The FreeIPA team would like to announce the FreeIPA 4.3.3 release!

It can be downloaded from http://www.freeipa.org/page/Downloads.

Please note that this is the last upstream release of the FreeIPA 4.3.x branch.

Highlights in 4.3.3

Enhancements

Known Issues

Bug fixes

FreeIPA 4.3.3 is a stabilization release for the features delivered as a part of 4.3.0. There are more than 20 bug fixes, details of which can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa channel on Freenode.

Resolved tickets

  • #6774 FreeIPA client <= 4.4 fail to parse 4.5 cookies

  • #6561 CVE-2016-7030 freeipa: ipa: DoS attack against kerberized services by abusing password policy

  • #6560 CVE-2016-9575 freeipa: ipa: Insufficient permission check in certprofile-mod

  • #6485 Document make_delete_command method in UserTracker

  • #6378 Tests: Fix failing sudo test

  • #6317 backport #6213 Incorrect test for DNSForwardPolicyConflictWithEmptyZone warning in test_xmlrpc/test_dns_plugin

  • #6316 backport #6199 Received ACIError instead of DuplicatedError in stageuser_tests

  • #6311 Fix or remove the `LDAPUpdate.update_from_dict` method

  • #6287 Refer to nodes in TestWrongClientDomain replica promotion tests as replicas

  • #6284 Tests: avoid skipping tests because of missing files when running as outoftree

  • #6278 Use OAEP padding with custodia (to avoid CVE-2016-6298)

  • #6262 Fix integration sudo tests setup and checks

  • #6254 kinit_admin raises an exception if server uninstallation is called from test teardown with server not installed

  • #6244 build: add python-libsss_nss_idmap and python-sss to BuildRequires

  • #6205 The ipa-server-upgrade command failed when named-pkcs11 does not happen to run during dnf upgrade

  • #6177 ca-less test are broken - invalid usage of ipautil.run

  • #6167 Incorrect domainlevel info in tests

  • #6166 Subsequent external CA installation fails

  • #6147 Failing automember tests due to manager output normalization

  • #6134 Command “ipa-replica-prepare” not allowed to create line replication topology

  • #6120 ipa-adtrust-install: when running with --netbios-name="", the NetBIOS name is changed without notification

  • #6076 Multiple domain Active Directory Trust conflict

  • #6056 custodia.conf and server.keys file is world-readable.

  • #6016 ipa-ca-install on replica tries to connect to master:8443

  • #5696 Add conflicts with bind-chroot to spec.

Detailed changelog since 4.3.2

Alexander Bokovoy (5)

  • ipa-kdb: search for password policies globally commit #6561

  • ipa-kdb: simplify trusted domain parent search commit #5738

  • trust: make sure ID range is created for the child domain even if it exists commit #5738

  • trust: automatically resolve DNS trust conflicts for triangle trusts commit #6076

  • ipaserver/dcerpc: reformat to make the code closer to pep8 commit #6076

Christian Heimes (3)

  • Use RSA-OAEP instead of RSA PKCS#1 v1.5 commit #6278

  • Secure permissions of Custodia server.keys commit #6056

  • RedHatCAService should wait for local Dogtag instance commit #6016

David Kupka (1)

  • password policy: Add explicit default password policy for hosts and services commit #6561

Fraser Tweedale (2)

  • certprofile-mod: correctly authorise config update commit #6560

  • cert-revoke: fix permission check bypass (CVE-2016-5404) commit #6232

Ganna Kaihorodova (1)

  • Fix for integration tests replication layouts commit

Jan Cholasta (2)

  • Revert “spec: add conflict with bind-chroot to freeipa-server-dns” commit #5696

  • install: fix external CA cert validation commit #6166

Lenka Doudova (7)

  • Document make_delete_command method in UserTracker commit #6485

  • Tests: Fix integration sudo test commit #6378

  • Tests: Fix integration sudo tests setup and checks commit #6262

  • Tests: Avoid skipping tests due to missing files commit #6284

  • Raise error when running ipa-adtrust-install with empty netbios–name commit #6120

  • Tests: Fix failing automember tests commit #6147

  • Tests: Remove DNS configuration from trust tests commit

Martin Babinsky (1)

  • add python-libsss_nss_idmap and python-sss to BuildRequires commit #6244

Martin Basti (5)

  • Become IPA 4.3.3 commit

  • Update Contributors.txt commit

  • Raise DuplicatedEntry error when user exists in delete_container commit #6199, #6316

  • Catch DNS exceptions during emptyzones named.conf upgrade commit #6205

  • Start named during configuration upgrade. commit #6205

Oleg Fayans (3)

  • Changed addressing to the client hosts to be replicas commit #6287

  • Disabled raiseonerr in kinit call during topology level check commit #6254

  • Fixed incorrect domainlevel determination in tests commit #6167

Peter Lacko (1)

Petr Spacek (3)

  • Tests: fix test_forward_zones in test_xmlrpc/test_dns_plugin commit #6213, #6317

  • DNS server upgrade: do not fail when DNS server did not respond commit #6205

  • Fix ipa-replica-prepare’s error message about missing local CA instance commit #6134

Petr Vobornik (1)

  • ca-less tests: fix getting cert in pem format from nssdb commit #6177

Stanislav Laznicka (3)

Tomas Krizek (1)

  • Keep NSS trust flags of existing certificates commit #5791