ELSA-2024-2147

ELSA-2024-2147 - ipa security update

Type: SECURITY
Impact: MODERATE
Release Date: 2024-05-03

Description


[4.11.0-9.0.1]
- Set IPAPLATFORM=rhel when built on Oracle Linux [Orabug: 29516674]
- Add bind to ipa-server-common Requires [Orabug: 36518596]

[4.11.0-9]
- Resolves: RHEL-28258 vault fails on non-fips client if server is in FIPS mode
- Resolves: RHEL-26154 ipa: freeipa: specially crafted HTTP requests potentially lead to DoS or data exposure

[4.11.0-8]
- Resolves: RHEL-12143 ipa vault-add is failing with ipa: ERROR: an internal error has occurred in FIPS mode
- Resolves: RHEL-25738 ipa-kdb: Cannot determine if PAC generator is available

[4.11.0-7]
- Resolves: RHEL-25260 tier-1-upstream-dns-locations failed on RHEL8.8 gating
- Resolves: RHEL-25738 ipa-kdb: Cannot determine if PAC generator is available
- Resolves: RHEL-25815 Backport latest test fixes in python3-ipatests

[4.11.0-6]
- Resolves: RHEL-23627 IPA stops working if HTTP/... service principal was created before FreeIPA 4.4.0 and never modified
- Resolves: RHEL-23625 sidgen plugin does not ignore staged users
- Resolves: RHEL-23621 session cookie can't be read
- Resolves: RHEL-22372 Gating-DL1 test failure in test_integration/test_dns_locations.py::TestDNSLocations::()::test_ipa_ca_records
- Resolves: RHEL-21809 CA less servers are failing to be added in topology segment for domain suffix
- Resolves: RHEL-17996 Memory leak in IdM's KDC

[4.11.0-5]
- Resolves: RHEL-12589 ipa: Invalid CSRF protection
- Resolves: RHEL-19748 ipa hbac-test did not report that it hit an arbitrary search limit
- Resolves: RHEL-21059 'DogtagCertsConfigCheck' fails, displaying the error message 'Malformed directive: ca.signing.certnickname=caSigningCert cert-pki-ca'
- Resolves: RHEL-21804 ipa client 4.10.2 - Failed to obtain host TGT
- Resolves: RHEL-21809 CA less servers are failing to be added in topology segment for domain suffix
- Resolves: RHEL-21810 ipa-client-install --automount-location does not work
- Resolves: RHEL-21811 Handle change in behavior of pki-server ca-config-show in pki 11.5.0
- Resolves: RHEL-21812 Backport latest test fixes in ipa
- Resolves: RHEL-21813 krb5kdc fails to start when pkinit and otp auth type is enabled in ipa
- Resolves: RHEL-21815 IPA 389ds plugins need to have better logging and tracing
- Resolves: RHEL-21937 Make sure a default NetBIOS name is set if not passed in by ADTrust instance constructor

[4.11.0-4]
- Resolves: RHEL-16985 Handle samba 4.19 changes in samba.security.dom_sid()

[4.11.0-3]
- Resolves: RHEL-14428 healthcheck reports nsslapd-accesslog-logbuffering is set to 'off'

[4.11.0-2]
- Resolves: RHEL-14292 Backport latest test fixes in python3-ipatests
- Resolves: RHEL-15443 Server install: failure to install with externally signed CA because of timezone issue
- Resolves: RHEL-15444 Minimum length parameter in pwpolicy cannot be removed with empty string
- Resolves: RHEL-14842 Upstream xmlrpc tests are failing in RHEL9.4

[4.11.0-1]
- Resolves: RHEL-11652 Rebase ipa to latest 4.11.x version for RHEL 9.4

[4.10.2-4]
- Resolves: rhbz#2231847 RHEL 8.8 & 9.2 fails to create AD trust with STIG applied
- Resolves: rhbz#2232056 Include latest test fixes in python3-ipatests

[4.10.2-3]
- Resolves: rhbz#2229712 Delete operation protection for admin user
- Resolves: rhbz#2227831 Interrupt request processing in ipadb_fill_info3() if connection to 389ds is lost
- Resolves: rhbz#2227784 libipa_otp_lasttoken plugin memory leak
- Resolves: rhbz#2224570 Improved error messages are needed when attempting to add a non-existing idp to a user
- Resolves: rhbz#2230251 Backport latest test fixes to python3-ipatests

