2 New Features and Changes
This chapter describes the new features, major enhancements, bug fixes, and other changes that are included in this release of Oracle Linux 8.
Operating System and Software Management
DNF Includes an offline-upgrade Command
Oracle Linux includes the dnf offline-upgrade command from the DNF
system-upgrade plugin. Offline upgrades help protect a system during
upgrades by performing package installations after a reboot and before libraries that might
be affected by package updates are loaded.
This feature includes the option to apply security advisory filters, such as
--advisory, --security, and --bugfix,
to limit the download of packages and their dependencies to a specified advisory.
DNF API Includes an unload_plugins Function
The DNF API supports the unload_plugins function which enables you to
unload plugins. To use this feature, first run the init_plugins function,
and then run the unload_plugins function.
rpm2archive Includes a --nocompression Option
The rpm2archive command includes a --nocompression
option that prevents compression when unpacking an RPM package.
Compilers and Development Toolsets
Updated Compilers and Development Tools
The following performance tools and debuggers are updated:
- Valgrind 3.19
- SystemTap 4.8
- Dyninst 12.1.0
- elfutils 0.188
The following performance monitoring tools are updated:
- PCP 5.3.7
- Grafana 7.5.15
The following compiler toolsets are updated:
- GCC Toolset 12
- LLVM Toolset 15.0.7
- Rust Toolset 1.66
- Go Toolset 1.19.4
GCC Toolset 12
GCC Toolset 12 is a compiler toolset that provides recent versions of development tools.
The toolset is available as an Application Stream in the form of a Software Collection in
the AppStream repository.
The following tools and versions are available in the GCC Toolset 12:
- GCC 12.2.1
- GDB 11.2
- binutils 2.38
- dwz 0.14
- annobin 11.08
To install the toolset, type:
sudo dnf install gcc-toolset-12
To run a tool from GCC Toolset 12, type:
scl enable gcc-toolset-12 tool
To run a shell session where tool versions from GCC Toolset 12 override system versions of these tools:
scl enable gcc-toolset-12 bash
swig:4.1 Module Stream Introduced
Oracle Linux 8 introduces the Simplified Wrapper and Interface Generator (SWIG) version
4.1, which is available as a new module stream, swig:4.1.
To install the swig:4.1 module stream, type:
sudo dnf module install swig:4.1
jaxb:4 Module Stream Is Introduced
Jakarta XML Binding (JAXB) 4 is the new jaxb:4 module stream. With the
JAXB framework, developers can map Java classes to and from XML representations. To install
jaxb:4, type:
sudo dnf install jaxb:4
Security Improvements for glibc
The Safe-Linking feature is added to glibc, which improves
protection for the malloc family of functions against certain singly linked
list corruption, including in the allocator's thread-local cache.
Rust Toolset Updated to Version 1.66.1
The updated version includes the following features:
- Additions to the toolset's API
- Keyword and statement changes
- Generic associated types (GATs) for new abstractions over types and lifetimes
- rust-analyzer as a new Language Server Protocol implementation
- Additional subcommands
tzdata Package Includes the leap-seconds.list File
The /usr/share/zoneinfo/leap-seconds.list file accommodates an alternate
format to the /usr/share/zoneinfo/leapseconds file that is shipped with the
tzdata package. With the two files, applications can use either format to
calculate International Atomic Time (TAI) from Coordinated Universal Time (UTC) values.
Improved glibc Dynamic Loader Algorithm
While processing shared objects with deeply nested dependencies, the glibc
dynamic loader algorithm can slow down application startup and shutdown times. The updated
algorithm avoids this impact by using depth-first search (DFS).
The dynamic loader's sorting algorithm is selected through the
glibc.rtld.dynamic_sort tunable, whose new default setting of 2 selects
the updated version. To use the previous O(n³) algorithm, set the tunable to 1, as follows:
GLIBC_TUNABLES=glibc.rtld.dynamic_sort=1
export GLIBC_TUNABLES
Dynamic Programming Languages, Web and Database Servers
Python 3.11 Is Available
Python 3.11 is an update from Python 3.9. Some notable changes that are introduced in this version include the following:
- Availability of the match keyword for Structural Pattern Matching
- Availability of the tomllib standard library module for parsing Tom's Obvious Minimal Language (TOML) formats
- Additional features related to type hints and the typing module, such as the new X | Y type union operator, variadic generics, and the new Self type
- Capability for raising and handling multiple unrelated exceptions simultaneously through Exception Groups and the new except* syntax
- Better error handling by providing precise error locations in tracebacks that point to the expression that caused the error, improved error messages, and so on
Python 3.11 can be installed in parallel with Python 3.9, Python 3.8, and Python 3.6. Note that, unlike the previous versions, Python 3.11 is distributed as standard RPM packages instead of a module.
