Chapter 6. Updated Packages

Security Fixes

CVE-2012-4450

A flaw was found in the way 389 Directory Server enforced ACLs after performing an LDAP modify relative distinguished name (modrdn) operation. After modrdn was used to move part of a tree, the ACLs defined on the moved (Distinguished Name) were not properly enforced until the server was restarted. This could allow LDAP users to access information that should be restricted by the defined ACLs.

Bug Fixes

BZ#742054

Previously, 389 Directory Server did not support the Simple Authentication and Security Layer (SASL) PLAIN mechanism. This mechanism has been added to the list of supported SASL mechanisms.

BZ#742381

Due to certain changes under the cn=config suffix, when an attribute value was deleted and then added back in the same modify operation, error 53 was returned. Consequently, the configuration could not be reset. This update allows delete operations to succeed if the attribute is added back in the same modify operation and reset the configuration file as expected.

BZ#757836

Previously, the logconv.pl script used a connection number equal to 0 (conn=0) as a restart point, which caused the script to return incorrect restart statistics. The underlying source code has been modified and 389 Directory Server is now configured to use connection number equal to 1 (conn=1) as the restart point.

BZ#803873

The Windows Sync feature uses the name in a search filter to perform an internal search to find an entry. Parentheses, "(" and ")" are special characters in the LDAP protocol and therefore must be escaped. However, an attempt to synchronize an entry containing parentheses in the name from an Active Directory (AD) server failed with an error. With this update, 389 Directory Server properly escapes the parentheses and synchronization now proceeds correctly as expected.

BZ#818762

When having an entry in a directory server (DS) with the same user name, group name, or both as an entry in AD and simultaneously the entry in AD was out of scope of the Windows Sync feature, the DS entry was deleted. This update adds the new winSyncMoveAction DS attribute for the Windows Sync agreement entry, which allows the user to specify the behavior of out-of-scope AD entries. The value could be set to:

• none, which means that an out-of-scope AD entry does nothing to the corresponding DS entry;
• delete, which means that an out-of-scope AD entry deletes the corresponding DS entry;
• unsync, which means that an out-of-scope AD entry is unsynchronized with the corresponding DS entry and changes made to either entry are not synchronized.

By default, the value is set to none, which fixes this bug.

BZ#830334

Due to an incorrect interpretation of an error code, a directory server considered an invalid chaining configuration setting as the disk full error and shut down unexpectedly. This bug has been fixed by using the correct error code and a directory server now no longer terminates due to an invalid chaining of a configuration setting.

BZ#830335

Previously, restoring an ldif file from a replica, which had older changes that other servers did not see yet, could lead to these updates not being replicated to other replicas. With this update, 389 Directory Server checks the Change Sequence Numbers (CSNs) and allows the older updates to be replicated. As a result, all replicas remain synchronized.

BZ#830336

When a directory server was under a heavy read and write load, and an update request was processed, the following error message or other similar DB_LOCK_DEADLOCK error messages appeared in the error log:

entryrdn-index - _entryrdn_put_data: Adding the parent link (XXX) failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)

These errors are common under these circumstances and there is no need to report them in the error log. With this update, 389 Directory Server ensures that these errors are handled properly and no longer logs these messages in the error log.

BZ#830337

When a directory server was configured to use multi-master replication and the Entry USN plug-in, the delete operation was not replicated to the other masters. This update modifies the Entry USN plug-in to prevent it from changing the delete operation into a delete tombstone operation, and from removing the operation before it logs into the change log to replay to other servers. As a result, the delete operation is replicated to all servers as expected.

BZ#830338

Previously, 389 Directory Server did not refresh its Kerberos cache. Consequently, if a new Kerberos ticket was issued for a host that had already authenticated against a directory server, it would be rejected by this server until it was restarted. With this update, the Kerberos cache is flushed after an authentication failure and 389 Directory Server works as expected in the described scenario.

BZ#830343

Using the Managed Entry plug-in in conjunction with other plug-ins, such as Distributed Numeric Assignment (DNA), Member of, and Auto Member, led to problems with delete operations on entries that managed the Managed Entry plug-in. The manager entry was deleted, but the managed entry was not. The deadlock retry handling has been improved so that both entries are deleted during the same database operation.

BZ#830344

Previously, replication errors logged in the error log could contain incorrect information. With this update, the replication errors have been modified to be more useful in diagnosing and fixing problems.

BZ#830346

When audit logging in a directory server was enabled, LDAP ADD operations were ignored and were not logged. This update removes a regression in the audit log code that caused the ADD operation to be ignored, and LDAP ADD operations are now logged to the audit log as expected.

BZ#830348

389 Directory Server with a large number of replication agreements took a considerable amount of time to shut down due to a long sleep interval coded in the replication stop code. This sleep interval has been reduced to speed up the system termination.

BZ#830349

Previously, in a SASL map definition, using a compound search filter that included the "&" character failed because the "&" character was escaped. The underlying source code has been modified and searching with a filter that includes the "&" character works as expected.

BZ#830353

When 389 Directory Server used the Managed Entry plug-in or the DNA plug-in, the valgrind tool reported memory errors and leaks. With this update, a patch has been applied to prevent these problems, and memory is now used and deleted correctly.

BZ#832560

When replication was configured and a conflict occurred, under certain circumstances, an error check did not reveal this conflict, because a to-be-deleted attribute was already deleted by another master. Consequently, the conflict terminated the server. This update improves error checks to prevent replication conflicts from crashing the server.

