IPAv2_214
The FreeIPA team is proud to announce version 2.1.4.
It can be downloaded from http://www.freeipa.org/Downloads and is currently in the Fedora 15 and 16 updates-testing repositories and in rawhide.
Highlights in 2.1.4
This is a security release.
Specifically, it addresses CVE-2011-3636, a Cross-Site Request Forgery (CSRF) flaw in FreeIPA caused by the server not checking the HTTP Referer header (the header is not set by the CLI utilities). If a remote attacker could trick a user who was logged into the FreeIPA management interface into visiting a specially crafted URL, the attacker could perform FreeIPA configuration changes with the privileges of the logged-in user.
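As an added example (not FreeIPA's own code) of the kind of server-side check the fix for CVE-2011-3636 introduced, the function below refuses a request whose Referer header is missing or does not point at the server's own origin. The host name ipa.example.test and the WSGI-style environ dictionary are assumptions made for the example.

```python
"""Referer-based CSRF check modelled on the 2.1.4 fix (added example)."""
from urllib.parse import urlsplit

# Assumed server name; a real deployment would use the configured IPA host.
ALLOWED_HOSTS = {"ipa.example.test"}


def referer_allowed(environ, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if the request carries an https Referer whose host
    is exactly one of the server's own names.

    environ follows the WSGI convention: request headers appear as
    HTTP_<NAME>, so the Referer header is environ["HTTP_REFERER"].
    """
    referer = environ.get("HTTP_REFERER")
    if not referer:
        # A missing header must be refused rather than silently allowed:
        # this is the case the original server code did not check.
        return False
    parts = urlsplit(referer)
    if parts.scheme != "https":
        return False
    # urlsplit().hostname drops any port and lowercases the name, so the
    # comparison is an exact host match, not a prefix or substring match.
    return parts.hostname in allowed_hosts


def check_request(environ):
    """Simulate the server's decision as a (status, message) tuple."""
    if referer_allowed(environ):
        return (200, "ok")
    return (403, "Missing or invalid HTTP Referer header")


# Constructed sample requests used for the checks below.
SAME_ORIGIN = {"HTTP_REFERER": "https://ipa.example.test/ipa/ui/"}
CROSS_SITE = {"HTTP_REFERER": "https://other-site.example/page.html"}
NO_REFERER = {}
```

The check also rejects look-alike hosts such as ipa.example.test.other-site.example because the host name is compared as a whole, not as a prefix.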
Some bugs have been addressed too; the highlights are:
Certificates in the UI are now displayed in PEM format
systemd support in Fedora 16
Change the way the Kerberos random salt is calculated to improve interoperability with Windows
Fix NIS netgroups: users and groups were not appearing
Better handling of Kerberos realm to domain mapping
Upgrading
Server
To upgrade a 2.0.0, 2.0.1 or 2.1.0 server do the following:
# yum update freeipa-server --enablerepo=updates-testing
This will pull in updated FreeIPA, 389-ds, dogtag, libcurl and xmlrpc-c packages (and perhaps some others). A script will be executed in the rpm postinstall phase to update the IPA LDAP server with any required changes.
There is a bug reported against 389-ds, https://bugzilla.redhat.com/show_bug.cgi?id=730387, related to read-write locks. The NSPR RW lock implementation does not safely allow re-entrant use of reader locks. This is a timing issue, so it is difficult to predict. During testing one user experienced this and the upgrade hung. To break the hang, kill the ns-slapd process for your realm, wait for the yum transaction to complete, then restart 389-ds and manually run the update process:
# service dirsrv start
# ipa-ldap-updater --update
Client
The ipa-client-install tool in the ipa-client package is just a configuration tool. There should be no need to re-run this on every client already enrolled.
Detailed Changelog for 2.1.3
Alexander Bokovoy (4):
hbactest fails while you have svcgroup in hbacrule
Add support for systemd environments and use it to support Fedora 16
Spin for connection success also when socket is not (yet) available
Quote multiple workers option
Endi S. Dewata (1):
Added current password field.
Evgeny Sinelnikov (1):
ipa_kpasswd: Update selinux policies for ldap and urandom
John Dennis (1):
Unable to Download Certificate with Browser
Martin Kosek (8):
Fix client krb5 domain mapping and DNS
Fix ipa-managed-entries password option long form
Fix ipa-server-install answer cache
Fix ipa-replica-conncheck port labels
Fix ipa-managed-entries bind procedure
Let PublicError accept Gettext objects
Enable automember for upgraded servers
Make ipa-server-install clean after itself
Ondrej Hamada (1):
Client install root privileges check
Rob Crittenden (4):
Fix problems in help system
Fix nis netgroup config entry so users appear in netgroup triple.
Don’t allow default objectclass list to be empty.
Require an HTTP Referer header in the server. Send one in ipa tools. (CVE-2011-3636)
Simo Sorce (1):
Modify random salt creation for interoperability