ELBA-2023-6737

ELBA-2023-6737 - ipa bug fix update

Type: BUG
Severity: NA
Release Date: 2023-11-20

Description


[4.10.2-4.0.1.1]
- Resolves: RHEL-12373 ACIs are missing for RBCD self-management
- Set IPAPLATFORM=rhel when building on Oracle Linux [Orabug: 29516674]

[4.10.2-4]
- Resolves: rhbz#2231847 RHEL 8.8 & 9.2 fails to create AD trust with STIG applied
- Resolves: rhbz#2232056 Include latest test fixes in python3-ipatests

[4.10.2-3]
- Resolves: rhbz#2229712 Delete operation protection for admin user
- Resolves: rhbz#2227831 Interrupt request processing in ipadb_fill_info3() if connection to 389ds is lost
- Resolves: rhbz#2227784 libipa_otp_lasttoken plugin memory leak
- Resolves: rhbz#2224570 Improved error messages are needed when attempting to add a non-existing idp to a user
- Resolves: rhbz#2230251 Backport latest test fixes to python3-ipatests

[4.10.2-2]
- Resolves: rhbz#2192969 Better handling of the command line and web UI cert search and/or list features
- Resolves: rhbz#2214933 Uninstalling of the IPA server is encountering a failure during the unconfiguration of the CA (Unconfiguring CA)
- Resolves: rhbz#2216114 After updating the RHEL from 8.7 to 8.8, IPA services fails to start
- Resolves: rhbz#2216549 Upgrade to 4.9.10-6.0.1 fails: attributes are managed by topology plugin
- Resolves: rhbz#2216611 Backport latest test fixes in python3-ipatests
- Resolves: rhbz#2216872 User authentication failing on OTP validation using multiple tokens, succeeds with password only

[4.10.2-1]
- Resolves: rhbz#2196426 [Rebase] Rebase ipa to latest 4.10.x release for RHEL 9.3
- Resolves: rhbz#2192969 Better handling of the command line and web UI cert search and/or list features
- Resolves: rhbz#2192625 Better catch of the IPA web UI event 'IPA Error 4301:CertificateOperationError', and IPA httpd error CertificateOperationError
- Resolves: rhbz#2188567 IPA client Kerberos configuration incompatible with java
- Resolves: rhbz#2182683 Tolerate absence of PAC ticket signature depending of domain and servers capabilities [rhel-9]
- Resolves: rhbz#2180914 Sequence processing failures for group_add using server context
- Resolves: rhbz#2165880 Add RBCD support to IPA
- Resolves: rhbz#2160399 get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct

[4.10.1-6]
- Resolves: rhbz#2169632 Backport latest test fixes in python3-ipatests

[4.10.1-5]
- Resolves: rhbz#2162656 Passwordless (GSSAPI) SSH not working for subdomain
- Resolves: rhbz#2166326 Removing the last DNS type for ipa-ca does not work
- Resolves: rhbz#2167473 RFE - Add a warning note about possible performance impact of the Auto Member rebuild task
- Resolves: rhbz#2168244 requestsearchtimelimit=0 doesn't seem to work with ipa-acme-manage pruning command

[4.10.1-4]
- Resolves: rhbz#2161284 'ERROR Could not remove /tmp/tmpbkw6hawo.ipabkp' can be seen prior to 'ipa-client-install' command was successful
- Resolves: rhbz#2164403 ipa-trust-add with --range-type=ipa-ad-trust-posix fails while creating an ID range
- Resolves: rhbz#2162677 RFE: Implement support for PKI certificate and request pruning
- Resolves: rhbz#2167312 - Backport latest test fixes in python3-ipatests

[4.10.1-3]
- Rebuild against krb5 1.20.1 ABI
- Resolves: rhbz#2155425

[4.10.1-2]
- Resolves: rhbz#2148887 MemberManager with groups fails
- Resolves: rhbz#2150335 idm:client is missing dependency on krb5-pkinit

[4.10.1-1]
- Resolves: rhbz#2141315 [Rebase] Rebase ipa to latest 4.10.x release for RHEL 9.2
- Resolves: rhbz#2094673 ipa-client-install should just use system wide CA store and do not specify TLS_CACERT in ldap.conf
- Resolves: rhbz#2117167 After leapp upgrade on ipa-client ipa-server package installation failed. (REQ_FULL_WITH_MEMBERS returns object from wrong domain)
- Resolves: rhbz#2127833 Password Policy Grace login limit allows invalid maximum value
- Resolves: rhbz#2143224 [RFE] add certificate support to ipa-client instead of one time password
- Resolves: rhbz#2144736 vault interoperability with older RHEL systems is broken
- Resolves: rhbz#2148258 ipa-client-install does not maintain server affinity during installation
- Resolves: rhbz#2148379 Add warning for empty targetattr when creating ACI with RBAC
- Resolves: rhbz#2148380 OTP token sync always returns OK even with random numbers
- Resolves: rhbz#2148381 Deprecated feature idnssoaserial in IdM appears when creating reverse dns zones
- Resolves: rhbz#2148382 Introduction of URI records for kerberos breaks location functionality

