ELSA-2013-0528

ELSA-2013-0528 - ipa security, bug fix and enhancement update

Type:SECURITY
Severity:LOW
Release Date:2013-02-27

Description


[3.0.0-25.el6]
- Filter generated winbind dependencies so the right version of samba
can be installed. (#905594)

[3.0.0-24.el6]
- Add certmonger condrestart to server post scriptlet (#903758)
- Make certmonger a (pre) Requires (#903758)
- Add selinux-policy to Requires(pre) to avoid post scriptlet AVCs
(#903758)
- Set minimum version of pki-ca to 9.0.3-30 and add to Requires(pre)
to pick up certmonger upgrade fix (#902474)
- Update anonymous access ACI to protect secret attributes (#902481)

[3.0.0-23.el6]
- Installer should not connect to 127.0.0.1. (#895561)
- Don't initialize NSS if we don't have to. (#878220)

[3.0.0-22.el6]
- Set minimum version of bind-dyndb-ldap to 2.3-2 to pick up missing DNS
zone SOA serial fix (#894131)
- Stopped named service crashed ipa-upgradeconfig program (#895298)
- ipa-replica-prepare crashed when manipulating DNS zone without SOA
serial (#894143)
- Use new certmonger locking to prevent NSS database corruption during
CA subsystem renewal (#883484)
- Set minimum selinux-policy to 3.7.19-193 to allow certmonger to talk
to dbus in an rpm scriptlet. (related #883484)
- Set minimum vresion of certmonger to 0.61-3 for new locking scheme
(related #883484)

[3.0.0-21.el6]
- Properly handle migrated uniqueMember attributes (#894090)
- ipa permission-find using valid targetgroup throws internal error (#893827)
- Fix migration of CRLs to new directory location (#893722)
- Installing IPA with a single realm component sometimes fails (#893187)

[3.0.0-20.el6]
- Set maxbersize to a large value to accomondate large CRLs during replica
installation. (#888956)
- Set minimum version of pki-ca, pki-slient and pki-setup to 9.0.3-29 to
pick up default CA validity period of 20 years. (#891980)

[3.0.0-19.el6]
- Client installation crashes when Kerberos SRV record is not found (#889583)
- Fix typo in patch 0048 for CVE-2012-5484 (#878220)

[3.0.0-18.el6]
- Cookie Expires date should be locale insensitive to avoid CLI errors (#888915)

[3.0.0-17.el6]
- ipa delegation-find --group option returns internal error (#888524)
- Add missing Requires for python-crypto replacement (#878969)

[3.0.0-16.el6]
- sssd is not enabled on client/server install (#888124)

[3.0.0-15.el6]
- ipa-server-install --uninstall doesn't clear certmonger dirs, which leads
to install failing (#817080)

[3.0.0-14.el6]
- Compliant client side session cookie behavior. CVE-2012-5631.
(#886371)

[3.0.0-13.el6]
- Use secure method to retrieve IPA CA during client enrollment.
CVE-2012-5484 (#878220)
- Reformat patch 0044 so it works with git-am

[3.0.0-12.el6]
- Include /var/lib/sss/pubconf/krb5.include.d/ for domain-realm mappings
in krb5.conf (#883166)
- Set minimum selinux-policy >= 3.7.19-184 to allow domains that can read
sssd_public_t files to also list the directory (#881413)
- Remove dist label from changelog entries.
- Fix timestamp on patched files to avoid multilib warnings

[3.0.0-11.el6]
- Set Requires on httpd 2.2.15-24, mod_nss to 1.0.8-18 and patch to
check for existing mod_ssl configuration. These versions allow mod_proxy
to simultaneously support SSL servers using mod_ssl and mod_proxy (#761574)
- IPA WebUI login for AD Trusted User fails (#875261)
- Add 'disable_last_success' and 'disable_lockout' to the ipa_lockout
plugin (#824488)

[3.0.0-10.el6]
- Make default group type POSIX in ui (#880655)
- Write replacement for python-crypto (#878969)
- ipa trust-add prints misleading information about required DNS setting
(#878485)
- Lookup user SIDs in external groups (#878480)
- Special case NFS related ticket to avoid attaching MS-PACs (#878462)
- IPA users are not available after ipa-server-install because sssd not running
(#878288)
- Incorrect error message when time difference between AD and IPA is too great
(#877434)
- Missing option to add SSH Public Key in Web UI after upgrade (#877324)

[3.0.0-9.el6]
- Update minimum BR and Requires of sssd to 1.9.2-25 (related #870278,
related #871160, related #878262)
- Replication agreement tools report errors with new single instance CA database
(#878491)
- If time is moved back on the IPA server, ipasam does not invalidate the
existing ticket (#866576)

[3.0.0-8.el6]
- Server installation fails to find A/AAAA record for IPA hostname (#874935)
- Out of range error when listing RUV on host with no agreements (#873726)
- Tighten dependency on krb5-server to limit to 1.10 (#872707)
- Default SELinuxusermaporder needs to mapped with default selinux users list
(#870053)
- Clarify trust-add help regarding multiple runs against the same domain
(#869741)
- Improve reliabilityof RA renewal script (#869663)
- Add option to disable DNS forwarding by zone (#869658)
- Update minimum version of bind-dyndb-ldap to 2.3-1 (#869658)
- Improve information on passsync user in man page, command help (#869656)
- Resolve external members from trusted domain via Global Catalog (#869616)
- Process relative nameserver DNS record correctly (#868956)
- ipa-adtrust-install does not reset all information when re-run (#867447)
- Fix potential memory leak in KDB backend (#811989)