[4.10.2-2]
- Resolves: rhbz#2192969 Better handling of the command line and web UI cert search and/or list features
- Resolves: rhbz#2214933 Uninstalling of the IPA server is encountering a failure during the unconfiguration of the CA (Unconfiguring CA)
- Resolves: rhbz#2216114 After updating the RHEL from 8.7 to 8.8, IPA services fail to start
- Resolves: rhbz#2216549 Upgrade to 4.9.10-6.0.1 fails: attributes are managed by topology plugin
- Resolves: rhbz#2216611 Backport latest test fixes in python3-ipatests
- Resolves: rhbz#2216872 User authentication failing on OTP validation using multiple tokens, succeeds with password only

[4.10.2-1]
- Resolves: rhbz#2196426 [Rebase] Rebase ipa to latest 4.10.x release for RHEL 9.3
- Resolves: rhbz#2192969 Better handling of the command line and web UI cert search and/or list features
- Resolves: rhbz#2192625 Better catch of the IPA web UI event 'IPA Error 4301:CertificateOperationError', and IPA httpd error CertificateOperationError
- Resolves: rhbz#2188567 IPA client Kerberos configuration incompatible with java
- Resolves: rhbz#2182683 Tolerate absence of PAC ticket signature depending on domain and servers capabilities [rhel-9]
- Resolves: rhbz#2180914 Sequence processing failures for group_add using server context
- Resolves: rhbz#2165880 Add RBCD support to IPA
- Resolves: rhbz#2160399 get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct

[4.10.1-6]
- Resolves: rhbz#2169632 Backport latest test fixes in python3-ipatests

[4.10.1-5]
- Resolves: rhbz#2162656 Passwordless (GSSAPI) SSH not working for subdomain
- Resolves: rhbz#2166326 Removing the last DNS type for ipa-ca does not work
- Resolves: rhbz#2167473 RFE - Add a warning note about possible performance impact of the Auto Member rebuild task
- Resolves: rhbz#2168244 requestsearchtimelimit=0 doesn't seem to work with ipa-acme-manage pruning command

[4.10.1-4]
- Resolves: rhbz#2161284 'ERROR Could not remove /tmp/tmpbkw6hawo.ipabkp' can be seen prior to 'ipa-client-install' command was successful
- Resolves: rhbz#2164403 ipa-trust-add with --range-type=ipa-ad-trust-posix fails while creating an ID range
- Resolves: rhbz#2162677 RFE: Implement support for PKI certificate and request pruning
- Resolves: rhbz#2167312 Backport latest test fixes in python3-ipatests

[4.10.1-3]
- Rebuild against krb5 1.20.1 ABI
- Resolves: rhbz#2155425

[4.10.1-2]
- Resolves: rhbz#2148887 MemberManager with groups fails
- Resolves: rhbz#2150335 idm:client is missing dependency on krb5-pkinit

[4.10.1-1]
- Resolves: rhbz#2141315 [Rebase] Rebase ipa to latest 4.10.x release for RHEL 9.2
- Resolves: rhbz#2094673 ipa-client-install should just use system wide CA store and do not specify TLS_CACERT in ldap.conf
- Resolves: rhbz#2117167 After leapp upgrade on ipa-client ipa-server package installation failed. (REQ_FULL_WITH_MEMBERS returns object from wrong domain)
- Resolves: rhbz#2127833 Password Policy Grace login limit allows invalid maximum value
- Resolves: rhbz#2143224 [RFE] add certificate support to ipa-client instead of one time password
- Resolves: rhbz#2144736 vault interoperability with older RHEL systems is broken
- Resolves: rhbz#2148258 ipa-client-install does not maintain server affinity during installation
- Resolves: rhbz#2148379 Add warning for empty targetattr when creating ACI with RBAC
- Resolves: rhbz#2148380 OTP token sync always returns OK even with random numbers
- Resolves: rhbz#2148381 Deprecated feature idnssoaserial in IdM appears when creating reverse dns zones
- Resolves: rhbz#2148382 Introduction of URI records for kerberos breaks location functionality

[4.10.0-7]
- Resolves: rhbz#2124547 Attempt to log in as 'root' user with admin's password in Web UI does not properly fail
- Resolves: rhbz#2137555 Attempt to log in as 'root' user with admin's password in Web UI does not properly fail [rhel-9.1.0.z]

[4.10.0-6]
- Resolves: rhbz#2110014 ldap bind occurs when admin user changes password with gracelimit=0
- Resolves: rhbz#2112901 RFE: Allow grace login limit to be set in IPA WebUI
- Resolves: rhbz#2115495 group password policy by default does not allow grace logins
- Resolves: rhbz#2116966 ipa-replica-manage displays traceback: Unexpected error: 'bool' object has no attribute 'lower'

[4.10.0-5]
- Resolves: rhbz#2109645
- Rebuild for samba-4.16.3-101.el9

[4.10.0-4]
- Resolves: rhbz#2109645
- Rebuild for samba-4.16.3-100.el9

[4.10.0-3]
- Resolves: rhbz#2105294 IdM WebUI Pagination Size should not allow empty value

