The FreeIPA team is proud to announce version FreeIPA v3.1.2

This release contains Security Updates

It can be downloaded from


During the past few months a number of security Issues have been found that affect FreeIPA.

Three Security Advisories have been released:

The FreeIPA Team would like to thank the Red Hat Security Response Team and in particular Vincent Danen for the invaluable assistance provided for the assessment and resolution of these issues. For CVE-2012-5484 we would like to thank Petr Menšík for reporting the issue.


Please consult each CVE announcement for related Upgrading instructions.

An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance.

Please note, that the referential integrity extension requires an extended set of indexes to be configured. RPM update for an IPA server with a excessive number of hosts, SUDO or HBAC entries may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 is supported. Upgrading from previous versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded, you will have to re-enroll the client or manually upload the keys. Feedback

Please provide comments, bugs and other feedback via the freeipa-devel mailing list:

Detailed Changelog since 3.1.1#

Alexander Bokovoy (1):

  • Update plugin to upload CA certificate to LDAP

Ana Krivokapic (1):

  • Raise ValidationError for incorrect subtree option.

John Dennis (1):

  • Use secure method to acquire IPA CA certificate

Martin Kosek (5):

  • permission-find no longer crashes with –targetgroup

  • Avoid CRL migration error message

  • Sort LDAP updates properly

  • Upgrade process should not crash on named restart

  • Installer should not connect to

Rob Crittenden (5):

  • Convert uniqueMember members into DN objects.

  • Do SSL CA verification and hostname validation.

  • Don’t initialize NSS if we don’t have to, clean up unused cert refs

  • Update anonymous access ACI to protect secret attributes.

  • Become IPA 3.1.2

Simo Sorce (1):

  • Upload CA cert in the directory on install