ELBA-2022-2387
- ULN >
- Oracle Linux Errata repository >
- ELBA-2022-2387
ELBA-2022-2387 - ipa
| Type: | BUG |
| Impact: | NA |
| Release Date: | 2022-06-30 |
Description
[4.9.8-7.0.1]
- Set IPAPLATFORM=rhel when build on Oracle Linux [Orabug: 29516674]
[4.9.8-7]
- Resolves: rhbz#2057471 Consequences of FIPS crypto policy tightening in RHEL 9
- KRB instance: make provision to work with crypto policy without SHA-1 HMAC types
- tests: ensure AD-SUPPORT subpolicy is active
- ipatests: extend AES keyset to SHA2-based ones
- freeipa.spec: bump crypto-policies dependency for CentOS 9 Stream
- Kerberos instance: default to AES256-SHA2 for master key encryption
- test_otp: do not use paramiko unless it is really needed
- test_krbtpolicy: skip SPAKE-related tests in FIPS mode
- Support AES for KRA archival wrapping
- Set AES as default for KRA archival wrapping
[4.9.8-6]
- Resolves: rhbz#2057467 Backport latest test fixes in python3-ipatests
- ipatests: Tests for Autoprivate group.
- mark xfail for test_idoverride_with_auto_private_group[hybrid]
- Mark xfail test_gidnumber_not_corresponding_existing_group[true,hybrid]
[4.9.8-5]
- Resolves: rhbz#2053025
- add IPA test suite fixes
[4.9.8-4]
- Resolves: rhbz#2053586 IPA LDAP plugin ipa-cldap memory leak
- fix memory leak in CLDAP responder
[4.9.8-3]
- Resolves: rhbz#2050540 Unable to join RHEL 8.5 Replica to RHEL 7.9 Master for migration purposes
- Dont always override the port in import_included_profiles
- Resolves: rhbz#2051582 Enable ipa-ccache-sweep.timer during server installation
- Test ipa-ccache-sweep.timer enabled by default during installation
- Enable the ccache sweep timer during installation
- Resolves: rhbz#2051844 ipa-join tests are failing due to changes in expected output
- Remove ipa-join errors from behind the debug option
[4.9.8-2]
- Resolves: rhbz#2040619 - Changing default pac type to nfs:NONE and MS-PAC doesnot display error ipa: ERROR: no modifications to be performed
- Config plugin: return EmptyModlist when no change is applied
- config plugin: add a test ensuring EmptyModlist is returned
- Resolves: rhbz#2048510 - [rhel-9.0] Backport latest test fixes in python3-ipatests
- ipatests: webui: Tests for subordinate ids.
- ipatests: webui: Use safe-loader for loading YAML configuration file
- ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica teardown
- Test cases for ipa-replica-conncheck command
- PEP8 Fixes
- ipatests: Test empty cert request doesnt force certmonger to segfault
- ipatests: Test default value of nsslapd-sizelimit.
- Extend test to see if replica is not shown when running ipa-replica-manage list -v
- Added test automation for SHA384withRSA CSR support
- Resolves: rhbz#2049104 - User cant log in after ipa-user-mod --user-auth-type=hardened
- ipa-kdb: do not remove keys for hardened auth-enabled users
- ipatests: add case for hardened-only ticket policy
- Resolves: rhbz#2049174 - KRA GetStatus service blocked by IPA proxy
- ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus
[4.9.8-1]
- Resolves: rhbz#2015608 - [Rebase] Rebase ipa to latest 4.9.x release RHEL9
- Resolves: rhbz#1825010 - Concerns regarding ipa pwpolicy-mod --minlife 24 --maxlife 1
- Resolves: rhbz#1966289 - Info about searchrecordslimit set search limit to 10,000 after upgrade
- Resolves: rhbz#1980356 - reinstalling samba client causes winbindd coredump
- Resolves: rhbz#1986054 - fix automountlocation-tofiles output
- Resolves: rhbz#2020205 - Missing bind-pkcs11-utils causing failures in OpenDNSSec
- Resolves: rhbz#2021445 - CVE-2020-25719 ipa: samba: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets
- ipa-kdb: issue PAC_REQUESTER_SID only for TGTs
- ipa-kdb: fix requester SID check according to MS-KILE and MS-SFU updates
[4.9.6-9]
- Resolves: rhbz#2010701 ipa-server-install fails while configuring certificate server instance
- Parse getStatus as JSON not XML
- Parse cert chain as JSON not XML
- Specify PKI installation log paths
- Make Dogtag return XML for ipa cert-find
[4.9.6-8]
- Resolves: rhbz#2005864 ipa cert-request replaces user certificate instead of adding
- Dont store entries with a usercertificate in the LDAP cache
- ipatests: Test that a user can be issued multiple certificates
[4.9.6-7]
- Resolves: rhbz#2003005 AVC denied { read } comm=ipa-custodia on aarch64 during installation of ipa-server
- selinux policy: allow custodia to access /proc/cpuinfo
- Resolves: rhbz#2003004 extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT
- extdom: return LDAP_NO_SUCH_OBJECT if domains differ
- Resolves: rhbz#2003003 subid: subid-match displays the DN of the owner, not its UID.
