#! / usr/bin/python instead of #! /usr/bin/env python). This ensures that anaconda functions correctly when more than one Python stack is present on a system. (BZ#52133744)

• anaconda now supports the Emulex OneConnect iSCSI network interface card. (BZ#52944245)

• anaconda now supports PMC Sierra MaxRAID controller adapters. (BZ#53277746)

• although users have been able to specify package groups for installation in kickstart files, using the @ prefix, it was not possible to exclude package groups from installation, only individual packages. Anaconda now supports excluding package groups with the -@ prefix (BZ#55851647)

• anaconda now loads the xorg-x11-qxl-drv and xorg-x11-ast-drv X11 video drivers as required. xorg-x11-qxl-drv supports the qemu QXL video accelerator when installing Red Hat Enterprise Linux 5 as a guest operating system. xorg-x11-ast-drv supports ASPEED Technologies video hardware. (BZ#56766648)

1.5. apr-util

1.5.1. RHEA-2010:0310: enhancement update

Updated apr-util packages that add support for MySQL are now available.

apr-util is a utility library used with the Apache Portable Runtime (APR). It aims to provide a free library of C data structures and routines. This library contains additional utility interfaces for APR; including support for XML, LDAP, database interfaces, URI parsing, and more.

In previous releases, the APR utility library DBD (database abstraction) interface did not include support for MySQL databases. This update adds the MySQL driver to the DBD interface. (BZ#25207349, BZ#49134250)

All users requiring MySQL support should install these newly released packages, which add this enhancement.

1.6. at

1.6.1. RHBA-2009:1654: bug fix and enhancement update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1654

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=252073

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=491342

audit

An updated "at" package that adds and documents a configuration enhancement and corrects the debuginfo build is now available.

"At" and "Batch" read commands from standard input or from a specified file. At allows you to specify that a command will be run at a particular time. Batch will execute commands when the system load levels drop to a particular level. Both commands use /bin/sh.

This update addresses the following issue:

* although "at" contains ELF objects, the at-debuginfo package was empty. With this update the debuginfo package contains valid debugging information as expected. (BZ#50054252)

This update also adds the following enhancements:

* previously, the atd daemon ran with hard-coded options and could only be configured at the command-line. The atd daemon now reads a configuration file, /etc/sysconfig/atd, when it starts up, enabling easier configuration, particularly for load options and multiprocessor systems. (BZ#23225953)

* The DESCRIPTION section of the "at" man page has been updated to note the existence, location and purpose of the /etc/sysconfig/atd configuration file. Note: as the man page suggests, the sample configuration file included with this update is the primary source of information about atd configuration options. (BZ#53779254)

Users are advised to upgrade to this updated package, which fixes this bug and adds these enhancements.

1.7. audit

1.7.1. RHBA-2010:0228: bug fix update

An updated audit package that fixes various bugs and provides an enhancement is now available.

The audit package contains the user space utilities for storing and searching the audit records generate by the audit subsystem in the Linux 2.6 kernel.

This update includes the following fixes:

* The man page was ambiguous in explaining the structure of dates and the supplied examples often did not work because of different date formats in various locales. This caused some confusion amongst users. The page has been rewritten to clarify that the date format accepted by aureport and ausearch is influenced by the LC_TIME environmental variable, eliminating the confusion about this issue. (BZ#51397455)

* The audit package's libauparse function had a bug that meant it could not interpret IPC (inter-process communication) mode fields. When it attempted to do so, a segmentation fault would occur. The audit package has now been patched so that IPC mode fields are interpreted by the software without crashes resulting. (BZ#51979056)

This update also includes the following enhancement:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=500542

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=232259

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=537792

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=513974

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=519790

Chapter 1. Package Updates

* The audit package has been rebased and, as a result, a number of new features have been added. These include:

1. Allowing ausearch/report to specify multiple node names (which are needed for remote logging).

2. auparse can now handle empty AUSOURCE_FILE_ARRAYs. 3. auditctl rules now allow a0-a3 to

be negative numbers. 4. An audit.rules man page has been added. 5. auditd resets syslog warnings if disk space becomes available. 6. The != operator in audit_rule_fieldpair_data is now checked. 7. A tcp_max_per_addr option has been added to auditd.conf in order to limit concurrent connections. 8. Many improvements to remote logging code.

As a result, these enhancements are now available for system administrators, making auditing options much more flexible. (BZ#52985157)

1.8. autofs

1.8.1. RHBA-2009:1468: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata

RHBA-2009:1468

An updated autofs package that fixes two bugs is now available.

The autofs utility controls the operation of the automount daemon. The automount daemon automatically mounts file systems when you use them, and unmounts them when they are not busy.

This updated package fixes the following two autofs bugs:

* autofs was incorrectly using a non-thread-safe libxml2 function as though it was thread-safe. This sometimes resulted in autofs crashing. With this update the calls to xmlCleanupParser() and xmlInitParser() have been moved: these functions are now only called as autofs starts and exits, ensuring these libxml2 functions are not called more than once while autofs is running. (BZ#52318859)

* a recent correction related to autofs master map entry updating introduced a regression whereby it was possible to deadlock when requesting a map re-load when an entry in a direct map had been removed. This update adds a check that ensures such map re-load requests do not cause a deadlock. (BZ#52543160)

All autofs users should install this updated package which addresses these issues.

1.8.2. RHBA-2010:0265: bug fix update

The autofs utility controls the operation of the automount daemon. The automount daemon automatically mounts file systems when you use them, and unmounts them when they are not busy.

This updated package fixes the following bugs:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=529851

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=523188

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=525431

RHBA-2010:0265: bug fix update

• If an included map read failed, autofs returned an error and subsequent master map entries were not read. This update reports the failure in the log but master map reading no longer ceases. (BZ#50603461)

• autofs could segfault if it called xmlCleanupParser concurrently from multiple threads, as this function is not re-entrant. autofs has been changed to call this function only once from its main thread, when the application exits. (BZ#51328962)

• autofs could segfault at startup when using LDAP under certain circumstances. autofs would fail to try and retrieve a query dn if:

• LDAP is being used to store autofs maps and...

• The LDAP schema to be used for the maps is explicitly defined in the autofs configuration and...

• No master map entries exist in LDAP.

This set of conditions would return success instead of failure. This update fixes the get query dn failure. (BZ#57260363)

• If a master map entry is changed in any other way besides the map name (for example, map wide options) the system encountered two application data structures for the "same" map during a map re-read. If the contents of that map has also changed, a deadlock can occur.

Having the duplicate data structure also caused entries in the problem map to be umounted. Since direct mount maps have a distinct autofs mount for each entry direct mount they appeared to stop working. This update corrects this behaviour. (BZ#51441264)

• autofs would block for several minutes when attempting to mount from a server that was not available. A new mount_wait parameter has been added to prevent this block. This update requires SELinux policy 255 or later. (BZ#51734965)

• The autofs parser objected to locations containing the characters '@' and '#' (Lustre and sshfs mounts) causing the mount request to fail. This update allows autofs to parse these characters and mount successfully. (BZ#52074566)

• Due to an incorrect system call an error message stating "Operation not permitted" would be returned when attempting to mount an unknown hostname. This call has been corrected and autofs now returns "hostname lookup failed" as would be expected. (BZ#53332367)

• A typing error in the usage text of the autofs service script has been corrected. (BZ#53401268)

• When changing the timed wait from using select(2) to poll(2) in the non-blocking TCP connection function, to overcome the 1024 file handle limit of select(2), the wait timeout was not correctly converted from seconds to milliseconds. This update corrects the problem. (BZ#53974769)

• autofs failed to mount locations whose path depended on another local auto-mounted mount. Dependent mounts are triggered by calling access(2) on the mount location path prior to mounting the location. The check for whether a location was a local path was restrictive and didn't cater for all cases. This has now been fixed. (BZ#53740370)

• Inter-operability between autofs and some non-open source LDAP servers was impaired when a SASL authenticated connection was used over muliple bind and unbind operations. autofs has been updated use distinct authentication connection for each server it binds to. (BZ#53779371)

Chapter 1. Package Updates

• autofs failed to load its maps if all LDAP servers were down, or unreachable, when the daemon started. The dependency on an LDAP server being available at startup has been removed. This change resolved the issue of the map server being unreachable for some common usage cases. (BZ#54355472)

• The random selection option used with mount locations that have multiple servers was not being set correctly during the paring of master map entries. If specified as a mount option in master map entries the option is now used as has been requested. (BZ#54847673)

• Setting the expire timeout to 0 was causing autofs to constantly schedule expire runs leading to excessive resource usage and preature umounting of mounts. Setting the timeout to 0 should in fact disable expiry of mounts and this update fixes this incorrect behavior. (BZ#54827774)

• autofs would abort when using DIGEST-MD5 authentication under heavy concurrent access. This was caused by autofs not providing the locking functions required by the cyrus-sasl library. In addition the cyrus-sasl library locking functions contained a race which sometimes lead to a deadlock. This update adds the needed locking functions to autofs and passes them to cyrus-sasl at initialization. The bug in the cyrus-sasl library is fixed in cyrus-sasl-lib 2.1.22-5.el5.el5_4.3 and later which is required for the update to install if cyrus-sasl is also installed. (BZ#55943075)

All autofs users should upgrade to this updated package, which resolves these issues.

1.9. automake

1.9.1. RHSA-2010:0321: Low security update

Updated automake, automake14, automake15, automake16, and automake17 packages that fix one security issue are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Automake is a tool for automatically generating Makefile.in files compliant with the GNU Coding Standards.

Automake-generated Makefiles made certain directories world-writable when preparing source archives, as was recommended by the GNU Coding Standards. If a malicious, local user could access the directory where a victim was creating distribution archives, they could use this flaw to modify the files being added to those archives. Makefiles generated by these updated automake packages no longer make distribution directories world-writable, as recommended by the updated GNU Coding Standards. (CVE-2009-402976)

Note: This issue affected Makefile targets used by developers to prepare distribution source archives. Those targets are not used when compiling programs from the source code.

All users of automake, automake14, automake15, automake16, and automake17 should upgrade to these updated packages, which resolve this issue.

https://www.redhat.com/security/data/cve/CVE-2009-4029.html

1.10. avahi

1.10.1. RHBA-2010:0034: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0034

Updated avahi packages that address two bugs are now available.

Avahi is an implementation of the DNS Service Discovery and Multicast DNS specifications for Zeroconf Networking. It facilitates service discovery on a local network. Avahi and Avahi-aware applications allow you to plug your computer into a network and, with no configuration, view other people to chat with, see printers to print to, and find shared files on other computers.

This update fixes the following two bugs:

avahi

* previously, avahi published a static SSH-SFTP service by default, regardless of the machine and regardless of whether an ssh server was running or not. As a result, all Red Hat Enterprise Linux instances also running Avahi appeared in the LAN listings of file browsers and file managers (eg "Places > Network" in Nautilus or "Go > Network Folders" in Konquerer) even if they were not acting as file servers. This update still includes a static SSH-SFTP service but it now ships as a deactivated example service (ie, is not published by default). The static SSH-FTP service can be activated manually, but systems running Avahi no longer appear in file manager LAN listings by default. (BZ#21914378)

* previously, running the Avahi init scripts with a "status" argument resulted in a return code of 0, regardless of whether the daemons are running or not. This update corrects that: a missing avahi daemon now results in a failure return code (1) as expected. (BZ#23216179)

All avahi users should install these updated packages, which address these issues.

1.11. bind

1.11.1. RHSA-2010:0062: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0062

Updated bind packages that fix two security issues are now available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219143

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=232161

Chapter 1. Package Updates

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

A flaw was found in the BIND DNSSEC NSEC/NSEC3 validation code. If BIND was running as a DNSSEC-validating resolver, it could incorrectly cache NXDOMAIN responses, as if they were valid, for records proven by NSEC or NSEC3 to exist. A remote attacker could use this flaw to cause a BIND server to return the bogus, cached NXDOMAIN responses for valid records and prevent users from retrieving those records (denial of service). (CVE-2010-009781)

The original fix for CVE-2009-4022 was found to be incomplete. BIND was incorrectly caching certain responses without performing proper DNSSEC validation. CNAME and DNAME records could be cached, without proper DNSSEC validation, when received from processing recursive client queries that requested DNSSEC records but indicated that checking should be disabled. A remote attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if the target BIND server was receiving such client queries. (CVE-2010-029082)

All BIND users are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues. After installing the update, the BIND daemon (named) will be restarted automatically.

1.11.2. RHSA-2009:1620: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1620

Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Michael Sinatra discovered that BIND was incorrectly caching responses without performing proper DNSSEC validation, when those responses were received during the resolution of a recursive client query that requested DNSSEC records but indicated that checking should be disabled. A remote attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if the target BIND server was receiving such client queries. (CVE-2009-402284)

All BIND users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the update, the BIND daemon (named) will be restarted automatically.

https://www.redhat.com/security/data/cve/CVE-2010-0097.html

https://www.redhat.com/security/data/cve/CVE-2010-0290.html

https://www.redhat.com/security/data/cve/CVE-2009-4022.html

binutils

1.12. binutils

1.12.1. RHBA-2010:0304: bug fix update

Updated binutils packages that fix various bugs are now available.

Binutils is a collection of binary utilities, including ar (for creating, modifying and extracting from archives), as (a family of GNU assemblers), gprof (for displaying call graph profile data), ld (the GNU linker), nm (for listing symbols from object files), objcopy (for copying and translating object files), objdump (for displaying information from object files), ranlib (for generating an index for the contents of an archive), readelf (for displaying detailed information about binary files), size (for listing the section sizes of an object or archive file), strings (for listing printable strings from files), strip (for discarding symbols), and addr2line (for converting addresses to file and line).

These updated binutils packages provide fixes for the following bugs:

* The readelf debugging utility was placing subject error messages in the middle of the .debug_str in the stderr output. This meant that location lists in the .debug._info section that were not in ascending order could not be handled correctly and the debugger could pick the wrong function, leading to dropped debug information. A patch has now been added and, as a result, the location lists can now be handled correctly, irrespective of order. As a result, the debugger now picks the right function when looking up symbols and debug information is no longer dropped. (BZ#49916485,

BZ#50912486)

* The strings command was not parsing files correctly. When used with a multi-digit <NUM> argument (such as strings -10 filename.txt) an "invalid integer argument" error would occur because it regarded each numeral as a separate argument. The parsing has now been corrected via a patch to strings.c.multidigit_input so that multi-digit numerals are regarded as parts of a single argument. As a result, files are now parsed correctly. (BZ#50876587)

* There was a regression in binutils-devel that caused it to build "oprofile" files incorrectly. As a result, bfd_get_section_by_name() returned incorrect information about the debuginfo section and an "opreport" error would occur. The bfd.h header's API has now been fixed to match the BFD library's ABI. As a result, the per-symbol profile is now generated correctly and the opreport runs without error. (BZ#52902888)

* There was a link failure whereby when a symbol in a comdat/linkonce section had a different level of visibility in different files, the linker could not merge the visibility. As a consequence, after the ld command was run, a "final link failed: Bad value" error would occur. A patch has been added to elflink.c.sym_visibility to make sure that the visibility is kept. As a result, ld now can now merge different levels of visibility without error. (BZ#53126989)

Users are advised to upgrade to these updated binutils packages, which resolve these issues.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=499164

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=509124

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=508765

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=529028

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=531269

Chapter 1. Package Updates

1.13. bogl

1.13.1. RHBA-2009:1593: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1593

Updated bogl packages that fix a bug are now available.

Ben's Own Graphics Library (BOGL) is a small graphics library for Linux kernel frame buffers. It supports only very simple graphics. The bogl packages also include bterm, a Unicode-capable terminal program for the Linux frame buffer.

These updated packages provide a fix for the following bug:

* when editing a file with vi from within the bterm console, a SIGSEGV error could occur, causing both vi and bterm to crash. This update adds a check that keeps "yorig" from equaling -1, which prevents the underlying memory reference error occurring. (BZ#51795791)

All bogl users are advised to upgrade to these updated packages, which resolve this issue.

1.14. bootparamd

1.14.1. RHBA-2010:0057: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0057

An updated bootparamd package that fixes a bug is now available.

Bootparamd is a server process that provides information to diskless clients necessary for booting; consulting the /etc/bootparams file for required information.

When bootparamd is used for multihomed environment handling, it would previously evaluate the route to be returned to the first requesting client and re-evaluate the route to be returned for each client thereafter. Even though it re-evaluates what router IP to return for each following client, it would always send back the first route, due to it being the one that was cached. This updated package ensures that no re-evaluation occurs concerning the router IP to return for each client. (BZ#44610893)

All users of bootparamd are advised to upgrade to this updated package, which resolves this issue.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=517957

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=446108

booty

1.15. booty

1.15.1. RHBA-2010:0185: bug fix and enhancement update

An updated booty package that fixes a bug and adds an enhancement is now available.

The booty package contains a python library which provides an interface for the creation of boot loader configuration files and the addition of stanzas to said configuration files. These boot loader configuration files are used by the anaconda installer.

This updated booty package fixes the following bug:

* early in the installation process, anaconda creates a ramdisk to hold files that it will need to complete the installation. Previously, when installing the debug kernel for Red Hat Enterprise Linux on IBM System z, the ramdisk was larger than the default memory address that ZIPL allocated to hold the ramdisk. Installation would therefore fail. The /etc/zipl.conf file that booty creates for anaconda now explicitly specifies a suitable address for the ramdisk so that ZIPL does not rely on the insufficient default address. With enough space to create the ramdisk, installation succeeds. (BZ#42990694)

In addition, this updated package provides the following enhancement:

* previously, there was no way to configure hypervisor parameters during a kickstart installation. Therefore, these parameters would have to be configured manually after installation. Red Hat Enterprise Linux now includes a new option for the "bootloader" command in kickstart, "--hvargs", which sets hypervisor parameters in grub.conf during installation. It is now possible to automate this part of the installation process. Refer to the Red Hat Enterprise Linux 5 Installation Guide for a description of the "--hvargs" option. (BZ#55295795)

Users of booty are advised to upgrade to this updated booty package, which resolves this issue and adds this enhancement.

1.16. brltty

1.16.1. RHSA-2010:0181: Low security and bug fix update

Updated brltty packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5.

brltty (Braille TTY) is a background process (daemon) which provides access to the Linux console (when in text mode) for a blind person using a refreshable braille display. It drives the braille display, and provides complete screen review functionality.

It was discovered that a brltty library had an insecure relative RPATH (runtime library search path) set in the ELF (Executable and Linking Format) header. A local user able to convince another user

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=429906

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=552957

Chapter 1. Package Updates

to run an application using brltty in an attacker-controlled directory, could run arbitrary code with the privileges of the victim. (CVE-2008-327996)

These updated packages also provide fixes for the following bugs:

* the brltty configuration file is documented in the brltty manual page, but there is no separate manual page for the /etc/brltty.conf configuration file: running "man brltty.conf" returned "No manual entry for brltty.conf" rather than opening the brltty manual entry. This update adds brltty.conf.5 as an alias to the brltty manual page. Consequently, running "man brltty.conf" now opens the manual entry documenting the brltty.conf specification. (BZ#530554

9897

)

* previously, the brltty-pm.conf configuration file was installed in the /etc/brltty/ directory. This file, which configures Papenmeier Braille Terminals for use with Red Hat Enterprise Linux, is optional. As well, it did not come with a corresponding manual page. With this update, the file has been moved to /usr/share/doc/brltty-3.7.2/BrailleDrivers/Papenmeier/. This directory also includes a README document that explains the file's purpose and format. (BZ#530554

10099

)

* during the brltty packages installation, the message

Creating screen inspection device /dev/vcsa...done.

was presented at the console. This was inadequate, especially during the initial install of the system. These updated packages do not send any message to the console during installation. (BZ#529163

* although brltty contains ELF objects, the brltty-debuginfo package was empty. With this update, the debuginfo package contains valid debugging information as expected. (BZ#500545

102

)

101

* the MAX_NR_CONSOLES definition was acquired by brltty by #including linux/tty.h in Programs/ api_client.c. MAX_NR_CONSOLES has since moved to linux/vt.h but the #include in api_client.c was not updated. Consequently, brltty could not be built from the source RPM against the Red Hat Enterprise Linux 5 kernel. This update corrects the #include in api_client.c to linux/vt.h and brltty now builds from source as expected. (BZ#456247

103

)

All brltty users are advised to upgrade to these updated packages, which resolve these issues.