BZ#833202

Previously, internal entries that were in the cache were freed when retrying failed transactions due to a deadlock. This behavior caused problems in a directory server and this server could terminate under a heavy update load. With this update, the cached internal entries are no longer freed and directory servers do not crash in the described scenario.

BZ#833218

Due to improper deadlock handling, the database reported an error instead of retrying the transaction. Consequently, under a heavy load, the directory server got deadlock errors when attempting to write to the database. The deadlock handling has been fixed and 389 Directory Server works as expected in such a case.

BZ#834047

Internal access control prohibited deleting newly added or modified passwords. This update allows the user to delete any password if they have the modify rights.

BZ#834054

Certain operations, other than LDAP Modify operations, can cause the 389 Directory Server to modify internal attributes. For example, a BIND operation can cause updates to password failure counters. In these cases, 389 Directory Server was updating attributes that could only be updated during an explicit LDAP Modify operation, such as the modifyTimestamp attribute. This update adds a new internal flag to skip the update of these attributes on other than Modify operations.

BZ#834056

Due to an invalid configuration setup in the Auto Memmber plug-in, the directory server became unresponsive under certain circumstances. With this update, the configuration file is validated, invalid configurations are not allowed, and the server no longer hangs.

BZ#834057

When using SNMP monitoring, 389 Directory Server terminated at startup due to multiple ldap servers listed in the ldap-agent.conf file. With this update, the buffer between ldap servers no longer resets and 389 Directory Server starts up regardless of the number of ldap servers listed in the configuration file.

BZ#834064

Previously, the dnaNextValue counter was incremented in the pre-operation stage. Consequently, if the operation failed, the counter was still incremented. This bug has been fixed and the dnaNextValue counter is not incremented if the operation fails.

BZ#834065

When a replication agreement was added without the LDAP BIND credentials, the replication process failed with a number of errors. With this update, 389 Directory Server validates the replication configuration and ensures that all needed credentials are supplied. As a result, 389 Directory Server rejects invalid replication configuration before attempting to replicate with invalid credentials.

BZ#834075

Previously, the logconv.pl script did not grab the correct search base, and as a consequence, the searching statistics were invalid. A new hash has been created to store connections and operation numbers from search operations. As a result, logconv.pl now grabs the correct search base and no longer produces incorrect statistics.

BZ#838706

When using the Referential Integrity plug-in, renaming a user DN did not rename the user's DN in the user's groups, unless that case matched exactly. With this update, case-insensitive comparisons or DN normalizations are performed, so that the member attributes are updated when the user is renamed.

BZ#840153

Previously, the Attribute Uniqueness plug-in did comparisons of un-normalized values. Consequently, using this plug-in and performing the LDAP RENAME operation on an entry containing one of the attributes which were tested for uniqueness by this plug-in caused the LDAP RENAME operation to fail with the following error:

Constraint Violation - Another entry with the same attribute value already exists.

With this update, Attribute Uniqueness ensures that comparisons are performed between values which were normalized the same way, and LDAP RENAME works as expected in this situation.

BZ#841600

When the Referential Integrity plug-in was used with a delay time greater than 0, and the LDAP RENAME operation was performed on a user entry with DN specified by one or more group entries under the scope of the Referential Integrity plug-in, the user entry DN in the group entries did not change. The underlying source code has been modified and LDAP RENAME operations work as expected in the described scenario.

BZ#842437

Previously, the DNA plug-in could leak memory in certain cases for certain MODIFY operations. This update applies a patch to fix this bug and the modifications are freed as expected with no memory leaks.

BZ#842438

To improve the performance, the entry cache size is supposed to be larger then the primary database size if possible. Previously, 389 Directory Server did not alert the user that the size of the entry cache was too small. Consequently, the user could not notice that the size of the entry cache was too small and that they should enlarge it. With this update, the configured entry cache size and the primary database size are examined, and if the entry cache is too small, a warning is logged in the error log.

BZ#842440

Previously, the Memberof plug-in code executed redundant DN normalizations and therefore slowed down the system. The underlying source code has been modified to eliminate redundant DN normalizations.

BZ#842441

Previously, the directory server could disallow changes that were made to the nsds5ReplicaStripAttrs attribute using the ldapmodify operation. Consequently, the attribute could only be set manually in the dse.ldif file when the server was shut down. With this update, the user is now able to set the nsds5ReplicaStripAttrs attribute using the ldapmodify operation.

BZ#850683

Previously, 389 Directory Server did not check attribute values for the nsds5ReplicaEnabled feature which caused this feature to be disabled. With this update, 389 Directory Server checks if the attribute value for nsds5ReplicaEnabled is valid and reports an error if it is not.

BZ#852088

When multi-master replication or database chaining was used with the TLS/SSL protocol, a server using client certificate-based authentication was unable to connect and connection errors appeared in the error log. With this update, the internal TLS/SSL and certificate setup is performed correctly and communication between servers works as expected.

BZ#852202

Previously, there was a race condition in the replication code. When two or more suppliers were attempting to update a heavily loaded consumer at the same time, the consumer could, under certain circumstances, switch to total update mode, erase the database, and abort replication with an error. The underlying source code has been modified to prevent the race condition. As a result, the connection is now protected against access from multiple threads and multiple suppliers.

BZ#852839

Due to the use of an uninitialized variable, a heavily loaded server processing multiple simultaneous delete operations could terminate unexpectedly under certain circumstances. This update provides a patch that initializes the variable properly and the directory server no longer crashes under these circumstances.

