FreeIPA 4.6.10

The FreeIPA team would like to announce the FreeIPA 4.6.10 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.6.10

  • CVE-2023-5455

During community penetration testing it was found that, for certain HTTP end-points, FreeIPA does not ensure CSRF protection. Due to implementation details, one cannot use this flaw to reflect a cookie representing an already logged-in user. An attacker would always have to go through a new authentication attempt.

The overall severity of this issue is marked as MODERATE by Red Hat Product Security. The FreeIPA team would like to thank Egor Uvarov for discovering and reporting this issue.
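The fix listed in the changelog checks the HTTP Referer header on all requests. The following is an added illustration of that class of check, not FreeIPA's own code: it rejects any request whose Referer is missing, not HTTPS, or does not name the server itself, which is what defeats a cross-site auto-submitted form, since a foreign page cannot forge a Referer pointing at the server. The server host name and the sample request headers are constructed for the example.

```python
"""Referer-based CSRF check (added example, not FreeIPA's implementation).

A request that changes state is refused unless its Referer header names this
server over HTTPS.  A page on another origin cannot make the browser send a
Referer for this server, so such requests fail the check.
"""
from urllib.parse import urlsplit

# Hypothetical host name the server believes it is serving (constructed).
SERVER_HOST = "ipa.example.test"


def referer_allowed(headers, server_host=SERVER_HOST, allowed_schemes=("https",)):
    """Return True only when the Referer header names this server.

    headers: mapping of header names to values; names are matched
    case-insensitively.  Missing, malformed, non-HTTPS, look-alike and
    userinfo-prefixed ("https://host@attacker/") Referers are all rejected,
    because urlsplit().hostname yields the real host in every case.
    """
    normalized = {name.lower(): value for name, value in headers.items()}
    referer = normalized.get("referer")
    if not referer:
        return False
    try:
        parts = urlsplit(referer)
    except ValueError:          # e.g. an unbalanced IPv6 literal
        return False
    if parts.scheme not in allowed_schemes:
        return False
    # hostname is lower-cased and has port and userinfo stripped
    return parts.hostname is not None and parts.hostname == server_host.lower()


def check_request(headers, server_host=SERVER_HOST):
    """Decide, before dispatching to an endpoint, whether to serve the request.

    Returns (status, reason) like a front controller would.
    """
    if not referer_allowed(headers, server_host):
        return 403, "Referer header missing or does not match this server"
    return 200, "ok"


# Constructed sample requests covering the cases the check must get right.
SAMPLE_REQUESTS = {
    "same-origin":    {"Referer": "https://ipa.example.test/ipa/ui/"},
    "port-and-case":  {"REFERER": "https://IPA.EXAMPLE.TEST:443/ipa/session/json"},
    "missing":        {},
    "cross-site":     {"Referer": "https://attacker.example/csrf.html"},
    "lookalike-host": {"Referer": "https://ipa.example.test.attacker.example/"},
    "userinfo-trick": {"Referer": "https://ipa.example.test@attacker.example/"},
    "plain-http":     {"Referer": "http://ipa.example.test/ipa/ui/"},
    "garbage":        {"Referer": "not a url"},
}

if __name__ == "__main__":
    for label, headers in SAMPLE_REQUESTS.items():
        status, reason = check_request(headers)
        print(f"{label:15s} -> {status} {reason}")
```

Two points a practitioner should keep in mind about this design: browsers and privacy extensions can strip the Referer, so a strict check refuses those clients rather than letting them through, and any non-browser API client must send a Referer naming the server to pass. It is therefore a complement to, not a replacement for, per-session anti-CSRF tokens.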

Bug fixes

FreeIPA 4.6.10 is a security fix release.

Details of the bug fixes can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bug reports and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on libera.chat.

Resolved tickets

Detailed changelog since 4.6.9

Antonio Torres (1)

Florence Blanc-Renaud (2)

  • Integration tests for verifying Referer header in the UI commit

  • Check the HTTP Referer header on all requests commit