Releases/4.3.3

Release date: 2017-03-23

The FreeIPA team would like to announce the FreeIPA 4.3.3 release!

It can be downloaded from http://www.freeipa.org/page/Downloads.

Please note that this is the last upstream release of the FreeIPA 4.3.x branch.

Highlights in 4.3.3

Enhancements

Known Issues

Bug fixes

FreeIPA 4.3.3 is a stabilization release for the features delivered as part of 4.3.0. There are more than 20 bug fixes, details of which can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bug reports and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa channel on Freenode.


Resolved tickets

  • #6774 FreeIPA client <= 4.4 fail to parse 4.5 cookies
  • #6561 CVE-2016-7030 freeipa: ipa: DoS attack against kerberized services by abusing password policy
  • #6560 CVE-2016-9575 freeipa: ipa: Insufficient permission check in certprofile-mod
  • #6485 Document make_delete_command method in UserTracker
  • #6378 Tests: Fix failing sudo test
  • #6317 backport #6213 Incorrect test for DNSForwardPolicyConflictWithEmptyZone warning in test_xmlrpc/test_dns_plugin
  • #6316 backport #6199 Received ACIError instead of DuplicatedError in stageuser_tests
  • #6311 Fix or remove the `LDAPUpdate.update_from_dict` method
  • #6287 Refer to nodes in TestWrongClientDomain replica promotion tests as replicas
  • #6284 Tests: avoid skipping tests because of missing files when running as outoftree
  • #6278 Use OAEP padding with custodia (to avoid CVE-2016-6298)
  • #6262 Fix integration sudo tests setup and checks
  • #6254 kinit_admin raises an exception if server uninstallation is called from test teardown with server not installed
  • #6244 build: add python-libsss_nss_idmap and python-sss to BuildRequires
  • #6205 The ipa-server-upgrade command failed when named-pkcs11 does not happen to run during dnf upgrade
  • #6177 ca-less test are broken - invalid usage of ipautil.run
  • #6167 Incorrect domainlevel info in tests
  • #6166 Subsequent external CA installation fails
  • #6147 Failing automember tests due to manager output normalization
  • #6134 Command "ipa-replica-prepare" not allowed to create line replication topology
  • #6120 ipa-adtrust-install: when running with --netbios-name="", the NetBIOS name is changed without notification
  • #6076 Multiple domain Active Directory Trust conflict
  • #6056 custodia.conf and server.keys file is world-readable.
  • #6016 ipa-ca-install on replica tries to connect to master:8443
  • #5696 Add conflicts with bind-chroot to spec.

Detailed changelog since 4.3.2

Alexander Bokovoy (5)

  • ipa-kdb: search for password policies globally commit #6561
  • ipa-kdb: simplify trusted domain parent search commit #5738
  • trust: make sure ID range is created for the child domain even if it exists commit #5738
  • trust: automatically resolve DNS trust conflicts for triangle trusts commit #6076
  • ipaserver/dcerpc: reformat to make the code closer to pep8 commit #6076

Christian Heimes (3)

  • Use RSA-OAEP instead of RSA PKCS#1 v1.5 commit #6278
  • Secure permissions of Custodia server.keys commit #6056
  • RedHatCAService should wait for local Dogtag instance commit #6016

David Kupka (1)

  • password policy: Add explicit default password policy for hosts and services commit #6561

Fraser Tweedale (2)

  • certprofile-mod: correctly authorise config update commit #6560
  • cert-revoke: fix permission check bypass (CVE-2016-5404) commit #6232

Ganna Kaihorodova (1)

  • Fix for integration tests replication layouts commit

Jan Cholasta (2)

  • Revert "spec: add conflict with bind-chroot to freeipa-server-dns" commit #5696
  • install: fix external CA cert validation commit #6166

Lenka Doudova (7)

  • Document make_delete_command method in UserTracker commit #6485
  • Tests: Fix integration sudo test commit #6378
  • Tests: Fix integration sudo tests setup and checks commit #6262
  • Tests: Avoid skipping tests due to missing files commit #6284
  • Raise error when running ipa-adtrust-install with empty netbios--name commit #6120
  • Tests: Fix failing automember tests commit #6147
  • Tests: Remove DNS configuration from trust tests commit

Martin Babinsky (1)

  • add python-libsss_nss_idmap and python-sss to BuildRequires commit #6244

Martin Basti (5)

  • Become IPA 4.3.3 commit
  • Update Contributors.txt commit
  • Raise DuplicatedEnrty error when user exists in delete_container commit #6199, #6316
  • Catch DNS exceptions during emptyzones named.conf upgrade commit #6205
  • Start named during configuration upgrade. commit #6205

Oleg Fayans (3)

  • Changed addressing to the client hosts to be replicas commit #6287
  • Disabled raiseonerr in kinit call during topology level check commit #6254
  • Fixed incorrect domainlevel determination in tests commit #6167

Peter Lacko (1)

Petr Spacek (3)

  • Tests: fix test_forward_zones in test_xmlrpc/test_dns_plugin commit #6213, #6317
  • DNS server upgrade: do not fail when DNS server did not respond commit #6205
  • Fix ipa-replica-prepare's error message about missing local CA instance commit #6134

Petr Vobornik (1)

  • ca-less tests: fix getting cert in pem format from nssdb commit #6177

Stanislav Laznicka (3)

Tomas Krizek (1)

  • Keep NSS trust flags of existing certificates commit #5791