BZ#855438

Due to an incorrect attempt to send the cleanallruv task to the Windows WinSync replication agreements, the task became unresponsive. With this update, the WinSync replication agreements are ignored and the cleanallruv task no longer hangs in the described scenario.

BZ#856657

Previously, the dirsrv init script always returned 0, even when one or all the defined instances failed to start. This update applies a patch that improves the underlying source code and dirsrv no longer returns 0 if any of the defined instances failed.

BZ#858580

The schema reload task reloads schema files in the schema directory. Simultaneously, Directory server has several internal schemas which are not stored in the schema directory. These schemas were lost after the schema reload task was executed. Consequently, adding a posixAccount class failed. With this update, the internal schemas are stashed in a hash table and reloaded with external schemas. As result, adding a posixAccount is successful.

BZ#863576

When abandoning a Simple Paged Result request, 389 Directory Server tried to acquire a connection lock twice, and because the connection lock is not self reentrant, 389 Directory Server was waiting for the lock forever and stopped the server. This update provides a patch that eliminates the second lock and 389 Directory Server works as expected in the described scenario.

BZ#864594

Previously, Anonymous Resource Limits applied to the Directory Manager. However, the Directory Manager should never have any limits. With this update, Anonymous Resource Limits no longer apply to Directory Manager.

BZ#868841

Even if an entry in AD did not contain all the required attributes for the POSIX account entry, the entry was synchronized to the DS as a POSIX entry. Consequently, the synchronization failed due to a "missing attribute" error. With this update, if an entry does not have all the required attributes, the POSIX account related attributes are dropped and the entry is synchronized as an ordinary entry. As a result, the synchronization is successful.

BZ#868853

When enabling replication level logging, the Windows Sync feature prints out what version of Windows or AD it detects. Previously, if the feature detected Windows Server 2003 or later, it printed out the following message:

detected win2k3 peer

This message could be confusing for users who had a later version of Windows, such as Windows Server 2008. This update modifies the message and now the following message is printed out:

detected win2k3 or later peer

BZ#870158

When a directory server was under a heavy load, deleting entries using the Entry USN feature caused tombstone entry indexes to be processed incorrectly. Consequently, the server could become unresponsive. This update fixes 389 Directory Server to process tombstone indexes correctly, so that the server no longer hangs in this situation.

BZ#870162

Previously, the abandon request checked if the operation to abandon existed. When a search operation was already finished and an operation object had been released, a Simple Page Results request could fail due to this check. This update modifies 389 Directory Server to skip operation existence checking, so that Simple Paged Results requests are always successfully aborted.

BZ#875862

Previously, the DNA plug-in attempted to dereference a NULL pointer value for the dnaMagicRegen attribute. Consequently, if DNA was enabled with no dnamagicregen value specified in its configuration and an entry with an attribute that triggered the DNA value generation was added, the server could terminate unexpectedly. This update improves the 389 Directory Server to check for an empty dnamagicregen value before it attempts to dereference this value. As a result, 389 Directory Server no longer crashes if no dnamagicregen attribute is specified.

BZ#876694

Previously, the code to check if a new superior entry existed, returned the "No such object" error only when the operation was requested by the directory manager. Consequently, if an ordinary non-root user attempted to use the modrdn operation to move an entry to a non-existing parent, the server terminated unexpectedly. This update provides a patch that removes the operator condition so that the check returns the "No such object" error even if the requester is an ordinary user, and the modrdn operation performed to the non-existing parent successfully fails for any user.

BZ#876727

aIf a filter contained a range search, the search retrieved one ID per one idl_fetch attribute and merged it to the ID list using the idl_union() function. This process is slow, especially when the range search result size is large. With this update, 389 Directory Server switches to ALLID mode by using the nsslapd-rangelookthroughlimit switch instead of creating a complete ID list. As a result, the range search takes less time.

BZ#889083

Previously, if an entry was added or created without plug-in interference, the nsslapd-plugin-track-binddn feature filled the value of the internalModifiersname and internalCreatorsname attributes with the original bind DN instead of the name of the actual plug-in that modified or added the entry. This behavior is undesired; thus the nsslapd-plugin-track-binddn has been modified to always show the name of the actual plug-in that performed these operations.

BZ#891930

In previous versions of the 389-ds-base packages, an attempt to add a new entry to the DNA plug-in when the range of values was depleted caused the following error message to be returned:

ipa: ERROR: Operations error: Allocation of a new value for range cn=posixids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed!Unable to proceed.

This message was missing all additional information in recent versions of the 389-ds-base packages. With this update, a patch is applied to provide the returned error message with additional information.

BZ#896256

Previously, an upgrade of the 389-ds-base packages affected configuration files. Consequently, custom configuration files were reverted to by default. This update provides a patch to ensure that custom changes in configuration files are preserved during the upgrade process.

Enhancements

BZ#746642

This update allows the PAM Pass-through plug-in to pass through the authentication process to different PAM stacks, based on domain membership or some property of the user entry, or both. Users now can login to Red Hat Directory Server using the credentials and account data from the correct AD server.

BZ#768084

This enhancement improves the automember plug-in to check existing entries and writes out the changes which occur if these entries are added.

BZ#782975

Previously, certain BINDs could cause only entries with the modifiersname or modifystimestamp attribute to be updated. This behavior led to unnecessary replication traffic. This enhancement introduces the new replication feature to decrease replication traffic caused by BINDs.

