NetworkManager allowed users to create completely insecure ad-hoc wireless networks and indeed, the default security setting for wifi sharing was "none". Because of this default setting and because NetworkManager did not warn users of the potential security risks, users could unwittingly compromise the security of their computers. Now, NetworkManager uses "WEP Passphrase" as the default security option for creating a new wifi network, and allows administrators to disable users' ability to share wifi connections without security in place, or their ability to share wifi connections at all. These measures make it less likely that a user could inadvertently compromise a sensitive system. (BZ#496247)

accessing the context (right-click) menu of the NetworkManager GNOME applet could trigger the GNOME Keyring Unlock dialog to appear, after which no X11 applications could receive keyboard or mouse events. Now, NetworkManager closes the context menu before requesting keyring items, and therefore avoids this situation. (BZ#476020)

NetworkManager did not export VPN configurations. When a user selected this function, NetworkManager would present an error message: "VPN setting invalid", even for a connection with valid settings. Network manager now exports VPN connections correctly. (BZ#485345)

due to faulty logic in the code, nm-applet would choose the lowest signal strength of all APs of the same SSID in the area and display this strength in the menu to represent the signal strength for that SSID. NetworkManager now correctly calculates wireless signal strength when multiple access points with the same SSID are present. (BZ#485477)

when NetworkManager fails to connect to a wifi network, it re-prompts the user for the passphrase for that network. Previously, NetworkManager did not retain the original text of the passphrase entered by the user. Therefore, when users selected the "Show password" option so that they could see what they had typed after a failed connection attempt, NetworkManager displayed the passphrase in hexadecimal form. NetworkManager now retains the original text of the passphrase and displays the original passphrase instead of a hexadecimal string when the user selects the "Show password" option. (BZ#466509)

NetworkManager has its own internal method of starting loopback devices, and does not use the configuration settings stored in /etc/sysconfig/network-scripts/ifcfg-lo. Previously, NetworkManager would produce an error, alerting users that the configuration settings were ignored. This error message could mislead users to think that a problem had occurred. Now, NetworkManager does not present this error message to the user, and avoids the potential confusion. (BZ#484060)

the NetworkManager package requires wpa_supplicant, but previously omitted the Epoch term for the wpa_supplicant package. Consequently, installing NetworkManager did not ensure that a suitable version of wpa_supplicant was installed on the system. Now, the NetworkManager package specifies the epoch for the version of wpa_supplicant that it requires. (BZ#468688)

NetworkManager displayed configuration options for VPN even when no VPN software was installed on the system. This could mislead users to think that they could make VPN connections in situations when it was not possible to make these connections. Now, the VPN submenu is hidden if no VPN services are installed on the system, avoiding the potential confusion. (BZ#464604)

some IPMI-enabled hardware makes use of UDP ports 623 (ASF Remote Management and Control Protocol) and 664 (ASF Secure Remote Management and Control Protocol), which corrupts other traffic on these ports, causing symptoms such as autofs mounts hanging. The OpenIPMI package provides a configuration file for xinetd that prevents other services from using these ports, so that they do not interfere with IPMI. On affected systems, the fix has to be enabled manually by setting "disabled = no" for the appropriate port(s) in /etc/xinetd.d/rmcp and (re)starting the xinetd service. (BZ#429329)

on the S/390 architecture, running "ipmicmd" to access the internal hash table of open connections caused the utility to segmentation fault. With this update, "ipmicmd" correctly handles the hash table and thus no longer crashes. (BZ#437013 )

the "rmcp_ping" utility did not perform checks on the arguments provided to it on the command line, and would accept invalid port numbers and/or start tags. (BZ#437256)

the ipmitool utility is shipped in the OpenIPMI-tools packages, and it was not possible to have other packages depend on "ipmitool" directly. These updated packages explicitly provide the "ipmitool" feature so that other packages are now able to reference it. (BZ#442784)

several libraries in the OpenIPMI packages contained unnecessary RPATH values, which have not been compiled in to these updated packages. (BZ#466119)

the OpenIPMI-devel packages contained manual pages which were already provided by the OpenIPMI packages and have therefore been removed from the OpenIPMI-devel packages. (BZ#466487)

the ipmievd daemon listens for events sent by the BMC to the SEL and logs those events to syslog. Previously, the OpenIPMI-tools package did not contain the init script for the "ipmievd" service. This init script is included in these updated packages. (BZ#469979)

previously, it was not possible to query "ipmitool" to determine whether SOL payloads were enabled or disabled for specific users. These updated packages introduce a new "ipmitool sol payload status" query that implements the "Gets User Payload Access Command" from the IPMI specification, thus allowing users' SOL payload access privileges to be queried. (BZ#470031)

the "ipmitool sel list" command displayed event IDs as hexadecimal numbers. However, it was not possible to then provide these values as parameters to other "ipmitool sel" commands. These packages include an updated ipmitool whose various "ipmitool sel" commands accept both decimal and hexadecimal ID values as parameters. (BZ#470805)

it was not possible to specify a Kg key with non-printable characters on the ipmitool command line. With this update, a Kg key can now be specified as a hexadecimal value using the '-y' command line option. (BZ#479252)

the "sensor list" section of the ipmitool(1) man page now describes each columnar value of the command "ipmitool sensors list". (BZ#479702)

new in this OpenIPMI 2.0.16 release is the OpenIPMI-gui package, which contains a GUI that provides a tree-structured view of the IPMI domains it is connected to. (BZ#504783)

the "ipmitool sol set" command now checks the values of arguments provided on the command line. (BZ#311231)

the ipmitool(1) man page has been updated to include descriptions for these commands: spd, picmg, hpm, firewall, fwum and kontronoem. (BZ#438539)

the /var/run/utmp configuration file is now correctly treated as a log file, and the hidden files (also known as "dot files") located in the root user's home directory are now checked for permission integrity only. These enhancements to AIDE should cause systems to produce fewer false alarms concerning files which have changed. (BZ#476542)

the "amtapetype" command had a bug in memory management: an invalid pointer was passed to the free() function. In some circumstances this caused amrecover to fail with a "Extractor child exited with status 2" error. The invalid pointer is no longer passed to free() and amrecover extracts files from a tape backup as expected. (BZ#476971)

previously, amanda sub-packages (including amanda-devel, amanda-server and amanda-client) were only required to be the same version as amanda: they did not check that their release was in sync with the base amanda package. This could cause the packages to go out-of-sync and malfunction if an attempt was made to update either the base amanda package or any of amanda's sub-packages. With this update, both the version and release are checked, ensuring all dependent packages remain in sync if either the base package or any sub-packages are updated. (BZ#497111)

a write-protected SD card could cause an installation failure even when the mount point was de-selected in the Disk Druid. (BZ#471883)

Anaconda occasionally attempted to delete nonexistent snapshots, which caused installation to fail. (BZ#433824)

if a boot file was retrieved via DHCP, Anaconda now saves it so that it can later be used to construct the default Kickstart file if the user boots with "ks" as a boot parameter. (BZ#448006)

driver disk locations can now be specified using the "dd=[URL]" option, where [URL] is an FTP, HTTP or NFS location. (BZ#454478)

the bootloader can now be located in the MBR on a software RAID1 boot partition. (BZ#475973)

Anaconda now installs multipath packages so that multipath devices work as expected following first reboot. (BZ#466614)

Anaconda prompted for the time zone even when the time zone was correctly specified in the Kickstart file. (BZ#481617)

on Itanium systems, the time stamps of installed files and directories were in the future. (BZ#485200)

the iSCSI Boot Firmware Table (iBFT) now works with Challenge-Handshake Authentication Protocol (CHAP) and reverse-CHAP setups. (BZ#497438)

Anaconda now correctly sets the umask on device nodes. (BZ#383531)

following a manual installation during which IPv6 was configured, the /etc/sysconfig/network-scripts/ifcfg-[interface] file (such as ifcfg-eth0) did not contain those IPv6 network details. (BZ#445394)

Anaconda now correctly handles LAN channel station (LCS) devices. (BZ#471101)

when using autostep mode with a Kickstart configuration file, Anaconda incorrectly prompted for a root password even when the root password was designated as encrypted. (BZ#471122)

empty repositories caused installation to fail. (BZ#476182)

large numbers of tape drives in the Kickstart file are now handled correctly. (BZ#476186)

hyphenated MAC address formats in the Kickstart file (e.g. "ksdevice=00-11-22-33-44-55") are now allowed. (BZ#480309)

an unexpected exception during Logical Unit Number (LUN) selection caused installation to fail. (BZ#475271)

when installing on a low-memory system or virtual machine over HTTP or FTP, a non-present "lspci" binary caused installation to fail. (BZ#476476)

Anaconda now correctly adds the user to the default group, and groups specified by "--groups", when performing a Kickstart installation. (BZ#454418)

the "cmdline" option, which specifies a non-Ncurses installation, is now honored in the Kickstart file. (BZ#456325)

