1. Package Updates

Bug Fixes

BZ#701554

Password changes did not replicate because the method used to pass the changes to consumer servers was rejected on the consumer. This issue has been corrected, and password changes now replicate as expected.

BZ#701556

Values could be lost when group memberships were synchronized between 389 Directory Server and Active Directory with the Windows Sync feature. The synchronization and modify operations have been altered to prevent this issue, allowing group updates to synchronize with Active Directory.

BZ#701558

The ldclt command-line testing tool crashed during LDAP ADD operations because an LDAP attribute was not set correctly, preventing the creation of entries that did not already exist. This update allows the LDAP ADD to proceed correctly.

BZ#701559

The server crashed if a long running task was started using the cn=tasks,cn=config interface and then the server was shut down before the task completed. This update prevents the server from crashing, but does not gracefully terminate the task, which can leave the server database in an inconsistent state. For example, the fixup-memberof.pl script invokes a tasks to fix up the memberOf attribute in group member entries. If the server is shut down before the task can complete, some entries may not have the correct memberOf values. Users should ensure that tasks are complete before shutting down the server to avoid inconsistency.

BZ#701560

When using the Entry USN feature, deleting an entry caused a memory leak via the entryusn attribute. This update fixes the memory leak.

BZ#576866

Prior to this update, the ABRT GUI did not warn the user when it could not connect to the Gnome keyring daemon (that is, could not save any of the user's settings). With this update, a warning message is displayed in such a case.

BZ#614486

The previous version of ABRT did not properly restore the core_pattern parameter (which is used to specify a coredump file pattern name) if it was too long. This update restores the core_pattern parameter to its previous value when the abrt daemon is stopped.

BZ#623142

If the TAINT_HARDWARE_UNSUPPORTED flag, which detecs hardware not officially supported by Red Hat, is set (in the /proc/sys/kernel/taint file), ABRT indicates that the flag is set in the created crash report.

BZ#649309

The abrt-addon-ccpp plugin crashed due to a segmentation fault if the /proc/[PID]/ directory did not exist. With this update, ABRT no longer crashes in case the /proc/[PID]/ directory does not exist.

BZ#665405

Content from various files in the /var/log/ directory is now included in the creation of an sosreport (which is created via the abrt-plugin-sosreport plugin).

BZ#666267

Prior to this update, the "Help" button in the ABRT GUI displayed the "About" window. With this update, a proper help page is displayed.

BZ#668875

Occasionally, ABRT did not send an attached core dump file along with a crash report. This was due to the large size of the core dump file which was consequently rejected by the server which was receiving the crash report. With this update, attachments and their sizes are listed in the crash report, making it easier to detect any problems caused by the large size of the attachments.

BZ#670492

Previously, ABRT was using "Strata-Message:" headers in server responses. However, servers no longer use these headers. With this update, the aforementioned headers are no longer used by ABRT.

BZ#678724

By default, in Red Hat Enterprise Linux 6, ABRT did not enable any reporters, causing environments which do not run an X server to not be notified of any crashes ABRT detected. With this update, the mailx plugin is enabled as the default reporter for every crash and the root user is now notified of any crashes via the root@localhost mailbox.

BZ#694410

The duplicate hash of a crash was computed from the package NVR (Name, Version, Release), path of the executable and the backtrace hash. This caused the hash to be different for the same bug which occurred in two versions of the same package. With this update, the component name and the backtrace hash are used when computing the duplicate hash.

BZ#680202

With a recent update, the OpenLDAP libraries have been moved to different directory. This update changes the way Adobe Reader links to these libraries.

BZ#593642

Auto-partitioning no longer clears immutable partitions.

BZ#593984

Anaconda no longer creates a new EFI system partition when one is not needed.

BZ#601862, BZ#614812

Anaconda now properly detects ext2's dirty/clean states.

BZ#609570

Anaconda no longer forgets IP method selection in the loader when returning to a previous menu.

BZ#611825

The "Proxy password" field in stage 2 now correctly displays asterisks instead of plain text.

BZ#612476

Text mode now allows IPv6 configuration.

BZ#626025

Anaconda no longer displays free regions of less than 1MB in extended partitions.

BZ#671017

Anaconda no longer loses focus on certain screens.

BZ#634655

".treeinfo" files are now properly fetched over a proxy.

BZ#635201

Anaconda now writes correct NFS (Network File System) repository information into the summary Kickstart file.

BZ#638734

The /boot/ directory can now reside on an ext4 partition.

BZ#654360

Anaconda no longer fails to detect a disk if its size exceeds 1TB.

BZ#678028

Anaconda is once again able to detect the file system on a previously-created RAID device.

BZ#692350

Anaconda now generates the correct, FIPS-enabled initramfs (initial RAM file system) when the kernel option "fips=1" is provided on the kernel command line.

BZ#640260

Anaconda incorrectly failed with a traceback when an attempt to unpack a driver disk to a pre-existing root partition.

BZ#676854

Fingerprint authentication has been disabled on IBM System z because it is not supported on that platform.

BZ#641324

Static IPv4 configuration is now used when requested in stage 2: Anaconda no longer falls back to using DHCP.

