Bug 1170695
Summary: | krb5kdc crash in ldap_pvt_search | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Scott Poore <spoore> | ||||||||
Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> | ||||||||
Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> | ||||||||
Severity: | unspecified | Docs Contact: | |||||||||
Priority: | medium | ||||||||||
Version: | 7.1 | CC: | jcholast, mkosek, ovasik, pvoborni, rcritten, rmainz, sbose, spoore, ssorce, tscherf | ||||||||
Target Milestone: | rc | ||||||||||
Target Release: | --- | ||||||||||
Hardware: | Unspecified | ||||||||||
OS: | Unspecified | ||||||||||
Whiteboard: | |||||||||||
Fixed In Version: | ipa-4.1.0-13.el7 | Doc Type: | Bug Fix | ||||||||
Doc Text: | Story Points: | --- | |||||||||
Clone Of: | Environment: | ||||||||||
Last Closed: | 2015-03-05 10:18:48 UTC | Type: | Bug | ||||||||
Regression: | --- | Mount Type: | --- | ||||||||
Documentation: | --- | CRM: | |||||||||
Verified Versions: | Category: | --- | |||||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||||
Embargoed: | |||||||||||
Attachments: |
|
Description
Scott Poore
2014-12-04 15:51:55 UTC
Created attachment 964731 [details]
abrt output email for the crash
(In reply to Scott Poore from comment #1) > Created attachment 964731 [details] > abrt output email for the crash The "crash" is actually a failed |assert()| in libldap_r (libldap_r-2.4.so.2) code... but I can't reproduce it on my side... ;-( erno=ENEEDMOREDATA... Scott: Is there anything special in your ipa setup ? The component is wrong, it is a crash in FreeIPA's KDB driver, re-assigning to ipa component. Roland, No, nothing special. I think it may have occurred during debugging of bug #1167964 but, I don't know if that "caused" it. I don't think we've seen this in our automated tests. Thanks, Scott Can we get a backtrace with the exact version of ipa-debuginfo and openldap-debuginfo packages installed ? I can see where this is happening but w/o the debuginfo packages we got no stack contents in the printed backtrace. Scott, could you provide traceback which Simo requested in comment 8? Thanks Petr, Simo, Sorry for the delay. I thought I'd replied to this one a couple days ago. Unfortunately, we no longer have the servers available where this crash occurred. And, due to the yum repo configs used for the build, it's difficult to recreate. The debuginfo rpms for ipa and openldap should match versions with the normal rpms right? If that's right, can we extrapolate and get that from the abrt files I attached and if we get the right debuginfo rpms? I do still have the logs from the test job run showing rpm versions: openldap-2.4.39-5.el7.x86_64 ipa-server-4.1.0-10.el7.x86_64 Would that help at all? Would I just have to get a RHEL7 host with those versions installed, and their debuginfo to get the backtrace you're looking for? Created attachment 967364 [details]
backtrace
I generated this from another server built with what I think is the same versions of rpms as where we saw the crash.
Let me know if this helps.
Thank you Scott, now I know what happened, trying to find out why, and come up with a patch. We'll probably need an upstream ticket too. Created attachment 967807 [details]
Fix a crash bug in the ipa kdb driver
This patch should fix the problem, would you be able to test it ?
I think it should be easy to reproduce the problem.
Install ipa, run some test that keeps performing kerberos operations, for example run kinit as a user every 30 seconds.
Stop DS.
Let the test run for at least 2 minutes, after 2 minutes you should see a crash.
There is some caching involved that may prevent the problem from showing if the test has not crashed the KDC after a few minutes then we'll need to get a little more creative.
yeah let me take a look. I'll try that and the patch. Thanks well, I guess we might need to get more creative. I let it run for a while with DS off and I didn't see a crash.
[root@vm9 shared]# while true; do
> kdestroy -A
> echo Secret123 | kinit user1
> sleep 30
> done
Password for user1:
kinit: Generic error (see e-text) while getting initial credentials
kinit: Generic error (see e-text) while getting initial credentials
kinit: Generic error (see e-text) while getting initial credentials
...