- subid: subid-match: display the owners ID not DN
- Resolves: rhbz#2013116 ipa migrate-ds command fails to warn when compat plugin is enabled
- migrate-ds: workaround to detect compat tree
[4.9.6-6]
- Resolves: rhbz#1998098 - Backport latest test fixes in python3-ipatests
- ipatests: Test unsecure nsupdate.
- ipatests: Fix TestAJPSecretUpgrade tests on systems without pkiuser
- ipatests: test_ipahealthcheck: Verify permissions for /var/log/ files
- ipatests: test to renew certs on replica using ipa-cert-fix
- ipatests: wait while http/ldap/pkinit cert get renew on replica
- ipatests: refactor test_ipa_cert_fix with tasks
- ipatests: use whole date for journalctl --since
[4.9.6-5]
- Resolves: rhbz#1988383 Do SRV discovery in ipa-getkeytab if -s and -H arent provided
- ipa-getkeytab: add option to discover servers using DNS SRV
- ipa-getkeytab: fix compiler warnings
- ipatests: test ipa-getkeytab server option
- Resolves: rhbz#1986329 ipa-server install failure without DNS
- Fix ldapupdate.get_sub_dict() for missing named user
- Resolves: rhbz#1980734 Remove python3-pexpect as dependency for ipatests pkg
- freeipa.spec.in: remove python3-pexpect from Requires
- Resolves: rhbz#1992538 Backport recent test fixes in python3-ipatests
- ipatests: use whole date when calling journalctl --since
- ipatests: Fix for test_source_ipahealthcheck_ipa_host_check_ipahostkeytab
- ipatests: test_ipahealthcheck: print a message if a system is healthy
- ipatests: test_installation: move tracking_reqs dependency to ipalib constants ipaserver: krainstance: utilize moved tracking_reqs dependency
- webui tests: close notification when revoking cert
- ipatests: Test ipa-cert-fix warns when startup directive is missing from CS.cfg
- webui tests: fix algo for finding available idrange
- ipatests: smbclient -k => --use-kerberos=desired
- test_acme: refactor with tasks
- test_acme: make password renewal more robust
- tasks.py: fix flake8-reported issues
- ipatests: Test for OTP when the LDAP connection timed out.
- ipatests: verify that getcert output includes the issued date
- ipatests: Look for warning into stderr instead of stdout
- ipatests: use krb5_trace in TestIpaAdTrustInstall
- ipatests: Test ldapsearch with base scope works with compat tree.
- ipatests: skip test_basesearch_compat_tree on fedora.
