The FreeIPA team would like to announce FreeIPA v4.1.4 security release!
- 1 Highlights in 4.1.4
- 2 Upgrading
- 3 Feedback
- 4 Detailed Changelog since 4.1.3
- 4.1 Alexander Bokovoy (2)
- 4.2 David Kupka (2)
- 4.3 Gabe Alford (3)
- 4.4 Jan Cholasta (4)
- 4.5 Martin Babinsky (3)
- 4.6 Martin Bašti (7)
- 4.7 Martin Košek (1)
- 4.8 Nathan Kinder (1)
- 4.9 Petr Voborník (2)
- 4.10 Petr Špaček (3)
- 4.11 Simo Sorce (2)
- 4.12 Sumit Bose (7)
- 4.13 Tomáš Babej (3)
- 4.14 Thierry Bordaz (1)
Highlights in 4.1.4
- CVE-2015-1827 It was discovered that the IPA extdom Directory Server plug-in did not correctly perform memory reallocation when handling user account information. A request for a list of groups for a user that belongs to a large number of groups would cause a Directory Server to crash.
- CVE-2015-0283 Additionally, FreeIPA 4.1.4 requires use of slapi-nis 0.54.2 which includes number of fixes for the CVE-2015-0283:
It was discovered that the slapi-nis Directory Server plug-in did not correctly perform memory reallocation when handling user account information. A request for information about a group with many members, or a request for a user that belongs to a large number of groups, would cause a Directory Server to enter an infinite loop and consume an excessive amount of CPU time.
These issues were discovered by Sumit Bose of Red Hat.
- Various documentation improvements by Gabe Alford
- Various fixes to DNSSEC support and overall DNS deployment scripts
- Improvements in handling CA certificates from previous deployments when installing FreeIPA clients
- Licensing of FreeIPA is clarified with regards to OpenSSL integration
- More robust configuration of slapi-nis plugin to prevent potential dead-locks with other operations requiring lower-level database access.
Upgrade instructions are available on Upgrade page.
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.
Detailed Changelog since 4.1.3
Alexander Bokovoy (2)
- fix Makefile.am for daemons
- slapi-nis: require 0.54.2 for CVE-2015-0283 fixes
David Kupka (2)
- Use IPA CA certificate when available and ignore NO_TLS_LDAP when not.
- Restore default.conf and use it to build API.
Gabe Alford (3)
- ipa-replica-prepare should document ipv6 options
- ipatests: Add tests for valid and invalid ipa-advise
- ipa-replica-prepare can only be created on the first master
Jan Cholasta (4)
- certstore: Make certificate retrieval more robust
- client-install: Do not crash on invalid CA certificate in LDAP
- client: Fix ca_is_enabled calls
- upload_cacrt: Fix empty cACertificate in cn=CAcert
Martin Babinsky (3)
- ipa-dns-install: use STARTTLS to connect to DS
- migrate-ds: print out failed attempts when no users/groups are migrated
- show the exception message thrown by dogtag._parse_ca_status during install
Martin Bašti (7)
- DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism
- Fix memory leaks in ipap11helper
- Remove unused method from ipap11pkcs helper module
- DNS fix: do not traceback if unsupported records are in LDAP
- DNS fix: do not show part options for unsupported records
- DNS: remove NSEC3PARAM from records
- Fix dead code in ipap11helper module
Martin Košek (1)
- Remove references to GPL v2.0 license
Nathan Kinder (1)
- Timeout when performing time sync during client install
Petr Voborník (2)
- ipatests: add missing ssh object classes to idoverrideuser
- Become IPA 4.1.4
Petr Špaček (3)
- p11helper: standardize indentation and other visual aspects of the code
- p11helper: use sizeof() instead of magic constants
- p11helper: clarify error message
Simo Sorce (2)
- Add a clear OpenSSL exception.
- Stop including the DES algorythm from openssl.
Sumit Bose (7)
- ipa-range-check: do not treat missing objects as error
- Add configure check for cwrap libraries
- extdom: handle ERANGE return code for getXXYYY_r() calls
- extdom: make nss buffer configurable
- extdom: return LDAP_NO_SUCH_OBJECT to the client
- extdom: fix memory leak
- extdom: fix wrong realloc size
Tomáš Babej (3)
- ipatests: Add coverage for adding and removing sshpubkeys in ID overrides
- ipalib: Make sure correct attribute name is referenced for fax
- idviews: Use case-insensitive detection of Default Trust View
Thierry Bordaz (1)
- Limit deadlocks between DS plugin DNA and slapi-nis