ELBA-2017-2304
- ULN >
- Oracle Linux Errata repository >
- ELBA-2017-2304
ELBA-2017-2304 - ipa bug fix and enhancement update
| Type: | BUG |
| Impact: | NA |
| Release Date: | 2017-08-08 |
Description
ipa
[4.5.0-20.0.1]
- Blank out header-logo.png product-name.png
Replace login-screen-logo.png [20362818]
[4.5.0-20.el7]
- Resolves: #1452216 Replica installation grants HTTP principal
access in WebUI
- Make sure we check ccaches in all rpcserver paths
[4.5.0-19.el7]
- Resolves: #1462112 ipaserver installation fails in FIPS mode: OpenSSL
internal error, assertion failed: Digest MD4 forbidden in FIPS mode!
- ipa-sam: replace encode_nt_key() with E_md4hash()
- ipa_pwd_extop: do not generate NT hashes in FIPS mode
- Resolves: #1377973 ipa-server-install fails when the provided or resolved
IP address is not found on local interfaces
- Fix local IP address validation
- ipa-dns-install: remove check for local ip address
- refactor CheckedIPAddress class
- CheckedIPAddress: remove match_local param
- Remove ip_netmask from option parser
- replica install: add missing check for non-local IP address
- Remove network and broadcast address warnings
[4.5.0-18.el7]
- Resolves: #1449189 ipa-kra-install timeouts on replica
- kra: promote: Get ticket before calling custodia
[4.5.0-17.el7]
- Resolve: #1455946 Provide a tooling automating the configuration
of Smart Card authentication on a FreeIPA master
- server certinstall: update KDC master entry
- pkinit manage: introduce ipa-pkinit-manage
- server upgrade: do not enable PKINIT by default
- Extend the advice printing code by some useful abstractions
- Prepare advise plugin for smart card auth configuration
- Resolve: #1461053 allow to modify list of UPNs of a trusted forest
- trust-mod: allow modifying list of UPNs of a trusted forest
- WebUI: add support for changing trust UPN suffixes
[4.5.0-16.el7]
- Resolves: #1377973 ipa-server-install fails when the provided or resolved
IP address is not found on local interfaces
- Only warn when specified server IP addresses don't match intf
- Resolves: #1438016 gssapi errors after IPA server upgrade
- Bump version of python-gssapi
- Resolves: #1457942 certauth: use canonical principal for lookups
- ipa-kdb: use canonical principal in certauth plugin
- Resolves: #1459153 Do not send Max-Age in ipa_session cookie to avoid
breaking older clients
- Add code to be able to set default kinit lifetime
- Revert setting sessionMaxAge for old clients
[4.5.0-15.el7]
- Resolves: #1442233 IPA client commands fail when pointing to replica
- httpinstance: wait until the service entry is replicated
- Resolves: #1456769 ipaAnchorUUID index incorrectly configured and then
not indexed
- Fix index definition for ipaAnchorUUID
- Resolves: #1438016 gssapi errors after IPA server upgrade
- Avoid possible endless recursion in RPC call
- rpc: preparations for recursion fix
- rpc: avoid possible recursion in create_connection
- Resolves: #1446087 services entries missing krbCanonicalName attribute.
- Changing cert-find to do not use only primary key to search in LDAP.
- Resolves: #1452763 ipa certmaprule change not reflected in krb5kdc workers
- ipa-kdb: reload certificate mapping rules periodically
- Resolves: #1455541 after upgrade login from web ui breaks
- kdc.key should not be visible to all
- Resolves: #1435606 Add pkinit_indicator option to KDC configuration
- ipa-kdb: add pkinit authentication indicator in case of a successful
certauth
- Resolves: #1455945 Enabling OCSP checks in mod_nss breaks certificate
issuance when ipa-ca records are not resolvable
- Turn off OCSP check
- Resolves: #1454483 rhel73 ipa ui - cannot del server - IPA Error 903 -
server_del - TypeError: 'NoneType' object is not iterable
- fix incorrect suffix handling in topology checks
[4.5.0-14.el7]
- Resolves: #1438731 Extend ipa-server-certinstall and ipa-certupdate to
handle PKINIT certificates/anchors
- certdb: add named trust flag constants
- certdb, certs: make trust flags argument mandatory
- certdb: use custom object for trust flags
- install: trust IPA CA for PKINIT
- client install: fix client PKINIT configuration
- install: introduce generic Kerberos Augeas lens
- server install: fix KDC PKINIT configuration
- ipapython.ipautil.run: Add option to set umask before executing command
- certs: do not export keys world-readable in install_key_from_p12
- certs: do not export CA certs in install_pem_from_p12
- server install: fix KDC certificate validation in CA-less
- replica install: respect --pkinit-cert-file
- cacert manage: support PKINIT
- server certinstall: support PKINIT
- Resolves: #1444432 CA-less pkinit not installable with --pkinit-cert-file
option
- certs: do not export CA certs in install_pem_from_p12
- server install: fix KDC certificate validation in CA-less
- Resolves: #1451228 ipa-kra-install fails when primary KRA server has been
decommissioned
- ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname
- Resolves: #1451712 KRA installation fails on server that was originally
installed as CA-less
- ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt
- Resolves: #1441499 ipa cert-show does not raise error if no file name
specified
- ca/cert-show: check certificate_out in options
- Resolves: #1449522 Deprecate command in FreeIPA 4.5+
- Remove pkinit-anonymous command
- Resolves: #1449523 Provide an API command to retrieve PKINIT status
in the FreeIPA topology
- Allow for multivalued server attributes
- Refactor the role/attribute member reporting code
- Add an attribute reporting client PKINIT-capable servers
- Add the list of PKINIT servers as a virtual attribute to global config
- Add command
- test_serverroles: Get rid of MockLDAP and use ldap2 instead
- Resolves: #1452216 Replica installation grants HTTP principal access in WebUI
- Fix rare race condition with missing ccache file
- Resolves: #1455045 Simple service uninstallers must be able to handle
missing service files gracefully
- only stop/disable simple service if it is installed
- Resolves: #1455541 after upgrade login from web ui breaks
- krb5: make sure KDC certificate is readable
- Resolves: #1455862 'ipa: ERROR: an internal error has occurred' on executing
command 'ipa cert-request --add' after upgrade
- Change python-cryptography to python2-cryptography
[4.5.0-13.el7]
- Resolves: #1451804 'AttributeError: 'tuple' object has no attribute 'append''
error observed during ipa upgrade with latest package.