- ipatests: Refactor test_check_otpd_after_idle_timeout
[4.9.6-4.1]
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
[4.9.6-4]
- Use new method in check to prevent removal of last KRA (#1985072)
- ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL (#1982952)
- Fix index definition for memberOf (#1952028)
[4.9.6-3]
- Resolves: rhbz#1979629 Add checks to prevent assigning authentication indicators to internal IPA services
- Resolves: rhbz#1982212 ipa-trust-add fails with not enough quota
- Resolves: rhbz#1952028 [RFE] Add support for managing subuids and subgids in FreeIPA
- Resolves: rhbz#1981789 [man page] contradiction in ipa-server-upgrade commands man page and usage
[4.9.6-2]
- Resolves: rhbz#1955440 ipa installation fails to configure chrony
- Resolves: rhbz#1976761 Package python3-ipatests (from CRB repo) Requires python3-coverage
- Resolves: rhbz#1979609 Unable to set ipaUserAuthType with stageuser-add
- Resolves: rhbz#1979629 Add checks to prevent assigning authentication indicators to internal IPA services
[4.9.6-1]
- Resolves: rhbz#1969351 Rebase IPA to latest 4.9.x version
- Resolves: rhbz#1976288 ansible-freeipa automember test fails with automember_add_condition: testgroup: objectclass due to ldap cache
- Resolves: rhbz#1975139 Upgrade error: Add failure missing required attribute objectclass
- Resolves: rhbz#1973024 CA_less ipa-server-install fails if CA cert subject contains non ascii chars
- Resolves: rhbz#1966101 [RFE] - IDM - Allow specifying permanent logging settings for BIND
- Resolves: rhbz#1962570 IPA in c9s should not require redhat-logos-ipa as a runtime package
- Resolves: rhbz#1957736 [RFE] IPA to allow configuring auto-private-groups at idrange level
[4.9.3-2.1]
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
[4.9.3-2]
- RHEL 9 Beta mass rebuild. Resolves: rhbz#1951304
[4.9.3-1]
- Upstream release FreeIPA 4.9.3
[4.9.2-4]
- Rebuild against 389-ds and PKI to fix https://github.com/389ds/389-ds-base/issues/4609
[4.9.2-3]
- Only use python-platform on RHEL 8
[4.9.2-2]
- Fix ipatests dependency to python3-pexpect
[4.9.2-1]
- Upstream release FreeIPA 4.9.2
[4.9.1-1]
- Upstream release FreeIPA 4.9.1
[4.9.0-2.1]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
[4.9.0-2]
- Set client keytab location for 389ds (RHBZ#1918075)
[4.9.0-1]
- FreeIPA 4.9.0 final release
[4.9.0-0.6.rc3]
- Refactor DNSSEC paths creation code (upstream PR#5340)
[4.9.0-0.5.rc3]
- FreeIPA 4.9.0 release candidate 3
- Enforce C.UTF-8 locale in systemd service units
- Fold up fixes from Rawhide and RHEL 8.4 testing
[4.9.0-0.4.rc2]
- Fix upgrade script for CA rule rewrites
- Fix permissions for /run/ipa/ccaches
[4.9.0-0.3.rc2]
- Correct SELinux policy requirements
[4.9.0-0.2.rc2]
- FreeIPA 4.9.0 release candidate 2
[4.9.0-0.1.rc1]
- Use correct bind PKCS11 engine dependencies
- Fix SELinux build requirement
- Fix linting requirements
[4.9.0-0.rc1]
- FreeIPA 4.9.0 release candidate 1
