Red Hat Enterprise Linux AS 3 Update 3 Release Notes

   Copyright (c) 2004 Red Hat, Inc.

   ---------------------------------------------------------------------------

Introduction

   The following topics are covered in this document:

     o Changes to the Red Hat Enterprise Linux installation program
       (Anaconda)

     o General information

     o Kernel-related information

     o Changes to drivers and hardware support

     o Changes to packages

Changes to the Red Hat Enterprise Linux Installation Program (Anaconda)

   The following section includes information specific to the Red Hat
   Enterprise Linux installation program, Anaconda.

  Note

   In order to upgrade an already-installed Red Hat Enterprise Linux 3 system
   to Update 3, you must use Red Hat Network to update those packages that
   have changed. The use of Anaconda to upgrade to Update 3 is not supported.

   Use Anaconda only to perform a fresh install of Red Hat Enterprise Linux 3
   Update 3.

     o If you are copying the contents of the Red Hat Enterprise Linux 3
       Update 3 CD-ROMs (in preparation for a network-based installation, for
       example) be sure you copy the CD-ROMs for the operating system only.
       Do not copy the Extras CD-ROM, or any of the layered product CD-ROMs,
       as this will overwrite files necessary for Anaconda's proper
       operation.

       These CD-ROMs must be installed after Red Hat Enterprise Linux has
       been installed.

General Information

   This section contains general information not specific to any other
   section of this document.

     o Red Hat Enterprise Linux 3 Update 3 adds the most recent version of
       the KornShell (ksh) to the Red Hat Enterprise Linux Extras CD.
       KornShell is a shell programming language for both interactive and
       shell script use, and is upward compatible with the Bourne Shell (sh).

       The new ksh package is an optional alternative to pdksh, which is
       already included in the core distribution. It is useful in
       circumstances where precise compatibility with AT&T ksh semantics is
       required.

     o The autofs package, which controls the operation of the automount
       daemons running on Red Hat Enterprise Linux, has been updated to
       version 4. This update provides full backward compatibility with
       version 3. Additionally, it adds the following features:

          o Browsable mounts (ghosting) -- Ghosting of map directories allows
            you to see the directories in the autofs map without mounting
            them. When they are accessed (such as when a directory listing is
            requested) the map entry is mounted so that it is seen.

          o Replicated Server support -- Replicated server functionality
            allows the administrator to specify map entries that point to
            multiple, replicated servers. The automount daemon attempts to
            determine the best server to use for mounts by testing the
            latency of an rpc_ping to each available server. Weights may also
            be assigned to the servers, allowing for more administrator
            control. Refer to the
            /usr/share/doc/autofs-4.1.3/README.replicated-server file for
            additional map format information.

          o Executable maps -- A map can now be marked as executable. The
            initscript that parses the auto.master map passes this as a
            program map to the auto-mounter. A program map is called as a
            script with the key as an argument. It may return no lines of
            output if there is an error, or one or more lines containing a
            map (with \ quoting line breaks). This feature is useful for
            implementing /net functionality.

          o Multi-mounts -- This feature allows the automount daemon to seek
            multiple lookup methods in succession. For example, a lookup
            could query NIS and file maps.
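
       The key handed to an executable map is whatever name was looked up
       under the mount point, so the map should validate it before using it.
       The script below is an added example, not part of the autofs package
       or these release notes; the host names, export paths and function
       names are hypothetical.

```shell
#!/bin/sh
# Added example: an autofs program (executable) map.
# Called as: <map> <key>. Prints one map entry, or nothing on error.
# To use it, make the file executable and reference it from auto.master.

# Constructed allow-list: key, NFS server, export path (placeholders).
export_table() {
    cat <<'EOF'
build   nfs1.example.com  /export/build
docs    nfs2.example.com  /export/docs
EOF
}

# lookup_key KEY: print "-options server:/path" for an allowed key.
# Returns non-zero and prints nothing for anything else.
lookup_key() {
    key=$1
    # Reject empty keys, leading "." or "-", and any character outside a
    # conservative set. This excludes "/", "..", whitespace and shell
    # metacharacters before the key reaches any other command.
    case "$key" in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    # Only keys present in the allow-list produce an entry; nosuid and nodev
    # keep setuid binaries and device nodes on the export from being honoured.
    export_table | awk -v k="$key" '
        $1 == k { printf "-fstype=nfs,ro,nosuid,nodev %s:%s\n", $2, $3; found = 1 }
        END { exit found ? 0 : 1 }'
}

if [ $# -ge 1 ]; then
    lookup_key "$1"
else
    # No key given: show the behaviour on constructed keys.
    for k in build docs ../etc unknown; do
        printf '%-8s -> %s\n' "$k" "$(lookup_key "$k" || echo '(no output)')"
    done
fi
```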

     o Red Hat Enterprise Linux 3 Update 2 is currently "in evaluation" for
       Evaluated Assurance Level (EAL) 3+/Controlled Access Protection
       Profile (CAPP) on the following platforms:

          o Red Hat Enterprise Linux WS on the x86 architecture

          o Red Hat Enterprise Linux AS on the x86, AMD64, IBM zSeries,
            iSeries, and pSeries architectures

       To get the latest Common Criteria evaluation status, refer to the
       following Web page:

       [1]http://www.redhat.com/solutions/industries/government/commoncriteria/

       All the patches that were applied to the Red Hat Enterprise Linux 3
       Update 2 code base to achieve EAL3 certification have been mirrored in
       the Red Hat Enterprise Linux 3 Update 3 release.

       For additional information regarding the auditing subsystem, refer to
       the laus(7) man page.

       The auditing subsystem was first deployed in the Red Hat Enterprise
       Linux 3 Update 2 kernel. The kernel for Update 3 contains additional
       modifications that enable system-call auditing on additional
       architectures. When auditing is not in use, these modifications are
       performance-neutral.
       The kernel component provides access to the auditing facilities
       through the character-special device /dev/audit. Through this device,
       a user-space daemon (auditd) can enable or disable auditing and can
       provide the kernel with the rulesets to be used to determine when a
       system-call invocation must be logged. This device is also used by
       auditd to retrieve audit records from the kernel for transfer to the
       audit log. Refer to the audit(4) man page for information concerning
       supported ioctl calls and /proc/ interfaces for managing and tuning
       auditing behavior.

     o The version of the httpd Web server included as part of Red Hat
       Enterprise Linux 3 Update 3 includes several significant changes:

          o The mod_cgi module has been enhanced to correctly handle
            concurrent output on stderr and stdout.

          o SSL environment variables defined by mod_ssl can be used directly
            from mod_rewrite using the %{SSL:...} syntax. For example,
            "%{SSL:SSL_CIPHER_USEKEYSIZE}" may expand to "128".

            Similarly, SSL environment variables can be used directly from
            mod_headers using the %{...}s syntax.

          o The mod_ext_filter module is now included.

          o The minimum acceptable group ID that will be used by suexec has
            been lowered from 500 to 100. This allows the use of suexec with
            users belonging to the "users" group.

Kernel-Related Information

   This section contains information related to the Red Hat Enterprise Linux
   3 Update 3 kernel.

     o AMD64 workstations with motherboards based on certain NVIDIA or VIA
       chipsets (for example, the ASUS SK8N) have been known to hang when
       attempting to access IDE or Serial ATA devices. This is a known issue
       for which there is currently no vendor-supported fix. As a workaround,
       append the "noapic" parameter to the boot command line.

     o Hardware IRQ balancing is enabled for Lindenhurst (Intel(R) E7520 and
       Intel(R) E7320) and Tumwater (Intel(R) E7525) based chipset platforms.
       Therefore, software IRQ balancing is disabled for these platforms in
       the Red Hat Enterprise Linux 3 Update 3 kernel.

     o The Red Hat Enterprise Linux 3 Update 3 kernel includes a new security
       feature known as Exec-shield. Exec-shield is a security-enhancing
       modification to the Linux kernel that makes large parts of
       specially-marked programs -- including their stack -- not executable.
       This can reduce the potential damage of some security holes, such as
       buffer overflow exploits.

       Exec-shield can also randomize the virtual memory addresses at which
       certain binaries are loaded. This randomized VM mapping makes it more
       difficult for a malicious application to improperly access code or
       data based on knowledge of the code or data's virtual address.

       Exec-shield's behavior can be controlled via the proc file system. Two
       files are used:

          o /proc/sys/kernel/exec-shield

          o /proc/sys/kernel/exec-shield-randomize

       The /proc/sys/kernel/exec-shield file controls overall Exec-shield
       functionality, and can be manipulated using the following command:


          echo <value> > /proc/sys/kernel/exec-shield

       Where <value> is one of the following:

          o 0 -- Exec-shield (including randomized VM mapping) is disabled
            for all binaries, marked or not

          o 1 -- Exec-shield is enabled for all marked binaries

          o 2 -- Exec-shield is enabled for all binaries, regardless of
            marking (To be used for testing purposes ONLY)

       The default value for /proc/sys/kernel/exec-shield is 1.

       The /proc/sys/kernel/exec-shield-randomize file controls whether
       Exec-shield randomizes VM mapping, and can be manipulated using the
       following command:


          echo <value> > /proc/sys/kernel/exec-shield-randomize

       Where <value> is one of the following:

          o 0 -- Randomized VM mapping is disabled

          o 1 -- Randomized VM mapping is enabled

       The default value for /proc/sys/kernel/exec-shield-randomize is 1.

       It is also possible to configure Exec-shield by including one (or
       both) of the following lines in the /etc/sysctl.conf file:


          kernel.exec-shield=<value>
          kernel.exec-shield-randomize=<value>

       (Where <value> is as previously described.)

       Exec-shield can also be disabled at a system level by means of a
       kernel boot option. Appending the following parameter to the "kernel"
       line(s) in the /etc/grub.conf file will disable Exec-shield:


          exec-shield=0

  Note

       Exec-shield functionality is available only to binaries that have been
       built (and marked) using the toolchain (compiler, assembler, linker)
       available with Red Hat Enterprise Linux 3 Update 3. Binaries that have
       been built using a different version of the toolchain can still be
       used, but since they will not be marked, they will not take advantage
       of Exec-shield.

       Application developers should keep in mind that, in the majority of
       cases, GCC correctly marks its generated code as being capable of
       using Exec-shield. In the few instances (usually caused by inline
       assembler or other nonportable code) where GCC non-optimally (or, more
       rarely, incorrectly) marks generated code, it is possible to pass GCC
       options to obtain the desired result.

       The options controlling binary marking at the assembler level are:


          -Wa,--execstack
          -Wa,--noexecstack

       The options controlling binary marking at the linker level are:


          -Wl,-z,execstack
          -Wl,-z,noexecstack

       It is also possible to exert more fine-grained control by explicitly
       disabling Exec-shield for a specific binary at run time. This is done
       using the setarch command:


          setarch i386 <binary>

       (Where <binary> represents the binary to be run.) The binary is then
       run without Exec-shield functionality.

       The proc file /proc/self/maps can be used to observe Exec-shield's
       effects. By using cat to display the current process's VM mapping, you
       can see Exec-shield at work. Similarly, you can use setarch in
       conjunction with cat to see how normal VM mapping differs from
       Exec-shield's mapping.
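
       Exec-shield can be switched off in three places (the proc files,
       /etc/sysctl.conf and the kernel line in /etc/grub.conf), so a
       hardening check has to look at all of them. The script below is an
       added example, not Red Hat's code; its function names are hypothetical
       and the sample files it writes are constructed.

```shell
#!/bin/sh
# Added example: report every place where Exec-shield deviates from the
# documented defaults. Paths are parameters so copies can be audited.

# Meaning of a setting, as listed in the release notes.
describe_value() {
    case "$1=$2" in
        exec-shield=0) echo "disabled for all binaries" ;;
        exec-shield=1) echo "enabled for marked binaries" ;;
        exec-shield=2) echo "enabled for all binaries (testing only)" ;;
        exec-shield-randomize=0) echo "randomized VM mapping disabled" ;;
        exec-shield-randomize=1) echo "randomized VM mapping enabled" ;;
        *) echo "unrecognized value" ;;
    esac
}

# Print the last uncommented assignment of KEY ($2) in a sysctl.conf ($1).
last_sysctl_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# Count "kernel" lines in a grub.conf ($1) that carry exec-shield=0.
grub_lines_disabling() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "kernel" {
            for (i = 2; i <= NF; i++) if ($i == "exec-shield=0") { n++; break }
        }
        END { print n + 0 }' "$1"
}

# audit_exec_shield PROC_DIR SYSCTL_CONF GRUB_CONF: one WARN line per finding.
audit_exec_shield() {
    for f in exec-shield exec-shield-randomize; do
        if [ -r "$1/$f" ]; then
            live=$(cat "$1/$f")
            [ "$live" = 1 ] ||
                echo "WARN running $f=$live: $(describe_value "$f" "$live")"
        else
            echo "INFO $1/$f not readable; kernel may lack Exec-shield"
        fi
        boot=$(last_sysctl_value "$2" "kernel.$f")
        [ -z "$boot" ] || [ "$boot" = 1 ] || echo "WARN $2 sets kernel.$f=$boot"
    done
    n=$(grub_lines_disabling "$3")
    [ "$n" -eq 0 ] || echo "WARN $3 has $n kernel line(s) with exec-shield=0"
}

# Write constructed sample files (not from a real system) into directory $1.
make_sample() {
    printf '1\n' > "$1/exec-shield"
    printf '0\n' > "$1/exec-shield-randomize"
    printf '%s\n' '# kernel.exec-shield=1' 'kernel.exec-shield = 0' > "$1/sysctl.conf"
    printf '%s\n' 'title Red Hat Enterprise Linux' \
        '    kernel /vmlinuz ro root=LABEL=/ exec-shield=0' > "$1/grub.conf"
}

demo=$(mktemp -d)
make_sample "$demo"
audit_exec_shield "$demo" "$demo/sysctl.conf" "$demo/grub.conf"
rm -rf "$demo"
```

       On a live system the call would be
       audit_exec_shield /proc/sys/kernel /etc/sysctl.conf /etc/grub.conf.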

     o Red Hat Enterprise Linux 3 Update 3 includes a new security-related
       feature -- kernel support for certain new Intel CPUs that include the
       NX (No eXecute) capability. NX technology restricts execution of
       program code, making it significantly more difficult for hackers to
       insert malicious code into the system by means of a buffer overrun.
       When specific pages are marked as nonexecutable, the CPU is prevented
       from executing code in those pages. This marking can be applied to
       areas of memory such as the stack or the heap (typical places where
       buffers are stored).

  Note

       Red Hat Enterprise Linux 3 (originally available 22-October-2003)
       included NX support for the AMD64 platform.
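
   Both the /proc/self/maps comparison described for Exec-shield and the NX
   page marking described above can be checked by looking for mappings that
   are writable and executable at once, and for objects that load at a
   different address between runs. The script below is an added example, not
   Red Hat's code; the function names are hypothetical and the two maps
   listings are constructed rather than captured from a real system.

```shell
#!/bin/sh
# Added example: inspect saved /proc/<pid>/maps listings.
# Each maps line: address-range perms offset dev inode [path]

# Read maps text on stdin; print every mapping that is both writable and
# executable. Such regions are where injected data could be run as code.
wx_mappings() {
    awk '$2 ~ /w/ && $2 ~ /x/ { print $1, $2, (NF >= 6 ? $6 : "[anonymous]") }'
}

# Compare two saved maps files; print each file-backed object whose first
# segment (offset 0) starts at a different address: path, old start, new start.
moved_mappings() {
    awk '
        NF >= 6 && $3 == "00000000" {
            split($1, r, "-")
            if (FNR == NR) { first[$6] = r[1]; next }
            if (($6 in first) && first[$6] != r[1]) print $6, first[$6], r[1]
        }' "$1" "$2"
}

# Constructed listing, shaped like "setarch i386 cat /proc/self/maps".
sample_legacy() {
    cat <<'EOF'
08048000-0804c000 r-xp 00000000 03:02 1001 /bin/cat
0804c000-0804d000 rw-p 00003000 03:02 1001 /bin/cat
0804d000-0806e000 rwxp 00000000 00:00 0
40000000-40015000 r-xp 00000000 03:02 2001 /lib/libc.so.6
40015000-40016000 rw-p 00015000 03:02 2001 /lib/libc.so.6
bfffe000-c0000000 rwxp fffff000 00:00 0
EOF
}

# Constructed listing, shaped like "cat /proc/self/maps" with Exec-shield on.
sample_shielded() {
    cat <<'EOF'
00a32000-00a47000 r-xp 00000000 03:02 2001 /lib/libc.so.6
00a47000-00a48000 rw-p 00015000 03:02 2001 /lib/libc.so.6
08048000-0804c000 r-xp 00000000 03:02 1001 /bin/cat
0804c000-0804d000 rw-p 00003000 03:02 1001 /bin/cat
0804d000-0806e000 rw-p 00000000 00:00 0
bfe4b000-c0000000 rw-p fffb1000 00:00 0
EOF
}

tmp=$(mktemp -d)
sample_legacy > "$tmp/legacy"
sample_shielded > "$tmp/shielded"
echo "W+X mappings without Exec-shield:"
wx_mappings < "$tmp/legacy"
echo "W+X mappings with Exec-shield:"
wx_mappings < "$tmp/shielded"
echo "Objects loaded at a different address:"
moved_mappings "$tmp/legacy" "$tmp/shielded"
rm -rf "$tmp"
```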

Changes to Drivers and Hardware Support

   This update includes bug fixes for a number of drivers. The more
   significant driver updates are listed below. In some cases, the original
   driver has been preserved under a different name, and is available as a
   non-default alternative for organizations that wish to migrate their
   driver configuration to the latest versions at a later time.

  Note

   The migration to the latest drivers should be completed before the next
   Red Hat Enterprise Linux update is applied, because in most cases only one
   older-revision driver will be preserved for each update.

   These release notes also indicate which older-revision drivers have been
   removed from this kernel update. These drivers have the base driver name
   with the revision digits appended; for example, megaraid_2002.o. You must
   remove these drivers from /etc/modules.conf before installing this kernel
   update.

   Keep in mind that the only definitive way to determine what drivers are
   being used is to review the contents of /etc/modules.conf. Use of the
   lsmod command is not a substitute for examining this file.

   Adaptec RAID (aacraid driver)

     o The aacraid driver has been updated from 1.1.2 to 1.1.5-2339

     o The new driver is scsi/aacraid/aacraid.o

     o The older driver has been preserved as
       addon/aacraid_10102/aacraid_10102.o

   LSI Logic RAID (megaraid driver)

  Note

   The megaraid2 driver includes support for a number of new host bus
   adapters (certain PERC4 and Serial ATA products) that are not supported by
   the megaraid driver. If your system contains these newer products
   exclusively, the megaraid2 driver is loaded by default. If you have the
   older products exclusively, the megaraid driver will continue to be the
   default.

   However, if you have a mix of old and new MegaRAID adapters, then the
   driver that is selected depends on the order in which the adapters are
   scanned. (Note that you cannot have both the megaraid and megaraid2
   drivers loaded at the same time.) If the default driver on your system is
   not the desired one, take one of the following actions:

     o If you are installing the system, type the following command at the
       boot prompt:

          expert noprobe

       Next, select the desired driver from the subsequent menu.

     o If the system is already installed, edit /etc/modules.conf and change
       the "alias scsi_hostadapter" lines referring to the megaraid or the
       megaraid2 driver to the desired driver. Note that after making any
       changes to /etc/modules.conf you must rebuild the initrd image; refer
       to the mkinitrd man page for further details.

     o The megaraid2 driver has been updated from v2.10.1.1 to v2.10.6-RH1

     o The new driver is scsi/megaraid2.o

     o The older driver has been preserved as
       addon/megaraid_2101/megaraid2101.o

     o The v2.00.9 driver has been removed

     o The default driver remains the v1.18k driver (megaraid.o)

   IBM ServeRAID (ips driver)

     o The ips driver has been updated from 6.11.07 to 7.00.15

     o The new driver is scsi/ips.o

     o The older driver has been preserved as addon/ips_61107/ips_61107.o

     o The ips 6.10.52 driver (ips_61052.o) has been removed

   LSI Logic MPT Fusion (mpt* drivers)

     o These drivers have been updated from 2.05.11.03 to 2.05.16

     o The new drivers are located in message/fusion/

     o The older drivers have been preserved in addon/fusion_20511

     o The 2.05.05+ drivers (mpt*_20505.o) have been removed

   Compaq SA53xx Controllers (cciss driver)

     o The cciss driver has been updated from 2.4.50.RH1 to v2.4.52.RH1

   QLogic Fibre Channel (qla2xxx driver)

     o These drivers have been updated from 6.07.02-RH2 to 7.00.03-RH1

     o The new drivers are located in addon/qla2200

     o The older driver has been preserved in addon/qla2200_60702RH2

     o The 6.06.00b11 drivers (qla2*00_60600b11.o) have been removed

  Note

   The QLA2100 adapter has been retired by QLogic. This adapter is no longer
   supported by QLogic or Red Hat. Therefore, the driver is located in the
   kernel-unsupported package.

   Emulex Fibre Channel (lpfc driver)

     o This driver has been added to the distribution. The version is 7.0.3

     o The driver is located in addon/lpfc

   Intel PRO/1000 (e1000 driver)

     o This driver has been updated from 5.2.30.1-k1 to 5.2.52-k3

   Intel PRO/100 (e100 driver)

     o This driver has been updated from version 2.3.30-k1 to 2.3.43-k1

   Broadcom Tigon3 (tg3 driver)

     o This driver has been updated from v3.1 to v3.6RH
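
   Because /etc/modules.conf is the definitive record of which drivers are in
   use, a check before installing the kernel update can flag aliases that
   still name a driver listed above as removed or as a preserved older
   revision. The script below is an added example, not Red Hat's code; the
   function names are hypothetical and the sample modules.conf is
   constructed. It covers only module names that appear in these notes. The
   file name of the removed megaraid v2.00.9 driver is not given here and
   would have to be added.

```shell
#!/bin/sh
# Added example: pre-update check of "alias" lines in modules.conf.

# classify_module NAME: removed | preserved-old | current
# Patterns come from the driver lists in these release notes.
classify_module() {
    case "$1" in
        ips_61052|mpt*_20505|qla2*00_60600b11)
            echo removed ;;          # must be taken out before updating
        aacraid_10102|megaraid2101|ips_61107)
            echo preserved-old ;;    # still shipped, migrate before next update
        *)
            echo current ;;
    esac
}

# Read a modules.conf on stdin; print "state alias module" for every
# uncommented alias line whose module is removed or a preserved older revision.
scan_modules_conf() {
    awk '!/^[ \t]*#/ && $1 == "alias" && NF >= 3 { print $2, $3 }' |
    while read -r name module; do
        state=$(classify_module "$module")
        [ "$state" = current ] || echo "$state $name $module"
    done
}

# Constructed sample input (not from a real system).
sample_modules_conf() {
    cat <<'EOF'
alias eth0 e1000
alias scsi_hostadapter ips_61052
alias scsi_hostadapter1 qla2300_60600b11
alias scsi_hostadapter2 megaraid2101
# alias scsi_hostadapter3 mptscsih_20505
alias usb-controller usb-uhci
EOF
}

sample_modules_conf | scan_modules_conf
```

   On a live system, run scan_modules_conf < /etc/modules.conf; any line
   beginning with "removed" has to be resolved before the update is installed.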

Changes to Packages

   This section contains listings of packages that have been updated, added,
   or removed from Red Hat Enterprise Linux 3 as part of Update 3. Packages
   that have been built for multiple architectures are listed with the target
   architecture in parentheses.

  Note

   These package lists include packages from all variants of Red Hat
   Enterprise Linux 3. Your system may not include every one of the packages
   listed here.

   The following packages have been updated from Red Hat Enterprise Linux 3
   Update 2:

     o ImageMagick

     o ImageMagick-c++

     o ImageMagick-c++-devel

     o ImageMagick-devel

     o ImageMagick-perl

     o MAKEDEV

     o XFree86

     o XFree86-100dpi-fonts

     o XFree86-75dpi-fonts

     o XFree86-ISO8859-14-100dpi-fonts

     o XFree86-ISO8859-14-75dpi-fonts

     o XFree86-ISO8859-15-100dpi-fonts

     o XFree86-ISO8859-15-75dpi-fonts

     o XFree86-ISO8859-2-100dpi-fonts

     o XFree86-ISO8859-2-75dpi-fonts

     o XFree86-ISO8859-9-100dpi-fonts

     o XFree86-ISO8859-9-75dpi-fonts

     o XFree86-Mesa-libGL (i386)

     o XFree86-Mesa-libGL (x86_64)

     o XFree86-Mesa-libGLU (i386)

     o XFree86-Mesa-libGLU (x86_64)

     o XFree86-Xnest

     o XFree86-Xvfb

     o XFree86-base-fonts

     o XFree86-cyrillic-fonts

     o XFree86-devel (i386)

     o XFree86-devel (x86_64)

     o XFree86-doc

     o XFree86-font-utils

     o XFree86-libs (i386)

     o XFree86-libs (x86_64)

     o XFree86-libs-data

     o XFree86-sdk

     o XFree86-syriac-fonts

     o XFree86-tools

     o XFree86-truetype-fonts

     o XFree86-twm

     o XFree86-xauth

     o XFree86-xdm

     o XFree86-xfs

     o anaconda

     o anaconda-runtime

     o arpwatch

     o at

     o autofs

     o bash

     o bind

     o bind-chroot

     o bind-devel

     o bind-utils

     o bison

     o cdda2wav

     o cdrecord

     o cdrecord-devel

     o chkconfig

     o comps

     o control-center

     o cpp

     o cups

     o cups-devel

     o cups-libs (i386)

     o cups-libs (x86_64)

     o cvs

     o dev

     o dhclient

     o dhcp

     o dhcp-devel

     o eclipse

     o elfutils

     o elfutils-devel

     o elfutils-libelf

     o elfutils-libelf-devel

     o ethereal

     o ethereal-gnome

     o ethtool

     o expect

     o expect-devel

     o expectk

     o file-roller

     o gcc

     o gcc-c++

     o gcc-g77

     o gcc-gnat

     o gcc-java

     o gcc-objc

     o gdb (i386)

     o gdb (x86_64)

     o glibc (i686)

     o glibc (x86_64)

     o glibc-common

     o glibc-debug

     o glibc-devel (i386)

     o glibc-devel (x86_64)

     o glibc-headers

     o glibc-kernheaders

     o glibc-profile

     o glibc-utils

     o gnome-panel

     o grep

     o grub

     o gtk+

     o gtk+-devel

     o gtkhtml3

     o gtkhtml3-devel

     o httpd

     o httpd-devel

     o hwdata

     o imap

     o imap-devel

     o imap-utils

     o initscripts

     o itcl

     o jpackage-utils

     o kdelibs

     o kdelibs-devel

     o kernel (ia32e)

     o kernel (x86_64)

     o kernel-doc

     o kernel-smp

     o kernel-smp-unsupported

     o kernel-source

     o kernel-unsupported (ia32e)

     o kernel-unsupported (x86_64)

     o kernel-utils

     o krb5-devel

     o krb5-libs (i386)

     o krb5-libs (x86_64)

     o krb5-server

     o krb5-workstation

     o laus (x86_64)

     o laus-devel

     o lha

     o libcap

     o libcap-devel

     o libf2c

     o libgcc (i386)

     o libgcc (x86_64)

     o libgcj (i386)

     o libgcj (x86_64)

     o libgcj-devel

     o libgnat

     o libgtop2

     o libgtop2-devel

     o libobjc (i386)

     o libobjc (x86_64)

     o libpcap

     o libpng (i386)

     o libpng (x86_64)

     o libpng-devel

     o libpng10

     o libpng10-devel

     o libstdc++ (i386)

     o libstdc++ (x86_64)

     o libstdc++-devel (i386)

     o libstdc++-devel (x86_64)

     o lvm

     o mdadm

     o metacity

     o mkisofs

     o mod_auth_pgsql

     o mod_authz_ldap

     o mod_ssl

     o modutils

     o modutils-devel

     o ncompress

     o net-snmp

     o net-snmp-devel

     o net-snmp-perl

     o net-snmp-utils

     o nfs-utils

     o nptl-devel

     o nscd

     o nss_ldap (i386)

     o nss_ldap (x86_64)

     o ntp

     o ntsysv

     o openldap (i386)

     o openldap (x86_64)

     o openldap-clients

     o openldap-devel

     o openldap-servers

     o openmotif

     o openmotif-devel

     o openoffice.org

     o openoffice.org-i18n

     o openoffice.org-libs

     o openssl (i686)

     o openssl (x86_64)

     o openssl-devel

     o openssl-perl

     o pam (i386)

     o pam (x86_64)

     o pam-devel (i386)

     o pam-devel (x86_64)

     o parted

     o parted-devel

     o passwd

     o perl

     o perl-CGI

     o perl-CPAN

     o perl-DB_File

     o perl-suidperl

     o php

     o php-devel

     o php-imap

     o php-ldap

     o php-mysql

     o php-odbc

     o php-pgsql

     o popt (i386)

     o popt (x86_64)

     o postfix

     o ppp

     o prelink

     o procps

     o pvm

     o pvm-gui

     o qt

     o qt-MySQL

     o qt-ODBC

     o qt-PostgreSQL

     o qt-designer

     o qt-devel

     o rdist

     o readline

     o readline-devel

     o redhat-config-bind

     o redhat-config-kickstart

     o redhat-config-network

     o redhat-config-network-tui

     o redhat-config-proc

     o redhat-config-securitylevel

     o redhat-config-securitylevel-tui

     o rh-postgresql

     o rh-postgresql-contrib

     o rh-postgresql-devel

     o rh-postgresql-docs

     o rh-postgresql-jdbc

     o rh-postgresql-libs

     o rh-postgresql-pl

     o rh-postgresql-python

     o rh-postgresql-server

     o rh-postgresql-tcl

     o rh-postgresql-test

     o rhnlib

     o rhpl

     o rp-pppoe

     o rpm

     o rpm-build

     o rpm-devel

     o rpm-python

     o rpmdb-redhat

     o rsync

     o rusers

     o rusers-server

     o samba (i386)

     o samba (x86_64)

     o samba-client

     o samba-common

     o samba-swat

     o schedutils

     o sendmail

     o sendmail-cf

     o sendmail-devel

     o sendmail-doc

     o shadow-utils

     o squid

     o squirrelmail

     o strace

     o sysklogd

     o sysstat

     o tcl (i386)

     o tcl (x86_64)

     o tcl-devel

     o tcl-html

     o tcllib

     o tclx (i386)

     o tclx (x86_64)

     o tcpdump

     o tix

     o tk (i386)

     o tk (x86_64)

     o tk-devel

     o tux

     o unixODBC

     o unixODBC-devel

     o unixODBC-kde

     o up2date

     o up2date-gnome

     o utempter

     o vixie-cron

     o xemacs

     o xemacs-el

     o xemacs-info

     o xinetd

     o xscreensaver

     o ypserv

   The following packages have been added to Red Hat Enterprise Linux 3
   Update 3:

     o amtu

     o anacron

     o authd

     o bash (i386)

     o bind-libs

     o bootparamd

     o bridge-utils (i386)

     o compat-db (i386)

     o crash

     o diskdumputils

     o eal3-certification

     o eal3-certification-doc

     o elfutils-libelf (i386)

     o evolution-connector

     o laus-libs (i386)

     o laus-libs (x86_64)

     o libcap (i386)

     o libcap-devel (i386)

     o ltrace

     o nss_db (i386)

     o nss_db (x86_64)

     o openmotif (i386)

     o openssl096b (i386)

     o qt-config

     o readline (i386)

     o strace (i386)

   The following packages have been removed from Red Hat Enterprise Linux 3
   Update 3:

     o crash

     o java-javadoc

     o laus (i386)

     o mozilla (i386)

     o mozilla-nspr (i386)

     o mozilla-nss (i386)

   ( x86-64 )

References

   Visible links
   1. http://www.redhat.com/solutions/industries/government/commoncriteria/