1.17. checkpolicy

1.17.1. RHBA-2010:0184: bug fix update

An updated checkpolicy package that makes a man page correction, fixes help message and man page omissions and allows the unknown access flag to be specified is now available.

checkpolicy is the policy compiler for Security-Enhanced Linux (SELinux). The checkpolicy utility is required for building SELinux policies.

)

This updated checkpolicy package addresses the following issues:

https://www.redhat.com/security/data/cve/CVE-2008-3279.html

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=530554

100

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=530554

101

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=529163

102

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=500545

103

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=456247

chkconfig

* newer SELinux kernels have access checks that the shipping SELinux policy package does not understand. The kernel currently denies these access checks by default. This updated checkpolicy package can build an selinux-policy package that tells the kernel to "Allow" unknown access. (BZ#531229

104

)

* the checkpolicy man page listed (but did not otherwise document) a "-m" switch. checkpolicy supports a "-M" switch but not a "-m" switch. This update removes the "-m" option from the checkpolicy SYNOPSIS. Note: the "-M" switch was and is documented in the OPTIONS section of the checkpolicy man page. (BZ#533790

105

)

* checkmodule's "-d" switch (which switches the tool to debug mode) was documented in the checkmodule man page but not in the output of checkmodule's help message (ie the output of "checkmodule --help" or "checkmodule -h"). Also, the "-h" switch was not documented at all. With this update, the "-d" switch is now included in help message output and the "-h" switch is documented in both the checkmodule man page and the checkmodule help message. (BZ#533796

106

)

All SELinux users should install this updated package which resolves these issues.

1.18. chkconfig

1.18.1. RHBA-2009:1628: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1628

Updated chkconfig packages that resolve several issues with the alternatives utility and provide various man page corrections are now available.

The basic system utility chkconfig updates and queries runlevel information for system services.

These updated chkconfig packages provide fixes for the following bugs:

* when the "alternatives" utility was run and an error occurred, no contextual information such as the line number of the error was provided. With this update, upon an error, "alternatives" now provides the line number where the error occurred in the relevant file in the /var/lib/alternatives directory, which helps to diagnose alternatives-related errors. (BZ#441443

* using the "alternatives" utility and selecting the last available option and then uninstalling the program which provided that alternative did not result in the removal of the symbolic links for that option. Because the previously-set alternative was no longer available and the symbolic link remained, the program was then rendered unusable. With this update, when the aforementioned condition is met, the "alternatives" program now recognizes that the program is no longer available and removes the extraneous symbolic link, with the result that the next-best alternative is properly selected, and running the program works as expected. (BZ#525051

107

109

108

)

104

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=531229

105

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=533790

106

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=533796

108

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=441443

109

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=525051

Chapter 1. Package Updates

* the chkconfig(8) man page contained a description of the syntax for running chkconfig that differed from the correct description presented when running "chkconfig --help". The man page has been corrected to correspond with the program's help information. (BZ#501225

110

)

* the chkconfig(8) man page contained an incorrect reference to runlevel 7, which does not exist (runlevels extend from 0 to 6, inclusive). This update corrects the man page by removing all references to "runlevel 7". (BZ#466740

111

)

* the ntsysv(8) man page referenced a non-existent man page, servicesconf. This reference has been removed. (BZ#516599

112

)

All users of chkconfig are advised to upgrade to these updated packages, which resolve these issues.

1.19. cman

1.19.1. RHBA-2009:1435: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata

RHBA-2009:1435

Updated cman packages that fix a bug and add an enhancement are now available.

The Cluster Manager (cman) utility provides user-level services for managing a Linux cluster.

This update applies the following bug fix:

* in several places internally, cman assumed a transition message meant the node in question (or the sending node) was joining the cluster rather than just sending its current post-transition state. In some circumstances, this could lead to cman killing the wrong nodes. With this update, cman now checks the first_trans flag, which is set when a node first encounters another node in the cluster. Only if first_trans is set does cman now consider the node as joining the cluster. (BZ#518061

113

114

)

Also, this update includes the following enhancement:

First, if a node was asked to remove a key (fence) for a device that it was not registered with, the node attempted to register with that device on-the-fly. With this update, when nodes are asked to remove a key from devices with which they are not registered, the fencing fails.

Second, for the common case of SAN environments with multiple Logical Unit Numbers (LUNs), the devices (LUNs) that can be unregistered must be ordered consistently on all nodes. Consistent ordering is not guaranteed by the Logical Volume Manager (LVM), however; device names can vary from node to node to prevent interleaving of fence operation among devices. With this update, the fence_scsi agent extracts the device name (pv_name) and Universally Unique Identifier (pv_uuid) and builds a hash keyed on the UUID (which is consistent on all nodes). This ensures devices are ordered consistently on each node.

110

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=501225

111

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=466740

112

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=516599

114

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=518061

RHBA-2009:1516: bug-fix update

Consequent to these two changes, the first node to fence removes the other node's key from the device or devices. The second node, now not registered with the device, is not able to fence the first. This allows fence_scsi to work in a 2-node cluster. (BZ#520823

115

)

All cman users should install this updated package, which fixes this bug and enables users to use fence_scsi in a 2-node environment.

1.19.2. RHBA-2009:1516: bug-fix update

Note

This update has already been released (prior to the GA of this release) as errata

RHBA-2009:1516

Updated cman packages that fix a bug are now available.

The Cluster Manager (cman) utility provides user-level services for managing a Linux cluster.

This update applies the following bug fix:

116

Add support for power cycle command to fence_ipmi, which doesn't shut down the BMC controller.

Old behavior is still the default, so nothing changes without a configuration change. Now there is a new method option that can have the value "cycle", which uses the ipmi power cycle command.

Example of usage:...

<fencedevices> <fencedevice agent="fence_ipmilan_new" ipaddr="1.2.3.4" login="root" name="ipmifd1" passwd="password" method="cycle" /> ...

Users are advised to upgrade to these updated cman packages, which resolve this issue.

1.19.3. RHBA-2009:1598: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata

RHBA-2009:1598

Updated cman packages that resolve several issues are now available.

[Updated 4 Jan 2009] This update provides improved descriptions of both bug fixes included in this advisory, and especially the description for bug 529712. The packages included in this revised update have not been changed in any way from those included in the original advisory.

117

The Cluster Manager (cman) utility provides user-level services for managing a Linux cluster.

These updated cman packages provide fixes for the following bugs:

* when using device-mapper-multipath devices, registrations were only sent to the active path, which meant that, in the event of path failure, the node would be unable to access the device via the

115

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=520823

Chapter 1. Package Updates

secondary path or paths because the device would not be registered with the secondary path(s). With this update, the presence of device-mapper-multipath devices is detected correctly, the right paths are discovered, and each path is registered, including secondary paths. (BZ#529712

118

)

* when running the /etc/init.d/scsi_reserve init script to check for errors, such as an incorrect cluster.conf configuration, among others, upon finding an error the script did not print "[FAILED]" to standard output, as is convention for system services which encounter startup errors. With this update, the scsi_reserve init script has been fixed so that it prints "[FAILED]" to standard output when an error is encountered, and "[OK]" otherwise. Any errors encountered are logged to the system log. (BZ#530400

119

)

All users of cman are advised to upgrade to these updated packages, which resolve these issues.

1.19.4. RHBA-2009:1622: bug-fix update

Note

This update has already been released (prior to the GA of this release) as errata

RHBA-2009:1622

120

Updated cman packages that fix bugs are now available.

The Cluster Manager (cman) utility provides user-level services for managing a Linux cluster.

This update fixes the following bugs:

* qdiskd erroneously writes the message "qdiskd: read (system call) has hung for X seconds". (BZ

537157)

* Crash in fence_ipmilan when -M switch was not present on the command-line. (BZ 537157)

Users are advised to upgrade to these updated cman packages, which resolve these issues.

1.19.5. RHBA-2010:0266: bug fix and enhancement update

Updated cman packages that fix bugs and add enhancements are now available.

The Cluster Manager (cman) utility provides user-level services for managing a Linux cluster.

Changes in this update:

* fence_rsa fails to login with new RSA II firmware. (BZ#549473

* fence_virsh reports vm status incorrectly. (BZ#544664

122

* improve error messages from ccsd if there is a network problem. (BZ#517399

* new fence agent for VMWare. (BZ#548577

124

)

121

)

123

)

Note: this is a Tech Preview only.

118

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=529712

119

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=530400

121

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=549473

122

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=544664

123

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=517399

124

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=548577

RHBA-2010:0266: bug fix and enhancement update

* fence agent for HP iLO2 MP. (BZ#508722

* fence agent for RSB ends with traceback. (BZ#545054

* security feature for SNMP based agent: apc_snmp & ibmblade. (BZ#532922

* change default timeout values for various fence agents. (BZ#549124

* "Option -V" (show version) was not working in all fence agents. (BZ#549113

* automatically configure consensus based on token timeout. (BZ#544482

* add readconfig & dumpconfig to fence_tool. (BZ#514662

* make groupd handle partition merges. (BZ#546082

* groupd: clean up leaving failed node. (BZ#521817

* scsi_reserve should always echo after failure. (BZ#514260

* fence_scsi_test: add debug information. (BZ#516763

* fence_scsi_test should not allow -c & -s options together. (BZ#528832

* fix fence_ipmilan read from unitialized memory. (BZ#532138

* make qdiskd stop crying wolf. (BZ#532773

* fencing failed when used without telnet or ssh. (BZ#512343

125

138

)

126

)

127

)

128

)

129

)

130

)

131

)

132

)

133

)

134

)

135

)

136

)

137

)

139

)

* APC changed product name (MasterSwitch -> Switched Rack PDU). (BZ#447481

140

)

* fix invalid initalization introduced by retry-on option.

142

141

)

* broken device detection for DRAC3 ERA/O. (BZ#489809

* fix case sensitivities in action parameter. (BZ#528938

* fencing_snmp failed on all operations & traceback fix. (BZ#528916

* accept unknown options from standard input. (BZ#532920

125

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=508722

126

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=545054

127

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=532922

128

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=549124

129

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=549113

130

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=544482

131

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=514662

132

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=546082

133

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=521817

134

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=514260

135

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=516763

136

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=528832

137

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=532138

138

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=532773

139

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=512343

140

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=447481

141

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=489809

142

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=528938

143

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=528916

144

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=532920

144

)

143

)

Chapter 1. Package Updates

* fence_apc unable to obtain plug status. (BZ#532916

* timeout options added. (BZ#507514

146

)

* better default timeout for bladecenter. (BZ#526806

* the LOGIN_TIMEOUT value was too short for fence_lpar & the SSH login timed out before the connection could be completed. (BZ#546340

148

* add missing-as-off option (missing blade/device is always OFF). (BZ#248006

* make qdiskd "master-wins" node work. (BZ#372901

* make qdisk self-fence system if write errors take longer than interval*tko. (BZ#511113

* make service_cman.lcrso executable, so RPM adds it to the debuginfo pkg. (BZ#511346

* don't check for xm command in cman init script: virsh is more appropriate. (BZ#516111

* allow re-registering of a quorum device. (BZ#525270

* fix fence_scsi, multipath & persistent reservations. (BZ#516625

* cman_tool leave remove reduces quorum when no services are connected. (BZ#515446

* fence_sanbox2 unable to retrieve status. (BZ#512947

145

)

147

)

149

)

150

)

151

)

152

)

153

)

154

)

155

)

156

)

157

)

* gfs_controld: GETLK should free unused resource. (BZ#513285

* allow IP addresses as node names. (BZ#504158

* fence_scsi man page contains invalid option. (BZ#515731

* fence_scsi support for 2 node clusters. (BZ#516085

* Support for power cycle in fence ipmi. (BZ#482913

* add option 'list devices' for fencing agents. (BZ#519697

* add support for switching IPv4/IPv6. (BZ#520458

145

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=532916

146

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=507514

147

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=526806

148

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=546340

149

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=248006

150

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=372901

151

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=511113

152

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=511346

153

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=516111

154

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=525270

155

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=516625

156

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=515446

157

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=512947

158

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=513285

159

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=504158

160

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=515731

161

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=516085

162

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=482913

163

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=519697

164

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=520458

159

164

)

162

161

)

160

)

163

)

158

)

cmirror

* fence agent ends with traceback if option is missing. (BZ#508262

* command line options to override default ports for different services, such as SSH & Telnet (i.e. -u option) were added. (BZ#506928

Note: "-u" does not currently work with fence_wti. Other agents honor the port override command line options properly, however. (BZ#506928

* force stdout close for fencing agents. (BZ#518622

* support for long options. (BZ#519670

167166

)

169168

171

)

170

)

* fix a situation where cman could kill the wrong nodes. (BZ#513260

* fix support for >100 gfs & gfs2 file systems. (BZ#561892

173

* fix a problem where 'dm suspend' would hang a withdrawn GFS file system. (BZ#570530

* fix a problem where fence_snmp returned success when the operation failed. (BZ#573834

* fencing support for the new iDRAC interface included with Dell PowerEdge R710 & R910 blade servers was added. (BZ#496748

176

)

165

)

172

)

174

)

175

)

All cman users should install this update which makes these changes.

1.20. cmirror

1.20.1. RHBA-2010:0307: bug fix update

Updated cmirror packages that fix various bugs are now available.

The cmirror package is necessary for LVM-based mirroring (RAID1) in a cluster environment.

This update addresses the following issues:

* the cmirror init script was reporting false errors in some 'stop' instances. (BZ#520915

* the cluster log daemon was unable to recover if the cluster was shutdown and restarted without also restarting the cluster log daemon. (BZ#518665

* communication structure used between nodes was not in a mixed-architecture or upgrade friendly format. (BZ#488102

165

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=508262

167

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=506928

166

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=506928

169

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=506928

168

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=506928

170

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=518622

171

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=519670

172

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=513260

173

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=561892

174

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=570530

175

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=573834

176

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=496748

177

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=520915

178

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=518665

179

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=488102

179

)

178

)

177

)

Chapter 1. Package Updates

* certain failure scenarios during cluster mirror device creation could lead to future kernel panics. (BZ#544253

180

)

All cmirror users should install these updated packages which fix these bugs.

1.21. cmirror-kmod

1.21.1. RHBA-2010:0309: bug fix update

Updated kmod-cmirror packages that fix two bugs are now available.

The kmod-cmirror package is necessary for LVM-based mirroring (RAID1) in a cluster environment.

This update addresses the following issues:

* error processing logic failed to remove a list item before freeing the associated memory. (BZ#544253

* added version number to the kernel/daemon communication structure. (BZ#544253

All kmod-mirror users should install these updated packages, which fix these bugs.

182181

)

184183

)

1.22. conga

1.22.1. RHBA-2009:1623: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata

RHBA-2009:1623

Updated conga packages that fix a regression introduced between Red Hat Enterprise Linux 5.3 and Red Hat Enterprise Linux 5.4 are now available.

The Conga project is a management system for remote workstations. It consists of luci, a secure webbased front-end, and ricci, a secure daemon that dispatches incoming messages to the underlying management modules.

This update applies the following bug fix:

* the behavior of the virsh command changed between Red Hat Enterprise Linux 5.3 and Red Hat Enterprise Linux 5.4. In Red Hat Enterprise Linux 5.4, non-root users must add a "--read-only" flag to virsh commands for them to work correctly. The ricci component of conga runs the "virsh nodeinfo" command to determine whether a node can host a Virtual Machine service and it does so as a nonroot user.

185

180

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=544253

182

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=544253

181

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=544253

184

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=544253

183

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=544253

RHBA-2010:0289: bug fix and enhancement update

As a consequence, when run under Red Hat Enterprise Linux 5.4, running this command returned no information and the luci front-end did not provide an "Add a virtual machine service" option to Services in the Cluster tab for clusters that were expected to offer such services. With this update, ricci now runs a "virsh nodeinfo --readonly" command, in line with the changed behavior, and the web-based front end will provide options to add virtual machine services as expected. (BZ#537209

186

)

All conga users are advised to upgrade to these updated packages, which resolve this issue.

1.22.2. RHBA-2010:0289: bug fix and enhancement update

Updated Conga packages that fix numerous bugs (including a regression introduced between Red Hat Enterprise Linux 5.3 and Red Hat Enterprise Linux 5.4) and add the ability to reset user passwords when logged in to luci as an administrator are now available.

The Conga project is a management system for remote workstations. It consists of luci, which is a secure web-based front-end, and ricci, which is a secure daemon that dispatches incoming messages to underlying management modules.

This update applies the following bug fixes:

* The behavior of the virsh command changed between Red Hat Enterprise Linux 5.3 and Red Hat Enterprise Linux 5.4. In Red Hat Enterprise Linux 5.4, non-root users must add a "--read-only" flag to virsh commands. The ricci component runs the "virsh nodeinfo" command to determine whether a node can host a Virtual Machine service and it does so as a non-root user. As a consequence, when run under Red Hat Enterprise Linux 5.4, the "virsh nodeinfo" command returned no information and luci did not provide an "Add a virtual machine service" option to Services in the Cluster tab for clusters that were expected to offer such services. With this update, ricci now runs a "virsh nodeinfo --readonly" command in line with the changed behavior, and luci provides options to add Virtual Machine services as expected. (BZ#519252

* luci failed to start. (BZ#469881

* Conga doesn't run with SELinux. (BZ#476698

187

)

188

)

189

)

* Conga does not add the name of the managed system when adding an "LPAR Fencing" fence device to a node. (BZ#508142

* fs resource will remount itself if any configuration changes are made to cluster.conf. (BZ#514051

* luci does not validate passwords and incorrect characters can be used. (BZ#519050

190

)

191

192

)

* previously, the shebang lines in luci's python executables pointed to "/usr/bin/env python" rather than explicitly referencing the version of Python installed on the system. This broke those executables in the case where a user was installing an alternative Python version. With this update, all shebang lines point explicitly to the system version at /usr/bin/python. (BZ#521884

* Conga does not properly handle HA LVM types. (BZ#530129

186

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=537209

187

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=519252

188

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=469881

189

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=476698

190

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=508142

191

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=514051

192

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=519050

193

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=521884

194

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=530129

194

193

)

Chapter 1. Package Updates

This update adds the following enhancement:

* the ability to reset user passwords when logged in to luci as an administrator was added. (BZ#519268

195

)

All Conga users are advised to upgrade to these updated packages, which resolve these issues and add this enhancement.

1.23. coolkey

1.23.1. RHBA-2010:0068: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0068

Updated coolkey packages that resolve several issues are now available.

The coolkey packages contain driver support for CoolKey and Common Access Card (CAC) smart card products.

These updated coolkey packages provide fixes for the following bugs:

* the Department of Defense's alternative CAC tokens are now supported by CoolKey. (BZ#226790

196

197

)

* the libcoolkeypk11.so shared object library, when it was not linked with the pthreads library, became unresponsive when the C_Initialize() function was called following a call to syslog(). This update ensures that libcoolkeypk11.so does not hang when it is not linked with the pthreads threading library and the aforementioned scenario occurs. (BZ#245529

* CoolKey's PKCS#11 module failed to initialize when the C_Initialize() function was called and the CKF_OS_LOCKING flag was set. This issue is related to the fix for BZ#245529 the PKCS#11 module successfully initializes. (BZ#443127

199198

202

)

201200

. With this update,

)

* the Red Hat Enterprise Security Client (ESC) incorrectly identified CAC cards as CoolKey cards, and mistakenly opened the Phone Home dialog after doing so. With this update, CoolKey correctly identifies CAC cards and assigns the correct functionality to them.

With this fix, it is still possible to view certificates and diagnostics for CAC cards, though the management functions are now disabled. Finally, note that the RHBA-2010:0066 esc update must be installed in order to fully resolve this issue. (BZ#499976

* CoolKeys is now able to recognize smart cards that use the T1 protocol, such as the SafeNet 330J, in addition to the T0-protocol cards supported previously. (BZ#514298

195

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=519268

197

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=226790

199

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=245529

198

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=245529

201

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=245529

200

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=245529

202

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=443127

203

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=499976

204

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=514298

203

)

204

)

coreutils

* CoolKey now correctly handles cryptographic operations such as digital signing when using cards with 2048-bit keys. Previously, only 1024-bit keys were supported. (BZ#514299

205

)

All users of coolkey are advised to upgrade to these updated packages, which resolve these issues.

1.24. coreutils

1.24.1. RHBA-2009:1511: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata

RHBA-2009:1511

An updated coreutils package that fixes a regression in the df command is now available.