- Synchronize spec file with upstream and RHEL
[4.8.10-7]
- Backport #5212 for deployment failures with 389-ds-base 1.4.4.6+
[4.8.10-6]
- Handle sshd_config upgrade properly
Fixes: rhbz#1887928
[4.8.10-5]
- Properly handle upgrade case when systemd-resolved is enabled
[4.8.10-4]
- Fix permissions for /etc/systemd/resolved.conf.d/zzz-ipa.conf
- Add NetworkManager and systemd-resolved configuration files to backup
[4.8.10-3]
- Fix dependency between freeipa-selinux and freeipa-common
- Resolves: rhbz#1883005
[4.8.10-2]
- Support upgrade F32 -> F33 with systemd-resolved
[4.8.10-1]
- Upstream release FreeIPA 4.8.10
[4.8.9-2]
- Backport fix for detecting older installations on upgrade
[4.8.9-1]
- Upstream release FreeIPA 4.8.9
[4.8.7-5]
- Make use of unshare+chroot in ipa-extdom-extop unittests to work against glibc 2.32
[4.8.7-4]
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
[4.8.7-3]
- Conditional fixes for ELN to set krb5-kdb version appropriately
[4.8.7-2]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
[4.8.7-1]
- Upstream release FreeIPA 4.8.7
[4.8.6-2]
- Rebuilt for Python 3.9
Updated Packages
| Release/Architecture | Filename | sha256 | Superseded By Advisory | Channel Label |
| Oracle Linux 9 (aarch64) | ipa-4.9.8-7.0.1.el9_0.src.rpm | 8e6b2f5647156582c408dd1b8c8e797f5f3633201b2fe66c87ad4458a3787135 | - | ol9_aarch64_appstream |
| ipa-4.9.8-7.0.1.el9_0.src.rpm | 8e6b2f5647156582c408dd1b8c8e797f5f3633201b2fe66c87ad4458a3787135 | - | ol9_aarch64_codeready_builder | |
| ipa-client-4.9.8-7.0.1.el9_0.aarch64.rpm | b8c2ddfb0de21ea23b8758cabed3a16a8d7ac88311afc8747e837792daa2285f | - | ol9_aarch64_appstream | |
| ipa-client-common-4.9.8-7.0.1.el9_0.noarch.rpm | 051c62dc8df1acb10b9b2f1440fec9fd3d2331401133c933580c517d9a165c25 | - | ol9_aarch64_appstream | |
| ipa-client-epn-4.9.8-7.0.1.el9_0.aarch64.rpm | 29c29637bef1937b8bc55a4dc65cae0f5eb2c0b50ab67e2d0d10c8867ac0755a | - | ol9_aarch64_appstream | |
| ipa-client-samba-4.9.8-7.0.1.el9_0.aarch64.rpm | 5f7cc0f6f18d912f784a69aa0e883d676034dace9a8aed6a77ddfdb74e5dedb9 | - | ol9_aarch64_appstream | |
| ipa-common-4.9.8-7.0.1.el9_0.noarch.rpm | bb2d0eb3957b6ccf967959228140903ca9b1a33fb0cec8f8b96b1e5934187d90 | - | ol9_aarch64_appstream | |
| ipa-selinux-4.9.8-7.0.1.el9_0.noarch.rpm | d1c0b8ea8b5cc7293de44e58d40b4649b1d42c7d8886ec185e6cc79298418b7c | - | ol9_aarch64_appstream | |
| ipa-server-4.9.8-7.0.1.el9_0.aarch64.rpm | b2226c5eb8b4955a62f3424b64909ea5e6908c227b0f18d690fbab41e122a9ab | - | ol9_aarch64_appstream | |
| ipa-server-common-4.9.8-7.0.1.el9_0.noarch.rpm | 0b33f85e71f4760d58de744a14bd7ef7076385a5060b3553bd064084741ff4de | - | ol9_aarch64_appstream | |
| ipa-server-dns-4.9.8-7.0.1.el9_0.noarch.rpm | 8f06c587eab00a24fae750b60dac3cfcc1a8d1cb18a866e3b5080fac3c6b073f | - | ol9_aarch64_appstream | |
| ipa-server-trust-ad-4.9.8-7.0.1.el9_0.aarch64.rpm | 58b20a2741a59df948433618ff697f2d27fe0b56ccd038548b9abc2027901b0d | - | ol9_aarch64_appstream | |