- ipa-server-install: fix uninstall
- Resolves: #1445390 ipa-[ca|kra]-install with invalid DM password break
replica
- ca install: merge duplicated code for DM password
- installutils: add DM password validator
- ca, kra install: validate DM password
[4.5.0-12.el7]
- Resolves: #1447284 Upgrade from ipa-4.1 fails when enabling KDC proxy
- python2-ipalib: add missing python dependency
- installer service: fix typo in service entry
- upgrade: add missing suffix to http instance
- Resolves: #1444791 Update man page of ipa-kra-install
- ipa-kra-install manpage: document domain-level 1
- Resolves: #1441493 ipa cert-show raises stack traces when
--certificate-out=/tmp
- cert-show: writable files does not mean dirs
- Resolves: #1441192 Add the name of URL parameter which will be check for
username during cert login
- Bump version of ipa.conf file
- Resolves: #1378797 Web UI must check OCSP and CRL during smartcard login
- Turn on NSSOCSP check in mod_nss conf
- Resolves: #1322963 Errors from AD when trying to sign ipa.csr, conflicting
template on
- renew agent: respect CA renewal master setting
- server upgrade: always fix certmonger tracking request
- cainstance: use correct profile for lightweight CA certificates
- renew agent: allow reusing existing certs
- renew agent: always export CSR on IPA CA certificate renewal
- renew agent: get rid of virtual profiles
- ipa-cacert-manage: add --external-ca-type
- Resolves: #1441593 error adding authenticator indicators to host
- Fixing adding authenticator indicators to host
- Resolves: #1449525 Set directory ownership in spec file
- Added plugins directory to ipaclient subpackages
- ipaclient: fix missing RPM ownership
- Resolves: #1451279 otptoken-add-yubikey KeyError: 'ipatokenotpdigits'
- otptoken-add-yubikey: When --digits not provided use default value
[4.5.0-11.el7]
- Resolves: #1449189 ipa-kra-install timeouts on replica
- ipa-kra-install: fix check_host_keys
[4.5.0-10.el7]
- Resolves: #1438833 [ipa-replica-install] - 406 Client Error: Failed to
validate message: Incorrect number of results (0) searching forpublic key for
host
- Make sure remote hosts have our keys
- Resolves: #1442815 Replica install fails during migration from older IPA
master
- Refresh Dogtag RestClient.ca_host property
- Remove the cachedproperty class
- Resolves: #1444787 Update warning message when KRA installation fails
- kra install: update installation failure message
- Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode
- ipa-server-install with external CA: fix pkinit cert issuance
- Resolves: #1445397 GET in KerberosSession.finalize_kerberos_acquisition()
must use FreeIPA CA
- kerberos session: use CA cert with full cert chain for obtaining cookie
- Resolves: #1447375 ipa-client-install: extra space in pkinit_anchors
definition
- ipa-client-install: remove extra space in pkinit_anchors definition
- Resolves: #1447703 Fix SELinux contex of http.keytab during upgrade
- Use proper SELinux context with http.keytab
[4.5.0-9.el7]
- Resolves: #1200767 [RFE] Allow Kerberos authentication for users with
certificates on smart cards (pkinit)
- spec file: bump krb5 Requires for certauth fixes
- Resolves: #1438729 Configure local PKINIT on DL0 or when '--no-pkinit' option
is used
- separate function to set ipaConfigString values on service entry
- Allow for configuration of all three PKINIT variants when deploying KDC
- API for retrieval of master's PKINIT status and publishing it in LDAP
- Use only anonymous PKINIT to fetch armor ccache
- Stop requesting anonymous keytab and purge all references of it
- Use local anchor when armoring password requests
- Upgrade: configure local/full PKINIT depending on the master status
- Do not test anonymous PKINIT after install/upgrade
- Resolves: #1442427 ipa.ipaserver.install.plugins.adtrust.