The coreutils package contains core GNU utilities. It is a combination of the old GNU fileutils, sh-utils, and textutils packages.

This update fixes the following bug:

206

* the coreutils update included with Red Hat Enterprise Linux 5.4 introduced a regression in the df command. Running "df -l" with a specific device specified (for example, "df -l /dev/hda1") resulted in a "Permission denied" message for regular users. This update corrects the regression: specifying a device now works for regular users as it did previously. Note: running "df -l" to list all devices was not affected by this bug: it worked as expected previously and continues to do so subsequent to this update. (BZ#528641

207

)

All coreutils users should upgrade to this updated package, which addresses this regression.

1.24.2. RHBA-2010:0120: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata

RHBA-2010:0120

An updated coreutils package that fixes a bug in the readlink command is now available.

The coreutils package contains core GNU utilities. It is a combination of the old GNU fileutils, sh-utils, and textutils packages.

This update fixes the following bug:

208

* when a directory contained a symbolic link to itself, the readlink command, which displays the value of a symbolic link on standard output, incorrectly gave the following error message when attempting to read the value of the symbolic link (or the value of the symbolic links when recursing through the

205

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=514299

207

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=528641

Chapter 1. Package Updates

directory and its symlink): "Too many levels of symbolic links". With this update, readlink is once again able to correctly resolve and output the value of the recursive symbolic links to containing directories, or "directory loops", thus resolving the issue. (BZ#567545

209

)

All coreutils users should upgrade to this updated package, which addresses this regression.

1.25. cpio

1.25.1. RHSA-2010:0144: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0144

An updated cpio package that fixes two security issues is now available for Red Hat Enterprise Linux

210

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

GNU cpio copies files into or out of a cpio or tar archive.

A heap-based buffer overflow flaw was found in the way cpio expanded archive files. If a user were tricked into expanding a specially-crafted archive, it could cause the cpio executable to crash or execute arbitrary code with the privileges of the user running cpio. (CVE-2010-0624

Red Hat would like to thank Jakob Lell for responsibly reporting the CVE-2010-0624

A denial of service flaw was found in the way cpio expanded archive files. If a user expanded a specially-crafted archive, it could cause the cpio executable to crash. (CVE-2007-4476

211

212

)

issue.

213

)

Users of cpio are advised to upgrade to this updated package, which contains backported patches to correct these issues.

1.26. cpuspeed

1.26.1. RHBA-2010:0035: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0035

209

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=567545

211

https://www.redhat.com/security/data/cve/CVE-2010-0624.html

212

https://www.redhat.com/security/data/cve/CVE-2010-0624.html

213

https://www.redhat.com/security/data/cve/CVE-2007-4476.html

214

crash

An updated cpuspeed package that fixes some initscript exit statuses, avoids loading on problematic CPUs, and starts only after syslogd is now available.

The cpuspeed package configures CPU frequency scaling.

This update fixes the following bugs:

* some exit status codes from the initscript were not in line with LSB standards. The codes were updated, and are now compliant. (BZ#495049

215

)

* where Intel Xeon Processor 7100 series processors were used with Hyper-Threading Technology enabled, cpuspeed loading could create system deadlocks. The cpuspeed settings were changed and system deadlocks no longer occur on this hardware. (BZ#449004

216

)

* the cpuspeed initscript uses syslog to log important information about its status. However, cpuspeed was being started before syslog on boot, and log messages generated by the cpuspeed init script were not being captured. The cpuspeed init script now runs after the syslog init script, and all log messages are now being recorded. (BZ#516224

217

)

Users should upgrade to this updated package, which resolves these issues.

1.27. crash

1.27.1. RHBA-2010:0230: bug fix update

Updated crash packages that fix various bugs and add enhancements are now available.

The crash package is a core analysis suite. It is a self-contained tool that can be used to investigate either live systems, kernel core dumps created from the netdump, diskdump, and kdump packages from Red Hat Linux, the mcore kernel patch offered by Mission Critical Linux, or the LKCD kernel patch.

* if a kdump NMI was issued and the task kernel stack was changed, the backtrace would in some cases fail and produce an error: "bt: cannot transition from exception stack to current process stack". The crash package was updated to report task inconsistencies and change the active task as appropriate. Additionally, a new set -a option was added to manually set tasks to be the active task on its CPU. (BZ#504952

218

)

* if the kernel data structures in a non-matching vmlinux varied widely enough from the kernel that generated the vmcore, erroneous data could be read and consumed. Several new defensive mechanisms have been added and it now fails in a more reasonable manner. (BZ#508156

219

)

* running the bt -a command against a Xen hypervisor resulted in a "cannot resolve stack trace" warning message if the CPU received its shutdown NMI while running in an interrupt handler. The bt command was changed and the error no longer occurs. (BZ#510505

* added support for dumpfile format of virsh dump of KVM kernels. (BZ#510519

215

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=495049

216

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=449004

217

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=516224

218

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=504952

219

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=508156

220

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=510505

221

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=510519

220

)

221

)

Chapter 1. Package Updates

* if a dump was collected when there were one or more cpus offline in the system, an initialization-time failure would occur and the crash would abort. A patch was backported from upstream and the failure no longer occurs. (BZ#520506

222

)

* running the 64-bit bt command could potentially start the backtrace of an active non-crashing task on its per-cpu IRQ stack, cause a faulty transition back to the process stack, the dumping of a bogus exception frame and the message "bt: WARNING: possibly bogus exception frame". The bt command was changed and it now starts from the NMI exception stack, the error no longer occurs. (BZ#523512

223

)

* when the cpu_possible_map contains more CPUs than the cpu_online_map, the set, bt, runq and ps commands would reflect the existing but unused swapper tasks on the non-existent CPUs. The 64-bit PowerPC CPU count determination was fixed and the commands now run as expected. (BZ#550419

224

)

* when INIT-generated pseudo-tasks were running in user-space and the kernel was unable to modify the kernel stack, the backtrace would not identify the interrupted task and would display a "bt: unwind: failed to locate return link" error message. The Itanium backtraces were fixed, and the backtrace now offers information regarding the task that was interrupted. The error message is also suppressed. (BZ #553353)

* using dump to analyze very large xendump core files with ELF sections located beyond a file offset of 4GB resulted in errors. Changes were made to the xc_core_verify() initialization code and dump now works as expected. (BZ #561767)

* The crash utility was rebased. See the changelog linked to in the references section below for full details. (BZ#528184

225

)

All users of crash are advised to upgrade to these updated packages, which resolve these issues.

1.28. ctdb

1.28.1. RHEA-2010:0320: enhancement update

The ctdb package is now available on the ClusterStorage channel.

CTDB is a clustered database based on Samba's Trivial Database (TDB). The ctdb package is a cluster implementation used to store temporary data. If an application is already using TBD for temporary data storage, it can be very easily converted to be cluster-aware and use CTDB.

This update makes the following change:

* CTDB was previously available in the Supplementary channel and is now available in the ClusterStorage channel. (BZ#558493

226

)

Note that CTDB is included as a Technology Preview. Technology Preview features are included in Red Hat Enterprise Linux to provide the features with wide exposure, with the goal of supporting these features in a future release of Red Hat Enterprise Linux. Technology Preview features are not supported under Red Hat Enterprise Linux 5.5 subscription services, and may not be functionally

222

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=520506

223

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=523512

224

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=550419

225

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=528184

226

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=558493

cups

complete. Red Hat welcomes customer feedback and suggestions for Technology Previews. Advisories will be provided for high-severity security issues in Technology Preview features.

All users requiring CTDB should install these newly released packages, which add this enhancement.

1.29. cups

1.29.1. RHBA-2010:0045: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata

RHBA-2010:0045

Updated cups packages that fix a severe memory leak in the CUPS scheduler are now available.

The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX and Unix-like operating systems.

227

This update addresses the following issue:

* when adding or modifying many printer queues, cupsd, the CUPS scheduler leaked memory. For example, running "lpstat" after creating several thousand printer queues caused cupsd to use all available memory, eventually killing other processes and bringing the system down. With this update cupsd no longer leaks memory when adding or modifying large numbers of printer queues and the associated out-of-memory errors and crashes no longer occur. (BZ#552213

228

)

All cups users should upgrade to these updated packages, which resolves this issue.

1.29.2. RHSA-2010:0129: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0129

Updated cups packages that fix one security issue are now available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems.

229

It was discovered that the Red Hat Security Advisory RHSA-2009:1595 did not fully correct the use-after-free flaw in the way CUPS handled references in its file descriptors-handling interface. A remote attacker could send specially-crafted queries to the CUPS server, causing it to crash. (CVE-2010-0302

228

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=552213

230

https://www.redhat.com/security/data/cve/CVE-2010-0302.html

230

)

Chapter 1. Package Updates

Users of cups are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the cupsd daemon will be restarted automatically.

1.29.3. RHSA-2009:1595: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1595

Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

[Updated 12th January 2010] The packages list in this erratum has been updated to include missing i386 packages for Red Hat Enterprise Linux Desktop and RHEL Desktop Workstation.

231

The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems.

A use-after-free flaw was found in the way CUPS handled references in its file descriptors-handling interface. A remote attacker could, in a specially-crafted way, query for the list of current print jobs for a specific printer, leading to a denial of service (cupsd crash). (CVE-2009-3553

232

)

Several cross-site scripting (XSS) flaws were found in the way the CUPS web server interface processed HTML form content. If a remote attacker could trick a local user who is logged into the CUPS web interface into visiting a specially-crafted HTML page, the attacker could retrieve and potentially modify confidential CUPS administration data. (CVE-2009-2820

Red Hat would like to thank Aaron Sigel of Apple Product Security for responsibly reporting the

CVE-2009-2820

234

issue.

233

)

Users of cups are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, the cupsd daemon will be restarted automatically.

1.29.4. RHSA-2009:1513: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1513

235

Updated cups packages that fix two security issues are now available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

232

https://www.redhat.com/security/data/cve/CVE-2009-3553.html

233

https://www.redhat.com/security/data/cve/CVE-2009-2820.html

234

https://www.redhat.com/security/data/cve/CVE-2009-2820.html

RHBA-2010:0210: bug fix update

The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems. The CUPS "pdftops" filter converts Portable Document Format (PDF) files to PostScript.

Two integer overflow flaws were found in the CUPS "pdftops" filter. An attacker could create a malicious PDF file that would cause "pdftops" to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-3608

Red Hat would like to thank Chris Rohlf for reporting the CVE-2009-3608

236

, CVE-2009-3609

237

)

238

issue.

Users of cups are advised to upgrade to these updated packages, which contain a backported patch to correct these issues. After installing the update, the cupsd daemon will be restarted automatically.

1.29.5. RHBA-2010:0210: bug fix update

Updated cups packages that fix several bugs are now available.

The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems.

These updated packages address the following bugs:

* landscape orientation jobs had incorrect page margins. This affects all landscape orientation PDF files, including any landscape job printed from Mac OS X. (BZ#447987

* when running PHP files through the scheduler's web interface the wrong version PHP interpreter was used, causing missing header lines. (BZ#460898

* the tmpwatch package is needed by cups but there was no package dependency on it. (BZ#487495

241

)

240

)

* there was a memory leak in the scheduler's handling of "file:" device URIs. (BZ#496008

* setting quota limits using the lpadmin command did not work correctly. (BZ#496082

* there were several issues with CGI handling in the scheduler, causing custom CGI scripts not to work as expected. (BZ#497632

* the dependencies between the various sub-packages were not made explicit in the package requirements. (BZ#502205

* jobs with multiple files could be removed from a disabled queue when it is re-enabled. (BZ#506257

247

)

* the cups-lpd daemon, for handling RFC 1179 clients, could fail under load due to incorrect temporary file handling. (BZ#523152

236

https://www.redhat.com/security/data/cve/CVE-2009-3608.html

237

https://www.redhat.com/security/data/cve/CVE-2009-3609.html

238

https://www.redhat.com/security/data/cve/CVE-2009-3608.html

239

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=447987

240

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=460898

241

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=487495

242

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=496008

243

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=496082

244

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=497632

245

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=506316

246

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=502205

247

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=506257

248

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=523152

244

, BZ#506316

246

)

248

)

245

)

239

)

242

)

243

)

Chapter 1. Package Updates

* the CUPS PDF input filter is no longer a separate PDF handling implementation, and instead uses the pdftops program from the poppler-utils package directly. (BZ#527429

* adding or modifying many queues could cause the scheduler to leak large amounts of memory. (BZ#540646

250

)

249

)

All cups users should upgrade to these updated packages, which resolve these issues.

1.30. curl

1.30.1. RHSA-2010:0273: Moderate security, bug fix and

enhancement update

Updated curl packages that fix one security issue, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and DICT servers, using any of the supported protocols. cURL is designed to work without user interaction or any kind of interactivity.

Wesley Miaw discovered that when deflate compression was used, libcurl could call the registered write callback function with data exceeding the documented limit. A malicious server could use this flaw to crash an application using libcurl or, potentially, execute arbitrary code. Note: This issue only affected applications using libcurl that rely on the documented data size limit, and that copy the data to the insufficiently sized buffer. (CVE-2010-0734

251

)

This update also fixes the following bugs:

* when using curl to upload a file, if the connection was broken or reset by the server during the transfer, curl immediately started using 100% CPU and failed to acknowledge that the transfer had failed. With this update, curl displays an appropriate error message and exits when an upload fails mid-transfer due to a broken or reset connection. (BZ#479967

252

)

* libcurl experienced a segmentation fault when attempting to reuse a connection after performing GSS-negotiate authentication, which in turn caused the curl program to crash. This update fixes this bug so that reused connections are able to be successfully established even after GSS-negotiate authentication has been performed. (BZ#517199

253

)

As well, this update adds the following enhancements:

* curl now supports loading Certificate Revocation Lists (CRLs) from a Privacy Enhanced Mail (PEM) file. When curl attempts to access sites that have had their certificate revoked in a CRL, curl refuses access to those sites. (BZ#532069

254

)

249

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=527429

250

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=540646

251

https://www.redhat.com/security/data/cve/CVE-2010-0734.html

252

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=479967

253

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=517199

254

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=532069

cyrus-imapd

* the curl(1) manual page has been updated to clarify that the "--socks4" and "--socks5" options do not work with the IPv6, FTPS, or LDAP protocols. (BZ#473128

* the curl utility's program help, which is accessed by running "curl -h", has been updated with descriptions for the "--ftp-account" and "--ftp-alternative-to-user" options. (BZ#517084

255

)

256

)

Users of curl should upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. All running applications using libcurl must be restarted for the update to take effect.

1.31. cyrus-imapd

1.31.1. RHSA-2009:1459: Important security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1459

Updated cyrus-imapd packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5.

257

This update has been rated as having important security impact by the Red Hat Security Response Team.

The cyrus-imapd packages contain a high-performance mail server with IMAP, POP3, NNTP, and Sieve support.

Multiple buffer overflow flaws were found in the Cyrus IMAP Sieve implementation. An authenticated user able to create Sieve mail filtering rules could use these flaws to execute arbitrary code with the privileges of the Cyrus IMAP server user. (CVE-2009-2632

258

, CVE-2009-3235

259

)

Users of cyrus-imapd are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the update, cyrus-imapd will be restarted automatically.

1.32. cyrus-sasl

1.32.1. RHBA-2010:0151: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata

RHBA-2010:0151

260

255

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=473128

256

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=517084

258

https://www.redhat.com/security/data/cve/CVE-2009-2632.html

259

https://www.redhat.com/security/data/cve/CVE-2009-3235.html

Chapter 1. Package Updates

Updated cyrus-sasl packages that resolve an issue are now available.

The cyrus-sasl packages contain the Cyrus implementation of SASL. SASL is the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols.

These updated cyrus-sasl packages fix the following bug:

* multithreaded programs which used the Cyrus SASL libraries could have become unresponsive after attempting to perform authentication routines. This was caused by a failure to release a mutex lock on a data structure in the Cyrus SASL code, which resulted in a race condition, thus causing the program using the library to hang. This race condition has been fixed so that it is thread-safe in this update. (BZ#568084

261

)

All users of cyrus-sasl are advised to upgrade to these updated packages, which resolve this issue.

1.33. dbus

1.33.1. RHSA-2010:0018: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0018

Updated dbus packages that fix a security issue are now available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

D-Bus is a system for sending messages between applications. It is used for the system-wide message bus service and as a per-user-login-session messaging facility.

It was discovered that the Red Hat Security Advisory RHSA-2009:0008 did not correctly fix the denial of service flaw in the system for sending messages between applications. A local user could use this flaw to send a message with a malformed signature to the bus, causing the bus (and, consequently, any process using libdbus to receive messages) to abort. (CVE-2009-1189

Note: Users running any application providing services over the system message bus are advised to test this update carefully before deploying it in production environments.

All users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all running instances of dbus-daemon and all running applications using the libdbus library must be restarted, or the system rebooted.

262

263

)

1.33.2. RHBA-2010:0236: bug fix update

Updated dbus packages that fix a multilib conflict that could cause installation failure on 64-bit architectures are now available.

261

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=568084

263

https://www.redhat.com/security/data/cve/CVE-2009-1189.html

dbus-python

D-Bus is a system for sending messages between applications. It is used for the system-wide message bus service, and as a per-user-login-session messaging facility.

* the dbus api help files (installed to /usr/share/devhelp/books/dbus/api/ by default) included with the dbus-devel sub-package were previously automatically generated for each architecture. These autogenerated files contain different timestamps and internal links and, consequently, caused file conflicts with multilib that could prevent dbus-devel installation on 64-bit architectures. With this update, a pre-generated set of help files, dbus-1.1.2-pregen-doc-api-html.tar.bz2, has been added to the rpm. This removes the multilib file conflicts and allows installation of the dbus-devel sub-package in all circumstances. (BZ#471359

264

)

All D-Bus users should install these updated packages which resolve this issue.

1.34. dbus-python

1.34.1. RHBA-2009:1559: bug fix available

Note

This update has already been released (prior to the GA of this release) as errata

RHBA-2009:1559

Updated dbus-python packages that fix an issue with the puplet package updater are now available for Red hat Enterprise Linux 5.

The dbus-python package provides a Python binding to the D-Bus system message bus.

This updated dbus-python package fixes the following bug:

* the puplet icon in the GNOME Notification Area displays notifications when updated packages are available. However, due to an error in the dbus-python bindings, when updates were available, puplet failed to display a notification. This update corrects the dbus-python bindings with the result that puplet is once again able to notify the user of available updates. (BZ#532142

All users are advised to upgrade to this updated package, which resolves this issue.

265

266

)

1.35. device-mapper

1.35.1. RHBA-2010:0296: bug fix and enhancement update

Updated device-mapper packages that include various bug fixes and enhancements are now available.

The device-mapper packages provide a library required by logical volume management utilities such as LVM2 and dmraid.

This update applies the following bug fixes(BZ#536814

264

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=471359

266

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=532142

267

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=536814

267

Chapter 1. Package Updates

* Fixes crash when hash keys compared are different lengths.

* Restores umask when device node creation fails.

* Does not fork daemon when dmeventd cannot be found.

This update adds the following enhancements:

* Adds splitname command which splits given device name into subsystem constituents.

* Adds y|--yes option to dmsetup for default 'yes' answer to prompts.

* Adds subsystem, vg_name, lv_name, lv_layer fields to dmsetup reports.

* Adds crypt target handling to libdevmapper tree nodes.

All users of device-mapper should upgrade to these updated packages, which resolve these issues and include these enhancements.

1.36. device-mapper-multipath

1.36.1. RHBA-2009:1645: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata

RHBA-2009:1645

Updated device-mapper-multipath packages that fix two bugs are now available.

The device-mapper-multipath packages provide tools to manage multipath devices by giving the device-mapper multipath kernel module instructions on what to do, as well as by managing the creation and removal of partitions for device-mapper devices.

This update addresses the following bugs:

* the udev rules for device-mapper-multipath were causing device-mapper to occasionally create multipath devices without using the user specified uid, gid, or mode. They have been replaced with equivalent rules that do not cause this issue. (BZ#537761

* when LUNs were unmapped from LSI storage arrays, the multipath rdac path checker was not marking the paths as failed. This caused IO to the device to hang instead of fail. The rdac path checker now marks unmapped LUNs as failed. (BZ#538463

Users are advised to upgrade to these updated device-mapper-multipath packages, which resolve these issues.