Kickstart file download from an anonymous FTP site is now possible. (BZ#477536)

default configuration values are now suggested during System z installation. (BZ#475350)

hardware device descriptions have been enhanced to reflect expanded hardware support. (BZ#498511)

the Mellanox ConnectX mt26448 10Gb/E driver is now supported. (BZ#514971)

the mpt2sas driver is now supported. (BZ#475671)

the Emulex Tiger Shark converged network adatper is now supported. (BZ#496875)

the Marvell RAID bus controller MV64460/64461/64462 and Emulex OneConnect 10GbE NIC devices are now supported. (BZ#493179)

the IGB Virtual Function driver is now supported. (BZ#502875)

installation on RAID10 devices is now supported. (BZ#467996)

non-fatal errors and conditions are now ignored when installing from a Kickstart file. (BZ#455465)

stale LVM metadata can now be removed with the "--clearpart" option. (BZ#462615)

to aid in identifying the network card, an option to blink its LED for 5 minutes is now present. (BZ#473747)

IPv6 address validation on S/390 installations has been improved. (BZ#460579)

the previous aspell-nl update provided also an empty aspell-nl-debuginfo package. The dictionary packages for Aspell do not require debuginfo packages; this update therefore removes the extraneous aspell-nl-debuginfo package. (BZ#500540)

ausearch was unable to interpret tty audit records. tty records are specially-encoded, and the ausearch program could not decode them, which resulted in their being displayed in encoded form. These updated packages enable ausearch to interpret (i.e. decode correctly) TTY records, thus resolving the issue. ( BZ#497518 )

The aureport program was enhanced to add a '--tty' report option. This is a new report that was recently added to audit in order to aid in the review of TTY audit events. ( BZ#497518 )

when the log_format parameter was set to "NOLOG" in the auditd.conf configuration file, audit events which were queued in the internal message queue were not cleared after being written to dispatchers. This caused the internal message queue to grow over time, causing an auditd memory leak. With these updated packages the audit events in the internal message queue are properly cleared after being written, thus plugging the memory leak.

certain audit rules failed parser checks even though they were specified correctly, which prevented those rules from being loaded into the kernel. With this update, all correctly-specified audit rules pass parser checks and can be loaded into the kernel, thus resolving the problem.

the user-space audit tools use ausearch to search audit records. Ausearch does not contain logic to handle event-linked lists and previously, could not find records if they were out of chronological order. The logic to link these lists together and evaluate whether the list is complete is now available in the auparse library. Ausearch now uses auparse to handle these lists so that it can find records even when they are out of order. (BZ#235898)

the manual page for ausyscall did not document use of the "--exact" option. A description of "--exact" is now included. (BZ#471383)

due to a logic error, the "local_port = any" option for the audisp-remote plugin did not work as described in the manual page. When executed with this option, the plugin would display the error "Value any should only be numbers" and terminate. With the error corrected, the plugin works as documented. (BZ#474466)

previously, audisp would read not only its configuration file (in /etc/audisp/plugins.d/) but any files with names simlar to its configuration file found in the same directory, for example, backups of the configuration file. As a result, if a plugin were listed in more than one configuration file, it would be activated multiple times. audisp now reads only its configuration file and therefore avoids activating multiple copies of plugins. (BZ#476189)

previously, TTY audit results were reported in ausearch in their raw hexadecimal form. This format was not easily readable by humans, so ausearch now converts the hexadecimal strings and presents them as their corresponding keystrokes. Note that the "--tty" option has now been added to aureport to provide a convenient way of accessing the TTY audit report. (BZ#483086)

previously, when setting the output log format to "NOLOG", audit events would be added to the internal message queue but not removed from the queue when written to the dispatchers. The queue would therefore grow to consume available memory. Audit events are now removed from the internal queue to avoid this memory leak. (BZ#487237)

due to a logic error, auditctl was not correctly parsing options that included non-numeric characters. For example, the "-F a0!=-1" option would result in an error saying "-F value should be number for a0!=-1". With the error corrected, auditctl parses this rule correctly. (BZ#497542)

remote logging is a technology preview item and as such had some bugs. Robustness of this facility was improved.

on busy systems, pam had problems communicating with the audit system, which resulted in a timeout and being denied access to the system. We now loop a few times when checking for the event ACK.

On biarch system, a warning is emitted if audit rules don't cover both 64 & 32 bit syscalls of the same name.

Fix regression where msgtype couldn't be used for a range of types.

New aulast program helps analyse login session information.

If log rotation fails, auditd now leaves the old log writable.

A tcp_wrappers config option was added to auditd for remote logging.

Fix problem where negative uids in audit rules on 32 bit systems resulted in the wrong uid and therefore incorrect event logging.

when disabling caching using the system-config-authentication graphical interface or with the "authconfig --update --disablecache" command, authconfig did not properly stop ncsd, the name service cache daemon, which could have caused timeouts and delays during authentication or when user information was requested by applications. (BZ#471642)

on 64-bit architectures, a size mismatch between data structures led to an endlessly repeating pattern of output, though no error. This size mismatch has been fixed in this updated package so that authd works as expected.

attempting to connect to a Postgresql database using identd authentication resulted in error messages similar to the following in Postgresql's pg_log, where [user] is the username of the user attempting to connect:

CESTLOG:  invalidly formatted response from Ident server: "49795 ,
5432 : ERROR :[user]

This authd error has been corrected so that users are now able to log in successfully, thus resolving the issue.

previously, installing the authd package resulted in the creation of a user named "ident" with a home directory of /home/ident. With this updated package, the "ident" user is still created, but, by convention, ident's home directory is the root ("/") directory.

when connecting to an LDAP server while using SASL authentication, autofs occasionally failed with a segmentation fault, forcing users to restart the autofs service. This failure was caused by a double-free error in the cyrus-sasl module, which has been fixed in this updated package. Connecting to an LDAP server while using SASL authentication now works as expected. (BZ#504566)

Previously, automount did not return its status to its parent while it waited for the autofs daemon to complete its startup. As a result, the init script did not always report success when the service started sucessfully. Automount now returns its status and accurately reports when the service has started. (BZ#244177)

Autofs uses "umount -l" to clear active mounts at restart. This method results in getcwd() failing because the point from which the path is constructed has been detached from the mount tree. To resolve this a miscellaneous device node for routing ioctl commands to these mount points has been implemented in the autofs4 kernel module and a library added to autofs. This provides the ability to re-construct a mount tree from existing mounts and then re-connect them. (BZ#452122)

Previously, the version of autofs shipped with Red Hat Enterprise Linux 5 used the "-hosts" method as its default way to handle /net mounts. Using this method, it was necessary to reboot the client to release processes if if the connection to the server was lost. Now, autofs uses the "intr" option as its default, which allows the mount to be unmounted forcibly if necessary. (BZ#466673)

By default, autofs waits 60 seconds for a server to respond while performing a YP lookup. Previously, repeated attempts to perform lookups for non-existent directories could result in all available ports becoming congested. Autofs now maintains a cache of failed lookups and avoids repeated failures occupying the available ports. (BZ#469387)

The %{dist?} tag that is used by rpm spec files is defined in ~/.rpmmacros for the user building the package. However, this is not a reliable method of providing the "Release:" tag in a package, because the {%dist?} tag might not be defined for the user building the package. Previously, autofs relied on the {%dist?} tag to define "Release:" in its spec file, which meant that building it correctly depended on the user's ~/.rpmmacros file being set up appropriately. "Release:" is now defined directly in the autofs file system, which makes it more likely to build correctly on a greater number of systems. (BZ#471385)

Previously, the LDAP module lacked the ability to lock the server list. When used in SASL authenticated environments, this could cause autofs to fail if the credential for the connection became stale. The LDAP module can now lock a server list, and autofs refreshes and retries failed SASL connections. Autofs therefore performs more reliably when used in authenticated environments. (BZ#481139)

Submounts are detached threads that do not belong to the master map entry list. Previously, autofs did not release mount resources when a mount thread for a submount was terminated. With these resources not released, a segmentation fault during a shutdown or reboot of the system could result. Resources allocated to submounts are now explictly released in the code and the segmentation fault is therefore avoided. (BZ#482988)

Previously, autofs contained an an incorrect %token declaration in the master map parser. In some rare cases this could cause the timeout sent from the tokenizer to the parser to always be zero, which is interpreted as "never". As a result, indirect mounts would never expire, no matter how long they had been inactive. The %token declaration is now corrected, meaning that mounts expire as they should. (BZ#487151)

Previously, autofs used the select() function to process direct-mount maps and was therefore limited by the file descriptor limit (by default, 1024). As a consequence, autofs was not able to use direct-mount maps with numbers of entries larger than the limit, and would stop responding when it used up all available file descriptors. Now, autofs uses poll() instead of select() and is therefore no longer limited by the available file descriptors. Freed of this limitation, autofs can use large direct-mount maps. (BZ#487653)

Previously, autofs reported an incorrect buffer size internally when passing the startup status from the autofs daemon to the parent process. Although no specific consequences of this inaccuracy are known, the buffer size is now reported correctly to avoid any consequences arising in the future. (BZ#487656)

Previously, the additive hashing algorithm used by autofs to generate hash values would result in a clustering of values that favoured a small range of hash indexes and led to reduced performance in large maps. Autofs now uses a "one-at-a-time" hash function which gives a better distribution of hash values in large hash tables. Use of the "one-at-a-time" hash function safeguards lookup performance as maps increase to 8,000 entries and beyond. (BZ#487985)