BZ#652874

Anaconda is now able to properly detect an md RAID array with a spare disk.

BZ#636533

Anaconda now correctly reports an error when a network-based certificate is specified in Kickstart with no networking setup.

BZ#621490

A custom value is now properly honored when shrinking a file system.

BZ#702430

The "list-harddrives" command output for CCISS devices is now valid input for Kickstart files.

BZ#683891

Anaconda now selects the new kernel after upgrade.

BZ#442980, BZ#529443

This update adds the cnic, bnx2i, and be2net drivers for better iSCSI support.

BZ#633307, 633319

This update adds drivers for the Emulex 10GbE PCI-E Gen2 and Chelsio T4 10GbE network adapters.

BZ#554874

Algorithms from the SHA-2 hash function family can now be used to encrypt the boot loader password.

BZ#607827

Anaconda now allows a username and password to be entered for iSCSI Discovery sessions.

BZ#354432, 614399

The "rdate", "which", "tty" and "ntpdate" commands have been added to the install image.

BZ#663411

The graphical installer now runs using the full display resolution.

BZ#667122, BZ#599042, BZ#678574

Anaconda now features improved SSL certificate-handling.

BZ#621349

It is now possible to specify additional packages when using the "@packages --default" Kickstart option.

BZ#618376

On IBM System z, the /boot/ directory can now be placed on an LVM logical volume.

BZ#644535

Anaconda now supports blacklisting to determine which modules can be loaded during installation.

Security Fix

CVE-2011-1928

The fix for CVE-2011-0419 (released via RHSA-2011:0507) introduced an infinite loop flaw in the apr_fnmatch() function when the APR_FNM_PATHNAME matching flag was used. A remote attacker could possibly use this flaw to cause a denial of service on an application using the apr_fnmatch() function.

Note: This problem affected httpd configurations using the "Location" directive with wildcard URLs. The denial of service could have been triggered during normal operation; it did not specifically require a malicious HTTP request.

This update also addresses additional problems introduced by the rewrite of the apr_fnmatch() function, which was necessary to address the CVE-2011-0419 flaw.

BZ#589099

Previously, the at daemon (atd) wrongly contained permissions 0755 for atd configuration. With this update, atd has the correct permissions 0644 as have all other such files.

BZ#615104

Previously, the initscript caused the "OK" message to be printed twice. With this update, the initscript behaves as expected and does no longer cause echos of messages.

BZ#630019

Previously, the PIE label was not compiled with -fpie/-fPIE. This update adds a PIE compile option for secure positions independently executable on targets.

BZ#595261

Prior to this update, authconfig unnecessarily restarted the user information and authentication services even though there were no configuration changes that would require the restart. With this update, services are no longer restarted unless explicitly required.

BZ#620475

The authentication configuration utility did not keep the "Require smart card for login" check box set when Kerberos was also enabled. When the check box was checked and the configuration was saved with the "Apply" button, the system would correctly require smart card for login. However, on the subsequent run of the authentication configuration utility the check box would be unchecked again and it was necessary to check it again to keep the option switched on. With this update, the "Require smart card for login" stays checked even after subsequent runs of the authentication configuration utility.

BZ#621632

The authentication configuration tool GUI incorrectly duplicated its window when the "Revert" button was pressed. This update fixes the duplicity problem.

BZ#624159

In some cases, when multiple configuration files with the same configuration settings contained different configuration values for a setting, the configuration files contents were not properly synchronized with authconfig. With this update, the synchronization works as expected.

BZ#639747

The authentication configuration tool GUI allowed to choose user identity and authentication schemes which require packages that are not installed on the system by default. With this update, certain identity and authentication schemes cannot be configured when they are not installed on the system.

BZ#663882

The authconfig textual user interface incorrectly required the nss-pam-ldap package to be installed when the configuration used SSSD for LDAP user identification. With this update, the nss-pam-ldap package is not required in such a case.

BZ#674844

Prior to this update, the authentication configuration tool overwrote the cache_credentials value to "True" in the SSSD configuration file (/etc/sssd/sssd.conf) if the configuration allowed using SSSD for the network user information and authentication services. With this update, the "cache_credentials" parameter is no longer overwritten in the aforementioned case.

BZ#676333

The "system-config-authentication" command crashed when executed in an environment without the X server running. With this update, a proper error message is printed in the aforementioned case.

Bug Fixes

BZ#670938

System processes - that is processes with an audit id (auid) of -1 - are logged by the audit subsystem. However, if the ausearch utility was used to locate events where the auid was -1, it would display all events. In this update, under these circumstances, ausearch only returns events with an auid of -1.

BZ#688664

A value of 'syslog' for the 'disk_error_action' parameter in 'auditd.conf' instructs auditd to issue a warning to syslog if an error is encountered when writing audit events to disk. If 'disk_error_action' was set to 'syslog', auditd always attempted to exec() a child process. Consequently, if a disk error was encountered (ie. a disk full error), auditd would attempt to exec() a null child process, and logging would not resume after the disk error was reported to syslog. In this update the child process is not called when the 'syslog' option is used, and logging continues as expected.