[4.10.0-2]
- Resolves: rhbz#2091988 [RFE] Add code to check password expiration on ldap bind

[4.10.0-1]
- Resolves: rhbz#747959 [RFE] Support random serial numbers in IPA certificates
- Resolves: rhbz#2100227 [UX] Preserving a user account produces output saying it was deleted

[4.9.10-1]
- Resolves: rhbz#2079469 [Rebase] Rebase ipa to latest 4.9.x release
- Resolves: rhbz#2012911 named journalctl logs shows 'zone testrealm.test/IN: serial (serialnumber) write back to LDAP failed.'
- Resolves: rhbz#2069202 [RFE] add support for authenticating against external IdP services using OAUTH2 preauthentication mechanism provided by SSSD
- Resolves: rhbz#2083218 ipa-dnskeysyncd floods /var/log/messages with DEBUG messages
- Resolves: rhbz#2089750 RFE: Improve error message with more detail for ipa-replica-install command
- Resolves: rhbz#2091988 [RFE] Add code to check password expiration on ldap bind
- Resolves: rhbz#2094400 [RFE] ipa-client-install should provide option to enable subid: sss in /etc/nsswitch.conf
- Resolves: rhbz#2096922 secret in ipa-pki-proxy.conf is not changed if new requiredSecret value is present in /etc/pki/pki-tomcat/server.xml