Previously, autofs would not always read file maps. If a map had been loaded into cache, autofs would rely on checks to determine whether the map was up to date before reading the map. Because file maps require a linear search through the file, large maps consume significant resources to process. Now, autofs automatically loads file-based maps when it starts, and uses the map file mtime parameter to detemine whether the cache needs to be refresed. This avoids the processing overhead of checking a map before deciding whether to load it. (BZ#487986)

Previously, the autofs code contained a logic error that resulted in a crash under conditions of heavy load. When autofs was not able to create a new pthread, it would double free a value. Now, with the error corrected, when heavily loaded, autofs will fail to create a new pthread safely. It reports the failure, but does not crash. (BZ#489658)

Previously, autofs could use the LDAP server on a network only if the location of the LDAP server were specified manually. Now, if no LDAP server is specified, autofs can look up domain SRV server records to make LDAP connections. This functionality simplifies the use of autofs on networks where an LDAP server is available. (BZ#490476)

Previously, if a name lookup failed while creating a TCP or UDP client, automount would destroy the client, but would not set the rpc client to NULL. Therefore, subsequent lookup attempts would attempt to use the invalid rpc client, which would lead to a segmentation fault. Now, when a name lookup fails, autofs sets the rpc client to NULL, and therefore avoids the segmentation fault on subsequent lookup attempts. (BZ#491351)

Previously, in LDAP environments were both Red Hat Enterprise Linux and Solaris were in use, autofs would not correctly interpret master map keys added by Solaris. The auto_master file would therefore contain duplicate entries, where '%' symbols were interspersed between the characters of the map key names. Autofs now correctly parses the Solaris key names and does not create duplicate entries. (BZ#493074)

Previously, a stack variable was not initialized on entry to the create_udp_client() or create_tcp_client() functions. During an error exit, the stack variable was checked, and the corresponding file descriptor was closed if the variable had a value other than -1. This could result in incorrectly closing a file descriptor still in use. The stack variable is now initialized and descriptors currently in use should not be closed. (BZ#493223)

Due to a number of logic errors in the code, autofs could not remount a direct-mount NFS if the mount had expired following a map reload. The mount request would never complete, and "can't find map entry" would appear in the log. The logic errors are now fixed, and autofs can successfully remount an expired direct-mount NFS after a map reload. (BZ#493791)

Previously, thread locking was missing from the st_remove_tasks() function, which meant in turn that its calling function could not get the locks that it required. This could result in a segmentation fault and a crash of autofs. Now, with the thread locking properly in place, the segmentation fault is avoided. (BZ#494319)

Previously, when autofs looked up a host name where when one NFS server name was associated with multiple IP adresses, autofs would repeat the query many times. As a consequence of these multiple queries, the mount would take a long time. Now, redundant queries have been removed, so that autofs performs the mount more quickly. (BZ#495895)

When connecting to an LDAP server while using SASL authentication, autofs occasionally failed with a segmentation fault, forcing users to restart the autofs service. This failure was caused by a double-free error in the cyrus-sasl module, which has been fixed in this updated package. Connecting to an LDAP server while using SASL authentication now works as expected. (BZ#501612)

Previously, the method used by autofs to clean up pthreads was not reliable and could result in a memory leak. If the memory leak occurred, autofs would gradually consume all available memory and then crash. A small semantic change in the code prevents this memory leak from occurring now. (BZ#510530)

DNSSEC, the Domain Name System Security Extensions, are a set of specifications used to secure information provided by the domain name system. One of the specifications, DNSSEC Lookaside Validation (DLV), failed to handle unknown algorithms, which caused the name resolution of "gov" and "org" top-level domains to fail. DLV in these updated packages is now able to handle unknown algorithms, and thus the validation and resolution of top-level domains (such as "org" and "gov") succeeds, thus resolving the issue. (BZ#504794)

named occasionally crashed due to an assertion failure, and logged this error message to the system log:

named[PID]: socket.c:1649: INSIST(!sock->pending_recv) failed
named[PID]: exiting

This crash was caused by sockets being closed too early. With these updated packages, this assertion failure no longer occurs. (BZ#455802)

when using the '-4' option with the "host" and "dig" utilities to force them to use an IPv4 transport, the order in which IPv4 and IPv6 nameservers were listed in the /etc/resolv.conf configuration file affected whether the command would fail or succeed. This has been fixed so that these utilities continue to look for an IPv4 address, even past listed IPv6 addresses, when the '-4' option is supplied. (BZ#469441)

the "named-checkconf" utility ignored the "check-names" option in the /etc/named.conf configuration file, which caused the named daemon to fail to start, even if the configuration was valid. With these updated packages, "named-checkconf" no longer ignores the "check-names" option, and named starts up as expected. (BZ#491400)

the named init script did not handle the named_write_master_zones SELinux boolean or the permissions on the /var/named/ directory as documented. (BZ#494370)

a new configuration directive which informs secondary servers not to send DNS notify messages, "notify master-only", is now supported. (BZ#477651)

dynamic loading of database back-ends is now supported with these updated packages. (BZ#479273)

the "allow-query-cache" option, which allows control over access to non-authoritative data (such as cached data and root hints), is now supported. (BZ#483708)

the sample /etc/named.conf configuration file provided with these packages has been improved. (BZ#485393)

the "objdump" and "size" utilities were not recognizing ELF64-i386 object files. Such files are not normally produced on 32-bit x86 architectures. However, the kdump utility does produce such files on Physical Address Extension (PAE)-enabled kernels. With these updated packages, it is now possible to use the objdump and size utilities on ELF64-i386 object files. (BZ#457189)

due to a rare linking error, producing certain executables caused multi-megabyte zero-filled gaps in the executables. This did not affect the running of excutables affected by this bug. This linker error has been corrected in these updated packages so that executables do not contain spurious zero-filled gaps. (BZ#458301)

the error message for the "strings -n [non-number]" command were less clear than in the previous package release, and therefore has been reverted and clarified. (BZ#480009)

the c++filt(1) man page contained a typo when giving the syntax for the recognized '--strip-underscore' option. (BZ#485194)

the c++filt(1) man page incorrectly mentioned the '-j' and '--java' options, which are not available when running c++filt. These mentionings have been removed from the man page. (BZ#495196)

busybox provides a diff utility that is used extensively during installation. When this diff utility was called using the '-q' option, which reports only whether the files differ and not the details of how they differ, it always exited with an exit status of 0, indicating success. With this busybox update, the command "diff -q" correctly returns an exit status that corresponds to the same exit status returned when calling "diff" without the '-q' option, thus resolving the issue. (BZ#385661)

invoking the "uname -p" command resulted in the processor type being listed as "unknown" when it should have been listed, for example, as "x86_64", or "i686". With these updated packages, "uname -p" either prints the processor type if known, or, if it is unknown, then the command is silent. This behavior now corresponds to the behavior of the uname command in coreutils. (BZ#480105)

using BusyBox's rpm applet to install an rpm caused busybox to exit due to a segmentation fault caused by a memory corruption error. This has been fixed in these updated packages so that installing rpms using the "busybox rpm" command works as expected and does not fail with a segmentation fault. (BZ#466896)

the busybox packages also contained empty debuginfo packages. These have been removed from this update. (BZ#500547)

Removing a node from the cluster using the 'cman_tool leave remove' command now properly reduces the expected_votes and quorum.

Quickly starting and stopping the cman service no longer causes the cluster membership to become inconsistent across the cluster.

'group_tool ls fence' no longer exits with return code '1' when the group exists but has an id of zero.

Connections to openais are now allowed from an unprivileged CPG clients with the user 'ais' or an initial login group of 'ais'.

Nodes are no longer ejected from the cluster that were quorate on their own if they do not have a state.

a buffer could overflow if cluster.conf had more than 52 entries per block inside the <cman> block. The limit is now 1024.

the output of the group_tool dump subcommands were NULL padded.

using device="" instead of label="" no longer causes qdiskd to incorrectly exit.

the IPMI fencing agent has been modified to time out after 10 seconds. It is also now possible to specify a different timeout value with the '-t' option.

the IPMI fencing agent now allows punctuation in passwords.

quickly starting and stopping the cman service no longer causes the cluster membership to become inconsistent across the cluster.

an issue with lock syncing caused 'receive_own from' errors to be logged to '/var/log/messages'.

an issue which caused gfs_controld to segfault when mounting hundreds of file systems has been fixed.

the LPAR fencing agent now properly reports status when an LPAR is in Open Firmware mode.

the LPAR fencing agent now works properly with systems using the Integrated Virtualization Manager (IVM).

the APC SNMP fencing agent now properly recognizes outletStatusOn and outletStatusOff return codes from the SNMP agent.

the WTI fencing agent can now connect to fencing devices with no password.

the rps-10 fencing agent now properly performs a reboot when run with no options.

the IPMI fencing agent now supports different cipher types with the '-C' option.

qdisk now properly scans devices and partitions.

cman now checks to see if a new node has state to prevent killing the first node during cluster setup.