BZ#695605

Previously if an audispd plug-in was restarted, the plug-in was not marked as active. Consequently, the remote logging plug-in (audisp-remote) was unable to bind to a privileged port on reconnect because all privileges had been dropped. In these updated packages, audispd plug-ins are marked as active after being restarted, and the audisp-remote plug-in functions as expected.

BZ#697463

Previously, the "autrace -r" command on the IBM System z architecture attempted to audit network syscalls not available on IBM System z. Consequently, an error similar to the following might have been returned:

Error inserting audit rule for pid=13163

With this update, "autrace -r" is now aware of system calls not available on this architecture, which resolves this issue.

BZ#640948

When an ignore directive was included in an audit.rules configuration file, the auditctl utility became unresponsive when attempting to load those rules. With this update, the issue is resolved.

BZ#647128

Previously, the audit_encode_nv_string() function was not checking if the memory allocation (malloc) it was performing succeeded. Consequently, if the malloc operation encountered an out of memory (OOM) error, audit_encode_nv_string() crashed attempting to reference a NULL pointer. With this update, audit_encode_nv_string() checks if the malloc is successful, which resolves this issue.

BZ#647131

Previously, the man page for the "audit_encode_nv_string" function incorrectly documented the return value type as an "int". The man page for "audit_encode_nv_string" now correctly displays return value type for the "audit_encode_nv_string" function as a "char *"

BZ#629480

When using client certificates with autofs, the certificate DN could not be used in LDAP ACLs. This prevented autofs from authenticating via SASL external. With this update, the SASL EXTERNAL authentication mechanism is used for mapping the certificate DN to an LDAP DN, allowing autofs to support SASL External authentication via TLS.

BZ#616426

The autfs initscript did not implement the functions force-reload and try-restart. Instead, the error try-restart and force-reload service action not supported was given and returned 3. This patch adds these initscript options so that the they are now implement and return appropriate values.

BZ#629359

Debugging output from autofs did not include IP addresses for mounts alongside hostname information which made it difficult to debug issues when using round-robin DNS. This update adds this feature, allowing logging output to show the IP address of a mount, rather than just the host name.

BZ#572608

Previously, automount woke up once per second to check for any scheduled tasks, despite the fact that adding a task triggered a wake up of that thread, which lead to a tight loop which used excessive CPU. This update removes these unnecessary wakeups.

BZ#520844

When an autofs map entry had multiple host names associated with it, there was no way to override the effect of the network proximity. This was a problem when a need existed to be able to rely on selection strictly by weight. With this patch, the server response time is also taken into consideration when selecting a server for the target of the mount. The pseudo option --use-weight-only was added that can only be used with master map entries or with individual map entries in order to provide this. For individual map entries, the option no-use-weight-only can also be used to override the master map option.

BZ#666340

If there were characters that matched isspace() (such as \t and \n) in a passed map entry key and there was no space in the key, these character were not properly preserved, which led to failed or incorrect mounts. This was caused by an incorrect attempt at optimization by using a check to see if a space was present in the passed key and only then processing each character of the key individually, escaping any isspace() characters. This patch adds a check for isspace() characters to the same check for a space, eliminating the problem.

BZ#630954

If the map type was explicitly specified for a map, then the map was not properly updated when a re-read was requested. This was because the map stale flag was incorrectly cleared after the lookup module read the map, instead of at the completion of the update procedure. In this patch, the map stale flag should only be cleared if the map read fails for some reason, otherwise it updates when the refresh is completed.

BZ#650009

Previously, when autofs was restarted with active mounts, due to a possible recursion when mounting multi-mount map entries, autofs would block indefinitely. This was caused by a cache readlock which was held when calling mount_subtree() from parse_mount () in parse_sun.c. This patch fixes remount locking which resolves the issue.

BZ#577099

The master map DN string parsing is quite strict and, previously, autofs could not use an automount LDAP DN using the l (localityName) attribute. This patch adds the allowable attribute 'l', the locality.

BZ#700691

A previous bug fix caused the state queue manager thread to stop processing events, and mounts expired and then stopped. This was caused when the state queue task manager transferred an automount point pending task to its task queue for execution. The state queue was then mistakenly being seen as empty when the completing task was the only task in the state queue. This patch adds a check to allow the queue manager thread to continue, resolving the issue.

BZ#700697

The autofs gave a segmentation fault on the next null cache look up in the auto.master file. This was due to a regression issue, where a function to clean the null map entry cache, added to avoid a race when re-reading the master map, mistakenly failed to clear the hash bracket array entries. This patch sets the hash bracket array entries to NULL, resolving the issue.

Security Fix

CVE-2011-1002

A flaw was found in the way the Avahi daemon (avahi-daemon) processed Multicast DNS (mDNS) packets with an empty payload. An attacker on the local network could use this flaw to cause avahi-daemon on a target system to enter an infinite loop via an empty mDNS UDP packet.