268

269

)

270

)

1.36.2. RHBA-2010:0255: bug fix and enhancement update

Updated device-mapper-multipath packages that fix several bugs and add various enhancements are now available.

269

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=537761

270

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=538463

RHBA-2010:0255: bug fix and enhancement update

The device-mapper-multipath packages provide tools to manage multipath devices using the devicemapper multipath kernel module.

This update applies the following bug fixes:

* The kpartx utility creates device maps from partition tables. Device-mapper devices with minor numbers greater than 255 caused kpartx to use the UUID from the wrong device when trying to create partitions. If the device had pre-existing partitions, kpartx would fail to create the new partitions. With this update, kpartx is now able to handle device-mapper devices with minor numbers greater than 255. (BZ#526550

271

)

* The udev rules for device-mapper-multipath were causing device-mapper to occasionally create multipath devices without using the user specified uid, gid, or mode. They have been replaced with equivalent rules that do not cause this issue. (BZ#518575

272

)

* When LUNs were unmapped from LSI storage arrays, the multipath rdac path checker was not marking the paths as failed. This caused IO to the device to hang instead of fail. The rdac path checker now marks unmapped LUNs as failed. (BZ#531744

273

)

* The failover path grouping policy was not ordering the paths by priority, causing multipath to failover to the wrong path for devices with manual failback. The multipath paths are now correctly ordered with the failover path grouping policy. (BZ#537977

274

)

* On some storage devices, if a LUN is deleted from an existing multipathd device, and a new LUN is presented to the host, it may end up with the same LUN ID and name as the old LUN. In this case, multipath will assume that this is the old LUN and belongs to the existing multipath device. This cause cause corruption. A new path checker "hp_tur" has been added that verifies the WWID of the LUN when it checks the path, to avoid this problem. (BZ#437585

* The "tur" path checker was marking paths in standby mode as "failed". It now correctly marks them as "ghost". (BZ#473039

* Multipath wasn't correctly showing device renames in dry-run mode. This has been fixed. (BZ#501019

277

)

* Multipath was incorrectly setting the hardware handler for HP StorageWorks devices.This has been fixed. (BZ#475967

278

276

)

* On some storage devices, multipath would display incorrect path information the first time multipath listed the paths after recovery. This has been fixed. (BZ#499080

275

)

279

)

* If a path is removed while it is still part of a multipath device, it was taking multipath minutes to mark it as failed. This should now happen immediately at the end of the next path checking interval. (BZ#527754

271

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=526550

272

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=518575

273

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=531744

274

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=537977

275

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=437585

276

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=473039

277

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=501019

278

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=475967

279

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=499080

280

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=527754

280

)

Chapter 1. Package Updates

* the multipathd daemon needs constant access to /var/lib and /var/run. However it was not allowing any devices mounted under /var to be removed. Now it only keeps open what it needs. (BZ#532424

281

)

* the multipath checker functions were not using the default scsi timeouts. Instead, each checker set its own timeout. Now all checker functions with explicit timeouts use the scsi timeout set it /sys/block/ sd<x>/device/timeout by default. This can be changed by setting the "checker_timeout" option in /etc/ multipath.conf(BZ#553042

282

)

* Multipathd was printing extraneous error messages. This has been fixed. (BZ#472171

BZ#502128

* The multipath man page had some mistakes and missing information. This has been fixed. (BZ#481239

284

, BZ#524178

286

, BZ#510331

285

)

287

, BZ#554830

288

)

283

* A locking error could cause multipathd to deadlock if it failed to create a multipath device correctly. This has been fixed (BZ #537281)

This update adds the following enhancements:

* Default configurations were added for more IBM, HP, SUN, and DELL devices. (BZ#504619

BZ#512243

BZ#545882

290

, BZ#515171

294

)

291

, BZ#517896

292

, BZ#540882

293

* The kpartx utility now supports DASDs devices with more then 65520 cylinders. (BZ#524009

289

295

)

All users are advised to upgrade to these updated packages, which resolve these issues and add these enhancements.

1.37. dhcp

1.37.1. RHBA-2010:0042: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata

RHBA-2010:0042

281

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=532424

282

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=553042

283

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=472171

284

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=502128

285

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=524178

286

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=481239

287

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=510331

288

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=554830

289

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=504619

290

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=512243

291

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=515171

292

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=517896

293

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=540882

294

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=545882

295

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=524009

296

RHBA-2010:0223: bug fix update

A dhcp update that fixes one memory leak is now available.

The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp package provides a relay agent and ISC DHCP service required to enable and administer DHCP on a network.

This update applies the following updates:

* a memory leak in the load_balance_mine() function caused dhcpd, the dhcp server, to leak approximately 20-30 octets per DHCPDISCOVER packet when the server was configured for failover and failover was in a normal state. This particular leak has been closed with this update. (BZ#552211

297

)

Note: depending on the specific DHCP setup on a given system, other memory leaks may still present. Please file a separate bug if DHCP appears to leak memory after applying this update.

All dhcp users should to apply this update which closes this memory leak.

1.37.2. RHBA-2010:0223: bug fix update

A dhcp update that fixes bugs is now available.

DHCP (Dynamic Host Configuration Protocol) is a protocol which allows individual devices on an IP network to get their own network configuration information (IP address, subnetmask, broadcast address, etc.) from a DHCP server.

These updated packages address the following issues:

* When a system running a dhclient received a very short lease (e.g a few seconds), it would constantly have to request a renewal of its lease. The system would spend so much time running the dhclient-script every time it made a request that it would become almost unresponsive. A patch has been added to the code, setting the minimum lease time to 60 seconds. By preventing very short lease times, the server no longer becomes unresponsive from an overload of renewal requests. (BZ#498658

298

)

* When the $localClockFudge variable was empty, the /sbin/dhclient-script added an empty line to the /etc/ntp.conf file when renewing the DHCP lease. This caused the diff command to fail when there was no meaningful difference between the old and new files, thus restarting the NTP daemon unnecessarily. This put useless noise in the log files that get picked up by logwatch. This update provides a slight code change that configures the NTP daemon differently. The /etc/ntp.conf file now only runs if there is a useful value in the $localClockFudge variable. (BZ#532136

299

)

* A memory leak in the load_balance_mine() function caused 20-30 octets per DHCPDISCOVER packet to be leaked when failover was in use and was in its normal state. This caused the performance of the server to be significantly diminished. This update fixes the memory leak in the load_balance_mine() function, allowing the server to perform correctly. (BZ#534117

300

)

Note: depending on the specific DHCP setup on a given system, other memory leaks may still present. Please file a separate bug if DHCP appears to leak memory after applying this update.

297

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=552211

298

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=498658

299

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=532136

300

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=534117

Chapter 1. Package Updates

* A syntax error was discovered in the code of the initscript for the dhcrelay. In the process of restarting, the service would shutdown, but the initscript would fail when attempting to start the service again. A patch has been added, correcting the syntax error in the code. This correction now allows the service to restart correctly. (BZ#555672

301

)

Users are advised to upgrade to these updated dhcp packages which resolve these issues.

1.38. dhcpv6

1.38.1. RHBA-2010:0196: bug fix update

Updated dhcpv6 packages that resolve several issues are now available.

The dhcpv6 packages implement the Dynamic Host Configuration Protocol (DHCP) for Internet Protocol version 6 (IPv6) networks, in accordance with RFC 3315: Dynamic Host Configuration Protocol for IPv6 (DHCPv6). DHCP is a protocol that allows individual devices on an IP network to get their own network configuration information. It consists of: dhcp6c(8), the DHCPv6 client daemon; dhcp6s(8), the DHCPv6 server daemon; and dhcp6r(8), the DHCPv6 relay agent.

These updated packages fix the following bugs:

* previously, the DHCPv6 client was not removing the address assigned to an individual interface after it disconnected. Consequently, the interface kept the same IPv6 address after reconnection. In these updated packages a new IPv6 address is assigned to an interface after disconnecting and reconnecting. (BZ#466251

302

)

* DHCPv6 request packets created by the DHCPv6 client did not contain the "IA" sub-field, which should contain the address advertised by the server. Consequently the DHCPv6 client might have encountered issues trying to interact with other DHCPv6 servers. With this update, the DHCPv6 client now correctly inserts the "IA" field, resolving this issue. (BZ#476974

303

)

* previously, when the DHCPv6 client received the response after sending a "Confirm" message, the client decided if it needed to apply Duplicate Address Dectection (DAD) based on the type of the identity-association (IA) construct in the response. However, the reply from the DHCPv6 server does not always contain an IA in the reply message. Consequently, when running the DHCPv6 client for a second time, the client may have triggered a segmentation fault. In these updated packages, the DHCPv6 client now checks if the reply has an IA before deciding if DAD needs to be applied, resolving this issue. (BZ#515644

304

)

All users of dhcpv6 are advised to upgrade to these updated packages, which resolve this issue.

301

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=555672

302

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=466251

303

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=476974

304

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=515644

dmidecode

1.39. dmidecode

1.39.1. RHEA-2009:1456: enhancement update

Note

This update has already been released (prior to the GA of this release) as errata

RHEA-2009:1456

An updated dmidecode package that adds enhancements is now available.

The dmidecode package provides utilities for extracting x86 and ia64 hardware information from the system BIOS or EFI, depending on the SMBIOS/DMI standard. This information typically includes system manufacturer, model name, serial number, BIOS version, and asset tag.

It also often includes usage status for the CPU sockets, expansion slots (such as AGP, PCI, and ISA) and memory module slots, and a list of input and output ports (such as serial, parallel and USB).

305

This updated package applies the following enhancement:

* the previous version of the dmidecode package was based on an upstream version (2.9), which lacked support for various new hardware items. This updated package includes version 2.10, which updates support for SMBIOS specification version 2.6 and improves DDR3 memory reporting. It adds support for LGA1366 socket devices, decoding PCI-E Gen 2 slot IDs, and for a variety of processors, including the Intel Core i7 and Dual-Core Celeron and Xeon Dual-, Quad- and Multi-Core 3xxx, 5xxx and 7xxx series processors. (BZ#520123

306

)

Users of dmidecode are advised to upgrade to this updated package, which includes this enhanced support.

1.39.2. RHEA-2010:0303: enhancement update

An updated dmidecode package that provides enhancements is now available.

The dmidecode package provides utilities for extracting x86 and Intel Itanium hardware information from the system BIOS or EFI, depending on the SMBIOS/DMI standard. This information typically includes system manufacturer, model name, serial number, BIOS version, and asset tag.

It also often includes usage status for the CPU sockets, expansion slots (such as AGP, PCI, and ISA) and memory module slots, and a list of input and output ports (such as serial, parallel and USB).

This updated package applies the following enhancement:

* the previous version of the dmidecode package was based on an upstream version (2.9), which lacked support for various new hardware items. This updated package provides version 2.10, which updates support for SMBIOS specification version 2.6 and improves DDR3 memory reporting. It adds support for LGA1366 socket devices, decoding PCI-E Gen 2 slot IDs, and for a variety of processors, including the Intel Core i7 and Dual-Core Celeron and Xeon Dual-, Quad- and Multi-Core 3xxx, 5xxx and 7xxx series processors. (BZ#518562

306

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=520123

307

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=518562

307

)

Chapter 1. Package Updates

Users of dmidecode are advised to upgrade to this updated package, which includes this enhanced support.

1.40. dmraid

1.40.1. RHBA-2010:0286: bug fix update

Updated dmraid packages that fix several bugs are now available.

The dmraid packages contain the ATARAID/DDF1 activation tool. The tool supports RAID device discovery and RAID set activation, and displays properties for ATARAID/DDF1-formatted RAID sets on Linux kernels using the device-mapper utility.

These updated dmraid packages fix the following bugs:

* the dmraid-events package was installing the dmevent_syslogpattern.txt file to the /etc/logwatch/ scripts/services directory. The dmevent_syslogpattern.txt file is used by the logwatch service to record event logs. SELinux does not allow write access to the /etc/logwatch/scripts/services directory, and as a result the logwatch service was prevented from updating the log file. The dmraid-events package has now been updated to install the log file at /var/cache/logwatch/dmeventd/syslogpattern.txt, and the log file is updated as expected. (BZ#513402

308

)

* after a hard disk drive rebuild has been completed using dmraid, the LED lights on each disk belonging to the rebuilt RAID volume should turn off. Previously, if the rebuild was initiated manually using the 'dmraid -R' command, the light on the spare disk would remain illuminated, incorrectly indicating that the disk was still being built. When rebuilding automatically with the libdmraid-events library, the light would not remain lit as expected. The dmraid packages have been updated to turn off the light correctly after a manual disk rebuild, and the drive light now correctly indicates the drive state. (BZ#514497

309

)

* dmraid binaries in the /sbin directory previously relied on libraries in the /usr directory. Since the /sbin directory typically only contains programs executed by the root user, reliance on libraries in the /usr directory could result in reference conflicts. The dmraid packages have been updated to no longer rely on the /usr directory, and library references are now improved. (BZ#516852

310

)

* the dmraid-events-logwatch tool would take ownership of directories that were already owned by the logwatch package. This included the following directories:

* /etc/logwatch/conf * /etc/logwatch/conf/services * /etc/logwatch/scripts * /etc/logwatch/scripts/ services

As a consequence, the dmraid-events-logwatch tool and the logwatch package would conflict. The dmraid-events-logwatch package has been updated to own only /etc/logwatch/scripts/services/ dmeventd directory, and the conflict no longer arises with the logwatch package. (BZ#545876

311

)

* modifications to Intel support in the libdmraid tool caused the SONAME field to change. This caused compatibility issues in python-pyblock symbolic links. The version number in the libdmraid tool's file name has been updated, which caused the dependencies to be automatically re- generated during

308

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=513402

309

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=514497

310

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=516852

311

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=545876

dogtail

the build process. The symbolic link is now repaired and there are no compatibility issues between libdmraid and python-pyblock. (BZ#556254

312

)

* the pthread_mutex_trylock symbol was not being exported against the libpthread tool. As a consequence, the libdmraid-events-isw.so object would not be loaded during activation of a RAID5 volume library, reporting that pthread_mutex_trylock was an undefined symbol. Linking has now been added to the libpthread tool, and pthread_mutex_trylock is successfully referenced in the libdmraidevents-isw.so object. (BZ#567922

313

)

All dmraid users should upgrade to these updated packages, which resolve these issues.

1.41. dogtail

1.41.1. RHBA-2010:0009: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0009

314

An updated dogtail package that fixes two bugs is now available.

Dogtail is an automation framework that uses accessibility technologies to communicate with desktop applications. Dogtail exposes desktop elements in a hierarchical interface. The dogtail package includes the GUI tools Script Recorder (dogtail-recorder) and AT-SPI Browser (sniff). Script Recorder creates Python scripts based on user actions and AT-SPI Browser is a graphical browser of the desktop elements hierarchy exposed by Dogtail.

This updated dogtail package fixes the following bugs:

* the destroyAbout function was undefined in the previous Dogtail release. Consequently, the Close button in the AT-SPI Browser About window (Help > About) did not work. This function is now properly defined; the showAbout function calls this function when the Close button is clicked; and the About window closes. Note: the close box in the title bar of the About window worked in both the earlier and current release. (BZ#250219

315

)

* previously, the shebang lines in Dogtail's python scripts pointed to "/usr/bin/env python" rather than explicitly referencing the system-installed Python. This broke these scripts in the case of a user installing an alternative version of Python. With this update, all Dogtail's python scripts point explicitly to the system version at /usr/bin/python. (BZ#521339

316

)

All dogtail users should upgrade to this updated package, which resolves these issues.

312

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=556254

313

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=567922

315

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=250219

316

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=521339

Chapter 1. Package Updates

1.42. dosfstools

1.42.1. RHBA-2010:0007: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0007

An updated dosfstools package that fixes two bugs is now available.

The dosfstools package includes the mkdosfs and dosfsck utilities, which respectively make and check File Allocation Table (FAT) file systems on hard drives or on floppies.

This updated package provides fixes for the following bugs:

* when a FAT file system was created on a device-mapper device, if the drive geometry was not reported correctly to mkdosfs, the command printed it was "unable to get drive geometry" and was using the default drive geometry (255/63) instead. Because of an error, it did not, in fact, do this. Consequently, dosfslabel could not set a label for the newly-created file system. With this update, the error in the mkdosfs command was corrected: when the drive geometry is not correctly reported, mkdosfs now sets the drive geometry to the default values as per its message to STD OUT. Consequently, FAT file systems created with mkdosfs are now correct and dosfslabel can set its label. (BZ#249067

318

)

317

* although dosfstools contains ELF objects, the dosfstools-debuginfo package was empty. With this update the -debuginfo package contains valid debugging information as expected. (BZ#469842

319

)

All dosfstools users should upgrade to this updated package, which resolves these issues.

1.43. dstat

1.43.1. RHSA-2009:1619: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1619

An updated dstat package that fixes one security issue is now available for Red Hat Enterprise Linux

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

320

318

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=249067

319

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=469842

e4fsprogs

Dstat is a versatile replacement for the vmstat, iostat, and netstat tools. Dstat can be used for performance tuning tests, benchmarks, and troubleshooting.

Robert Buchholz of the Gentoo Security Team reported a flaw in the Python module search path used in dstat. If a local attacker could trick a local user into running dstat from a directory containing a Python script that is named like an importable module, they could execute arbitrary code with the privileges of the user running dstat. (CVE-2009-3894

321

)

All dstat users should upgrade to this updated package, which contains a backported patch to correct this issue.

1.44. e4fsprogs

1.44.1. RHBA-2010:0239: bug fix and enhancement update

Enhanced e4fsprogs packages that fix a bug are now available.

The e4fsprogs packages contain a number of utilities for creating, checking, modifying, and correcting inconsistencies in fourth extended (ext4 and ext4dev) file systems. e4fsprogs contains e4fsck (used to repair file system inconsistencies after an unclean shutdown), mke4fs (used to initialize a partition to contain an empty ext4 file system), tune4fs (used to modify file system parameters), and most other core ext4fs file system utilities.

The e4fsprogs packages have been upgraded to upstream version 1.41.9 for Red Hat Enterprise Linux 5.5. These updated packages contain several bug fixes over the previous version.

Important: These packages are now designed and intended to be installed alongside the original e2fsprogs package in Red Hat Enterprise Linux. As such, certain binaries in the e4fsprogs packages have been given new names. For example, the utility that checks ext4 file systems for consistency has been renamed to "e4fsck", thus allowing the original "e2fsck" program from the e2fsprogs package to coexist on the same system.

These updated e4fsprogs packages also include a fix for the following bug:

* pygrub did not understand fourth extended (ext4) /boot partitions, and so was unable to paravirtualize guest domains. e4fsprogs-devel and ev4sprogs-libs packages are provided with this update for pygrub and other applications that require the new ext4 capable e2fsprogs libraries. (BZ#528055

322

)

All users of e4fsprogs are advised to upgrade to these updated packages, which resolve this issue.

1.45. elilo

1.45.1. RHEA-2010:0302: enhancement update

An updated elilo package that adds validation checks and error messages to the boot manager is now available.

321

https://www.redhat.com/security/data/cve/CVE-2009-3894.html

322

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=528055

Chapter 1. Package Updates

ELILO is a Linux boot loader for Extensible Firmware Interface (EFI)-based systems, such as those running an Itanium CPU.RHSA-2009:1341

This update add the following enhancement:

* previously ELILO's boot manager, efibootmgr, returned only two error codes: "0" for success and "1" for failure. There are multiple reasons for the boot manager to fail, however, and diagnosing such failures was difficult with only one all-purpose error code. This update adds validation checks and error messages to identify boot manager failures depending upon the error condition encountered. Error messages now returned when efibootmgr fails include "partition is not valid"; "Failed to open extra arguments"; "Invalid hex characters in boot order" and others. (BZ#250327

323

)

All elilo users should upgrade to this updated package, which adds this feature.

1.46. elinks

1.46.1. RHSA-2009:1471: Important security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1471

An updated elinks package that fixes two security issues is now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

ELinks is a text-based Web browser. ELinks does not display any images, but it does support frames, tables, and most other HTML tags.

An off-by-one buffer overflow flaw was discovered in the way ELinks handled its internal cache of string representations for HTML special entities. A remote attacker could use this flaw to create a specially-crafted HTML file that would cause ELinks to crash or, possibly, execute arbitrary code when rendered. (CVE-2008-7224

325

It was discovered that ELinks tried to load translation files using relative paths. A local attacker able to trick a victim into running ELinks in a folder containing specially-crafted translation files could use this flaw to confuse the victim via incorrect translations, or cause ELinks to crash and possibly execute arbitrary code via embedded formatting sequences in translated messages. (CVE-2007-2027

324

)

326

)

All ELinks users are advised to upgrade to this updated package, which contains backported patches to resolve these issues.