'service qdiskd start' now works properly.

the McData fence agent now works properly with the McData Sphereon 4500 Fabric Switch.

the Egenera fence agent can now specify an SSH login name.

the APC fence agent now works with non-admin accounts when using the 3.5.x firmware.

fence_xvmd now tries two methods to reboot a virtual machine.

connections to OpenAIS are now allowed from unprivileged CPG clients with the user and group of 'ais'.

groupd no longer allows the default fence domain to be '0', which previously caused rgmanager to hang. Now, rgmanager no longer hangs.

the RSA fence agent now supports SSH enabled RSA II devices.

the DRAC fence agent now works with the Integrated Dell Remote Access Controller (iDRAC) on Dell PowerEdge M600 blade servers.

fixed a memory leak in cman.

qdisk now displays a warning if more than one label is found with the same name.

the DRAC5 fencing agent now shows proper usage instructions for the '-D' option.

cman no longer uses the wrong node name when getnameinfo() fails.

the SCSI fence agent now verifies that sg_persist is installed.

the DRAC5 fencing agent now properly handles modulename.

QDisk now logs warning messages if it appears its I/O to shared storage is hung.

fence_apc no longer fails with a pexpect exception.

removing a node from the cluster using 'cman_tool leave remove' now properly reduces the expected_votes and quorum.

a semaphore leak in cman has been fixed.

'cman_tool nodes -F name' no longer segfaults when a node is out of membership.

support for: ePowerSwitch 8+ and LPAR/HMC v3 devices, Cisco MDS 9124 and MDS 9134 SAN switches, the virsh fencing agent, and broadcast communication with cman.

fence_scsi limitations added to fence_scsi man page.

Copy percentage of corelog mirror no longer hangs due to stale checkpoint data.

A segfault in clogd was fixed; the segfault was caused by mirrors being suspended too quickly after being started.

The large number of dm-log-clustered timeouts generated by a pvmove no longer causes a cluster deadlock.

Remnants of a moved device no longer remain in a volume group.

Device-mapper userspace logs now have a local unique identifier to prevent issues when two logs have the same UUID.

kmod-cmirror packages now use symbols that are on the kernel ABI whitelist. (BZ#481689)

A bug that prevented Microsoft Internet Explorer from working correctly with the Luci server has been fixed.

A bug that caused some operations to fail when accessing Conga via Microsoft Internet Explorer was fixed.

A bug that caused quorum disk heuristics to be lost after changing quorum disk main properties was fixed.

A bug that made it impossible to set failover domains for virtual machine services was fixed.

A bug that required that a fence device password be provided when a password script has been defined was fixed.

A bug that caused the "run exclusive" cluster service attribute to always be shown as having been selected was fixed.

A bug that caused adding existing Red Hat Enterprise Linux 4 clusters to the management interface to fail was fixed.

A bug that caused updating existing fence devices to fail in some circumstances was fixed.

A bug that caused the ricci storage module to fail to read mdadm device information was fixed.

Support for configuration of LPAR fencing.

Support for configuring NFS locking workarounds for cluster services.

Support for choosing between the Xen and KVM hypervisors for virtual machine services.

previously, it was not possible to compile coreutils without SELinux support. This has been fixed so that removing the "--enable-selinux" option from the spec file allows coreutils to compile successfully. (BZ#488730)

the "join" utility, which joins two text files, or a file and standard input, on a line-by-line basis, could experience a segmentation fault when running under a multibyte locale. In addition, multibyte locales could cause "join" to produce unexpected results. With this updated package, these coding errors have been corrected so that "join" completes correctly and successfully when run under a multibyte locale. (BZ#497368)

the "df" utility reports the disk usage of a directory within a file system. Using "df" on a directory which contained autofs mount points under it did not cause autofs to mount those directories, which resulted in "df" not factoring in the disk usage of those automount directories. With this update, invoking the "df" command does trigger automount, which in turn results in a correct disk usage count. (BZ#497830)

several other utilities in the coreutils package possessed undocumented options, which could have led to user confusion. Those undocumented options have been removed from their respective utilities, thus reducing the possibility for confusion. (BZ#468030)

the "chmod", "chown" and "chgrp" commands all take the following options, which have the same effect: "-f", "--silent" and "--quiet". These flags cause the command to suppress most error messages. However, calling the command with one of these options on a non-existent file caued the command to output the following message: "No such file or directory". These options now suppress error messages when called on non-existent files. (BZ#474220)

the tail(1) man page contained a formatting error and a typo, both of which have been rectified. (BZ#470788)

the rm(1) man page stated that the "rm" command possessed a "--directory" ('-d') option, whose purpose was to allow the removal of directories, including non-empty directories. However, invoking "rm --directory [dir]" always resulted in the following error message: "rm: cannot remove `some_dir': Is a directory". The rm(1) man page has been corrected and no longer lists "--directory" as an option. The recommended switch for recursively removing a directory and its contents is "--recursive" ('-r'). (BZ#473472)

the coreutils package's locale directories were not owned by the coreutils package. This has been corrected by ensuring that all locale directories are owned by the package. (BZ#481804)

the '-v' option of the "ls" command sorts directory listings based upon version numbers. However, "ls -v" did not sort vmlinuz-[version] files from the /boot/ directory in the correct order. This updated coreutils package enhances both "ls -v" and "sort -V" so that they are now able to sort /boot/vmlinuz-[version] files correctly. (BZ#253817)

the "install" command now supports the "--compare" ('-c') flag, which causes "install" to compare each pair of source and destination files and, if the destination file's content is identical to the source (and disregarding any discrepancy between the owner, group, permissions and possibly SELinux context) then the destination file is not modified and the modification time is left unchanged. (BZ#453447)

the "cp" and "mv" utilities now support the preservation of extended attributes on files and directories. In addition, Access Control Lists (ACLs) are now preserved when copying or moving files (with "cp" or "mv") to or from NFSv4-mounted file systems. (BZ#454072)

when called with the "--pass-through" ('-p') option, which enables copy-pass mode, cpio did not always set the permissions of copied directories correctly. In certain circumstances, cpio always created directories with a permissions mode of 700 and did not respect the system umask. With this updated package, cpio copies directories while honoring the umask setting when using copy-pass mode, which resolves the issue.

cpio was unable to write to a file on a remote system when using the "-O [archive]" option along with "--rsh-command". With this update, cpio is once again able to write files to remote systems. Note that the default remote shell is defined as /usr/bin/rsh.

the cpuspeed init script loaded the speedstep-centrino driver on Intel systems, even when the acpi-cpufreq driver had already loaded successfully. With both these drivers loaded, the system would not handle P-states correctly. The cpuspeed init script now attempts to load the speedstep-centrino driver only as a fallback for situations where it has not been able to load the acpi-cpufreq driver. Intel systems that can use the acpi-cpufreq driver no longer load the speedstep-centrino driver, and now handle P-states correctly. (BZ#485480)

a development version of this package attempted to make cpuspeed run reliably on Xen kernels by only allowing cpuspeed to start on Xen kernels if the number of virtual CPUs in dom0 equalled the number of physical CPUs in the system. However, this condition can never be true until xend starts, and xend starts after cpuspeed. Therefore, cpuspeed would only run properly on Xen kernels if cpuspeed were restarted after the system completed the boot process. The restriction that cpuspeed can only start if the number of virtual and physical kernels are equal has therefore been removed, allowing cpuspeed to start on Xen kernels even when xend has not yet started. (BZ#488924 , BZ#498406 , BZ#492139)

The bt command displays a task's kernel-stack backtrace. When running this command against an x86 Xen kernel vmcore, crash did not correctly handle the transition from the IRQ stack back to the process stack, leading to a segmentation fault. The version of crash provided with this advisory contains a patch that corrects this issue, allowing users to analyze a vmcore file from a system with an x86 Xen kernel.

if entered alone on the command line, the "set" command would cause a segmentation violation, because there is no concept of a "context" in the Xen hypervisor. Crash now prompts the user to provide an option with "set", and provides more meaningful error messages if the option selected is not applicable. (BZ#462819)

crash would indicate "irq: invalid structure size: gate_struct" and dump a stack trace leading to x86_64_display_idt_table() when the "irq -d" option was run on AMD64 and Intel 64 Xen kernels. Now it will indicate that the -d option is not applicable. (BZ#464116)

the "bt" command did not work correctly when running against the Xen hypervisor binary. The "bt -o" option, and setting it to run by default with "bt -O", would fail with the vmlinux-specific error message "bt: invalid structure size: desc_struct" with a stack trace leading to read_idt_table(). Now, it will display the generic error message "bt: -o option not supported or applicable on this architecture or kernel". The "bt -e" or "bt -E" will also display the same error message, as opposed to the command usage message. Lastly, the "bt -R" option would cause a segmentation violation; it has been fixed to work as it was designed. (BZ#464288)

when run on a Xen hypervisor in which the backtrace leads to either "process_softirqs" or "page_fault", the "bt" command backtrace would indicate: "bt: cannot resolve stack trace". The recovery code would then terminate the command with the nonsensical error message: "bt: invalid structure size: task_struct". The command now properly terminates the backtrace. (BZ#474712 , BZ#466724)

when run against the Xen hypervisor where the number of physical cpus outnumber the MAX_VIRT_CPUS value for the processor type, the "bt -a" command would fail after displaying backtraces for the first 32 (MAX_VIRT_CPUS) pcpus with the the error message: "bt: invalid vcpu". The command now shows backtraces for all pcpus. (BZ#471790)

the "mod -[sS]" command would fail with the error message: "mod: cannot find or load object file for <name> module" if the target module object filename contains both underscore and dash characters. Crash now parses these filenames correctly. (BZ#480136)

an existing Itanium INIT and MCA handler bug incorrectly writes the pseudo task's command name in its comm[] name string such that the CPU number may not be part of the string. The "bt" command could not link back to a PID 0 swapper task that was interrupted by an Itanium INIT or MCA exception, and displayed the error message: "bt: unwind: failed to locate return link (ip=0x0)!" Crash now uses a different method to obtain the CPU number for the interrupted task, and the backtrace correctly transitions back to the interrupted task. (BZ#487429)

the starting backtrace location of active, non-crashing, xen dom0 tasks are not available in kdump dumpfiles, nor is there anything that can be searched for in their respective stacks. Therefore, for these tasks, the "bt" command would show either an empty backtrace or an invalid backtrace starting at the last location where schedule() had been called. Instead, the "bt" command now provides an error message for these tasks that indicated "bt: starting backtrace locations of the active (non-crashing) xen tasks cannot be determined: try -t or -T options". (BZ#495586)