BZ#629954, BZ#684276

Previously, the avahi packages in Red Hat Enterprise Linux 6 were not compiled with standard RPM CFLAGS; therefore, the Stack Protector and Fortify Source protections were not enabled, and the debuginfo packages did not contain the information required for debugging. This update corrects this issue by using proper CFLAGS when compiling the packages.

BZ#618289

When using arithmetic evaluation on an associative array with integer values, an attempt to provide an invalid subscript caused Bash to terminate unexpectedly with a segmentation fault. This update applies a patch that corrects this error, and providing an invalid subscript no longer causes the bash interpreter to crash.

BZ#664468

Prior to this update, the Bash interpreter reported broken pipe errors for both external and built-in commands. Since these errors are only relevant for external commands, this update adapts the underlying source code to suppress the broken pipe error messages for built-in commands. As a result, only relevant messages are now presented to user.

BZ#619704

Previous version of the bash(1) manual page did not provide a clear description of the "break", "continue", and "suspend" built-in commands. This update corrects this error, and extends the manual page to provide accurate and complete descriptions of these commands.

Security fix

CVE-2011-1910

An off-by-one flaw was found in the way BIND processed negative responses with large resource record sets (RRSets). An attacker able to send recursive queries to a BIND server that is configured as a caching resolver could use this flaw to cause named to exit with an assertion failure.

Security Fix

CVE-2011-2464

A flaw was discovered in the way BIND handled certain DNS requests. A remote attacker could use this flaw to send a specially-crafted DNS request packet to BIND, causing it to exit unexpectedly due to a failed assertion.

Security Fix

CVE-2011-4313

A flaw was discovered in the way BIND handled certain DNS queries, which caused it to cache an invalid record. A remote attacker could use this flaw to send repeated queries for this invalid record, causing the resolvers to exit unexpectedly due to a failed assertion.

BZ#623638

previously, bind on the 64-bit PowerPC architecture used emulated atomic operations rather than native instructions. In this updated package bind on the 64-bit PowerPC architecture uses the same native atomic operations as the PowerPC architecture.

BZ#677381

previously, the bind package generated the /etc/rndc.key file. However, generating this file used entropy from /dev/random. Consequently, installation of the bind package might have hung. The rndc.key is used by rndc utility for advanced administration commands and is no longer automatically generated during installation of the bind package. Users requiring the rndc utility should generate key themselves, via the "rndc-confgen -a" command.

BZ#623122

under certain circumstances, "named" was entering a deadlock. Consequently, "named" could not be stopped using the "/etc/init.d/named stop". In this updated package, the deadlock no longer occurs, resolving this issue.

BZ#623190

previously, the named_sdb PostgreSQL database backend failed to reconnect to the database when the connection failed during named_sdb startup. With this update, named writes error message to the system log and tries to reconnect during every lookup.

BZ#658045

previously, file conflicts prevented the i686 and x86_64 versions of bind-devel from being installed on the same machine. In this update, the file conflict is resolved and both the i686 and x86_64 bind-devel packages can be installed on the same system.

BZ#622785

previously, initscript killed all processes with the name "named" when stopping the named daemon. With this update, initscript kills only the selected one.

BZ#640538

the return codes of the "dig" utility are documented in the dig man page.

BZ#660676

previously the named.8 manpage mentioned the system-config-bind utility. This utility is not included with Red Hat Enterprise Linux 6. The man page is updated to remove the reference to the system-config-bind utility.

BZ#661663, BZ#672777

the "status" action of the named initscript would not complete when bind-sdb package was installed. These updated packages resolve this issue.

BZ#669163

when resolv.conf contained "search" keyword with no arguments host/nslookup/dig utilities failed to parse it correctly. In these updated packages, such lines are ignored.

BZ#672819

previously, the nsupdate man page incorrectly listed HMAC-MD5 as the only TSIG algorithm. In this updated package, the list of encryption algorithms was removed from the nsupdate man page. The the dnssec-keygen man page contains a complete list of usable encryption algorithms.

BZ#622764

the host utility now honors "debug", "attempts" and "timeout" options in resolv.conf.

BZ#623673

a new option, called DISABLE_ZONE_CHECKING, has been added to /etc/sysconfig/named. This option adds the possibility to bypass zone validation via the named-checkzone utility in initscript and allows to start named with misconfigured zones.

BZ#646932

with this update, size, MD5 and the modification time of /etc/sysconfig/named configuration file is no longer checked via the "rpm -V bind" command.

BZ#667375

Root zone DNSKEY is now included in the bind package, in the /etc/named.root.key file.

BZ#658286

the plugin didn't load child zones correctly. The plugin has been fixed and now loads child zones well.

BZ#662930

named aborted when attempting to connect to a local LDAP server during boot. Now it does not abort but the administrator must call "rndc reload" when LDAP server starts to correctly fetch zones.

BZ#666244

the plugin flooded logs with too many messages. Now those messages are logged only when named is started with the "-d" (debug) parameter.

BZ#667704

the plugin was rebased to 0.2.0 bugfix release.

BZ#667727

queries for ANY type were not handled correctly, only SOA records were returned. The plugin was fixed and now all records are returned when asked.

BZ#667730

the plugin failed to reconnect to the LDAP server when SASL authentication was used. The plugin was fixed and reconnection now works.