And in /var/log/krb5kdc.log:
Dec 12 19:22:47 vm9.example.test krb5kdc[4130](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.209: LOOKING_UP_CLIENT: user1 for krbtgt/EXAMPLE.TEST, Server error
Let's try one more test, restart krb5kdc while DS is down. And then do the kinit stuff for a few minutes. Given it is already confirmed this is a bug in FreeIPA (and we have a patch candidate), I will clone an upstream ticket. Upstream ticket: https://fedorahosted.org/freeipa/ticket/4810 Simo, I can't restart krb5kdc when dirsrv is down. Or did I misunderstand? [root@vm9 x86_64]# systemctl restart krb5kdc Job for krb5kdc.service failed. See 'systemctl status krb5kdc.service' and 'journalctl -xn' for details. [root@vm9 x86_64]# systemctl status krb5kdc.service -l krb5kdc.service - Kerberos 5 KDC Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled) Active: failed (Result: exit-code) since Thu 2014-12-18 15:50:51 CST; 30s ago Process: 4521 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE) Main PID: 2089 (code=exited, status=0/SUCCESS) Dec 18 15:50:51 vm9.example.test systemd[1]: Starting Kerberos 5 KDC... Dec 18 15:50:51 vm9.example.test krb5kdc[4521]: krb5kdc: cannot initialize realm EXAMPLE.TEST - see log file for details Dec 18 15:50:51 vm9.example.test systemd[1]: krb5kdc.service: control process exited, code=exited status=1 Dec 18 15:50:51 vm9.example.test systemd[1]: Failed to start Kerberos 5 KDC. Dec 18 15:50:51 vm9.example.test systemd[1]: Unit krb5kdc.service entered failed state. Thanks, Scott (In reply to Scott Poore from comment #20) > Simo, > > I can't restart krb5kdc when dirsrv is down. Or did I misunderstand? Uhmm, I forgot that we cannot start without DS being up ... it is possible this can be triggered only during a small race condition window when setting up IPA. Not helpful, I know, but at least the patch definitely should deal with this specific crash. Not sure if there may be any other lurking, but seems unlikely. Unless we can reproduce easily on ipa setup, I guess we'll need to do sanity only validation. I think this occurred on a server after IPA was setup. Yes, I think at this point it's going to be sanity only. Verified. Version :: ipa-server-4.1.0-13.el7.x86_64 Results :: Marking this one sanity only since we are unable to reproduce the crash. I tested just now with two scenarios. One rhel7.1 replica with rhel6.6 master as where this was originally seen as mentioned in comment #7. The second scenario was a standard master install test. Scenario 1: RHEL6.6 master and RHEL7.1 replica: [root@rhel7-1 ~]# scp /usr/share/ipa/copy-schema-to-ca.py root@rhel6-1:/root The authenticity of host 'rhel6-1 (192.168.122.61)' can't be established. RSA key fingerprint is eb:ba:02:b8:ca:50:f6:36:41:43:d9:ee:4a:69:6f:a2. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'rhel6-1,192.168.122.61' (RSA) to the list of known hosts. root@rhel6-1's password: copy-schema-to-ca.py 100% 2612 2.6KB/s 00:00 [root@rhel7-1 ~]# ssh root@rhel6-1 "python /root/copy-schema-to-ca.py" root@rhel6-1's password: ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60kerberos.ldif ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60samba.ldif ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60ipaconfig.ldif ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60basev2.ldif ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60basev3.ldif ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60ipadns.ldif ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/61kerberos-ipav3.ldif ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/65ipasudo.ldif ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/05rfc2247.ldif ipa : INFO Restarting CA DS ipa : INFO Schema updated successfully [root@rhel7-1 ~]# ipa-replica-install --setup-ca --setup-dns --forwarder=192.168.122.1 -p Secret123 -w Secret123 /root/replica-info-rhel7-1.example.com.gpg Checking forwarders, please wait ... WARNING: DNS forwarder 192.168.122.1 does not return DNSSEC signatures in answers Please fix forwarder configuration to enable DNSSEC support. (For BIND 9 add directive "dnssec-enable yes;" to "options {}") WARNING: DNSSEC validation will be disabled Run connection check to master Check connection from replica to remote master 'rhel6-1.example.com': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos Kpasswd: TCP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK PKI-CA: Directory Service port (7389): OK The following list of ports use UDP protocol and would need to be checked manually: Kerberos KDC: UDP (88): SKIPPED Kerberos Kpasswd: UDP (464): SKIPPED Connection from replica to master is OK. Start listening on required ports for remote master check Get credentials to log in to remote master Check SSH connection to remote master Execute check on remote master Check connection from master to remote replica 'rhel7-1.example.com': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos KDC: UDP (88): OK Kerberos Kpasswd: TCP (464): OK Kerberos Kpasswd: UDP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK Connection from master to replica is OK. Connection check OK Using reverse zone(s) 122.168.192.in-addr.arpa. Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server (dirsrv): Estimated time 1 minute [1/35]: creating directory server user [2/35]: creating directory server instance [3/35]: adding default schema [4/35]: enabling memberof plugin [5/35]: enabling winsync plugin [6/35]: configuring replication version plugin [7/35]: enabling IPA enrollment plugin [8/35]: enabling ldapi [9/35]: configuring uniqueness plugin [10/35]: configuring uuid plugin [11/35]: configuring modrdn plugin [12/35]: configuring DNS plugin [13/35]: enabling entryUSN plugin [14/35]: configuring lockout plugin [15/35]: creating indices [16/35]: enabling referential integrity plugin [17/35]: configuring ssl for ds instance [18/35]: configuring certmap.conf [19/35]: configure autobind for root [20/35]: configure new location for managed entries [21/35]: configure dirsrv ccache [22/35]: enable SASL mapping fallback [23/35]: restarting directory server [24/35]: setting up initial replication Starting replication, please wait until this has completed. Update in progress, 4 seconds elapsed Update succeeded [25/35]: updating schema [26/35]: setting Auto Member configuration [27/35]: enabling S4U2Proxy delegation [28/35]: importing CA certificates from LDAP [29/35]: initializing group membership [30/35]: adding master entry [31/35]: configuring Posix uid/gid generation [32/35]: adding replication acis [33/35]: enabling compatibility plugin [34/35]: tuning directory server [35/35]: configuring directory to start on boot Done configuring directory server (dirsrv). Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds [1/22]: creating certificate server user [2/22]: configuring certificate server instance [3/22]: stopping certificate server instance to update CS.cfg [4/22]: backing up CS.cfg [5/22]: disabling nonces [6/22]: set up CRL publishing [7/22]: enable PKIX certificate path discovery and validation [8/22]: starting certificate server instance [9/22]: creating RA agent certificate database [10/22]: importing CA chain to RA certificate database [11/22]: fixing RA database permissions [12/22]: setting up signing cert profile [13/22]: set certificate subject base [14/22]: enabling Subject Key Identifier [15/22]: enabling Subject Alternative Name [16/22]: enabling CRL and OCSP extensions for certificates [17/22]: setting audit signing renewal to 2 years [18/22]: configuring certificate server to start on boot [19/22]: configure certmonger for renewals [20/22]: configure certificate renewals [21/22]: configure Server-Cert certificate renewal [22/22]: Configure HTTP to proxy connections Done configuring certificate server (pki-tomcatd). Restarting the directory and certificate servers Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds [1/9]: adding sasl mappings to the directory [2/9]: writing stash file from DS [3/9]: configuring KDC [4/9]: creating a keytab for the directory [5/9]: creating a keytab for the machine [6/9]: adding the password extension to the directory [7/9]: enable GSSAPI for replication [8/9]: starting the KDC [9/9]: configuring KDC to start on boot Done configuring Kerberos KDC (krb5kdc). Configuring kadmin [1/2]: starting kadmin [2/2]: configuring kadmin to start on boot Done configuring kadmin. Configuring ipa_memcached [1/2]: starting ipa_memcached [2/2]: configuring ipa_memcached to start on boot Done configuring ipa_memcached. Configuring the web interface (httpd): Estimated time 1 minute [1/14]: setting mod_nss port to 443 [2/14]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2 [3/14]: setting mod_nss password file [4/14]: enabling mod_nss renegotiate [5/14]: adding URL rewriting rules [6/14]: configuring httpd [7/14]: setting up ssl [8/14]: importing CA certificates from LDAP [9/14]: publish CA cert [10/14]: creating a keytab for httpd [11/14]: clean up any existing httpd ccache [12/14]: configuring SELinux for httpd [13/14]: restarting httpd [14/14]: configuring httpd to start on boot Done configuring the web interface (httpd). Configuring ipa-otpd [1/2]: starting ipa-otpd [2/2]: configuring ipa-otpd to start on boot Done configuring ipa-otpd. Applying LDAP updates Restarting Directory server to apply updates [1/2]: stopping directory server [2/2]: starting directory server Done. Restarting the directory server Restarting the KDC Restarting the certificate server Configuring DNS (named) [1/9]: generating rndc key file [2/9]: setting up reverse zone [3/9]: setting up our own record [4/9]: adding NS record to the zones [5/9]: setting up CA record [6/9]: setting up kerberos principal [7/9]: setting up named.conf [8/9]: configuring named to start on boot [9/9]: changing resolv.conf to point to ourselves Done configuring DNS (named). Restarting named Global DNS configuration in LDAP server is empty You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files Restarting the web server [root@rhel7-1 ~]# kinit admin Password for admin: [root@rhel7-1 ~]# ipa user-find -------------- 1 user matched -------------- User login: admin Last name: Administrator Home directory: /home/admin Login shell: /bin/bash UID: 1289600000 GID: 1289600000 Account disabled: False Password: True Kerberos keys available: True ---------------------------- Number of entries returned 1 ---------------------------- [root@rhel7-1 ~]# ssh root@rhel6-1 "echo ^C [root@rhel7-1 ~]# ADMINPW=Secret123 [root@rhel7-1 ~]# ssh root@rhel6-1 "echo $ADMINPW|kinit admin; ipa user-find" root@rhel6-1's password: Password for admin: -------------- 1 user matched -------------- User login: admin Last name: Administrator Home directory: /home/admin Login shell: /bin/bash UID: 1289600000 GID: 1289600000 Account disabled: False Password: True Kerberos keys available: True ---------------------------- Number of entries returned 1 ---------------------------- Scenario 2: RHEL7.1 master [root@rhel7-2 ~]# ipa-server-install --setup-dns --forwarder=192.168.122.1 -r EXAMPLE.COM -a Secret123 -p Secret123 -U The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will set up the IPA Server. This includes: * Configure a stand-alone CA (dogtag) for certificate management * Configure the Network Time Daemon (ntpd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) * Configure DNS (bind) Warning: skipping DNS resolution of host rhel7-2.example.com The domain name has been determined based on the host name. Checking forwarders, please wait ... WARNING: DNS forwarder 192.168.122.1 does not return DNSSEC signatures in answers Please fix forwarder configuration to enable DNSSEC support. (For BIND 9 add directive "dnssec-enable yes;" to "options {}") WARNING: DNSSEC validation will be disabled Using reverse zone(s) 122.168.192.in-addr.arpa. The IPA Master Server will be configured with: Hostname: rhel7-2.example.com IP address(es): 192.168.122.72 Domain name: example.com Realm name: EXAMPLE.COM BIND DNS server will be configured to serve IPA domain with: Forwarders: 192.168.122.1 Reverse zone(s): 122.168.192.in-addr.arpa. Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server (dirsrv): Estimated time 1 minute [1/38]: creating directory server user [2/38]: creating directory server instance [3/38]: adding default schema [4/38]: enabling memberof plugin [5/38]: enabling winsync plugin [6/38]: configuring replication version plugin [7/38]: enabling IPA enrollment plugin [8/38]: enabling ldapi [9/38]: configuring uniqueness plugin [10/38]: configuring uuid plugin [11/38]: configuring modrdn plugin [12/38]: configuring DNS plugin [13/38]: enabling entryUSN plugin [14/38]: configuring lockout plugin [15/38]: creating indices [16/38]: enabling referential integrity plugin [17/38]: configuring certmap.conf [18/38]: configure autobind for root [19/38]: configure new location for managed entries [20/38]: configure dirsrv ccache [21/38]: enable SASL mapping fallback [22/38]: restarting directory server [23/38]: adding default layout [24/38]: adding delegation layout [25/38]: creating container for managed entries [26/38]: configuring user private groups [27/38]: configuring netgroups from hostgroups [28/38]: creating default Sudo bind user [29/38]: creating default Auto Member layout [30/38]: adding range check plugin [31/38]: creating default HBAC rule allow_all [32/38]: initializing group membership [33/38]: adding master entry [34/38]: configuring Posix uid/gid generation [35/38]: adding replication acis [36/38]: enabling compatibility plugin [37/38]: tuning directory server [38/38]: configuring directory to start on boot Done configuring directory server (dirsrv). Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds [1/27]: creating certificate server user [2/27]: configuring certificate server instance [3/27]: stopping certificate server instance to update CS.cfg [4/27]: backing up CS.cfg [5/27]: disabling nonces [6/27]: set up CRL publishing [7/27]: enable PKIX certificate path discovery and validation [8/27]: starting certificate server instance [9/27]: creating RA agent certificate database [10/27]: importing CA chain to RA certificate database [11/27]: fixing RA database permissions [12/27]: setting up signing cert profile [13/27]: set certificate subject base [14/27]: enabling Subject Key Identifier [15/27]: enabling Subject Alternative Name [16/27]: enabling CRL and OCSP extensions for certificates [17/27]: setting audit signing renewal to 2 years [18/27]: configuring certificate server to start on boot [19/27]: restarting certificate server [20/27]: requesting RA certificate from CA [21/27]: issuing RA agent certificate [22/27]: adding RA agent as a trusted user [23/27]: configure certmonger for renewals [24/27]: configure certificate renewals [25/27]: configure RA certificate renewal [26/27]: configure Server-Cert certificate renewal [27/27]: Configure HTTP to proxy connections Done configuring certificate server (pki-tomcatd). Configuring directory server (dirsrv): Estimated time 10 seconds [1/3]: configuring ssl for ds instance [2/3]: restarting directory server [3/3]: adding CA certificate entry Done configuring directory server (dirsrv). Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds [1/10]: adding sasl mappings to the directory [2/10]: adding kerberos container to the directory [3/10]: configuring KDC [4/10]: initialize kerberos container [5/10]: adding default ACIs [6/10]: creating a keytab for the directory [7/10]: creating a keytab for the machine [8/10]: adding the password extension to the directory [9/10]: starting the KDC [10/10]: configuring KDC to start on boot Done configuring Kerberos KDC (krb5kdc). Configuring kadmin [1/2]: starting kadmin [2/2]: configuring kadmin to start on boot Done configuring kadmin. Configuring ipa_memcached [1/2]: starting ipa_memcached [2/2]: configuring ipa_memcached to start on boot Done configuring ipa_memcached. Configuring ipa-otpd [1/2]: starting ipa-otpd [2/2]: configuring ipa-otpd to start on boot Done configuring ipa-otpd. Configuring the web interface (httpd): Estimated time 1 minute [1/15]: setting mod_nss port to 443 [2/15]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2 [3/15]: setting mod_nss password file [4/15]: enabling mod_nss renegotiate [5/15]: adding URL rewriting rules [6/15]: configuring httpd [7/15]: setting up ssl [8/15]: importing CA certificates from LDAP [9/15]: setting up browser autoconfig [10/15]: publish CA cert [11/15]: creating a keytab for httpd [12/15]: clean up any existing httpd ccache [13/15]: configuring SELinux for httpd [14/15]: restarting httpd [15/15]: configuring httpd to start on boot Done configuring the web interface (httpd). Applying LDAP updates Restarting Directory server to apply updates [1/2]: stopping directory server [2/2]: starting directory server Done. Restarting the directory server Restarting the KDC Restarting the certificate server Configuring DNS (named) [1/12]: generating rndc key file [2/12]: adding DNS container [3/12]: setting up our zone [4/12]: setting up reverse zone [5/12]: setting up our own record [6/12]: setting up records for other masters [7/12]: adding NS record to the zones [8/12]: setting up CA record [9/12]: setting up kerberos principal [10/12]: setting up named.conf [11/12]: configuring named to start on boot [12/12]: changing resolv.conf to point to ourselves Done configuring DNS (named). Restarting named Global DNS configuration in LDAP server is empty You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files Restarting the web server ============================================================================== Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos * 53: bind UDP Ports: * 88, 464: kerberos * 53: bind * 123: ntp 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. Be sure to back up the CA certificate stored in /root/cacert.p12 This file is required to create replicas. The password for this file is the Directory Manager password [root@rhel7-2 ~]# kinit admin Password for admin: [root@rhel7-2 ~]# ipa user-find -------------- 1 user matched -------------- User login: admin Last name: Administrator Home directory: /home/admin Login shell: /bin/bash UID: 1375600000 GID: 1375600000 Account disabled: False Password: True Kerberos keys available: True ---------------------------- Number of entries returned 1 ---------------------------- [root@rhel7-2 ~]# ipa-replica-manage list rhel7-2.example.com: master Fixed upstream master: https://fedorahosted.org/freeipa/changeset/730b472db123e97a0c158b626e9f7c3f0b13e2ca ipa-4-1: https://fedorahosted.org/freeipa/changeset/7a901060d3e9a23e44cb4b5c84ad436e4db49ea2 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0442.html |