To install packages from the python3.11 stack, type:
sudo dnf install python3.11
sudo dnf install python3.11-pip
To run the interpreter, type:
python3.11
python3.11 -m pip --help
git Updated to Version 2.39.1
- The logging function accepts a specification of a description of the output by using the git log --format=%(describe) command syntax.
- Options are added to the commit operation:
  - --fixup <commit> fixes the content of the commit without changing the log message.
  - --fixup=amend:<commit> changes both the message and the content.
  - --fixup=reword:<commit> updates only the commit message.
- Cloning accepts the new --reject-shallow option to disable cloning from a shallow repository.
- Branching accepts the new --recurse-submodules option.
- The git merge-tree command can be used to test whether two branches can merge or to compute a tree that results from a merge commit that merges the branches.
- The new safe.bareRepository configuration variable can filter out bare repositories.
git-lfs Updated to Version 3.2.0
Some notable features of the updated Git Large File Storage include the following:
- Introduction of a pure SSH-based transport protocol
- Provision of a merge driver
- The git lfs fsck command also checks that pointers are canonical and that expected LFS files have the correct format
- Removal of support for the NT LAN Manager (NTLM) authentication protocol, which is replaced by Kerberos or Basic authentication
New nginx Module Stream
The nginx 1.22 web and proxy server is available as the
nginx:1.22 module stream and contains new features such as the
following:
- Support for OpenSSL 3.0 and the SSL_sendfile() function, the PCRE2 library, and POP3 and IMAP pipelining in the mail proxy module.
- Passes the Auth-SSL-Protocol and Auth-SSL-Cipher header lines to the mail proxy authentication server.
- Multiple enhanced directives.
- Better error handling capabilities.
- Uses Application Layer Protocol Negotiation (ALPN) for HTTP/2 connections and no longer supports the Next Protocol Negotiation (NPN) protocol.
To install the nginx:1.22 stream, type:
sudo dnf install nginx:1.22
mod_security Updated to 2.9.6
This updated mod_security module for the Apache HTTP Server includes
adjusted parser activation rules in the modsecurity.conf-recommended file
as well as enhancements to the way the module parses HTTP multipart requests. The module
also includes the following additions:
- New MULTIPART_PART_HEADERS collection.
- Microsecond timestamp resolution in the formatted log timestamp.
- Missing Geo countries.
postgresql:15 Module Stream Added
PostgreSQL version 15 is made available as the postgresql:15 module
stream. PostgreSQL 15 includes several new features and enhancements over version 13. See
https://www.postgresql.org/docs/release/15.0/ for more information.
Module stream life cycle information is available in Oracle Linux: Product Life Cycle Information.
New Tomcat Package Introduced
The current Oracle Linux release includes the Apache Tomcat server version 9. Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. Tomcat is developed in an open and participatory environment and released under the Apache Software License version 2.0.
nodejs:18 Updated to Version 18.14 With npm Updated to Version 9
The updated Node.js 18.14 includes a SemVer major upgrade of
npm from version 8 to version 9. In this update, support for unscoped
authentication configurations is removed to improve security. This update might require
adjustments to the current npm configuration.
If you use unscoped authentication tokens, generate and supply registry-scoped tokens in
the .npmrc file. If the .npmrc file contains lines that
use _auth, for example, //registry.npmjs.org/:_auth,
replace these lines with //registry.npmjs.org/:_authToken=${NPM_TOKEN}.
Then apply the scoped token that is generated.
High Availability and Clusters
Pacemaker Can Run the validate-all Action for Resource and STONITH Agents
Use the --agent-validation command option when creating or
updating a resource or a STONITH device so that pcs also runs the agent's validate-all
action, in addition to the validation that pcs performs based on the agent's metadata.
Infrastructure Services
synce4l Package for Frequency Synchronization Added
The synce4l package manages devices that support SyncE (Synchronous
Ethernet), a hardware feature that helps PTP clocks achieve precise synchronization of
frequency at the physical layer. SyncE is available in certain network interface cards
(NICs) and network switches and helps Telco Radio Access Network (RAN) applications
achieve accurate time synchronization for better communication efficiency. See https://github.com/intel/synce4l for more information.
powertop Updated to Version 2.15
The updated powertop package includes the following features and
changes:
- General fixes and stability improvements
- Improved compatibility with Ryzen processors and Kaby Lake platforms
- Enabled Lake Field, Alder Lake N, and Raptor Lake platform functionality
- Enabled Ice Lake NNPI and Meteor Lake mobile and desktop functionality
tuned Updated to Version 2.20.0
The updated tuned package includes the following features and changes:
- API update to facilitate moving devices between plugin instances at runtime.