update_tdo_gidnumber: ERROR Default SMB Group not found
- upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is
installed
- Resolves: #1442932 ipa restore fails to restore IPA user
- restore: restart/reload gssproxy after restore
- Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode
- Fix CA/server cert validation in FIPS
- Resolves: #1444947 Deadlock between topology and schema-compat plugins
- compat-manage: behave the same for all users
- Move the compat plugin setup at the end of install
- compat: ignore cn=topology,cn=ipa,cn=etc subtree
- Resolves: #1445358 ipa vault-add raises TypeError
- vault: piped input for ipa vault-add fails
- Resolves: #1445382 ipa vault-retrieve fails to retrieve data from vault
- Vault: Explicitly default to 3DES CBC
- Resolves: #1445432 uninstall ipa client automount failed with RuntimeWarning
- automount install: fix checking of SSSD functionality on uninstall
- Resolves: #1446137 pki_client_database_password is shown in
ipaserver-install.log
- Hide PKI Client database password in log file
[4.5.0-8.el7]
- Resolves: #1443869 Command 'openssl pkcs12 ...' failed during IPA upgrade
- Fix CAInstance.import_ra_cert for empty passwords
[4.5.0-7.el7]
- Resolves: #1431520 ipa cert-find runs a large number of searches, so IPA
WebUI is slow to display user details page
- cert: defer cert-find result post-processing
- Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit
helper when installing replica
- server-install: No double Kerberos install
- Resolves: #1437502 ipa-replica-install fails with requirement to
use --force-join that is a client install option.
- Add the force-join option to replica install
- replicainstall: better client install exception handling
- Resolves: #1437953 Server CA-less impossible option check
- server-install: remove broken no-pkinit check
- Resolves: #1441160 FreeIPA client <= 4.4 fail to parse 4.5 cookies
- Add debug log in case cookie retrieval went wrong
- Resolves: #1441548 ipa server install fails with --external-ca option
- ext. CA: correctly write the cert chain
- Resolves: #1441718 Conversion of CA-less server to CA fails on CA instance
spawn
- Fix CA-less to CA-full upgrade
- Resolves: #1442133 Do not link libkrad, liblber, libldap_r and
libsss_nss_idmap to every binary in IPA
- configure: fix AC_CHECK_LIB usage
- Resolves: #1442815 Replica install fails during migration from older IPA
master
- Fix RA cert import during DL0 replication
- Related: #1442004 Building IdM/FreeIPA internally on all architectures -
filtering unsupported packages
- Build all subpackages on all architectures
[4.5.0-6.el7]
- Resolves: #1382053 Need to have validation for idrange names
- idrange-add: properly handle empty --dom-name option
- Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit
helper when installing replica
- dsinstance: reconnect ldap2 after DS is restarted by certmonger
- httpinstance: avoid httpd restart during certificate request
- dsinstance, httpinstance: consolidate certificate request code
- install: request service certs after host keytab is set up
- renew agent: revert to host keytab authentication
- renew agent, restart scripts: connect to LDAP after kinit
- Resolves: #1436987 ipasam: gidNumber attribute is not created in the trusted
domain entry
- ipa-sam: create the gidNumber attribute in the trusted domain entry
- Upgrade: add gidnumber to trusted domain entry
- Resolves: #1438679 [ipa-replica-install] - IncorrectPasswordException:
Incorrect client security database password
- Add pki_pin only when needed
- Resolves: #1438348 Console output message while adding trust should be
mapped with texts changed in Samba.
- ipaserver/dcerpc: unify error processing
- Resolves: #1438366 ipa trust-fetch-domains: ValidationError: invalid
'Credentials': Missing credentials for cross-forest communication
- trust: always use oddjobd helper for fetching trust information
- Resolves: #1441192 Add the name of URL parameter which will be check for
username during cert login
- WebUI: cert login: Configure name of parameter used to pass username
- Resolves: #1437879 [copr] Replica install failing
- Create system users for FreeIPA services during package installation
- Resolves: #1441316 WebUI cert auth fails after ipa-adtrust-install
- Fix s4u2self with adtrust
[4.5.0-5.el7]
- Resolves: #1318186 Misleading error message during external-ca IPA master
install
- httpinstance: make sure NSS database is backed up
- Resolves: #1331443 Re-installing ipa-server after uninstall fails with 'ERROR
CA certificate chain in ... incomplete'
- httpinstance: make sure NSS database is backed up
- Resolves: #1393726 Enumerate all available request type options in ipa
cert-request help
- Hide request_type doc string in cert-request help
- Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping
- spec file: bump libsss_nss_idmap-devel BuildRequires