BZ#830331

This enhancement adds the new Disk Monitoring plug-in. When disk partitions fill up, Disk Monitoring returns a warning.

BZ#830340

Previously, two tasks were needed to be performed to clean an entire replication environment, the clean task and the release task. With this update, these tasks are incorporated in the Cleanallruv feature.

BZ#830347

Previously, the Paged Results search was allowed to perform only one request per connection. If the user used one connection, multiple Paged Results requests were not supported. This update adds support for multiple Paged Results requests.

BZ#830355

With this enhancement, obsolete elements in the Database Replica Update Vector (RUV) can be removed with the CLEANRUV operation, which removes them on a single supplier or master.

BZ#833222

This enhancement improves the memberOf plug-in to work across multiple back ends or suffixes.

BZ#834046

With this update, the Directory Server schema has been updated with the nsTLS1 attribute to make TLS/SSL configuration easier.

BZ#834049

With this update, the Directory Server schema has been updated to include the DNA plug-in attributes.

BZ#834052

This enhancement improves the Access Control feature to control the Directory Manager account.

BZ#834053

This enhancement adds the ability to execute internal modification operations without changing the operational modifiersname attribute.

BZ#834058

With this update, the logconv.pl script has been enhanced with the getopts() function.

BZ#834060

Previously, the password lockout process was triggered not when maximum the number of tries was reached, but the time after. This behavior was not consistent with other vendors' LDAP servers. This enhancement adds the new option which allows users to specify the behavior of password lockout.

BZ#834061

Previously, DS did not include the SO_KEEPALIVE settings and connections could not be closed properly. This enhancement implements the SO_KEEPALIVE settings to the DS connections.

BZ#834063

With this update, the new passwordTrackUpdateTime attribute has been added. This attribute records a timestamp when the password was last changed.

BZ#834074

This enhancement adds the new nsds5ReplicaEnabled attribute to the replication agreement. If the replication agreement is disabled, it appears to be removed, but can be easily re-enabled and resumed.

BZ#847868

Previously, the Windows Sync plug-in did not support the RFC 2307 and 2307bis types of POSIX schema which supports Windows Active Directory (AD). Under these circumstances, users had to synchronize data between AD and DS manually which could return errors. This enhancement changes the POSIX attributes to prevent these consequences.

Note

Note, that for the initial release, when adding new user and group entries to the DS, the POSIX attributes are not synchronized with AD. Adding new user and group entries to AD synchronizes to DS, and modifying attributes synchronizes both ways.

BZ#852087

This enhancement improves the Directory Server schema to allow setting up an access control for the nsslapd-readonly attribute.

Bug Fixes

BZ#799909

When the user attempted to remove a non-existing problem directory using the abrt-cli utility, abrt-cli emitted a confusing error message, such as in the following example:

# abrt-cli rm sdfsdf'sdfsdf' does not existCan't connect to '/var/run/abrt/abrt.socket': Connection refused

With this update, abrt-cli has been modified to display only a message informing that such a problem directory does not exist.

BZ#808721, BZ#814594

When multiple kernel oopses occur in a short period of time, ABRT saves only the first oops because the later oopses are mostly only consequences of the first problem. However, ABRT sorted the processed oopses incorrectly so that the last oops that occurred was saved instead of the first oops. With this update, ABRT has been modified to process multiple kernel oopses in the correct order so that ABRT now saves the first oops as expected.

BZ#810309

Due to incorrect configuration, ABRT attempted to use the abrt-bodhi command, which is not available in Red Hat Enterprise Linux, while analyzing a backtrace. As a consequence, the user could see the following error message in the problem backtrace:

/bin/sh: line 6: abrt-bodhi: command not found

However, the error message had no influence on the problem reporting process. This update corrects the ABRT configuration so that the abrt-bodhi command is removed from the analyzer events and the error message no longer occurs.

BZ#811901

Previously, ABRT expected the dbus-send command to be always present on a system. However, ABRT does not depend on the related dbus package so there is no guarantee that the command is installed on the system. Therefore, when processing events that use the dbus-send command and the dbus package was not installed, ABRT emitted the following error message to the system log:

abrtd: /bin/sh: dbus-send: command not found

With this update, ABRT has been modified to verify the existence of dbus-send before attempting to call this command. The aforementioned error messages no longer occur in the system log.

BZ#813283

Previously, when running the report-gtk command with a non-existing problem directory, ABRT GUI attempted to process the problem directory. As a consequence, the terminal was flooded with GTK error messages. With this update, the ABRT GUI has been modified to no longer process non-existing problem directories. GUI now only prints a message informing that the processed directory does not exist and exits gracefully.

BZ#817051

The report tool always had to be executed from a problem directory even to perform actions which do not require the problem directory, such as adding an attachment to the existing bug report. When running from a directory that was not a problem directory, the report tool failed with the following error message:

'.' is not a problem directory

With this update, the report tool has been modified to not require a problem directory if the "-t" option is specified. The report tool can now be used to update existing bug reports without a need to run inside a problem directory.

BZ#815339, BZ#828673

Due to an error in the default libreport configuration, ABRT attempted to run the reporter-bugzilla command, which is not installed by default. This caused the following warning message to appear during problem reporting:

/bin/sh: line 4: reporter-bugzilla: command not found

However, the reporting process was not affected by this warning message. With this update, the default configuration of libreport has been corrected and reporter-bugzilla is no longer called by ABRT in the default configuration. The aforementioned warning message is no longer displayed during the reporting process.