- Updates to the plugin_cpu module:
  - The pm_qos_resume_latency_us feature limits the maximum time permitted for each CPU to transition from an idle state to an active state.
  - The intel_pstate scaling driver provides scaling algorithms to tune power management for a system based on usage scenarios.
- Addition of a socket API to control TuneD through a UNIX domain socket, available as a technology preview.
samba Updated to Version 4.17.5
The updated samba packages include the following features and changes:
- Improvements in performance around security for the Server Message Block (SMB) server when working with high metadata workloads.
- Addition of a --json option to the smbstatus command to display status information in JSON format.
- Addition of samba.smb.conf and samba.samba3.smb.conf modules to the smbconf Python API to facilitate reading and writing the Samba configuration directly from Python programs.
The Server Message Block version 1 (SMB1) protocol is deprecated in Samba 4.11 and later and might be removed in a future release. Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba automatically updates its tdb database files. Downgrading tdb database files isn't supported. After updating Samba, use the testparm utility to verify the /etc/samba/smb.conf file.
Networking
NetworkManager Updated to Version 1.40.16
The updated version includes the following features:
- Correctly calculates expiration times for items configured from IPv6 neighbor discovery messages.
- Automatically updates the /etc/resolv.conf file when the configuration changes.
- Rejects DHCPv6 leases if all addresses fail IPv6 duplicate address detection (DAD).
- Resolves the system hostname on interfaces from DNS only after the interfaces are connected.
- No longer sets nonexistent interfaces as primary when activating a bond.
The following changes are also implemented:
- The --print-config subcommand no longer prints duplicate entries.
- The nm-cloud-setup utility preserves externally added addresses.
- Setting a primary interface in a bond now always works, even if the interface doesn't exist when you activate the bond.
- The ifcfg-rh plugin can now read InfiniBand P-Key connection profiles without an explicit interface name.
- The nmcli utility can now remove a bond port connection profile from a bond.
- A race condition was fixed that could occur during the activation of veth profiles if the peer already existed.
- Profiles created by the nm-initrd-generator utility now have a lower-than-default priority.
- A race condition was fixed that prevented the automatic activation of MACsec connections at boot.
nm-initrd-generator Profiles Have Lower Priority Than Autoconnect Profiles
NetworkManager's configuration generator utility creates connection profiles that have
lower priority than that of autoconnect connection profiles. Consequently, generated network
profiles can coexist with user configuration in the default root
account.
nispor Updated to Version 1.2.10
The updated nispor packages include the following enhancements and bug
fixes:
- NetStateFilter can use the kernel filter on network routes and interfaces.
- Single Root Input and Output Virtualization (SR-IOV) interfaces can query SR-IOV Virtual Function (VF) information per VF.
- Additional bonding options, namely, lacp_active, arp_missed_max, and ns_ip6_target.
Security
fapolicyd Provides Filtering of the RPM Database
The list of RPM-database files that fapolicyd stores in the trust database
can be customized by editing a new /etc/fapolicyd/rpm-filter.conf
configuration file. By using this feature, you can override the default configuration filter
to specify which applications installed by RPM are permitted or excluded.
Libreswan Updated to Version 4.9
The following features were added:
- {left,right}pubkey= to addconn and whack
- KDF self-tests to Crypto
- Updated syscall allow-list in seccomp
- Support of show host's authentication key (showhostkey) for ECDSA pubkeys and for printing PEM-encoded public keys through the --pem option
- New functionality for the Internet Key Exchange Protocol Version 2 (IKEv2) and the pluto IKE daemon
Changes and Updates to SELinux
Updates include confining udftools and introducing an SELinux policy for
systemd-socket-proxyd with rules for the service to run in its own SELinux
domain.
OpenSCAP Updated to Version 1.3.7
The updated OpenSCAP packages include the following features and changes:
- Fixed an error when processing OVAL filters.
- OpenSCAP no longer generates invalid empty xmlfilecontent items if an XPath doesn't match.
- Removed "Failed to check available memory" errors.
OpenSSL Driver Can Use Certificate Chains in Rsyslog
With this update, the OpenSSL library can validate multiple CA files that you might
specify. Consequently, you can use certificate chains in Rsyslog with the
OpenSSL driver.
FIPS Mode Better Conforms to FIPS 140-3
The FIPS mode settings in the RHCK kernel have been adjusted to conform to the Federal Information Processing Standard (FIPS) 140-3. This change introduces stricter settings to many cryptographic algorithms, functions, and cipher suites such as the following:
- The Triple Data Encryption Standard (3DES), Elliptic-curve Diffie-Hellman (ECDH), and Finite-Field Diffie-Hellman (FFDH) algorithms are disabled. This change affects Bluetooth, DH-related operations in the kernel keyring, and Intel QuickAssist Technology (QAT) cryptographic accelerators.