323

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=250327

325

https://www.redhat.com/security/data/cve/CVE-2008-7224.html

326

https://www.redhat.com/security/data/cve/CVE-2007-2027.html

esc

1.47. esc

1.47.1. RHBA-2010:0066: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0066

An updated esc package that fixes various bugs is now available.

The esc package contains the Smart Card Manager tool, which allows users to manage security smart cards. The primary function of the tool is to enroll smart cards, so that they can be used for common cryptographic operations, such as secure email and website access.

This updated esc package includes fixes for the following bugs:

327

* The Enterprise Security Client incorrectly identified CAC cards as CoolKey cards and mistakenly opened the Phone Home connection dialog. With this update, CoolKey correctly identifies CAC cards and assigns the correct functionality to them. With this fix, it is still possible to view certificates and diagnostics for CAC cards, though the management functions are now disabled. RHBA-2010:9263, a CoolKey update, must also be installed to fully resolve this issue. (BZ#467011

* The Enterprise Security Client did not open the Phone Home connection dialog when a blank token was inserted. (BZ#514053

329

)

328

)

* Removing a smart card when the Enterprise Security Client was open could cause the Enterprise Security Client to terminate abnormally. With this update, removing smart cards should no longer cause the Enterprise Security Client to crash. (BZ#517414

330

)

* When creating a password for the Enterprise Security Client, using certain characters, such as the dollar sign and exclamation point, could cause a failure to enroll when entering the password later. This update fixes this problem so that using such symbols when creating passwords does not fail when attempting to enroll. (BZ#549540

331

)

* When the Enterprise Security Client was using an external user interface for enrollment and the UI page could not be downloaded because of a disconnected network or similar problem, then the user could neither enroll nor was made aware of the source of the problem. With this update, when such a situation occurs, a descriptive error message is sent to the user. (BZ#549542

332

)

* Inserting a CAC card into the computer causes the Enterprise Security Client to display an enabled "Enroll" button to the user erroneously because all management functions should be disabled for CAC cards. With this update, when a CAC card is entered, all management functions are disabled, including the "Enroll" function. (BZ#553661

328

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=467011

329

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=514053

330

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=517414

331

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=549540

332

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=549542

333

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=553661

333

)

Chapter 1. Package Updates

All users of the Enterprise Security Client are advised to upgrade to this updated package, which resolves these issues.

1.48. etherboot

1.48.1. RHBA-2010:0227: bug fix update

Updated etherboot packages that fix several bugs are now available.

Etherboot is a software package for creating ROM images (zrom files) that can download code over an Ethernet network to be executed on an x86 computer. Many network adapters have a socket where a ROM chip can be installed. Etherboot is code that can be put in such a ROM.

* the zrom file for use with NE2000-compatible Ethernet cards used by etherboot when network booting using such a card failed to obtain an IP address. Consequently network booting a system with an NE2000-compatible Ethernet card failed, returning an error as follows:

Probing pci nic... Probing isa nic... [NE*000]

With this update the zrom file used by etherboot has been updated and network booting a KVM guest via PXE using NE2000 network card emulation now succeeds as expected. (BZ#511912

* Change glibc32 BuildRequires to file-based BuildRequires. (BZ#521901

335

)

* Use update-alternatives to provide the common /usr/share/qemu-pxe-roms directory. (BZ#546016

* Use 0644 permission on all rom files. (BZ#547773

337

)

334

)

336

All etherboot users should install this update which addresses these issues.

1.49. ethtool

1.49.1. RHBA-2010:0279: bug fix and enhancement update

An enhanced ethtool package that fixes a number of minor issues is now available.

The ethtool utility allows the querying and changing of specific settings on network adapters. These settings include speed, port, link auto-negotiation settings and PCI locations.

This updated package adds the following enhancements:

)

* ethtool can now display all NIC speeds, not just 10/100/1000. (BZ#450162

338

* the redundant INSTALL file has been removed from the package. (BZ#472034

334

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=511912

335

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=521901

336

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=546016

337

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=547773

338

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=450162

339

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=472034

)

339

)

evince

* the ethtool usage message has been fixed to not state that -h requires a DEVNAME. (BZ#472038

* ethtool now recognizes 10000 as a valid speed and includes it as a supported link mode. (BZ#524241

341

, BZ#529395

342

)

340

All ethtool users should upgrade to this updated package which provides these enhancements.

1.50. evince

1.50.1. RHBA-2010:0195: bug fix update

An updated evince package that resolves various issues is now available.

evince is a GNOME-based document viewer.

This updated package resolves the following issues:

* fullscreen mode allows a user to view (in a maximized window) just the document and a single navigation toolbar. Previously, the function that handles the timeout of fullscreen mode was only made aware of the window, rather than the workspace. Consequently, if a user switched to a different workspace while fullscreen mode was enabled, the fullscreen toolbar would persist the top of the screen. With this update, the evince fullscreen toolbar no longer remains after changing workspaces, resolving this issue. (BZ#229173

343

)

* when searching for a string in a document, evince may have miscalculated the scope of the search if a string appeared more than once on a single page. Consequently, if a user was stepping though the search results using the "Find Next" button, evince would not step past the page with multiple matches. With this update, evince now correctly searches the whole document, resolving this issue. (BZ#469379

344

)

* previously, evince classified a single error dialog as a full running instance. Consequently, if an instance of evince contained only an error dialog, any document opened would appear that instance. This may have confused users, as documents were displayed in the workspace where the error dialog is located, rather than the current workspace. In this updated package, evince no longer treats a single error dialog as an opened document, resolving this issue. (BZ#504334

345

)

* when rendering a page of a PDF document, evince displays a blank page, with just the text "Loading..." visible until the page is ready to be viewed. Previously, evince was not checking if the drawing area for the loading page could be allocated. Consequently, if a PDF document with large page dimensions was opened evince may have crashed, returning a segmentation fault. With this update, the drawing area for the loading page is now correctly allocated, resolving this issue. (BZ#499676

346

)

All evince users are advised to upgrade to this updated package, which resolves these issues.

340

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=472038

341

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=524241

342

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=529395

343

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229173

344

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=469379

345

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=504334

346

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=499676

Chapter 1. Package Updates

1.51. exim

1.51.1. RHBA-2009:1627: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1627

Updated exim packages that resolve several issues are now available.

Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. It is freely available under the terms of the GNU General Public Licence. In style it is similar to Smail 3, but its facilities are more general. There is a great deal of flexibility in the way mail can be routed, and there are extensive facilities for checking incoming mail. Exim can be installed in place of sendmail, although the configuration of exim is quite different to that of sendmail.

347

These updated exim packages provide fixes for the following bugs:

* The exim init script would return with error code 0 regardless of if the service had actually been started. An incorrect return code would be issued concerning the exim init script because of an unimplemented feature of the script. These bugs concerning the exim init script have been corrected by modifying it to return a value of 2 on an unsupported command, a return of 1 when the $NETWORKING parameter is set to no, returning the correct status error to the user and forcing the script to restart (using condrestart) when the status is not equal to 0.

* The default configuration referred to an undefined domain list causing errors when trying to relay email. The correct domain list of relay_to_domains is now utilized.

* Exim listened on all interfaces by default, whereas Sendmail and Postfix only listen on loopback by default. Administrators who would assume exim had default settings configured the same as Sendmail and Postfix may have introduced a security hole when installing exim. To correct this the code segment local_interfaces = <; 127.0.0.1 ; ::1; has been added to the default configuration; allowing Administrators to treat exim default settings the same as Sendmail and Postfix.

* Exim used to attempt generation of the certificate on installation instead of the first start, which could cause the installation to fail when the certificate could not be generated. Certificate generation is now undertaken upon the first start of exim after installation, allowing the installation to succeed.

All users of exim are advised to upgrade to these updated packages, which resolve these issues.

fetchmail

1.52. fetchmail

1.52.1. RHSA-2009:1427: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1427

An updated fetchmail package that fixes multiple security issues is now available for Red Hat Enterprise Linux 3, 4, and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Fetchmail is a remote mail retrieval and forwarding utility intended for use over on-demand TCP/IP links, such as SLIP and PPP connections.

348

It was discovered that fetchmail is affected by the previously published "null prefix attack", caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefullycrafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse fetchmail into accepting it by mistake. (CVE-2009-2666

349

)

A flaw was found in the way fetchmail handles rejections from a remote SMTP server when sending warning mail to the postmaster. If fetchmail sent a warning mail to the postmaster of an SMTP server and that SMTP server rejected it, fetchmail could crash. (CVE-2007-4565

350

)

A flaw was found in fetchmail. When fetchmail is run in double verbose mode ("-v -v"), it could crash upon receiving certain, malformed mail messages with long headers. A remote attacker could use this flaw to cause a denial of service if fetchmail was also running in daemon mode ("-d"). (CVE-2008-2711

351

)

Note: when using SSL-enabled services, it is recommended that the fetchmail "--sslcertck" option be used to enforce strict SSL certificate checking.

All fetchmail users should upgrade to this updated package, which contains backported patches to correct these issues. If fetchmail is running in daemon mode, it must be restarted for this update to take effect (use the "fetchmail --quit" command to stop the fetchmail process).

349

https://www.redhat.com/security/data/cve/CVE-2009-2666.html

350

https://www.redhat.com/security/data/cve/CVE-2007-4565.html

351

https://www.redhat.com/security/data/cve/CVE-2008-2711.html

Chapter 1. Package Updates

1.53. filesystem

1.53.1. RHBA-2009:1481: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1481

An updated filesystem package that corrects the owners of certain directories is now available for Red Hat Enterprise Linux 5.

The filesystem package is one of the basic packages that is installed on a Red Hat Linux system. Filesystem contains the basic directory layout for the Linux operating system, including the correct permissions for directories.

This updated filesystem package fixes the following bug:

* a number of file system directories were unowned. This update corrects the ownership of the following directories: /usr/src/debug, /usr/src/kernels, several directories in /usr/share/man, /usr/share/ locale and, under it, the LC_MESSAGES subdirectory for several locales. In addition, for the sake of consistency this updated filesystem package now owns, but does not create, the locale-specific man page directories located under /usr/share/man/[locale]. (BZ#487568

352

353

)

All users of filesystem are advised to upgrade to this updated package, which resolves this issue.

1.54. firefox

1.54.1. RHSA-2010:0112: Critical security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0112

Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

A use-after-free flaw was found in Firefox. Under low memory conditions, visiting a web page containing malicious content could result in Firefox executing arbitrary code with the privileges of the user running Firefox. (CVE-2009-1571

354

355

)

353

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=487568

355

https://www.redhat.com/security/data/cve/CVE-2009-1571.html

RHSA-2009:1674: Critical security update

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-0159

356

, CVE-2010-0160

357

)

Two flaws were found in the way certain content was processed. An attacker could use these flaws to create a malicious web page that could bypass the same-origin policy, or possibly run untrusted JavaScript. (CVE-2009-3988

358

, CVE-2010-0162

359

)

For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.18. You can find a link to the Mozilla advisories in the References section of this errata.

All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.18, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

1.54.2. RHSA-2009:1674: Critical security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1674

360

Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

361

, CVE-2009-3981

362

, CVE-2009-3986

363

)

A flaw was found in the Firefox NT Lan Manager (NTLM) authentication protocol implementation. If an attacker could trick a local user that has NTLM credentials into visiting a specially-crafted web page, they could send arbitrary requests, authenticated with the user's NTLM credentials, to other applications on the user's system. (CVE-2009-3983

364

)

A flaw was found in the way Firefox displayed the SSL location bar indicator. An attacker could create an unencrypted web page that appears to be encrypted, possibly tricking the user into believing they are visiting a secure page. (CVE-2009-3984

356

https://www.redhat.com/security/data/cve/CVE-2010-0159.html

357

https://www.redhat.com/security/data/cve/CVE-2010-0160.html

358

https://www.redhat.com/security/data/cve/CVE-2009-3988.html

359

https://www.redhat.com/security/data/cve/CVE-2010-0162.html

361

https://www.redhat.com/security/data/cve/CVE-2009-3979.html

362

https://www.redhat.com/security/data/cve/CVE-2009-3981.html

363

https://www.redhat.com/security/data/cve/CVE-2009-3986.html

364

https://www.redhat.com/security/data/cve/CVE-2009-3983.html

365

https://www.redhat.com/security/data/cve/CVE-2009-3984.html

365

)

Chapter 1. Package Updates

A flaw was found in the way Firefox displayed blank pages after a user navigates to an invalid address. If a user visits an attacker-controlled web page that results in a blank page, the attacker could inject content into that blank page, possibly tricking the user into believing they are viewing a legitimate page. (CVE-2009-3985

366

)

For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.16. You can find a link to the Mozilla advisories in the References section of this errata.

All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.16, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

1.54.3. RHSA-2009:1530: Critical security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1530

367

Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. nspr provides the Netscape Portable Runtime (NSPR).

A flaw was found in the way Firefox handles form history. A malicious web page could steal saved form data by synthesizing input events, causing the browser to auto-fill form fields (which could then be read by an attacker). (CVE-2009-3370

368

)

A flaw was found in the way Firefox creates temporary file names for downloaded files. If a local attacker knows the name of a file Firefox is going to download, they can replace the contents of that file with arbitrary contents. (CVE-2009-3274

369

)

A flaw was found in the Firefox Proxy Auto-Configuration (PAC) file processor. If Firefox loads a malicious PAC file, it could crash Firefox or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3372

370

)

A heap-based buffer overflow flaw was found in the Firefox GIF image processor. A malicious GIF image could crash Firefox or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3373

371

)

A heap-based buffer overflow flaw was found in the Firefox string to floating point conversion routines. A web page containing malicious JavaScript could crash Firefox or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-1563

366

https://www.redhat.com/security/data/cve/CVE-2009-3985.html

368

https://www.redhat.com/security/data/cve/CVE-2009-3370.html

369

https://www.redhat.com/security/data/cve/CVE-2009-3274.html

370

https://www.redhat.com/security/data/cve/CVE-2009-3372.html

371

https://www.redhat.com/security/data/cve/CVE-2009-3373.html

372

https://www.redhat.com/security/data/cve/CVE-2009-1563.html

372

)

RHSA-2009:1430: Critical security update

A flaw was found in the way Firefox handles text selection. A malicious website may be able to read highlighted text in a different domain (e.g. another website the user is viewing), bypassing the sameorigin policy. (CVE-2009-3375

373

)

A flaw was found in the way Firefox displays a right-to-left override character when downloading a file. In these cases, the name displayed in the title bar differs from the name displayed in the dialog body. An attacker could use this flaw to trick a user into downloading a file that has a file name or extension that differs from what the user expected. (CVE-2009-3376

374

)

375

, CVE-2009-3380

376

, CVE-2009-3382

377

)

For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.15. You can find a link to the Mozilla advisories in the References section of this errata.

All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.15, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

1.54.4. RHSA-2009:1430: Critical security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1430

Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. nspr provides the Netscape Portable Runtime (NSPR).

CVE-2009-3074

382

, CVE-2009-3075

A use-after-free flaw was found in Firefox. An attacker could use this flaw to crash Firefox or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3077

378

383

379

, CVE-2009-3071

380

, CVE-2009-3072

381

)

384

)

373

https://www.redhat.com/security/data/cve/CVE-2009-3375.html

374

https://www.redhat.com/security/data/cve/CVE-2009-3376.html

375

https://www.redhat.com/security/data/cve/CVE-2009-3374.html

376

https://www.redhat.com/security/data/cve/CVE-2009-3380.html

377

https://www.redhat.com/security/data/cve/CVE-2009-3382.html

379

https://www.redhat.com/security/data/cve/CVE-2009-3070.html

380

https://www.redhat.com/security/data/cve/CVE-2009-3071.html

381

https://www.redhat.com/security/data/cve/CVE-2009-3072.html

382

https://www.redhat.com/security/data/cve/CVE-2009-3074.html

383

https://www.redhat.com/security/data/cve/CVE-2009-3075.html

384

https://www.redhat.com/security/data/cve/CVE-2009-3077.html

Chapter 1. Package Updates

A flaw was found in the way Firefox handles malformed JavaScript. A website with an object containing malicious JavaScript could execute that JavaScript with the privileges of the user running Firefox. (CVE-2009-3079

385

)

Descriptions in the dialogs when adding and removing PKCS #11 modules were not informative. An attacker able to trick a user into installing a malicious PKCS #11 module could use this flaw to install their own Certificate Authority certificates on a user's machine, making it possible to trick the user into believing they are viewing a trusted site or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3076

386

)

A flaw was found in the way Firefox displays the address bar when window.open() is called in a certain way. An attacker could use this flaw to conceal a malicious URL, possibly tricking a user into believing they are viewing a trusted site. (CVE-2009-2654

387

)

A flaw was found in the way Firefox displays certain Unicode characters. An attacker could use this flaw to conceal a malicious URL, possibly tricking a user into believing they are viewing a trusted site. (CVE-2009-3078

388

)

For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.14. You can find a link to the Mozilla advisories in the References section of this errata.

All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.14, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

1.55. firstboot

1.55.1. RHBA-2010:0314: bug fix update

Updated firstboot packages that fix a bug are now available.

The firstboot utility runs after installation. It guides the user through a series of steps that allows for easier configuration of the machine.

These updated packages address the following issue:

* Clicking [Change Network Configuration] from firstboot's network configuration page launched a separate network configuration window. If the user then clicked [Forward] on the still-visible main window, the separate configuration window became hidden behind the full-screen main window.

Further mouse-clicks would be ineffectual and it could appear to the user that the system had become unresponsive. It was necessary to use the alt+tab keys to reveal the hidden configuration window.

Code has been added to the networking.py source file to modify the behavior of the network configuration and main windows. Now the configuration window will stay on top if the user clicks outside its boundary. (BZ#511984

389

)

Users are advised to upgrade to these updated packages, which resolve this issue.

385

https://www.redhat.com/security/data/cve/CVE-2009-3079.html

386

https://www.redhat.com/security/data/cve/CVE-2009-3076.html

387

https://www.redhat.com/security/data/cve/CVE-2009-2654.html

388

https://www.redhat.com/security/data/cve/CVE-2009-3078.html

389

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=511984

freeradius

1.56. freeradius

1.56.1. RHSA-2009:1451: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1451

Updated freeradius packages that fix a security issue are now available for Red Hat Enterprise Linux

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service (RADIUS) server, designed to allow centralized authentication and authorization for a network.

390

An input validation flaw was discovered in the way FreeRADIUS decoded specific RADIUS attributes from RADIUS packets. A remote attacker could use this flaw to crash the RADIUS daemon (radiusd) via a specially-crafted RADIUS packet. (CVE-2009-3111

Users of FreeRADIUS are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, radiusd will be restarted automatically.

391

)

1.56.2. RHBA-2009:1678: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1678

Updated freeradius packages that fix a bug are now available.

FreeRADIUS is an Internet authentication daemon, which implements the RADIUS protocol, as defined in RFC 2865 (and others). It allows Network Access Servers (NAS boxes) to perform authentication for dial-up users. There are also RADIUS clients available for Web servers, firewalls, Unix logins, and more. Using RADIUS allows authentication and authorization for a network to be centralized, and minimizes the amount of re-configuration which has to be done when adding or deleting new users.

392

This update addresses the following bug:

* an error in the EAP authentication module could cause memory corruption. Running the radeapclient utility would typically expose the problem. An error message including text such as this

*** glibc detected *** radeapclient: free(): invalid pointer:

391

https://www.redhat.com/security/data/cve/CVE-2009-3111.html

Chapter 1. Package Updates

presented and radeapclient would then abort abnormally. This update corrects the error in the EAP authentication module. The module no longer corrupts memory and applications such as radeapclient that use this module work as expected. (BZ#476513

393

)

All freeradius users should install these updated packages, which fix this problem.

1.57. gail

1.57.1. RHBA-2009:1594: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1594

Updated gail packages that resolve an issue are now available.

GAIL, the GNOME Accessbility Implementation Library, implements the abstract interfaces found in the Accessibility Toolkit (ATK) for GTK+ and GNOME libraries, and thereby enables accessibility technologies such as AT-SPI (the Assistive Technology Service Provider Interface) to access GUI elements.