| python3-ipaclient-4.9.8-7.0.1.el9_0.noarch.rpm | 00809e30943cd8cd276a64e1407203aceffd54c09347a07c5743ca5421a44abc | - | ol9_aarch64_appstream | |
| python3-ipalib-4.9.8-7.0.1.el9_0.noarch.rpm | 2f6b54273a1b02587e9b7ec37f4ce41a5e25e68495252e5bcd88ea8b1a8387dc | - | ol9_aarch64_appstream | |
| python3-ipaserver-4.9.8-7.0.1.el9_0.noarch.rpm | eee6138f550f3a33caf9c0f90eca36d55ef864e588bb7d79f43c106c39206ee3 | - | ol9_aarch64_appstream | |
| python3-ipatests-4.9.8-7.0.1.el9_0.noarch.rpm | daa3b5c0eabd9788dcb44eb2efa23e49f6303699f3373c28541c8506f44fe7c4 | - | ol9_aarch64_codeready_builder | |
| Oracle Linux 9 (x86_64) | ipa-4.9.8-7.0.1.el9_0.src.rpm | 8e6b2f5647156582c408dd1b8c8e797f5f3633201b2fe66c87ad4458a3787135 | - | ol9_x86_64_appstream |
| ipa-4.9.8-7.0.1.el9_0.src.rpm | 8e6b2f5647156582c408dd1b8c8e797f5f3633201b2fe66c87ad4458a3787135 | - | ol9_x86_64_codeready_builder | |
| ipa-client-4.9.8-7.0.1.el9_0.x86_64.rpm | a93335b7f465e83bd95a79337c7333f1480734317afb8df742d59b5b28cd280c | - | ol9_x86_64_appstream | |
| ipa-client-common-4.9.8-7.0.1.el9_0.noarch.rpm | 051c62dc8df1acb10b9b2f1440fec9fd3d2331401133c933580c517d9a165c25 | - | ol9_x86_64_appstream | |
| ipa-client-epn-4.9.8-7.0.1.el9_0.x86_64.rpm | f0007bc97a0c38c942e370ae065f2c2ae5c1d11d74ef38a14cdf7d19a698b257 | - | ol9_x86_64_appstream | |
| ipa-client-samba-4.9.8-7.0.1.el9_0.x86_64.rpm | 0ed3ae01d666a6fdd2a29f4a8400f683735bfd002429fe115cc68543563ea497 | - | ol9_x86_64_appstream | |
| ipa-common-4.9.8-7.0.1.el9_0.noarch.rpm | bb2d0eb3957b6ccf967959228140903ca9b1a33fb0cec8f8b96b1e5934187d90 | - | ol9_x86_64_appstream | |
| ipa-selinux-4.9.8-7.0.1.el9_0.noarch.rpm | d1c0b8ea8b5cc7293de44e58d40b4649b1d42c7d8886ec185e6cc79298418b7c | - | ol9_x86_64_appstream | |
| ipa-server-4.9.8-7.0.1.el9_0.x86_64.rpm | 2a52885c4d4d8dd246b9007d07cc8bf7c396225c59f69485962aee6e499c8146 | - | ol9_x86_64_appstream | |
| ipa-server-common-4.9.8-7.0.1.el9_0.noarch.rpm | 0b33f85e71f4760d58de744a14bd7ef7076385a5060b3553bd064084741ff4de | - | ol9_x86_64_appstream | |
| ipa-server-dns-4.9.8-7.0.1.el9_0.noarch.rpm | 8f06c587eab00a24fae750b60dac3cfcc1a8d1cb18a866e3b5080fac3c6b073f | - | ol9_x86_64_appstream | |
| ipa-server-trust-ad-4.9.8-7.0.1.el9_0.x86_64.rpm | 108dd15e457bc01dd36fad31cfadc7997e5eaaf634b867959d3d5fc476d63a71 | - | ol9_x86_64_appstream | |
| python3-ipaclient-4.9.8-7.0.1.el9_0.noarch.rpm | 00809e30943cd8cd276a64e1407203aceffd54c09347a07c5743ca5421a44abc | - | ol9_x86_64_appstream | |
| python3-ipalib-4.9.8-7.0.1.el9_0.noarch.rpm | 2f6b54273a1b02587e9b7ec37f4ce41a5e25e68495252e5bcd88ea8b1a8387dc | - | ol9_x86_64_appstream | |
| python3-ipaserver-4.9.8-7.0.1.el9_0.noarch.rpm | eee6138f550f3a33caf9c0f90eca36d55ef864e588bb7d79f43c106c39206ee3 | - | ol9_x86_64_appstream | |
| python3-ipatests-4.9.8-7.0.1.el9_0.noarch.rpm | daa3b5c0eabd9788dcb44eb2efa23e49f6303699f3373c28541c8506f44fe7c4 | - | ol9_x86_64_codeready_builder | |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team