- server: make sure we test for sss_nss_getlistbycert
- Resolves: #1437378 ipa-adtrust-install produced an error and failed on
starting smb when hostname is not FQDN
- adtrust: make sure that runtime hostname result is consistent with the
configuration
- Resolves: #1437555 ipa-replica-install with DL0 fails to get annonymous
keytab
- Always check and create anonymous principal during KDC install
- Remove duplicate functionality in upgrade
- Resolves: #1437946 Upgrade to FreeIPA 4.5.0 does not configure anonymous
principal for PKINIT
- Upgrade: configure PKINIT after adding anonymous principal
- Remove unused variable from failed anonymous PKINIT handling
- Split out anonymous PKINIT test to a separate method
- Ensure KDC is propery configured after upgrade
- Resolves: #1437951 Remove pkinit-related options from server/replica-install
on DL0
- Fix the order of cert-files check
- Don't allow setting pkinit-related options on DL0
- replica-prepare man: remove pkinit option refs
- Remove redundant option check for cert files
- Resolves: #1438490 CA-less installation fails on publishing CA certificate
- Get correct CA cert nickname in CA-less
- Remove publish_ca_cert() method from NSSDatabase
- Resolves: #1438838 Avoid arch-specific path in /etc/krb5.conf.d/ipa-certmap
- IPA-KDB: use relative path in ipa-certmap config snippet
- Resolves: #1439038 Allow erasing ipaDomainResolutionOrder attribute
- Allow erasing ipaDomainResolutionOrder attribute
[4.5.0-4.el7]
- Resolves: #1434032 Run ipa-custodia with custom SELinux context
- Require correct custodia version
[4.5.0-3.el7]
- Resolves: #800545 [RFE] Support SUDO command rename
- Reworked the renaming mechanism
- Allow renaming of the sudorule objects
- Resolves: #872671 IPA WebUI login for AD Trusted User fails
- WebUI: check principals in lowercase
- WebUI: add method for disabling item in user dropdown menu
- WebUI: Add support for login for AD users
- Resolves: #1200767 [RFE] Allow Kerberos authentication for users with
certificates on smart cards (pkinit)
- ipa-kdb: add ipadb_fetch_principals_with_extra_filter()
- IPA certauth plugin
- ipa-kdb: do not depend on certauth_plugin.h
- spec file: bump krb5-devel BuildRequires for certauth
- Resolves: #1264370 RFE: disable last successful authentication by default in
ipa.
- Set 'KDC:Disable Last Success' by default
- Resolves: #1318186 Misleading error message during external-ca IPA master
install
- certs: do not implicitly create DS pin.txt
- httpinstance: clean up /etc/httpd/alias on uninstall
- Resolves: #1331443 Re-installing ipa-server after uninstall fails with 'ERROR
CA certificate chain in ... incomplete'
- certs: do not implicitly create DS pin.txt
- httpinstance: clean up /etc/httpd/alias on uninstall
- Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication
- configure: fix --disable-server with certauth plugin
- rpcserver.login_x509: Actually return reply from __call__ method
- spec file: Bump requires to make Certificate Login in WebUI work
- Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping
- extdom: do reverse search for domain separator
- extdom: improve cert request
- Resolves: #1430363 [RFE] HBAC rule names command rename
- Reworked the renaming mechanism
- Allow renaming of the HBAC rule objects
- Resolves: #1433082 systemctl daemon-reload needs to be called after
httpd.service.d/ipa.conf is manipulated
- tasks: run after httpd.service.d updates
- Resolves: #1434032 Run ipa-custodia with custom SELinux context
- Use Custodia 0.3.1 features
- Resolves: #1434384 RPC client should use HTTP persistent connection
- Use connection keep-alive
- Add debug logging for keep-alive
- Increase Apache HTTPD's default keep alive timeout
- Resolves: #1434729 man ipa-cacert-manage install needs clarification
- man ipa-cacert-manage install needs clarification
- Resolves: #1434910 replica install against IPA v3 master fails with ACIError
- Fixing replica install: fix ldap connection in domlvl 0
- Resolves: #1435394 Ipa-kra-install fails with weird output when backspace is
used during typing Directory Manager password
- ipapython.ipautil.nolog_replace: Do not replace empty value
- Resolves: #1435397 ipa-replica-install can't install replica file produced by
ipa-replica-prepare on 4.5
- replica prepare: fix wrong IPA CA nickname in replica file
- Resolves: #1435599 WebUI: in self-service Vault menu item is shown even if
KRA is not installed
- WebUI: Fix showing vault in selfservice view
- Resolves: #1435718 As a ID user I cannot call a command with --rights option
- ldap2: use LDAP whoami operation to retrieve bind DN for current connection
- Resolves: #1436319 'Truncated search results' pop-up appears in user details
in WebUI
- WebUI: Add support for suppressing warnings
- WebUI: suppress truncation warning in select widget
- Resolves: #1436333 Uninstall fails with No such file or directory:
'/var/run/ipa/services.list'
- Create temporaty directories at the begining of uninstall
- Resolves: #1436334 WebUI: Adding certificate mapping data using certificate
fails
- WebUI: Allow to add certs to certmapping with CERT LINES around
- Resolves: #1436338 CLI doesn't work after ipa-restore
- Backup ipa-specific httpd unit-file
- Backup CA cert from kerberos folder
- Resolves: #1436342 Bump samba version, required for FIPS mode and privilege
separation
- Bump samba version for FIPS and priv. separation
- Resolves: #1436642 [ipalib/rpc.py] - 'maximum recursion depth exceeded' with
ipa vault commands
- Avoid growing FILE ccaches unnecessarily
- Handle failed authentication via cookie
- Work around issues fetching session data
- Prevent churn on ccaches
- Resolves: #1436657 Add workaround for pki_pin for FIPS
- Generate PIN for PKI to help Dogtag in FIPS
- Resolves: #1436714 [vault] cache KRA transport cert
- Simplify KRA transport cert cache
- Resolves: #1436723 cert-find does not find all certificates without
sizelimit=0
- cert: do not limit internal searches in cert-find
- Resolves: #1436724 Renewal of IPA RA fails on replica
- dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function
- Resolves: #1436753 Master tree fails to install
- httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not
available
[4.5.0-2.el7]
- Resolves: #1432630 python2-jinja2 needed for python2-ipaclient
- Remove csrgen
- Resolves: #1432903 Set GssProxy options to enable caching of ldap tickets
- Add options to allow ticket caching
[4.5.0-1.el7]
- Resolves: #828866 [RFE] enhance --subject option for ipa-server-install
- Resolves: #1160555 ipa-server-install: Cannot handle double hyphen '--' in
hostname
- Resolves: #1286288 Insufficient 'write' privilege to the 'ipaExternalMember'
attribute
- Resolves: #1321652 ipa-server-install fails when using external certificates
that encapsulate RDN components in double quotes
- Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on
revocation reasons
- Resolves: #1340880 ipa-server-install: improve prompt on interactive
installation
- Resolves: #1353841 ipa-replica-install fails to install when resolv.conf
incomplete entries
- Resolves: #1356104 cert-show command does not display Subject Alternative
Names
- Resolves: #1357511 Traceback message seen when ipa is provided with invalid
configuration file name
- Resolves: #1358752 ipa-ca-install fails on replica when IPA server is
converted from CA-less to CA-full
- Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication
- Resolves: #1367572 improve error message in ipa migrate-ds: mention ipa
config-mod --enable-migration=TRUE
- Resolves: #1367868 Add options to retrieve lightweight CA certificate/chain
- Resolves: #1371927 Implement ca-enable/disable commands.
- Resolves: #1372202 Add Users into User Group editors fails to show Full names
- Resolves: #1373091 Adding an auth indicator from the CLI creates an extra
check box in the UI
- Resolves: #1375596 Ipa-server WebUI - long user/group name show wrong error
message
- Resolves: #1375905 'Normal' group type in the UI is confusing
- Resolves: #1376040 IPA client ipv6 - invalid --ip-address shows traceback
- Resolves: #1376630 IDM admin password gets written to
/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
- Resolves: #1376729 ipa-server-install script option --no_hbac_allow should
match other options
- Resolves: #1378461 IPA Allows Password Reuse with History value defined when
admin resets the password.
- Resolves: #1379029 conncheck failing intermittently during single step
replica installs
- Resolves: #1379858 [RFE] better debugging for ipa-replica-conncheck
- Resolves: #1384310 ipa dnsrecord-add fails with Keyerror stack trace
- Resolves: #1392778 Update man page for ipa-adtrust-install by
removing --no-msdcs option
- Resolves: #1392858 Rebase to FreeIPA 4.5+
- Rebase to 4.5.0
- Resolves: #1399133 Delete option shouldn't be available for hosts applied to
view.
- Resolves: #1399190 [RFE] Certificates issued by externally signed IdM CA
should contain full trust chain
- Resolves: #1400416 RFE: Provide option to take backup of IPA server before
uninstalling IPA server
- Resolves: #1400529 cert-request is not aware of Kerberos principal aliases
- Resolves: #1401526 IPA WebUI certificates are grayed out on overview page but
not on details page
- Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping
- Resolves: #1404750 ipa-client-install fails to get CA cert via LDAP when
non-FQDN name of IPA server is first in /etc/hosts
- Resolves: #1409628 [RFE] Semi-automatic integration with external DNS using
nsupdate
- Resolves: #1413742 Backport request for bug/issue Change IP address
validation errors to warnings
- Resolves: #1415652 IPA replica install log shows password in plain text
- Resolves: #1427897 different behavior regarding system wide certs in master
and replica.