394

These updated gail packages fix the following bug:

* when starting a GNOME application at the shell prompt, the GAIL library incorrectly printed the following spurious error message when the "GNOME_ACCESSIBILITY" environment variable was set to "0", which disables GNOME accessibility support: "GTK Accessibility Module initialized". With this update, this message no longer appears when the "GNOME_ACCESSIBILITY" environment variable is set to "0". (BZ#506561

395

)

All users of gail are advised to upgrade to these updated packages, which resolve this issue.

1.58. gcc

1.58.1. RHBA-2009:1533: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata

RHBA-2009:1533

A gcc update that resolves an option handling bug where only the last "-fno-builtin-*" option specified on the command line was honored is now available.

396

The gcc packages include C, C++, Java, Fortran, Objective C, and Ada 95 GNU compilers, along with related support libraries.

393

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=476513

395

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=506561

RHSA-2010:0039: Moderate and gcc4 security update

This update fixes the following bug:

* if multiple "-fno-builtin-*" options were specified on the command line (for example, "-fno-builtiniswalpha -fno-builtin-iswalnum") only the last option was honored (in the example, -fno-builtiniswalnum). With this update, joined switches are no longer pruned, ensuring all such options are honored, as expected. (BZ#526421

397

)

Users are advised to install this gcc update, which applies this fix.

1.58.2. RHSA-2010:0039: Moderate and gcc4 security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0039

Updated gcc and gcc4 packages that fix one security issue are now available for Red Hat Enterprise Linux 3, 4, and 5.

398

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

The gcc and gcc4 packages include, among others, C, C++, and Java GNU compilers and related support libraries. libgcj contains a copy of GNU Libtool's libltdl library.

A flaw was found in the way GNU Libtool's libltdl library looked for libraries to load. It was possible for libltdl to load a malicious library from the current working directory. In certain configurations, if a local attacker is able to trick a local user into running a Java application (which uses a function to load native libraries, such as System.loadLibrary) from within an attacker-controlled directory containing a malicious library or module, the attacker could possibly execute arbitrary code with the privileges of the user running the Java application. (CVE-2009-3736

399

)

All gcc and gcc4 users should upgrade to these updated packages, which contain a backported patch to correct this issue. All running Java applications using libgcj must be restarted for this update to take effect.

1.58.3. RHBA-2010:0232: bug fix update

A gcc update that resolves several compiler bugs is now available.

The gcc packages include C, C++, Java, Fortran, Objective C, and Ada 95 GNU compilers, along with related support libraries.

This update applies the following bug fixes:

* when compiling a debug version of a C++ program, it was possible for gcc to lose debug information for some local variables in C++ constructors or destructors. This was because gcc incorrectly released information on abstract functions (specifically, contents of the DECL_INITIAL() function), which are needed for creating debug information. With this release, nodes containing abstract functions

397

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=526421

399

https://www.redhat.com/security/data/cve/CVE-2009-3736.html

Chapter 1. Package Updates

are flagged accordingly to prevent gcc from prematurely discarding needed debug information. (BZ#513184

* when issuing multiple -fno-builtin-* switches to gcc, gcc only registered the last switch. With this release, gcc can now register multiple -fno-builtin-* switches correctly. (BZ#515799

400

)

401

)

* in some cases, aggregates returned by value could cause reload failures in the caller function, resulting in an internal compiler error. This was caused by a bug in the combining code that incorrectly lengthens the lifetime of a hard register. This update applies a patch to expand_call function in gcc/ calls.c that resolves the issue. (BZ#516028

402

)

* using g++ to compile code containing virtual inheritances could result in a segmentation fault. This was because the dynamic_cast code in gcc did not use src2dst hints as expected; as a result, g++ could search an unnecessarily large address list for possible bases. With this release, the dynamic_cast code now uses src2dst hints; this allows g++ to defer searching bases that don't overlap with a virtual inheritance's address. (BZ#519519

403

)

* On PowerPC, it was possible for DWARF access to function parameters to fail. This was caused by a bug in the GCC instruction set for PowerPC, where compiling with -mno-sched-prolog could discard debug location lists. This update fixes the bug, ensuring consistent DWARF access to function parameters on PowerPC. (BZ#528792

404

)

* The libgcc undwinder now supports DW_OP_swap handling. This update also fixes bugs in the way unwinding code handled unwind information from DW_OP_{gt,ge,lt,le} and DW_CFA_{remember,restore}_state. (BZ#555731

405

)

All GCC users are advised to install this update.

1.59. gd

1.59.1. RHSA-2010:0003: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0003

Updated gd packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

The gd packages provide a graphics library used for the dynamic creation of images, such as PNG and JPEG.

400

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=513184

401

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=515799

402

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=516028

403

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=519519

404

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=528792

405

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=555731

406

gdb

A missing input sanitization flaw, leading to a buffer overflow, was discovered in the gd library. A specially-crafted GD image file could cause an application using the gd library to crash or, possibly, execute arbitrary code when opened. (CVE-2009-3546

407

)

Users of gd should upgrade to these updated packages, which contain a backported patch to resolve this issue.

1.60. gdb

1.60.1. RHBA-2010:0285: bug fix update

An updated gdb package that fixes various bugs is now available.

The GNU Project debugger, GDB, debugs programs written in C, C++, and other languages by executing them in a controlled fashion, and then printing out their data.

With this update, GDB is now re-based to upstream version 7.0.1 (BZ#526533

408

). This applies several bug fixes and enhancements not listed here. For a full description of this version, refer to the following link: http://sourceware.org/cgi-bin/cvsweb.cgi/src/gdb/NEWS.diff?cvsroot=src&r1=t ext&tr1=1.259.2.1&r2=text&tr2=1.331.2.2&f=u

This update applies the following bug fixes:

* Printing values from a debugged program by dereferencing a pointer to an object of dynamic type printed out an error stating "Cannot resolve DW_OP_push_object_address for a missing object". Such pointers are produced by an unsupported iFort compiler, not by gfortran. With this update, GDB can now dereference pointers to objects of dynamic type, thereby correctly printing the dynamic Fortran arrays dereferenced from such pointers (as produced by the iFort compiler). (BZ#514287

409

)

* Debugging a program with thousands of set breakpoints was unacceptably slow. This was because a previous patch introduced a mechanism that hid breakpoint instructions and returned "shadow" content whenever target_read_memory() accessed memory. The aforementioned patch was implemented upstream to be used with a "breakpoint always-inserted" option, which was not implemented in Red Hat Enterprise Linux version of GDB. But Red Hat Enterprise Linux version backported it to solve a problem on Itanium where instruction (and thus even breakpoint instruction) boundaries are not byte-aligned. This update reimplements the shadowing functionality using more optimal log(n) algorithm instead, which consequently prevents any unnecessary slowdown when processing programs with numerous set breakpoints. (BZ#520618

410

)

* GDB incorrectly skipped OpenMP parallel sections (instead of entering them as expected) when using the "next" command. This was caused by missing DWARF annotations from GCC that made it possible for OpenMP parallel sections to be incorrectly classified as function calls. To address this, GDB contains special instructions to make OpenMP parallel sections indifferent to normal code, allowing GDB to step into parallel sections with "next" correctly. (BZ#533176

* The GDB version banner now correctly displays "Red Hat Enterprise Linux" instead of "Fedora". (BZ#537788

407

https://www.redhat.com/security/data/cve/CVE-2009-3546.html

408

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=526533

409

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=514287

410

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=520618

411

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=533176

412

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=537788

412

)

411

)

Chapter 1. Package Updates

* GDB no longer obsoletes the pstack package. (BZ#550786

413

)

* Loading symbols in STABS debug format could crash GDB. The STABS format is no longer supported, as Red Hat Enterprise Linux uses the debug format DWARF. With this update, loading symbols in STABS format no longer crashes GDB; instead, such symbols are simply loaded incorrectly. (BZ#553672

414

)

* Adding GDB support for Fortran modules in previous releases introduced a regression which prevented GDB from setting breakpoints on a Fortran program's name. This was caused by a bug in the search routines used when "set language fortran" is enabled. This update fixes the regression. (BZ#559291

415

)

* The Red Hat Enterprise Linux 5.5 version of GDB also contains a fix for an upstream GDB regression that prevented users from setting rwatch and awatch breakpoints before a program starts. This version of GDB implements a compatibility fix from GDB 6.8 to address the regression. (BZ#562770

416

)

* A "break-by-name on inlined functions" feature introduced in Fedora GDB made it possible for parameters of inlined functions to be incorrectly hidden. Whenever this occurred during debugging, GDB printed "<optimized out>" in backtraces or upon entering such functions. In some cases, stepping through inlined functions could also abort GDB with an internal error. This release resolves the issue by removing the "break-by-name on inlined functions" feature altogether. (BZ#565601

417

)

All GDB users should apply this update.

1.61. gfs-kmod

1.61.1. RHSA-2010:0291: Moderate security, bug fix and enhancement update

Updated gfs-kmod packages that fix one security issue, numerous bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5.5, kernel release 2.6.18-194.el5.

The gfs-kmod packages contain modules that provide the ability to mount and use GFS file systems.

A flaw was found in the gfs_lock() implementation. The GFS locking code could skip the lock operation for files that have the S_ISGID bit (set-group-ID on execution) in their mode set. A local, unprivileged user on a system that has a GFS file system mounted could use this flaw to cause a kernel panic. (CVE-2010-0727

These updated gfs-kmod packages are in sync with the latest kernel (2.6.18-194.el5). The modules in earlier gfs-kmod packages failed to load because they did not match the running kernel. It was possible to force-load the modules. With this update, however, users no longer need to.

413

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=550786

414

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=553672

415

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=559291

416

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=562770

417

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=565601

418

https://www.redhat.com/security/data/cve/CVE-2010-0727.html

418

)

gfs-utils

These updated gfs-kmod packages also fix the following bugs:

* when SELinux was in permissive mode, a race condition during file creation could have caused one or more cluster nodes to be fenced and lock the remaining nodes out of the GFS file system. This race condition no longer occurs with this update. (BZ#471258

419

)

* when ACLs (Access Control Lists) are enabled on a GFS file system, if a transaction that has started to do a write request does not have enough spare blocks for the operation it causes a kernel panic. This update ensures that there are enough blocks for the write request before starting the operation. (BZ#513885

420

)

* requesting a "flock" on a file in GFS in either read-only or read-write mode would sometimes cause a "Resource temporarily unavailable" state error (error 11 for EWOULDBLOCK) to occur. In these cases, a flock could not be obtained on the file in question. This has been fixed with this update so that flocks can successfully be obtained on GFS files without this error occurring. (BZ#515717

421

)

* the GFS withdraw function is a data integrity feature of GFS file systems in a cluster. If the GFS kernel module detects an inconsistency in a GFS file system following an I/O operation, the file system becomes unavailable to the cluster. The GFS withdraw function is less severe than a kernel panic, which would cause another node to fence the node. With this update, you can override the GFS withdraw function by mounting the file system with the "-o errors=panic" option specified. When this option is specified, any errors that would normally cause the system to withdraw cause the system to panic instead. This stops the node's cluster communications, which causes the node to be fenced. (BZ#517145

422

)

Finally, these updated gfs-kmod packages provide the following enhancement:

* the GFS kernel modules have been updated to use the new generic freeze and unfreeze ioctl interface that is also supported by the following file systems: ext3, ext4, GFS2, JFS and ReiserFS. With this update, GFS supports freeze/unfreeze through the VFS-level FIFREEZE/FITHAW ioctl interface. (BZ#487610

423

)

Users are advised to upgrade to these latest gfs-kmod packages, updated for use with the

2.6.18-194.el5 kernel, which contain backported patches to correct these issues, fix these bugs, and add this enhancement.

1.62. gfs-utils

1.62.1. RHBA-2010:0290: bug fix update

Updated gfs-utils packages that fix various bugs are now available.

The gfs-utils packages provide the user-space tools necessary to mount, create, maintain and test GFS file systems.

The updated gfs-utils packages apply the following bug fixes:

419

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=471258

420

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=513885

421

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=515717

422

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=517145

423

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=487610

Chapter 1. Package Updates

* GFS: gfs_fsck sometimes needs to be run twice (BZ#509225 problems when directly on block device (BZ#512722 found (BZ#508978

426

)

425

) * gfs_fsck -n always returns 0 even if error is

424

) * gfs_fsck cannot repair rindex

All users of gfs-utils should upgrade to these updated packages, which resolve these issues.

1.63. gfs2-utils

1.63.1. RHBA-2010:0287: bug fix update

Updated gfs2-utils packages that fix various bugs are now available.

The gfs2-utils packages provide the user-space tools necessary to mount, create, maintain and test GFS2 file systems.

The updated gfs2-utils packages apply the following bug fixes:

gfs2_edit segfault (BZ#503485 Message printed to stderr instead of stdout (BZ#506682 gfs2_mount (BZ#514939 "fsck.gfs2: invalid option -- a" on boot when mounting root formatted as gfs2 (BZ#507596 GFS2: gfs2_fsck bugs found in rindex repair code (BZ#514018 (BZ#503529

434

) gfs2-utils fails rebuild test (BZ#515370 offset on gfs1 and segfaults on gfs2 (BZ#506343 for block size < 4K (BZ#520762 (BZ#527770

438

) GFS2: fsck.gfs2 should fix the system statfs file (BZ#539337 savemeta bugs (BZ#528786 interrupted rgrp conversion does not allow re-converts (BZ#548585 are of different metatree heights in gfs and gfs2 is incorrect (BZ#548588 RO mounted file systems (BZ#557128 gfs2_convert doesn't convert jdata files correctly (BZ#545602 after gfs2_grow (BZ#546683

427

) gfs2_edit produces unaligned access (BZ#503530

430

) GFS2: fsck.gfs2 sometimes needs to be run twice (BZ#500483

436

437

) GFS2: gfs2_edit savemeta not saving all extended attribute data

440

) quota file size not a multiple of struct gfs2_quota(BZ#536902

444

) GFS2: gfs2_convert should fix statfs file (BZ#556961

447

)

429

) gfs2_tool man page incorrectly references

433

435

) gfs2_edit -p block# shows wrong height/

) GFS2: gfs2_edit fixes for 5.5

) fsck.gfs2 unable to fix some rindex corruption

439

442

) Conversion of inodes that

443

) Allow fsck.gfs2 to check

446

) GFS2: fatal: invalid metadata block

428

) fsck.gfs2:

431

)

432

)

) GFS2: gfs2_edit

441

)

445

)

424

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=509225

425

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=512722

426

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=508978

427

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=503485

428

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=503530

429

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=506682

430

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=514939

431

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=500483

432

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=507596

433

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=514018

434

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=503529

435

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=515370

436

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=506343

437

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=520762

438

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=527770

439

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=539337

440

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=528786

441

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=536902

442

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=548585

443

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=548588

444

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=557128

445

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=556961

446

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=545602

glibc

All users of gfs2-utils should upgrade to these updated packages, which resolve these issues.

1.64. glibc

1.64.1. RHBA-2009:1634: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata

RHBA-2009:1634

Updated glibc packages that resolve several issues are now available.

The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contains the standard C and the standard math libraries. Without these two libraries, the Linux system cannot function properly.

448

These updated glibc packages provide fixes for the following bugs:

* when a thread calls the setuid() function, the change of credentials needs to be performed in every thread as per POSIX requirements. This update corrects the implementation to avoid a race condition which occurred when a thread terminated or a new thread was created while the credential change was performed. (BZ#533213

449

)

* the implementation of the seg_timedwait() function, in assembler, incorrectly decremented the number of waiting threads stored in a block of memory when an invalid nanosecond value was passed through its second argument. This error is corrected in this update. (BZ#540475

450

)

All users of glibc are advised to upgrade to these updated packages, which resolve these issues.

1.64.2. RHBA-2010:0050: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata

RHBA-2010:0050

Updated glibc packages that fix a race condition while loading shared libraries are now available

451

These updated glibc packages provide a fix for the following bug:

447

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=546683

449

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=533213

450

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=540475

Chapter 1. Package Updates

* a rarely-encountered and difficult-to-reproduce race condition existed between resolving dynamic symbols and loading shared libraries that could have resulted in library dependencies not being resolved. This update provides a fix that avoids the potential race condition. (BZ#548692

452

)

All users are advised to upgrade to these updated packages, which resolve this issue.

1.64.3. RHBA-2010:0306: bug fix and enhancement update

Updated glibc packages that fix several bugs and add an enhancement are now available.

The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, the Linux system cannot function properly.

This update applies the following bug fixes:

* a race condition with seteuid() occured between the threads that run on starting the program, presenting the error "EUID is already set!" within 10 to 15 seconds. These updates provide exclusive processes running with no error on startup. (BZ#491995

* assembler implementation of sem_timedwait() on x86/x86_64 wrongly decrements the number of waiting threads stored in block of memory pointed to by (sem_t *) when an invalid nanosecond argument is used. This fix allows the correct nanosecond argument to be passed through the second argument. (BZ#529997

455

)

453

and BZ#522528

454

)

* a race condition in glibc, between _dl_lookup_symbol_x() and dlopen/dlclose/etc, resulted in a failure in resolving dependencies. These updates provide for processes that are exclusive. (BZ#547631

456

)

This update also adds the following enhancement:

* glibc: incorporates a number of tests to detect corruption in data structures used for heap memory allocation (malloc/free). This corruption can be caused deliberately by attackers exploiting buffer overflow vulnerabilities. This enhancement provides additional corruption tests. (BZ#530107

457

)

All users are advised to upgrade to this updated package, which resolves these issues and adds this enhancement.

1.65. gnome-vfs2

1.65.1. RHBA-2010:0317: bug fix update

An updated gnome-vfs2 package that fixes a bug is now available.

GNOME VFS is the GNOME virtual file system. It is the foundation of the Nautilus file manager. It provides a modular architecture and ships with several modules that implement support for file systems, http, ftp, and others. It provides a URI-based API, backend supporting asynchronous file operations, a MIME type manipulation library, and other features.

452

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=548692

453

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=491995

454

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=522528

455

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=529997

456

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=547631

457

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=530107

RHBA-2010:0032: bug fix update

* the gnome-vfs2 package would only work correctly on a system running Samba 3.0 packages, and could not be installed on a system running Samba 3.3 packages. The version of gnome-vfs provided with this advisory depends only on a small Samba subpackage, which is independent from other Samba packages. The gnome-vfs2 package can now be installed on a system running Samba 3.3 packages. (BZ#555642

458

)

Users are advised to check the parallel Samba advisory RHBA-2009:9287.

Users are advised to upgrade to this updated gnome-vfs2 package, which resolves this issue.

1.65.2. RHBA-2010:0032: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0032

Updated gnome-vfs2 packages that resolve several issues are now available.

459

GNOME VFS is the GNOME virtual file system. It is the foundation of the Nautilus file manager. It provides a modular architecture, and ships with several modules that implement support for file systems and protocols such as HTTP and FTP, among others.

These updated gnome-vfs2 packages provide fixes for the following bugs:

* an unresolved symbol in the gnome-vfs2 library caused the system-config-network GUI application to be unable to start. (BZ#247522

460

)

* client applications which used the gnome-vfs2 library were unable to search for certain paths because the search process ended as soon as it encountered a file or directory which it was unable to read. This update fixes this bug in gnome-vfs2 so that searches skip over unreadable files or directories and continue as expected.

Note: a future nautilus update will be released that properly fixes this bug in the Nautilus file manager. (BZ#432764

461

)

* when attempting to move one or more files between two NFS mounts, the Nautilus file manager displayed a dialog box that stated: Error: "Not on the same file system." This error was caused by an EXDEV error in the gnome-vfs2 file module due to rename semantics. With this update, moving a file from one NFS mount to another succeeds as expected due to the implementation of a proper copyand-delete fallback routine. (BZ#438116

462

)

* attempting to open a supported document type represented by a symbolic link on an NFS share with the Evince document viewer failed with the following error message:

Unable to open document Unhandled MIME type: “application/octet-stream”

458

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=555642

460

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=247522

461

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=432764

462

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=438116

Chapter 1. Package Updates

This update improves this behavior with a symbolic link check so that Evince is now able to successfully open a link to a supported document type when both the link and actual file are located on an NFS share. (BZ#481593

463

)

* the gnome-vfs-daemon service reads the list of mounted devices at /proc/mounts upon startup. If one of the device paths was not valid UTF-8, gnome-vfs-daemon was disconnected by D-Bus when it attempted to communicate the path over the system message bus, at which time it exited. However, other GNOME applications would then attempt to restart gnome-vfs-daemon, at which time the same sequence of events reoccurred, leading to a potentially infinite loop and much extraneous CPU usage. With this update, gnome-vfs-daemon correctly converts the information provided by /proc/mounts into valid UTF-8 before communicating it via D-Bus, which prevents the possibility of gnome-vfs-daemon being disconnected, exiting, and being restarted in a continuous fashion. (BZ#486286

464

)

* accessing a WebDAV share which contained a comma in its path name with the Nautilus file manager resulted in a "File not found" error. This update ensures that reserved characters in path names are properly escaped, and thus Nautilus is able to access such paths as expected. (BZ#503112

465

)

All GNOME users are advised to upgrade to these updated packages, which resolve these issues. Running GNOME sessions must be restarted for the update to take effect.