Running the "bt" command against an x86 Xen kernel vmcore, the transition from the IRQ stack back to the process stack led to a segmentation fault. (BZ#478904)

the cryptsetup luksFormat command now properly wipes old filesystem signatures. (BZ#468910)

the exit code for cryptsetup status command is no longer incorrect. (BZ#439191)

the cryptsetup password entry message now includes the device name for which the user is being prompted. (BZ#437261)

the libcups library's HTTP state machine could get into a busy loop when a connection was closed at an unexpected point. (BZ#474323)

web interface template files and translated template files were not marked as configuration files so local modifications to them would be lost when applying updates. This update will also cause local modifications to those files to be lost, but will prevent the same situation occurring with future updates. (BZ#474769)

the "compression" job option was encoded with the wrong IPP tag, preventing the "document-format" job option from overriding automatic MIME type detection of compressed job files . (BZ#474814)

the "mailto" CUPS notifier used the wrong line ending when transferring messages to an SMTP server, causing it not to send any notifications. (BZ#474920)

automatic MIME type detection would fail when the document name was required by the relevant rule but only one file was present in the job. MIME detection would also fail with some rules using "+" (e.g. application/x-shell). (BZ#479635)

incorrect web interface URLs would be given when the server's domain name resolved to a local loopback address on the server. (BZ#479809)

the CUPS configuration file directive "Satisfy Any" was not correctly implemented, causing access to be restricted in situations where it should not have been. (BZ#481303)

an optimization in the libcups library for fetching details of a print queue when its name is known caused problems with obtaining the name of the default printer when "lpoptions" files listed a non-existent queue as the default. (BZ#481481)

RPM verification would fail on configuration files even though content changes were expected. (BZ#487161)

the CUPS scheduler requires an updated version of the krb5 package in order to function correctly but this was not an RPM dependency. (BZ#489714)

the text-only filter would not send form-feed characters correctly. (BZ#491190)

incorrect IPP-Get-Jobs requests, accepted by CUPS in current versions of Red Hat Enterprise Linux but rejected in newer versions of the upstream package, were generated by the cupsGetJobs2() API function and by the lpstat and lpq commands. (BZ#497529)

mismatches between hosts sometimes caused the CVS client to present incorrect credentials to servers with gserver authentication. This update ensures the correct credentials are supplied by confirming the IP address of the currently-connected server so that host mismatch does not occur. (BZ#473245)

attempting to process large numbers of files with long names caused problems with some scripts due to lengthy command line arguments. This problem has been resolved by adding the possibility of passing arguments through standard input. (BZ#462062)

attempting to connect to the update server failed and resulted in the following error messages being logged to /var/log/maillog:

connect(192.168.11.110) failed: Invalid argument
couldn't connect to MUPDATE server
[IP address]: no connection to server
FATAL: error connecting with MUPDATE server

These updated packages correct this problem so that connecting to the update server now works as expected. (BZ#326511)

on systems with 64-bit architectures, cyrus-imapd experienced a segmentation fault when replication was enabled. (BZ#484377)

more detailed information has been added to the ctl_cyrusdb(8) man page, which explains how to perform operations common to Cyrus databases. (BZ#463230)

the shadow authentication method was not working properly on 64 bit architectures. The saslauthd might randomly crash if it was configured to authenticate against the shadow file. (BZ#433583)

the rimap authentication method was not working properly when user passwords contain double quote characters. The saslauthd process would hang when it was configured to authenticate with the rimap method and user password contained such characters. (BZ#438533)

the saslauthd init script did not support a reload command although it was mentioned in the init script usage instructions. The reload is now implemented as a conditional restart of the saslauthd daemon. (BZ#448154)

the pluginviewer command did not display plugins which were not statically linked into it. The pluginviewer command is now linked dynamically so it can display any cyrus-sasl plugins which are installed on the system. (BZ#473197)

the ldap authentication method had very long timeout for network failure detection. The saslauthd now sets a network failure timeout based on the ldap_timeout configuration option. (BZ#475726)

These updated db4 packages fix a bug which, in certain circumstances, could have caused database environment recovery to fail.

Fixes crash when dmsetup -U, -G, and -M options are used.

Enforces device name length and character limitations.

Adds "all" field to "-o fields" option, expanding to all fields of report type. That is, you can add -o <field_name> to specify which fields to print in certain commands; "-o all" expands to all possible fields known to report.

Library now exports dm_tree_node_size_changed function and correctly propagates table size change up the device tree.

Prints warning message if application releases the library and a memory pool is still in use (indicating a possible memory leak).

Library is now compiled from merged device-mapper LVM2 tree (device-mapper library is now part of LVM2 source code tree).

there was a race condition in the shutdown code for multipathd wherein a lock could be destroyed before all threads were finished using it. This could cause the machine to become unresponsive on multipathd shutdown. The multipathd daemon now waits for all threads to finish using the lock before destroying it, thus removing the race and resolving the issue.

when adding a new multipath-capable block device, a race condition existed between the multipathd daemon and udev to multipath the new device. If udev--through multipath--updated the multipath devices first, then the multipathd daemon would not use the device-specific configurations for the device when it started monitoring the path. With this update, multipathd now correctly configures the device, even when udev notices it first, thus resolving the issue.

multipath must be able to open a file descriptor for each path that it monitors, plus 32 other file descriptors. By default, multipath can open 1024 file descriptors, which is sufficient for it to monitor 992 paths. If multipath is not able to open all the file descriptors that it needs, the multipath daemon will not function correctly, and in Red Hat Enterprise Linux 5.3, this situation exposes a kernel memory leak that can cause a system to stop responding. Previously, multipath would not warn users that it could not open enough file descriptors. Now, when multipath runs out of file descriptors, it prints an error message. System administrators can allow multipath to open more file descriptors by setting "max_fds" in the multipath.conf file to a sufficiently high number, or by setting "max_fds" to "max" to allow multipath to open as many file descriptors as the system allows.

Occasionally multipathd was ignoring a device's hardware type when configuring it after a path was added.

Multiple documentation errors were fixed.

Multipathd would occasionally hang or crash while shutting down.

Multipath would always return a failure exit code when removing a device with multipath -f/-F.

Multipathd wouldn't free its resources when it failed to execute a callout.

Multipathd would always return a success exit code for interactive commands, even if the command failed or was invalid.

The mpath_prio_alua pritority callout was failing on some setups because a buffer was too small.

Multipathd was holding mount points in the /etc directory busy, even after they were unmounted.

Multipath and multipathd were racing to create the mulitpath devices for newly added block devices. This was causing device creation to take a long time on some systems, and could even cause devices to have incorrect configurations.

Default configurations were added for the Compellent Storage Center and the IBM DS3200, DS3300, DS4700, and DS5000.

It is now possible to set the verbosity level for the multipath and multipathd commands in /etc/multipath.conf.

The TUR path checker retries on more transient errors, so that multipathd will not fail a path due to a transient error.

There is a new priority callout mpath_prio_intel to support the Intel Modular Server.

There is now a multipath.conf.5 man page that explains the /etc/multipath.conf configuration file.

Supplying an interface name (on the command line) that was longer than the size declared by the IFNAMSIZ macro caused an unexpected segmentation fault. This update contains an added process that properly checks the validity of interface names, which resolves this issue. (BZ#441524)

This update corrects a bug in the way the dhclient-script file processed the $localClockFudge variable. In previous releases, this bug caused the NTPD daemon to restart unexpectedly at times. (BZ#450301)

dhclient now retains relay agent options when it enters the INIT and REBIND states. (BZ#450545)

A bug in the network shutdown code prevented dhclient from correctly honoring the PEERNTP and PEERDNS variables in /etc/sysconfig/network-scripts/ifcfg-* files. This caused dhcp to replace a modified /etc/ntp.conf file with a default version during a network service restart. This update fixes the bug, ensuring that dhclient-script no longer replaces the /etc/ntp.conf file upon network service restart if PEERNTP and PEERDNS are both set to 'yes'. (BZ#471543)

The dhcpd and dhcrelay init scripts do not support the 'try-restart' and 'reload' arguments. In previous releases, however, using these arguments did not output any error messages to inform the user that the restart/reload attempt failed. With this release, using the unsupported 'try-restart' or 'reload' arguments with the dhcpd or dhcrelay init scripts will correctly display the usage screen and exit the script with a status code 3. (BZ#491868)

the previous version of the dmidecode package was based on upstream version 2.7 and lacked support for a variety of newer hardware. The package now provides version 2.9, which: ( BZ#459048 )

the default method used by dmidecode to retrieve entries from the DMI table produces unaligned access errors when used on Itanium systems. When built for the Itanium architecture, this version of the package includes a workaround that avoids these errors. ( BZ#459048 ).