BZ#820475

Previously, the abrt-ccpp init script did not emit any status message so that the service abrt-ccpp status command did not display any output. This update corrects the abrt-ccpp init script so that if the abrt-ccpp service is running the "abrt-ccpp hook is installed" message is displayed. If abrt-ccpp is stopped, the "abrt-ccpp hook is not installed" message appears.

BZ#826745

Certain ABRT libraries were previously built with wrong linker parameters and when running prelink on these libraries, the process returned error messages that the library contains "undefined non-weak symbols". With this update, the related makefiles have been corrected and the aforementioned errors no longer occur during prelink phase.

BZ#826924

ABRT ran the sosreport utility whenever a problem was detected. However, if the detected problem was caused by sosreport, ABRT could run sosreport in an infinite loop. Consequently, abrtd became unresponsive with extensive consumption of system resources. This update modifies ABRT to ignore consequent crashes in the same component that occur within a 20-second time period. The abrtd daemon no longer hangs if sosreport crashes.

BZ#847227

ABRT previously moved captured vmcore files from the default location in the /var/crash/ directory to the /var/spool/abrt/ directory. This affected the functioning of various tools that expected a vmcore file to be present in the /var/crash/ directory. This update modifies ABRT to use the CopyVMcore configuration option to specify whether to copy or move the core file. By default, ABRT no longer moves vmcore from the /var/crash/ directory but copies it.

BZ#847291

When disk space usage of the /var/spool/abrt/ directory reaches the specified disk space quota, ABRT finds and removes the largest problem directory. However, ABRT was previously unable to handle situations when the largest directory in /var/spool/abrt/ was not a problem directory. ABRT could not remove this directory and entered an infinite loop while searching for the largest directory to be removed. This update modifies ABRT to exclude unknown directories when determining which problem directory needs to be removed. The abrtd daemon no longer hangs in this scenario.

BZ#856960

When configured for centralized crash collection, ABRT previously printed logging credentials in plain text into the /var/log/messages log file on a dedicated system while uploading a crash report. This was a security risk, and so ABRT has been modified to no longer print the libreport-plugin-reportuploader plug-in credentials in log messages.

BZ#873815

When processing a large amount of problems, the inotify handling code could become out of sync, causing abrtd to be unable to read inotify events. Eventually, abrtd became unresponsive while trying to read an inotify event. If this happened and a Python application attempted to communicate with ABRT, abrtd and the Python application entered a deadlock situation. The daemon was busy trying to read an incoming inotify event and the Python script was waiting for a response from abrtd, which caused the application to become unresponsive as well. With this update, the ABRT exception handler sets timeout on a socket used for communication between abrtd and Python scripts, and also the inotify handling code has been modified. The abrtd daemon and Python applications no longer hang, however under heavy load, the inotify handling code can still become out of sync, which would cause abrtd to stop accepting new problems. If abrtd stops accepting new problems, it has to be restarted to work correctly again.

Enhancement

BZ#814832

The alsa-utils package has been enhanced to work better with the GNOME volume control applet and sound preferences user interface.

Bug Fix

BZ#752096

Previously, the amandad daemon, which is required for successful running of AMANDA, was located in the amanda-client package; however, this package was not required during installation of the amanda-server package. Consequently, AMANDA did not work properly. The amanda-client package has been added to the amanda-server dependencies and AMANDA works correctly now.

Bug fixes

BZ#803883

Due to a bug in the multipath output parsing code, when installing Red Hat Enterprise Linux 6 on an IBM Power system with JBOD (Joined Body Of Disks - more than one hard drive attached to the same SAS controller), Anaconda could detect these multiple hard drives as a multipath device. This in turn caused the partitioning of the hard drive to fail, causing the installation of the system to fail as well. This update fixes the parsing code and the system is installed correctly.

BZ#848741

The Anaconda installer did not wait for BIOS storage devices to initialize when booted with the ks:bd:<bios disk>:/ks.cfg command-line option. As a consequence, BIOS storage devices could not be found and the installation could fail. To fix this bug, a delay algorithm for BIOS devices has been added to the code path used when booting with ks:bd:<bios disk>:/ks.cfg. As a result, Anaconda tries to wait for BIOS devices to initialize.

BZ#828650

The file system migration from ext2 to ext3 did not work because Anaconda did not modify the /etc/fstab file with the new ext3 file system type. Consequently, after the installation, the file system was mounted as an ext2 file system. With this update, Anaconda properly sets the migrated file system type in /etc/fstab. Thus, the file system is mounted as expected after installation.

BZ#886150

When installing Red Hat Enterprise Linux 6.4 Beta using the kickstart file, which included the partition scheme, LVM incorrectly removed the dashes from Logical Volume and Volume Group names. This caused the names to be malformed. This update fixes the aforementioned function to correctly format Logical Volume and Volume Group names during the installation process.

BZ#819486

Using IPv6 to install Red Hat Enterprise Linux 6.3 (both Alpha and Beta) on a z/VM guest enabled the user to SSH to the system and proceed with the language selection screen. However, after this step, the installation stopped and the SSH session was closed. With this update, the IPv6 installation on a z/VM guest is successful on Red Hat Enterprise Linux 6.4.

BZ#824963

A kickstart installation on unsupported hardware resulted in a dialog box asking for confirmation before proceeding with the installation process. As a consequence, it was not possible to perform a kickstart installation on unsupported hardware without any user input. To fix this bug, a new unsupported_hardware kickstart command has been added, which skips the interactive dialog warning when installing a system on unsupported hardware without user input.