1.66. gpart

1.66.1. RHBA-2009:1606: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1606

A gpart update that fixes a bug in the -debuginfo package is now available.

Gpart is a small tool which tries to guess what partitions are on a PC type harddisk in case the primary partition table was damaged.

This update addresses the following issue:

* although gpart contains ELF objects, the gpart-debuginfo package was empty. With this update the debuginfo package contains valid debugging information as expected. (BZ#500598

gpart users needing the gpart debuginfo package should install this upgraded package which fixes this problem.

466

467

)

463

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=481593

464

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=486286

465

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=503112

467

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=500598

gzip

1.67. gzip

1.67.1. RHSA-2010:0061: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0061

An updated gzip package that fixes one security issue is now available for Red Hat Enterprise Linux 3, 4, and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

The gzip package provides the GNU gzip data compression program.

An integer underflow flaw, leading to an array index error, was found in the way gzip expanded archive files compressed with the Lempel-Ziv-Welch (LZW) compression algorithm. If a victim expanded a specially-crafted archive, it could cause gzip to crash or, potentially, execute arbitrary code with the privileges of the user running gzip. This flaw only affects 64-bit systems. (CVE-2010-0001

468

469

)

Red Hat would like to thank Aki Helin of the Oulu University Secure Programming Group for responsibly reporting this flaw.

Users of gzip should upgrade to this updated package, which contains a backported patch to correct this issue.

1.68. hal

1.68.1. RHBA-2010:0256: bug fix update

Updated hal packages that fix various bugs are now available.

HAL is a daemon for collecting and maintaining information relating to hardware from several system sources.

The updated packages fix the following bugs:

* a sanity check in the HAL init script was incorrectly exiting with error code 0 when the script could not locate /usr/sbin/hald. The updated packages now contain a stronger sanity check, which returns the correct error code for a given condition. (BZ#238113

* a missing FDI quirk parameter for IBM X31 laptops prevented the laptop monitor from switching off during suspension. The updated packages add an extra "merge" element to the X40/X30 FDI definition, which correctly sets the dpms_suspend power management attribute. (BZ#395991

470

)

471

)

* a suspend hotkey combination (Fn+F1) used on Dell Latitude hardware was not mapped correctly. While the keycode sequence could be set manually, owners of Dell Latitude equipment experienced

469

https://www.redhat.com/security/data/cve/CVE-2010-0001.html

470

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=238113

471

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=395991

Chapter 1. Package Updates

unnecessary inconvenience when attempting to suspend using the hotkey combination. The updated packages add the correct mapping rules, which enable the Fn+F1 key combination. (BZ#450326

472

)

* when HAL checked for ttyS devices, it would abend if /sys/class/tty/ttyS* existed but /dev/ttyS* was removed or modified. Customers using two or more PCI serial port boards (with port extension) often implemented scripts to rename the port labels on the hardware to match the /dev/ttyS* node. HAL checks did not correctly cater for this scenario. The updated packages check whether serial device nodes have been manually removed. (BZ#486427

473

)

* a missing HAL video quirk setting prevented IBM 4838-310 POS units from resuming correctly from S3 suspend state. The updated packages include a vbe_post quirk that corrects the suspend issue. (BZ#501726

474

)

* an incorrect parameter in /etc/udev/rules.d/90-dm.rules prevented LUKS-formatted (encrypted) USB disks from automounting using GNOME. Customers had to mount the drive manually, or comment out the ignore_device line in 90-dm.rules to effect the change. The updated packages fully implement this workaround solution. (BZ#519645

475

)

* a missing HAL suspend quirk parameter prevented owners of Lenovo ThinkPad T400 laptops (product key 2768A96) suspending and resuming a session from a previously suspended system. The issue presented on laptops with ATI Mobility Radeon HD 3400 Series chipsets (1002:95c4), or Intel Mobile 4 Series chipsets (8086:2a42). The updated packages fix the suspend issue by correctly specifying the --quirk-vbe-post option for T400 machines. (BZ#571925

476

)

All hal users are advised to upgrade to these updated packages, which resolve these issues.

1.69. hmaccalc

1.69.1. RHBA-2010:0055: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0055

An updated hmaccalc package that fixes a self-test bug related to binary prelinking is now available.

The hmaccalc package contains tools to calculate HMAC (Hash-based Message Authentication Code) values for files. The names and interfaces were designed to mimic those of the sha1sum, sha256sum, sha384sum and sha512sum tools provided by the coreutils package.

This updated hmaccalc package fixes the following bug:

* each time one of the tools in the hmaccalc package is used, it performs a self-test by comparing the checksum of its own binary with the value which was computed when the binary package was built. However, if an hmaccalc binary had been prelinked using the "prelink" command, and that command was not located in one of the directories listed in the PATH environment variable, then that binary

472

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=450326

473

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=486427

474

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=501726

475

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=519645

476

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=571925

477

would be unable to use the prelink tool to verify the checksum against an unmodified copy of itself. This update contains a backported fix that allows hmaccalc to remember the location of the prelink command that was available at build time, and to be able to use it if necessary.

httpd

Note that this fix is required in order to build the Linux kernel with FIPS-compliance (Federal Information Processing Standards) enabled. (BZ#512275

478

)

All users of hmaccalc are advised to upgrade to this updated package, which resolves this issue.

1.70. httpd

1.70.1. RHSA-2010:0168: Moderate security and enhancement update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0168

Updated httpd packages that fix two security issues and add an enhancement are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

479

The Apache HTTP Server is a popular web server.

It was discovered that mod_proxy_ajp incorrectly returned an "Internal Server Error" response when processing certain malformed requests, which caused the back-end server to be marked as failed in configurations where mod_proxy is used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period (60 seconds by default) by sending specially-crafted requests. (CVE-2010-0408

480

)

A use-after-free flaw was discovered in the way the Apache HTTP Server handled request headers in subrequests. In configurations where subrequests are used, a multithreaded MPM (Multi-Processing Module) could possibly leak information from other requests in request replies. (CVE-2010-0434

481

)

This update also adds the following enhancement:

* with the updated openssl packages from RHSA-2010:0162 installed, mod_ssl will refuse to renegotiate a TLS/SSL connection with an unpatched client that does not support RFC 5746. This update adds the "SSLInsecureRenegotiation" configuration directive. If this directive is enabled, mod_ssl will renegotiate insecurely with unpatched clients. (BZ#567980

482

)

Refer to the following Red Hat Knowledgebase article for more details about the changed mod_ssl behavior: http://kbase.redhat.com/faq/docs/DOC-20491

478

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=512275

480

https://www.redhat.com/security/data/cve/CVE-2010-0408.html

481

https://www.redhat.com/security/data/cve/CVE-2010-0434.html

482

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=567980

Chapter 1. Package Updates

All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

1.70.2. RHSA-2009:1579: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1579

Updated httpd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

The Apache HTTP Server is a popular Web server.

483

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update partially mitigates this flaw for SSL sessions to HTTP servers using mod_ssl by rejecting client-requested renegotiation. (CVE-2009-3555

484

)

Note: This update does not fully resolve the issue for HTTPS servers. An attack is still possible in configurations that require a server-initiated renegotiation. Refer to the following Knowledgebase article for further information: http://kbase.redhat.com/faq/docs/DOC-20491

A NULL pointer dereference flaw was found in the Apache mod_proxy_ftp module. A malicious FTP server to which requests are being proxied could use this flaw to crash an httpd child process via a malformed reply to the EPSV or PASV commands, resulting in a limited denial of service. (CVE-2009-3094

485

)

A second flaw was found in the Apache mod_proxy_ftp module. In a reverse proxy configuration, a remote attacker could use this flaw to bypass intended access restrictions by creating a carefullycrafted HTTP Authorization header, allowing the attacker to send arbitrary commands to the FTP server. (CVE-2009-3095

486

)

All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

1.70.3. RHBA-2010:0252: bug fix and enhancement update

Updated httpd packages that fix bugs and add enhancements are now available.

The Apache HTTP Server is a popular and freely-available Web server.

484

https://www.redhat.com/security/data/cve/CVE-2009-3555.html

485

https://www.redhat.com/security/data/cve/CVE-2009-3094.html

486

https://www.redhat.com/security/data/cve/CVE-2009-3095.html

These updated httpd packages provide fixes for the following bugs:

hwdata

* the mod_authnz_ldap module did not allow other modules to handle authorization if no LDAPspecific requirements were used in the "Require" directive. (BZ#448350

* the httpd "init" script did not work correctly if the PidFile directive was removed from httpd.conf. (BZ#505002

488

)

* mod_ssl would fail to complete a handshake if more the 85 CAs were configured using SSLCACertificateFile and/or SSLCACertificatePath. (BZ#510515

* the "X-Pad" header used for compatibility with old browser implementations has been removed. (BZ#526110

* mod_proxy_ajp could fail if uploading large files. (BZ#528640

* .NET clients using the "Expect: 100-continue" header could cause spurious responses. (BZ#533407

* the OID() function supported in mod_ssl's SSLRequire directive could not evaluate some extension types. (BZ#552942

490

492

)

491

)

493

)

489

)

487

)

The following enhancements have also been made:

* the "DiscardPathInfo" flag (or "DPI") has been added to mod_rewrite. (BZ#517500

* the AuthLDAPRemoteUserAttribute directive has been added to mod_authnz_ldap. (BZ#520838

494

)

495

)

* the AuthLDAPDynamicGroups directive has been added to mod_authnz_ldap, to enable support for dynamic groups. (BZ#252038

* the mod_substitute module is now included. (BZ#539256

496

)

497

)

All Apache users should install these updated packages which address these issues.

1.71. hwdata

1.71.1. RHEA-2010:0197: enhancement update

An updated hwdata package that adds various enhancements is now available.

The hwdata package contains tools for accessing and displaying hardware identification and configuration data.

This updated package adds entries for the following devices to the Red Hat Enterprise Linux 5.4 pci.ids and usb.ids databases:

487

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=448350

488

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=505002

489

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=510515

490

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=526110

491

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=528640

492

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=533407

493

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=552942

494

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=517500

495

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=520838

496

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=252038

497

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=539256

Chapter 1. Package Updates

* Brocade 10G PCIe Ethernet Controller. (BZ#475712

* Sequel Imaging Calibrator. (BZ#512050

499

)

* Intel SerDes Gigabit Network Connection. (BZ#517100

* Intel 10 Gigabit Dual Port Backplane Connection. (BZ#517131

* Emulex OneConnect 10Gb iSCSI Initiator. (BZ#529449

* Emulex OneConnect 10Gb NIC. (BZ#529453

503

* Emulex OneConnect 10Gb FCoE Initiator. (BZ#529455

* Mellanox Infiniband NICs. (BZ#529458

* Intel Cougar Point. (BZ#566852

506

505

)

* NC375T PCI Express Quad Port Gigabit Server Adapter. (BZ#569910

498

)

500

)

501

)

502

)

504

)

507

)

Users of hwdata are advised to upgrade to this updated package, which adds these enhancements.

1.72. ia32el

1.72.1. RHBA-2010:0250: bug fix update

An ia32el update that fixes several bugs is now available.

ia32el is the IA-32 Execution Layer platform, which allows the emulation of IA-32 binaries on IA-64.

This updated package addresses the following issues:

* When using the -D_FILE_OFFSET_BITS=64 compile option, the platform would try to call syscall statfs64 (syscall id=268). Unfortunately, this was unsupported by the previous package. Instead, the platform would resort to statfs(), and the case would fail. This package adds support for syscall statfs64. The platform no longer resorts to statfs(), and works correctly. (BZ#514938

* When SIGALRM invokes the signal handler, the ia32el application that installed the signal handler stops executing system calls in the correct order. This package adds a patch to the code that changes the conditions for the order of executing system calls, preventing the signal handler from affecting it. (BZ#515165

509

)

* The ia32el did not pass the second, third and fourth offset arguments of the fadvise64() or fadvise64_64() system call methods to the kernel correctly because it was unable to handle 64-bit

498

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=475712

499

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=512050

500

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=517100

501

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=517131

502

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=529449

503

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=529453

504

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=529455

505

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=529458

506

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=566852

507

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=569910

508

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=514938

509

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=515165

508

)

iasl

arguments for that system call. This meant that the offset arguments were not recognized as valid by the kernel. Support for 64-bit arguments has now been added. (BZ#528590

511510

)

* The clock_nanosleep() system call method's fourth argument (remaining time) retained old values when interrupted by signal (EINTR). This caused invalid values to return for this argument. This patch adds a validity check before the values are returned. (BZ#528590

513512

)

* The ia32el would not perform operations on the third argument of the sendfile() system call method correctly. As a result, after a successful system call, the offset argument would not be set to the value of the byte following the last byte read. This updated package contains a patch to correctly set the offset argument (during the system call). (BZ#528596

514

)

* The ia32el previously broke the arguments of the sync_file_range() syscall. When the syscall was run, it would respond with an 'Invalid argument' error. A patch has been created that fixes the syntax error in the code. The ia32el now reads the sync_file_range() arguments correctly. (BZ#528597

515

)

* When a NULL pointer was specified for the 2nd argument of the timer_create() syscall, the ia32el would pass the kernel a non-NULL pointer to uninitialized data instead, and the syscall would fail. This package provides a patch that adjusts the syntax of the code for the timer_create() syscall, so that the ia32el correctly interprets the NULL pointer. (BZ#528598

516

)

* The NOTE offset and filesize of some core dumps of i386 processes running under ia32el were greater than the first LOAD offset according to 'readelf -l'. When this happened, the gdb couldn't read the core file. This package includes a patch that adjusts the size of the offset to greater than that of the NOTE offset and filesize. The gdb can now succesfully read the core file. (BZ#533269

517

)

Users are advised to upgrade to this updated ia32el package which resolves these issues.

1.73. iasl

1.73.1. RHBA-2010:0226: bug fix and enhancement update

An updated iasl package that fixes a bug and introduces a feature enhancement is now available.

iasl compiles ASL (ACPI Source Language) into AML (ACPI Machine Language), which is suitable for inclusion as a DSDT in system firmware. It also can disassemble AML, for debugging purposes.

* the default version of iasl was old, and could not properly decode DMAR tables. This sometimes resulted in incorrect decoding. Updating to the latest version of the iasl package has corrected this behavior, and DMAR tables are now decoded correctly. (BZ#518109

* the iasl package has been updated to the latest version. (BZ#518209

Users are advised to upgrade to this updated iasl package, which resolves this issue.

511

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=528590

510

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=528590

513

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=528590

512

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=528590

514

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=528596

515

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=528597

516

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=528598

517

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=533269

518

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=518109

519

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=518209

518

)

519

)

Chapter 1. Package Updates

1.74. inn

1.74.1. RHBA-2009:1509: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1509

Updated inn packages that resolve an issue are now available.

INN (InterNetNews) is a complete system for serving Usenet news and private newsfeeds. INN includes innd, an NNTP (NetNews Transport Protocol) server, and nnrpd, a newsreader that is spawned for each client. Both innd and nnrpd vary slightly from the NNTP protocol, but not in ways that are easily noticed.

These updated packages address the following issue:

520

* a PID file -- /var/run/news/innd.pid -- is created by the Internet News NNTP server, innd, at startup. If this file was not present when an attempt to stop innd was made, the service did not stop. With this update, the innd init script adds logic to stop innd with the killproc command if a "service innd stop" command is issued and innd.pid cann to be found. The updated init script also returns a message, "Stopping INND service (PID not found, the hard way)", in this case. (BZ#464916

521

)

All inn users are advised to upgrade to these updated packages, which resolve this issue.

1.75. iproute

1.75.1. RHBA-2009:1520: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1520

An updated iproute package that fixes a bug is now available.

The iproute package contains networking utilities such as ip and rtmon, which use the advanced networking capabilities of the Linux 2.4 and 2.6 kernels.

522

This update addresses the following problem:

* if IPv6 was disabled, running the "ss" command resulted in a segmentation fault. A workaround was to run "ss -f inet". With this update the return value checks for net_*_open were fixed and the workaround is no longer necessary. The ss command again returns socket statistics as expected. (BZ#493578

521

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=464916

523

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=493578

523

)

iprutils

All iproute users are advised to upgrade to this updated package, which resolves this issue.

1.76. iprutils

1.76.1. RHEA-2010:0229: enhancement update

An enhanced iprutils package is now available.

The iprutils package provides utilities to manage and configure SCSI devices that are supported by the ipr SCSI storage device driver.

This package upgrades iprutils to version 2.2.18, which includes:

* support for the Generation 2 SAS (serial attached SCSI) PCI-E card with SSD (solid-state drive) has been added to systems with the PowerPC 64 architecture. (BZ#512246

524

)

* iprconfig is a utility for configuring and recovering IBM Power RAID storage adapters. The iprconfig utility previously reported an incorrect firmware level for enclosures when called from a command line on systems with the PowerPC 64 architecture. The firmware level was reported correctly in the iprconfig graphical user interface (GUI). The iprconfig utility has been updated to handle SES (SCSI enclosure services) devices the same in both the command line and GUI, and the firmware level for enclosures is now reported correctly. (BZ#532544

525

)

Users with PowerPC 64 systems are advised to upgrade to this updated iprutils package, which adds these enhancements.

1.77. iptables

1.77.1. RHBA-2009:1539: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata

RHBA-2009:1539

526

Updated iptables packages that fix a bug are now available.

The iptables utility controls the network packet filtering code in the Linux kernel.

These updated packages fix the following bug:

* the memory alignment of ipt_connlimit_data was incorrect on x86-based systems. This update adds an explicit aligned attribute to the ipt_connlimit_data struct to correct this. (BZ#529687

527

)

Users are advised to upgrade to these updated iptables packages, which resolve this issue.

524

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=512246

525

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=532544

527

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=529687

Chapter 1. Package Updates

1.78. iptstate

1.78.1. RHBA-2009:1676: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1676

An updated iptstate package that resolves an issue is now available.

The iptstate utility displays the states held by your stateful firewall in a top-like manner.

This updated iptstate package fixes the following bug:

* iptstate used a curses output function in single-run mode where curses is not used. Running "ipstate

-s -S [address] -D [address]" caused ipstate to crash with a Segmentation Fault error. Note: running the command without the single-run mode switch (-s) did not crash. With this update, the bug is fixed and iptstate runs in single-run mode correctly, as expected. (BZ#474381

528

529

)

All iptstate users should upgrade to this updated package, which resolves this issue.

1.79. ipw2200-firmware

1.79.1. RHEA-2010:0218: enhancement update

An enhanced ipw2200-firmware package is now available.

The ipw2200-firmware package contains the firmware files required by Intel PRO/Wireless 2200 network adapters.

The enhancement contains new open source 802.11a/bg drivers, which are compatible with ipw2200 drivers in the latest Red Hat Enterprise Linux kernels. (BZ#494492

Users with hardware containing Intel PRO/Wireless 2220 network adapters are advised to install this enhancement.

530

)

1.80. iscsi-initiator-utils

1.80.1. RHBA-2010:0078: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata

RHBA-2010:0078

529

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=474381

530

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=494492

531

RHBA-2010:0293: bug fix and enhancement update

An updated iscsi-initiator-utils package that fixes a bug is now available.

The iscsi-initiator-utils package provides the server daemon for the iSCSI protocol, as well as the utility programs used to manage it. iSCSI is a protocol for distributed disk access using SCSI commands sent over Internet Protocol networks.

This updated iscsi-initiator-utils package fixes the following bug:

* removing the bnx2i module from the kernel, or running ifdown on the network interface being used by the bnx2i driver, and then reloading the kernel module or running ifup, did not result in automatic reconnection to SCSI sessions. As a workaround, the iscsid service had to be stopped and then restarted. With this update, SCSI sessions are automatically reconnected to after removing and reloading the bnx2i kernel module, or bringing the network interface down and then up again with ifdown and ifup. (BZ#549629

532

)

All users of iscsi-initiator-utils are advised to upgrade to this updated package, which resolves this issue.