BZ#667732

the plugin failed to delete nodes from the LDAP database when all resource records associated with the node were removed. Now the plugin deletes the empty nodes.

BZ#667733

the plugin did not emit enough information when it was configured to use invalid credentials. Now it emits enough details.

BZ#667729

It is now possible to specify allow-query and allow-transfer ACLs for zones.

BZ#667734

It is now possible to set timeout for queries to the LDAP server.

BZ#697703

fix occasional crash in linker

BZ#614443

fix strip to keep the address of an empty section consistent with its offset in the object

BZ#680143

if one of the input files is of a non-ELF format the linker may crash

BZ#578661

add support for ELF objects with more then 65535 program headers

BZ#663587

add support for the large code model on PowerPC

BZ#633448

add support for ELF core dump notes sections for extra s390 registers

BZ#631540

add support for the new instructions in the System

BZ#721079

Prior to this update, an input object file could have a non-empty .toc section but no references to the .toc entries because of a problem in the 64-bit PowerPC linker TOC editing code. As a result, various utilities of the binutils package terminated unexpectedly with a segmentation fault under certain conditions. This update handles local symbols in .toc sections correctly. Now, no more crashes occur.

BZ#583615

When the device list contained the same device as supplied on the command line, blktrace stopped immediately and further I/O tracing was impossible. This occurred when an error returned in BLKTRACESETUP ioctl caused the program to terminate whenever a device was duplicated in the devpaths. This patch ensures devices are not duplicated in the devpaths pool, thus fixing the problem.

BZ#619201

When blktrace was run without parameters, it incorrectly included the version number in its usage message. This resulted in the false assumption that the version number was a required parameter. This update edits the usage message so that the version number is not printed when running blktrace, blkparce or btt without parameters, avoiding any confusion.

BZ#650229

Previously, btreplay would give a 'No such file or directory' error when attempting to execute with /dev/cciss/foo because of the long path name. This was caused by missing the back conversion of underscores to slashes. This update converts the underscores to slashes to restore the device names with longer paths.

BZ#583624

Running 'blktrace -d <device> -k' once did not kill a running background trace. Running it a second time resulted in a 'BLKTRACETEARDOWN: Invalid argument' message, after which any further attempt to run it returned 'BLKTRACESETUP: No such file or directory'. This was caused by the option -k clobbering information about running a trace by the kernel (that is, blk_trace_remove), while files opened in debugfs by blktrace running in the background were not released. In this patch, the documentation is updated to remove the faulty 'kill' option. It advices to send a SIGINT signal via kill(1) to the running background blktrace for its correct termination.

BZ#650243

The documentation falsely gave the impression that blkiomon was not giving the correct output when working with a logical volume device. When working on a logical volume device, blkiomon does not understand the output of blktrace,as a logical volume device is quiet. While working with a physical device, it prints I/O statistics as expected. This patch updates the documentation to reflect this.

BZ#583695

When blkparse was run with a non-existent file as an argument, it returned no errors and the exit-code was zero. This update provides a warning message when a non-existent file is used as an argument and exits with a non-zero status.

BZ#595356

Previously, blktrace would not end after 30 seconds. Instead it would remain running until the user killed it, after which any further attempts to run it failed with an error. This was because when open_ios() failed, tracer_wait_unblock() in thread_main() waits for an event that will never occur. Because the event never occurs, any future attempts to run blktrace failed with an error. This update makes sure that unblock_tracers() is also called when an unsuccessful event occurs, (that is, when nthreads_running != ncpus).

BZ#595413

There was a mistake in the man page for btrecord. It incorrectly documented the option --input-base, which is unsupported, and the supported --max-bunch-time was undocumented. This update replaces --input-base with --input-directory, and adds the option --max-bunch to the btrecord man page.

BZ#595419

The blkiomon man page was missing elements. The options -d and --dump-lldd were not recorded. This patch adds these and a drv_data mast description to the blktrace man page.

BZ#595615

The blkparce man page was missing six elements. These were -A, --set-mask, -a, --act-mask, -D, and --input-directory. These options are now added to the blkparce man page.

BZ#595620

The blktrace man page was missing sixteen elements. These were:

• -d <dev> | --dev=<dev>
• -r <debugfs path> | --relay=<debugfs path>
• -o <file> | --output=<file>
• -D <dir> | --output-dir=<dir>
• -w <time> | --stopwatch=<time>
• -a <action field> | --act-mask=<action field>
• -A <action mask> | --set-mask=<action mask>
• -b <size> | --buffer-size
• -n <number> | --num-sub-buffers=<number>
• -l | --listen
• -h <hostname> | --host=<hostname>
• -p <port number> | --port=<port number>
• -s | --no-sendfile
• -I <devs file> | --input-devs=<devs file>
• -v <version> | --versio
• -V <version> | --version

These options are now added to the blktrace man page.

BZ#595623

The btreplay man page was missing three elements. These were -t, -x, and --acc-factor. These options are now added to the btreplay man page.