- The hash-based message authentication code (HMAC) key can no longer be shorter than 112 bits. The minimum key length is set to 2048 bits for Rivest-Shamir-Adleman (RSA) algorithms.
- Drivers that used the xts_check_key() function have been updated to use the xts_verify_key() function instead.
- The following Deterministic Random Bit Generator (DRBG) hash functions are disabled: SHA-224, SHA-384, SHA512-224, SHA512-256, SHA3-224, and SHA3-384.
SELinux Confines udftools
With updated selinux-policy packages, SELinux confines
udftools services.
Compatibility Between scap-security-guide Rules and RainerScript logs
Rules in scap-security-guide are now compatible with the RainerScript
syntax. Therefore, scap-security-guide rules can check and remediate
ownership, group ownership, and permissions of Rsyslog log files in both available syntaxes.
SCAP Security Guide Updated to Version 0.1.66
The SCAP Security Guide (SSG) packages are updated to the upstream version 0.1.66 and provide enhancements and bug fixes such as the following:
- Oracle Linux 8 stig and stig_gui profiles are aligned with DISA STIG for Oracle Linux 8 V1r6.
- The account_passwords_pam_faillock_audit rule is deprecated in favor of accounts_passwords_pam_faillock_audit.
- The accounts_user_dot_no_world_writable_programs rule is updated to look for initialization files in the users' home directories only and to prevent the search for world-writable files from descending into other file systems.
- A new OVAL macro is introduced to consistently identify interactive users.
- Remediation of sebool_secure_mode_insmod is fixed; it was preventing system boot when the anssi-high profile is applied.
opencryptoki Updated to 3.19.0
The updated package version provides notable features such as the following:
- Dual-function cryptographic functions
- New C_SessionCancel function cancels active session-based operations, as described in the PKCS #11 Cryptographic Token Interface Base Specification v3.0
Containers
The following features, enhancements, and changes related to container tools are introduced in this Oracle Linux 8 release.
Updated container-tools Package
The container-tools package is updated for Podman v4.4. The package
contains the Podman, Buildah, Skopeo, crun and runc tools.
The updates have the following features and changes:
- Information about a container can be audited directly from a journald entry in Podman v4.4 and later. To enable Podman auditing, modify the containers.conf file and add the events_container_create_inspect_data=true option to the [engine] section. The audit data is in JSON format, equivalent to the output of the podman container inspect command.
- The podman network update command is added to update networks for containers and pods.
- The podman buildx version command is added to display the Buildah version.
- Container startup health checks are available to trigger a command to check that the container is fully started before the regular health check is activated.
- New Docker compatibility options and aliases are included.
- Improved Kubernetes integration by consolidating kube commands: the podman kube generate and podman kube play commands replace the podman generate kube and podman play kube commands.
- The following features are added to pods that are created by the podman kube play command and managed by systemd:
  - The pods can integrate with sd-notify through the io.containers.sdnotify annotation or, for specific containers, the io.containers.sdnotify/$name annotation.
  - The pods can be auto-updated through the io.containers.auto-update annotation or, for specific containers, the io.containers.auto-update/$name annotation.
Custom DNS Server Selection Is Available for Aardvark and Netavark
Custom DNS server selection for containers using the Aardvark and Netavark network stack is
available. Containers are able to use custom DNS servers instead of the default DNS
servers on the host. To enable a custom DNS server, either add the
dns_servers field in the containers.conf configuration
file or use the new --dns option to specify the IP address of the DNS
server when running the podman command. The --dns
option overrides any values that are set in the containers.conf file.
Generate Sigstore Key Pairs With Skopeo
Skopeo can generate sigstore key pairs through the skopeo
generate-sigstore-key command. For more information, see the
skopeo-generate-sigstore-key manual page.
Toolbox Utility Is Available
Use the toolbox utility to access the container command line environment without installing additional troubleshooting tools directly on the system. Toolbox uses Podman and other standard container technologies from the Open Container Initiative. For more information, see toolbx.
sigstore Signatures Available
Beginning with Podman 4.2, you can use the sigstore format of container
image signatures. These signatures are stored in the container registry together with the
container image instead of in a separate signature server for storing image signatures.
Podman Supports Pre-execution Hooks
Podman can be configured with pre-execution hooks that can be used to control container
operations by creating plugin scripts in /usr/libexec/podman/pre-exec-hooks
or /etc/containers/pre-exec-hooks. Pre-execution scripts are only run if a
file named /etc/containers/podman_preexec_hooks.txt exists. If all plugin
scripts return a zero value, the podman command is run; otherwise, the
podman command exits with the exit code returned by the script that
failed.