1.80.2. RHBA-2010:0293: bug fix and enhancement update

An updated iscsi-initiator-utils package that fixes various bugs and provides new enhancements is now available.

The iscsi package provides the server daemon for the iSCSI protocol, as well as the utility programs used to manage it. iSCSI is a protocol for distributed disk access using SCSI commands sent over Internet Protocol networks.

The following bugs have been fixed in this release:

* There was a problem with the discovery mechanism when iSCSI ifaces were used with different initiator names. The sendtarget discovery feature was using the default name (/etc/iscsi/ initiatorname.iscsi) instead of the iname in the iface. As a consequence, the wrong name was being used. The discovery mechanism has now been fixed so that it uses the iname in the iface. As a result, they are discovered correctly and the right names are used. (BZ#504666

533

)

* chkconfig was being run on service start to enable and disable services. This was causing a number of problems, as it was broken on read-only root systems and it also recalculated dependencies, causing a change of ordering in /etc/rc whilst the system is running. To fix this issue, chkconfig has been removed from the package so these issues will no longer occur as a result. (BZ#511271

534

)

* Removing the bnx2 modules or running ifdown on the network interface being used by bnx2i driver would result in the iSCSI sessions being disconnected. Reloading the module or running ifup would not reconnect the SCSI sessions. A patch has been added and, as a result, the iSCSI session now recovers after iconfig is brought down and back up. (BZ#514926

535

)

* The iscsi initiator would fail to connect to a target when the bnx2i transport was being used. As a consequence, the log-in attempt would time out and fail. A fix has been made to the way in which MAC addresses are handled. As a result, users can now successfully log in. (BZ#520508

536

)

532

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=549629

533

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=504666

534

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=511271

535

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=514926

536

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=520508

Chapter 1. Package Updates

* There was a small typographical error in the /usr/session_info.c print out, where "REOPEN" was incorrectly spelled as "REPOEN". This has now been corrected and the correctly spelled version of the word is output as a result. (BZ#531748

537

The following enhancements have also been added in this release:

* The Broadcom iSCSI user-space components have been updated to support ipv6 and 10G components. As a result, a broader range of hardware is now supported. (BZ#517380

* The /etc/init.d/iscsid file has been patched in order to support the ServerEngines be2iscsi driver As a result, this hardware is now available for utilization. (BZ#556984

539

)

538

)

Users are advised to upgrade to this updated iscsi-initiator-utils package, which resolve these issues.

1.81. iwl3945-firmware

1.81.1. RHEA-2010:0219: enhancement update

An enhanced iwl3945-firmware package that works with the iwlwifi-3945 driver in the latest Red Hat Enterprise Linux kernel to enable support for the Intel PRO/Wireless 3945ABG/BG Network Connection Adapter is now available.

iwlwifi-3945 is a kernel driver module for the Intel PRO/Wireless 3945ABG/BG Network Connection Adapter (aka iwl3945 hardware). The iwlwifi-3945 driver requires firmware loaded on the device in order to function. The iwl3945-firmware package provides the iwl3945 driver with this required firmware and enables the driver to function correctly with iwl3945 hardware.

This updated iwl3945-firmware package adds the following enhancement:

* it is best to pair equivalent versions of these components in order to provide maximum compatibility between them. This update brings the firmware into line with the kernel driver included in the latest Red Hat Enterprise Linux kernel. (BZ#534100

540

)

Intel PRO/Wireless 3945ABG/BG Network Connection Adapter users using the iwl3945 driver should upgrade to this updated package, which adds this enhancement.

1.82. iwl4965-firmware

1.82.1. RHEA-2010:0215: enhancement update

An enhanced iwl4965-firmware package is now available.

This package contains the firmware required by the iwl4965 driver for Linux.

* The firmware package has been enhanced to synchronize it with the latest version of the upstream Intel Wireless Wi-Fi Link 4965AGN driver (version 228.61.2.24). This upgrade brings about the following new functionality:

537

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=531748

538

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=517380

539

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=556984

540

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=534100

iwl5000-firmware

More graceful handling of Rx hangs (NMI) More reliable scanning A ten second pauses after association before power-down Receiver is now reset via re-tune after it misses beacons TGK measurement is now disabled when it receives a packet More reliable Tx with ACK/BA/CTS

As a result, the driver is now more reliable in a range of areas, scanning more efficiently and handling problems and interruptions better. (BZ#510757

541

)

Users are advised to upgrade to this updated iwl4965-firmware package, which resolves this issue.

1.83. iwl5000-firmware

1.83.1. RHEA-2010:0216: enhancement update

An updated iwl5000-firmware package is now available.

The iwl5000-firmware package provides the iwlagn wireless driver with the firmware it requires in order to function correctly with iwlagn hardware.

This updated iwl5000-firmware package adds the following enhancement:

* the iwlagn driver and the iwl5000 firmware work together to provide proper wireless functionality. It is best to pair equivalent versions of these components in order to provide maximum compatibility between them, which this updated package provides. (BZ#501609

Users of wireless devices which use iwl5000 firmware are advised to upgrade to this updated package, which adds this enhancement.

542

)

1.84. java-1.6.0-ibm

1.84.1. RHBA-2010:0327: bug fix update

Updated java-1.6.0-ibm packages that fix an issue with time zone information are now available for Red Hat Enterprise Linux 5 Supplementary.

IBM's 1.6.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit.

These updated java-1.6.0-ibm packages fix a bug where the IBM Java 6 Runtime Environment did not recognize several time zones. (BZ#569623

All users of java-1.6.0-ibm are advised to upgrade to these updated packages, which contain new time zone data and therefore resolve this issue.

541

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=510757

542

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=501609

543

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=569623

543

)

Chapter 1. Package Updates

1.85. java-1.6.0-openjdk

1.85.1. RHSA-2009:1584: Important security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1584

Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. The Java Runtime Environment (JRE) contains the software and tools that users need to run applications written using the Java programming language.

544

An integer overflow flaw and buffer overflow flaws were found in the way the JRE processed image files. An untrusted applet or application could use these flaws to extend its privileges, allowing it to read and write local files, as well as to execute local applications with the privileges of the user running the applet or application. (CVE-2009-3869

CVE-2009-3874

548

)

545

, CVE-2009-3871

546

, CVE-2009-3873

547

An information leak was found in the JRE. An untrusted applet or application could use this flaw to extend its privileges, allowing it to read and write local files, as well as to execute local applications with the privileges of the user running the applet or application. (CVE-2009-3881

549

)

It was discovered that the JRE still accepts certificates with MD2 hash signatures, even though MD2 is no longer considered a cryptographically strong algorithm. This could make it easier for an attacker to create a malicious certificate that would be treated as trusted by the JRE. With this update, the JRE disables the use of the MD2 algorithm inside signatures by default. (CVE-2009-2409

A timing attack flaw was found in the way the JRE processed HMAC digests. This flaw could aid an attacker using forged digital signatures to bypass authentication checks. (CVE-2009-3875

Two denial of service flaws were found in the JRE. These could be exploited in server-side application scenarios that process DER-encoded (Distinguished Encoding Rules) data. (CVE-2009-3876

CVE-2009-3877

553

)

An information leak was found in the way the JRE handled color profiles. An attacker could use this flaw to discover the existence of files outside of the color profiles directory. (CVE-2009-3728

550

)

551

)

552

554

)

545

https://www.redhat.com/security/data/cve/CVE-2009-3869.html

546

https://www.redhat.com/security/data/cve/CVE-2009-3871.html

547

https://www.redhat.com/security/data/cve/CVE-2009-3873.html

548

https://www.redhat.com/security/data/cve/CVE-2009-3874.html

549

https://www.redhat.com/security/data/cve/CVE-2009-3881.html

550

https://www.redhat.com/security/data/cve/CVE-2009-2409.html

551

https://www.redhat.com/security/data/cve/CVE-2009-3875.html

552

https://www.redhat.com/security/data/cve/CVE-2009-3876.html

553

https://www.redhat.com/security/data/cve/CVE-2009-3877.html

554

https://www.redhat.com/security/data/cve/CVE-2009-3728.html

java-1.6.0-sun

A flaw in the JRE with passing arrays to the X11GraphicsDevice API was found. An untrusted applet or application could use this flaw to access and modify the list of supported graphics configurations. This flaw could also lead to sensitive information being leaked to unprivileged code. (CVE-2009-3879

555

)

It was discovered that the JRE passed entire objects to the logging API. This could lead to sensitive information being leaked to either untrusted or lower-privileged code from an attacker-controlled applet which has access to the logging API and is therefore able to manipulate (read and/or call) the passed objects. (CVE-2009-3880

556

)

Potential information leaks were found in various mutable static variables. These could be exploited in application scenarios that execute untrusted scripting code. (CVE-2009-3882

557

, CVE-2009-3883

558

)

An information leak was found in the way the TimeZone.getTimeZone method was handled. This method could load time zone files that are outside of the [JRE_HOME]/lib/zi/ directory, allowing a remote attacker to probe the local file system. (CVE-2009-3884

Note: The flaws concerning applets in this advisory, CVE-2009-3869

CVE-2009-3873

and CVE-2009-3884

562

, CVE-2009-3874

567

, can only be triggered in java-1.6.0-openjdk by calling the "appletviewer"

563

, CVE-2009-3879

564

559

)

560

, CVE-2009-3871

, CVE-2009-3880

561

565

, CVE-2009-3881

566

application.

All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.

1.86. java-1.6.0-sun

1.86.1. RHBA-2010:0072: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata

RHBA-2010:0072

568

Updated java-1.6.0-sun packages are now available for Red Hat Enterprise Linux 5.4 Supplementary.

The java-1.6.0-sun packages include the Sun Java 6 Runtime Environment, Sun Java 6 Software Development Kit (SDK), the source code for the Sun Java class libraries, the Sun Java browser plugin and Web Start, the Sun JDBC/ODBC bridge driver, and demonstration files for the Sun Java 6 SDK.

555

https://www.redhat.com/security/data/cve/CVE-2009-3879.html

556

https://www.redhat.com/security/data/cve/CVE-2009-3880.html

557

https://www.redhat.com/security/data/cve/CVE-2009-3882.html

558

https://www.redhat.com/security/data/cve/CVE-2009-3883.html

559

https://www.redhat.com/security/data/cve/CVE-2009-3884.html

560

https://www.redhat.com/security/data/cve/CVE-2009-3869.html

561

https://www.redhat.com/security/data/cve/CVE-2009-3871.html

562

https://www.redhat.com/security/data/cve/CVE-2009-3873.html

563

https://www.redhat.com/security/data/cve/CVE-2009-3874.html

564

https://www.redhat.com/security/data/cve/CVE-2009-3879.html

565

https://www.redhat.com/security/data/cve/CVE-2009-3880.html

566

https://www.redhat.com/security/data/cve/CVE-2009-3881.html

567

https://www.redhat.com/security/data/cve/CVE-2009-3884.html

Chapter 1. Package Updates

These updated java-1.6.0-sun packages upgrade Sun's Java 6 SDK from version 1.6.0_17 to version 1.6.0_18, which provides fixes for a number of bugs. To view the release notes for the bug fixes included in this update, refer to the URL provided in the "References" section of this errata. (BZ#557418

569

)

All users of java-1.6.0-sun are advised to upgrade to these updated packages, which resolve these issues.

1.87. kdelibs

1.87.1. RHBA-2009:1464: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata

RHBA-2009:1464

570

Updated kdelibs packages that fix the bugs are now available.

The kdelibs packages contain a set of common libraries used by all applications written for the K Desktop Environment (KDE). kdelibs includes kdecore (KDE core library); kdeui (user interface); kfm (file manager); khtmlw (HTML widget); kio (input/output and networking); kspell (spelling checker); jscript (javascript); kab (addressbook); and kimgio (image manipulation).

This update addresses the following issue:

* the kde.sh shell script used the keyword "source". The pdksh (Public Domain Korn SHell) package, a new package in Red Hat Enterprise Linux 5.4, does not recognize the "source" keyword in shell scripts. Consequently, if pdksh was used as the shell on systems with KDE installed, the following error message was returned in login shells:

ksh: /etc/profile.d/kde.sh[7]: source: not found

The kde.sh shell script in this update has been edited with "source" replaced by "." The full stop keyword (.) is an alias for "source" in Bourne-compatible shells, including pdksh. Once installed, KDE users running the pdksh shell will no longer get the above error message. (BZ#523968

571

)

Note: this bug was a known issue at the release of Red Hat Enterprise Linux 5.4 and a manual version of the fix included in this update was documented in the Red Hat Enterprise Linux 5.4 Technical Notes:

http://redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Technical_No tes/Known_Issuespdksh.html

If /etc/profile.d/kde.sh already exists, the new version included with this update is installed as /etc/ profile.d/kde.sh.rpmnew.

Therefore, on systems where an extant kde.sh has been manually edited as per the Red Hat Enterprise Linux 5.4 Technical Notes, the manual fix is retained.

569

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=557418

571

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=523968

RHSA-2009:1601: Critical security update

On systems where kde.sh already exists and the workaround has not been applied, however, installing this update does not, of itself, implement the fix. After installation on such systems, renaming kde.sh and kde.sh.rpmnew as follows will implement the fix:

cp /etc/profile.d/kde.sh /etc/profile.d/kde.sh.bak cp /etc/profile.d/kde.sh.rpmnew /etc/profile.d/kde.sh

All KDE and pdksh users should install this updated package which fixes this bug.

1.87.2. RHSA-2009:1601: Critical security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1601

Updated kdelibs packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5.

572

This update has been rated as having critical security impact by the Red Hat Security Response Team.

The kdelibs packages provide libraries for the K Desktop Environment (KDE).

A buffer overflow flaw was found in the kdelibs string to floating point conversion routines. A web page containing malicious JavaScript could crash Konqueror or, potentially, execute arbitrary code with the privileges of the user running Konqueror. (CVE-2009-0689

Users should upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect.

573

)

1.88. kernel

1.88.1. RHSA-2010:0147: Important security and bug fix update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0147

574

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

573

https://www.redhat.com/security/data/cve/CVE-2009-0689.html

Chapter 1. Package Updates

Security fixes:

* a NULL pointer dereference flaw was found in the sctp_rcv_ootb() function in the Linux kernel Stream Control Transmission Protocol (SCTP) implementation. A remote attacker could send a specially-crafted SCTP packet to a target system, resulting in a denial of service. (CVE-2010-0008

575

Important)

* a missing boundary check was found in the do_move_pages() function in the memory migration functionality in the Linux kernel. A local user could use this flaw to cause a local denial of service or an information leak. (CVE-2010-0415

576

, Important)

* a NULL pointer dereference flaw was found in the ip6_dst_lookup_tail() function in the Linux kernel. An attacker on the local network could trigger this flaw by sending IPv6 traffic to a target system, leading to a system crash (kernel OOPS) if dst->neighbour is NULL on the target system when receiving an IPv6 packet. (CVE-2010-0437

577

, Important)

* a NULL pointer dereference flaw was found in the ext4 file system code in the Linux kernel. A local attacker could use this flaw to trigger a local denial of service by mounting a specially-crafted, journalless ext4 file system, if that file system forced an EROFS error. (CVE-2009-4308

578

, Moderate)

* an information leak was found in the print_fatal_signal() implementation in the Linux kernel. When "/ proc/sys/kernel/print-fatal-signals" is set to 1 (the default value is 0), memory that is reachable by the kernel could be leaked to user-space. This issue could also result in a system crash. Note that this flaw only affected the i386 architecture. (CVE-2010-0003

579

, Moderate)

* missing capability checks were found in the ebtables implementation, used for creating an Ethernet bridge firewall. This could allow a local, unprivileged user to bypass intended capability restrictions and modify ebtables rules. (CVE-2010-0007

580

, Low)

Bug fixes:

* a bug prevented Wake on LAN (WoL) being enabled on certain Intel hardware. (BZ#543449

* a race issue in the Journaling Block Device. (BZ#553132

* programs compiled on x86, and that also call sched_rr_get_interval(), were silently corrupted when run on 64-bit systems. (BZ#557684

* the RHSA-2010:0019 update introduced a regression, preventing WoL from working for network devices using the e1000e driver. (BZ#559335

583

)

584

)

582

)

* adding a bonding interface in mode balance-alb to a bridge was not functional. (BZ#560588

* some KVM (Kernel-based Virtual Machine) guests experienced slow performance (and possibly a crash) after suspend/resume. (BZ#560640

575

https://www.redhat.com/security/data/cve/CVE-2010-0008.html

576

https://www.redhat.com/security/data/cve/CVE-2010-0415.html

577

https://www.redhat.com/security/data/cve/CVE-2010-0437.html

578

https://www.redhat.com/security/data/cve/CVE-2009-4308.html

579

https://www.redhat.com/security/data/cve/CVE-2010-0003.html

580

https://www.redhat.com/security/data/cve/CVE-2010-0007.html

581

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=543449

582

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=553132

583

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=557684

584

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=559335

585

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=560588

586

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=560640

586

)

581

585

)

Redhat ENTERPRISE LINUX User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Technical Notes

Preface

1.1. acl

1.1.1. RHBA-2009:1652: bug fix update

1.2. acpid

1.2.1. RHBA-2010:0004: bug fix update

1.2.2. RHSA-2009:1642: Important security update

1.3. aide

1.3.1. RHBA-2010:0036: bug fix update

1.4. anaconda

1.4.1. RHBA-2010:0194: bug fix and enhancement update

1.5. apr-util

1.5.1. RHEA-2010:0310: enhancement update

1.6. at

1.6.1. RHBA-2009:1654: bug fix and enhancement update

1.7. audit

1.7.1. RHBA-2010:0228: bug fix update

1.8. autofs

1.8.1. RHBA-2009:1468: bug fix update

1.8.2. RHBA-2010:0265: bug fix update

1.9. automake

1.9.1. RHSA-2010:0321: Low security update

1.10. avahi

1.10.1. RHBA-2010:0034: bug fix update

1.11. bind

1.11.1. RHSA-2010:0062: Moderate security update

1.11.2. RHSA-2009:1620: Moderate security update

1.12. binutils

1.12.1. RHBA-2010:0304: bug fix update

1.13. bogl

1.13.1. RHBA-2009:1593: bug fix update

1.14. bootparamd

1.14.1. RHBA-2010:0057: bug fix update

1.15. booty

1.15.1. RHBA-2010:0185: bug fix and enhancement update

1.16. brltty

1.16.1. RHSA-2010:0181: Low security and bug fix update

1.17. checkpolicy

1.17.1. RHBA-2010:0184: bug fix update

1.18. chkconfig

1.18.1. RHBA-2009:1628: bug fix update

1.19. cman

1.19.1. RHBA-2009:1435: bug fix update

1.19.2. RHBA-2009:1516: bug-fix update

1.19.3. RHBA-2009:1598: bug fix update

1.19.4. RHBA-2009:1622: bug-fix update

1.19.5. RHBA-2010:0266: bug fix and enhancement update

1.20. cmirror

1.20.1. RHBA-2010:0307: bug fix update

1.21. cmirror-kmod

1.21.1. RHBA-2010:0309: bug fix update

1.22. conga

1.22.1. RHBA-2009:1623: bug fix update

1.22.2. RHBA-2010:0289: bug fix and enhancement update

1.23. coolkey

1.23.1. RHBA-2010:0068: bug fix update

1.24. coreutils

1.24.1. RHBA-2009:1511: bug fix update

1.24.2. RHBA-2010:0120: bug fix update

1.25. cpio

1.25.1. RHSA-2010:0144: Moderate security update

1.26. cpuspeed

1.26.1. RHBA-2010:0035: bug fix update

1.27. crash

1.27.1. RHBA-2010:0230: bug fix update

1.28. ctdb

1.28.1. RHEA-2010:0320: enhancement update

1.29. cups

1.29.1. RHBA-2010:0045: bug fix update

1.29.2. RHSA-2010:0129: Moderate security update

1.29.3. RHSA-2009:1595: Moderate security update

1.29.4. RHSA-2009:1513: Moderate security update

1.29.5. RHBA-2010:0210: bug fix update

1.30. curl

1.31. cyrus-imapd

1.31.1. RHSA-2009:1459: Important security update