BZ#595628

The btt man page was missing four elements. These were -X, -m, --easy-parse-avgs, and --seeks-per-second. These options are now added to the btt man page.

BZ#723503

Prior to this update, the cyclic redundancy check (CRC) was not correctly computed on 64-bit architectures during decompression of gzip archives. In this update, constant-width integer types are used to compute CRC to make the results stable across all architectures.

BZ#645741

The btrfs-progs package has been updated to the latest upstream version, and newly includes the btrfs utility for easier administration of Btrfs file systems.

BZ#615391

Previously, the cpio applet included with busybox printed summary messages to stdout instead of stderr as the stand alone cpio does. Consequently nothing was returned to the shell when the busybox cpio applet ran. The updated applet include a patch that corrects this: the busybox cpio applet now prints summary messages to stderr, returning information to the shell as the standalone utility does.

BZ#621853

As initially released, the "busybox hwclock" utility included with Red Hat Enterprise Linux 6 honored the current Filesystem Hierarchy Standard (FHS 2.3) and assumed the adjtime state file was at /var/lib/hwclock/adjtime. If kexec was invoked to load a second kernel over a crashed kernel, this caused "busybox hwclock" to return incorrect and inconsistent values when compared with the same command running in the first kernel prior to the crash. With this update, the config file for busybox hwclock was reverted to its old behavior. It now assumes the adjtime state file is at /etc/adjtime, as was the case in FHS 2.1, and "busybox hwclock" behaves as expected when run in an initial or reloaded kernel.

BZ#633961

The "busybox awk" utility incorrectly treated all strings of digits with leading zeros as octal integer constants. This meant strings such as "0xffff" and "07777" were handled correctly but strings such as "0.531" were not. As a consequence, awk operations that correctly manipulated such strings as numbers were not handled correctly by busybox awk. With this update, the awk utility included with busybox correctly differentiates between hexadecimal and floating decimal strings and handles manipulations of the latter as expected.

BZ#624142

If the certmonger service failed to contact a CA, the subprocess that submitted the request became defunct. This occurred because the parent process did not read the subprocess status. With this update, the parent process reads the subprocess status and there is no defunct process after a CA contact failure.

BZ#636894

Previously, after installing the certmonger utility, the certmonger service failed to start. This occurred because the package installation did not signal the system bus daemon that it needed to re-read its configuration as to allow the certmonger daemon to connect to the bus. This update fixes the bug and the certmonger service can be started right after the installation.

BZ#652047

Previously, the certmonger utility did not display a user-friendly error message when the user ran the ipa-getcert command with privileges that were insufficient for the system bus to allow it to communicate with the certmonger service. With this update, certmonger suppresses the original error message if a user-friendly message is available. The user can display both messages with the -v option.

BZ#652049

Prior to this update, the ipa-getcert list command did not return any output if certmonger was not tracking any certificates. With this update, the command returns a message that the certificate list is empty.

BZ#687899

Due to inappropriate SELinux policy settings, the certmonger daemon could not execute some of its helper processes. The updated policy now allows certmonger to run these processes and the certmonger libraries create temporary files in a location that certmonger can access.

BZ#688229

The certmonger service accepted a non-existent PIN (Personal Identification Number) file for the NSS (Network Security Services) database if the user ran the ipa-getcert request command with the -p option. This occurred because certmonger failed to detect reading errors in the file with the PIN and proceeded with an empty PIN value. With this update, such reading errors are logged and certmonger proceeded as if it had read an empty PIN value.

BZ#689776

Previously, the certmonger service terminated unexpectedly if the user attempted to use a certificate database stored in a non-existent directory. While preparing an error message to return to its client, the daemon attempted to use already-freed memory, which could have caused a segmentation fault. With this update, certmonger displays a message that the directory does not exist and remains stable in these circumstances.

BZ#690886

After installation of the ipa-client package, the ipa-client-install script runs the ipa-getcert command. As a consequence, the certmonger daemon runs its ipa-submit helper. The helper contacts the IPA server. Previously, if it received a fault message response from the server, it terminated with a segmentation fault and created a core dump; the installation failed. This happened because it attempted to dereference an uninitialized pointer while processing the fault message. With this update, the helper handles the fault message correctly and the enrollment process completes successfully.

BZ#691351

Previously, running the getcert command with an invalid Extended Key Usage parameter caused a segmentation fault. This happened because the command attempted to dereference a NULL pointer while attempting to report that the parameter value was not a valid OID (Object Identifier). With this update, certmonger reports that the OID validation failed and prints a message that the provided Extended Key Usage is invalid.

BZ#695672

Prior to this update, certmonger could have seemingly ignored the attempts to resubmit a certificate with changed Subject and Principal names. This occurred because the certificate changes were not saved if a certificate with the same nickname already existed in the certificate database. With this update, the certmonger utility removes the certificates with the respective nickname before storing the new certificate and the resubmit command works as expected.

BZ#695675

Previously, the certmonger service could have failed to resubmit certificates. This happened if the SELinux policy did not allow certmonger to write to the defined location for storing keys. With this update, the service reads information about the keys to verify that the keys had been generated and stored properly. If the reading fails, the keys are generated again.