Related CVEs


CVE-2024-1481

Updated Packages


Release/Architecture | Filename | sha256 | Superseded By Advisory | Channel Label
Oracle Linux 9 (aarch64) | ipa-4.11.0-9.0.1.el9_4.src.rpm | 60b8f43e3497d98af859be2337dd57dd345d68dd6130d847fb9dafe03f8ecc4c | - | ol9_aarch64_appstream
 | ipa-4.11.0-9.0.1.el9_4.src.rpm | 60b8f43e3497d98af859be2337dd57dd345d68dd6130d847fb9dafe03f8ecc4c | - | ol9_aarch64_codeready_builder
 | ipa-client-4.11.0-9.0.1.el9_4.aarch64.rpm | 9dd8691749826dff43f7da39e961d2eb7f295d121c96655af19c7e0a6804473e | - | ol9_aarch64_appstream
 | ipa-client-common-4.11.0-9.0.1.el9_4.noarch.rpm | 20c8747933d20457e056c87b78b1fe2adc2332d6327cf0d32dc1a36e00920202 | - | ol9_aarch64_appstream
 | ipa-client-epn-4.11.0-9.0.1.el9_4.aarch64.rpm | 54cb394572e30950f882ca4de006bf12830f5bc1e068649d26e4be0aa7fc2428 | - | ol9_aarch64_appstream
 | ipa-client-samba-4.11.0-9.0.1.el9_4.aarch64.rpm | 1cb034c9d4bb66765faa55bc931e01300804b0d7bdbfcc9e1f52fd6967c7bf83 | - | ol9_aarch64_appstream
 | ipa-common-4.11.0-9.0.1.el9_4.noarch.rpm | dd9dafe4ab98ed316301bdc14f64b3e7c63b8fd5003959da86543cc501a63a46 | - | ol9_aarch64_appstream
 | ipa-selinux-4.11.0-9.0.1.el9_4.noarch.rpm | 4b7d56f20e80b2d4fd70b36f8b87438f6297e05af57cc1db924371753ef2c05c | - | ol9_aarch64_appstream
 | ipa-server-4.11.0-9.0.1.el9_4.aarch64.rpm | ede950168742ccdf8a20bf4625f3e222d1337a26bea12f7d6751c6320d7e5e8d | - | ol9_aarch64_appstream
 | ipa-server-common-4.11.0-9.0.1.el9_4.noarch.rpm | 0513222bed7f0ce4e44cf19524ed5a05fdfdc388dce78eed4ba9e664635fbcfb | - | ol9_aarch64_appstream
 | ipa-server-dns-4.11.0-9.0.1.el9_4.noarch.rpm | 079d6a24808ad743ed9089d7c86221fdb2300ea55e21a438a2c84443b9d3d44e | - | ol9_aarch64_appstream
 | ipa-server-trust-ad-4.11.0-9.0.1.el9_4.aarch64.rpm | 4611f36418a8d4b3be449e8f263207bdf2358a38b7dd44d1ce64bc8f47af302b | - | ol9_aarch64_appstream
 | python3-ipaclient-4.11.0-9.0.1.el9_4.noarch.rpm | 9b95ad22afa9edf945ba601641aad4c812f5edf9b199ef365c7fd37739cd2500 | - | ol9_aarch64_appstream
 | python3-ipalib-4.11.0-9.0.1.el9_4.noarch.rpm | 09a7cbf04f999c3a3828155b12c038cbe4c7e3e53d42e810ee54e3664befbec1 | - | ol9_aarch64_appstream
 | python3-ipaserver-4.11.0-9.0.1.el9_4.noarch.rpm | 798231271f041c78bd3f6382a511d43cc6d1cb78f2014cf1a43ffb3e34aee6c3 | - | ol9_aarch64_appstream
 | python3-ipatests-4.11.0-9.0.1.el9_4.noarch.rpm | b349fba250c798b8c71aa432805884d579d7b21a29699eed204a305cc35c11d3 | - | ol9_aarch64_codeready_builder
Oracle Linux 9 (x86_64) | ipa-4.11.0-9.0.1.el9_4.src.rpm | 60b8f43e3497d98af859be2337dd57dd345d68dd6130d847fb9dafe03f8ecc4c | - | ol9_x86_64_appstream
 | ipa-4.11.0-9.0.1.el9_4.src.rpm | 60b8f43e3497d98af859be2337dd57dd345d68dd6130d847fb9dafe03f8ecc4c | - | ol9_x86_64_codeready_builder
 | ipa-client-4.11.0-9.0.1.el9_4.x86_64.rpm | 297510620041e4a42cdba8b1b266f346ef4bb2909ea7478addecd0ffd327900a | - | ol9_x86_64_appstream
 | ipa-client-common-4.11.0-9.0.1.el9_4.noarch.rpm | 20c8747933d20457e056c87b78b1fe2adc2332d6327cf0d32dc1a36e00920202 | - | ol9_x86_64_appstream
 | ipa-client-epn-4.11.0-9.0.1.el9_4.x86_64.rpm | 141da11d90224f90e6c6b065270290ce359e7ac9f0c9667f361db772ee061441 | - | ol9_x86_64_appstream
 | ipa-client-samba-4.11.0-9.0.1.el9_4.x86_64.rpm | 7b83909820ad5609d8d9cafc1af1c4b2c53bf82ba714cee1438cd37efc8c7724 | - | ol9_x86_64_appstream
 | ipa-common-4.11.0-9.0.1.el9_4.noarch.rpm | dd9dafe4ab98ed316301bdc14f64b3e7c63b8fd5003959da86543cc501a63a46 | - | ol9_x86_64_appstream
 | ipa-selinux-4.11.0-9.0.1.el9_4.noarch.rpm | 4b7d56f20e80b2d4fd70b36f8b87438f6297e05af57cc1db924371753ef2c05c | - | ol9_x86_64_appstream
 | ipa-server-4.11.0-9.0.1.el9_4.x86_64.rpm | c93bd13b41888d75401526a73cfb9fc936cd26ff70995c4b5e22131de125e552 | - | ol9_x86_64_appstream
 | ipa-server-common-4.11.0-9.0.1.el9_4.noarch.rpm | 0513222bed7f0ce4e44cf19524ed5a05fdfdc388dce78eed4ba9e664635fbcfb | - | ol9_x86_64_appstream
 | ipa-server-dns-4.11.0-9.0.1.el9_4.noarch.rpm | 079d6a24808ad743ed9089d7c86221fdb2300ea55e21a438a2c84443b9d3d44e | - | ol9_x86_64_appstream
 | ipa-server-trust-ad-4.11.0-9.0.1.el9_4.x86_64.rpm | ca5b5c6b9347b0b464de9d27d9cecdf5be7b837394d77a9f40f7912fb3c71af1 | - | ol9_x86_64_appstream
 | python3-ipaclient-4.11.0-9.0.1.el9_4.noarch.rpm | 9b95ad22afa9edf945ba601641aad4c812f5edf9b199ef365c7fd37739cd2500 | - | ol9_x86_64_appstream
 | python3-ipalib-4.11.0-9.0.1.el9_4.noarch.rpm | 09a7cbf04f999c3a3828155b12c038cbe4c7e3e53d42e810ee54e3664befbec1 | - | ol9_x86_64_appstream
 | python3-ipaserver-4.11.0-9.0.1.el9_4.noarch.rpm | 798231271f041c78bd3f6382a511d43cc6d1cb78f2014cf1a43ffb3e34aee6c3 | - | ol9_x86_64_appstream
 | python3-ipatests-4.11.0-9.0.1.el9_4.noarch.rpm | b349fba250c798b8c71aa432805884d579d7b21a29699eed204a305cc35c11d3 | - | ol9_x86_64_codeready_builder



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team