Ctrl+K

Highlights in 4.2.2

The FreeIPA team would like to announce FreeIPA v4.2.2 security release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are available for Fedora 23 and rawhide. Builds for Fedora 22 are available in the official COPR repository.

Highlights in 4.2.2#

FreeIPA 4.2.0 introduced Key Archival Agent (KRA) support. This release fixes CVE-2015-5284. The CVE affects IPA servers where ipa-kra-install was run. Read manual instructions if your system was affected.

Bug fixes#

  • CVE-2015-5284: ipa-kra-install included certificate and private key in world readable file.

  • Firefox configuration steps were adjusted to new extension signing policy.

  • ipa-restore does not overwrite files with local users/groups

  • ipa-restore now works with KRA installed

  • Fixed an integer underflow bug in libotp which prevented from syncing TOTP tokens under certain circumstances.

  • winsync-migrate properly handles collisions in the names of external group

  • Fixed regression where installation of CA failed on CA-less server #5288.

  • Vault operations now works on a replica without KRA installed (assuming that at least one replica has KRA installed). #5302

Enhancements#

  • Improved performance of search in Web UI’s dialog for adding e.g. users to e.g. sudo rules.

  • Modified vault access control and added commands for managing vault containers. #5250

  • Added support for generating client referrals for trusted domain principals. Note that bug https://bugzilla.redhat.com/show_bug.cgi?id=1259844 has to be fixed in MIT Kerberos packages to allow client referrals from FreeIPA KDC to be processed.

Upgrading#

Upgrade instructions are available on Upgrade page.

Feedback#

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

Detailed Changelog since 4.2.1#

Abhijeet Kasurde (1)#

  • Updated number of legacy permission in ipatests

Alexander Bokovoy (1)#

  • client referral support for trusted domain principals

Christian Heimes (1)#

  • Handle timeout error in ipa-httpd-kdcproxy

Gabe Alford (4)#

  • Add Chromium configuration note to ssbrowser

  • Standardize minvalue for ipasearchrecordlimit and ipasesarchsizelimit for unlimited minvalue

  • dnssec option missing in ipa-dns-install man page

  • Update FreeIPA package description

Jan Cholasta (16)#

  • config: allow user/host attributes with tagging options

  • baseldap: make subtree deletion optional in LDAPDelete

  • vault: set owner to current user on container creation

  • vault: update access control

  • vault: add permissions and administrator privilege

  • install: support KRA update

  • install: Support overriding knobs in subclasses

  • install: Add common base class for server and replica install

  • install: Move unattended option to the general help section

  • install: create kdcproxy user during server install

  • platform: add option to create home directory when adding user

  • install: fix kdcproxy user home directory

  • install: fix ipa-server-install fail on missing –forwarder

  • install: fix KRA agent PEM file permissions

  • install: always export KRA agent PEM file

  • vault: select a server with KRA for vault operations

Martin Babinsky (5)#

  • load RA backend plugins during standalone CA install on CA-less IPA master

  • destroy httpd ccache after stopping the service

  • ipa-server-install: mark master_password Knob as deprecated

  • re-kinit after ipa-restore in backup/restore CI tests

  • do not overwrite files with local users/groups when restoring authconfig

Martin Bašti (11)#

  • FIX vault tests

  • Server Upgrade: backup CS.cfg when dogtag is turned off

  • IPA Restore: allows to specify files that should be removed

  • DNSSEC: improve CI test

  • DNSSEC CI: test master migration

  • backup CI: test DNS/DNSSEC after backup and restore

  • Limit max age of replication changelog

  • Server Upgrade: addifnew should not create entry

  • CI: backup and restore with KRA

  • Replica inst. fix: do not require -r, -a, -p options in unattended mode

  • Fix import get_reverse_zone_default in tasks

Milan Kubík (4)#

  • ipatests: Add Certprofile tracker class implementation

  • ipatests: Add basic tests for certificate profile plugin

  • ipatests: configure Network Manager not to manage resolv.conf

  • Include ipatests/test_xmlrpc/data directory into distribution.

Nathaniel McCallum (1)#

  • Fix an integer underflow bug in libotp

Oleg Fayans (1)#

  • Added a proper workaround for dnssec test failures in Beaker environment

Petr Voborník (4)#

  • vault: add vault container commands

  • webui: use manual Firefox configuration for Firefox >= 40

  • webui: improve performance of search in association dialog

  • Become IPA 4.2.2

Petr Špaček (1)#

  • Avoid ipa-dnskeysync-replica & ipa-ods-exporter crashes caused by exceeding LDAP limits

Timo Aaltonen (2)#

  • paths: Add GENERATE_RNDC_KEY.

  • httpinstance: Replace a hardcoded path to password.conf with HTTPD_PASSWORD_CONF

Tomáš Babej (4)#

  • winsync: Add inetUser objectclass to the passsync sysaccount

  • ipa-backup: Add mechanism to store empty directory structure

  • winsync-migrate: Convert entity names to posix friendly strings

  • winsync-migrate: Properly handle collisions in the names of external groups

Contents