- Resolves: #1430314 The ipa-managed-entries command failed, exception:
AttributeError: ldap2
python-ply
[3.4-11]
- Replace md5 in signature calculation in order to allow use in FIPS
Updated Packages
| Release/Architecture | Filename | sha256 | Superseded By Advisory | Channel Label |
| Oracle Linux 7 (aarch64) | ipa-4.5.0-20.0.1.el7.src.rpm | 0beecda6bba1e163d7c75cad35867b164ce1e6fd628a29922f99f6c8810ef1cc | ELSA-2024-3760 | ol7_aarch64_latest |
| python-ply-3.4-11.el7.src.rpm | 4e75ac5c59b63016ffa3e6e611de47f482aced062bcf0d3f3f844554b4a1d079 | - | ol7_aarch64_beta | |
| python-ply-3.4-11.el7.src.rpm | 4e75ac5c59b63016ffa3e6e611de47f482aced062bcf0d3f3f844554b4a1d079 | - | ol7_aarch64_latest | |
| python-ply-3.4-11.el7.src.rpm | 4e75ac5c59b63016ffa3e6e611de47f482aced062bcf0d3f3f844554b4a1d079 | - | ol7_aarch64_u5_base | |
| python-ply-3.4-11.el7.src.rpm | 4e75ac5c59b63016ffa3e6e611de47f482aced062bcf0d3f3f844554b4a1d079 | - | ol7_aarch64_u7_base | |
| python-ply-3.4-11.el7.src.rpm | 4e75ac5c59b63016ffa3e6e611de47f482aced062bcf0d3f3f844554b4a1d079 | - | ol7_aarch64_u8_base | |
| python-ply-3.4-11.el7.src.rpm | 4e75ac5c59b63016ffa3e6e611de47f482aced062bcf0d3f3f844554b4a1d079 | - | ol7_aarch64_u9_base | |
| ipa-client-4.5.0-20.0.1.el7.aarch64.rpm | 8c1b042a72b488eab6d0a6cf3515264eb653a6134e6f5c5cd34984df6ae6363a | ELSA-2024-3760 | ol7_aarch64_latest | |
| ipa-client-common-4.5.0-20.0.1.el7.noarch.rpm | cd9c19533c37120f5121f6d33541a3f1e39c282a1c8a183e0d37e76d5f718f10 | ELSA-2024-3760 | ol7_aarch64_latest | |
| ipa-common-4.5.0-20.0.1.el7.noarch.rpm | d995eb838e02851d4fab27f9a807a4c8c7dc35b3cc428fe0449df4c403c4dee7 | ELSA-2024-3760 | ol7_aarch64_latest | |
| ipa-python-compat-4.5.0-20.0.1.el7.noarch.rpm | 6957e7ad02b2ec7d8f8299576692ec72bcd9ca222d3e7740392bab602fd2df82 | ELSA-2024-3760 | ol7_aarch64_latest | |
| ipa-server-4.5.0-20.0.1.el7.aarch64.rpm | 446bc4b7836e907ca0a3295af36cc0a1a8254e4ad207924db552d962c1b4e36c | ELSA-2024-3760 | ol7_aarch64_latest | |
| ipa-server-common-4.5.0-20.0.1.el7.noarch.rpm | 08949f7efceaea8ad81d8d831d00ea091e05515c16bd4a28fc4b4a561b7e8b1f | ELSA-2024-3760 | ol7_aarch64_latest | |
| ipa-server-dns-4.5.0-20.0.1.el7.noarch.rpm | 6e53c9dd1b11dd2f2937f75404592ba7e8bfeec805725465d34e2310fba98d73 | ELSA-2024-3760 | ol7_aarch64_latest | |
| ipa-server-trust-ad-4.5.0-20.0.1.el7.aarch64.rpm | 139cf381124466971cde991476f157aaa02851b7c2cde80581559832956f47a3 | ELSA-2024-3760 | ol7_aarch64_latest | |
| python-ply-3.4-11.el7.noarch.rpm | dfaca85405ab99eb648765973cbb4cd639bc911a0a7dc9f1438845441b79a4b7 | - | ol7_aarch64_beta | |
| python-ply-3.4-11.el7.noarch.rpm | dfaca85405ab99eb648765973cbb4cd639bc911a0a7dc9f1438845441b79a4b7 | - | ol7_aarch64_latest | |
| python-ply-3.4-11.el7.noarch.rpm | dfaca85405ab99eb648765973cbb4cd639bc911a0a7dc9f1438845441b79a4b7 | - | ol7_aarch64_u5_base | |
| python-ply-3.4-11.el7.noarch.rpm | dfaca85405ab99eb648765973cbb4cd639bc911a0a7dc9f1438845441b79a4b7 | - | ol7_aarch64_u7_base | |
| python-ply-3.4-11.el7.noarch.rpm | dfaca85405ab99eb648765973cbb4cd639bc911a0a7dc9f1438845441b79a4b7 | - | ol7_aarch64_u8_base | |
| python-ply-3.4-11.el7.noarch.rpm | dfaca85405ab99eb648765973cbb4cd639bc911a0a7dc9f1438845441b79a4b7 | - | ol7_aarch64_u9_base | |
| python2-ipaclient-4.5.0-20.0.1.el7.noarch.rpm | 42ae993d94fcac2244d3986f7f0351e14bfeaabf08d9b020b28a9e879bb6bad2 | ELSA-2024-3760 | ol7_aarch64_latest | |