The dmraid logwatch-based email reporting feature has been moved from the dmraid-events package into the new dmraid-events-logwatch package. Consequently, systems that use this dmraid feature need to complete the following manual procedure: 1. Ensure the new 'dmraid-events-logwatch' package is installed. 2. Un-comment the functional portion of the "/etc/cron.d/dmeventd-logwatch" crontab file.

The sgpio and dmevent_tool applications get installed with the dmraid package now.

The drive order for isw RAID01 sets is now identical with the OROM order.

Various issues with wrong LED rebuild and metadata states have been fixed.

Device Failure Monitoring, using the tools dmraid and dmevent_tool, is now included in Red Hat Enterprise Linux 5.4 as a Technology Preview. Device Failure Monitoring provides the ability to watch and report device failures on component devices of RAID sets.

dmraid now automatically activates device event monitoring for the isw metadata format (Intel IMSM). The dmevent_tool is still available to allow for manual (de)registration.

dmraid now supports an "--rm_partitions" option to allow for removing partition devices for RAID set component devices.

Activation of isw RAID sets on disks with long serial numbers is now supported.

dos2unix did not allow for instances where a user specified the -c option without a conversion mode name following it. An input in this format would therefore result in a segmentation fault. Dos2unix now exits safely with a message to the user that option -c requires an argument.

when dos2unix created a new file as the output of its conversion (when run with the -n option), the new file would always have its permission mode set as 600, regardless of the permission mode of the original file. Dos2unix now sets the permission mode for the new file to be the same as the mode of the old file, filtered through the user's umask.

when running the dump command without specifying a dump level, then neither did dump's output indicate the dump level, as in the following example output:

DUMP: Date of this level  dump: Thu Apr  2 09:05:09 2009
DUMP: Date of this level  dump: Thu Apr  2 09:05:09 2009

This has been corrected in these updated packages so that the dump level is no longer missing in output in which it is shown.

When the dump command was called without a default dump level specified on the command line, then the dump level defaulted to 0, while the dump(8) man page stated that the default level was 9. The actual default dump level that is used when this is not specified in arguments to dump is 0, and the man page has been changed to reflect this.

the restore(8) man page, as well as the program's help information, incorrectly implied that the '-P [file]' option could be used in conjunction with the '-A [archive_file]', which is not the case. Attempting to use both options results in the following error message: "restore: A option is not valid for P command". The restore(8) man page and restore's help has been corrected so that it is clear that the '-A' and '-P' options cannot be used together.

several typos in the dump(8) man page were corrected.

on some systems with manually-operated DVD drive trays (ie drives that cannot be closed mechanically, such as most slim-line drive trays), burning data to DVD media would produce an erroneous "Error writing to disk" alert. The data was, in fact, successfully burnt to the DVD and the newly burnt DVD was then ejected. The inability of the drive tray to close mechanically, however, caused dvd+rw-tools to return an "unable to reload tray" message which, in turn, caused the 'writing to disk' error to present. With this update, dvd+rw-tools treats the underlying "START_STOP_UNIT" message properly and, consequently, the misleading alert does not present. (BZ#390961)

a typo in the dvd+rw-tools.spec file was corrected. The "%{dist}" tag on the "Release" line was corrected to "%{?dist}". The correction ensures an rpm can be built from the dvd+rw-tools source even if a distribution is not defined in either the Makefile or your local ~/.rpmmacros file. (BZ#440621)

when mke2fs or resize2fs was run on a device of exactly 2^32 file system blocks (16 terabytes for 4 kilobit blocks), these commands would fail with a "File too large" error, because the maximum file system size was 2^32-1 blocks. mke2fs and resize2fs now round down by one block to allow the commands to succeed for devices of exactly 2^32 blocks, and the error no longer presents. ( BZ#241285 )

the German localization of an e2fsprogs process contained a typographical error. This has been corrected and the correct line now displays. (BZ#488960)

the e2fsck method, pass3, would use a pointer regardless of whether it contained a null value. This would result in a segfault. The method has been corrected and the problem no longer presents. ( BZ#505110 )

the ismounted method was set to use two arguments when it required three. This has been corrected, and the method now works as expected. ( BZ#505110 )

the debugfs method, logdump, performed a call to fclose without checking that the value being passed was not null. This would result in segfault. The method now checks for a null before attempting to pass the value, and does not call fclose if a null is present. (BZ#505110)

a typographical error in the uuidd initscript that caused an incorrect status to me set has been corrected. (BZ#506080)

running mke2fs on devices larger than 8 terabytes required the "-F" (force) option to succeed. This update removes that requirement. (BZ#241285)

invoking the "stats" command while at the "debuge4fs" prompt could cause "debuge4fs" to segmentation fault due to a missing check to see whether the file system was currently open. This has been fixed in this updated package so that calling "stats" is now safe. (BZ#482894)

a new package, ecryptfs-utils-gui, has been added to this update. This package depends on the pygtk2 and pygtk2-libglade packages and provides the eCryptfs Mount Helper GUI program. To install the GUI, first install encryptfs-utils and then issue the following command:

yum install ecryptfs-utils-gui

(BZ#500997)

the "ecryptfs-rewrite-file" utility is now more intelligent when dealing with non-existent files and with filtering special files such as the "." directory. In addition, the progress output from "ecryptfs-rewrite-file" has been improved and is now more explicit about the success status of each target. (BZ#500813)

descriptions of the "verbose" flag and the "verbosity=[x]" option, where [x] is either 0 or 1, were missing from a number of eCryptfs manual pages, and have been added. Refer to the eCryptfs man pages for important information regarding using the verbose and/or verbosity options. (BZ#470444)

mounting a directory using the eCryptfs mount helper with an RSA key that was too small did not allow the eCryptfs mount helper to encrypt the entire key. When this situation occurred, the mount helper did not display an error message alerting the user to the fact that the key size was too small, possibly leading to corrupted files. The eCryptfs mount helper now refuses RSA keys which are to small to encrypt the eCryptfs key. (BZ#499175)

when standard input was redirected from /dev/null or was unavailable, attempting to mount a directory with the eCryptfs mount helper caused it to become unresponsive and eventually crash, or an "invalid value" error message, depending on if the "--verbosity=[value]" option was provided as an argument, and, if so, its value. With these updated packages, attempting to mount a directory using "mount.ecryptfs" under the same conditions results in either the mount helper attempting to use default values (if "verbosity=0" is supplied), or an "invalid value" error message (instead of the mount helper hanging) if standard input is redirected and "--verbosity=1" is supplied, or that option is omitted entirely. (BZ#499367)

attempting to use the eCryptfs mount helper with an OpenSSL key when the keyring did not contain enough space for the key resulted in an unhelpful error message. The user is now alerted when this situation occurs. (BZ#501460)

the eCryptfs mount helper no longer fails upon receiving an incorrect or empty answer to "yes/no" questions. (BZ#466210)

If a smart card were inserted when the esc daemon was already running then there could be odd behaviors when the ESC GUI was opened. For example, if the smart card was blank, then the Phone Home configuration dialog would not open. When the smart card was removed, then esc could crash. (BZ#496410)

If a user attempted to re-enroll a formatted token when the RE_ENROLL value was set to NO, then the ESC wrongly gave an error that the token was suspended, not that re-enrollment wasn't allowed. This message has been corrected. (BZ#494981)

Certificate System previously supported re-enrollment for tokens, which allows a formatted token to be re-formatted with new certificates. This enhancement also allows smart cards to have renewal operations, so existing certificates can have renewed.

This release includes enhancements to streamline the security officer mode for ESC. Security officer mode allows designated users to perform in-person token enrollments, as added security. This simplifies launching the ESC GUI in security officer mode.

generic receive offload (GRO) has been added to some network drivers in Red Hat Enterprise Linux 5.4. GRO aggregates packets before they're processed by the rest of the stack. This allows TCP performance to be greatly enhanced at high speeds. In particular, it's crucial for good 10GbE performance. With GRO enabled, you should observe higher throughput, lower CPU utilization of network traffic, or both; especially with smaller message sizes.

