The following topics are covered in this document:
Changes to the Red Hat Enterprise Linux installation program (Anaconda)
General information
Kernel-related information
Changes to drivers and hardware support
Changes to packages
The following section includes information specific to the Red Hat Enterprise Linux installation program, Anaconda.
In order to upgrade an already-installed Red Hat Enterprise Linux 3 system to Update 3, you must use Red Hat Network to update those packages that have changed. The use of Anaconda to upgrade to Update 3 is not supported.
Use Anaconda only to perform a fresh install of Red Hat Enterprise Linux 3 Update 3.
If you are copying the contents of the Red Hat Enterprise Linux 3 Update 3 CD-ROMs (in preparation for a network-based installation, for example) be sure you copy the CD-ROMs for the operating system only. Do not copy the Extras CD-ROM, or any of the layered product CD-ROMs, as this will overwrite files necessary for Anaconda's proper operation.
These CD-ROMs must be installed after Red Hat Enterprise Linux has been installed.
This section contains general information not specific to any other section of this document.
Red Hat Enterprise Linux 3 Update 3 adds the most recent version of the KornShell (ksh) to the Red Hat Enterprise Linux Extras CD. KornShell is a shell programming language for both interactive and shell script use, and is upward compatible with the Bourne Shell (sh).
The new ksh package is an optional alternative to pdksh, which is already included in the core distribution. It is useful in circumstances where precise compatibility with AT&T ksh semantics is required.
The autofs package, which controls the operation of the automount daemons running on Red Hat Enterprise Linux, has been updated to version 4. This update provides full backward compatibility with version 3. Additionally, it adds the following features:
Browsable mounts (ghosting) — Ghosting of map directories allows you to see the directories in the autofs map without mounting them. When they are accessed (such as when a directory listing is requested) the map entry is mounted so that it is seen.
Replicated Server support — Replicated server functionality allows the administrator to specify map entries that point to multiple, replicated servers. The automount daemon attempts to determine the best server to use for mounts by testing the latency of an rpc_ping to each available server. Weights may also be assigned to the servers, allowing for more administrator control. Refer to the /usr/share/doc/autofs-4.1.3/README.replicated-server file for additional map format information.
Executable maps — A map can now be marked as executable. The initscript that parses the auto.master map passes this as a program map to the auto-mounter. A program map is called as a script with the key as an argument. It may return no lines of output if there is an error, or one or more lines containing a map (with \ quoting line breaks). This feature is useful for implementing /net functionality.
Multi-mounts — This feature allows the automount daemon to seek multiple lookup methods in succession. For example, a lookup could query NIS and file maps.
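To illustrate the executable-map contract described in the list above (the map is called with the key as its argument and prints either nothing on error or a map entry), here is a small program map. It is an added example, not taken from the autofs package; the server name, export root, allow-list and mount options are constructed assumptions.

```shell
#!/bin/sh
# Added example of an executable (program) map; not part of the autofs package.
# NFS_SERVER, EXPORT_ROOT and ALLOWED_KEYS are constructed values.

NFS_SERVER=fileserver.example.com
EXPORT_ROOT=/export/projects
ALLOWED_KEYS="alpha beta docs"

# map_entry KEY: print the map entry for KEY and return 0,
# or print nothing and return 1 when the key is not acceptable.
map_entry() {
    key=$1
    # The key is whatever name was looked up under the mount point, so it is
    # treated as untrusted input: reject empty names, names starting with a
    # dot ("." and ".." included) and anything outside [A-Za-z0-9_.-].
    case "$key" in
        ""|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    # Only keys on the allow-list are ever turned into a mount request.
    for allowed in $ALLOWED_KEYS; do
        if [ "$key" = "$allowed" ]; then
            printf '%s %s:%s/%s\n' "-fstype=nfs,nosuid,nodev" \
                "$NFS_SERVER" "$EXPORT_ROOT" "$key"
            return 0
        fi
    done
    return 1
}

# When installed as the map, the script receives the key as its first argument.
# A rejected key produces no lines of output.
if [ "$#" -gt 0 ]; then
    map_entry "$1"
fi
```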
Red Hat Enterprise Linux 3 Update 2 is currently "in evaluation" for Evaluation Assurance Level (EAL) 3+/Controlled Access Protection Profile (CAPP) on the following platforms:
Red Hat Enterprise Linux WS on the x86 architecture
Red Hat Enterprise Linux AS on the x86, AMD64, IBM zSeries, iSeries, and pSeries architectures
To get the latest Common Criteria evaluation status, refer to the following Web page:
http://www.redhat.com/solutions/industries/government/commoncriteria/
All the patches that were applied to the Red Hat Enterprise Linux 3 Update 2 code base to achieve EAL3 certification have been mirrored in the Red Hat Enterprise Linux 3 Update 3 release.
For additional information regarding the auditing subsystem, refer to the laus(7) man page.
The auditing subsystem was first deployed in the Red Hat Enterprise Linux 3 Update 2 kernel; the kernel for Update 3 contains additional modifications that enable system-call auditing on additional architectures. When auditing is not in use, these modifications are performance-neutral. The kernel component provides access to the auditing facilities through the character-special device /dev/audit. Through this device, a user-space daemon (auditd) can enable or disable auditing and can provide the kernel with the rulesets to be used to determine when a system-call invocation must be logged. This device is also used by auditd to retrieve audit records from the kernel for transfer to the audit log. Refer to the audit(4) man page for information concerning supported ioctl calls and /proc/ interfaces for managing and tuning auditing behavior.
The version of the httpd Web server included as part of Red Hat Enterprise Linux 3 Update 3 includes several significant changes:
The mod_cgi module has been enhanced to correctly handle concurrent output on stderr and stdout
SSL environment variables defined by mod_ssl can be used directly from mod_rewrite using the %{SSL:...} syntax. For example, "%{SSL:SSL_CIPHER_USEKEYSIZE}" may expand to "128".
Similarly, SSL environment variables can be used directly from mod_headers using the %{...}s syntax.
The mod_ext_filter module is now included
The minimal acceptable group id that will be used by suexec has been lowered from 500 to 100. This allows the use of suexec with users belonging to the "users" group.
This section contains information related to the Red Hat Enterprise Linux 3 Update 3 kernel.
Red Hat Enterprise Linux 3 Update 3 includes a new kernel feature that can ease the process of diagnosing system hangs. It uses the hardware's NMI (Non-Maskable Interrupt) capability to force a kernel panic.
To enable this feature, set the following system control parameter:
kernel.unknown_nmi_panic = 1
This can be done using the sysctl command (sysctl -w kernel.unknown_nmi_panic=1) or by adding the above line to /etc/sysctl.conf.
Once this feature is enabled (and the system is rebooted), a panic can be forced by pressing the system's NMI button.
Systems that lack a button capable of generating an NMI can continue to use the NMI watchdog, which will generate an NMI if the system should lock up.
This feature is not compatible with OProfile; should OProfile be active, pressing the NMI button (or the use of the NMI watchdog) will not result in a panic.
Hardware IRQ balancing is enabled for Lindenhurst (Intel® E7520 and Intel® E7320) and Tumwater (Intel® E7525) based chipset platforms. Therefore, software IRQ balancing is disabled for these platforms in the Red Hat Enterprise Linux 3 Update 3 kernel.
The Red Hat Enterprise Linux 3 Update 3 kernel includes a new security feature known as Exec-shield. Exec-shield is a security-enhancing modification to the Linux kernel that makes large parts of specially-marked programs — including their stack — not executable. This can reduce the potential damage of some security holes, such as buffer overflow exploits.
Exec-shield can also randomize the virtual memory addresses at which certain binaries are loaded. This randomized VM mapping makes it more difficult for a malicious application to improperly access code or data based on knowledge of the code or data's virtual address.
Exec-shield's behavior can be controlled via the proc file system. Two files are used:
/proc/sys/kernel/exec-shield
/proc/sys/kernel/exec-shield-randomize
The /proc/sys/kernel/exec-shield file controls overall Exec-shield functionality, and can be manipulated using the following command:
echo <value> > /proc/sys/kernel/exec-shield
Where <value> is one of the following:
0 — Exec-shield (including randomized VM mapping) is disabled for all binaries, marked or not
1 — Exec-shield is enabled for all marked binaries
2 — Exec-shield is enabled for all binaries, regardless of marking (To be used for testing purposes ONLY)
The default value for /proc/sys/kernel/exec-shield is 1.
The /proc/sys/kernel/exec-shield-randomize file controls whether Exec-shield randomizes VM mapping, and can be manipulated using the following command:
echo <value> > /proc/sys/kernel/exec-shield-randomize
Where <value> is one of the following:
0 — Randomized VM mapping is disabled
1 — Randomized VM mapping is enabled
The default value for /proc/sys/kernel/exec-shield-randomize is 1.
It is also possible to configure Exec-shield by including one (or both) of the following lines in the /etc/sysctl.conf file:
kernel.exec-shield=<value>
kernel.exec-shield-randomize=<value>
(Where <value> is as previously described.)
Exec-shield can also be disabled at a system level by means of a kernel boot option. Appending the following parameter to the "kernel" line(s) in the /etc/grub.conf file will disable Exec-shield:
exec-shield=0
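The settings above live in three places: the two /proc files, their /etc/sysctl.conf equivalents, and the exec-shield=0 boot option in /etc/grub.conf. The following shell functions check all three against the documented defaults. They are an added example, not Red Hat tooling; the function names and the wording of the findings are assumptions, and the file arguments default to the paths named above.

```shell
#!/bin/sh
# Added example: flag Exec-shield settings that depart from the documented
# defaults (exec-shield=1, exec-shield-randomize=1). Function names and the
# wording of the findings are hypothetical; this is not Red Hat tooling.

# last_sysctl FILE KEY: print the last value assigned to KEY in a
# sysctl.conf-style file (later lines override earlier ones).
last_sysctl() {
    [ -r "$1" ] || return 0
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# classify SOURCE NAME VALUE: print a finding unless VALUE is unset or 1.
classify() {
    case "$3" in ""|1) return 0 ;; esac
    case "$2=$3" in
        exec-shield=0) echo "$1: exec-shield=0 disables Exec-shield (including randomized VM mapping) for all binaries" ;;
        exec-shield=2) echo "$1: exec-shield=2 is meant for testing purposes only" ;;
        exec-shield-randomize=0) echo "$1: exec-shield-randomize=0 disables randomized VM mapping" ;;
        *) echo "$1: $2 is set to '$3', which is not a documented value" ;;
    esac
}

# audit_exec_shield [SYSCTL_CONF] [GRUB_CONF] [PROC_DIR]
# Prints one finding per line, or nothing when every source keeps the defaults.
audit_exec_shield() {
    sysctl_conf=${1:-/etc/sysctl.conf}
    grub_conf=${2:-/etc/grub.conf}
    proc_dir=${3:-/proc/sys/kernel}
    for name in exec-shield exec-shield-randomize; do
        live=""
        if [ -r "$proc_dir/$name" ]; then live=$(cat "$proc_dir/$name"); fi
        classify "running kernel" "$name" "$live"
        classify "$sysctl_conf" "$name" "$(last_sysctl "$sysctl_conf" "kernel.$name")"
    done
    # The boot option is appended to the "kernel" line(s) of grub.conf.
    [ -r "$grub_conf" ] || return 0
    awk -v f="$grub_conf" '
        /^[ \t]*#/ { next }
        $1 == "kernel" {
            for (i = 2; i <= NF; i++)
                if ($i == "exec-shield=0")
                    printf "%s: line %d boots with exec-shield=0\n", f, NR
        }' "$grub_conf"
}
```

Running audit_exec_shield with no arguments checks the live system; a silent run means no source overrides the defaults.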
Exec-shield functionality is available only to binaries that have been built (and marked) using the toolchain (compiler, assembler, linker) available with Red Hat Enterprise Linux 3 Update 3. Binaries that have been built using a different version of the toolchain can still be used, but since they will not be marked, they will not take advantage of Exec-shield.
Application developers should keep in mind that, in the majority of cases, GCC correctly marks its generated code as being capable of using Exec-shield. In the few instances (usually caused by inline assembler or other nonportable code) where GCC non-optimally (or, more rarely, incorrectly) marks generated code, it is possible to pass GCC options to obtain the desired result.
The options controlling binary marking at the assembler level are:
-Wa,--execstack
-Wa,--noexecstack
The options controlling binary marking at the linker level are:
-Wl,-z,execstack
-Wl,-z,noexecstack
It is also possible to exert more fine-grained control by explicitly disabling Exec-shield for a specific binary at run time. This is done using the setarch command:
setarch i386 <binary>
(Where <binary> represents the binary to be run.) The binary is then run without Exec-shield functionality.
The proc file /proc/self/maps can be used to observe Exec-shield's effects. By using cat to display the current process's VM mapping, you can see Exec-shield at work. Similarly, you can use setarch in conjunction with cat to see how normal VM mapping differs from Exec-shield's mapping.
Red Hat Enterprise Linux 3 Update 3 includes a new security-related feature — kernel support for certain new Intel CPUs that include the NX (No eXecute) capability. NX technology restricts execution of program code, making it significantly more difficult for hackers to insert malicious code into the system by means of a buffer overrun. When specific pages are marked as nonexecutable, the CPU is prevented from executing code in those pages. This can be used to mark areas of memory such as the stack or the heap (typical places where buffers are stored).
Red Hat Enterprise Linux 3 (originally available 22-October-2003) included NX support for the AMD64 platform.
This update includes bug fixes for a number of drivers. The more significant driver updates are listed below. In some cases, the original driver has been preserved under a different name, and is available as a non-default alternative for organizations that wish to migrate their driver configuration to the latest versions at a later time.
The migration to the latest drivers should be completed before the next Red Hat Enterprise Linux update is applied, because in most cases only one older-revision driver will be preserved for each update.
These release notes also indicate which older-revision drivers have been removed from this kernel update. These drivers have the base driver name with the revision digits appended; for example, megaraid_2002.o. You must remove these drivers from /etc/modules.conf before installing this kernel update.
Keep in mind that the only definitive way to determine what drivers are being used is to review the contents of /etc/modules.conf. Use of the lsmod command is not a substitute for examining this file.
Adaptec RAID (aacraid driver)
The aacraid driver has been updated from 1.1.2 to 1.1.5-2339
The new driver is scsi/aacraid/aacraid.o
The older driver has been preserved as addon/aacraid_10102/aacraid_10102.o
LSI Logic RAID (megaraid driver)
The megaraid2 driver includes support for a number of new host bus adapters (certain PERC4 and Serial ATA products) that are not supported by the megaraid driver. If your system contains these newer products exclusively, the megaraid2 driver is loaded by default. If you have the older products exclusively, the megaraid driver will continue to be the default.
However, if you have a mix of old and new MegaRAID adapters, then the driver that is selected depends on the order in which the adapters are scanned. (Note that you cannot have both the megaraid and megaraid2 drivers loaded at the same time.) If the default driver on your system is not the desired one, take one of the following actions:
If you are installing the system, type the following command at the boot prompt:
expert noprobe
Next, select the desired driver from the subsequent menu.
If the system is already installed, edit /etc/modules.conf and change the "alias scsi_hostadapter" lines referring to the megaraid or the megaraid2 driver to the desired driver. Note that after making any changes to /etc/modules.conf you must rebuild the initrd image; refer to the mkinitrd man page for further details.
The megaraid2 driver has been updated from v2.10.1.1 to v2.10.6-RH1
The new driver is scsi/megaraid2.o
The older driver has been preserved as addon/megaraid_2101/megaraid2101.o
The v2.00.9 driver has been removed
The default driver remains the v1.18k driver (megaraid.o)
IBM ServeRAID (ips driver)
The ips driver has been updated from 6.11.07 to 7.00.15
The new driver is scsi/ips.o
The older driver has been preserved as addon/ips_61107/ips_61107.o
The ips 6.10.52 driver (ips_61052.o) has been removed
LSI Logic MPT Fusion (mpt* drivers)
These drivers have been updated from 2.05.11.03 to 2.05.16
The new drivers are located in message/fusion/
The older drivers have been preserved in addon/fusion_20511
The 2.05.05+ drivers (mpt*_20505.o) have been removed
Compaq SA53xx Controllers (cciss driver)
The cciss driver has been updated from 2.4.50.RH1 to v2.4.52.RH1
QLogic Fibre Channel (qla2xxx driver)
These drivers have been updated from 6.07.02-RH2 to 7.00.03-RH1
The new drivers are located in addon/qla2200
The older driver has been preserved in addon/qla2200_60702RH2
The 6.06.00b11 drivers (qla2*00_60600b11.o) have been removed
The QLA2100 adapter has been retired by QLogic. This adapter is no longer supported by QLogic or Red Hat. Therefore, the driver is located in the kernel-unsupported package.
Emulex Fibre Channel (lpfc driver)
This driver has been added to the distribution. The version is 7.0.3
The driver is located in addon/lpfc
Intel PRO/1000 (e1000 driver)
This driver has been updated from 5.2.30.1-k1 to 5.2.52-k3
Intel PRO/100 (e100 driver)
This driver has been updated from version 2.3.30-k1 to 2.3.43-k1
Broadcom Tigon3 (tg3 driver)
This driver has been updated from v3.1 to v3.6RH
This section contains listings of packages that have been updated, added, or removed from Red Hat Enterprise Linux 3 as part of Update 3. Packages that have been built for multiple architectures are listed with the target architecture in parentheses.
These package lists include packages from all variants of Red Hat Enterprise Linux 3. Your system may not include every one of the packages listed here.
The following packages have been updated from Red Hat Enterprise Linux 3 Update 2:
ImageMagick
ImageMagick-c++
ImageMagick-c++-devel
ImageMagick-devel
ImageMagick-perl
MAKEDEV
XFree86
XFree86-100dpi-fonts
XFree86-75dpi-fonts
XFree86-ISO8859-14-100dpi-fonts
XFree86-ISO8859-14-75dpi-fonts
XFree86-ISO8859-15-100dpi-fonts
XFree86-ISO8859-15-75dpi-fonts
XFree86-ISO8859-2-100dpi-fonts
XFree86-ISO8859-2-75dpi-fonts
XFree86-ISO8859-9-100dpi-fonts
XFree86-ISO8859-9-75dpi-fonts
XFree86-Mesa-libGL
XFree86-Mesa-libGLU
XFree86-Xnest
XFree86-Xvfb
XFree86-base-fonts
XFree86-cyrillic-fonts
XFree86-devel
XFree86-doc
XFree86-font-utils
XFree86-libs
XFree86-libs-data
XFree86-sdk
XFree86-syriac-fonts
XFree86-tools
XFree86-truetype-fonts
XFree86-twm
XFree86-xauth
XFree86-xdm
XFree86-xfs
anaconda
anaconda-runtime
arpwatch
at
autofs
bash
bind
bind-chroot
bind-devel
bind-utils
bison
cdda2wav
cdrecord
cdrecord-devel
chkconfig
comps
control-center
cpp
crash
cups
cups-devel
cups-libs
cvs
dev
dhclient
dhcp
dhcp-devel
eclipse
eclipse-lomboz
elfutils
elfutils-devel
elfutils-libelf
elfutils-libelf-devel
ethereal
ethereal-gnome
ethtool
expect
expect-devel
expectk
file-roller
gcc
gcc-c++
gcc-g77
gcc-gnat
gcc-java
gcc-objc
gdb
glibc (i386)
glibc (i686)
glibc-common
glibc-debug
glibc-devel
glibc-headers
glibc-kernheaders
glibc-profile
glibc-utils
gnome-panel
grep
grub
gtk+
gtk+-devel
gtkhtml3
gtkhtml3-devel
httpd
httpd-devel
hwdata
imap
imap-devel
imap-utils
initscripts
itcl
jpackage-utils
kdelibs
kdelibs-devel
kernel (athlon)
kernel (i686)
kernel-BOOT
kernel-doc
kernel-hugemem
kernel-hugemem-unsupported
kernel-smp (athlon)
kernel-smp (i686)
kernel-smp-unsupported (athlon)
kernel-smp-unsupported (i686)
kernel-source
kernel-unsupported (athlon)
kernel-unsupported (i686)
kernel-utils
krb5-devel
krb5-libs
krb5-server
krb5-workstation
laus
laus-devel
lha
libcap
libcap-devel
libf2c
libgcc
libgcj
libgcj-devel
libgnat
libgtop2
libgtop2-devel
libobjc
libpcap
libpng
libpng-devel
libpng10
libpng10-devel
libstdc++
libstdc++-devel
ltrace
lvm
mdadm
metacity
mkisofs
mod_auth_pgsql
mod_authz_ldap
mod_ssl
modutils
modutils-devel
ncompress
net-snmp
net-snmp-devel
net-snmp-perl
net-snmp-utils
nfs-utils
nptl-devel
nscd
nss_ldap
ntp
ntsysv
openldap
openldap-clients
openldap-devel
openldap-servers
openmotif
openmotif-devel
openoffice.org
openoffice.org-i18n
openoffice.org-libs
openssl (i386)
openssl (i686)
openssl-devel
openssl-perl
pam
pam-devel
parted
parted-devel
passwd
perl
perl-CGI
perl-CPAN
perl-DB_File
perl-suidperl
php
php-devel
php-imap
php-ldap
php-mysql
php-odbc
php-pgsql
popt
postfix
ppp
prelink
procps
pvm
pvm-gui
qt
qt-MySQL
qt-ODBC
qt-PostgreSQL
qt-designer
qt-devel
rdist
readline
readline-devel
redhat-config-bind
redhat-config-kickstart
redhat-config-network
redhat-config-network-tui
redhat-config-proc
redhat-config-securitylevel
redhat-config-securitylevel-tui
rh-postgresql
rh-postgresql-contrib
rh-postgresql-devel
rh-postgresql-docs
rh-postgresql-jdbc
rh-postgresql-libs
rh-postgresql-pl
rh-postgresql-python
rh-postgresql-server
rh-postgresql-tcl
rh-postgresql-test
rhnlib
rhpl
rp-pppoe
rpm
rpm-build
rpm-devel
rpm-python
rpmdb-redhat
rsync
rusers
rusers-server
samba
samba-client
samba-common
samba-swat
schedutils
sendmail
sendmail-cf
sendmail-devel
sendmail-doc
shadow-utils
squid
squirrelmail
strace
sysklogd
sysstat
tcl
tcl-devel
tcl-html
tcllib
tclx
tcpdump
tix
tk
tk-devel
tux
unixODBC
unixODBC-devel
unixODBC-kde
up2date
up2date-gnome
utempter
vixie-cron
xemacs
xemacs-el
xemacs-info
xinetd
xscreensaver
ypserv
The following packages have been added to Red Hat Enterprise Linux 3 Update 3:
amtu
anacron
authd
bind-libs
bootparamd
diskdumputils
eal3-certification
eal3-certification-doc
eclipse-rhaps-develserver
evolution-connector
laus-libs
nss_db
nss_db-compat
qt-config
The following packages have been removed from Red Hat Enterprise Linux 3 Update 3:
java-javadoc
( x86 )