BZ#696185

Previously, the getcert tool terminated unexpectedly with a segmentation fault if the user issued the getcert start-tracking command with changed values of the parameters Extended Key Usage, DNS, Email and Principal name. The command caused a buffer overflow in the getcert tool because the internal buffer in the getcert command was too small to hold four new values. This update enlarges the internal buffer of the command and the bug no longer occurs.

BZ#624143

The ipa-getcert and getcert commands did not accept the location of a passphrase, which could provide the encrypted keying material and allow monitoring of an already-issued certificate or key pair. This update adds the -p and -P options to the getcert start-tracking command, which allows the user to pass the utility a PIN either in a file or directly.

BZ#683926

Previously, the certmonger service did not support a verbose mode for the ipa-getcert command. This update adds the --verbose option to the command.

BZ#729803

When submitting a signing request to a Red Hat IPA (Identity, Policy, Audit) CA, certmonger is expected to authenticate using the client's host credentials, and to delegate the client's credentials to the server. Recent updates to libraries on which certmonger depends changed delegation of client credentials from a mandatory operation to an optional operation that is no longer enabled by default, which effectively broke certmonger's support for IPA CAs. This update gives certmonger the ability to explicitly request credential delegation when used with newer versions of these libraries, which introduce an API that allows certmonger to explicitly request that credential delegation be performed.

BZ#797844

When installing multiple Linux Standard Base (LSB) services which only had LSB headers, the stop priority of the related LSB init scripts could have been miscalculated and set to "-1". With this update, the LSB init script ordering mechanism has been fixed, and the stop priority of the LSB init scripts is now set correctly.

BZ#797843

When an LSB init script requiring the "$local_fs" facility was installed with the "install_initd" command, the installation of the script could fail under certain circumstances. With this update, the underlying code has been modified to ignore this requirement because the "$local_fs" facility is always implicitly provided. LSB init scripts with requirements on "$local_fs" are now installed correctly.

Bug Fixes

BZ#645127

While trying to mount a share (DFS or 'classic') with Kerberos, a "mount error(5): Input/output error" occurred due to a problem with the MIT krb5 libraries. cifs.upcall now sets the GSSAPI checksum properly in SPNEGO blobs. This is necessary for proper interoperability with EMC servers when using krb5 authentication, and allows for a successful mount .

BZ#667382

When mounting a share as root with kerberos, cifs.upcall used the ticket of root (/tmp/krb5cc_0) instead the one of the user specified with 'uid=' or 'user='. This was due to the --legacy-uid command line option for cifs.upcall not properly implementing. This patch ensures that it properly implements, allowing successful mounting of a share as root with kerberos.

BZ#669377

When two CIFS shares were mounted on the same server, each for a different user who had valid krb5 credentials, only the one mounted first could access the data. This was because cifs had a built in design limitation of a single set of credentials per mount. That limitation caused the implementation of a number of hacks to deal with it. With this patch mount.cifs now supports the 'cruid=' mount option, fixing this issue.

BZ#696951

mount.cifs did not handle numeric uid=, gid=, or cuid= options correctly, and would often return an error when they were specified. With this patch, a check is run to see if any error occurred by setting errno to 0 before the conversion. If one did then it will attempt to treat the value as a name, allowing them to be correctly handled.

Bug Fix

BZ#849047

Previously, it was not possible to specify start-up options to the dlm_controld daemon. As a consequence, certain features were not working as expected. With this update, it is possible to use the /etc/sysconfig/cman configuration file to specify dlm_controld start-up options, thus fixing this bug.

Bug Fixes

BZ#688201

cman quorum timeout is too short

BZ#595725

CMAN init script race condition has been fixed

BZ#617306

plock owner synchronization has been fixed

BZ#623810

plocks are now ignored until they written to their checkpoint

BZ#623816

plock signatures are now re-sent after a new totem ring forms

BZ#624844

post_join_delay now works after a loss and subsequent regain of quorum

BZ#634718

"service cman stop remove" now functions correctly

BZ#639018

Active cluster nodes with higher configuration version numbers are no longer killed when they join the cluster

BZ#577874

The ccs_tool man page no longer shows 'update' and 'upgrade' subcommands

BZ#614885

ccs_tool cluster configuration editing has been dropped

BZ#617234

The interaction between corosync and cman restarting independently of one another has been improved

BZ#617247

reporting of corosync's exit code has been improved

BZ#619874

cman_tool manual page no longer talks about "config version" as an argument to -r

BZ#620679

Qdiskd now stops voting and exits if removed from the configuration

BZ#624822

gfs_controld: fix plock owner in unmount

BZ#635413

Qdiskd now reports to users when the quorumd "label" attribute overrides the "device" attribute

BZ#636243

Qdiskd now has a hard limit on heuristic timeouts

BZ#649021

Pacemaker-specific versions of dlm_controld and gfs_controld have been removed since they are no longer required

BZ#657041

cman now allows users to select udpu (UDP unicast) corosync transport mechanism

BZ#663433

Qdiskd now assumes votes for each cluster node are 1 when not specified in cluster.conf