[4.10.0-7]
- Resolves: rhbz#2124547 Attempt to log in as 'root' user with admin's password in Web UI does not properly fail
- Resolves: rhbz#2137555 Attempt to log in as 'root' user with admin's password in Web UI does not properly fail [rhel-9.1.0.z]

[4.10.0-6]
- Resolves: rhbz#2110014 ldap bind occurs when admin user changes password with gracelimit=0
- Resolves: rhbz#2112901 RFE: Allow grace login limit to be set in IPA WebUI
- Resolves: rhbz#2115495 group password policy by default does not allow grace logins
- Resolves: rhbz#2116966 ipa-replica-manage displays traceback: Unexpected error: 'bool' object has no attribute 'lower'

[4.10.0-5]
- Resolves: rhbz#2109645
- Rebuild for samba-4.16.3-101.el9

[4.10.0-4]
- Resolves: rhbz#2109645
- Rebuild for samba-4.16.3-100.el9

[4.10.0-3]
- Resolves: rhbz#2105294 IdM WebUI Pagination Size should not allow empty value

[4.10.0-2]
- Resolves: rhbz#2091988 [RFE] Add code to check password expiration on ldap bind

[4.10.0-1]
- Resolves: rhbz#747959 [RFE] Support random serial numbers in IPA certificates
- Resolves: rhbz#2100227 [UX] Preserving a user account produces output saying it was deleted

[4.9.10-1]
- Resolves: rhbz#2079469 [Rebase] Rebase ipa to latest 4.9.x release
- Resolves: rhbz#2012911 named journalctl logs shows 'zone testrealm.test/IN: serial (serialnumber) write back to LDAP failed.'
- Resolves: rhbz#2069202 [RFE] add support for authenticating against external IdP services using OAUTH2 preauthentication mechanism provided by SSSD
- Resolves: rhbz#2083218 ipa-dnskeysyncd floods /var/log/messages with DEBUG messages
- Resolves: rhbz#2089750 RFE: Improve error message with more detail for ipa-replica-install command
- Resolves: rhbz#2091988 [RFE] Add code to check password expiration on ldap bind
- Resolves: rhbz#2094400 [RFE] ipa-client-install should provide option to enable subid: sss in /etc/nsswitch.conf
- Resolves: rhbz#2096922 secret in ipa-pki-proxy.conf is not changed if new requiredSecret value is present in /etc/pki/pki-tomcat/server.xml

[4.9.8-8]
- Resolves: rhbz#2067971 Consequences of FIPS crypto policy tightening in RHEL 9
- tests: ensure AD-SUPPORT subpolicy is active in more cases
- ipatests: fix check for AD topology being present

[4.9.8-7]
- Resolves: rhbz#2067971 Consequences of FIPS crypto policy tightening in RHEL 9
- KRB instance: make provision to work with crypto policy without SHA-1 HMAC types
- tests: ensure AD-SUPPORT subpolicy is active
- ipatests: extend AES keyset to SHA2-based ones
- freeipa.spec: bump crypto-policies dependency for CentOS 9 Stream
- Kerberos instance: default to AES256-SHA2 for master key encryption
- test_otp: do not use paramiko unless it is really needed
- test_krbtpolicy: skip SPAKE-related tests in FIPS mode
- Support AES for KRA archival wrapping
- Set AES as default for KRA archival wrapping

[4.9.8-6]
- Resolves: rhbz#2057467 Backport latest test fixes in python3-ipatests
- ipatests: Tests for Autoprivate group.
- mark xfail for test_idoverride_with_auto_private_group[hybrid]
- Mark xfail test_gidnumber_not_corresponding_existing_group[true,hybrid]

[4.9.8-5]
- Resolves: rhbz#2053025
- add IPA test suite fixes

[4.9.8-4]
- Resolves: rhbz#2053586 IPA LDAP plugin ipa-cldap memory leak
- fix memory leak in CLDAP responder