BZ#811197

When a /boot partition was on a RAID device, inconsistent messages were returned because it was not supported to have this partition on such a device. These varied messages were confusing. To fix this bug, the error messages have been corrected to make sense and to not duplicate each other.

BZ#834689

Kernel modules containing Microsoft paravirtualized drivers were missing in the installation environment. To fix this bug, kernel modules with Microsoft PV have been added to the installation environment. As a result, better support for Microsoft virtualization is provided.

BZ#837835

Modules with VMware PV drivers were not included in the installation environment. This update adds the modules with VMware PV drivers to provide better virtualization support.

BZ#809641

The udev device manager was not used to resolve kickstart raid --onpart disk references. As a consequence, the /dev/disk/by-id/ path could not be used properly. With this update, the udev_resolve_devspec() function is used to resolve the --onpart command option. As a result, the raid --onpart command can now use the /dev/disk/by-id/ paths as expected.

BZ#809640

The Anaconda installer did not use the udev device manager to resolve /dev/disk/by-id/ names. This meant the kickstart installation method did not work with /dev/disk/by-id/ names. To fix this bug, Anaconda is now using udev to resolve /dev/disk/by-id/ names. As a result, kickstart installations using /dev/disk/by-id/ names work as expected.

BZ#804557

When installing a system using the text mode on a machine which already had Red Hat Enterprise Linux installed on it, a traceback error occurred when the Back button was used to go back from any dialog after the time zone dialog. With this update, disks are rescanned when moving back through the upgrade dialog, thus preventing this bug.

BZ#840723

The Anaconda installer called the modprobe tool without the -b argument that enabled blacklists. Consequently, modules were not blacklisted. To fix this bug, the required argument has been added to modprobe call. As a result, modules are blacklisted as expected.

BZ#851249

The Anaconda installer appended the boot= parameter on the command line whenever the fips=1 parameter was used. With this update, Anaconda appends the boot= parameter only when the fips=1 parameter is used and /boot is on a separate partition.

BZ#828029

This update fixes a typographical error in Korean version of a warning message used to alert users of a root password that is too simple.

BZ#681224

The Anaconda installer did not verify package checksums against the checksum in the repository metadata. A package which did not match the repo metadata checksum could be installed by the Yum utility. As a consequence, an incorrect package could be installed with no errors returned. This update adds verification of the package checksum against the checksum in the repository metadata.

BZ#656315

IPv6 configuration options of the installer's text UI (user interface) were using descriptions suggesting misleading meaning. Consequently, the description could mislead the users with DHCPv6 configured to use Dynamic IPv6 configuration (DHCPv6) which used DHCPv6 exclusively without using SLAAC automatic configuration. To fix this bug, the first option (Automatic neighbor discovery) has been renamed to Automatic; it is the (SLAAC) automatic configuration with the option of using a DHCPv6 server based on RA server configuration. The second option (Dynamic IP configuration (DHCPv6)) was renamed to Automatic, DHCP only, which describes the actual configuration to be used more accurately. These descriptions are now the same as those used by Network Manager. As a result, it is now clearer that the third option (Automatic, DHCP only) is using the DHCPv6 server exclusively.

BZ#836321

The command-line interface of the fcoe-utils package in Red Hat Enterprise Linux 6.3 was changed but the installer did not adapt to this change correctly. As a consequence, FCoE initiators were not able to log in to remote storages, which could then not be used for installation. To fix this bug, the fipvlan command arguments have been fixed to use the new -f option correctly. As a result, the installer now logs in to a FCoE remote storage correctly, and can be used for installation purposes.

BZ#823690

Repositories without size data caused a divide-by-zero error. Consequently, the installation failed. With this update, repositories without size data do not cause a divide-by-zero error and the installation succeeds.

BZ#848818

Support for the --hibernation option was only added to the part command. Consequently, --hibernation did not work with the logvol command. To fix this bug, support for --hibernation has been added to the logvol command. As a result, --hibernation now works with the logvol command.

BZ#784001

The linksleep option used to be applied only for the ksdevice= boot parameter using the value link. Consequently, when the ksdevice boot parameter was supplied a value containing a device name or a MAC address, the linksleep boot parameter did not take effect. Without waiting for the link, as required by the linksleep boot parameter, the installer could fail. To fix this bug, the linksleep boot parameter has been added to code paths where the to-be-activated device is specified. As a result, the linksleep boot parameter is honored also for installation where the ksdevice boot parameter is supplied a value containing a device name or a MAC address.

BZ#747278

The Anaconda installer did not check lengths of Logical Volume Manager (LVM) Volume Group names or Logical Volume names. As a consequence, an error occurred when creating disk partitions. To fix this bug, the length of LVM Volume Group names has been truncated to 32 characters and Logical Volume names to 16 characters. As a result, the installation completes successfully.

BZ#746925

Previously, Anaconda failed to enable add-on repositories when upgrading the system. Consequently, packages from the add-on repositories were not upgraded. This update allows Anaconda to enable add-on repositories when the system is upgrading and packages from the add-on repositories are upgraded as expected.

Bug Fixes

BZ#862195

Prior to this update, the authconfig utility used old syntax for configuring the idmap mapping in the smb.conf file when started with the "--smbidmapuid" and "--smbidmapgid" command line options. Consequently, Samba 3.6 ignored the configuration. This update adapts authconfig to use the new syntax of the idmap range configuration so that Samba 3.6 can read it.

