[El-errata] ELSA-2016-2597 Moderate: Oracle Linux 7 firewalld security, bug fix, and enhancement update

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Thu Nov 10 11:12:30 PST 2016

Oracle Linux Security Advisory ELSA-2016-2597


The following updated rpms for Oracle Linux 7 have been uploaded to the 
Unbreakable Linux Network:



Description of changes:

- Exclude firewallctl (RHBZ#1374799)

- Tolerate ipv6_rpfilter fail (RHBZ#1285769)
- Fix set_rules to copy the rule before extracting the table (RHBZ#1373260)
- Translation update (RHBZ#1273296)
- Conflict with NetworkManager < 1:1.4.0-3.el7 (RHBZ#1366288)

- Do not use exit code 254 for {ALREADY,NOT}_ENABLED sequences 
- Fail with NOT_AUTHORIZED if authorization fails (RHBZ#1368549)
- firewall-cmd: Fix get and set description for permanent zones 
- Fix loading of service helpers in active zones (RHBZ#1371116)

- Print errors and warnings to stderr additional patch (RHBZ#1360894)
- Fixed trace back in firewallctl (RHBZ#1367155)
- Fix client crash if systembus can not be aquired (RHBZ#1367038)
- Make ALREADY_ENABLED a warning (RHBZ#1366654)
- Added conflict to old squid package providing the squid.service file
- Fixed firewall-cmd help typo (RHBZ#1367171)

- Fixed firewall-config gettext usage (RHBZ#1361612)
- Fixed ifcfg file reader and writer (RHBZ#1362171)
- Fixed loading ipset entries from file in commands (RHBZ#1365198)
- Added conflicts to old main package to sub packages (RHBZ#1361669)
- Do not show settings of zones etc. without authentication (RHBZ#1357098)
- Fixed CVE-2016-5410 (RHBZ#1359296)

- Fix test suite for command change (RHBZ#1360871)
- Fix test suite with stderr usage (RHBZ#1360894)
- Rebuild for wrong docdir without version (RHBZ#1057327#c7)

- Updated conflict for selinux-policy (RHBZ#1304723)
- Fixed exit codes in command line clients (RHBZ#1357050)
- Fixed traceback in firewall-cmd without args (RHBZ#1357063)
- Fixed source docs in man pages and help output (RHBZ#1357888)
- Fixed rebuild of changed man pages (RHBZ#1360362)
- Use stderr for errors and warnings in command line tools (RHBZ#1360894)
- Fixed lockdown not denying invalid commands (RHBZ#1360871)

- Rebase to
- Fix regression with unavailable optional commands
- All missing backend messages should be warnings
- Individual calls for missing restore commands
- Only one authenticate call for add and remove options and also sequences
- RH-Satellite-6 service now upstream
- Conflict for selinux-policy needed to be updated to newer release

- Rebase to
- firewall.command: Fix python3 DBusException message not interable error
- src/Makefile.am: Fix path in firewall-[offline-]cmd_test.sh while 
- firewallctl: Do not trace back on list command without further arguments
- firewallctl (man1): Added remaining sections zone, service, ..
- firewallctl: Added runtime-to-permanent, interface and source parser,
   IndividualCalls setting
- firewall.server.config: Allow to set IndividualCalls property in config
- Fix missing icmp rules for some zones
- runProg: Fix issue with running programs
- firewall-offline-cmd: Fix issues with missing system-config-firewall
- firewall.core.ipXtables: Split up source and dest addresses for 
- firewall.server.config: Log error in case of loading malformed files in
- Install and package the firewallctl man page

- Readding RH-Satellite-6 service

- Fixed typo in Requires(post)

- Rebase to 0.4.3
- Rebase to the new upstream and new release (RHBZ#1302802)
- New firewallctl command line utility (RHBZ#1147959)
- Adds radius TCP ports (RHBZ#1219717)
- XSD enhancements for conflicting tag specification (RHBZ#1296573)
- Adds port for corosync-qnetd to high-availability service (RHBZ#1347530)

- Rebase to 0.4.2
- Allows unspecifying zone binding for interfaces in firewall-config
- Adds improved management of zone binding for interfaces, connections and
   sources (RHBZ#1083626)
- Adds commands to showing details of zones, services, .. (RHBZ#1147500)
- Adds a default logging option (RHBZ#1147951)
- Adds quiet option for firewall-offline-cmd (RHBZ#1220467)
- Adds support for zone chain usage in direct rules (RHBZ#1136801,
- Adds source port support in zones, services and rich rules (RHBZ#1214770)
- Adds services imap and smtps (RHBZ#1220196)
- Fixes runtime to permanent migration(RHBZ#1237242)
- Fixes removal of destination addresses for services in permanent view in
   firewall-config (RHBZ#1278281)
- Fixes firewall-config usage over ssh (RHBZ#1281416)
- Fixes reload disconnects with existing connections (RHBZ#1287449)
- Fixes ICMP packet drops while reloading (RHBZ#1288177)
- Adds option to add a new zone, service, .. from existing file 
- Adds improved checks for file readers, fixes error reporting of strings
   containing illegal characters (RHBZ#1303026)
- Transforms direct.passthrough errors into warnings (RHBZ#1301573)
- Reduced getprotobyname and getservbyname calls for NIS use (RHBZ#1305434)
- Fixes (repeated) firewalld reload by sending SIGHUP signal (RHBZ#1313023)
- Adds After=dbus.service to service file to fix shutdown (RHBZ#1313845)
- Adds ICMP block inversion support (RHBZ#1325335)
- Fixes local traffic issue with masquerading in default zone (RHBZ#1326130)
- Adds destination rich rules without an element (RHBZ#1326462)
- Fixes reload after default zone change to newly introduced zone 
- Fixes start without ipv6_rpfilter module (RHBZ#1285769)
- Adds log of denied packets option (RHBZ#1322505)

More information about the El-errata mailing list