[4.9.8-3]
- Resolves: rhbz#2050540 Unable to join RHEL 8.5 Replica to RHEL 7.9 Master for migration purposes
- Don't always override the port in import_included_profiles
- Resolves: rhbz#2051582 Enable ipa-ccache-sweep.timer during server installation
- Test ipa-ccache-sweep.timer enabled by default during installation
- Enable the ccache sweep timer during installation
- Resolves: rhbz#2051844 ipa-join tests are failing due to changes in expected output
- Remove ipa-join errors from behind the debug option

[4.9.8-2]
- Resolves: rhbz#2040619 - Changing default pac type to 'nfs:NONE and MS-PAC' does not display error 'ipa: ERROR: no modifications to be performed'
- Config plugin: return EmptyModlist when no change is applied
- config plugin: add a test ensuring EmptyModlist is returned
- Resolves: rhbz#2048510 - [rhel-9.0] Backport latest test fixes in python3-ipatests
- ipatests: webui: Tests for subordinate ids.
- ipatests: webui: Use safe-loader for loading YAML configuration file
- ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica teardown
- Test cases for ipa-replica-conncheck command
- PEP8 Fixes
- ipatests: Test empty cert request doesn't force certmonger to segfault
- ipatests: Test default value of nsslapd-sizelimit.
- Extend test to see if replica is not shown when running ipa-replica-manage list -v
- Added test automation for SHA384withRSA CSR support
- Resolves: rhbz#2049104 - User can't log in after ipa-user-mod --user-auth-type=hardened
- ipa-kdb: do not remove keys for hardened auth-enabled users
- ipatests: add case for hardened-only ticket policy
- Resolves: rhbz#2049174 - KRA GetStatus service blocked by IPA proxy
- ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus

[4.9.8-1]
- Resolves: rhbz#2015608 - [Rebase] Rebase ipa to latest 4.9.x release RHEL9
- Resolves: rhbz#1825010 - Concerns regarding 'ipa pwpolicy-mod --minlife 24 --maxlife 1'
- Resolves: rhbz#1966289 - Info about searchrecordslimit set search limit to 10,000 after upgrade
- Resolves: rhbz#1980356 - reinstalling samba client causes winbindd coredump
- Resolves: rhbz#1986054 - fix automountlocation-tofiles output
- Resolves: rhbz#2020205 - Missing bind-pkcs11-utils causing failures in OpenDNSSec
- Resolves: rhbz#2021445 - CVE-2020-25719 ipa: samba: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets
- ipa-kdb: issue PAC_REQUESTER_SID only for TGTs
- ipa-kdb: fix requester SID check according to MS-KILE and MS-SFU updates