| python2-ipalib-4.5.0-20.0.1.el7.noarch.rpm | cff6cb436e786ae5f61eb3192309a6a4ee7abe6306e4990b096580e53bdbb987 | ELSA-2024-3760 | ol7_aarch64_latest | |
| python2-ipaserver-4.5.0-20.0.1.el7.noarch.rpm | 34b47882df80091a920a23ba2d23556282caa07c1c957d2c557af1a8a4d9ca07 | ELSA-2024-3760 | ol7_aarch64_latest | |
| Oracle Linux 7 (x86_64) | ipa-4.5.0-20.0.1.el7.src.rpm | 0beecda6bba1e163d7c75cad35867b164ce1e6fd628a29922f99f6c8810ef1cc | ELSA-2024-3760 | ol7_x86_64_latest_archive |
| ipa-4.5.0-20.0.1.el7.src.rpm | 0beecda6bba1e163d7c75cad35867b164ce1e6fd628a29922f99f6c8810ef1cc | ELSA-2024-3760 | ol7_x86_64_u4_base | |
| python-ply-3.4-11.el7.src.rpm | 4e75ac5c59b63016ffa3e6e611de47f482aced062bcf0d3f3f844554b4a1d079 | - | ol7_x86_64_beta | |
| python-ply-3.4-11.el7.src.rpm | 4e75ac5c59b63016ffa3e6e611de47f482aced062bcf0d3f3f844554b4a1d079 | - | ol7_x86_64_latest | |
| python-ply-3.4-11.el7.src.rpm | 4e75ac5c59b63016ffa3e6e611de47f482aced062bcf0d3f3f844554b4a1d079 | - | ol7_x86_64_latest_archive | |
| python-ply-3.4-11.el7.src.rpm | 4e75ac5c59b63016ffa3e6e611de47f482aced062bcf0d3f3f844554b4a1d079 | - | ol7_x86_64_u4_base | |
| python-ply-3.4-11.el7.src.rpm | 4e75ac5c59b63016ffa3e6e611de47f482aced062bcf0d3f3f844554b4a1d079 | - | ol7_x86_64_u5_base | |
| python-ply-3.4-11.el7.src.rpm | 4e75ac5c59b63016ffa3e6e611de47f482aced062bcf0d3f3f844554b4a1d079 | - | ol7_x86_64_u5_developer | |
| python-ply-3.4-11.el7.src.rpm | 4e75ac5c59b63016ffa3e6e611de47f482aced062bcf0d3f3f844554b4a1d079 | - | ol7_x86_64_u6_base | |
| python-ply-3.4-11.el7.src.rpm | 4e75ac5c59b63016ffa3e6e611de47f482aced062bcf0d3f3f844554b4a1d079 | - | ol7_x86_64_u7_base | |
| python-ply-3.4-11.el7.src.rpm | 4e75ac5c59b63016ffa3e6e611de47f482aced062bcf0d3f3f844554b4a1d079 | - | ol7_x86_64_u8_base | |
| python-ply-3.4-11.el7.src.rpm | 4e75ac5c59b63016ffa3e6e611de47f482aced062bcf0d3f3f844554b4a1d079 | - | ol7_x86_64_u9_base | |
| ipa-client-4.5.0-20.0.1.el7.x86_64.rpm | b568352730da73ed33ee71bdbad05630f4dcff4147fa3af6fdf75186e498a9c3 | ELSA-2024-3760 | ol7_x86_64_latest_archive | |
| ipa-client-4.5.0-20.0.1.el7.x86_64.rpm | b568352730da73ed33ee71bdbad05630f4dcff4147fa3af6fdf75186e498a9c3 | ELSA-2024-3760 | ol7_x86_64_u4_base | |
| ipa-client-common-4.5.0-20.0.1.el7.noarch.rpm | cd9c19533c37120f5121f6d33541a3f1e39c282a1c8a183e0d37e76d5f718f10 | ELSA-2024-3760 | ol7_x86_64_latest_archive | |
| ipa-client-common-4.5.0-20.0.1.el7.noarch.rpm | cd9c19533c37120f5121f6d33541a3f1e39c282a1c8a183e0d37e76d5f718f10 | ELSA-2024-3760 | ol7_x86_64_u4_base | |
| ipa-common-4.5.0-20.0.1.el7.noarch.rpm | d995eb838e02851d4fab27f9a807a4c8c7dc35b3cc428fe0449df4c403c4dee7 | ELSA-2024-3760 | ol7_x86_64_latest_archive | |
| ipa-common-4.5.0-20.0.1.el7.noarch.rpm | d995eb838e02851d4fab27f9a807a4c8c7dc35b3cc428fe0449df4c403c4dee7 | ELSA-2024-3760 | ol7_x86_64_u4_base | |
| ipa-python-compat-4.5.0-20.0.1.el7.noarch.rpm | 6957e7ad02b2ec7d8f8299576692ec72bcd9ca222d3e7740392bab602fd2df82 | ELSA-2024-3760 | ol7_x86_64_latest_archive | |
| ipa-python-compat-4.5.0-20.0.1.el7.noarch.rpm | 6957e7ad02b2ec7d8f8299576692ec72bcd9ca222d3e7740392bab602fd2df82 | ELSA-2024-3760 | ol7_x86_64_u4_base | |
| ipa-server-4.5.0-20.0.1.el7.x86_64.rpm | c8b91ab598711085e35e7a21771eaeb7760848103b5e8feaf043ee4d21394a18 | ELSA-2024-3760 | ol7_x86_64_latest_archive | |