[3.0.0-7.el6]
- Fix type conversion of integers when doing modifications (#870446)
- Set SECURE_NFS to lowercase yes rather than uppercase (#869654)
- Add autofs service to sssd.conf before enabling it (#869649)
- Add strict Requires for policycoreutils to avoid user removing them
during package lifetime (#869281)
- Make internal rename_s() call compatible with python-ldap-2.3.10 (#867902)
- Update minimum version of bind-dyndb-ldap to 2.2-1.el6 (related #871583)
- Restart httpd after running ipa-adtrust-install (#866966)

[3.0.0-6.el6]
- Add patch to override xmlrpc request method for session (#786199)
- Bad link to Web UI config page after session is expired (#869279)
- extdom plugin does not handle Posix UID and GID request (#867676)
- ipa-server-install --setup-dns always installs reverse zone (#866978)
- Inform user when ipa-upgradeconfig reports errors (#866977)
- Certificate request fails when CSR has subjectAltnames (#866955)
- ipa-adtrust-install checks for /usr/bin/smbpasswd, which is not
required (#866572)
- Instructions to uninstall are unclear (#856294)
- Inconsistent service naming in ipa-server-install (#856292)
- Improve instructions to generate certificate in Web UI (#856282)
- /etc/ipa/default.conf is out of date (#855855)
- Time synchronization is disabled in ipa-client-install (#854325)
- ipa-replica-install httpd restart sometimes fails (#845405)
- Improve error messages during ipa-replica-manage del (#835632)
- Always log errors from dogtag (#813401)

[3.0.0-5.el6]
- Update to upstream 3.0.0 GA release (#827602)
- Add zip dependency, needed for creating unsigned Firefox extensions
- Filter generated winbind dependencies so the right version of samba
can be installed.
- Remove patch to support python-ldap 2.3.10. Fixed upstream.
- Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca (#864533)
- Add zip dependency, needed for creating unsigned Firefox extensions

[3.0.0-4.el6]
- Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so
plugin to /dev/null since they cannot be used when trusts are configured
(related #864889)
- Update BR and Requires of samba4 to 4.0.0-31 to pick up winbind_krb5_locator
alternatives change. (related #864889)

[3.0.0-3.el6]
- Update to upstream 3.0.0.rc2 release (#827602)
- Provide new Firefox extension.
- Own /etc/ipa/ca.crt

[3.0.0-2.el6]
- Remove Requires on krb5-pkinit-openssl as part of disabling pkinit code.
- Add missing subdirectories in site-packages/ipaserver discovered by
rpmdiff. (#827602)

[3.0.0-1.el6]
- Update to upstream 3.0.0.rc1 release (#827602)
- Update BR and Requires of 389-ds-base to 1.2.11.14
- Update BR and Requires of krb5 to 1.10
- Update BR and Requires of samba4 to 4.0.0-24
- Update BR and Requires of sssd to 1.9.0
- Update Requires on policycoreutils to 2.0.83-19.24
- Update Requires on httpd to httpd-2.2.15-17 to pick up #787247
- Update minimum version of bind-dyndb-ldap to 1.1.0-0.9.b1.el6_3.1
- Update minimum version of bind to 9.8.2-0.10.rc1.el6_3.2
- Sync upstream spec file Requires
- Add patch to support python-ldap 2.3.10


Related CVEs


CVE-2012-4546

Updated Packages


Release/ArchitectureFilenameMD5sumSuperseded By Advisory
Oracle Linux 6 (i386) ipa-3.0.0-25.el6.src.rpm7acbee21da3f7cd616df09b43b1338bdELBA-2019-4569
ipa-admintools-3.0.0-25.el6.i686.rpm775901a3fbd57920bcb3445d3ce68a21ELBA-2019-4569
ipa-client-3.0.0-25.el6.i686.rpm572fcfcdaf317b9333aea9be2b50efb4ELBA-2019-4569
ipa-python-3.0.0-25.el6.i686.rpm14c84d4bc949b6fe93be0304a9cffac9ELBA-2019-4569
ipa-server-3.0.0-25.el6.i686.rpm4c019f0d8f36e1eadec31ff3bf17ced1ELBA-2019-4569
ipa-server-selinux-3.0.0-25.el6.i686.rpmf28973b6d4a4160a84e5858f29f7c1efELBA-2019-4569
ipa-server-trust-ad-3.0.0-25.el6.i686.rpm916c31cfdc3c4eace86e4b440f1a3736ELBA-2019-4569
Oracle Linux 6 (x86_64) ipa-3.0.0-25.el6.src.rpm7acbee21da3f7cd616df09b43b1338bdELBA-2019-4569
ipa-admintools-3.0.0-25.el6.x86_64.rpmc201712d3f0e20f8364bb685953c30c3ELBA-2019-4569
ipa-client-3.0.0-25.el6.x86_64.rpm7737b17c1ae8c9d1f2b552c129564445ELBA-2019-4569
ipa-python-3.0.0-25.el6.x86_64.rpm1de83d26f950ed2bb8fe585f48b95f47ELBA-2019-4569
ipa-server-3.0.0-25.el6.x86_64.rpme0557f5db9cdf49c76bf9df1549d3b23ELBA-2019-4569
ipa-server-selinux-3.0.0-25.el6.x86_64.rpmef77d5db7b9ca0868a00190e6a0051ebELBA-2019-4569
ipa-server-trust-ad-3.0.0-25.el6.x86_64.rpmb432c321bca217867f4855a06c8d57b5ELBA-2019-4569



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

software.hardware.complete