Updated Packages


| Release/Architecture | Filename | MD5sum | Superseded By Advisory | Channel Label |
|---|---|---|---|---|
| Oracle Linux 9 (aarch64) | ipa-4.10.2-4.0.1.el9_3.1.src.rpm | 4f1ea7f26d75bdaa09d3161c5774aa9e | - | ol9_aarch64_appstream |
| | ipa-4.10.2-4.0.1.el9_3.1.src.rpm | 4f1ea7f26d75bdaa09d3161c5774aa9e | - | ol9_aarch64_codeready_builder |
| | ipa-client-4.10.2-4.0.1.el9_3.1.aarch64.rpm | d7f62aca5fd9ef6fb33d1c922b9e925f | - | ol9_aarch64_appstream |
| | ipa-client-common-4.10.2-4.0.1.el9_3.1.noarch.rpm | 7fe79938df737f548d415132bbbf07be | - | ol9_aarch64_appstream |
| | ipa-client-epn-4.10.2-4.0.1.el9_3.1.aarch64.rpm | 591bbce17c4036e3b7fb403a6d887911 | - | ol9_aarch64_appstream |
| | ipa-client-samba-4.10.2-4.0.1.el9_3.1.aarch64.rpm | 9824fc82ccf4318864d250f4c5b2fc88 | - | ol9_aarch64_appstream |
| | ipa-common-4.10.2-4.0.1.el9_3.1.noarch.rpm | 1debc100b799c63c182e3d269fd98cb0 | - | ol9_aarch64_appstream |
| | ipa-selinux-4.10.2-4.0.1.el9_3.1.noarch.rpm | 37a443830b8809cee5e6a874b28e9d80 | - | ol9_aarch64_appstream |
| | ipa-server-4.10.2-4.0.1.el9_3.1.aarch64.rpm | 021b9800d466de5992f8fa095088e121 | - | ol9_aarch64_appstream |
| | ipa-server-common-4.10.2-4.0.1.el9_3.1.noarch.rpm | ea1c157274d97ef8752eeefb068a984b | - | ol9_aarch64_appstream |
| | ipa-server-dns-4.10.2-4.0.1.el9_3.1.noarch.rpm | 819d7a672a9521f747a72f8a8c7dda8b | - | ol9_aarch64_appstream |
| | ipa-server-trust-ad-4.10.2-4.0.1.el9_3.1.aarch64.rpm | 761e6baca797f3cc78b7b3a3adaf9578 | - | ol9_aarch64_appstream |
| | python3-ipaclient-4.10.2-4.0.1.el9_3.1.noarch.rpm | 58ef3056252d40dbdfbb0eacc666b38e | - | ol9_aarch64_appstream |
| | python3-ipalib-4.10.2-4.0.1.el9_3.1.noarch.rpm | 0497c98f465be63b3d6a12c65291db2f | - | ol9_aarch64_appstream |
| | python3-ipaserver-4.10.2-4.0.1.el9_3.1.noarch.rpm | 7c0f82aa198a77376ed4b1d9fca6fc40 | - | ol9_aarch64_appstream |
| | python3-ipatests-4.10.2-4.0.1.el9_3.1.noarch.rpm | 0f32c8752fbef87864219414f72fa7b8 | - | ol9_aarch64_codeready_builder |
| Oracle Linux 9 (x86_64) | ipa-4.10.2-4.0.1.el9_3.1.src.rpm | 4f1ea7f26d75bdaa09d3161c5774aa9e | - | ol9_x86_64_appstream |
| | ipa-4.10.2-4.0.1.el9_3.1.src.rpm | 4f1ea7f26d75bdaa09d3161c5774aa9e | - | ol9_x86_64_codeready_builder |
| | ipa-client-4.10.2-4.0.1.el9_3.1.x86_64.rpm | d3780e5a3a5ac2e7bce55bed0a0ad952 | - | ol9_x86_64_appstream |
| | ipa-client-common-4.10.2-4.0.1.el9_3.1.noarch.rpm | 7fe79938df737f548d415132bbbf07be | - | ol9_x86_64_appstream |
| | ipa-client-epn-4.10.2-4.0.1.el9_3.1.x86_64.rpm | e230eabe804f62bbc2702812e1b7ecb4 | - | ol9_x86_64_appstream |
| | ipa-client-samba-4.10.2-4.0.1.el9_3.1.x86_64.rpm | 48b69c996cfc50d0f739534a7e35db1a | - | ol9_x86_64_appstream |
| | ipa-common-4.10.2-4.0.1.el9_3.1.noarch.rpm | 1debc100b799c63c182e3d269fd98cb0 | - | ol9_x86_64_appstream |
| | ipa-selinux-4.10.2-4.0.1.el9_3.1.noarch.rpm | 37a443830b8809cee5e6a874b28e9d80 | - | ol9_x86_64_appstream |
| | ipa-server-4.10.2-4.0.1.el9_3.1.x86_64.rpm | 6e0b8c3e7750eef0019a7bf0b6fbb91c | - | ol9_x86_64_appstream |
| | ipa-server-common-4.10.2-4.0.1.el9_3.1.noarch.rpm | ea1c157274d97ef8752eeefb068a984b | - | ol9_x86_64_appstream |
| | ipa-server-dns-4.10.2-4.0.1.el9_3.1.noarch.rpm | 819d7a672a9521f747a72f8a8c7dda8b | - | ol9_x86_64_appstream |
| | ipa-server-trust-ad-4.10.2-4.0.1.el9_3.1.x86_64.rpm | 367698044decef8195e23c892ebe9b89 | - | ol9_x86_64_appstream |
| | python3-ipaclient-4.10.2-4.0.1.el9_3.1.noarch.rpm | 58ef3056252d40dbdfbb0eacc666b38e | - | ol9_x86_64_appstream |
| | python3-ipalib-4.10.2-4.0.1.el9_3.1.noarch.rpm | 0497c98f465be63b3d6a12c65291db2f | - | ol9_x86_64_appstream |
| | python3-ipaserver-4.10.2-4.0.1.el9_3.1.noarch.rpm | 7c0f82aa198a77376ed4b1d9fca6fc40 | - | ol9_x86_64_appstream |
| | python3-ipatests-4.10.2-4.0.1.el9_3.1.noarch.rpm | 0f32c8752fbef87864219414f72fa7b8 | - | ol9_x86_64_codeready_builder |



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections, please contact the Oracle Linux ULN team.