| ipa-server-4.5.0-20.0.1.el7.x86_64.rpm | c8b91ab598711085e35e7a21771eaeb7760848103b5e8feaf043ee4d21394a18 | ELSA-2024-3760 | ol7_x86_64_u4_base | |
| ipa-server-common-4.5.0-20.0.1.el7.noarch.rpm | 08949f7efceaea8ad81d8d831d00ea091e05515c16bd4a28fc4b4a561b7e8b1f | ELSA-2024-3760 | ol7_x86_64_latest_archive | |
| ipa-server-common-4.5.0-20.0.1.el7.noarch.rpm | 08949f7efceaea8ad81d8d831d00ea091e05515c16bd4a28fc4b4a561b7e8b1f | ELSA-2024-3760 | ol7_x86_64_u4_base | |
| ipa-server-dns-4.5.0-20.0.1.el7.noarch.rpm | 6e53c9dd1b11dd2f2937f75404592ba7e8bfeec805725465d34e2310fba98d73 | ELSA-2024-3760 | ol7_x86_64_latest_archive | |
| ipa-server-dns-4.5.0-20.0.1.el7.noarch.rpm | 6e53c9dd1b11dd2f2937f75404592ba7e8bfeec805725465d34e2310fba98d73 | ELSA-2024-3760 | ol7_x86_64_u4_base | |
| ipa-server-trust-ad-4.5.0-20.0.1.el7.x86_64.rpm | 37d44ab86a948018bc972e569e1233c7514a5163a0c116e2e889a8ee4347cf7a | ELSA-2024-3760 | ol7_x86_64_latest_archive | |
| ipa-server-trust-ad-4.5.0-20.0.1.el7.x86_64.rpm | 37d44ab86a948018bc972e569e1233c7514a5163a0c116e2e889a8ee4347cf7a | ELSA-2024-3760 | ol7_x86_64_u4_base | |
| python-ply-3.4-11.el7.noarch.rpm | dfaca85405ab99eb648765973cbb4cd639bc911a0a7dc9f1438845441b79a4b7 | - | ol7_x86_64_beta | |
| python-ply-3.4-11.el7.noarch.rpm | dfaca85405ab99eb648765973cbb4cd639bc911a0a7dc9f1438845441b79a4b7 | - | ol7_x86_64_latest | |
| python-ply-3.4-11.el7.noarch.rpm | dfaca85405ab99eb648765973cbb4cd639bc911a0a7dc9f1438845441b79a4b7 | - | ol7_x86_64_latest_archive | |
| python-ply-3.4-11.el7.noarch.rpm | dfaca85405ab99eb648765973cbb4cd639bc911a0a7dc9f1438845441b79a4b7 | - | ol7_x86_64_u4_base | |
| python-ply-3.4-11.el7.noarch.rpm | dfaca85405ab99eb648765973cbb4cd639bc911a0a7dc9f1438845441b79a4b7 | - | ol7_x86_64_u5_base | |
| python-ply-3.4-11.el7.noarch.rpm | dfaca85405ab99eb648765973cbb4cd639bc911a0a7dc9f1438845441b79a4b7 | - | ol7_x86_64_u5_developer | |
| python-ply-3.4-11.el7.noarch.rpm | dfaca85405ab99eb648765973cbb4cd639bc911a0a7dc9f1438845441b79a4b7 | - | ol7_x86_64_u6_base | |
| python-ply-3.4-11.el7.noarch.rpm | dfaca85405ab99eb648765973cbb4cd639bc911a0a7dc9f1438845441b79a4b7 | - | ol7_x86_64_u7_base | |
| python-ply-3.4-11.el7.noarch.rpm | dfaca85405ab99eb648765973cbb4cd639bc911a0a7dc9f1438845441b79a4b7 | - | ol7_x86_64_u8_base | |
| python-ply-3.4-11.el7.noarch.rpm | dfaca85405ab99eb648765973cbb4cd639bc911a0a7dc9f1438845441b79a4b7 | - | ol7_x86_64_u9_base | |
| python2-ipaclient-4.5.0-20.0.1.el7.noarch.rpm | 42ae993d94fcac2244d3986f7f0351e14bfeaabf08d9b020b28a9e879bb6bad2 | ELSA-2024-3760 | ol7_x86_64_latest_archive | |
| python2-ipaclient-4.5.0-20.0.1.el7.noarch.rpm | 42ae993d94fcac2244d3986f7f0351e14bfeaabf08d9b020b28a9e879bb6bad2 | ELSA-2024-3760 | ol7_x86_64_u4_base | |
| python2-ipalib-4.5.0-20.0.1.el7.noarch.rpm | cff6cb436e786ae5f61eb3192309a6a4ee7abe6306e4990b096580e53bdbb987 | ELSA-2024-3760 | ol7_x86_64_latest_archive | |
| python2-ipalib-4.5.0-20.0.1.el7.noarch.rpm | cff6cb436e786ae5f61eb3192309a6a4ee7abe6306e4990b096580e53bdbb987 | ELSA-2024-3760 | ol7_x86_64_u4_base | |
| python2-ipaserver-4.5.0-20.0.1.el7.noarch.rpm | 34b47882df80091a920a23ba2d23556282caa07c1c957d2c557af1a8a4d9ca07 | ELSA-2024-3760 | ol7_x86_64_latest_archive | |
| python2-ipaserver-4.5.0-20.0.1.el7.noarch.rpm | 34b47882df80091a920a23ba2d23556282caa07c1c957d2c557af1a8a4d9ca07 | ELSA-2024-3760 | ol7_x86_64_u4_base | |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team