BZ#669340

The cman init script can no longer include an incorrect sysconf file

BZ#645830, BZ#618705, BZ#684020, BZ#629017, BZ#680172

The cluster.rng schema has been updated

BZ#680155

A memory leak in the XML parser has been fixed

BZ#688154

Heuristic checks are unreliable

BZ#688734

gfs2_convert no longer exits success without doing anything

BZ#628013

fsck.gfs2 was truncating directories with more than 100,000 entries

BZ#621313

fsck.gfs2 was processing some files twice

BZ#622576

fsck.gfs2 no longer crashes if journals are missing

BZ#632595

When mounting a gfs2 file system, the same device requested on the command line now appears in /proc/mounts and /etc/mtab

BZ#637913

gfs2_convert now resumes after an interrupted conversion

BZ#576640

fsck.gfs2 can now repair rgrps resulting from gfs_grow->gfs2_convert

BZ#624535

mkfs.gfs2 no longer segfaults with 18.55TB and -b512

BZ#656956

mkfs.gfs2 now supports discard request generation

BZ#663037

fsck.gfs2: reports master/root inodes as unused and fixes the bitmap

BZ#630005

gfs2_convert no longer corrupts the file system if the di_height is too large.

BZ#592964

Fenced now sends notifications over DBus

BZ#634623

gfs2_edit now outputs hexadecimal values in lower-case

BZ#634623

gfs2_edit now prints continuation blocks

BZ#634623

gfs2_edit's savemeta and restoremeta functions now report progress

BZ#674843

gfs2_edit has improved handling of corrupt file systems and enhanced

BZ#563901

It is now possible to prevent the cluster software from starting at boot using the kernel command line

BZ#560700

It is now possible to prevent the cluster software from starting at boot using the kernel command line

BZ#728247

Prior to this update, the "suborg" option was not allowed by the cluster configuration schema defined in the /usr/share/cluster/cluster.rng file. As a consequence, when the "suborg" option was specified for the fence_cisco_ucs agent, the cluster refused to validate the configuration schema. The "suborg" option is now properly recognized, which fixes the problem.

BZ#720100

Previously, when a custom multicast address was configured, the configuration parser incorrectly set the default value of the time-to-live (TTL) variable for multicast packet to 0. Consequently, cluster nodes could not communicate with each other. With this update, the default TTL value is set to 1, thus fixing this bug.

Bug Fix

635155

Fixes an issue in which, under certain error conditions, dapl could fail to properly clean up its internal state, potentially resulting in subsequent incorrect operation.

BZ#210200

Previous versions of coolkey would fail to operate correctly if the pcscd daemon in the pcsc-lite package was restarted. Proper operation could be restored by restarting the application which was using coolkey, for example, the Gnome screensaver or the Gnome login screen when used with a smart card login. With this update, applications no longer need to be restarted to function properly when the pcscd daemon is restarted.

BZ#630017

The su utility was previously not built with PIE and RELRO enabled, as they were in Red Hat Enterprise Linux 5. In this update, it is built as a PIE executable and is using RELRO protection.

BZ#628212

Previously, when reading a line longer than 16KiB, the tac utility reallocated its primary buffer. Before exiting, the tac utility tried to free the already freed original buffer, which caused a utility crash after a double free error displayed. This was fixed and the tac utility no longer frees an already freed buffer.

BZ#598631

Previously, the hardware control flow, DTRDSR, was implemented via TC{SG}ETX. This was changed to TC{SG}ET ioctl, which caused the CDTRDSR support in stty to fail. This was fixed to allow stty to correctly handle CDTRDSR control flow.

BZ#683799

Previously, the internalization patch for coreutils had an unsafe initialization of char* bufops that left bufops uninitialized or initialized to NULL on the first usage. This behavior called memmove from an incorrect address, namely from address 0 and size 0. This is now fixed and bufops is correctly initialized for the first use.

BZ#649224

Previously, when the multibyte LC_TIME differed from LC_CTYPE, an assertion failure caused the sort utility to crash irrespective of the parameters provided to it. This is fixed to prevent a crash when the sort utility is run and now works as expected.

BZ#660033

Previously, the information page about 8-bit octal values did not mention checking if the value was lower than 256. Due to this, when a command like "/bin/echo -e '\0610'" was used, the results were not accurate. This is now fixed to provide more accurate information about the behavior of octal values.

BZ#614605

Previously, when the dd utility used pipes, it read and wrote partial blocks. When the size of the block written was shorter than the specified maximum output block size, the "oflag=direct" would turn off, which resulted in degraded I/O performance. The workaround for this behavior, which involves the addition of "iflag=fullblock" is now available in the information documentation.

BZ#662900

Previously, documentation for tail command's --sleep-interval option did not outline the results of inotify support. This is now fixed and the documentation states that with inotify support, the --sleep-interval option is only relevant when the tail command reverts to the old polling-based method.

BZ#609262

Previously, the coreutils information page was not sufficiently clear about behavior when multiple parent and leaf node directories are created. This is now fixed to incorporate additional information in the coreutils information page about the @option mode and its behavior when combined with the --parents option.