The kernel in Red Hat Enterprise Linux 5.4 allows users to manually control whether GRO is enabled for supported ethernet adapters. This updated ethtool provides a command-line interface -- "ethtool -k" -- for setting and querying that flag. (BZ#509398)

when printing "n" copies of a non-postscript document, "n times n" copies were printed instead. (That is, if two copies were requested, four copies -- 2 x 2 -- were printed.) This flaw has been corrected. Note: the underlying cause of this problem also influenced collated printing, reversed printing and printing of sets of pages. (BZ#439937)

when adding a new Exchange account, a Mailbox name separate from the user name can now be specified. (BZ#205787)

pasting text into an event summary by issuing the Ctrl+V control code did not work as expected. (BZ#208356)

running Evolution in a different language caused it to not display certain translations such as "On This Computer", "Personal" and specific calendar and address book names. (BZ#210858)

when attempting to import a certificate from the Edit Preferences -> Certificates menu, the subsequent Trust dialog box appeared below the file selector window, forcing users to manually move both windows in order to accomplish the task. (BZ#212206)

Evolution crashed due to a segmentation fault when reading certain email messages when accessibility was enabled. (BZ#212481)

attempting to import a vCard File containing contacts into a new address book created during the import process failed, and no contacts were imported. All contacts imported in this way are now present in the new address book. (BZ#215470)

selecting the "On This Computer" folder and then clicking Folder -> Properties produced no result. The "Properties" menu item is now correctly grayed-out. (BZ#215479)

Evolution did not honor the selected day when adding a memo while in calendar view: the user had to manually alter the memo's date afterward. (BZ#217541)

searching an address book using the "any field" option when no results were found caused Evolution to display all contacts instead of none. This behavior is now more intuitive: no contacts are displayed when none are found. (BZ#217714)

while in Mail view, deselecting a previously-selected group of messages by clicking on one of those selected did not result in that message being shown in the preview pane. (BZ#227710)

when accessibility was enabled, specific combinations of calender-viewing actions caused Evolution to crash. (BZ#428817)

when starting Evolution for the first time with a German (de_DE) locale, the setup wizard window was too large for some monitors to display. (BZ#432322)

dragging-and-dropping messages into the "Personal Folders" caused those messages to be irretrievably lost. Dropping messages into "Personal Folders" is now disallowed. (BZ#437768)

Evolution's account editor did not strip whitespace characters in hostnames, which caused a failure to connect when attempting to retrieve email. (BZ#446945)

sorting email by subject did not always result in the expected alphabetical sorting. (BZ#449797)

the Contact Quick-Add window allowed users to click "OK" without selecting an address book, which did not result in the contact being added to any address book. (BZ#449983)

attempting to download Exchange messages for offline use caused Evolution to segmentation fault. Evolution no longer crashes, and downloading Exchange messages works as expected, allowing for offline use. (BZ#472872)

it was not possible to create a new folder from the New Search Folder dialog box and related menus. Also, attempting to name a new folder and then clicking the "Create" button caused Evolution to crash under certain circumstances. (BZ#473024)

moving an Exchange folder containing subfolders to a different location resulted in the loss of all subfolders and their emails. With this update, all subfolders and their contents are copied or moved correctly and without any loss of data. (BZ#480849)

improved support for CalDAV. (BZ#484252)

the cursor now conveniently moves to the new rule when it is created in the "Add Rule" dialog box. (BZ#218539)

when adding a new Exchange account, a Mailbox name separate from the user name can now be specified. (BZ#205787)

a memory leak related to using Exchange accounts has been plugged. (BZ#393761)

dragging-and-dropping messages into the "Personal Folders" caused those messages to be irretrievably lost. Dropping messages into "Personal Folders" is now disallowed. (BZ#437768)

incoming mail filters had no effect on messages received by Exchange-based email accounts. This has been fixed in this updated package so that incoming mail filters work as expected with Exchange accounts. (BZ#446095)

in certain situations, notifications were not shown for calendar events stored on an Exchange Server. With this updated package, notifications work correctly as long as Evolution is configured to remember Exchange Server passwords. Otherwise, notifications fail to be shown. (BZ#480164)

moving an Exchange folder containing subfolders to a different location resulted in the loss of all subfolders and their emails. With this update, all subfolders and their contents are copied or moved correctly and without any loss of data. (BZ#480849)

occasionally, a "?" appeared as the last result of the list obtained when viewing the "Select Contacts from Address Book" dialog. With these updated packages, this incorrect entry no longer occurs in the dialog window when selecting contacts. (BZ#220431)

The IMAP mail protocol distinguishes between messages which are "new" on the server and messages which are "new" for a mail client. This dichotomy led Evolution Data Server to only apply filters to one of the "new" groups and not to the other, which meant that email filters were not applied to certain messages. With these updated packages, filters now apply to all IMAP messages which are new for the client, with the result that all messages can now be successfully filtered. (BZ#247779)

when attempting to connect to an Exchange 2007 server, the server's response sometimes caused Evolution to segmentation fault. Although the possibility of an Exchange 2007 server's response causing Evolution to crash has been fixed with these updated packages, it is still not possible for Evolution to communicate successfully with an Exchange 2007 server. (BZ#433648)

when Evolution was configured with two IMAP accounts, deleting one of those accounts could have caused Evolution to segmentation fault. These updated packages fix a variable referencing error with the result that disabling a mail account no longer causes Evolution to crash. (BZ#437758)

Evolution Data Server could segmentation fault when provided a malformed CalDAV calendar URL. With these updated packages, Evolution performs better error-checking on calendar URLs, which prevents this issue from occurring. (BZ#440232)

the Exchange connector for Evolution Data Server contained several memory leaks which have been plugged in these updated packages. (BZ#460669)

when adding a new Exchange account, a Mailbox name separate from the user name can now be specified. (BZ#460671)

when reading a calendar via the CalDAV protocol, Evolution failed to correctly adjust the time of events based on timezone information. (BZ#462007)

improved support for CalDAV. (BZ#484232)

attempting to download Exchange messages for offline use caused Evolution to segmentation fault. Evolution no longer crashes, and downloading Exchange messages works as expected, allowing for offline use. (BZ#489869)

Evolution incorrectly switched to Daylight Saving Time (DST) one week later than the time when DST should have started. With these updated packages, DST now takes effect at the correct time. (BZ#490218)

Evolution did not provide notifications for events located on a foreign Exchange calendar. This update ensures that Evolution is able to notify based on foreign Exchange calendar events in the same way as for local calendars. (BZ#494847)

A core file, which is created when a program crashes, contains the name of the crashed program. The file command did not report the correct program name on some core files. The file command reports the correct name with this updated package.

when using the "find" utility to search a directory hierarchy which contained autofs mounts, it dutifully triggered the aufofs mounts so that they could be searched, even when "find" had been directed to exclude NFS shares. With these updated packages, "find" possesses an additional exclusionary flag, "-xautofs", that prevents "find" from searching all autofs direct mounts in the searched directory hierarchy. (BZ#485672)

previously, the fipscheck libraries and binaries were installed in / (root). However, because they are not required by anything in /, they are now relocated to /usr. (BZ#475800)

previously, the fipscheck libraries were packaged in the main fipscheck package. This would lead to a file conflict when installing fipscheck on architectures with multilib support. The fipscheck libraries are now shipped in fipscheck-lib subpackages for each architecture, therefore avoiding the file conflict. (BZ#502676)

fipscheck now includes a runtime integrity self-test which is necessary for FIPS 140-2 level 1 validation of Red Hat Enterprise Linux 5 cryptography modules.

the FIPSCHECK_DEBUG environment variable adds improved debugging. Error messages can be saved to the syslog or sent to stderr.

fipscheck can now compute HMACs on multiple files at the same time.

previously, PostScript Printer Descriptions (PPDs) created for printers for which no page margin information was available used ImageableArea settings that equated to zero-width margins (ie, foomatic over-optimistically assumed edge-to-edge printing capability in the absence of specific information to the contrary). With this update, PPDs created for printers with no included margin information are set to 127mm (36 points or 0.5") by default. This avoids problems with print jobs being cropped at the edges of the page. (BZ#244348)

spooler auto-detection is not part of foomatic and, previously, foomatic did not set a default spooler. Consequently, the foomatic-configure command failed to detect that CUPS was present if a default spooler was not set in /etc/foomatic/defaultspooler (which was not created by default during foomatic installation). With this update, /etc/foomatic/defaultspooler is created during installation and the default spooler is set to CUPS, ensuring foomatic-configure is aware of CUPS. (BZ#454684)

64-bit multiplication by constant on the x86 platform caused unexpected aborts when compiling code that used 'unsigned long long' variables. This was because the compiler did not check whether CONST_DOUBLE_LOW was positive when multiplying constants. With this update, the compiler now check if CONST_DOUBLE_LOW is positive, ensuring that 'unsigned long long' variables are processed correctly during compiles. (BZ#465807)

A bug in the way the GFortran compiler processed unique symtrees could have prevented some valid GFortran code from compiling if the code contained symbols defined by USE and ONLY clauses. Whenever this occurred, the compile attempt would fail with a segmentation fault. This update adds a special function that correctly reconciles symbols with unique symtrees, which resolves this bug. (BZ#483845)

Using the -fabi-version=1 option prevented some valid C++ code from compiling. This was because Version 1 of the C++ ABI did not properly substitute template parameters. This release corrects this behavior, adding a function that correctly sets the processing_template_decl to 0 when performing substitutions. (BZ#492011)

