Red Hat Enterprise Linux User Manual

Red Hat Enterprise Linux 5.5

Technical Notes

Detailed notes on the changes implemented in Red Hat Enterprise Linux 5.5
Edition 0
Author rhelv5-list@redhat.com
Copyright © 2010 Red Hat.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
All other trademarks are the property of their respective owners.
1801 Varsity Drive Raleigh, NC 27606-2072 USA Phone: +1 919 754 3700 Phone: 888 733 4281 Fax: +1 919 754 3701
The Red Hat Enterprise Linux 5.5 Technical Notes list and document the changes made to the Red Hat Enterprise Linux 5 operating system and its accompanying applications between minor release Red Hat Enterprise Linux 5.4 and minor release Red Hat Enterprise Linux 5.5.
Preface
1. Package Updates
1.1. acl
1.2. acpid
1.3. aide
1.4. anaconda
1.5. apr-util
1.6. at
1.7. audit
1.8. autofs
1.9. automake
1.10. avahi
1.11. bind
1.12. binutils
1.13. bogl
1.14. bootparamd
1.15. booty
1.16. brltty
1.17. checkpolicy
1.18. chkconfig
1.19. cman
1.20. cmirror
1.21. cmirror-kmod
1.22. conga
1.23. coolkey
1.24. coreutils
1.25. cpio
1.26. cpuspeed
1.27. crash
1.28. ctdb
1.29. cups
1.30. curl
1.31. cyrus-imapd
1.32. cyrus-sasl
1.33. dbus
1.34. dbus-python
1.35. device-mapper
1.36. device-mapper-multipath
1.37. dhcp
1.38. dhcpv6
1.39. dmidecode
1.40. dmraid
1.41. dogtail
1.42. dosfstools
1.43. dstat
1.44. e4fsprogs
1.45. elilo
1.46. elinks
1.47. esc
1.48. etherboot
1.49. ethtool
1.50. evince
1.51. exim
1.52. fetchmail
1.53. filesystem
1.54. firefox
1.55. firstboot
1.56. freeradius
1.57. gail
1.58. gcc
1.59. gd
1.60. gdb
1.61. gfs-kmod
1.62. gfs-utils
1.63. gfs2-utils
1.64. glibc
1.65. gnome-vfs2
1.66. gpart
1.67. gzip
1.68. hal
1.69. hmaccalc
1.70. httpd
1.71. hwdata
1.72. ia32el
1.73. iasl
1.74. inn
1.75. iproute
1.76. iprutils
1.77. iptables
1.78. iptstate
1.79. ipw2200-firmware
1.80. iscsi-initiator-utils
1.81. iwl3945-firmware
1.82. iwl4965-firmware
1.83. iwl5000-firmware
1.84. java-1.6.0-ibm
1.85. java-1.6.0-openjdk
1.86. java-1.6.0-sun
1.87. kdelibs
1.88. kernel
1.89. kexec-tools
1.90. krb5
1.91. ksh
1.92. ktune
1.93. kudzu
1.94. kvm
1.95. less
1.96. libXi
1.97. libXrandr
1.98. libXt
1.99. libaio
1.100. libcmpiutil
1.101. libevent
1.102. libgnomecups
1.103. libgtop2
1.104. libhugetlbfs
1.105. libsepol
1.106. libuser
1.107. libvirt
1.108. libvirt-cim
1.109. libvorbis
1.110. linuxwacom
1.111. lm_sensors
1.112. log4cpp
1.113. logwatch
1.114. lvm2
1.115. lvm2-cluster
1.116. man-pages
1.117. man-pages-ja
1.118. mcelog
1.119. mdadm
1.120. mesa
1.121. metacity
1.122. microcode_ctl
1.123. mkinitrd
1.124. module-init-tools
1.125. mtx
1.126. mysql
1.127. nautilus-open-terminal
1.128. neon
1.129. net-snmp
1.130. net-tools
1.131. NetworkManager
1.132. newt
1.133. nfs-utils
1.134. nspluginwrapper
1.135. nss_ldap
1.136. numactl
1.137. openCryptoki
1.138. openais
1.139. OpenIPMI
1.140. openib
1.141. openldap
1.142. openmotif
1.143. openoffice.org
1.144. openssh
1.145. openssl
1.146. openswan
1.147. oprofile
1.148. pam
1.149. pam_krb5
1.150. paps
1.151. parted
1.152. pax
1.153. pciutils
1.154. pcsc-lite
1.155. perl-Sys-Virt
1.156. perl-XML-SAX
1.157. pexpect
1.158. php
1.159. pidgin
1.160. piranha
1.161. pirut
1.162. policycoreutils
1.163. poppler
1.164. postgresql
1.165. ppc64-utils
1.166. procps
1.167. pykickstart
1.168. python-virtinst
1.169. PyXML
1.170. qspice
1.171. readahead
1.172. redhat-artwork
1.173. redhat-release
1.174. redhat-release-notes
1.175. rgmanager
1.176. rhn-client-tools
1.177. rhnlib
1.178. rhnsd
1.179. rhpxl
1.180. rsyslog
1.181. ruby
1.182. samba
1.183. samba3x
1.184. sblim
1.185. screen
1.186. scsi-target-utils
1.187. selinux-policy
1.188. sendmail
1.189. shadow-utils
1.190. sosreport
1.191. squid
1.192. squirrelmail
1.193. star
1.194. strace
1.195. sudo
1.196. sysklogd
1.197. system-config-cluster
1.198. system-config-lvm
1.199. system-config-securitylevel
1.200. system-config-services
1.201. systemtap
1.202. tar
1.203. taskjuggler
1.204. tcpdump
1.205. tcsh
1.206. tog-pegasus
1.207. util-linux
1.208. valgrind
1.209. vconfig
1.210. vino
1.211. virt-manager
1.212. vixie-cron
1.213. vsftpd
1.214. wdaemon
1.215. wget
1.216. wpa_supplicant
1.217. xen
1.218. xerces-j2
1.219. xmlsec1
1.220. xorg-x11-drivers
1.221. xorg-x11-drv-ast
1.222. xorg-x11-drv-evdev
1.223. xorg-x11-drv-fbdev
1.224. xorg-x11-drv-i810
1.225. xorg-x11-drv-mga
1.226. xorg-x11-drv-nv
1.227. xorg-x11-drv-qxl
1.228. xorg-x11-drv-vesa
1.229. xorg-x11-server
1.230. xorg-x11-xdm
1.231. xterm
1.232. yaboot
1.233. yp-tools
1.234. yum
1.235. yum-rhn-plugin
2. New Packages
2.1. RHEA-2010:0305: freeradius2
2.2. RHEA-2010:0240: gpxe
2.3. RHEA-2010:0199: gsl
2.4. RHEA-2010:0217: iwl1000-firmware
2.5. RHEA-2010:0220: iwl6000-firmware
2.6. RHEA-2010:0276: postgresql84
2.7. RHEA-2010:0268: python-dmidecode
2.8. RHEA-2010:0249: tunctl
2.9. RHEA-2010:0189: xz ............................................................................................... 292
3. Technology Previews 293
4. Capabilities and Limits 299
5. Known Issues 301
5.1. anaconda ................................................................................................................. 301
5.2. cmirror ..................................................................................................................... 304
5.3. compiz ..................................................................................................................... 304
vii
Technical Notes
5.4. ctdb ......................................................................................................................... 305
5.5. device-mapper-multipath ........................................................................................... 305
5.6. dmraid ..................................................................................................................... 306
5.7. dogtail ...................................................................................................................... 307
5.8. firstboot .................................................................................................................... 307
5.9. gfs2-utils .................................................................................................................. 308
5.10. gnome-volume-manager .......................................................................................... 308
5.11. initscripts ................................................................................................................ 309
5.12. iscsi-initiator-utils ..................................................................................................... 309
5.13. kernel-xen .............................................................................................................. 309
5.14. kernel ..................................................................................................................... 312
5.15. kexec-tools ............................................................................................................. 317
5.16. krb5 ....................................................................................................................... 318
5.17. kvm ........................................................................................................................ 318
5.18. less ........................................................................................................................ 322
5.19. libcmpiutil ............................................................................................................... 322
5.20. libvirt ...................................................................................................................... 322
5.21. lvm2 ....................................................................................................................... 322
5.22. mesa ...................................................................................................................... 323
5.23. mkinitrd .................................................................................................................. 323
5.24. openib .................................................................................................................... 323
5.25. openmpi ................................................................................................................. 324
5.26. qspice .................................................................................................................... 324
5.27. systemtap ............................................................................................................... 324
5.28. virtio-win ................................................................................................................. 325
5.29. xorg-x11-drv-i810 .................................................................................................... 325
5.30. xorg-x11-drv-nv ....................................................................................................... 326
5.31. xorg-x11-drv-vesa ................................................................................................... 326
5.32. yaboot .................................................................................................................... 327
5.33. xen ........................................................................................................................ 327
A. Package Manifest 329
A.1. Added Packages ..................................................................................................... 329
A.2. Dropped Packages .................................................................................................. 331
A.3. Updated Packages .................................................................................................. 331
B. Revision History 459
viii

Preface

The Red Hat Enterprise Linux 5.5 Technical Notes list and document the changes made to the Red Hat Enterprise Linux 5 operating system and its accompanying applications between minor release Red Hat Enterprise Linux 5.4 and minor release Red Hat Enterprise Linux 5.5.
For system administrators and others planning Red Hat Enterprise Linux 5.5 upgrades and deployments, the Technical Notes provide a single, organized record of the bugs fixed in, features added to, and Technology Previews included with this new release of Red Hat Enterprise Linux.
For auditors and compliance officers, the Red Hat Enterprise Linux 5.5 Technical Notes provide a single, organized source for change tracking and compliance testing.
For every user, the Red Hat Enterprise Linux 5.5 Technical Notes provide details of what has changed in this new release.
The Technical Notes also include, as an Appendix, the Red Hat Enterprise Linux Package Manifest: a listing of every changed package in this release.
Chapter 1. Package Updates

1.1. acl

1.1.1. RHBA-2009:1652: bug fix update

Note
This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1652
Updated acl packages that fix a bug are now available.
Access Control Lists (ACLs) are used to define finer-grained discretionary access rights for files and directories. The acl packages contain the getfacl and setfacl utilities needed for manipulating access control lists.
This update fixes the following bugs:
* the "setfacl" command, which sets the access control lists for files, always returned an exit status of 0, even when the command failed and printed out error messages. With this update, setfacl exits with the correct exit status upon failure. (BZ#368451)
* running "setfacl -- --test" caused setfacl to segmentation fault. This has been fixed in this update. (BZ#430458)
* running the "setfacl" command with the '-P' flag (the short form of the '--physical' option), which is supposed to cause "setfacl" to skip over any symbolic links it encounters, did not work as expected: symbolic links were still followed. This update fixes this so that the '-P' flag works as expected and symbolic links are silently skipped over. (BZ#436070)
* the "setfacl" command failed to resolve relative symbolic links when it encountered them unless they were specified with a trailing forward-slash character (in the case of relative symbolic links to directories), or the script or shell prompt's working directory was the directory which contained the relative symbolic link(s). With this update, relative symbolic links are handled correctly by setfacl regardless of where they are encountered or what their target is. (BZ#500095)
* the "getfacl" and "setfacl" commands did not properly handle non-ASCII characters, with the result that calling either command on a system with the correct locale settings still produced incorrect output, such as octal character representations. With this update, getfacl and setfacl are now able to produce correct output when using non-ASCII character sets. (BZ#507747)
All users of Access Control Lists should upgrade to these updated packages, which resolve these issues.
BZ#368451: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=368451
BZ#430458: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=430458
BZ#436070: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=436070
BZ#500095: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=500095
BZ#507747: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=507747

1.2. acpid

1.2.1. RHBA-2010:0004: bug fix update

Note
This update has already been released (prior to the GA of this release) as errata RHBA-2010:0004
An updated acpid package that fixes a bug is now available.
acpid is a daemon that dispatches ACPI (Advanced Configuration and Power Interface) events to user-space programs.
This updated acpid package fixes the following bug:
* the acpid package that was included with the Red Hat Enterprise Linux 5.4 update contained a package update script that returned a non-zero exit code when the /var/log/acpid log file did not exist. Consequently, if the acpid daemon had never been started on the system, and therefore /var/log/acpid did not exist, the faulty check caused the update process to fail, which could have resulted in two different acpid packages being installed on the same system and registered with the RPM database (rpmdb). This updated acpid package removes the spurious record from the rpmdb, thus resolving the problem. (BZ#548374)
All users of acpid are advised to upgrade to this updated package, which resolves this issue.

1.2.2. RHSA-2009:1642: Important security update

Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1642
An updated acpid package that fixes one security issue is now available for Red Hat Enterprise Linux 5.
This update has been rated as having important security impact by the Red Hat Security Response Team.
acpid is a daemon that dispatches ACPI (Advanced Configuration and Power Interface) events to user-space programs.
It was discovered that acpid could create its log file ("/var/log/acpid") with random permissions on some systems. A local attacker could use this flaw to escalate their privileges if the log file was created as world-writable and with the setuid or setgid bit set. (CVE-2009-4033)
Please note that this flaw was due to a Red Hat-specific patch (acpid-1.0.4-fd.patch) included in the Red Hat Enterprise Linux 5 acpid package.
Users are advised to upgrade to this updated package, which contains a backported patch to correct this issue.
BZ#548374: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=548374
CVE-2009-4033: https://www.redhat.com/security/data/cve/CVE-2009-4033.html
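A check for the condition described in RHSA-2009:1642, given here as an added example (it is not Red Hat's code and not part of the erratum): it walks a log directory and reports regular files whose mode is world-writable or carries the setuid or setgid bit, marking the combination the advisory names as an escalation risk. The function names and the default root of /var/log are assumptions made for the example.

```python
import os
import stat

# Assumption for this example: sweep /var/log unless another root is given.
DEFAULT_ROOT = "/var/log"


def describe_mode(mode):
    """Return the risky properties present in an st_mode value."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_ISUID:
        findings.append("setuid")
    if mode & stat.S_ISGID:
        findings.append("setgid")
    return findings


def is_escalation_risk(mode):
    """True for the combination named in the advisory:
    world-writable AND (setuid OR setgid)."""
    world_writable = bool(mode & stat.S_IWOTH)
    set_id = bool(mode & (stat.S_ISUID | stat.S_ISGID))
    return world_writable and set_id


def audit_tree(root=DEFAULT_ROOT):
    """Walk root and report regular files that have any risky mode bit.

    Symbolic links are examined with lstat and never followed, so a link
    that points outside the tree is not reported as if it were a log file.
    Returns a list of dicts sorted by path.
    """
    report = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished (log rotation) or cannot be read
            if not stat.S_ISREG(st.st_mode):
                continue
            findings = describe_mode(st.st_mode)
            if findings:
                report.append({
                    "path": path,
                    "mode": "%04o" % stat.S_IMODE(st.st_mode),
                    "owner_uid": st.st_uid,
                    "findings": findings,
                    "escalation_risk": is_escalation_risk(st.st_mode),
                })
    return sorted(report, key=lambda entry: entry["path"])


if __name__ == "__main__":
    for entry in audit_tree():
        level = "CRITICAL" if entry["escalation_risk"] else "warning"
        print("%s %s mode=%s uid=%d %s" % (
            level, entry["path"], entry["mode"],
            entry["owner_uid"], ",".join(entry["findings"])))
```

Run it as root so that every directory under the chosen root can be read; directories that cannot be listed are skipped silently by os.walk.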

1.3. aide

1.3.1. RHBA-2010:0036: bug fix update

Note
This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0036
An updated aide package that allows proper operation with the recently updated version of libgcrypt and makes minor man page changes is now available.
Advanced Intrusion Detection Environment (AIDE) is a program that creates a database of files on a system, and then uses that database to ensure file integrity and detect system intrusions.
This updated aide package includes the following fixes:
* the current version of libgcrypt includes a version-checking initialization step that aide was not performing. Running "aide -i" logged the following message to /var/log/messages:
aide: Libgcrypt warning: missing initialization - please fix the application
With this update, aide now includes the version-checking step required by libgcrypt and the libgcrypt warning is, consequently, no longer written to /var/log/messages. Note: although based on a proposed upstream patch, this update leaves secure memory enabled, unlike the proposed upstream change. (BZ#530485)
* the FILES section of the aide man page previously listed the locations for aide.conf, aide.db.gz and aide.db.new.gz with a prepended "%prefix" variable. The updated aide man page removes this variable, listing the file locations as complete but plain paths (e.g. "/etc/aide.conf"). (No BZ#)
All aide users are advised to upgrade to this updated package, which includes this bug fix and man page change.
BZ#530485: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=530485

1.4. anaconda

1.4.1. RHBA-2010:0194: bug fix and enhancement update

Anaconda is the system installer.
This updated anaconda package provides fixes for the following bugs:
• previously, when anaconda could not read the extended display identification data (EDID) of a monitor, it reverted to text mode. However, EDID information is frequently not available on systems connected to Keyboard–Video–Mouse (KVM) switches. Therefore, when installing Red Hat Enterprise Linux 5 on a system with a KVM switch, installation would be constrained to text mode. Anaconda no longer checks for bad or missing EDID, and allows graphical installation to proceed even when this information is unavailable. Graphical installation on machines attached to KVM switches therefore continues as if the monitor were connected directly to the graphics adapter. (BZ#445486)
• previously, anaconda expected storage devices to be available immediately when it probed for the location of a kickstart file. On systems where USB storage might not be available immediately (for example, IBM BladeCenter systems), anaconda would not find the kickstart file and would prompt the user for its location. This interaction negated the usefulness of kickstart, since the installation could not then complete unattended. Anaconda now waits until it has probed five times or for more than 31 seconds before prompting the user for the location of a kickstart file. This allows USB storage enough time to respond and for kickstart to proceed unattended. (BZ#460566)
• previously, some user interface elements in the Malayalam translation of anaconda overlapped. The overlapping elements disabled some buttons in the screen where anaconda lets users choose a partitioning scheme for the system, and prevented installation from continuing. The text of the Malayalam translation has been shortened so that the interface elements no longer overlap. The buttons on the partitioning scheme screen now work correctly and allow installation to continue. (BZ#479353)
• during installation, anaconda automatically examines any storage device that has the label OEMDRV for driver updates and applies any updates that it finds there. Previously, anaconda searched for this label on the devices listed in /proc/partitions. However, /proc/partitions does not identify CD or DVD media, so anaconda overlooked optical disks that had the correct label. Anaconda now examines the devices listed in /sys/block. Therefore, anaconda correctly identifies CDs and DVDs labelled OEMDRV as driver discs and automatically applies any driver updates contained on them. (BZ#485060)
• previously, if anaconda required network access early in an installation (for example, to retrieve a kickstart file or driver disk image), it temporarily saved information about the network configuration while it enabled access to the network. However, if anaconda required network access again for a separate reason, it would not attempt to configure network access again, but would not be able to connect to the network either, because it no longer retained the configuration information that it had already used. Therefore, anaconda could not download both a kickstart file and a driver disk image over a network. Anaconda now retains the network configuration that it obtains early in the installation process, and can reuse this information multiple times. Therefore, anaconda can use more than one resource obtained over a network during installation. (BZ#495042)
• previously, while upgrading a system, anaconda did not check whether packages marked for installation as dependencies were already installed on the system. Consequently, many packages would be reinstalled during an upgrade, wasting time and, in the case of network installations, bandwidth. Now, when performing an upgrade, anaconda matches the packages to be installed against the packages that are already installed. Any packages with the same Name, Arch, Epoch, Version, Release (NAEVR) as a package already on the system are skipped and not reinstalled. (BZ#495796)
• previously, anaconda did not specify a value for HOTPLUG when writing the system's networking configuration files, although it did write a value for ONBOOT. Because HOTPLUG is enabled by default, the effect of disabling ONBOOT was limited because any interface not activated at boot time would be enabled anyway whenever probed by the system. Anaconda now writes a value for HOTPLUG, setting it to the same value as ONBOOT. Therefore, any network interface not meant to be enabled at boot time will not be automatically enabled by probing either. (BZ#498086)
• the part kickstart command accepts an option called --label that allows a label to be applied to a disk partition during a kickstart installation. However, the code that implemented this option was previously missing from anaconda. Any label specified in a kickstart file was therefore ignored. Anaconda now includes code to transfer the specified label from the kickstart file to the disk partition. Users can now label disk partitions during kickstart installations. (BZ#498856)
• when running in rescue mode, anaconda previously lacked the ability to identify partitions on logical volumes if the partitions were identified in fstab by label rather than by device name. Therefore, if the root (/) partition were identified in this way, the usefulness of rescue mode would be limited. Anaconda in rescue mode now uses the getLabels() method to find partitions and therefore properly detects the root partition even if it resides on a logical volume and is identified by label in fstab. (BZ#502178)
• previously, the help text available while configuring NETTYPE for IBM System z systems did not mention HiperSockets. Users new to System z might therefore not have known to choose qeth to configure HiperSocket interfaces on their hardware. The help text has now been updated to indicate the correct choice and users can select the appropriate option. (BZ#511962)
• when RUNKS was set to 0 in the CMSCONFFILE file on IBM System z systems, anaconda should have performed an installation in interactive mode. However, a rewrite of linuxrc.s390 changed the behavior of RUNKS and led to anaconda ignoring this variable. Installation would therefore proceed in non-interactive mode regardless of what value was set in CMSCONFFILE. A new test is now included in the version of linuxrc.s390 in Red Hat Enterprise Linux 5.5 so that anaconda honors RUNKS=0 and performs an interactive install if this value is set. (BZ#513951)
• by design, anaconda recognizes any block device with the label OEMDRV as a driver disc and searches it for a driver update. However, anaconda previously failed to examine dev nodes and therefore, it would not recognize this label on USB storage devices mounted as partitionless block devices. Anaconda now examines dev nodes for the label OEMDRV and treats them the same as partitions with this label. It is therefore possible to use a partitionless device as a driver disc. (BZ#515437)
• previously, anaconda did not reinitialize its record of the partition layout on a system when users clicked the back button from the partitioning screen. Therefore, when a user selected a partition layout, went back to an earlier screen, and then went forward again to choose a different partition layout, anaconda would attempt to implement the new partition layout over the previously-selected partition layout instead of the partition layout actually present on the system. This would sometimes result in a crash. Now, when users step backwards from the partitioning screen, anaconda reinitializes its record of the partitions present on the system. Users can therefore change their minds about partitioning options without crashing anaconda. (BZ#516715)
• systems store information about iSCSI targets to which they are connected in the iSCSI Boot Firmware Table (iBFT) in BIOS. Previously, however, when anaconda installed Red Hat Enterprise Linux 5 from a local installation source such as a CD, DVD, or hard disk, it would not initialize network connections before asking users to configure storage on the system. Therefore, on systems with iSCSI storage, users would have to configure a network connection manually before proceeding with installation, even when this information was already available to anaconda in the system BIOS. Now, when anaconda detects a valid iBFT present on a system, it automatically loads the network configuration specified there and does not require users to enter this information. Installation from local media on systems with iSCSI storage is therefore simpler and more reliable. (BZ#517768)
• due to faulty logic, anaconda previously did not parse IPv6 addresses correctly and attempted to read the final byte of the address as a port number. It was therefore not possible, for example, to install on an iSCSI target specified by an IPv6 address. The logic by which anaconda parses IP addresses has now been corrected, but now requires IPv6 addresses to be specified in the [address]:port form to comply with the relevant RFCs. This form removes ambiguity, since IPv6 addresses are still valid if they omit a sequence of bytes with zero values. When IPv6 addresses are specified in this format, anaconda parses them correctly and installation continues as normal. (BZ#525054)
• comments in kickstart files are marked with a pound symbol (#) at the start of the line. However, anaconda did not previously account for the possibility that users might mark a comment with multiple pound symbols (for example, #####). Anaconda would therefore attempt to parse lines that started with multiple pound symbols and installation would fail. Anaconda now recognizes lines that start with multiple pound symbols as comments and does not attempt to parse them. Users can now safely mark comments in kickstart files in this way. (BZ#525676)
• to avoid a circular dependency that exists between the ghostscript and ghostscript-fonts packages, anaconda ignored ghostscript's dependency on ghostscript-fonts. However, ghostscript-fonts was not explicitly installed as part of the Printing package group. The usefulness of Ghostscript as installed by anaconda was therefore limited. Anaconda still avoids the circular dependency, but now specifically installs ghostscript-fonts when users select the Printing package group. (BZ#530548)
• previously, anaconda did not automatically instruct the kernel to check for multipath devices when installing on IBM System z systems. Therefore, unless users booted with the mpath boot option, iSCSI devices detected on more than one path would be represented in the installer multiple times, one for each path. Anaconda now automatically loads the mpath boot option and therefore represents multipath devices correctly. (BZ#538129)
• Dell PowerEdge servers equipped with the SAS6i/R integrated RAID controller use BIOS Enhanced Disk Drive Services (EDD) to identify the storage device from which to boot the operating system. Previously, anaconda did not parse EDD to identify the correct boot device. Consequently, with a RAID 0 and RAID 1 configured on the system, anaconda would choose the wrong device and the system would not be bootable. Anaconda now parses EDD to support the SAS6i/R integrated RAID controller, so that it selects the correct boot device for systems that use this device. (BZ#540637)
• previously, anaconda would always attempt to reconstruct pre-existing Logical Volume Management (LVM) devices during installation. Anaconda would attempt to recreate the LVM device even when a user cleared the LVM partitions from one or more of the disks that held partitions that formed part of a volume group. In this case, installation would fail. Now, anaconda no longer attempts to reconstruct incomplete LVM devices. Users can therefore safely reallocate storage that was once part of a volume group and installation will proceed as expected. (BZ#545869)
• when ksdevice=link is set in a kickstart file, anaconda should automatically select the first available network interface and use it during installation. This avoids the need for user input and allows installation to proceed unattended. However, if interfaces were in a state where anaconda could not determine their status, anaconda would revert to interactive mode and prompt the user to select a network interface, thus making unattended installation impossible on systems where network interfaces could be in such a state. Anaconda now forces the network interfaces on the system into IFF_UP and IFF_RUNNING states before it attempts to obtain link status. Because the interfaces are now in a state where they can report their link status to anaconda, anaconda can automatically choose one to use during installation and kickstart installations can proceed unattended. (BZ#549751)
• previously, when installing on IBM System z systems, anaconda assumed that the network gateway was unreachable if its attempt to ping the gateway timed out after 10 seconds. Anaconda would then prompt the user to select a gateway. However, if IPADDR in the conf file has changed recently, network interfaces take longer to respond. Anaconda now prompts the user only when three pings have failed and therefore avoids prompting the user for gateway information that is already correctly specified in the conf file. (BZ#506742)
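The IPv6 parsing fix in the list above (BZ#525054) turns on why the [address]:port form is unambiguous. The following added example, which is not anaconda's code, contrasts a split on the last colon with a parser that accepts a port on an IPv6 literal only in bracketed form. The function names are hypothetical, and the addresses (documentation ranges) and port 3260 are constructed sample values.

```python
import ipaddress


def naive_split(spec):
    """Ambiguous approach: treat whatever follows the last colon as a port."""
    host, _sep, port = spec.rpartition(":")
    return host, port


def _parse_port(text):
    """Validate a decimal TCP port and return it as an int."""
    if not (text.isascii() and text.isdigit()):
        raise ValueError("port is not a decimal number: %r" % text)
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return port


def parse_target(spec):
    """Parse 'host', 'host:port', a bare IPv6 literal or '[v6addr]:port'.

    Returns (host, port) with port as an int, or None when no port is given.
    Raises ValueError on malformed input.
    """
    spec = spec.strip()
    if spec.startswith("["):
        end = spec.find("]")
        if end == -1:
            raise ValueError("missing closing bracket: %r" % spec)
        host = spec[1:end]
        ipaddress.IPv6Address(host)  # raises ValueError if not a valid literal
        rest = spec[end + 1:]
        if rest == "":
            return host, None
        if not rest.startswith(":"):
            raise ValueError("expected ':port' after ']': %r" % spec)
        return host, _parse_port(rest[1:])
    if spec.count(":") >= 2:
        # Several colons and no brackets: only a bare IPv6 literal is
        # acceptable. The trailing group is never guessed to be a port.
        ipaddress.IPv6Address(spec)
        return spec, None
    host, sep, port = spec.partition(":")
    if not host:
        raise ValueError("empty host: %r" % spec)
    return host, (_parse_port(port) if sep else None)


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("[2001:db8::1]:3260", "2001:db8::1:3260",
                   "192.0.2.10:3260", "storage.example.com"):
        print("%-22s naive=%r strict=%r"
              % (sample, naive_split(sample), parse_target(sample)))
```

The second sample shows the ambiguity: 2001:db8::1:3260 is itself a valid IPv6 address, so the split on the last colon silently turns its final group into port 3260, while the bracket-aware parser returns the whole address with no port.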
In addition, this updated package provides the following enhancements:
• after transferring installation files to a z/VM guest, a user must execute a series of Conversational Monitor System (CMS) commands to IPL the zLinux installation. These commands can be scripted, but no such script was previously included with Red Hat Enterprise Linux 5. The lack of a readymade script made installation more difficult for users unfamiliar with CMS commands. The CMS script for starting the install process on z/VM is now included in the Red Hat Enterprise Linux 5 images, simplifying installation. (BZ#475343)
• anaconda now loads the Brocade BNA Ethernet Controller driver, and supports Brocade Fibre Channel to PCIe Host Bus Adapters. (BZ#475707)
• previously, anaconda did not offer users the opportunity to configure NFS options during interactive installation (although these could be configured in kickstart files). Users who needed to fine-tune NFS parameters for installation were therefore forced to run an unattended installation. Now, anaconda presents users who select NFS installation with a dialog in which they can configure NFS options to suit their needs. (BZ#493052)
• previously, it was not possible to configure hypervisor parameters during a kickstart installation. As a result, users needed to specify hypervisor parameters manually after installation, negating the usefulness of kickstart as a mechanism for unattended installations. Now, anaconda recognizes a new kickstart option, --hvargs, and sets Hypervisor parameters accordingly. (BZ#501438)
• previously, during a kickstart installation when multiple multipath LUNs were available, anaconda would automatically choose the LUN with the lowest ID number for the root device. Users had no ready way to customize this behavior. Now, anaconda supports a multipath kickstart command with --name and --device options that allow users to specify a LUN for root. (BZ#502768)
• anaconda can retrieve kickstart files from FTP servers. Previously, however, anaconda did not support users specifying authentication credentials to access an FTP server. Therefore, if access to the server were protected by a passphrase, anaconda could not retrieve the kickstart file. Now, when specifying the location of a kickstart file with the ks= boot option, users can provide a passphrase to allow anaconda to retrieve the kickstart files from a protected server. (BZ#505424)
• previously, troubleshooting errors that occurred while running %pre and %post kickstart scriptlets was very difficult because anaconda did not log the behavior of these scriptlets. Anaconda now copies %pre and %post kickstart scriptlets to /tmp together with a log. These records make troubleshooting kickstart installations easier. (BZ#510636)
• Reipl is a kernel feature that instructs IBM System z systems where to boot next, as these systems do not have a default boot location. Anaconda did not previously support Reipl, which meant that during installation, users had to specify a boot location manually between different phases of the installation. Anaconda now supports Reipl, so these reboots can happen automatically. (BZ#512195)
• NPort ID Virtualization (NPIV) presents one physical Fibre Channel adapter port to the SAN as multiple WWNN/WWPN pairs. Anaconda now supports NPIV, which allows users on PowerPC systems to install to a NPIV LUN. (BZ#512237)
• the Python executables that make up anaconda now all explicitly use the system Python (#! /usr/bin/python instead of #! /usr/bin/env python). This ensures that anaconda functions correctly when more than one Python stack is present on a system. (BZ#521337)
• anaconda now supports the Emulex OneConnect iSCSI network interface card. (BZ#529442)
• anaconda now supports PMC Sierra MaxRAID controller adapters. (BZ#532777)
• although users have been able to specify package groups for installation in kickstart files, using the @ prefix, it was not possible to exclude package groups from installation, only individual packages. Anaconda now supports excluding package groups with the -@ prefix. (BZ#558516)
• anaconda now loads the xorg-x11-qxl-drv and xorg-x11-ast-drv X11 video drivers as required. xorg-x11-qxl-drv supports the qemu QXL video accelerator when installing Red Hat Enterprise Linux 5 as a guest operating system. xorg-x11-ast-drv supports ASPEED Technologies video hardware. (BZ#567666)

1.5. apr-util

1.5.1. RHEA-2010:0310: enhancement update

Updated apr-util packages that add support for MySQL are now available.
apr-util is a utility library used with the Apache Portable Runtime (APR). It aims to provide a free library of C data structures and routines. This library contains additional utility interfaces for APR; including support for XML, LDAP, database interfaces, URI parsing, and more.
In previous releases, the APR utility library DBD (database abstraction) interface did not include support for MySQL databases. This update adds the MySQL driver to the DBD interface. (BZ#252073 [49], BZ#491342 [50])
All users requiring MySQL support should install these newly released packages, which add this enhancement.

1.6. at

1.6.1. RHBA-2009:1654: bug fix and enhancement update

Note
This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1654
[49] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=252073
[50] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=491342
An updated "at" package that adds and documents a configuration enhancement and corrects the -debuginfo build is now available.
"At" and "Batch" read commands from standard input or from a specified file. At allows you to specify that a command will be run at a particular time. Batch will execute commands when the system load levels drop to a particular level. Both commands use /bin/sh.
This update addresses the following issue:
* Although "at" contains ELF objects, the at-debuginfo package was empty. With this update the -debuginfo package contains valid debugging information as expected. (BZ#500542 [52])
This update also adds the following enhancements:
* Previously, the atd daemon ran with hard-coded options and could only be configured at the command-line. The atd daemon now reads a configuration file, /etc/sysconfig/atd, when it starts up, enabling easier configuration, particularly for load options and multiprocessor systems. (BZ#232259 [53])
* The DESCRIPTION section of the "at" man page has been updated to note the existence, location and purpose of the /etc/sysconfig/atd configuration file. Note: as the man page suggests, the sample configuration file included with this update is the primary source of information about atd configuration options. (BZ#537792 [54])
Users are advised to upgrade to this updated package, which fixes this bug and adds these enhancements.

1.7. audit

1.7.1. RHBA-2010:0228: bug fix update

An updated audit package that fixes various bugs and provides an enhancement is now available.
The audit package contains the user space utilities for storing and searching the audit records generated by the audit subsystem in the Linux 2.6 kernel.
This update includes the following fixes:
* The man page was ambiguous in explaining the structure of dates and the supplied examples often did not work because of different date formats in various locales. This caused some confusion amongst users. The page has been rewritten to clarify that the date format accepted by aureport and ausearch is influenced by the LC_TIME environmental variable, eliminating the confusion about this issue. (BZ#513974 [55])
* The audit package's libauparse function had a bug that meant it could not interpret IPC (inter-process communication) mode fields. When it attempted to do so, a segmentation fault would occur. The audit package has now been patched so that IPC mode fields are interpreted by the software without crashes resulting. (BZ#519790 [56])
This update also includes the following enhancement:
[52] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=500542
[53] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=232259
[54] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=537792
[55] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=513974
[56] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=519790
* The audit package has been rebased and, as a result, a number of new features have been added. These include:
1. Allowing ausearch/report to specify multiple node names (which are needed for remote logging).
2. auparse can now handle empty AUSOURCE_FILE_ARRAYs.
3. auditctl rules now allow a0-a3 to be negative numbers.
4. An audit.rules man page has been added.
5. auditd resets syslog warnings if disk space becomes available.
6. The != operator in audit_rule_fieldpair_data is now checked.
7. A tcp_max_per_addr option has been added to auditd.conf in order to limit concurrent connections.
8. Many improvements to remote logging code.
As a result, these enhancements are now available for system administrators, making auditing options much more flexible. (BZ#529851 [57])

1.8. autofs

1.8.1. RHBA-2009:1468: bug fix update

Note
This update has already been released (prior to the GA of this release) as errata RHBA-2009:1468
An updated autofs package that fixes two bugs is now available.
The autofs utility controls the operation of the automount daemon. The automount daemon automatically mounts file systems when you use them, and unmounts them when they are not busy.
This updated package fixes the following two autofs bugs:
* autofs was incorrectly using a non-thread-safe libxml2 function as though it was thread-safe. This sometimes resulted in autofs crashing. With this update the calls to xmlCleanupParser() and xmlInitParser() have been moved: these functions are now only called as autofs starts and exits, ensuring these libxml2 functions are not called more than once while autofs is running. (BZ#523188 [59])
* A recent correction related to autofs master map entry updating introduced a regression whereby it was possible to deadlock when requesting a map re-load when an entry in a direct map had been removed. This update adds a check that ensures such map re-load requests do not cause a deadlock. (BZ#525431 [60])
All autofs users should install this updated package which addresses these issues.

1.8.2. RHBA-2010:0265: bug fix update

The autofs utility controls the operation of the automount daemon. The automount daemon automatically mounts file systems when you use them, and unmounts them when they are not busy.
This updated package fixes the following bugs:
[57] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=529851
[59] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=523188
[60] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=525431
• If an included map read failed, autofs returned an error and subsequent master map entries were not read. This update reports the failure in the log but master map reading no longer ceases. (BZ#506034 [61])
• autofs could segfault if it called xmlCleanupParser concurrently from multiple threads, as this function is not re-entrant. autofs has been changed to call this function only once from its main thread, when the application exits. (BZ#513289 [62])
• autofs could segfault at startup when using LDAP under certain circumstances. autofs would fail to try and retrieve a query dn if:
  • LDAP is being used to store autofs maps and...
  • The LDAP schema to be used for the maps is explicitly defined in the autofs configuration and...
  • No master map entries exist in LDAP.
This set of conditions would return success instead of failure. This update fixes the get query dn failure. (BZ#572603 [63])
• If a master map entry is changed in any other way besides the map name (for example, map wide options) the system encountered two application data structures for the "same" map during a map re-read. If the contents of that map have also changed, a deadlock can occur.
Having the duplicate data structure also caused entries in the problem map to be umounted. Since direct mount maps have a distinct autofs mount for each entry, direct mounts appeared to stop working. This update corrects this behaviour. (BZ#514412 [64])
• autofs would block for several minutes when attempting to mount from a server that was not available. A new mount_wait parameter has been added to prevent this block. This update requires SELinux policy 255 or later. (BZ#517349 [65])
• The autofs parser objected to locations containing the characters '@' and '#' (Lustre and sshfs mounts) causing the mount request to fail. This update allows autofs to parse these characters and mount successfully. (BZ#520745 [66])
• Due to an incorrect system call an error message stating "Operation not permitted" would be returned when attempting to mount an unknown hostname. This call has been corrected and autofs now returns "hostname lookup failed" as would be expected. (BZ#533323 [67])
• A typing error in the usage text of the autofs service script has been corrected. (BZ#534012 [68])
• When changing the timed wait from using select(2) to poll(2) in the non-blocking TCP connection function, to overcome the 1024 file handle limit of select(2), the wait timeout was not correctly converted from seconds to milliseconds. This update corrects the problem. (BZ#539747 [69])
• autofs failed to mount locations whose path depended on another local auto-mounted mount. Dependent mounts are triggered by calling access(2) on the mount location path prior to mounting the location. The check for whether a location was a local path was restrictive and didn't cater for all cases. This has now been fixed. (BZ#537403 [70])
• Inter-operability between autofs and some non-open source LDAP servers was impaired when a SASL authenticated connection was used over multiple bind and unbind operations. autofs has been updated to use a distinct authentication connection for each server it binds to. (BZ#537793 [71])
• autofs failed to load its maps if all LDAP servers were down, or unreachable, when the daemon started. The dependency on an LDAP server being available at startup has been removed. This change resolved the issue of the map server being unreachable for some common usage cases. (BZ#543554 [72])
• The random selection option used with mount locations that have multiple servers was not being set correctly during the parsing of master map entries. If specified as a mount option in master map entries the option is now used as has been requested. (BZ#548476 [73])
• Setting the expire timeout to 0 was causing autofs to constantly schedule expire runs leading to excessive resource usage and premature umounting of mounts. Setting the timeout to 0 should in fact disable expiry of mounts and this update fixes this incorrect behavior. (BZ#548277 [74])
• autofs would abort when using DIGEST-MD5 authentication under heavy concurrent access. This was caused by autofs not providing the locking functions required by the cyrus-sasl library. In addition the cyrus-sasl library locking functions contained a race which sometimes led to a deadlock. This update adds the needed locking functions to autofs and passes them to cyrus-sasl at initialization. The bug in the cyrus-sasl library is fixed in cyrus-sasl-lib 2.1.22-5.el5.el5_4.3 and later which is required for the update to install if cyrus-sasl is also installed. (BZ#559430 [75])
All autofs users should upgrade to this updated package, which resolves these issues.

1.9. automake

1.9.1. RHSA-2010:0321: Low security update

Updated automake, automake14, automake15, automake16, and automake17 packages that fix one security issue are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
Automake is a tool for automatically generating Makefile.in files compliant with the GNU Coding Standards.
Automake-generated Makefiles made certain directories world-writable when preparing source archives, as was recommended by the GNU Coding Standards. If a malicious, local user could access the directory where a victim was creating distribution archives, they could use this flaw to modify the files being added to those archives. Makefiles generated by these updated automake packages no longer make distribution directories world-writable, as recommended by the updated GNU Coding Standards. (CVE-2009-4029 [76])
Note: This issue affected Makefile targets used by developers to prepare distribution source archives. Those targets are not used when compiling programs from the source code.
All users of automake, automake14, automake15, automake16, and automake17 should upgrade to these updated packages, which resolve this issue.
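To find Makefile.in files that still carry the world-writable behaviour described above, the following added example (not part of the Red Hat notes or of automake) scans recipe lines that touch $(distdir) and reports chmod modes that grant write access to "other". The two sample recipes are constructed for illustration and all function names are hypothetical.

```python
import re

OCTAL_RE = re.compile(r"[0-7]{3,4}")
CLAUSE_RE = re.compile(r"([ugoa]*)([+\-=])([rwxXst]*)")
# chmod, optional flags such as -R, then the mode argument.
CHMOD_RE = re.compile(r"\bchmod\s+(?:-[A-Za-z]+\s+)*(\S+)")


def grants_other_write(mode):
    """True if a chmod mode (octal or symbolic) leaves 'other' with write."""
    if OCTAL_RE.fullmatch(mode):
        return bool(int(mode, 8) & 0o002)
    other_w = False
    for clause in mode.split(","):
        m = CLAUSE_RE.fullmatch(clause)
        if m is None:
            return False  # not a mode this example understands
        who, op, perms = m.groups()
        # An empty 'who' means all classes (subject to umask); it is
        # flagged conservatively here.
        if who and not set(who) & {"o", "a"}:
            continue
        if op == "-":
            if "w" in perms:
                other_w = False
        elif op == "=":
            other_w = "w" in perms
        else:
            other_w = other_w or "w" in perms
    return other_w


def logical_lines(text):
    """Yield (first_line_number, joined_text) with backslash continuations merged."""
    buf, start = [], None
    for number, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = number
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, " ".join(part.strip() for part in buf)
        buf, start = [], None
    if buf:
        yield start, " ".join(part.strip() for part in buf)


def risky_dist_chmods(makefile_text):
    """Return [(line_number, mode)] for distdir recipes granting other-write."""
    findings = []
    for number, line in logical_lines(makefile_text):
        if "distdir" not in line:
            continue
        for match in CHMOD_RE.finditer(line):
            if grants_other_write(match.group(1)):
                findings.append((number, match.group(1)))
    return findings


# Constructed sample: a dist recipe that opens directories to everyone.
OLD_STYLE = "\n".join([
    "distdir: $(DISTFILES)",
    "\t-find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \\; -o \\",
    "\t  ! -type d ! -perm -444 -exec chmod a+r {} \\; \\",
    "\t|| chmod -R a+r $(distdir)",
])

# Constructed sample: the same recipe restricted to owner write.
NEW_STYLE = "\n".join([
    "distdir: $(DISTFILES)",
    "\t-find \"$(distdir)\" -type d ! -perm -755 -exec chmod u+rwx,go+rx {} \\; -o \\",
    "\t  ! -type d ! -perm -444 -exec chmod a+r {} \\; \\",
    "\t|| chmod -R a+r \"$(distdir)\"",
])

if __name__ == "__main__":
    for label, text in (("old", OLD_STYLE), ("new", NEW_STYLE)):
        print(label, risky_dist_chmods(text))
```

Because the flaw lives in generated Makefile.in files, projects need to regenerate them with the updated automake; a scan like this helps locate stale copies in source trees.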
[76] https://www.redhat.com/security/data/cve/CVE-2009-4029.html

1.10. avahi

1.10.1. RHBA-2010:0034: bug fix update

Note
This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0034
Updated avahi packages that address two bugs are now available.
Avahi is an implementation of the DNS Service Discovery and Multicast DNS specifications for Zeroconf Networking. It facilitates service discovery on a local network. Avahi and Avahi-aware applications allow you to plug your computer into a network and, with no configuration, view other people to chat with, see printers to print to, and find shared files on other computers.
This update fixes the following two bugs:
* Previously, avahi published a static SSH-SFTP service by default, regardless of the machine and regardless of whether an ssh server was running or not. As a result, all Red Hat Enterprise Linux instances also running Avahi appeared in the LAN listings of file browsers and file managers (e.g. "Places > Network" in Nautilus or "Go > Network Folders" in Konqueror) even if they were not acting as file servers. This update still includes a static SSH-SFTP service but it now ships as a deactivated example service (i.e., is not published by default). The static SSH-SFTP service can be activated manually, but systems running Avahi no longer appear in file manager LAN listings by default. (BZ#219143 [78])
* Previously, running the Avahi init scripts with a "status" argument resulted in a return code of 0, regardless of whether the daemons are running or not. This update corrects that: a missing avahi daemon now results in a failure return code (1) as expected. (BZ#232161 [79])
All avahi users should install these updated packages, which address these issues.

1.11. bind

1.11.1. RHSA-2010:0062: Moderate security update

Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0062
Updated bind packages that fix two security issues are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
[78] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219143
[79] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=232161
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
A flaw was found in the BIND DNSSEC NSEC/NSEC3 validation code. If BIND was running as a DNSSEC-validating resolver, it could incorrectly cache NXDOMAIN responses, as if they were valid, for records proven by NSEC or NSEC3 to exist. A remote attacker could use this flaw to cause a BIND server to return the bogus, cached NXDOMAIN responses for valid records and prevent users from retrieving those records (denial of service). (CVE-2010-0097 [81])
The original fix for CVE-2009-4022 was found to be incomplete. BIND was incorrectly caching certain responses without performing proper DNSSEC validation. CNAME and DNAME records could be cached, without proper DNSSEC validation, when received from processing recursive client queries that requested DNSSEC records but indicated that checking should be disabled. A remote attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if the target BIND server was receiving such client queries. (CVE-2010-0290 [82])
All BIND users are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues. After installing the update, the BIND daemon (named) will be restarted automatically.

1.11.2. RHSA-2009:1620: Moderate security update

Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1620
Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
Michael Sinatra discovered that BIND was incorrectly caching responses without performing proper DNSSEC validation, when those responses were received during the resolution of a recursive client query that requested DNSSEC records but indicated that checking should be disabled. A remote attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if the target BIND server was receiving such client queries. (CVE-2009-4022 [84])
All BIND users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the update, the BIND daemon (named) will be restarted automatically.
[81] https://www.redhat.com/security/data/cve/CVE-2010-0097.html
[82] https://www.redhat.com/security/data/cve/CVE-2010-0290.html
[84] https://www.redhat.com/security/data/cve/CVE-2009-4022.html

1.12. binutils

1.12.1. RHBA-2010:0304: bug fix update

Updated binutils packages that fix various bugs are now available.
Binutils is a collection of binary utilities, including ar (for creating, modifying and extracting from archives), as (a family of GNU assemblers), gprof (for displaying call graph profile data), ld (the GNU linker), nm (for listing symbols from object files), objcopy (for copying and translating object files), objdump (for displaying information from object files), ranlib (for generating an index for the contents of an archive), readelf (for displaying detailed information about binary files), size (for listing the section sizes of an object or archive file), strings (for listing printable strings from files), strip (for discarding symbols), and addr2line (for converting addresses to file and line).
These updated binutils packages provide fixes for the following bugs:
* The readelf debugging utility was placing subject error messages in the middle of the .debug_str in the stderr output. This meant that location lists in the .debug_info section that were not in ascending order could not be handled correctly and the debugger could pick the wrong function, leading to dropped debug information. A patch has now been added and, as a result, the location lists can now be handled correctly, irrespective of order. As a result, the debugger now picks the right function when looking up symbols and debug information is no longer dropped. (BZ#499164 [85], BZ#509124 [86])
* The strings command was not parsing files correctly. When used with a multi-digit <NUM> argument (such as strings -10 filename.txt) an "invalid integer argument" error would occur because it regarded each numeral as a separate argument. The parsing has now been corrected via a patch to strings.c.multidigit_input so that multi-digit numerals are regarded as parts of a single argument. As a result, files are now parsed correctly. (BZ#508765 [87])
* There was a regression in binutils-devel that caused it to build "oprofile" files incorrectly. As a result, bfd_get_section_by_name() returned incorrect information about the debuginfo section and an "opreport" error would occur. The bfd.h header's API has now been fixed to match the BFD library's ABI. As a result, the per-symbol profile is now generated correctly and the opreport runs without error. (BZ#529028 [88])
* There was a link failure whereby when a symbol in a comdat/linkonce section had a different level of visibility in different files, the linker could not merge the visibility. As a consequence, after the ld command was run, a "final link failed: Bad value" error would occur. A patch has been added to elflink.c.sym_visibility to make sure that the visibility is kept. As a result, ld can now merge different levels of visibility without error. (BZ#531269 [89])
Users are advised to upgrade to these updated binutils packages, which resolve these issues.
[85] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=499164
[86] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=509124
[87] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=508765
[88] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=529028
[89] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=531269

1.13. bogl

1.13.1. RHBA-2009:1593: bug fix update

Note
This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1593
Updated bogl packages that fix a bug are now available.
Ben's Own Graphics Library (BOGL) is a small graphics library for Linux kernel frame buffers. It supports only very simple graphics. The bogl packages also include bterm, a Unicode-capable terminal program for the Linux frame buffer.
These updated packages provide a fix for the following bug:
* When editing a file with vi from within the bterm console, a SIGSEGV error could occur, causing both vi and bterm to crash. This update adds a check that keeps "yorig" from equaling -1, which prevents the underlying memory reference error occurring. (BZ#517957 [91])
All bogl users are advised to upgrade to these updated packages, which resolve this issue.

1.14. bootparamd

1.14.1. RHBA-2010:0057: bug fix update

Note
This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0057
An updated bootparamd package that fixes a bug is now available.
Bootparamd is a server process that provides information to diskless clients necessary for booting, consulting the /etc/bootparams file for required information.
When bootparamd is used for multihomed environment handling, it would previously evaluate the route to be returned to the first requesting client and re-evaluate the route to be returned for each client thereafter. Even though it re-evaluates what router IP to return for each following client, it would always send back the first route, due to it being the one that was cached. This updated package ensures that no re-evaluation occurs concerning the router IP to return for each client. (BZ#446108 [93])
All users of bootparamd are advised to upgrade to this updated package, which resolves this issue.
[91] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=517957
[93] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=446108

1.15. booty

1.15.1. RHBA-2010:0185: bug fix and enhancement update

An updated booty package that fixes a bug and adds an enhancement is now available.
The booty package contains a python library which provides an interface for the creation of boot loader configuration files and the addition of stanzas to said configuration files. These boot loader configuration files are used by the anaconda installer.
This updated booty package fixes the following bug:
* Early in the installation process, anaconda creates a ramdisk to hold files that it will need to complete the installation. Previously, when installing the debug kernel for Red Hat Enterprise Linux on IBM System z, the ramdisk was larger than the default memory address that ZIPL allocated to hold the ramdisk. Installation would therefore fail. The /etc/zipl.conf file that booty creates for anaconda now explicitly specifies a suitable address for the ramdisk so that ZIPL does not rely on the insufficient default address. With enough space to create the ramdisk, installation succeeds. (BZ#429906 [94])
In addition, this updated package provides the following enhancement:
* Previously, there was no way to configure hypervisor parameters during a kickstart installation. Therefore, these parameters would have to be configured manually after installation. Red Hat Enterprise Linux now includes a new option for the "bootloader" command in kickstart, "--hvargs", which sets hypervisor parameters in grub.conf during installation. It is now possible to automate this part of the installation process. Refer to the Red Hat Enterprise Linux 5 Installation Guide for a description of the "--hvargs" option. (BZ#552957 [95])
Users of booty are advised to upgrade to this updated booty package, which resolves this issue and adds this enhancement.

1.16. brltty

1.16.1. RHSA-2010:0181: Low security and bug fix update

Updated brltty packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
brltty (Braille TTY) is a background process (daemon) which provides access to the Linux console (when in text mode) for a blind person using a refreshable braille display. It drives the braille display, and provides complete screen review functionality.
It was discovered that a brltty library had an insecure relative RPATH (runtime library search path) set in the ELF (Executable and Linking Format) header. A local user able to convince another user to run an application using brltty in an attacker-controlled directory could run arbitrary code with the privileges of the victim. (CVE-2008-3279 [96])
[94] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=429906
[95] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=552957
These updated packages also provide fixes for the following bugs:
* The brltty configuration file is documented in the brltty manual page, but there is no separate manual page for the /etc/brltty.conf configuration file: running "man brltty.conf" returned "No manual entry for brltty.conf" rather than opening the brltty manual entry. This update adds brltty.conf.5 as an alias to the brltty manual page. Consequently, running "man brltty.conf" now opens the manual entry documenting the brltty.conf specification. (BZ#530554 [98] [97])
* Previously, the brltty-pm.conf configuration file was installed in the /etc/brltty/ directory. This file, which configures Papenmeier Braille Terminals for use with Red Hat Enterprise Linux, is optional. As well, it did not come with a corresponding manual page. With this update, the file has been moved to /usr/share/doc/brltty-3.7.2/BrailleDrivers/Papenmeier/. This directory also includes a README document that explains the file's purpose and format. (BZ#530554 [100] [99])
* During the brltty packages installation, the message
Creating screen inspection device /dev/vcsa...done.
was presented at the console. This was inadequate, especially during the initial install of the system. These updated packages do not send any message to the console during installation. (BZ#529163 [101])
* Although brltty contains ELF objects, the brltty-debuginfo package was empty. With this update, the -debuginfo package contains valid debugging information as expected. (BZ#500545 [102])
* The MAX_NR_CONSOLES definition was acquired by brltty by #including linux/tty.h in Programs/api_client.c. MAX_NR_CONSOLES has since moved to linux/vt.h but the #include in api_client.c was not updated. Consequently, brltty could not be built from the source RPM against the Red Hat Enterprise Linux 5 kernel. This update corrects the #include in api_client.c to linux/vt.h and brltty now builds from source as expected. (BZ#456247 [103])
All brltty users are advised to upgrade to these updated packages, which resolve these issues.
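The insecure relative RPATH fixed in this update is a class of problem that can be audited for on any ELF object. The following added example (not Red Hat's or brltty's code) reads the dynamic-section listing printed by "readelf -d" and flags RPATH or RUNPATH entries that resolve against the current working directory. The sample listing is constructed and the function names are hypothetical.

```python
import re
import subprocess
import sys

# Matches the RPATH / RUNPATH rows printed by `readelf -d`.
ENTRY_RE = re.compile(
    r"\((RPATH|RUNPATH)\)\s+Library (?:rpath|runpath): \[(.*)\]"
)

REL = "relative path, resolved against the current working directory"
EMPTY = "empty entry, traditionally treated as the current working directory"


def classify(component):
    """Return a reason if one search-path entry is unsafe, otherwise None."""
    if component == "":
        return EMPTY
    if component.startswith(("$ORIGIN", "${ORIGIN}")):
        # Expanded to the directory holding the object itself, so it does
        # not depend on where the victim happens to run the program.
        return None
    if not component.startswith("/"):
        return REL
    return None


def insecure_entries(readelf_output):
    """Return [(tag, component, reason)] for every unsafe search-path entry."""
    findings = []
    for line in readelf_output.splitlines():
        match = ENTRY_RE.search(line)
        if match is None:
            continue
        tag, value = match.groups()
        for component in value.split(":"):
            reason = classify(component)
            if reason:
                findings.append((tag, component, reason))
    return findings


def audit_file(path):
    """Run readelf (binutils) on one file and classify its search paths."""
    result = subprocess.run(
        ["readelf", "-d", path], capture_output=True, text=True, check=True
    )
    return insecure_entries(result.stdout)


# Constructed sample of `readelf -d` output; not taken from brltty.
SAMPLE = "\n".join([
    "Dynamic section at offset 0x1d8 contains 24 entries:",
    "  Tag        Type                         Name/Value",
    " 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]",
    " 0x000000000000000f (RPATH)              "
    "Library rpath: [../lib:/usr/lib/example::$ORIGIN/../lib]",
    " 0x000000000000001d (RUNPATH)            "
    "Library runpath: [/usr/lib/example]",
])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for target in sys.argv[1:]:
            for tag, component, reason in audit_file(target):
                print(f"{target}: {tag} [{component}] {reason}")
    else:
        for tag, component, reason in insecure_entries(SAMPLE):
            print(f"sample: {tag} [{component}] {reason}")
```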

1.17. checkpolicy

1.17.1. RHBA-2010:0184: bug fix update

An updated checkpolicy package that makes a man page correction, fixes help message and man page omissions and allows the unknown access flag to be specified is now available.
checkpolicy is the policy compiler for Security-Enhanced Linux (SELinux). The checkpolicy utility is required for building SELinux policies.
This updated checkpolicy package addresses the following issues:
[96] https://www.redhat.com/security/data/cve/CVE-2008-3279.html
[97] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=530554
[98] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=530554
[99] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=530554
[100] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=530554
[101] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=529163
[102] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=500545
[103] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=456247
* Newer SELinux kernels have access checks that the shipping SELinux policy package does not understand. The kernel currently denies these access checks by default. This updated checkpolicy package can build an selinux-policy package that tells the kernel to "Allow" unknown access. (BZ#531229 [104])
* The checkpolicy man page listed (but did not otherwise document) a "-m" switch. checkpolicy supports a "-M" switch but not a "-m" switch. This update removes the "-m" option from the checkpolicy SYNOPSIS. Note: the "-M" switch was and is documented in the OPTIONS section of the checkpolicy man page. (BZ#533790 [105])
* checkmodule's "-d" switch (which switches the tool to debug mode) was documented in the checkmodule man page but not in the output of checkmodule's help message (i.e. the output of "checkmodule --help" or "checkmodule -h"). Also, the "-h" switch was not documented at all. With this update, the "-d" switch is now included in help message output and the "-h" switch is documented in both the checkmodule man page and the checkmodule help message. (BZ#533796 [106])
All SELinux users should install this updated package which resolves these issues.

1.18. chkconfig

1.18.1. RHBA-2009:1628: bug fix update

Note
This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1628
Updated chkconfig packages that resolve several issues with the alternatives utility and provide various man page corrections are now available.
The basic system utility chkconfig updates and queries runlevel information for system services.
These updated chkconfig packages provide fixes for the following bugs:
* When the "alternatives" utility was run and an error occurred, no contextual information such as the line number of the error was provided. With this update, upon an error, "alternatives" now provides the line number where the error occurred in the relevant file in the /var/lib/alternatives directory, which helps to diagnose alternatives-related errors. (BZ#441443 [108])
* Using the "alternatives" utility and selecting the last available option and then uninstalling the program which provided that alternative did not result in the removal of the symbolic links for that option. Because the previously-set alternative was no longer available and the symbolic link remained, the program was then rendered unusable. With this update, when the aforementioned condition is met, the "alternatives" program now recognizes that the program is no longer available and removes the extraneous symbolic link, with the result that the next-best alternative is properly selected, and running the program works as expected. (BZ#525051 [109])
104
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=531229
105
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=533790
106
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=533796
108
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=441443
109
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=525051
19
Chapter 1. Package Updates
* the chkconfig(8) man page contained a description of the syntax for running chkconfig that differed from the correct description presented when running "chkconfig --help". The man page has been corrected to correspond with the program's help information. (BZ#501225
110
)
* the chkconfig(8) man page contained an incorrect reference to runlevel 7, which does not exist (runlevels extend from 0 to 6, inclusive). This update corrects the man page by removing all references to "runlevel 7". (BZ#466740
111
)
* the ntsysv(8) man page referenced a non-existent man page, servicesconf. This reference has been removed. (BZ#516599
112
)
All users of chkconfig are advised to upgrade to these updated packages, which resolve these issues.

1.19. cman

1.19.1. RHBA-2009:1435: bug fix update

Note
This update has already been released (prior to the GA of this release) as errata RHBA-2009:1435
Updated cman packages that fix a bug and add an enhancement are now available.
The Cluster Manager (cman) utility provides user-level services for managing a Linux cluster.
This update applies the following bug fix:
* in several places internally, cman assumed a transition message meant the node in question (or the sending node) was joining the cluster rather than just sending its current post-transition state. In some circumstances, this could lead to cman killing the wrong nodes. With this update, cman now checks the first_trans flag, which is set when a node first encounters another node in the cluster. Only if first_trans is set does cman now consider the node as joining the cluster. (BZ#518061)
Also, this update includes the following enhancement:
First, if a node was asked to remove a key (fence) for a device that it was not registered with, the node attempted to register with that device on-the-fly. With this update, when nodes are asked to remove a key from devices with which they are not registered, the fencing fails.
Second, for the common case of SAN environments with multiple Logical Unit Numbers (LUNs), the devices (LUNs) that can be unregistered must be ordered consistently on all nodes. Consistent ordering is not guaranteed by the Logical Volume Manager (LVM), however; device names can vary from node to node to prevent interleaving of fence operation among devices. With this update, the fence_scsi agent extracts the device name (pv_name) and Universally Unique Identifier (pv_uuid) and builds a hash keyed on the UUID (which is consistent on all nodes). This ensures devices are ordered consistently on each node.
Consequent to these two changes, the first node to fence removes the other node's key from the device or devices. The second node, now not registered with the device, is not able to fence the first. This allows fence_scsi to work in a 2-node cluster. (BZ#520823)
All cman users should install this updated package, which fixes this bug and enables users to use fence_scsi in a 2-node environment.
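The two fence_scsi changes described above, modelled as an added example (this is not fence_scsi's own code). The device names, UUIDs, node labels and the turn-by-turn interleaving are constructed assumptions; the name-based ordering is included only for contrast.

```python
"""Added illustration, not fence_scsi source code.

Models registration keys on shared LUNs and shows why two nodes that
fence each other must walk the devices in the same order.
"""

# Constructed sample data: the same two LUNs as LVM reports them on each node.
# pv_name differs between nodes; pv_uuid is the same everywhere.
PVS_NODE_A = [("/dev/sdb", "uuid-2222"), ("/dev/sdc", "uuid-1111")]
PVS_NODE_B = [("/dev/sdb", "uuid-1111"), ("/dev/sdc", "uuid-2222")]


def order_by_name(pvs):
    """Ordering that depends on node-local device names (assumed, for contrast)."""
    return [uuid for _name, uuid in sorted(pvs)]


def order_by_uuid(pvs):
    """Build a hash keyed on pv_uuid and walk it in sorted key order."""
    by_uuid = {uuid: name for name, uuid in pvs}
    return sorted(by_uuid)


def remove_key(registrations, uuid, actor, victim):
    """Actor removes victim's key from one device.

    Fails when the actor is not registered with that device: per the first
    change, there is no on-the-fly re-registration.
    """
    if actor not in registrations[uuid]:
        return False
    registrations[uuid].discard(victim)
    return True


def simulate_mutual_fence(order_a, order_b):
    """Both nodes fence each other at once, taking turns one device at a time."""
    registrations = {uuid: {"A", "B"} for uuid in order_a}
    plans = {"A": list(order_a), "B": list(order_b)}
    victim_of = {"A": "B", "B": "A"}
    running = {"A": True, "B": True}
    while any(running[n] and plans[n] for n in ("A", "B")):
        for node in ("A", "B"):
            if not (running[node] and plans[node]):
                continue
            uuid = plans[node].pop(0)
            if not remove_key(registrations, uuid, node, victim_of[node]):
                running[node] = False  # fencing fails; this node stops
    return registrations


def sole_owner(registrations):
    """Return the node holding the only key on every device, else None."""
    owners = {frozenset(keys) for keys in registrations.values()}
    if len(owners) == 1:
        (keys,) = owners
        if len(keys) == 1:
            return next(iter(keys))
    return None


if __name__ == "__main__":
    by_name = simulate_mutual_fence(order_by_name(PVS_NODE_A),
                                    order_by_name(PVS_NODE_B))
    by_uuid = simulate_mutual_fence(order_by_uuid(PVS_NODE_A),
                                    order_by_uuid(PVS_NODE_B))
    print("name order:", by_name, "-> winner:", sole_owner(by_name))
    print("uuid order:", by_uuid, "-> winner:", sole_owner(by_uuid))
```

With differing orders each node wins on a different LUN and neither is fully fenced; with the UUID order the loser fails on the first device and stops.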

1.19.2. RHBA-2009:1516: bug-fix update

Note
This update has already been released (prior to the GA of this release) as errata RHBA-2009:1516
Updated cman packages that fix a bug are now available.
The Cluster Manager (cman) utility provides user-level services for managing a Linux cluster.
This update applies the following bug fix:
Add support for power cycle command to fence_ipmi, which doesn't shut down the BMC controller.
Old behavior is still the default, so nothing changes without a configuration change. Now there is a new method option that can have the value "cycle", which uses the ipmi power cycle command.
Example of usage:
...
<fencedevices>
  <fencedevice agent="fence_ipmilan_new" ipaddr="1.2.3.4" login="root" name="ipmifd1" passwd="password" method="cycle" />
  ...
Users are advised to upgrade to these updated cman packages, which resolve this issue.

1.19.3. RHBA-2009:1598: bug fix update

Note
This update has already been released (prior to the GA of this release) as errata RHBA-2009:1598
Updated cman packages that resolve several issues are now available.
[Updated 4 Jan 2009] This update provides improved descriptions of both bug fixes included in this advisory, and especially the description for bug 529712. The packages included in this revised update have not been changed in any way from those included in the original advisory.
The Cluster Manager (cman) utility provides user-level services for managing a Linux cluster.
These updated cman packages provide fixes for the following bugs:
* when using device-mapper-multipath devices, registrations were only sent to the active path, which meant that, in the event of path failure, the node would be unable to access the device via the secondary path or paths because the device would not be registered with the secondary path(s). With this update, the presence of device-mapper-multipath devices is detected correctly, the right paths are discovered, and each path is registered, including secondary paths. (BZ#529712)
* when running the /etc/init.d/scsi_reserve init script to check for errors, such as an incorrect cluster.conf configuration, among others, upon finding an error the script did not print "[FAILED]" to standard output, as is convention for system services which encounter startup errors. With this update, the scsi_reserve init script has been fixed so that it prints "[FAILED]" to standard output when an error is encountered, and "[OK]" otherwise. Any errors encountered are logged to the system log. (BZ#530400)
All users of cman are advised to upgrade to these updated packages, which resolve these issues.

1.19.4. RHBA-2009:1622: bug-fix update

Note
This update has already been released (prior to the GA of this release) as errata RHBA-2009:1622
Updated cman packages that fix bugs are now available.
The Cluster Manager (cman) utility provides user-level services for managing a Linux cluster.
This update fixes the following bugs:
* qdiskd erroneously writes the message "qdiskd: read (system call) has hung for X seconds". (BZ 537157)
* Crash in fence_ipmilan when -M switch was not present on the command-line. (BZ 537157)
Users are advised to upgrade to these updated cman packages, which resolve these issues.

1.19.5. RHBA-2010:0266: bug fix and enhancement update

Updated cman packages that fix bugs and add enhancements are now available.
The Cluster Manager (cman) utility provides user-level services for managing a Linux cluster.
Changes in this update:
* fence_rsa fails to login with new RSA II firmware. (BZ#549473)
* fence_virsh reports vm status incorrectly. (BZ#544664)
* improve error messages from ccsd if there is a network problem. (BZ#517399)
* new fence agent for VMWare. (BZ#548577)
Note: this is a Tech Preview only.
* fence agent for HP iLO2 MP. (BZ#508722)
* fence agent for RSB ends with traceback. (BZ#545054)
* security feature for SNMP based agent: apc_snmp & ibmblade. (BZ#532922)
* change default timeout values for various fence agents. (BZ#549124)
* "Option -V" (show version) was not working in all fence agents. (BZ#549113)
* automatically configure consensus based on token timeout. (BZ#544482)
* add readconfig & dumpconfig to fence_tool. (BZ#514662)
* make groupd handle partition merges. (BZ#546082)
* groupd: clean up leaving failed node. (BZ#521817)
* scsi_reserve should always echo after failure. (BZ#514260)
* fence_scsi_test: add debug information. (BZ#516763)
* fence_scsi_test should not allow -c & -s options together. (BZ#528832)
* fix fence_ipmilan read from uninitialized memory. (BZ#532138)
* make qdiskd stop crying wolf. (BZ#532773)
* fencing failed when used without telnet or ssh. (BZ#512343)
* APC changed product name (MasterSwitch -> Switched Rack PDU). (BZ#447481)
* fix invalid initialization introduced by retry-on option.
* broken device detection for DRAC3 ERA/O. (BZ#489809)
* fix case sensitivities in action parameter. (BZ#528938)
* fencing_snmp failed on all operations & traceback fix. (BZ#528916)
* accept unknown options from standard input. (BZ#532920)
* fence_apc unable to obtain plug status. (BZ#532916)
* timeout options added. (BZ#507514)
* better default timeout for bladecenter. (BZ#526806)
* the LOGIN_TIMEOUT value was too short for fence_lpar & the SSH login timed out before the connection could be completed. (BZ#546340)
* add missing-as-off option (missing blade/device is always OFF). (BZ#248006)
* make qdiskd "master-wins" node work. (BZ#372901)
* make qdisk self-fence system if write errors take longer than interval*tko. (BZ#511113)
* make service_cman.lcrso executable, so RPM adds it to the debuginfo pkg. (BZ#511346)
* don't check for xm command in cman init script: virsh is more appropriate. (BZ#516111)
* allow re-registering of a quorum device. (BZ#525270)
* fix fence_scsi, multipath & persistent reservations. (BZ#516625)
* cman_tool leave remove reduces quorum when no services are connected. (BZ#515446)
* fence_sanbox2 unable to retrieve status. (BZ#512947)
* gfs_controld: GETLK should free unused resource. (BZ#513285)
* allow IP addresses as node names. (BZ#504158)
* fence_scsi man page contains invalid option. (BZ#515731)
* fence_scsi support for 2 node clusters. (BZ#516085)
* Support for power cycle in fence ipmi. (BZ#482913)
* add option 'list devices' for fencing agents. (BZ#519697)
* add support for switching IPv4/IPv6. (BZ#520458)
* fence agent ends with traceback if option is missing. (BZ#508262)
* command line options to override default ports for different services, such as SSH & Telnet (i.e. -u option) were added. (BZ#506928)
Note: "-u" does not currently work with fence_wti. Other agents honor the port override command line options properly, however. (BZ#506928)
* force stdout close for fencing agents. (BZ#518622)
* support for long options. (BZ#519670)
* fix a situation where cman could kill the wrong nodes. (BZ#513260)
* fix support for >100 gfs & gfs2 file systems. (BZ#561892)
* fix a problem where 'dm suspend' would hang a withdrawn GFS file system. (BZ#570530)
* fix a problem where fence_snmp returned success when the operation failed. (BZ#573834)
* fencing support for the new iDRAC interface included with Dell PowerEdge R710 & R910 blade servers was added. (BZ#496748)
All cman users should install this update which makes these changes.

1.20. cmirror

1.20.1. RHBA-2010:0307: bug fix update

Updated cmirror packages that fix various bugs are now available.
The cmirror package is necessary for LVM-based mirroring (RAID1) in a cluster environment.
This update addresses the following issues:
* the cmirror init script was reporting false errors in some 'stop' instances. (BZ#520915)
* the cluster log daemon was unable to recover if the cluster was shut down and restarted without also restarting the cluster log daemon. (BZ#518665)
* communication structure used between nodes was not in a mixed-architecture or upgrade friendly format. (BZ#488102)
* certain failure scenarios during cluster mirror device creation could lead to future kernel panics. (BZ#544253)
All cmirror users should install these updated packages which fix these bugs.

1.21. cmirror-kmod

1.21.1. RHBA-2010:0309: bug fix update

Updated kmod-cmirror packages that fix two bugs are now available.
The kmod-cmirror package is necessary for LVM-based mirroring (RAID1) in a cluster environment.
This update addresses the following issues:
* error processing logic failed to remove a list item before freeing the associated memory. (BZ#544253)
* added version number to the kernel/daemon communication structure. (BZ#544253)
All kmod-cmirror users should install these updated packages, which fix these bugs.

1.22. conga

1.22.1. RHBA-2009:1623: bug fix update

Note
This update has already been released (prior to the GA of this release) as errata RHBA-2009:1623
Updated conga packages that fix a regression introduced between Red Hat Enterprise Linux 5.3 and Red Hat Enterprise Linux 5.4 are now available.
The Conga project is a management system for remote workstations. It consists of luci, a secure web-based front-end, and ricci, a secure daemon that dispatches incoming messages to the underlying management modules.
This update applies the following bug fix:
* the behavior of the virsh command changed between Red Hat Enterprise Linux 5.3 and Red Hat Enterprise Linux 5.4. In Red Hat Enterprise Linux 5.4, non-root users must add a "--readonly" flag to virsh commands for them to work correctly. The ricci component of conga runs the "virsh nodeinfo" command to determine whether a node can host a Virtual Machine service and it does so as a non-root user. As a consequence, when run under Red Hat Enterprise Linux 5.4, running this command returned no information and the luci front-end did not provide an "Add a virtual machine service" option to Services in the Cluster tab for clusters that were expected to offer such services. With this update, ricci now runs a "virsh nodeinfo --readonly" command, in line with the changed behavior, and the web-based front end will provide options to add virtual machine services as expected. (BZ#537209)
All conga users are advised to upgrade to these updated packages, which resolve this issue.

1.22.2. RHBA-2010:0289: bug fix and enhancement update

Updated Conga packages that fix numerous bugs (including a regression introduced between Red Hat Enterprise Linux 5.3 and Red Hat Enterprise Linux 5.4) and add the ability to reset user passwords when logged in to luci as an administrator are now available.
The Conga project is a management system for remote workstations. It consists of luci, which is a secure web-based front-end, and ricci, which is a secure daemon that dispatches incoming messages to underlying management modules.
This update applies the following bug fixes:
* The behavior of the virsh command changed between Red Hat Enterprise Linux 5.3 and Red Hat Enterprise Linux 5.4. In Red Hat Enterprise Linux 5.4, non-root users must add a "--readonly" flag to virsh commands. The ricci component runs the "virsh nodeinfo" command to determine whether a node can host a Virtual Machine service and it does so as a non-root user. As a consequence, when run under Red Hat Enterprise Linux 5.4, the "virsh nodeinfo" command returned no information and luci did not provide an "Add a virtual machine service" option to Services in the Cluster tab for clusters that were expected to offer such services. With this update, ricci now runs a "virsh nodeinfo --readonly" command in line with the changed behavior, and luci provides options to add Virtual Machine services as expected. (BZ#519252)
* luci failed to start. (BZ#469881)
* Conga doesn't run with SELinux. (BZ#476698)
* Conga does not add the name of the managed system when adding an "LPAR Fencing" fence device to a node. (BZ#508142)
* fs resource will remount itself if any configuration changes are made to cluster.conf. (BZ#514051)
* luci does not validate passwords and incorrect characters can be used. (BZ#519050)
* previously, the shebang lines in luci's python executables pointed to "/usr/bin/env python" rather than explicitly referencing the version of Python installed on the system. This broke those executables in the case where a user was installing an alternative Python version. With this update, all shebang lines point explicitly to the system version at /usr/bin/python. (BZ#521884)
* Conga does not properly handle HA LVM types. (BZ#530129)
This update adds the following enhancement:
* the ability to reset user passwords when logged in to luci as an administrator was added. (BZ#519268)
All Conga users are advised to upgrade to these updated packages, which resolve these issues and add this enhancement.

1.23. coolkey

1.23.1. RHBA-2010:0068: bug fix update

Note
This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0068
Updated coolkey packages that resolve several issues are now available.
The coolkey packages contain driver support for CoolKey and Common Access Card (CAC) smart card products.
These updated coolkey packages provide fixes for the following bugs:
* the Department of Defense's alternative CAC tokens are now supported by CoolKey. (BZ#226790)
* the libcoolkeypk11.so shared object library, when it was not linked with the pthreads library, became unresponsive when the C_Initialize() function was called following a call to syslog(). This update ensures that libcoolkeypk11.so does not hang when it is not linked with the pthreads threading library and the aforementioned scenario occurs. (BZ#245529)
* CoolKey's PKCS#11 module failed to initialize when the C_Initialize() function was called and the CKF_OS_LOCKING flag was set. This issue is related to the fix for BZ#245529. With this update, the PKCS#11 module successfully initializes. (BZ#443127)
* the Red Hat Enterprise Security Client (ESC) incorrectly identified CAC cards as CoolKey cards, and mistakenly opened the Phone Home dialog after doing so. With this update, CoolKey correctly identifies CAC cards and assigns the correct functionality to them.
With this fix, it is still possible to view certificates and diagnostics for CAC cards, though the management functions are now disabled. Finally, note that the RHBA-2010:0066 esc update must be installed in order to fully resolve this issue. (BZ#499976)
* CoolKey is now able to recognize smart cards that use the T1 protocol, such as the SafeNet 330J, in addition to the T0-protocol cards supported previously. (BZ#514298)
* CoolKey now correctly handles cryptographic operations such as digital signing when using cards with 2048-bit keys. Previously, only 1024-bit keys were supported. (BZ#514299)
All users of coolkey are advised to upgrade to these updated packages, which resolve these issues.

1.24. coreutils

1.24.1. RHBA-2009:1511: bug fix update

Note
This update has already been released (prior to the GA of this release) as errata RHBA-2009:1511
An updated coreutils package that fixes a regression in the df command is now available.
The coreutils package contains core GNU utilities. It is a combination of the old GNU fileutils, sh-utils, and textutils packages.
This update fixes the following bug:
* the coreutils update included with Red Hat Enterprise Linux 5.4 introduced a regression in the df command. Running "df -l" with a specific device specified (for example, "df -l /dev/hda1") resulted in a "Permission denied" message for regular users. This update corrects the regression: specifying a device now works for regular users as it did previously. Note: running "df -l" to list all devices was not affected by this bug: it worked as expected previously and continues to do so subsequent to this update. (BZ#528641)
All coreutils users should upgrade to this updated package, which addresses this regression.

1.24.2. RHBA-2010:0120: bug fix update

Note
This update has already been released (prior to the GA of this release) as errata RHBA-2010:0120
An updated coreutils package that fixes a bug in the readlink command is now available.
The coreutils package contains core GNU utilities. It is a combination of the old GNU fileutils, sh-utils, and textutils packages.
This update fixes the following bug:
* when a directory contained a symbolic link to itself, the readlink command, which displays the value of a symbolic link on standard output, incorrectly gave the following error message when attempting to read the value of the symbolic link (or the value of the symbolic links when recursing through the directory and its symlink): "Too many levels of symbolic links". With this update, readlink is once again able to correctly resolve and output the value of the recursive symbolic links to containing directories, or "directory loops", thus resolving the issue. (BZ#567545)
All coreutils users should upgrade to this updated package, which addresses this regression.

1.25. cpio

1.25.1. RHSA-2010:0144: Moderate security update

Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0144
An updated cpio package that fixes two security issues is now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
GNU cpio copies files into or out of a cpio or tar archive.
A heap-based buffer overflow flaw was found in the way cpio expanded archive files. If a user were tricked into expanding a specially-crafted archive, it could cause the cpio executable to crash or execute arbitrary code with the privileges of the user running cpio. (CVE-2010-0624)
Red Hat would like to thank Jakob Lell for responsibly reporting the CVE-2010-0624 issue.
A denial of service flaw was found in the way cpio expanded archive files. If a user expanded a specially-crafted archive, it could cause the cpio executable to crash. (CVE-2007-4476)
Users of cpio are advised to upgrade to this updated package, which contains backported patches to correct these issues.

1.26. cpuspeed

1.26.1. RHBA-2010:0035: bug fix update

Note
This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0035
An updated cpuspeed package that fixes some initscript exit statuses, avoids loading on problematic CPUs, and starts only after syslogd is now available.
The cpuspeed package configures CPU frequency scaling.
This update fixes the following bugs:
* some exit status codes from the initscript were not in line with LSB standards. The codes were updated, and are now compliant. (BZ#495049)
* where Intel Xeon Processor 7100 series processors were used with Hyper-Threading Technology enabled, cpuspeed loading could create system deadlocks. The cpuspeed settings were changed and system deadlocks no longer occur on this hardware. (BZ#449004)
* the cpuspeed initscript uses syslog to log important information about its status. However, cpuspeed was being started before syslog on boot, and log messages generated by the cpuspeed init script were not being captured. The cpuspeed init script now runs after the syslog init script, and all log messages are now being recorded. (BZ#516224)
Users should upgrade to this updated package, which resolves these issues.

1.27. crash

1.27.1. RHBA-2010:0230: bug fix update

Updated crash packages that fix various bugs and add enhancements are now available.
The crash package is a core analysis suite. It is a self-contained tool that can be used to investigate either live systems, kernel core dumps created from the netdump, diskdump, and kdump packages from Red Hat Linux, the mcore kernel patch offered by Mission Critical Linux, or the LKCD kernel patch.
* if a kdump NMI was issued and the task kernel stack was changed, the backtrace would in some cases fail and produce an error: "bt: cannot transition from exception stack to current process stack". The crash package was updated to report task inconsistencies and change the active task as appropriate. Additionally, a new set -a option was added to manually set tasks to be the active task on its CPU. (BZ#504952)
* if the kernel data structures in a non-matching vmlinux varied widely enough from the kernel that generated the vmcore, erroneous data could be read and consumed. Several new defensive mechanisms have been added and it now fails in a more reasonable manner. (BZ#508156)
* running the bt -a command against a Xen hypervisor resulted in a "cannot resolve stack trace" warning message if the CPU received its shutdown NMI while running in an interrupt handler. The bt command was changed and the error no longer occurs. (BZ#510505)
* added support for dumpfile format of virsh dump of KVM kernels. (BZ#510519)
* if a dump was collected when there were one or more cpus offline in the system, an initialization-time failure would occur and the crash would abort. A patch was backported from upstream and the failure no longer occurs. (BZ#520506)
* running the 64-bit bt command could potentially start the backtrace of an active non-crashing task on its per-cpu IRQ stack, cause a faulty transition back to the process stack, the dumping of a bogus exception frame and the message "bt: WARNING: possibly bogus exception frame". The bt command was changed and it now starts from the NMI exception stack, and the error no longer occurs. (BZ#523512)
* when the cpu_possible_map contains more CPUs than the cpu_online_map, the set, bt, runq and ps commands would reflect the existing but unused swapper tasks on the non-existent CPUs. The 64-bit PowerPC CPU count determination was fixed and the commands now run as expected. (BZ#550419)
* when INIT-generated pseudo-tasks were running in user-space and the kernel was unable to modify the kernel stack, the backtrace would not identify the interrupted task and would display a "bt: unwind: failed to locate return link" error message. The Itanium backtraces were fixed, and the backtrace now offers information regarding the task that was interrupted. The error message is also suppressed. (BZ #553353)
* using dump to analyze very large xendump core files with ELF sections located beyond a file offset of 4GB resulted in errors. Changes were made to the xc_core_verify() initialization code and dump now works as expected. (BZ #561767)
* The crash utility was rebased. See the changelog linked to in the references section below for full details. (BZ#528184)
All users of crash are advised to upgrade to these updated packages, which resolve these issues.

1.28. ctdb

1.28.1. RHEA-2010:0320: enhancement update

The ctdb package is now available on the ClusterStorage channel.
CTDB is a clustered database based on Samba's Trivial Database (TDB). The ctdb package is a cluster implementation used to store temporary data. If an application is already using TDB for temporary data storage, it can be very easily converted to be cluster-aware and use CTDB.
This update makes the following change:
* CTDB was previously available in the Supplementary channel and is now available in the ClusterStorage channel. (BZ#558493)
Note that CTDB is included as a Technology Preview. Technology Preview features are included in Red Hat Enterprise Linux to provide the features with wide exposure, with the goal of supporting these features in a future release of Red Hat Enterprise Linux. Technology Preview features are not supported under Red Hat Enterprise Linux 5.5 subscription services, and may not be functionally complete. Red Hat welcomes customer feedback and suggestions for Technology Previews. Advisories will be provided for high-severity security issues in Technology Preview features.
All users requiring CTDB should install these newly released packages, which add this enhancement.

1.29. cups

1.29.1. RHBA-2010:0045: bug fix update

Note
This update has already been released (prior to the GA of this release) as errata RHBA-2010:0045
Updated cups packages that fix a severe memory leak in the CUPS scheduler are now available.
The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX and Unix-like operating systems.
This update addresses the following issue:
* when adding or modifying many printer queues, cupsd, the CUPS scheduler, leaked memory. For example, running "lpstat" after creating several thousand printer queues caused cupsd to use all available memory, eventually killing other processes and bringing the system down. With this update cupsd no longer leaks memory when adding or modifying large numbers of printer queues and the associated out-of-memory errors and crashes no longer occur. (BZ#552213)
All cups users should upgrade to these updated packages, which resolve this issue.

1.29.2. RHSA-2010:0129: Moderate security update

Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0129
Updated cups packages that fix one security issue are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems.
It was discovered that the Red Hat Security Advisory RHSA-2009:1595 did not fully correct the use-after-free flaw in the way CUPS handled references in its file descriptors-handling interface. A remote attacker could send specially-crafted queries to the CUPS server, causing it to crash. (CVE-2010-0302)
Users of cups are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the cupsd daemon will be restarted automatically.

1.29.3. RHSA-2009:1595: Moderate security update

Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1595
Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
[Updated 12th January 2010] The packages list in this erratum has been updated to include missing i386 packages for Red Hat Enterprise Linux Desktop and RHEL Desktop Workstation.
The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems.
A use-after-free flaw was found in the way CUPS handled references in its file descriptors-handling interface. A remote attacker could, in a specially-crafted way, query for the list of current print jobs for a specific printer, leading to a denial of service (cupsd crash). (CVE-2009-3553)
Several cross-site scripting (XSS) flaws were found in the way the CUPS web server interface processed HTML form content. If a remote attacker could trick a local user who is logged into the CUPS web interface into visiting a specially-crafted HTML page, the attacker could retrieve and potentially modify confidential CUPS administration data. (CVE-2009-2820)
Red Hat would like to thank Aaron Sigel of Apple Product Security for responsibly reporting the CVE-2009-2820 issue.
Users of cups are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, the cupsd daemon will be restarted automatically.

1.29.4. RHSA-2009:1513: Moderate security update

Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1513
Updated cups packages that fix two security issues are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems. The CUPS "pdftops" filter converts Portable Document Format (PDF) files to PostScript.
Two integer overflow flaws were found in the CUPS "pdftops" filter. An attacker could create a malicious PDF file that would cause "pdftops" to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-3608, CVE-2009-3609)
Red Hat would like to thank Chris Rohlf for reporting the CVE-2009-3608 issue.
Users of cups are advised to upgrade to these updated packages, which contain a backported patch to correct these issues. After installing the update, the cupsd daemon will be restarted automatically.

1.29.5. RHBA-2010:0210: bug fix update

Updated cups packages that fix several bugs are now available.
The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems.
These updated packages address the following bugs:
* landscape orientation jobs had incorrect page margins. This affects all landscape orientation PDF files, including any landscape job printed from Mac OS X. (BZ#447987)
* when running PHP files through the scheduler's web interface, the wrong version of the PHP interpreter was used, causing missing header lines. (BZ#460898)
* the tmpwatch package is needed by cups but there was no package dependency on it. (BZ#487495)
* there was a memory leak in the scheduler's handling of "file:" device URIs. (BZ#496008)
* setting quota limits using the lpadmin command did not work correctly. (BZ#496082)
* there were several issues with CGI handling in the scheduler, causing custom CGI scripts not to work as expected. (BZ#497632, BZ#506316)
* the dependencies between the various sub-packages were not made explicit in the package requirements. (BZ#502205)
* jobs with multiple files could be removed from a disabled queue when it is re-enabled. (BZ#506257)
* the cups-lpd daemon, for handling RFC 1179 clients, could fail under load due to incorrect temporary file handling. (BZ#523152)
* the CUPS PDF input filter is no longer a separate PDF handling implementation, and instead uses the pdftops program from the poppler-utils package directly. (BZ#527429)
* adding or modifying many queues could cause the scheduler to leak large amounts of memory. (BZ#540646)
All cups users should upgrade to these updated packages, which resolve these issues.

1.30. curl

1.30.1. RHSA-2010:0273: Moderate security, bug fix and enhancement update

Updated curl packages that fix one security issue, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and DICT servers, using any of the supported protocols. cURL is designed to work without user interaction or any kind of interactivity.
Wesley Miaw discovered that when deflate compression was used, libcurl could call the registered write callback function with data exceeding the documented limit. A malicious server could use this flaw to crash an application using libcurl or, potentially, execute arbitrary code. Note: This issue only affected applications using libcurl that rely on the documented data size limit, and that copy the data to an insufficiently sized buffer. (CVE-2010-0734)
This update also fixes the following bugs:
* when using curl to upload a file, if the connection was broken or reset by the server during the transfer, curl immediately started using 100% CPU and failed to acknowledge that the transfer had failed. With this update, curl displays an appropriate error message and exits when an upload fails mid-transfer due to a broken or reset connection. (BZ#479967)
* libcurl experienced a segmentation fault when attempting to reuse a connection after performing GSS-negotiate authentication, which in turn caused the curl program to crash. This update fixes this bug so that reused connections are able to be successfully established even after GSS-negotiate authentication has been performed. (BZ#517199)
As well, this update adds the following enhancements:
* curl now supports loading Certificate Revocation Lists (CRLs) from a Privacy Enhanced Mail (PEM) file. When curl attempts to access sites that have had their certificate revoked in a CRL, curl refuses access to those sites. (BZ#532069)
* the curl(1) manual page has been updated to clarify that the "--socks4" and "--socks5" options do not work with the IPv6, FTPS, or LDAP protocols. (BZ#473128)
* the curl utility's program help, which is accessed by running "curl -h", has been updated with descriptions for the "--ftp-account" and "--ftp-alternative-to-user" options. (BZ#517084)
Users of curl should upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. All running applications using libcurl must be restarted for the update to take effect.
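The CVE-2010-0734 note above applies to callbacks that copy into a buffer sized to the documented limit. The following added example (not code from curl or from Red Hat) shows a write callback with libcurl's callback signature that checks every chunk against the space it actually has instead of trusting that limit. The 16 KiB constant mirrors libcurl's CURL_MAX_WRITE_SIZE; struct sink, bounded_write_cb, deliver and the simulated chunks are hypothetical names and constructed inputs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Documented per-call maximum for a libcurl write callback
 * (CURL_MAX_WRITE_SIZE in curl/curl.h, 16 KiB). Redefined here so the
 * example builds without libcurl installed. */
#define DOCUMENTED_MAX_WRITE 16384

/* Hypothetical application state: a buffer sized to the documented limit. */
struct sink {
    char   buf[DOCUMENTED_MAX_WRITE];
    size_t len;       /* bytes currently stored in buf */
    int    rejected;  /* set when a chunk did not fit */
};

/* Same signature libcurl expects for CURLOPT_WRITEFUNCTION.
 * Returning a value different from size*nmemb makes libcurl abort the
 * transfer with a write error, which is the safe outcome here. */
size_t bounded_write_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct sink *s = userdata;
    size_t n;

    /* Reject a size*nmemb product that would wrap around. */
    if (size != 0 && nmemb > (size_t)-1 / size) {
        s->rejected = 1;
        return 0;
    }
    n = size * nmemb;

    /* Check against the remaining space, not against the documented limit. */
    if (n > sizeof(s->buf) - s->len) {
        s->rejected = 1;
        return 0;
    }
    memcpy(s->buf + s->len, ptr, n);
    s->len += n;
    return n;
}

/* Simulates the library handing the callback one chunk of chunk_len bytes
 * (constructed data). Returns 1 if the callback accepted the whole chunk. */
int deliver(struct sink *s, size_t chunk_len)
{
    static char wire[DOCUMENTED_MAX_WRITE * 2];

    if (chunk_len > sizeof(wire))
        chunk_len = sizeof(wire);
    memset(wire, 'A', chunk_len);
    return bounded_write_cb(wire, 1, chunk_len, s) == chunk_len;
}

int main(void)
{
    static struct sink s;   /* zero-initialised */

    /* A chunk within the documented limit is stored. */
    printf("16 KiB chunk accepted: %d\n", deliver(&s, DOCUMENTED_MAX_WRITE));

    /* An oversized chunk, as in the deflate case described above, is refused
     * and the buffer is left untouched. */
    s.len = 0;
    printf("32 KiB chunk accepted: %d (rejected=%d, len=%lu)\n",
           deliver(&s, DOCUMENTED_MAX_WRITE * 2), s.rejected,
           (unsigned long)s.len);
    return 0;
}
```
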

1.31. cyrus-imapd

1.31.1. RHSA-2009:1459: Important security update

Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1459
Updated cyrus-imapd packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having important security impact by the Red Hat Security Response Team.
The cyrus-imapd packages contain a high-performance mail server with IMAP, POP3, NNTP, and Sieve support.
Multiple buffer overflow flaws were found in the Cyrus IMAP Sieve implementation. An authenticated user able to create Sieve mail filtering rules could use these flaws to execute arbitrary code with the privileges of the Cyrus IMAP server user. (CVE-2009-2632, CVE-2009-3235)
Users of cyrus-imapd are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the update, cyrus-imapd will be restarted automatically.

1.32. cyrus-sasl

1.32.1. RHBA-2010:0151: bug fix update

Note
This update has already been released (prior to the GA of this release) as errata RHBA-2010:0151
Updated cyrus-sasl packages that resolve an issue are now available.
The cyrus-sasl packages contain the Cyrus implementation of SASL. SASL is the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols.
These updated cyrus-sasl packages fix the following bug:
* multithreaded programs which used the Cyrus SASL libraries could have become unresponsive after attempting to perform authentication routines. This was caused by a failure to release a mutex lock on a data structure in the Cyrus SASL code, which resulted in a race condition, thus causing the program using the library to hang. This race condition has been fixed so that it is thread-safe in this update. (BZ#568084)
All users of cyrus-sasl are advised to upgrade to these updated packages, which resolve this issue.

1.33. dbus

1.33.1. RHSA-2010:0018: Moderate security update

Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0018
Updated dbus packages that fix a security issue are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
D-Bus is a system for sending messages between applications. It is used for the system-wide message bus service and as a per-user-login-session messaging facility.
It was discovered that the Red Hat Security Advisory RHSA-2009:0008 did not correctly fix the denial of service flaw in the system for sending messages between applications. A local user could use this flaw to send a message with a malformed signature to the bus, causing the bus (and, consequently, any process using libdbus to receive messages) to abort. (CVE-2009-1189)
Note: Users running any application providing services over the system message bus are advised to test this update carefully before deploying it in production environments.
All users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all running instances of dbus-daemon and all running applications using the libdbus library must be restarted, or the system rebooted.

1.33.2. RHBA-2010:0236: bug fix update

Updated dbus packages that fix a multilib conflict that could cause installation failure on 64-bit architectures are now available.
D-Bus is a system for sending messages between applications. It is used for the system-wide message bus service, and as a per-user-login-session messaging facility.
* the dbus api help files (installed to /usr/share/devhelp/books/dbus/api/ by default) included with the dbus-devel sub-package were previously automatically generated for each architecture. These auto-generated files contain different timestamps and internal links and, consequently, caused file conflicts with multilib that could prevent dbus-devel installation on 64-bit architectures. With this update, a pre-generated set of help files, dbus-1.1.2-pregen-doc-api-html.tar.bz2, has been added to the rpm. This removes the multilib file conflicts and allows installation of the dbus-devel sub-package in all circumstances. (BZ#471359)
All D-Bus users should install these updated packages, which resolve this issue.

1.34. dbus-python

1.34.1. RHBA-2009:1559: bug fix available

Note
This update has already been released (prior to the GA of this release) as errata RHBA-2009:1559
Updated dbus-python packages that fix an issue with the puplet package updater are now available for Red Hat Enterprise Linux 5.
The dbus-python package provides a Python binding to the D-Bus system message bus.
This updated dbus-python package fixes the following bug:
* the puplet icon in the GNOME Notification Area displays notifications when updated packages are available. However, due to an error in the dbus-python bindings, when updates were available, puplet failed to display a notification. This update corrects the dbus-python bindings with the result that puplet is once again able to notify the user of available updates. (BZ#532142)
All users are advised to upgrade to this updated package, which resolves this issue.

1.35. device-mapper

1.35.1. RHBA-2010:0296: bug fix and enhancement update

Updated device-mapper packages that include various bug fixes and enhancements are now available.
The device-mapper packages provide a library required by logical volume management utilities such as LVM2 and dmraid.
This update applies the following bug fixes (BZ#536814):
* Fixes crash when hash keys compared are different lengths.
* Restores umask when device node creation fails.
* Does not fork daemon when dmeventd cannot be found.
This update adds the following enhancements:
* Adds splitname command which splits given device name into subsystem constituents.
* Adds -y|--yes option to dmsetup for default 'yes' answer to prompts.
* Adds subsystem, vg_name, lv_name, lv_layer fields to dmsetup reports.
* Adds crypt target handling to libdevmapper tree nodes.
All users of device-mapper should upgrade to these updated packages, which resolve these issues and include these enhancements.

1.36. device-mapper-multipath

1.36.1. RHBA-2009:1645: bug fix update

Note
This update has already been released (prior to the GA of this release) as errata RHBA-2009:1645
Updated device-mapper-multipath packages that fix two bugs are now available.
The device-mapper-multipath packages provide tools to manage multipath devices by giving the device-mapper multipath kernel module instructions on what to do, as well as by managing the creation and removal of partitions for device-mapper devices.
This update addresses the following bugs:
* the udev rules for device-mapper-multipath were causing device-mapper to occasionally create multipath devices without using the user specified uid, gid, or mode. They have been replaced with equivalent rules that do not cause this issue. (BZ#537761)
* when LUNs were unmapped from LSI storage arrays, the multipath rdac path checker was not marking the paths as failed. This caused IO to the device to hang instead of fail. The rdac path checker now marks unmapped LUNs as failed. (BZ#538463)
Users are advised to upgrade to these updated device-mapper-multipath packages, which resolve these issues.

1.36.2. RHBA-2010:0255: bug fix and enhancement update

Updated device-mapper-multipath packages that fix several bugs and add various enhancements are now available.
The device-mapper-multipath packages provide tools to manage multipath devices using the device-mapper multipath kernel module.
This update applies the following bug fixes:
* The kpartx utility creates device maps from partition tables. Device-mapper devices with minor numbers greater than 255 caused kpartx to use the UUID from the wrong device when trying to create partitions. If the device had pre-existing partitions, kpartx would fail to create the new partitions. With this update, kpartx is now able to handle device-mapper devices with minor numbers greater than 255. (BZ#526550)
* The udev rules for device-mapper-multipath were causing device-mapper to occasionally create multipath devices without using the user specified uid, gid, or mode. They have been replaced with equivalent rules that do not cause this issue. (BZ#518575)
* When LUNs were unmapped from LSI storage arrays, the multipath rdac path checker was not marking the paths as failed. This caused IO to the device to hang instead of fail. The rdac path checker now marks unmapped LUNs as failed. (BZ#531744)
* The failover path grouping policy was not ordering the paths by priority, causing multipath to failover to the wrong path for devices with manual failback. The multipath paths are now correctly ordered with the failover path grouping policy. (BZ#537977)
* On some storage devices, if a LUN is deleted from an existing multipathd device, and a new LUN is presented to the host, it may end up with the same LUN ID and name as the old LUN. In this case, multipath will assume that this is the old LUN and belongs to the existing multipath device. This could cause corruption. A new path checker "hp_tur" has been added that verifies the WWID of the LUN when it checks the path, to avoid this problem. (BZ#437585)
* The "tur" path checker was marking paths in standby mode as "failed". It now correctly marks them as "ghost". (BZ#473039)
* Multipath wasn't correctly showing device renames in dry-run mode. This has been fixed. (BZ#501019)
* Multipath was incorrectly setting the hardware handler for HP StorageWorks devices. This has been fixed. (BZ#475967)
* On some storage devices, multipath would display incorrect path information the first time multipath listed the paths after recovery. This has been fixed. (BZ#499080)
* If a path is removed while it is still part of a multipath device, it was taking multipath minutes to mark it as failed. This should now happen immediately at the end of the next path checking interval. (BZ#527754)
* the multipathd daemon needs constant access to /var/lib and /var/run. However it was not allowing any devices mounted under /var to be removed. Now it only keeps open what it needs. (BZ#532424)
* the multipath checker functions were not using the default scsi timeouts. Instead, each checker set its own timeout. Now all checker functions with explicit timeouts use the scsi timeout set in /sys/block/sd<x>/device/timeout by default. This can be changed by setting the "checker_timeout" option in /etc/multipath.conf. (BZ#553042)
* Multipathd was printing extraneous error messages. This has been fixed. (BZ#472171, BZ#502128)
* The multipath man page had some mistakes and missing information. This has been fixed. (BZ#481239, BZ#524178, BZ#510331, BZ#554830)
* A locking error could cause multipathd to deadlock if it failed to create a multipath device correctly. This has been fixed. (BZ #537281)
This update adds the following enhancements:
* Default configurations were added for more IBM, HP, SUN, and DELL devices. (BZ#504619, BZ#512243, BZ#515171, BZ#517896, BZ#540882, BZ#545882)
* The kpartx utility now supports DASD devices with more than 65520 cylinders. (BZ#524009)
All users are advised to upgrade to these updated packages, which resolve these issues and add these enhancements.

1.37. dhcp

1.37.1. RHBA-2010:0042: bug fix update

Note
This update has already been released (prior to the GA of this release) as errata RHBA-2010:0042
A dhcp update that fixes one memory leak is now available.
The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp package provides a relay agent and ISC DHCP service required to enable and administer DHCP on a network.
This update applies the following updates:
* a memory leak in the load_balance_mine() function caused dhcpd, the dhcp server, to leak approximately 20-30 octets per DHCPDISCOVER packet when the server was configured for failover and failover was in a normal state. This particular leak has been closed with this update. (BZ#552211)
Note: depending on the specific DHCP setup on a given system, other memory leaks may still be present. Please file a separate bug if DHCP appears to leak memory after applying this update.
All dhcp users should apply this update, which closes this memory leak.

1.37.2. RHBA-2010:0223: bug fix update

A dhcp update that fixes bugs is now available.
DHCP (Dynamic Host Configuration Protocol) is a protocol which allows individual devices on an IP network to get their own network configuration information (IP address, subnetmask, broadcast address, etc.) from a DHCP server.
These updated packages address the following issues:
* When a system running a dhclient received a very short lease (e.g. a few seconds), it would constantly have to request a renewal of its lease. The system would spend so much time running the dhclient-script every time it made a request that it would become almost unresponsive. A patch has been added to the code, setting the minimum lease time to 60 seconds. By preventing very short lease times, the server no longer becomes unresponsive from an overload of renewal requests. (BZ#498658)
* When the $localClockFudge variable was empty, the /sbin/dhclient-script added an empty line to the /etc/ntp.conf file when renewing the DHCP lease. This caused the diff command to fail when there was no meaningful difference between the old and new files, thus restarting the NTP daemon unnecessarily. This put useless noise in the log files that get picked up by logwatch. This update provides a slight code change that configures the NTP daemon differently. The /etc/ntp.conf file now only runs if there is a useful value in the $localClockFudge variable. (BZ#532136)
* A memory leak in the load_balance_mine() function caused 20-30 octets per DHCPDISCOVER packet to be leaked when failover was in use and was in its normal state. This caused the performance of the server to be significantly diminished. This update fixes the memory leak in the load_balance_mine() function, allowing the server to perform correctly. (BZ#534117)
Note: depending on the specific DHCP setup on a given system, other memory leaks may still be present. Please file a separate bug if DHCP appears to leak memory after applying this update.
* A syntax error was discovered in the code of the initscript for the dhcrelay. In the process of restarting, the service would shutdown, but the initscript would fail when attempting to start the service again. A patch has been added, correcting the syntax error in the code. This correction now allows the service to restart correctly. (BZ#555672)
Users are advised to upgrade to these updated dhcp packages which resolve these issues.

1.38. dhcpv6

1.38.1. RHBA-2010:0196: bug fix update

Updated dhcpv6 packages that resolve several issues are now available.
The dhcpv6 packages implement the Dynamic Host Configuration Protocol (DHCP) for Internet Protocol version 6 (IPv6) networks, in accordance with RFC 3315: Dynamic Host Configuration Protocol for IPv6 (DHCPv6). DHCP is a protocol that allows individual devices on an IP network to get their own network configuration information. It consists of: dhcp6c(8), the DHCPv6 client daemon; dhcp6s(8), the DHCPv6 server daemon; and dhcp6r(8), the DHCPv6 relay agent.
These updated packages fix the following bugs:
* previously, the DHCPv6 client was not removing the address assigned to an individual interface after it disconnected. Consequently, the interface kept the same IPv6 address after reconnection. In these updated packages a new IPv6 address is assigned to an interface after disconnecting and reconnecting. (BZ#466251)
* DHCPv6 request packets created by the DHCPv6 client did not contain the "IA" sub-field, which should contain the address advertised by the server. Consequently the DHCPv6 client might have encountered issues trying to interact with other DHCPv6 servers. With this update, the DHCPv6 client now correctly inserts the "IA" field, resolving this issue. (BZ#476974)
* previously, when the DHCPv6 client received the response after sending a "Confirm" message, the client decided if it needed to apply Duplicate Address Detection (DAD) based on the type of the identity-association (IA) construct in the response. However, the reply from the DHCPv6 server does not always contain an IA in the reply message. Consequently, when running the DHCPv6 client for a second time, the client may have triggered a segmentation fault. In these updated packages, the DHCPv6 client now checks if the reply has an IA before deciding if DAD needs to be applied, resolving this issue. (BZ#515644)
All users of dhcpv6 are advised to upgrade to these updated packages, which resolve this issue.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=555672
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=466251
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=476974
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=515644

1.39. dmidecode

1.39.1. RHEA-2009:1456: enhancement update

Note
This update has already been released (prior to the GA of this release) as errata RHEA-2009:1456
An updated dmidecode package that adds enhancements is now available.
The dmidecode package provides utilities for extracting x86 and ia64 hardware information from the system BIOS or EFI, depending on the SMBIOS/DMI standard. This information typically includes system manufacturer, model name, serial number, BIOS version, and asset tag.
It also often includes usage status for the CPU sockets, expansion slots (such as AGP, PCI, and ISA) and memory module slots, and a list of input and output ports (such as serial, parallel and USB).
This updated package applies the following enhancement:
* the previous version of the dmidecode package was based on an upstream version (2.9), which lacked support for various new hardware items. This updated package includes version 2.10, which updates support for SMBIOS specification version 2.6 and improves DDR3 memory reporting. It adds support for LGA1366 socket devices, decoding PCI-E Gen 2 slot IDs, and for a variety of processors, including the Intel Core i7 and Dual-Core Celeron and Xeon Dual-, Quad- and Multi-Core 3xxx, 5xxx and 7xxx series processors. (BZ#520123)
Users of dmidecode are advised to upgrade to this updated package, which includes this enhanced support.

1.39.2. RHEA-2010:0303: enhancement update

An updated dmidecode package that provides enhancements is now available.
The dmidecode package provides utilities for extracting x86 and Intel Itanium hardware information from the system BIOS or EFI, depending on the SMBIOS/DMI standard. This information typically includes system manufacturer, model name, serial number, BIOS version, and asset tag.
It also often includes usage status for the CPU sockets, expansion slots (such as AGP, PCI, and ISA) and memory module slots, and a list of input and output ports (such as serial, parallel and USB).
This updated package applies the following enhancement:
* the previous version of the dmidecode package was based on an upstream version (2.9), which lacked support for various new hardware items. This updated package provides version 2.10, which updates support for SMBIOS specification version 2.6 and improves DDR3 memory reporting. It adds support for LGA1366 socket devices, decoding PCI-E Gen 2 slot IDs, and for a variety of processors, including the Intel Core i7 and Dual-Core Celeron and Xeon Dual-, Quad- and Multi-Core 3xxx, 5xxx and 7xxx series processors. (BZ#518562)
Users of dmidecode are advised to upgrade to this updated package, which includes this enhanced support.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=520123
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=518562

1.40. dmraid

1.40.1. RHBA-2010:0286: bug fix update

Updated dmraid packages that fix several bugs are now available.
The dmraid packages contain the ATARAID/DDF1 activation tool. The tool supports RAID device discovery and RAID set activation, and displays properties for ATARAID/DDF1-formatted RAID sets on Linux kernels using the device-mapper utility.
These updated dmraid packages fix the following bugs:
* the dmraid-events package was installing the dmevent_syslogpattern.txt file to the /etc/logwatch/scripts/services directory. The dmevent_syslogpattern.txt file is used by the logwatch service to record event logs. SELinux does not allow write access to the /etc/logwatch/scripts/services directory, and as a result the logwatch service was prevented from updating the log file. The dmraid-events package has now been updated to install the log file at /var/cache/logwatch/dmeventd/syslogpattern.txt, and the log file is updated as expected. (BZ#513402)
* after a hard disk drive rebuild has been completed using dmraid, the LED lights on each disk belonging to the rebuilt RAID volume should turn off. Previously, if the rebuild was initiated manually using the 'dmraid -R' command, the light on the spare disk would remain illuminated, incorrectly indicating that the disk was still being built. When rebuilding automatically with the libdmraid-events library, the light would not remain lit as expected. The dmraid packages have been updated to turn off the light correctly after a manual disk rebuild, and the drive light now correctly indicates the drive state. (BZ#514497)
* dmraid binaries in the /sbin directory previously relied on libraries in the /usr directory. Since the /sbin directory typically only contains programs executed by the root user, reliance on libraries in the /usr directory could result in reference conflicts. The dmraid packages have been updated to no longer rely on the /usr directory, and library references are now improved. (BZ#516852)
* the dmraid-events-logwatch tool would take ownership of directories that were already owned by the logwatch package. This included the following directories:
  * /etc/logwatch/conf
  * /etc/logwatch/conf/services
  * /etc/logwatch/scripts
  * /etc/logwatch/scripts/services
As a consequence, the dmraid-events-logwatch tool and the logwatch package would conflict. The dmraid-events-logwatch package has been updated to own only the /etc/logwatch/scripts/services/dmeventd directory, and the conflict no longer arises with the logwatch package. (BZ#545876)
* modifications to Intel support in the libdmraid tool caused the SONAME field to change. This caused compatibility issues in python-pyblock symbolic links. The version number in the libdmraid tool's file name has been updated, which caused the dependencies to be automatically re-generated during the build process. The symbolic link is now repaired and there are no compatibility issues between libdmraid and python-pyblock. (BZ#556254)
* the pthread_mutex_trylock symbol was not being exported against the libpthread tool. As a consequence, the libdmraid-events-isw.so object would not be loaded during activation of a RAID5 volume library, reporting that pthread_mutex_trylock was an undefined symbol. Linking has now been added to the libpthread tool, and pthread_mutex_trylock is successfully referenced in the libdmraid-events-isw.so object. (BZ#567922)
All dmraid users should upgrade to these updated packages, which resolve these issues.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=513402
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=514497
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=516852
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=545876

1.41. dogtail

1.41.1. RHBA-2010:0009: bug fix update

Note
This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0009
An updated dogtail package that fixes two bugs is now available.
Dogtail is an automation framework that uses accessibility technologies to communicate with desktop applications. Dogtail exposes desktop elements in a hierarchical interface. The dogtail package includes the GUI tools Script Recorder (dogtail-recorder) and AT-SPI Browser (sniff). Script Recorder creates Python scripts based on user actions and AT-SPI Browser is a graphical browser of the desktop elements hierarchy exposed by Dogtail.
This updated dogtail package fixes the following bugs:
* the destroyAbout function was undefined in the previous Dogtail release. Consequently, the Close button in the AT-SPI Browser About window (Help > About) did not work. This function is now properly defined; the showAbout function calls this function when the Close button is clicked; and the About window closes. Note: the close box in the title bar of the About window worked in both the earlier and current release. (BZ#250219)
* previously, the shebang lines in Dogtail's python scripts pointed to "/usr/bin/env python" rather than explicitly referencing the system-installed Python. This broke these scripts in the case of a user installing an alternative version of Python. With this update, all Dogtail's python scripts point explicitly to the system version at /usr/bin/python. (BZ#521339)
All dogtail users should upgrade to this updated package, which resolves these issues.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=556254
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=567922
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=250219
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=521339

1.42. dosfstools

1.42.1. RHBA-2010:0007: bug fix update

Note
This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0007
An updated dosfstools package that fixes two bugs is now available.
The dosfstools package includes the mkdosfs and dosfsck utilities, which respectively make and check File Allocation Table (FAT) file systems on hard drives or on floppies.
This updated package provides fixes for the following bugs:
* when a FAT file system was created on a device-mapper device, if the drive geometry was not reported correctly to mkdosfs, the command printed that it was "unable to get drive geometry" and was using the default drive geometry (255/63) instead. Because of an error, it did not, in fact, do this. Consequently, dosfslabel could not set a label for the newly-created file system. With this update, the error in the mkdosfs command was corrected: when the drive geometry is not correctly reported, mkdosfs now sets the drive geometry to the default values as per its message to standard output. Consequently, FAT file systems created with mkdosfs are now correct and dosfslabel can set its label. (BZ#249067)
* although dosfstools contains ELF objects, the dosfstools-debuginfo package was empty. With this update the -debuginfo package contains valid debugging information as expected. (BZ#469842)
All dosfstools users should upgrade to this updated package, which resolves these issues.

1.43. dstat

1.43.1. RHSA-2009:1619: Moderate security update

Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1619
An updated dstat package that fixes one security issue is now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=249067
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=469842
Dstat is a versatile replacement for the vmstat, iostat, and netstat tools. Dstat can be used for performance tuning tests, benchmarks, and troubleshooting.
Robert Buchholz of the Gentoo Security Team reported a flaw in the Python module search path used in dstat. If a local attacker could trick a local user into running dstat from a directory containing a Python script that is named like an importable module, they could execute arbitrary code with the privileges of the user running dstat. (CVE-2009-3894)
All dstat users should upgrade to this updated package, which contains a backported patch to correct this issue.
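The flaw class described above comes down to a module search path that includes the directory the program was started from. The following added example (not dstat's code and not the backported patch) audits a search path for such entries and shows which directory would supply a module before and after hardening; the module name `dstat_helper`, the directory names and the simplified `.py`-only lookup are assumptions made for illustration.

```python
import os
import shutil
import stat
import tempfile


def classify_entry(entry, cwd):
    """Return why a search-path entry is unsafe, or None if it looks safe."""
    if entry in ("", "."):
        return "current directory"
    if not os.path.isabs(entry):
        return "relative path"
    real = os.path.realpath(entry)
    if real == os.path.realpath(cwd):
        return "resolves to current directory"
    try:
        mode = os.stat(real).st_mode
    except OSError:
        return None  # a missing directory cannot supply a module
    if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
        return "world-writable directory"
    return None


def audit_search_path(search_path, cwd):
    """List (entry, reason) for every unsafe entry, in search order."""
    findings = []
    for entry in search_path:
        reason = classify_entry(entry, cwd)
        if reason is not None:
            findings.append((entry, reason))
    return findings


def harden_search_path(search_path, cwd):
    """Keep only the entries that classify_entry() accepts."""
    return [e for e in search_path if classify_entry(e, cwd) is None]


def first_hit(module, search_path, cwd):
    """Directory that would supply module.py; the first match wins.

    Simplified model of import resolution: plain .py files only.
    """
    for entry in search_path:
        base = entry if os.path.isabs(entry) else os.path.join(cwd, entry)
        if os.path.isfile(os.path.join(base, module + ".py")):
            return os.path.realpath(base)
    return None


def demo():
    """Constructed layout: a trusted directory and a working directory that
    both contain dstat_helper.py (hypothetical module name)."""
    root = tempfile.mkdtemp()
    try:
        trusted = os.path.join(root, "trusted")
        workdir = os.path.join(root, "workdir")
        for directory in (trusted, workdir):
            os.mkdir(directory)
            os.chmod(directory, 0o755)
            with open(os.path.join(directory, "dstat_helper.py"), "w") as fh:
                fh.write("# constructed sample module\n")
        before = ["", trusted]  # the current directory is searched first
        after = harden_search_path(before, workdir)
        return {
            "findings": audit_search_path(before, workdir),
            "before": first_hit("dstat_helper", before, workdir),
            "after": first_hit("dstat_helper", after, workdir),
            "trusted": os.path.realpath(trusted),
            "workdir": os.path.realpath(workdir),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

With the unhardened path the module resolves from the working directory; after filtering, it resolves from the trusted directory only.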

1.44. e4fsprogs

1.44.1. RHBA-2010:0239: bug fix and enhancement update

Enhanced e4fsprogs packages that fix a bug are now available.
The e4fsprogs packages contain a number of utilities for creating, checking, modifying, and correcting inconsistencies in fourth extended (ext4 and ext4dev) file systems. e4fsprogs contains e4fsck (used to repair file system inconsistencies after an unclean shutdown), mke4fs (used to initialize a partition to contain an empty ext4 file system), tune4fs (used to modify file system parameters), and most other core ext4fs file system utilities.
The e4fsprogs packages have been upgraded to upstream version 1.41.9 for Red Hat Enterprise Linux 5.5. These updated packages contain several bug fixes over the previous version.
Important: These packages are now designed and intended to be installed alongside the original e2fsprogs package in Red Hat Enterprise Linux. As such, certain binaries in the e4fsprogs packages have been given new names. For example, the utility that checks ext4 file systems for consistency has been renamed to "e4fsck", thus allowing the original "e2fsck" program from the e2fsprogs package to coexist on the same system.
These updated e4fsprogs packages also include a fix for the following bug:
* pygrub did not understand fourth extended (ext4) /boot partitions, and so was unable to paravirtualize guest domains. e4fsprogs-devel and e4fsprogs-libs packages are provided with this update for pygrub and other applications that require the new ext4 capable e2fsprogs libraries. (BZ#528055)
All users of e4fsprogs are advised to upgrade to these updated packages, which resolve this issue.

1.45. elilo

1.45.1. RHEA-2010:0302: enhancement update

An updated elilo package that adds validation checks and error messages to the boot manager is now available.
https://www.redhat.com/security/data/cve/CVE-2009-3894.html
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=528055
ELILO is a Linux boot loader for Extensible Firmware Interface (EFI)-based systems, such as those running an Itanium CPU.
This update adds the following enhancement:
* previously ELILO's boot manager, efibootmgr, returned only two error codes: "0" for success and "1" for failure. There are multiple reasons for the boot manager to fail, however, and diagnosing such failures was difficult with only one all-purpose error code. This update adds validation checks and error messages to identify boot manager failures depending upon the error condition encountered. Error messages now returned when efibootmgr fails include "partition is not valid"; "Failed to open extra arguments"; "Invalid hex characters in boot order" and others. (BZ#250327)
All elilo users should upgrade to this updated package, which adds this feature.

1.46. elinks

1.46.1. RHSA-2009:1471: Important security update

Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1471
An updated elinks package that fixes two security issues is now available for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having important security impact by the Red Hat Security Response Team.
ELinks is a text-based Web browser. ELinks does not display any images, but it does support frames, tables, and most other HTML tags.
An off-by-one buffer overflow flaw was discovered in the way ELinks handled its internal cache of string representations for HTML special entities. A remote attacker could use this flaw to create a specially-crafted HTML file that would cause ELinks to crash or, possibly, execute arbitrary code when rendered. (CVE-2008-7224)
It was discovered that ELinks tried to load translation files using relative paths. A local attacker able to trick a victim into running ELinks in a folder containing specially-crafted translation files could use this flaw to confuse the victim via incorrect translations, or cause ELinks to crash and possibly execute arbitrary code via embedded formatting sequences in translated messages. (CVE-2007-2027)
All ELinks users are advised to upgrade to this updated package, which contains backported patches to resolve these issues.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=250327
https://www.redhat.com/security/data/cve/CVE-2008-7224.html
https://www.redhat.com/security/data/cve/CVE-2007-2027.html

1.47. esc

1.47.1. RHBA-2010:0066: bug fix update

Note
This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0066
An updated esc package that fixes various bugs is now available.
The esc package contains the Smart Card Manager tool, which allows users to manage security smart cards. The primary function of the tool is to enroll smart cards, so that they can be used for common cryptographic operations, such as secure email and website access.
This updated esc package includes fixes for the following bugs:
* The Enterprise Security Client incorrectly identified CAC cards as CoolKey cards and mistakenly opened the Phone Home connection dialog. With this update, CoolKey correctly identifies CAC cards and assigns the correct functionality to them. With this fix, it is still possible to view certificates and diagnostics for CAC cards, though the management functions are now disabled. RHBA-2010:9263, a CoolKey update, must also be installed to fully resolve this issue. (BZ#467011)
* The Enterprise Security Client did not open the Phone Home connection dialog when a blank token was inserted. (BZ#514053)
* Removing a smart card when the Enterprise Security Client was open could cause the Enterprise Security Client to terminate abnormally. With this update, removing smart cards should no longer cause the Enterprise Security Client to crash. (BZ#517414)
* When creating a password for the Enterprise Security Client, using certain characters, such as the dollar sign and exclamation point, could cause a failure to enroll when entering the password later. This update fixes this problem so that using such symbols when creating passwords does not fail when attempting to enroll. (BZ#549540)
* When the Enterprise Security Client was using an external user interface for enrollment and the UI page could not be downloaded because of a disconnected network or similar problem, the user could not enroll and was not made aware of the source of the problem. With this update, when such a situation occurs, a descriptive error message is sent to the user. (BZ#549542)
* Inserting a CAC card into the computer causes the Enterprise Security Client to display an enabled "Enroll" button to the user erroneously because all management functions should be disabled for CAC cards. With this update, when a CAC card is entered, all management functions are disabled, including the "Enroll" function. (BZ#553661)
All users of the Enterprise Security Client are advised to upgrade to this updated package, which resolves these issues.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=467011
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=514053
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=517414
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=549540
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=549542
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=553661

1.48. etherboot

1.48.1. RHBA-2010:0227: bug fix update

Updated etherboot packages that fix several bugs are now available.
Etherboot is a software package for creating ROM images (zrom files) that can download code over an Ethernet network to be executed on an x86 computer. Many network adapters have a socket where a ROM chip can be installed. Etherboot is code that can be put in such a ROM.
* the zrom file for use with NE2000-compatible Ethernet cards used by etherboot when network booting using such a card failed to obtain an IP address. Consequently network booting a system with an NE2000-compatible Ethernet card failed, returning an error as follows:
Probing pci nic... Probing isa nic... [NE*000]
With this update the zrom file used by etherboot has been updated and network booting a KVM guest via PXE using NE2000 network card emulation now succeeds as expected. (BZ#511912)
* Change glibc32 BuildRequires to file-based BuildRequires. (BZ#521901)
* Use update-alternatives to provide the common /usr/share/qemu-pxe-roms directory. (BZ#546016)
* Use 0644 permission on all rom files. (BZ#547773)
All etherboot users should install this update which addresses these issues.

1.49. ethtool

1.49.1. RHBA-2010:0279: bug fix and enhancement update

An enhanced ethtool package that fixes a number of minor issues is now available.
The ethtool utility allows the querying and changing of specific settings on network adapters. These settings include speed, port, link auto-negotiation settings and PCI locations.
This updated package adds the following enhancements:
* ethtool can now display all NIC speeds, not just 10/100/1000. (BZ#450162)
* the redundant INSTALL file has been removed from the package. (BZ#472034)
* the ethtool usage message has been fixed to not state that -h requires a DEVNAME. (BZ#472038)
* ethtool now recognizes 10000 as a valid speed and includes it as a supported link mode. (BZ#524241, BZ#529395)
All ethtool users should upgrade to this updated package which provides these enhancements.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=511912
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=521901
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=546016
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=547773
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=450162
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=472034

1.50. evince

1.50.1. RHBA-2010:0195: bug fix update

An updated evince package that resolves various issues is now available.
evince is a GNOME-based document viewer.
This updated package resolves the following issues:
* fullscreen mode allows a user to view (in a maximized window) just the document and a single navigation toolbar. Previously, the function that handles the timeout of fullscreen mode was only made aware of the window, rather than the workspace. Consequently, if a user switched to a different workspace while fullscreen mode was enabled, the fullscreen toolbar would persist at the top of the screen. With this update, the evince fullscreen toolbar no longer remains after changing workspaces, resolving this issue. (BZ#229173)
* when searching for a string in a document, evince may have miscalculated the scope of the search if a string appeared more than once on a single page. Consequently, if a user was stepping through the search results using the "Find Next" button, evince would not step past the page with multiple matches. With this update, evince now correctly searches the whole document, resolving this issue. (BZ#469379)
* previously, evince classified a single error dialog as a full running instance. Consequently, if an instance of evince contained only an error dialog, any document opened would appear in that instance. This may have confused users, as documents were displayed in the workspace where the error dialog is located, rather than the current workspace. In this updated package, evince no longer treats a single error dialog as an opened document, resolving this issue. (BZ#504334)
* when rendering a page of a PDF document, evince displays a blank page, with just the text "Loading..." visible until the page is ready to be viewed. Previously, evince was not checking if the drawing area for the loading page could be allocated. Consequently, if a PDF document with large page dimensions was opened, evince may have crashed, returning a segmentation fault. With this update, the drawing area for the loading page is now correctly allocated, resolving this issue. (BZ#499676)
All evince users are advised to upgrade to this updated package, which resolves these issues.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=472038
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=524241
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=529395
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229173
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=469379
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=504334
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=499676

1.51. exim

1.51.1. RHBA-2009:1627: bug fix update

Note
This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1627
Updated exim packages that resolve several issues are now available.
Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. It is freely available under the terms of the GNU General Public Licence. In style it is similar to Smail 3, but its facilities are more general. There is a great deal of flexibility in the way mail can be routed, and there are extensive facilities for checking incoming mail. Exim can be installed in place of sendmail, although the configuration of exim is quite different to that of sendmail.
These updated exim packages provide fixes for the following bugs:
* The exim init script returned error code 0 regardless of whether the service had actually been started, and an unimplemented feature of the script caused it to issue an incorrect return code. The init script has been corrected: it now returns a value of 2 on an unsupported command and 1 when the $NETWORKING parameter is set to no, returns the correct status error to the user, and forces the script to restart (using condrestart) when the status is not equal to 0.
* The default configuration referred to an undefined domain list causing errors when trying to relay email. The correct domain list of relay_to_domains is now utilized.
* Exim listened on all interfaces by default, whereas Sendmail and Postfix only listen on loopback by default. Administrators who assumed that exim's default settings matched those of Sendmail and Postfix may have introduced a security hole when installing exim. To correct this, the code segment local_interfaces = <; 127.0.0.1 ; ::1; has been added to the default configuration, allowing administrators to treat exim default settings the same as Sendmail and Postfix.
* Exim used to attempt generation of the certificate on installation instead of the first start, which could cause the installation to fail when the certificate could not be generated. Certificate generation is now undertaken upon the first start of exim after installation, allowing the installation to succeed.
All users of exim are advised to upgrade to these updated packages, which resolve these issues.

1.52. fetchmail

1.52.1. RHSA-2009:1427: Moderate security update

Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1427
An updated fetchmail package that fixes multiple security issues is now available for Red Hat Enterprise Linux 3, 4, and 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
Fetchmail is a remote mail retrieval and forwarding utility intended for use over on-demand TCP/IP links, such as SLIP and PPP connections.
It was discovered that fetchmail is affected by the previously published "null prefix attack", caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse fetchmail into accepting it by mistake. (CVE-2009-2666)
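The "null prefix" problem arises because name strings in X.509 certificates are length-prefixed ASN.1 values, while C string functions stop at the first NUL byte. The following added example (not fetchmail's code and not the backported patch) contrasts a comparison that truncates at NUL with a length-aware one that rejects such names; the host names and encoded values are constructed, only short-form ASN.1 lengths are handled, and wildcard names are out of scope.

```python
ASN1_STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x16: "IA5String"}


def encode_asn1_string(value, tag=0x0C):
    """Encode bytes as a tag-length-value string (short-form length only)."""
    if len(value) > 127:
        raise ValueError("long-form lengths are not handled in this example")
    return bytes([tag, len(value)]) + value


def decode_asn1_string(tlv):
    """Return the value bytes of an ASN.1 string TLV, checking tag and length."""
    if len(tlv) < 2 or tlv[0] not in ASN1_STRING_TAGS:
        raise ValueError("not an ASN.1 string type handled here")
    length = tlv[1]
    if length & 0x80:
        raise ValueError("long-form lengths are not handled in this example")
    if len(tlv) != 2 + length:
        raise ValueError("length field does not match the data")
    return tlv[2:]


def as_c_string(value):
    """What strcmp()-style code sees: everything before the first NUL byte."""
    return value.split(b"\x00", 1)[0]


def naive_name_matches(cert_name, expected_host):
    """Flawed check: compares only the NUL-terminated prefix of the name."""
    return as_c_string(cert_name).lower() == expected_host.lower().encode("ascii")


def strict_name_matches(cert_name, expected_host):
    """Length-aware check: reject NUL and other non-printable bytes,
    then compare the whole value."""
    if any(b < 0x21 or b > 0x7E for b in cert_name):
        return False
    return cert_name.lower() == expected_host.lower().encode("ascii")


def demo():
    """Compare both checks on two constructed certificate names."""
    expected = "mail.example.com"
    honest = encode_asn1_string(b"mail.example.com")
    embedded_nul = encode_asn1_string(b"mail.example.com\x00.example.net")
    results = {}
    for label, tlv in (("honest", honest), ("embedded_nul", embedded_nul)):
        name = decode_asn1_string(tlv)
        results[label] = (
            len(name),
            naive_name_matches(name, expected),
            strict_name_matches(name, expected),
        )
    return results


if __name__ == "__main__":
    for label, (length, naive, strict) in demo().items():
        print(label, "length", length, "naive", naive, "strict", strict)
```

The name with the embedded NUL is 29 bytes long in the certificate, yet the truncating comparison treats it as the 16-byte expected host name; the strict check refuses it.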
A flaw was found in the way fetchmail handles rejections from a remote SMTP server when sending warning mail to the postmaster. If fetchmail sent a warning mail to the postmaster of an SMTP server and that SMTP server rejected it, fetchmail could crash. (CVE-2007-4565)
A flaw was found in fetchmail. When fetchmail is run in double verbose mode ("-v -v"), it could crash upon receiving certain, malformed mail messages with long headers. A remote attacker could use this flaw to cause a denial of service if fetchmail was also running in daemon mode ("-d"). (CVE-2008-2711)
Note: when using SSL-enabled services, it is recommended that the fetchmail "--sslcertck" option be used to enforce strict SSL certificate checking.
All fetchmail users should upgrade to this updated package, which contains backported patches to correct these issues. If fetchmail is running in daemon mode, it must be restarted for this update to take effect (use the "fetchmail --quit" command to stop the fetchmail process).
https://www.redhat.com/security/data/cve/CVE-2009-2666.html
https://www.redhat.com/security/data/cve/CVE-2007-4565.html
https://www.redhat.com/security/data/cve/CVE-2008-2711.html

1.53. filesystem

1.53.1. RHBA-2009:1481: bug fix update

Note
This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1481
An updated filesystem package that corrects the owners of certain directories is now available for Red Hat Enterprise Linux 5.
The filesystem package is one of the basic packages that is installed on a Red Hat Linux system. Filesystem contains the basic directory layout for the Linux operating system, including the correct permissions for directories.
This updated filesystem package fixes the following bug:
* a number of file system directories were unowned. This update corrects the ownership of the following directories: /usr/src/debug, /usr/src/kernels, several directories in /usr/share/man, /usr/share/locale and, under it, the LC_MESSAGES subdirectory for several locales. In addition, for the sake of consistency this updated filesystem package now owns, but does not create, the locale-specific man page directories located under /usr/share/man/[locale]. (BZ#487568)
All users of filesystem are advised to upgrade to this updated package, which resolves this issue.

1.54. firefox

1.54.1. RHSA-2010:0112: Critical security update

Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0112
Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having critical security impact by the Red Hat Security Response Team.
Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.
A use-after-free flaw was found in Firefox. Under low memory conditions, visiting a web page containing malicious content could result in Firefox executing arbitrary code with the privileges of the user running Firefox. (CVE-2009-1571 [355])
353
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=487568
355
https://www.redhat.com/security/data/cve/CVE-2009-1571.html
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-0159 [356], CVE-2010-0160 [357])
Two flaws were found in the way certain content was processed. An attacker could use these flaws to create a malicious web page that could bypass the same-origin policy, or possibly run untrusted JavaScript. (CVE-2009-3988 [358], CVE-2010-0162 [359])
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.18. You can find a link to the Mozilla advisories in the References section of this errata.
All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.18, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

1.54.2. RHSA-2009:1674: Critical security update

Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1674
Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having critical security impact by the Red Hat Security Response Team.
Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3979 [361], CVE-2009-3981 [362], CVE-2009-3986 [363])
A flaw was found in the Firefox NT LAN Manager (NTLM) authentication protocol implementation. If an attacker could trick a local user that has NTLM credentials into visiting a specially-crafted web page, they could send arbitrary requests, authenticated with the user's NTLM credentials, to other applications on the user's system. (CVE-2009-3983 [364])
A flaw was found in the way Firefox displayed the SSL location bar indicator. An attacker could create an unencrypted web page that appears to be encrypted, possibly tricking the user into believing they are visiting a secure page. (CVE-2009-3984 [365])
356
https://www.redhat.com/security/data/cve/CVE-2010-0159.html
357
https://www.redhat.com/security/data/cve/CVE-2010-0160.html
358
https://www.redhat.com/security/data/cve/CVE-2009-3988.html
359
https://www.redhat.com/security/data/cve/CVE-2010-0162.html
361
https://www.redhat.com/security/data/cve/CVE-2009-3979.html
362
https://www.redhat.com/security/data/cve/CVE-2009-3981.html
363
https://www.redhat.com/security/data/cve/CVE-2009-3986.html
364
https://www.redhat.com/security/data/cve/CVE-2009-3983.html
365
https://www.redhat.com/security/data/cve/CVE-2009-3984.html
A flaw was found in the way Firefox displayed blank pages after a user navigates to an invalid address. If a user visits an attacker-controlled web page that results in a blank page, the attacker could inject content into that blank page, possibly tricking the user into believing they are viewing a legitimate page. (CVE-2009-3985 [366])
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.16. You can find a link to the Mozilla advisories in the References section of this errata.
All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.16, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

1.54.3. RHSA-2009:1530: Critical security update

Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1530
Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having critical security impact by the Red Hat Security Response Team.
Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. nspr provides the Netscape Portable Runtime (NSPR).
A flaw was found in the way Firefox handles form history. A malicious web page could steal saved form data by synthesizing input events, causing the browser to auto-fill form fields (which could then be read by an attacker). (CVE-2009-3370 [368])
A flaw was found in the way Firefox creates temporary file names for downloaded files. If a local attacker knows the name of a file Firefox is going to download, they can replace the contents of that file with arbitrary contents. (CVE-2009-3274 [369])
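The class of problem described for CVE-2009-3274, shown as an added example that is not Firefox code and not part of the original errata text: a writer that uses a guessable temporary name silently reuses a file that already exists, while exclusive creation or a random name does not. The function names, the ".part" suffix and the pre-existing file are assumptions constructed for illustration.

```python
import os
import stat
import tempfile


def predictable_path(download_dir, filename):
    """Weak naming (hypothetical): the temporary name is a pure function of
    the download's file name, so any local user can compute it in advance."""
    return os.path.join(download_dir, filename + ".part")


def save_weak(path, data):
    """Weak write: open() reuses whatever already exists at `path`,
    including a file created by another user, and keeps its owner and mode."""
    with open(path, "wb") as fh:
        fh.write(data)


def save_exclusive(path, data):
    """Hardened write for a fixed name: O_EXCL makes creation fail if the
    name already exists, O_NOFOLLOW refuses a symlink, and mode 0600 keeps
    other local users out of the new file."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def save_unpredictable(download_dir, data, suffix=".part"):
    """Hardened write with an unguessable name: mkstemp() picks a random
    name and creates it exclusively with mode 0600 in a single step."""
    fd, path = tempfile.mkstemp(dir=download_dir, suffix=suffix)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo():
    """Run the three writers against a pre-existing file (constructed
    scenario) and report what each one did."""
    results = {}
    with tempfile.TemporaryDirectory() as shared:
        target = predictable_path(shared, "report.pdf")

        # Constructed precondition: the name already exists and is
        # world-writable, as it would be if another local user made it first.
        with open(target, "wb") as fh:
            fh.write(b"pre-existing")
        os.chmod(target, 0o666)

        # The weak writer succeeds and inherits the foreign file's mode.
        save_weak(target, b"download")
        results["weak_mode"] = stat.S_IMODE(os.stat(target).st_mode)

        # The exclusive writer refuses to touch a name it did not create.
        try:
            save_exclusive(target, b"download")
            results["exclusive"] = "written"
        except FileExistsError:
            results["exclusive"] = "refused"

        # The random-name writer never collides with the guessable name.
        safe = save_unpredictable(shared, b"download")
        results["random_mode"] = stat.S_IMODE(os.stat(safe).st_mode)
        results["random_differs"] = safe != target
    return results


if __name__ == "__main__":
    print(demo())
```

A file that stays world-writable after the download has been written is the condition under which another local user can change its contents afterwards.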
A flaw was found in the Firefox Proxy Auto-Configuration (PAC) file processor. If Firefox loads a malicious PAC file, it could crash Firefox or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3372 [370])
A heap-based buffer overflow flaw was found in the Firefox GIF image processor. A malicious GIF image could crash Firefox or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3373 [371])
A heap-based buffer overflow flaw was found in the Firefox string to floating point conversion routines. A web page containing malicious JavaScript could crash Firefox or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-1563 [372])
366
https://www.redhat.com/security/data/cve/CVE-2009-3985.html
368
https://www.redhat.com/security/data/cve/CVE-2009-3370.html
369
https://www.redhat.com/security/data/cve/CVE-2009-3274.html
370
https://www.redhat.com/security/data/cve/CVE-2009-3372.html
371
https://www.redhat.com/security/data/cve/CVE-2009-3373.html
372
https://www.redhat.com/security/data/cve/CVE-2009-1563.html
A flaw was found in the way Firefox handles text selection. A malicious website may be able to read highlighted text in a different domain (e.g. another website the user is viewing), bypassing the same-origin policy. (CVE-2009-3375 [373])
A flaw was found in the way Firefox displays a right-to-left override character when downloading a file. In these cases, the name displayed in the title bar differs from the name displayed in the dialog body. An attacker could use this flaw to trick a user into downloading a file that has a file name or extension that differs from what the user expected. (CVE-2009-3376 [374])
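A check for the condition behind CVE-2009-3376, given as an added example that is not Firefox code and not part of the original errata text: it flags bidirectional control characters in a file name and compares the extension a user would see with the one stored in the name. The sample name is constructed, and `approx_display` is a simplified model that handles only the override and pop characters, not the full Unicode Bidirectional Algorithm.

```python
import os
import unicodedata

# Unicode bidirectional formatting characters: embeddings, overrides,
# isolates and marks. A download name has no need for any of them.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"  # LRE RLE PDF LRO RLO
    "\u2066\u2067\u2068\u2069"        # LRI RLI FSI PDI
    "\u200e\u200f\u061c"              # LRM RLM ALM
)
RLO, PDF = "\u202e", "\u202c"

# Constructed sample: stored order ends in ".sh", but a bidi-aware widget
# draws the part after the override right to left.
SAMPLE = "summary_\u202etxt.sh"


def find_bidi_controls(name):
    """Return (index, Unicode name) for every bidi control in `name`."""
    return [(i, unicodedata.name(ch))
            for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def approx_display(name):
    """Approximate what a bidi-aware widget shows: characters after an RLO
    are laid out right to left until a PDF or the end of the string."""
    shown, run, overriding = [], [], False
    for ch in name:
        if ch in (RLO, PDF):
            shown.extend(reversed(run))   # close the current override run
            run = []
            overriding = (ch == RLO)
        elif ch in BIDI_CONTROLS:
            continue                      # other controls are invisible
        elif overriding:
            run.append(ch)
        else:
            shown.append(ch)
    shown.extend(reversed(run))
    return "".join(shown)


def escape_controls(name):
    """Render bidi controls as visible escapes so every UI element shows
    the same, unambiguous label."""
    return "".join("\\u%04x" % ord(ch) if ch in BIDI_CONTROLS else ch
                   for ch in name)


def check_download_name(name):
    """Summarise what is stored, what is shown, and whether they disagree."""
    shown = approx_display(name)
    return {
        "suspicious": bool(find_bidi_controls(name)),
        "controls": find_bidi_controls(name),
        "displayed_as": shown,
        "displayed_extension": os.path.splitext(shown)[1].lower(),
        "actual_extension": os.path.splitext(name)[1].lower(),
        "safe_label": escape_controls(name),
    }


if __name__ == "__main__":
    for key, value in check_download_name(SAMPLE).items():
        print(key, "=", value)
```

Showing `safe_label` instead of the raw name, or rejecting any name for which `suspicious` is true, keeps the title bar and the dialog body from disagreeing.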
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3374 [375], CVE-2009-3380 [376], CVE-2009-3382 [377])
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.15. You can find a link to the Mozilla advisories in the References section of this errata.
All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.15, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

1.54.4. RHSA-2009:1430: Critical security update

Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1430
Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having critical security impact by the Red Hat Security Response Team.
Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. nspr provides the Netscape Portable Runtime (NSPR).
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3070 [379], CVE-2009-3071 [380], CVE-2009-3072 [381], CVE-2009-3074 [382], CVE-2009-3075 [383])
A use-after-free flaw was found in Firefox. An attacker could use this flaw to crash Firefox or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3077 [384])
373
https://www.redhat.com/security/data/cve/CVE-2009-3375.html
374
https://www.redhat.com/security/data/cve/CVE-2009-3376.html
375
https://www.redhat.com/security/data/cve/CVE-2009-3374.html
376
https://www.redhat.com/security/data/cve/CVE-2009-3380.html
377
https://www.redhat.com/security/data/cve/CVE-2009-3382.html
379
https://www.redhat.com/security/data/cve/CVE-2009-3070.html
380
https://www.redhat.com/security/data/cve/CVE-2009-3071.html
381
https://www.redhat.com/security/data/cve/CVE-2009-3072.html
382
https://www.redhat.com/security/data/cve/CVE-2009-3074.html
383
https://www.redhat.com/security/data/cve/CVE-2009-3075.html
384
https://www.redhat.com/security/data/cve/CVE-2009-3077.html
A flaw was found in the way Firefox handles malformed JavaScript. A website with an object containing malicious JavaScript could execute that JavaScript with the privileges of the user running Firefox. (CVE-2009-3079 [385])
Descriptions in the dialogs when adding and removing PKCS #11 modules were not informative. An attacker able to trick a user into installing a malicious PKCS #11 module could use this flaw to install their own Certificate Authority certificates on a user's machine, making it possible to trick the user into believing they are viewing a trusted site or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3076 [386])
A flaw was found in the way Firefox displays the address bar when window.open() is called in a certain way. An attacker could use this flaw to conceal a malicious URL, possibly tricking a user into believing they are viewing a trusted site. (CVE-2009-2654 [387])
A flaw was found in the way Firefox displays certain Unicode characters. An attacker could use this flaw to conceal a malicious URL, possibly tricking a user into believing they are viewing a trusted site. (CVE-2009-3078 [388])
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.14. You can find a link to the Mozilla advisories in the References section of this errata.
All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.14, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

1.55. firstboot

1.55.1. RHBA-2010:0314: bug fix update

Updated firstboot packages that fix a bug are now available.
The firstboot utility runs after installation. It guides the user through a series of steps that allows for easier configuration of the machine.
These updated packages address the following issue:
* Clicking [Change Network Configuration] from firstboot's network configuration page launched a separate network configuration window. If the user then clicked [Forward] on the still-visible main window, the separate configuration window became hidden behind the full-screen main window.
Further mouse-clicks would be ineffectual and it could appear to the user that the system had become unresponsive. It was necessary to use the alt+tab keys to reveal the hidden configuration window.
Code has been added to the networking.py source file to modify the behavior of the network configuration and main windows. Now the configuration window will stay on top if the user clicks outside its boundary. (BZ#511984 [389])
Users are advised to upgrade to these updated packages, which resolve this issue.
385
https://www.redhat.com/security/data/cve/CVE-2009-3079.html
386
https://www.redhat.com/security/data/cve/CVE-2009-3076.html
387
https://www.redhat.com/security/data/cve/CVE-2009-2654.html
388
https://www.redhat.com/security/data/cve/CVE-2009-3078.html
389
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=511984

1.56. freeradius

1.56.1. RHSA-2009:1451: Moderate security update

Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1451
Updated freeradius packages that fix a security issue are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service (RADIUS) server, designed to allow centralized authentication and authorization for a network.
An input validation flaw was discovered in the way FreeRADIUS decoded specific RADIUS attributes from RADIUS packets. A remote attacker could use this flaw to crash the RADIUS daemon (radiusd) via a specially-crafted RADIUS packet. (CVE-2009-3111 [391])
Users of FreeRADIUS are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, radiusd will be restarted automatically.

1.56.2. RHBA-2009:1678: bug fix update

Note
This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1678
Updated freeradius packages that fix a bug are now available.
FreeRADIUS is an Internet authentication daemon, which implements the RADIUS protocol, as defined in RFC 2865 (and others). It allows Network Access Servers (NAS boxes) to perform authentication for dial-up users. There are also RADIUS clients available for Web servers, firewalls, Unix logins, and more. Using RADIUS allows authentication and authorization for a network to be centralized, and minimizes the amount of re-configuration which has to be done when adding or deleting new users.
This update addresses the following bug:
* an error in the EAP authentication module could cause memory corruption. Running the radeapclient utility would typically expose the problem. An error message including text such as this
*** glibc detected *** radeapclient: free(): invalid pointer:
was presented and radeapclient would then abort abnormally. This update corrects the error in the EAP authentication module. The module no longer corrupts memory and applications such as radeapclient that use this module work as expected. (BZ#476513 [393])
391
https://www.redhat.com/security/data/cve/CVE-2009-3111.html
All freeradius users should install these updated packages, which fix this problem.

1.57. gail

1.57.1. RHBA-2009:1594: bug fix update

Note
This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1594
Updated gail packages that resolve an issue are now available.
GAIL, the GNOME Accessibility Implementation Library, implements the abstract interfaces found in the Accessibility Toolkit (ATK) for GTK+ and GNOME libraries, and thereby enables accessibility technologies such as AT-SPI (the Assistive Technology Service Provider Interface) to access GUI elements.
These updated gail packages fix the following bug:
* when starting a GNOME application at the shell prompt, the GAIL library incorrectly printed the following spurious error message when the "GNOME_ACCESSIBILITY" environment variable was set to "0", which disables GNOME accessibility support: "GTK Accessibility Module initialized". With this update, this message no longer appears when the "GNOME_ACCESSIBILITY" environment variable is set to "0". (BZ#506561 [395])
All users of gail are advised to upgrade to these updated packages, which resolve this issue.

1.58. gcc

1.58.1. RHBA-2009:1533: bug fix update

Note
This update has already been released (prior to the GA of this release) as errata RHBA-2009:1533
A gcc update that resolves an option handling bug where only the last "-fno-builtin-*" option specified on the command line was honored is now available.
The gcc packages include C, C++, Java, Fortran, Objective C, and Ada 95 GNU compilers, along with related support libraries.
393
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=476513
395
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=506561
This update fixes the following bug:
* if multiple "-fno-builtin-*" options were specified on the command line (for example, "-fno-builtin-iswalpha -fno-builtin-iswalnum") only the last option was honored (in the example, -fno-builtin-iswalnum). With this update, joined switches are no longer pruned, ensuring all such options are honored, as expected. (BZ#526421 [397])
Users are advised to install this gcc update, which applies this fix.

1.58.2. RHSA-2010:0039: Moderate and gcc4 security update

Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0039
Updated gcc and gcc4 packages that fix one security issue are now available for Red Hat Enterprise Linux 3, 4, and 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
The gcc and gcc4 packages include, among others, C, C++, and Java GNU compilers and related support libraries. libgcj contains a copy of GNU Libtool's libltdl library.
A flaw was found in the way GNU Libtool's libltdl library looked for libraries to load. It was possible for libltdl to load a malicious library from the current working directory. In certain configurations, if a local attacker is able to trick a local user into running a Java application (which uses a function to load native libraries, such as System.loadLibrary) from within an attacker-controlled directory containing a malicious library or module, the attacker could possibly execute arbitrary code with the privileges of the user running the Java application. (CVE-2009-3736 [399])
All gcc and gcc4 users should upgrade to these updated packages, which contain a backported patch to correct this issue. All running Java applications using libgcj must be restarted for this update to take effect.

1.58.3. RHBA-2010:0232: bug fix update

A gcc update that resolves several compiler bugs is now available.
The gcc packages include C, C++, Java, Fortran, Objective C, and Ada 95 GNU compilers, along with related support libraries.
This update applies the following bug fixes:
* when compiling a debug version of a C++ program, it was possible for gcc to lose debug information for some local variables in C++ constructors or destructors. This was because gcc incorrectly released information on abstract functions (specifically, contents of the DECL_INITIAL() function), which are needed for creating debug information. With this release, nodes containing abstract functions are flagged accordingly to prevent gcc from prematurely discarding needed debug information. (BZ#513184 [400])
* when issuing multiple -fno-builtin-* switches to gcc, gcc only registered the last switch. With this release, gcc can now register multiple -fno-builtin-* switches correctly. (BZ#515799 [401])
397
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=526421
399
https://www.redhat.com/security/data/cve/CVE-2009-3736.html
* in some cases, aggregates returned by value could cause reload failures in the caller function, resulting in an internal compiler error. This was caused by a bug in the combining code that incorrectly lengthens the lifetime of a hard register. This update applies a patch to expand_call function in gcc/calls.c that resolves the issue. (BZ#516028 [402])
* using g++ to compile code containing virtual inheritances could result in a segmentation fault. This was because the dynamic_cast code in gcc did not use src2dst hints as expected; as a result, g++ could search an unnecessarily large address list for possible bases. With this release, the dynamic_cast code now uses src2dst hints; this allows g++ to defer searching bases that don't overlap with a virtual inheritance's address. (BZ#519519 [403])
* On PowerPC, it was possible for DWARF access to function parameters to fail. This was caused by a bug in the GCC instruction set for PowerPC, where compiling with -mno-sched-prolog could discard debug location lists. This update fixes the bug, ensuring consistent DWARF access to function parameters on PowerPC. (BZ#528792 [404])
* The libgcc unwinder now supports DW_OP_swap handling. This update also fixes bugs in the way unwinding code handled unwind information from DW_OP_{gt,ge,lt,le} and DW_CFA_{remember,restore}_state. (BZ#555731 [405])
All GCC users are advised to install this update.

1.59. gd

1.59.1. RHSA-2010:0003: Moderate security update

Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0003
Updated gd packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
The gd packages provide a graphics library used for the dynamic creation of images, such as PNG and JPEG.
400
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=513184
401
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=515799
402
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=516028
403
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=519519
404
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=528792
405
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=555731
A missing input sanitization flaw, leading to a buffer overflow, was discovered in the gd library. A specially-crafted GD image file could cause an application using the gd library to crash or, possibly, execute arbitrary code when opened. (CVE-2009-3546 [407])
Users of gd should upgrade to these updated packages, which contain a backported patch to resolve this issue.

1.60. gdb

1.60.1. RHBA-2010:0285: bug fix update

An updated gdb package that fixes various bugs is now available.
The GNU Project debugger, GDB, debugs programs written in C, C++, and other languages by executing them in a controlled fashion, and then printing out their data.
With this update, GDB is now re-based to upstream version 7.0.1 (BZ#526533 [408]). This applies several bug fixes and enhancements not listed here. For a full description of this version, refer to the following link: http://sourceware.org/cgi-bin/cvsweb.cgi/src/gdb/NEWS.diff?cvsroot=src&r1=text&tr1=1.259.2.1&r2=text&tr2=1.331.2.2&f=u
This update applies the following bug fixes:
* Printing values from a debugged program by dereferencing a pointer to an object of dynamic type printed out an error stating "Cannot resolve DW_OP_push_object_address for a missing object". Such pointers are produced by an unsupported iFort compiler, not by gfortran. With this update, GDB can now dereference pointers to objects of dynamic type, thereby correctly printing the dynamic Fortran arrays dereferenced from such pointers (as produced by the iFort compiler). (BZ#514287 [409])
* Debugging a program with thousands of set breakpoints was unacceptably slow. This was because a previous patch introduced a mechanism that hid breakpoint instructions and returned "shadow" content whenever target_read_memory() accessed memory. The aforementioned patch was implemented upstream to be used with a "breakpoint always-inserted" option, which was not implemented in the Red Hat Enterprise Linux version of GDB. However, the Red Hat Enterprise Linux version backported it to solve a problem on Itanium, where instruction (and thus even breakpoint instruction) boundaries are not byte-aligned. This update reimplements the shadowing functionality using a more optimal log(n) algorithm instead, which consequently prevents any unnecessary slowdown when processing programs with numerous set breakpoints. (BZ#520618 [410])
* GDB incorrectly skipped OpenMP parallel sections (instead of entering them as expected) when using the "next" command. This was caused by missing DWARF annotations from GCC that made it possible for OpenMP parallel sections to be incorrectly classified as function calls. To address this, GDB contains special instructions to make OpenMP parallel sections indifferent to normal code, allowing GDB to step into parallel sections with "next" correctly. (BZ#533176 [411])
* The GDB version banner now correctly displays "Red Hat Enterprise Linux" instead of "Fedora". (BZ#537788 [412])
407
https://www.redhat.com/security/data/cve/CVE-2009-3546.html
408
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=526533
409
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=514287
410
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=520618
411
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=533176
412
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=537788
* GDB no longer obsoletes the pstack package. (BZ#550786 [413])
* Loading symbols in STABS debug format could crash GDB. The STABS format is no longer supported, as Red Hat Enterprise Linux uses the debug format DWARF. With this update, loading symbols in STABS format no longer crashes GDB; instead, such symbols are simply loaded incorrectly. (BZ#553672 [414])
* Adding GDB support for Fortran modules in previous releases introduced a regression which prevented GDB from setting breakpoints on a Fortran program's name. This was caused by a bug in the search routines used when "set language fortran" is enabled. This update fixes the regression. (BZ#559291 [415])
* The Red Hat Enterprise Linux 5.5 version of GDB also contains a fix for an upstream GDB regression that prevented users from setting rwatch and awatch breakpoints before a program starts. This version of GDB implements a compatibility fix from GDB 6.8 to address the regression. (BZ#562770 [416])
* A "break-by-name on inlined functions" feature introduced in Fedora GDB made it possible for parameters of inlined functions to be incorrectly hidden. Whenever this occurred during debugging, GDB printed "<optimized out>" in backtraces or upon entering such functions. In some cases, stepping through inlined functions could also abort GDB with an internal error. This release resolves the issue by removing the "break-by-name on inlined functions" feature altogether. (BZ#565601 [417])
All GDB users should apply this update.

1.61. gfs-kmod

1.61.1. RHSA-2010:0291: Moderate security, bug fix and enhancement update

Updated gfs-kmod packages that fix one security issue, numerous bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5.5, kernel release 2.6.18-194.el5.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
The gfs-kmod packages contain modules that provide the ability to mount and use GFS file systems.
A flaw was found in the gfs_lock() implementation. The GFS locking code could skip the lock operation for files that have the S_ISGID bit (set-group-ID on execution) in their mode set. A local, unprivileged user on a system that has a GFS file system mounted could use this flaw to cause a kernel panic. (CVE-2010-0727 [418])
These updated gfs-kmod packages are in sync with the latest kernel (2.6.18-194.el5). The modules in earlier gfs-kmod packages failed to load because they did not match the running kernel. It was possible to force-load the modules. With this update, however, users no longer need to.
413
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=550786
414
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=553672
415
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=559291
416
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=562770
417
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=565601
418
https://www.redhat.com/security/data/cve/CVE-2010-0727.html
These updated gfs-kmod packages also fix the following bugs:
* when SELinux was in permissive mode, a race condition during file creation could have caused one or more cluster nodes to be fenced and lock the remaining nodes out of the GFS file system. This race condition no longer occurs with this update. (BZ#471258 [419])
* when ACLs (Access Control Lists) are enabled on a GFS file system, if a transaction that has started to do a write request does not have enough spare blocks for the operation it causes a kernel panic. This update ensures that there are enough blocks for the write request before starting the operation. (BZ#513885 [420])
* requesting a "flock" on a file in GFS in either read-only or read-write mode would sometimes cause a "Resource temporarily unavailable" state error (error 11 for EWOULDBLOCK) to occur. In these cases, a flock could not be obtained on the file in question. This has been fixed with this update so that flocks can successfully be obtained on GFS files without this error occurring. (BZ#515717 [421])
* the GFS withdraw function is a data integrity feature of GFS file systems in a cluster. If the GFS kernel module detects an inconsistency in a GFS file system following an I/O operation, the file system becomes unavailable to the cluster. The GFS withdraw function is less severe than a kernel panic, which would cause another node to fence the node. With this update, you can override the GFS withdraw function by mounting the file system with the "-o errors=panic" option specified. When this option is specified, any errors that would normally cause the system to withdraw cause the system to panic instead. This stops the node's cluster communications, which causes the node to be fenced. (BZ#517145 [422])
Finally, these updated gfs-kmod packages provide the following enhancement:
* the GFS kernel modules have been updated to use the new generic freeze and unfreeze ioctl interface that is also supported by the following file systems: ext3, ext4, GFS2, JFS and ReiserFS. With this update, GFS supports freeze/unfreeze through the VFS-level FIFREEZE/FITHAW ioctl interface. (BZ#487610 [423])
Users are advised to upgrade to these latest gfs-kmod packages, updated for use with the 2.6.18-194.el5 kernel, which contain backported patches to correct these issues, fix these bugs, and add this enhancement.

1.62. gfs-utils

1.62.1. RHBA-2010:0290: bug fix update

Updated gfs-utils packages that fix various bugs are now available.
The gfs-utils packages provide the user-space tools necessary to mount, create, maintain and test GFS file systems.
The updated gfs-utils packages apply the following bug fixes:
419
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=471258
420
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=513885
421
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=515717
422
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=517145
423
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=487610
* GFS: gfs_fsck sometimes needs to be run twice (BZ#509225 [424])
* gfs_fsck cannot repair rindex problems when directly on block device (BZ#512722 [425])
* gfs_fsck -n always returns 0 even if error is found (BZ#508978 [426])
All users of gfs-utils should upgrade to these updated packages, which resolve these issues.

1.63. gfs2-utils

1.63.1. RHBA-2010:0287: bug fix update

Updated gfs2-utils packages that fix various bugs are now available.
The gfs2-utils packages provide the user-space tools necessary to mount, create, maintain and test GFS2 file systems.
The updated gfs2-utils packages apply the following bug fixes:
* gfs2_edit segfault (BZ#503485 [427])
* gfs2_edit produces unaligned access (BZ#503530 [428])
* fsck.gfs2: Message printed to stderr instead of stdout (BZ#506682 [429])
* gfs2_tool man page incorrectly references gfs2_mount (BZ#514939 [430])
* GFS2: fsck.gfs2 sometimes needs to be run twice (BZ#500483 [431])
* "fsck.gfs2: invalid option -- a" on boot when mounting root formatted as gfs2 (BZ#507596 [432])
* GFS2: gfs2_fsck bugs found in rindex repair code (BZ#514018 [433])
* GFS2: gfs2_edit fixes for 5.5 (BZ#503529 [434])
* gfs2-utils fails rebuild test (BZ#515370 [435])
* gfs2_edit -p block# shows wrong height/offset on gfs1 and segfaults on gfs2 (BZ#506343 [436])
* fsck.gfs2 unable to fix some rindex corruption for block size < 4K (BZ#520762 [437])
* GFS2: gfs2_edit savemeta not saving all extended attribute data (BZ#527770 [438])
* GFS2: fsck.gfs2 should fix the system statfs file (BZ#539337 [439])
* GFS2: gfs2_edit savemeta bugs (BZ#528786 [440])
* quota file size not a multiple of struct gfs2_quota (BZ#536902 [441])
* interrupted rgrp conversion does not allow re-converts (BZ#548585 [442])
* Conversion of inodes that are of different metatree heights in gfs and gfs2 is incorrect (BZ#548588 [443])
* Allow fsck.gfs2 to check RO mounted file systems (BZ#557128 [444])
* GFS2: gfs2_convert should fix statfs file (BZ#556961 [445])
* gfs2_convert doesn't convert jdata files correctly (BZ#545602 [446])
* GFS2: fatal: invalid metadata block after gfs2_grow (BZ#546683 [447])
All users of gfs2-utils should upgrade to these updated packages, which resolve these issues.

1.64. glibc

1.64.1. RHBA-2009:1634: bug fix update

Note
This update has already been released (prior to the GA of this release) as errata RHBA-2009:1634
Updated glibc packages that resolve several issues are now available.
The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, the Linux system cannot function properly.
These updated glibc packages provide fixes for the following bugs:
* when a thread calls the setuid() function, the change of credentials needs to be performed in every thread as per POSIX requirements. This update corrects the implementation to avoid a race condition which occurred when a thread terminated or a new thread was created while the credential change was performed. (BZ#533213)
* the implementation of the sem_timedwait() function, in assembler, incorrectly decremented the number of waiting threads stored in a block of memory when an invalid nanosecond value was passed through its second argument. This error is corrected in this update. (BZ#540475)
All users of glibc are advised to upgrade to these updated packages, which resolve these issues.

1.64.2. RHBA-2010:0050: bug fix update

Note
This update has already been released (prior to the GA of this release) as errata RHBA-2010:0050
Updated glibc packages that fix a race condition while loading shared libraries are now available.
The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, the Linux system cannot function properly.
These updated glibc packages provide a fix for the following bug:
* a rarely-encountered and difficult-to-reproduce race condition existed between resolving dynamic symbols and loading shared libraries that could have resulted in library dependencies not being resolved. This update provides a fix that avoids the potential race condition. (BZ#548692)
All users are advised to upgrade to these updated packages, which resolve this issue.

1.64.3. RHBA-2010:0306: bug fix and enhancement update

Updated glibc packages that fix several bugs and add an enhancement are now available.
The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, the Linux system cannot function properly.
This update applies the following bug fixes:
* a race condition with seteuid() occurred between the threads that run on starting the program, presenting the error "EUID is already set!" within 10 to 15 seconds. These updates provide exclusive processes running with no error on startup. (BZ#491995 and BZ#522528)
* assembler implementation of sem_timedwait() on x86/x86_64 wrongly decrements the number of waiting threads stored in block of memory pointed to by (sem_t *) when an invalid nanosecond argument is used. This fix allows the correct nanosecond argument to be passed through the second argument. (BZ#529997)
* a race condition in glibc, between _dl_lookup_symbol_x() and dlopen/dlclose/etc, resulted in a failure in resolving dependencies. These updates provide for processes that are exclusive. (BZ#547631)
This update also adds the following enhancement:
* glibc: incorporates a number of tests to detect corruption in data structures used for heap memory allocation (malloc/free). This corruption can be caused deliberately by attackers exploiting buffer overflow vulnerabilities. This enhancement provides additional corruption tests. (BZ#530107)
All users are advised to upgrade to this updated package, which resolves these issues and adds this enhancement.

1.65. gnome-vfs2

1.65.1. RHBA-2010:0317: bug fix update

An updated gnome-vfs2 package that fixes a bug is now available.
GNOME VFS is the GNOME virtual file system. It is the foundation of the Nautilus file manager. It provides a modular architecture and ships with several modules that implement support for file systems, http, ftp, and others. It provides a URI-based API, backend supporting asynchronous file operations, a MIME type manipulation library, and other features.
* the gnome-vfs2 package would only work correctly on a system running Samba 3.0 packages, and could not be installed on a system running Samba 3.3 packages. The version of gnome-vfs provided with this advisory depends only on a small Samba subpackage, which is independent from other Samba packages. The gnome-vfs2 package can now be installed on a system running Samba 3.3 packages. (BZ#555642)
Users are advised to check the parallel Samba advisory RHBA-2009:9287.
Users are advised to upgrade to this updated gnome-vfs2 package, which resolves this issue.

1.65.2. RHBA-2010:0032: bug fix update

Note
This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0032
Updated gnome-vfs2 packages that resolve several issues are now available.
GNOME VFS is the GNOME virtual file system. It is the foundation of the Nautilus file manager. It provides a modular architecture, and ships with several modules that implement support for file systems and protocols such as HTTP and FTP, among others.
These updated gnome-vfs2 packages provide fixes for the following bugs:
* an unresolved symbol in the gnome-vfs2 library caused the system-config-network GUI application to be unable to start. (BZ#247522)
* client applications which used the gnome-vfs2 library were unable to search for certain paths because the search process ended as soon as it encountered a file or directory which it was unable to read. This update fixes this bug in gnome-vfs2 so that searches skip over unreadable files or directories and continue as expected.
Note: a future nautilus update will be released that properly fixes this bug in the Nautilus file manager. (BZ#432764)
* when attempting to move one or more files between two NFS mounts, the Nautilus file manager displayed a dialog box that stated: Error: "Not on the same file system." This error was caused by an EXDEV error in the gnome-vfs2 file module due to rename semantics. With this update, moving a file from one NFS mount to another succeeds as expected due to the implementation of a proper copy-and-delete fallback routine. (BZ#438116)
* attempting to open a supported document type represented by a symbolic link on an NFS share with the Evince document viewer failed with the following error message:
Unable to open document Unhandled MIME type: “application/octet-stream”
This update improves this behavior with a symbolic link check so that Evince is now able to successfully open a link to a supported document type when both the link and actual file are located on an NFS share. (BZ#481593)
* the gnome-vfs-daemon service reads the list of mounted devices at /proc/mounts upon startup. If one of the device paths was not valid UTF-8, gnome-vfs-daemon was disconnected by D-Bus when it attempted to communicate the path over the system message bus, at which time it exited. However, other GNOME applications would then attempt to restart gnome-vfs-daemon, at which time the same sequence of events reoccurred, leading to a potentially infinite loop and much extraneous CPU usage. With this update, gnome-vfs-daemon correctly converts the information provided by /proc/mounts into valid UTF-8 before communicating it via D-Bus, which prevents the possibility of gnome-vfs-daemon being disconnected, exiting, and being restarted in a continuous fashion. (BZ#486286)
* accessing a WebDAV share which contained a comma in its path name with the Nautilus file manager resulted in a "File not found" error. This update ensures that reserved characters in path names are properly escaped, and thus Nautilus is able to access such paths as expected. (BZ#503112)
All GNOME users are advised to upgrade to these updated packages, which resolve these issues. Running GNOME sessions must be restarted for the update to take effect.

1.66. gpart

1.66.1. RHBA-2009:1606: bug fix update

Note
This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1606
A gpart update that fixes a bug in the -debuginfo package is now available.
Gpart is a small tool which tries to guess what partitions are on a PC type harddisk in case the primary partition table was damaged.
This update addresses the following issue:
* although gpart contains ELF objects, the gpart-debuginfo package was empty. With this update the -debuginfo package contains valid debugging information as expected. (BZ#500598)
gpart users needing the gpart debuginfo package should install this upgraded package which fixes this problem.

1.67. gzip

1.67.1. RHSA-2010:0061: Moderate security update

Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0061
An updated gzip package that fixes one security issue is now available for Red Hat Enterprise Linux 3, 4, and 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
The gzip package provides the GNU gzip data compression program.
An integer underflow flaw, leading to an array index error, was found in the way gzip expanded archive files compressed with the Lempel-Ziv-Welch (LZW) compression algorithm. If a victim expanded a specially-crafted archive, it could cause gzip to crash or, potentially, execute arbitrary code with the privileges of the user running gzip. This flaw only affects 64-bit systems. (CVE-2010-0001)
Red Hat would like to thank Aki Helin of the Oulu University Secure Programming Group for responsibly reporting this flaw.
Users of gzip should upgrade to this updated package, which contains a backported patch to correct this issue.

1.68. hal

1.68.1. RHBA-2010:0256: bug fix update

Updated hal packages that fix various bugs are now available.
HAL is a daemon for collecting and maintaining information relating to hardware from several system sources.
The updated packages fix the following bugs:
* a sanity check in the HAL init script was incorrectly exiting with error code 0 when the script could not locate /usr/sbin/hald. The updated packages now contain a stronger sanity check, which returns the correct error code for a given condition. (BZ#238113)
* a missing FDI quirk parameter for IBM X31 laptops prevented the laptop monitor from switching off during suspension. The updated packages add an extra "merge" element to the X40/X30 FDI definition, which correctly sets the dpms_suspend power management attribute. (BZ#395991)
* a suspend hotkey combination (Fn+F1) used on Dell Latitude hardware was not mapped correctly. While the keycode sequence could be set manually, owners of Dell Latitude equipment experienced unnecessary inconvenience when attempting to suspend using the hotkey combination. The updated packages add the correct mapping rules, which enable the Fn+F1 key combination. (BZ#450326)
* when HAL checked for ttyS devices, it would abend if /sys/class/tty/ttyS* existed but /dev/ttyS* was removed or modified. Customers using two or more PCI serial port boards (with port extension) often implemented scripts to rename the port labels on the hardware to match the /dev/ttyS* node. HAL checks did not correctly cater for this scenario. The updated packages check whether serial device nodes have been manually removed. (BZ#486427)
* a missing HAL video quirk setting prevented IBM 4838-310 POS units from resuming correctly from S3 suspend state. The updated packages include a vbe_post quirk that corrects the suspend issue. (BZ#501726)
* an incorrect parameter in /etc/udev/rules.d/90-dm.rules prevented LUKS-formatted (encrypted) USB disks from automounting using GNOME. Customers had to mount the drive manually, or comment out the ignore_device line in 90-dm.rules to effect the change. The updated packages fully implement this workaround solution. (BZ#519645)
* a missing HAL suspend quirk parameter prevented owners of Lenovo ThinkPad T400 laptops (product key 2768A96) suspending and resuming a session from a previously suspended system. The issue presented on laptops with ATI Mobility Radeon HD 3400 Series chipsets (1002:95c4), or Intel Mobile 4 Series chipsets (8086:2a42). The updated packages fix the suspend issue by correctly specifying the --quirk-vbe-post option for T400 machines. (BZ#571925)
All hal users are advised to upgrade to these updated packages, which resolve these issues.

1.69. hmaccalc

1.69.1. RHBA-2010:0055: bug fix update

Note
This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0055
An updated hmaccalc package that fixes a self-test bug related to binary prelinking is now available.
The hmaccalc package contains tools to calculate HMAC (Hash-based Message Authentication Code) values for files. The names and interfaces were designed to mimic those of the sha1sum, sha256sum, sha384sum and sha512sum tools provided by the coreutils package.
This updated hmaccalc package fixes the following bug:
* each time one of the tools in the hmaccalc package is used, it performs a self-test by comparing the checksum of its own binary with the value which was computed when the binary package was built. However, if an hmaccalc binary had been prelinked using the "prelink" command, and that command was not located in one of the directories listed in the PATH environment variable, then that binary would be unable to use the prelink tool to verify the checksum against an unmodified copy of itself. This update contains a backported fix that allows hmaccalc to remember the location of the prelink command that was available at build time, and to be able to use it if necessary.
Note that this fix is required in order to build the Linux kernel with FIPS-compliance (Federal Information Processing Standards) enabled. (BZ#512275)
All users of hmaccalc are advised to upgrade to this updated package, which resolves this issue.

1.70. httpd

1.70.1. RHSA-2010:0168: Moderate security and enhancement update

Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0168
Updated httpd packages that fix two security issues and add an enhancement are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
The Apache HTTP Server is a popular web server.
It was discovered that mod_proxy_ajp incorrectly returned an "Internal Server Error" response when processing certain malformed requests, which caused the back-end server to be marked as failed in configurations where mod_proxy is used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period (60 seconds by default) by sending specially-crafted requests. (CVE-2010-0408)
A use-after-free flaw was discovered in the way the Apache HTTP Server handled request headers in subrequests. In configurations where subrequests are used, a multithreaded MPM (Multi-Processing Module) could possibly leak information from other requests in request replies. (CVE-2010-0434)
This update also adds the following enhancement:
* with the updated openssl packages from RHSA-2010:0162 installed, mod_ssl will refuse to renegotiate a TLS/SSL connection with an unpatched client that does not support RFC 5746. This update adds the "SSLInsecureRenegotiation" configuration directive. If this directive is enabled, mod_ssl will renegotiate insecurely with unpatched clients. (BZ#567980)
Refer to the following Red Hat Knowledgebase article for more details about the changed mod_ssl behavior: http://kbase.redhat.com/faq/docs/DOC-20491
All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
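One way to check whether the "SSLInsecureRenegotiation" directive described above has been switched on anywhere, as an added example that is not part of the Technical Notes or of the httpd packages: a POSIX shell function that scans Apache configuration files for an active "SSLInsecureRenegotiation on" line. The function names, file names and sample configurations are constructed for illustration, and Include directives are not followed.

```shell
#!/bin/sh
# Added example: flag Apache configuration files that re-enable insecure
# TLS renegotiation through the SSLInsecureRenegotiation directive.

# audit_insecure_reneg FILE...
# Prints "file:line: directive" for every active (uncommented)
# "SSLInsecureRenegotiation on" and returns 1 if any was found, else 0.
# Directive name and argument are matched case-insensitively.
audit_insecure_reneg() {
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)        # leading whitespace
            sub(/[ \t\r]+$/, "", line)      # trailing whitespace and CR
            if (line ~ /^#/) next           # skip comment lines
            n = split(line, f, /[ \t]+/)
            if (n < 2) next
            arg = f[2]
            gsub(/"/, "", arg)              # the argument may be quoted
            if (tolower(f[1]) == "sslinsecurerenegotiation" &&
                tolower(arg) == "on") {
                printf "%s:%d: %s\n", FILENAME, FNR, line
                found = 1
            }
        }
        END { exit found + 0 }
    ' "$@"
}

# write_samples DIR
# Writes two constructed configuration files (not taken from any real host):
# one that enables insecure renegotiation and one that leaves it off.
write_samples() {
    dir=$1
    cat > "$dir/ssl-weak.conf" <<'EOF'
<VirtualHost _default_:443>
    SSLEngine on
    # Legacy clients without RFC 5746 support still connect here
    sslinsecurerenegotiation On
</VirtualHost>
EOF
    cat > "$dir/ssl-hardened.conf" <<'EOF'
<VirtualHost _default_:443>
    SSLEngine on
    # SSLInsecureRenegotiation on
    SSLInsecureRenegotiation off
</VirtualHost>
EOF
}

# Demo on the constructed samples: reports the one offending line.
tmp=$(mktemp -d)
write_samples "$tmp"
audit_insecure_reneg "$tmp"/*.conf || echo "insecure renegotiation is enabled in the file(s) listed above"
rm -rf "$tmp"
```

On a real system the function would be pointed at the server's own configuration files; the non-zero return status makes it usable as a gate in a configuration check.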

1.70.2. RHSA-2009:1579: Moderate security update

Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1579
Updated httpd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
The Apache HTTP Server is a popular Web server.
A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update partially mitigates this flaw for SSL sessions to HTTP servers using mod_ssl by rejecting client-requested renegotiation. (CVE-2009-3555)
Note: This update does not fully resolve the issue for HTTPS servers. An attack is still possible in configurations that require a server-initiated renegotiation. Refer to the following Knowledgebase article for further information: http://kbase.redhat.com/faq/docs/DOC-20491
A NULL pointer dereference flaw was found in the Apache mod_proxy_ftp module. A malicious FTP server to which requests are being proxied could use this flaw to crash an httpd child process via a malformed reply to the EPSV or PASV commands, resulting in a limited denial of service. (CVE-2009-3094)
A second flaw was found in the Apache mod_proxy_ftp module. In a reverse proxy configuration, a remote attacker could use this flaw to bypass intended access restrictions by creating a carefully-crafted HTTP Authorization header, allowing the attacker to send arbitrary commands to the FTP server. (CVE-2009-3095)
All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

1.70.3. RHBA-2010:0252: bug fix and enhancement update

Updated httpd packages that fix bugs and add enhancements are now available.
The Apache HTTP Server is a popular and freely-available Web server.
These updated httpd packages provide fixes for the following bugs:
* the mod_authnz_ldap module did not allow other modules to handle authorization if no LDAP-specific requirements were used in the "Require" directive. (BZ#448350)
* the httpd "init" script did not work correctly if the PidFile directive was removed from httpd.conf. (BZ#505002)
* mod_ssl would fail to complete a handshake if more than 85 CAs were configured using SSLCACertificateFile and/or SSLCACertificatePath. (BZ#510515)
* the "X-Pad" header used for compatibility with old browser implementations has been removed. (BZ#526110)
* mod_proxy_ajp could fail if uploading large files. (BZ#528640)
* .NET clients using the "Expect: 100-continue" header could cause spurious responses. (BZ#533407)
* the OID() function supported in mod_ssl's SSLRequire directive could not evaluate some extension types. (BZ#552942)
The following enhancements have also been made:
* the "DiscardPathInfo" flag (or "DPI") has been added to mod_rewrite. (BZ#517500)
* the AuthLDAPRemoteUserAttribute directive has been added to mod_authnz_ldap. (BZ#520838)
* the AuthLDAPDynamicGroups directive has been added to mod_authnz_ldap, to enable support for dynamic groups. (BZ#252038)
* the mod_substitute module is now included. (BZ#539256)
All Apache users should install these updated packages which address these issues.

1.71. hwdata

1.71.1. RHEA-2010:0197: enhancement update

An updated hwdata package that adds various enhancements is now available.
The hwdata package contains tools for accessing and displaying hardware identification and configuration data.
This updated package adds entries for the following devices to the Red Hat Enterprise Linux 5.4 pci.ids and usb.ids databases:
* Brocade 10G PCIe Ethernet Controller. (BZ#475712)
* Sequel Imaging Calibrator. (BZ#512050)
* Intel SerDes Gigabit Network Connection. (BZ#517100)
* Intel 10 Gigabit Dual Port Backplane Connection. (BZ#517131)
* Emulex OneConnect 10Gb iSCSI Initiator. (BZ#529449)
* Emulex OneConnect 10Gb NIC. (BZ#529453)
* Emulex OneConnect 10Gb FCoE Initiator. (BZ#529455)
* Mellanox Infiniband NICs. (BZ#529458)
* Intel Cougar Point. (BZ#566852)
* NC375T PCI Express Quad Port Gigabit Server Adapter. (BZ#569910)
Users of hwdata are advised to upgrade to this updated package, which adds these enhancements.

1.72. ia32el

1.72.1. RHBA-2010:0250: bug fix update

An ia32el update that fixes several bugs is now available.
ia32el is the IA-32 Execution Layer platform, which allows the emulation of IA-32 binaries on IA-64.
This updated package addresses the following issues:
* When using the -D_FILE_OFFSET_BITS=64 compile option, the platform would try to call syscall statfs64 (syscall id=268). Unfortunately, this was unsupported by the previous package. Instead, the platform would resort to statfs(), and the case would fail. This package adds support for syscall statfs64. The platform no longer resorts to statfs(), and works correctly. (BZ#514938)
* When SIGALRM invokes the signal handler, the ia32el application that installed the signal handler stops executing system calls in the correct order. This package adds a patch to the code that changes the conditions for the order of executing system calls, preventing the signal handler from affecting it. (BZ#515165)
* The ia32el did not pass the second, third and fourth offset arguments of the fadvise64() or fadvise64_64() system call methods to the kernel correctly because it was unable to handle 64-bit arguments for that system call. This meant that the offset arguments were not recognized as valid by the kernel. Support for 64-bit arguments has now been added. (BZ#528590)
* The clock_nanosleep() system call method's fourth argument (remaining time) retained old values when interrupted by signal (EINTR). This caused invalid values to return for this argument. This patch adds a validity check before the values are returned. (BZ#528590)
* The ia32el would not perform operations on the third argument of the sendfile() system call method correctly. As a result, after a successful system call, the offset argument would not be set to the value of the byte following the last byte read. This updated package contains a patch to correctly set the offset argument (during the system call). (BZ#528596)
* The ia32el previously broke the arguments of the sync_file_range() syscall. When the syscall was run, it would respond with an 'Invalid argument' error. A patch has been created that fixes the syntax error in the code. The ia32el now reads the sync_file_range() arguments correctly. (BZ#528597)
* When a NULL pointer was specified for the 2nd argument of the timer_create() syscall, the ia32el would pass the kernel a non-NULL pointer to uninitialized data instead, and the syscall would fail. This package provides a patch that adjusts the syntax of the code for the timer_create() syscall, so that the ia32el correctly interprets the NULL pointer. (BZ#528598)
* The NOTE offset and filesize of some core dumps of i386 processes running under ia32el were greater than the first LOAD offset according to 'readelf -l'. When this happened, the gdb couldn't read the core file. This package includes a patch that adjusts the size of the offset to greater than that of the NOTE offset and filesize. The gdb can now successfully read the core file. (BZ#533269)
Users are advised to upgrade to this updated ia32el package which resolves these issues.

1.73. iasl

1.73.1. RHBA-2010:0226: bug fix and enhancement update

An updated iasl package that fixes a bug and introduces a feature enhancement is now available.
iasl compiles ASL (ACPI Source Language) into AML (ACPI Machine Language), which is suitable for inclusion as a DSDT in system firmware. It also can disassemble AML, for debugging purposes.
* the default version of iasl was old, and could not properly decode DMAR tables. This sometimes resulted in incorrect decoding. Updating to the latest version of the iasl package has corrected this behavior, and DMAR tables are now decoded correctly. (BZ#518109)
* the iasl package has been updated to the latest version. (BZ#518209)
Users are advised to upgrade to this updated iasl package, which resolves this issue.

1.74. inn

1.74.1. RHBA-2009:1509: bug fix update

Note
This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1509
Updated inn packages that resolve an issue are now available.
INN (InterNetNews) is a complete system for serving Usenet news and private newsfeeds. INN includes innd, an NNTP (NetNews Transport Protocol) server, and nnrpd, a newsreader that is spawned for each client. Both innd and nnrpd vary slightly from the NNTP protocol, but not in ways that are easily noticed.
These updated packages address the following issue:
* a PID file -- /var/run/news/innd.pid -- is created by the Internet News NNTP server, innd, at startup. If this file was not present when an attempt to stop innd was made, the service did not stop. With this update, the innd init script adds logic to stop innd with the killproc command if a "service innd stop" command is issued and innd.pid cannot be found. The updated init script also returns a message, "Stopping INND service (PID not found, the hard way)", in this case. (BZ#464916)
All inn users are advised to upgrade to these updated packages, which resolve this issue.

1.75. iproute

1.75.1. RHBA-2009:1520: bug fix update

Note
This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1520
An updated iproute package that fixes a bug is now available.
The iproute package contains networking utilities such as ip and rtmon, which use the advanced networking capabilities of the Linux 2.4 and 2.6 kernels.
This update addresses the following problem:
* if IPv6 was disabled, running the "ss" command resulted in a segmentation fault. A workaround was to run "ss -f inet". With this update the return value checks for net_*_open were fixed and the workaround is no longer necessary. The ss command again returns socket statistics as expected. (BZ#493578)
All iproute users are advised to upgrade to this updated package, which resolves this issue.

1.76. iprutils

1.76.1. RHEA-2010:0229: enhancement update

An enhanced iprutils package is now available.
The iprutils package provides utilities to manage and configure SCSI devices that are supported by the ipr SCSI storage device driver.
This package upgrades iprutils to version 2.2.18, which includes:
* support for the Generation 2 SAS (serial attached SCSI) PCI-E card with SSD (solid-state drive) has been added to systems with the PowerPC 64 architecture. (BZ#512246)
* iprconfig is a utility for configuring and recovering IBM Power RAID storage adapters. The iprconfig utility previously reported an incorrect firmware level for enclosures when called from a command line on systems with the PowerPC 64 architecture. The firmware level was reported correctly in the iprconfig graphical user interface (GUI). The iprconfig utility has been updated to handle SES (SCSI enclosure services) devices the same in both the command line and GUI, and the firmware level for enclosures is now reported correctly. (BZ#532544)
Users with PowerPC 64 systems are advised to upgrade to this updated iprutils package, which adds these enhancements.

1.77. iptables

1.77.1. RHBA-2009:1539: bug fix update

Note
This update has already been released (prior to the GA of this release) as errata RHBA-2009:1539
Updated iptables packages that fix a bug are now available.
The iptables utility controls the network packet filtering code in the Linux kernel.
These updated packages fix the following bug:
* the memory alignment of ipt_connlimit_data was incorrect on x86-based systems. This update adds an explicit aligned attribute to the ipt_connlimit_data struct to correct this. (BZ#529687)
Users are advised to upgrade to these updated iptables packages, which resolve this issue.

1.78. iptstate

1.78.1. RHBA-2009:1676: bug fix update

Note
This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1676
An updated iptstate package that resolves an issue is now available.
The iptstate utility displays the states held by your stateful firewall in a top-like manner.
This updated iptstate package fixes the following bug:
* iptstate used a curses output function in single-run mode where curses is not used. Running "iptstate -s -S [address] -D [address]" caused iptstate to crash with a Segmentation Fault error. Note: running the command without the single-run mode switch (-s) did not crash. With this update, the bug is fixed and iptstate runs in single-run mode correctly, as expected. (BZ#474381)
All iptstate users should upgrade to this updated package, which resolves this issue.

1.79. ipw2200-firmware

1.79.1. RHEA-2010:0218: enhancement update

An enhanced ipw2200-firmware package is now available.
The ipw2200-firmware package contains the firmware files required by Intel PRO/Wireless 2200 network adapters.
The enhancement contains new open source 802.11a/bg drivers, which are compatible with ipw2200 drivers in the latest Red Hat Enterprise Linux kernels. (BZ#494492)
Users with hardware containing Intel PRO/Wireless 2220 network adapters are advised to install this enhancement.

1.80. iscsi-initiator-utils

1.80.1. RHBA-2010:0078: bug fix update

Note
This update has already been released (prior to the GA of this release) as errata RHBA-2010:0078
An updated iscsi-initiator-utils package that fixes a bug is now available.
The iscsi-initiator-utils package provides the server daemon for the iSCSI protocol, as well as the utility programs used to manage it. iSCSI is a protocol for distributed disk access using SCSI commands sent over Internet Protocol networks.
This updated iscsi-initiator-utils package fixes the following bug:
* removing the bnx2i module from the kernel, or running ifdown on the network interface being used by the bnx2i driver, and then reloading the kernel module or running ifup, did not result in automatic reconnection to SCSI sessions. As a workaround, the iscsid service had to be stopped and then restarted. With this update, SCSI sessions are automatically reconnected to after removing and reloading the bnx2i kernel module, or bringing the network interface down and then up again with ifdown and ifup. (BZ#549629)
All users of iscsi-initiator-utils are advised to upgrade to this updated package, which resolves this issue.

1.80.2. RHBA-2010:0293: bug fix and enhancement update

An updated iscsi-initiator-utils package that fixes various bugs and provides new enhancements is now available.
The iscsi package provides the server daemon for the iSCSI protocol, as well as the utility programs used to manage it. iSCSI is a protocol for distributed disk access using SCSI commands sent over Internet Protocol networks.
The following bugs have been fixed in this release:
* There was a problem with the discovery mechanism when iSCSI ifaces were used with different initiator names. The sendtarget discovery feature was using the default name (/etc/iscsi/initiatorname.iscsi) instead of the iname in the iface. As a consequence, the wrong name was being used. The discovery mechanism has now been fixed so that it uses the iname in the iface. As a result, they are discovered correctly and the right names are used. (BZ#504666)
* chkconfig was being run on service start to enable and disable services. This was causing a number of problems, as it was broken on read-only root systems and it also recalculated dependencies, causing a change of ordering in /etc/rc whilst the system is running. To fix this issue, chkconfig has been removed from the package so these issues will no longer occur as a result. (BZ#511271)
* Removing the bnx2 modules or running ifdown on the network interface being used by bnx2i driver would result in the iSCSI sessions being disconnected. Reloading the module or running ifup would not reconnect the SCSI sessions. A patch has been added and, as a result, the iSCSI session now recovers after iconfig is brought down and back up. (BZ#514926)
* The iscsi initiator would fail to connect to a target when the bnx2i transport was being used. As a consequence, the log-in attempt would time out and fail. A fix has been made to the way in which MAC addresses are handled. As a result, users can now successfully log in. (BZ#520508)
* There was a small typographical error in the /usr/session_info.c print out, where "REOPEN" was incorrectly spelled as "REPOEN". This has now been corrected and the correctly spelled version of the word is output as a result. (BZ#531748)
The following enhancements have also been added in this release:
* The Broadcom iSCSI user-space components have been updated to support ipv6 and 10G components. As a result, a broader range of hardware is now supported. (BZ#517380)
* The /etc/init.d/iscsid file has been patched in order to support the ServerEngines be2iscsi driver. As a result, this hardware is now available for utilization. (BZ#556984)
Users are advised to upgrade to this updated iscsi-initiator-utils package, which resolves these issues.

1.81. iwl3945-firmware

1.81.1. RHEA-2010:0219: enhancement update

An enhanced iwl3945-firmware package that works with the iwlwifi-3945 driver in the latest Red Hat Enterprise Linux kernel to enable support for the Intel PRO/Wireless 3945ABG/BG Network Connection Adapter is now available.
iwlwifi-3945 is a kernel driver module for the Intel PRO/Wireless 3945ABG/BG Network Connection Adapter (aka iwl3945 hardware). The iwlwifi-3945 driver requires firmware loaded on the device in order to function. The iwl3945-firmware package provides the iwl3945 driver with this required firmware and enables the driver to function correctly with iwl3945 hardware.
This updated iwl3945-firmware package adds the following enhancement:
* it is best to pair equivalent versions of these components in order to provide maximum compatibility between them. This update brings the firmware into line with the kernel driver included in the latest Red Hat Enterprise Linux kernel. (BZ#534100)
Intel PRO/Wireless 3945ABG/BG Network Connection Adapter users using the iwl3945 driver should upgrade to this updated package, which adds this enhancement.

1.82. iwl4965-firmware

1.82.1. RHEA-2010:0215: enhancement update

An enhanced iwl4965-firmware package is now available.
This package contains the firmware required by the iwl4965 driver for Linux.
* The firmware package has been enhanced to synchronize it with the latest version of the upstream Intel Wireless Wi-Fi Link 4965AGN driver (version 228.61.2.24). This upgrade brings about the following new functionality:
  * More graceful handling of Rx hangs (NMI)
  * More reliable scanning
  * A ten second pause after association before power-down
  * Receiver is now reset via re-tune after it misses beacons
  * TGK measurement is now disabled when it receives a packet
  * More reliable Tx with ACK/BA/CTS
As a result, the driver is now more reliable in a range of areas, scanning more efficiently and handling problems and interruptions better. (BZ#510757)
Users are advised to upgrade to this updated iwl4965-firmware package, which resolves this issue.

1.83. iwl5000-firmware

1.83.1. RHEA-2010:0216: enhancement update

An updated iwl5000-firmware package is now available.
The iwl5000-firmware package provides the iwlagn wireless driver with the firmware it requires in order to function correctly with iwlagn hardware.
This updated iwl5000-firmware package adds the following enhancement:
* the iwlagn driver and the iwl5000 firmware work together to provide proper wireless functionality. It is best to pair equivalent versions of these components in order to provide maximum compatibility between them, which this updated package provides. (BZ#501609)
Users of wireless devices which use iwl5000 firmware are advised to upgrade to this updated package, which adds this enhancement.

1.84. java-1.6.0-ibm

1.84.1. RHBA-2010:0327: bug fix update

Updated java-1.6.0-ibm packages that fix an issue with time zone information are now available for Red Hat Enterprise Linux 5 Supplementary.
IBM's 1.6.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit.
These updated java-1.6.0-ibm packages fix a bug where the IBM Java 6 Runtime Environment did not recognize several time zones. (BZ#569623)
All users of java-1.6.0-ibm are advised to upgrade to these updated packages, which contain new time zone data and therefore resolve this issue.

1.85. java-1.6.0-openjdk

1.85.1. RHSA-2009:1584: Important security update

Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1584
Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 5.
This update has been rated as having important security impact by the Red Hat Security Response Team.
These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. The Java Runtime Environment (JRE) contains the software and tools that users need to run applications written using the Java programming language.
An integer overflow flaw and buffer overflow flaws were found in the way the JRE processed image files. An untrusted applet or application could use these flaws to extend its privileges, allowing it to read and write local files, as well as to execute local applications with the privileges of the user running the applet or application. (CVE-2009-3869, CVE-2009-3871, CVE-2009-3873, CVE-2009-3874)
An information leak was found in the JRE. An untrusted applet or application could use this flaw to extend its privileges, allowing it to read and write local files, as well as to execute local applications with the privileges of the user running the applet or application. (CVE-2009-3881)
It was discovered that the JRE still accepts certificates with MD2 hash signatures, even though MD2 is no longer considered a cryptographically strong algorithm. This could make it easier for an attacker to create a malicious certificate that would be treated as trusted by the JRE. With this update, the JRE disables the use of the MD2 algorithm inside signatures by default. (CVE-2009-2409)
A timing attack flaw was found in the way the JRE processed HMAC digests. This flaw could aid an attacker using forged digital signatures to bypass authentication checks. (CVE-2009-3875)
Two denial of service flaws were found in the JRE. These could be exploited in server-side application scenarios that process DER-encoded (Distinguished Encoding Rules) data. (CVE-2009-3876, CVE-2009-3877)
An information leak was found in the way the JRE handled color profiles. An attacker could use this flaw to discover the existence of files outside of the color profiles directory. (CVE-2009-3728)
A flaw in the JRE with passing arrays to the X11GraphicsDevice API was found. An untrusted applet or application could use this flaw to access and modify the list of supported graphics configurations. This flaw could also lead to sensitive information being leaked to unprivileged code. (CVE-2009-3879)
It was discovered that the JRE passed entire objects to the logging API. This could lead to sensitive information being leaked to either untrusted or lower-privileged code from an attacker-controlled applet which has access to the logging API and is therefore able to manipulate (read and/or call) the passed objects. (CVE-2009-3880)
Potential information leaks were found in various mutable static variables. These could be exploited in application scenarios that execute untrusted scripting code. (CVE-2009-3882, CVE-2009-3883)
An information leak was found in the way the TimeZone.getTimeZone method was handled. This method could load time zone files that are outside of the [JRE_HOME]/lib/zi/ directory, allowing a remote attacker to probe the local file system. (CVE-2009-3884)
Note: The flaws concerning applets in this advisory, CVE-2009-3869, CVE-2009-3871, CVE-2009-3873, CVE-2009-3874, CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, and CVE-2009-3884, can only be triggered in java-1.6.0-openjdk by calling the "appletviewer" application.
All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.

1.86. java-1.6.0-sun

1.86.1. RHBA-2010:0072: bug fix update

Note
This update has already been released (prior to the GA of this release) as errata RHBA-2010:0072
Updated java-1.6.0-sun packages are now available for Red Hat Enterprise Linux 5.4 Supplementary.
The java-1.6.0-sun packages include the Sun Java 6 Runtime Environment, Sun Java 6 Software Development Kit (SDK), the source code for the Sun Java class libraries, the Sun Java browser plug-in and Web Start, the Sun JDBC/ODBC bridge driver, and demonstration files for the Sun Java 6 SDK.
These updated java-1.6.0-sun packages upgrade Sun's Java 6 SDK from version 1.6.0_17 to version 1.6.0_18, which provides fixes for a number of bugs. To view the release notes for the bug fixes included in this update, refer to the URL provided in the "References" section of this errata. (BZ#557418)
All users of java-1.6.0-sun are advised to upgrade to these updated packages, which resolve these issues.

1.87. kdelibs

1.87.1. RHBA-2009:1464: bug fix update

Note
This update has already been released (prior to the GA of this release) as errata RHBA-2009:1464
Updated kdelibs packages that fix the bugs are now available.
The kdelibs packages contain a set of common libraries used by all applications written for the K Desktop Environment (KDE). kdelibs includes kdecore (KDE core library); kdeui (user interface); kfm (file manager); khtmlw (HTML widget); kio (input/output and networking); kspell (spelling checker); jscript (javascript); kab (addressbook); and kimgio (image manipulation).
This update addresses the following issue:
* the kde.sh shell script used the keyword "source". The pdksh (Public Domain Korn SHell) package, a new package in Red Hat Enterprise Linux 5.4, does not recognize the "source" keyword in shell scripts. Consequently, if pdksh was used as the shell on systems with KDE installed, the following error message was returned in login shells:
ksh: /etc/profile.d/kde.sh[7]: source: not found
The kde.sh shell script in this update has been edited with "source" replaced by ".". The full stop keyword (.) is an alias for "source" in Bourne-compatible shells, including pdksh. Once installed, KDE users running the pdksh shell will no longer get the above error message. (BZ#523968)
Note: this bug was a known issue at the release of Red Hat Enterprise Linux 5.4 and a manual version of the fix included in this update was documented in the Red Hat Enterprise Linux 5.4 Technical Notes:
http://redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Technical_Notes/Known_Issues-pdksh.html
If /etc/profile.d/kde.sh already exists, the new version included with this update is installed as /etc/profile.d/kde.sh.rpmnew.
Therefore, on systems where an extant kde.sh has been manually edited as per the Red Hat Enterprise Linux 5.4 Technical Notes, the manual fix is retained.
On systems where kde.sh already exists and the workaround has not been applied, however, installing this update does not, of itself, implement the fix. After installation on such systems, renaming kde.sh and kde.sh.rpmnew as follows will implement the fix:
cp /etc/profile.d/kde.sh /etc/profile.d/kde.sh.bak
cp /etc/profile.d/kde.sh.rpmnew /etc/profile.d/kde.sh
All KDE and pdksh users should install this updated package which fixes this bug.
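The check-then-swap procedure described above, as an added example that is not part of the Red Hat notes: it reports whether the live kde.sh still calls "source", whether a usable kde.sh.rpmnew is waiting, and only then performs the two cp steps. The function names (uses_source, kde_sh_state, apply_kde_sh_fix), the state names and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Red Hat's script). Function and state names are
# illustrative; the directory is a parameter so the logic can be run on a
# scratch copy before touching /etc/profile.d.

# uses_source FILE: succeed if FILE runs "source" as a command.
# Comments are stripped crudely (everything after '#'), which is enough
# for a profile script check but is not a full shell parser.
uses_source() {
    sed 's/#.*$//' "$1" | grep -Eq \
        '(^|[;&|]|(^|[[:space:]])(then|do|else)[[:space:]])[[:space:]]*source[[:space:]]+[^[:space:]]'
}

# kde_sh_state [DIR]: print one of
#   missing         no kde.sh in DIR
#   fixed           kde.sh does not use "source" (update or manual fix applied)
#   rpmnew-pending  kde.sh uses "source" and a corrected kde.sh.rpmnew exists
#   unfixed         kde.sh uses "source" and no corrected kde.sh.rpmnew exists
kde_sh_state() {
    dir=${1:-/etc/profile.d}
    live=$dir/kde.sh
    new=$dir/kde.sh.rpmnew
    if [ ! -f "$live" ]; then
        echo missing
    elif ! uses_source "$live"; then
        echo fixed
    elif [ -f "$new" ] && ! uses_source "$new"; then
        echo rpmnew-pending
    else
        echo unfixed
    fi
}

# apply_kde_sh_fix [DIR]: perform the two cp steps from the text, but only
# when the state is rpmnew-pending. The backup keeps mode and timestamps (-p).
apply_kde_sh_fix() {
    dir=${1:-/etc/profile.d}
    [ "$(kde_sh_state "$dir")" = rpmnew-pending ] || return 1
    cp -p "$dir/kde.sh" "$dir/kde.sh.bak" &&
    cp "$dir/kde.sh.rpmnew" "$dir/kde.sh"
}

# Constructed demo on a scratch directory; the file contents are made up
# and only stand in for the old and new kde.sh.
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed stand-in for the old kde.sh' \
    '[ -r /etc/profile.d/qt.sh ] && source /etc/profile.d/qt.sh' \
    > "$demo_dir/kde.sh"
printf '%s\n' '[ -r /etc/profile.d/qt.sh ] && . /etc/profile.d/qt.sh' \
    > "$demo_dir/kde.sh.rpmnew"
echo "before: $(kde_sh_state "$demo_dir")"
apply_kde_sh_fix "$demo_dir"
echo "after:  $(kde_sh_state "$demo_dir")"
rm -rf "$demo_dir"
```

On a real system, run kde_sh_state with no argument first, and run apply_kde_sh_fix as root only when it reports rpmnew-pending.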

1.87.2. RHSA-2009:1601: Critical security update

Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1601
Updated kdelibs packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having critical security impact by the Red Hat Security Response Team.
The kdelibs packages provide libraries for the K Desktop Environment (KDE).
A buffer overflow flaw was found in the kdelibs string to floating point conversion routines. A web page containing malicious JavaScript could crash Konqueror or, potentially, execute arbitrary code with the privileges of the user running Konqueror. (CVE-2009-0689)
Users should upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect.

1.88. kernel

1.88.1. RHSA-2010:0147: Important security and bug fix update

Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0147
Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security fixes:
* a NULL pointer dereference flaw was found in the sctp_rcv_ootb() function in the Linux kernel Stream Control Transmission Protocol (SCTP) implementation. A remote attacker could send a specially-crafted SCTP packet to a target system, resulting in a denial of service. (CVE-2010-0008, Important)
* a missing boundary check was found in the do_move_pages() function in the memory migration functionality in the Linux kernel. A local user could use this flaw to cause a local denial of service or an information leak. (CVE-2010-0415, Important)
* a NULL pointer dereference flaw was found in the ip6_dst_lookup_tail() function in the Linux kernel. An attacker on the local network could trigger this flaw by sending IPv6 traffic to a target system, leading to a system crash (kernel OOPS) if dst->neighbour is NULL on the target system when receiving an IPv6 packet. (CVE-2010-0437, Important)
* a NULL pointer dereference flaw was found in the ext4 file system code in the Linux kernel. A local attacker could use this flaw to trigger a local denial of service by mounting a specially-crafted, journal-less ext4 file system, if that file system forced an EROFS error. (CVE-2009-4308, Moderate)
* an information leak was found in the print_fatal_signal() implementation in the Linux kernel. When "/proc/sys/kernel/print-fatal-signals" is set to 1 (the default value is 0), memory that is reachable by the kernel could be leaked to user-space. This issue could also result in a system crash. Note that this flaw only affected the i386 architecture. (CVE-2010-0003, Moderate)
* missing capability checks were found in the ebtables implementation, used for creating an Ethernet bridge firewall. This could allow a local, unprivileged user to bypass intended capability restrictions and modify ebtables rules. (CVE-2010-0007, Low)
Bug fixes:
* a bug prevented Wake on LAN (WoL) being enabled on certain Intel hardware. (BZ#543449)
* a race issue in the Journaling Block Device. (BZ#553132)
* programs compiled on x86, and that also call sched_rr_get_interval(), were silently corrupted when run on 64-bit systems. (BZ#557684)
* the RHSA-2010:0019 update introduced a regression, preventing WoL from working for network devices using the e1000e driver. (BZ#559335)
* adding a bonding interface in mode balance-alb to a bridge was not functional. (BZ#560588)
* some KVM (Kernel-based Virtual Machine) guests experienced slow performance (and possibly a crash) after suspend/resume. (BZ#560640)