BZ#874527

Prior to this update, the authconfig utility could write an incomplete sssd.conf file when using the options "--enablesssd" or "--enablesssdauth". As a consequence, the sssd daemon did not start. With this update, authconfig no longer tries to create the sssd.conf file without complete information, and the sssd daemon can now start as expected.

Bug Fixes

BZ#585059

When the automount daemon managed a large number of mount points, unmounting all active mount points could take a longer period of time than expected. If the daemon failed to exit within 45 seconds, the autofs init script timed out and returned a false-positive shutdown failure. To resolve this problem, the init script restart behavior has been modified. If the init script repeatedly fails to stop the daemon, the script terminates the daemon by sending the SIGKILL signal, which allows autofs to be restarted correctly.

BZ#819703

The automount interface matching code was able to detect only IPv4 interfaces. As a consequence, mount points were mounted with an incorrect mount type when using IPv6. To fix this problem, the automount interface matching code has been modified to use the getifaddrs() function insted of ioctl(). The automount interface matching code now properly recognizes IPv6 interfaces and both, IPv4 and IPv6 mounts are now mounted as expected.

BZ#827024, BZ#846852, BZ#847873

Previously, automount could terminate unexpectedly with a segmentation fault when using the internal hosts map. This could happen due to a function name collision between autofs and the libtirpc library. Both utilities called a debug logging function of the same name but with a different call signature. This update applies a series of patches that fix this problem by redefining the internal debug logging function in autofs. Also, several other bugs related to the autofs RPC function have been fixed. The automount daemon no longer crashes when using the internal hosts map and the libtirpc library is installed on the system.

BZ#834641

Due to an incorrectly placed port test in the get_nfs_info() function, autofs attempted to contact the portmap service when mounting NFSv4 file systems. Consequently, if the portmap service was disabled on the server, automount failed to mount the NFSv4 file systems with the following error message:

mount(nfs): no hosts available

With this update, the port check has been moved to the correct location in the code so that automount no longer contacts the server's port mapper when mounting NFSv4 file systems. NFSv4 file systems are mounted as expected in this scenario.

BZ#836422

Previously, the autofs internal hosts map could not be refreshed until all entries in the map had been unmounted. Consequently, users could not access newly exported NFS shares and any attempt to access such shares failed with the "No such file or directory" error message. This update allows the server export list to be updated by sending a HUP signal to the automount daemon. This causes automount to request server exports so the hosts map and associated automounts can be updated. Newly exported NFS shares can now be accessed as expected.

BZ#845512

Previously, the usage message displayed by the autofs init script did not contain the "usage" command entry. This update corrects the init script so it now displays all commands that can be used with the autofs service as expected.

BZ#856296

When stopping the autofs service, autofs did not correctly handle situations where a null map entry appeared after a corresponding indirect map entry in the autofs master map. As a consequence, automount attempted to unmount a unmount a non-existing automount point and became unresponsive. This update modifies autofs to process null map entries correctly so it no longer attempts to unmount non-existing automount points. The autofs service now stops gracefully as expected.

BZ#860184

Previously, the autofs init script did not allow any commands to be run by unprivileged users. However, it is desirable to let a non-root user check the status of autofs for example for monitoring purposes. Therefore, this update modifies the autofs init script to allow unprivileged users to execute the service autofs status command.

BZ#865311

Previous versions of autofs contained several typographical errors and misleading information in the auto.master(5) man page, and autofs.sysconfig and autofs.conf configuration files. This update corrects these bugs including the description of the MOUNT_NFS_DEFAULT_PROTOCOL and MOUNT_WAIT options.

BZ#868973

When attempting to mount an NFSv4 share from an unreachable NFSv4 server, autofs did not close IPv6 UDP sockets. This could eventually lead to depletion of free file descriptors and an automount failure. This update modifies autofs to close IPv6 UDP sockets as expected, and automount no longer fails due to too many open files in the described scenario.

BZ#892846

When using autofs with LDAP, the code used to perform a base DN search allowed a race between two threads executing the same function simultaneously to occur. As a result of this race, autofs could attempt to access already freed memory and terminate unexpectedly with a segmentation fault. With this update, the code used to perform base DN searches has been moved to the function protected by a mutex, which prevents the race from occurring. The base DN searches are now performed only when refreshing settings of the map lookup modules.

Enhancements

BZ#846870

This update modifies autofs to allow configuring of separate timeout values for individual direct map entries in the autofs master map.

BZ#859947

With this update, the auto.master(5) man page has been updated to document the "-t, --timeout" option in the FORMAT options section.

BZ#866338

The auto.master(5) man page has been updated to clarify description of the "nobind" option when it is used with direct mount maps.

BZ#866396

The autofs.spec file has been modified to update build dependency of the autofs sss interface library. The library now requires the libsss_autofs package instead of sssd.

BZ#822733

This update improves debug logging of autofs. With debug logging set on, automount now reports whether it needs to read a mount map or not.

Security Fix

CVE-2012-3386

It was found that the distcheck rule in Automake-generated Makefiles made a directory world-writable when preparing source archives. If a malicious, local user could access this directory, they could execute arbitrary code with the privileges of the user running "make distcheck".

Bug Fix

BZ#599435

Previously, the Avahi library packages required the Avahi daemon packages as a dependency. Consequently, whenever installing some of the Avahi libraries, the Avahi daemon was installed as well, which could pose a security risk in certain environments. This update removes these dependencies so that the Avahi libraries are now installed without the Avahi daemon.