A bug in the way gcc optimized code could have prevented some samples of valid C code from compiling (resulting in an internal compiler error) whenever the -O1 option was used. This was because during optimized compiles, the C compiler did not properly process bounds; this resulted in incorrect computations for loop iterations. With this update, the compiler now processes bounds correctly, ensuring that valid C code compiles correctly with the -O1 option set. (BZ#490513)

The GFortran compiler did not handle FMT= character array arguments properly. This prevented some samples of valid GFortran code from compiling; whenever this occurred, the compile attempt would fail with a segmentation fault. This update adds new functions to correct how FMT= character array arguments are handled, thereby resolving this bug. (BZ#492209)

The expand_expr_real_1() function of the C compiler did not handle TRUTH_ANDIF_EXPR and TRUTH_ORIF_EXPR cases correctly. As a result, a compile attempt could fail with an internal compiler error on the PowerPC platform. This update applies an upstream fix for this issue. (BZ#495469)

GFortran provided improper DWARF definitions for array parameters (i.e. missing upper bounds). This was caused by a bug in gcc/fortran/trans-decl.c that provided incorrect debugging information for variable-length, non-desc Fortran arrays. With this release, Gfortran now provides proper DWARF definitions for arrays parameters. (BZ#459374)

A bug in GFortran made it possible for an internal compiler error to incorrectly escalate to a segmentation fault (instead of terminating the compilation gracefully). An upstream fix for this bug is now included with this release. (BZ#466928)

Whenever gcc is used with the option -march=z9-ec or -march=z10, hardware decimal floating point (DFP) support is used by default. (BZ#474367)

An improper option (i.e. %global _use_internal_dependency_generator 0) used during the build of libgomp in previous releases disabled "file coloring". This caused RPM to erroneously detect a file conflict on /usr/lib/libgomp.so.1.0.0 when installing libgomp from the Itanium compatibility layer. This release includes a properly-built libgomp, which resolves this issue. (BZ#503725)

Normally, static variables always have the same debugging information for each possible constructor/destructor implementation kind, which allows the compiler to keep their DIE (debugging information entry) only in the single abstract instance of the constructor. However, GDB did not automatically inherit whole DIEs from the abstract instances to the concrete instances. As such, the static variables in C++ constructors were not visible from GDB. With this update, GDB now inherits whole DIEs to ensure that static variables do not become inaccessible. (BZ#445912)

GDB now supports the use of 64-bit ELF files for 32-bit platforms (i.e. elf64-i386). (BZ#457187)

It was possible for GDB to print an error when trying to access an allocatable or otherwise dynamic array or string variable in Fortran. This was because GDB did not account for the fact that the lower bound for Fortran arrays was 1 (rather than 0). This made it possible for array size calculations to result in invalid values (i.e. too high) when allocating unbound or dynamically-bound Fortran arrays. This release corrects the way GDB processes Fortran arrays; it also adds functions to verify the validity of a calculated array size first before attempting to allocate it. (BZ#459380)

Variables imported from Fortran modules can be now accessed from GDB with the same scope as the program being debugged. (BZ#466118 , BZ #457793)

Variables shared by Fortran "common blocks" can be now accessed from GDB with the same scope as the program being debugged. Further, common blocks valid in the current program scope can be printed using the GDB command 'info common'. (BZ#459762)

Allocatable arrays, objects with assumed size, and pointers to objects can be now accessed from GDB in the same manner that they are accessed from the program being debugged. (BZ#460250 , BZ#459952 , BZ#465301 , BZ#505333)

Variables of type 'logical (kind=8)' can be now accessed from GDB. (BZ#465310)

For external references, GCC does not produce DWARF debug information. As a result, GDB could not access Thread Local Storage (TLS) variables from a local source file if those variables were defined in a different source file. This made it possible for certain memory addresses to become unaccessible to GDB. With this release, GDB can now process TLS variables using ELF structures instead of DWARF; as such, GDB can now access TLS variables regardless of where those variables were defined. (BZ#494412)

Running gcore (or any 'attach' or 'detach' command sequence) on a multi-threaded process that was halted with 'kill -STOP' could unexpectedly resume some of that process's threads. This behavior was caused by a kernel bug (present in upstream version 2.6.29) that remained unfixed in Red Hat Enterprise Linux 5 kernels to maintain backward compatibility. While this update does not fix the kernel bug, it applies a GDB workaround that ensures threads from a halted multi-threaded process do not unexpectedly resume. (BZ#498595)

the GDM Reference Manual is now included with the gdm packages. The gdm-docs package installs this document in HTML format in "/usr/share/doc/". (BZ#196054)

GDM appeared in English on systems using Telugu (te_IN). With this update, GDM has been localized in te_IN. (BZ#226931)

the Ctrl+Alt+Backspace sequence resets the X server when in runlevel 5. In previous releases, however, repeated use of this sequence prevented GDM from starting the X server as part of the reset process. This was because GDM sometimes did not notice the X server shutdown properly and would subsequently fail to complete the reset process. This update contains an added check to explicitly notify GDM whenever the X server is terminated, ensuring that resets are executed reliably. (BZ#441971)

the "gdm" user is now part of the "audio" group by default. This enables audio support at the login screen. (BZ#458331)

the gui/modules/dwellmouselistener.c source code contained incorrect XInput code that prevented tablet devices from working properly. This update removes the errant code, ensuring that tablet devices work as expected. (BZ#473262)

a bug in the XOpenDevice() function prevented the X server from starting whenever a device defined in "/etc/X11/xorg.conf" was not actually plugged in. This update wraps XOpenDevice() in the gdk_error_trap_pop() and gdk_error_trap_push() functions, which resolves this bug. This ensures that the X server can start properly even when devices defined in "/etc/X11/xorg.conf" are not plugged in. (BZ#474588)

A bug which did not flush the journal after a fsync to a stuffed inode has been fixed.

A potential deadlock causing gfs to hang in 'wait_for_completion' was fixed by prefaulting buffer pages.

Applications using sendfile on files with the inherit_jdata flag are now notified that sendfile will not work on those files instead of failing.

A bug that could potentially cause a page allocation failure has been fixed.

A bug that caused fsyncs to stuffed inodes fail to flush the journal has been fixed.

An issue was fixed which caused gfs_fsck to attempt to fix the wrong bitmap.

gfs_fsck's ability to fix damaged resource groups has been improved.

A human readable option has been added to to gfs_tool df.

Fixed an issue which could potentially cause gfs_fsck to remove everything in a corrupt filesystem.

gfs_grow performance has been improved on 1k block size filesystems.

Fix a segfault in gfs_fsck when fixing a 'EA leaf block type' problem.

The gfs service is no longer disabled after an upgrade.

A segfault was fixed in gfs2_fsck which can be triggered by a stuffed directory inode block also being listed as a data block.

In certain cases a conversion between gfs1 and gfs2 filesystem could cause corruption; this bug has been fixed.

Other mount options will now be properly recognized when using 'noatime' or 'nodiratime'.

gfs2_grow now works with block sizes other than 4k.

gfs2_fsck now properly detects and repairs problems with sequence numbers on GFS2 file systems.

GFS2 user utilities now use the file system UUID.

gfs2_grow now properly updates the file system size during operation.

gfs2_fsck now returns the proper exit codes.

gfs2_convert now properly frees blocks when removing free blocks up to height 2.

the gfs2_fsck manual page has been renamed to fsck.gfs2 to match current standards.

the 'gfs2_tool df' command now provides human-readable output.

mounting GFS2 file systems with the noatime or noquota option now works properly.

new capabilities have been added to the gfs2_edit tool to help in testing and debugging GFS and GFS2 issues.

the 'gfs2_tool df' command no longer segfaults on file systems with a block size other than 4k.

the gfs2_grow manual page no longer references the '-r' option, which has been removed.

the 'gfs2_tool unfreeze' command no longer hangs during use.

gfs2_convert no longer corrupts file systems when converting from GFS to GFS2.

gfs2_fsck no longer segfaults when encountering a block which is listed as both a data and stuffed directory inode.

gfs2_fsck can now fix file systems even if the journal is already locked for use.

a GFS2 file system's metadata is now properly copied with 'gfs2_edit savemeta' and 'gfs2_edit restoremeta'.

the gfs2_edit savemeta function now properly saves blocks of type 2.

'gfs2_convert -vy' now works properly on the PowerPC architecture.

when mounting a GFS2 file system as '/', mount_gfs2 no longer fails after being unable to find the file system in '/proc/mounts'.

gfs2_fsck no longer segfaults when fixing 'EA leaf block type' problems.

an incorrect offset computation that occurred when handling subglyphs made it possible for ghostscript to read uninitialized data. When this occurred, ghostscript would crash with a segmentation fault. This update corrects the offset computation, preventing ghostscript from reading uninitialized data. (BZ#450717)

the way that the Ghostscript source code used pointer aliasing could produce unexpected results when strict aliasing optimizations are in use. To avoid problems, this ghostscript update was built using the -fno-strict-aliasing option, which disables strict aliasing optimization. (BZ#465960)

a typographical error in the gsiparam.h header file made it possible for some PDF files to cause ghostscript to fall into an infinite loop. This update fixes the error. (BZ#473889)