BZ#728693

Prior to this update, the logwatch tool did not check the "/var/log/bacula*" file. As a consequence, the logwatch report was incomplete. This update adds all log files to the logwatch configuration file. Now, the logwatch report is complete.

BZ#728697

Prior to this update, the bacula tool itself created the "/var/spool/bacula/log" file. As a consequence, this log file used an incorrect SELinux context. This update modifies the underlying code to create the /var/spool/bacula/log file in the bacula package. Now, this log file has the correct SELinux context.

BZ#729008

Prior to this update, the bacula packages were built without the CFLAGS variable "$RPM_OPT_FLAGS". As a consequence, the debug information was not generated. This update modifies the underlying code to build the packages with CFLAGS="$RPM_OPT_FLAGS. Now, the debug information is generated as expected.

BZ#756803

Prior to this update, the perl script which generates the my.conf file contained a misprint. As a consequence, the port variable was not set correctly. This update corrects the misprint. Now, the port variable is set as expected.

BZ#802158

Prior to this update, values for the "show pool" command was obtained from the "res->res_client" item. As a consequence, the output displayed incorrect job and file retention values. This update uses the "res->res_pool" item to obtain the correct values.

BZ#862240

Prior to this update, bacula-storage-common utility wrongly removed alternatives for the bcopy function during the update. As a consequence, the Link to bcop.{mysql,sqlite,postgresql} disappeared after updating. This update modifies the underlying code to remove these links directly in storage-{mysql,sqlite,postgresql} and not in bacula-storage-common.

Bug Fixes

BZ#695656

Prior to this update, the trap handler could, under certain circumstances, lose signals during another trap initialization. This update blocks the signal while the trap string and handler are being modified. Now, the signals are no longer lost.

BZ#799958

Prior to this update, the manual page for trap in Bash did not mention that signals ignored upon entry cannot be listed later. This is now fixed and the manual page entry text is amended to "Signals ignored upon entry to the shell cannot be trapped, reset or listed".

BZ#800473

Prior to this update, the Bash shell called the trap handler within a signal handler when a SIGCHLD signal was received in job control mode and a handler for the signal was installed. This was a security risk and could cause Bash to enter a deadlock or to terminate unexpectedly with a segmentation fault due to memory corruption. With this update, the trap handler is now called outside of the signal handler, and Bash no longer enters a deadlock.

Enhancement

BZ#677439

This update enables the system-wide "/etc/bash.bash_logout" file. This allows administrators to write system-wide logout actions for all users.

Bug Fixes

BZ#767496

When persistent search was in use, the plug-in sometimes terminated unexpectedly due to an assertion failure when the "rndc reload" command was issued and the LDAP server was not reachable. With this update, the code has been improved so that connection failures and reconnects are now handled more robustly. As a result, the plug-in no longer crashes in the scenario described.

BZ#829388

Previously, some relative domain names were not expanded correctly to FQDNs. Consequently, zone transfers sometimes contained relative domain names although they should only contain FQDNs (for example, they contained "name." record instead of "name.example.com."). The plug-in has been patched, and as a result, zone transfers now contain the correct domain names.

BZ#840381

Due to a bug in bind-dyndb-ldap, the named process sometimes terminated unexpectedly when a connection to LDAP timed out. Consequently, when a connection to LDAP timed out (or failed), the named process was sometimes aborted and DNS service was unavailable. The plug-in has been fixed and as a result, the plug-in now handles situations when a connection to LDAP fails gracefully.

BZ#856269

Due to a race condition, the plug-in sometimes caused the named process to terminate unexpectedly when it received a request to reload. Consequently, the DNS service was sometimes unavailable. A patch has been applied and as a result, the race condition during reload no longer occurs.

Enhancements

BZ#733711

LDAP in Red Hat Enterprise Linux 6.4 includes support for persistent search for both zones and their resource records. Persistent search allows the bind-dyndb-ldap plug-in to be immediately informed about all changes in an LDAP database. It also decreases network bandwidth usage required by repeated polling.

BZ#829340

Previously, it was only possible to configure IPv4 forwarders in LDAP. With this update, a patch has been added to the plug-in, and as a result, the plug-in is now able to parse and use IPv6 forwarders. BIND9 syntax for "forwarders" is required.

BZ#829385

Previously, it was impossible to share one LDAP database between multiple master servers; only one master server could be used. A new bind-dyndb-ldap option "fake_mname" which allows for overriding the master server name in the SOA record has been added. With this option it is now possible to override the master server name in the SOA record so that multiple servers can act as master server for one LDAP database.

BZ#840383

When multiple named processes shared one LDAP database and dynamically updated DNS records (via DDNS), they did not update the SOA serial numbers so it was impossible to serve such zones on secondary servers correctly (that is to say, they were not updated on slave servers). With this update, the plug-in can now update SOA serial numbers automatically, if configured to do so. Refer to the new "serial_autoincrement" option in the /usr/share/doc/bind-dyndb-ldap/README file for more details.

BZ#869323

This update provides support for the per-zone disabling of forwarding. Some setups require the disabling of forwarding per-zone. For example, company servers are configured as authoritative for a non-public zone and have global forwarding turned on. When the non-public zone contains delegation for a non-public subdomain, the zone must have explicitly disabled forwarding otherwise the glue records will not be returned. As a result, a server can now return delegation glue records for private zones when global forwarding is turned on. Refer to /usr/share/doc/bind-dyndb-ldap/README for detailed information.