The FreeIPA team would like to announce the FreeIPA v4.1.4 security release!

It can be downloaded from The builds will be available for Fedora 21. Builds for Fedora 20 are available in the official COPR repository.

Highlights in 4.1.4

Security fixes

  • CVE-2015-1827 It was discovered that the IPA extdom Directory Server plug-in did not correctly perform memory reallocation when handling user account information. A request for a list of groups for a user that belongs to a large number of groups would cause a Directory Server to crash.

  • CVE-2015-0283 Additionally, FreeIPA 4.1.4 requires slapi-nis 0.54.2, which includes a number of fixes for CVE-2015-0283:

It was discovered that the slapi-nis Directory Server plug-in did not correctly perform memory reallocation when handling user account information. A request for information about a group with many members, or a request for a user that belongs to a large number of groups, would cause a Directory Server to enter an infinite loop and consume an excessive amount of CPU time.

These issues were discovered by Sumit Bose of Red Hat.


  • Various documentation improvements by Gabe Alford

Bug fixes

  • Various fixes to DNSSEC support and overall DNS deployment scripts

  • Improvements in handling CA certificates from previous deployments when installing FreeIPA clients

  • Licensing of FreeIPA is clarified with regards to OpenSSL integration

  • More robust configuration of the slapi-nis plugin to prevent potential deadlocks with other operations requiring lower-level database access.


Upgrade instructions are available on the Upgrade page.


Please provide comments, bugs and other feedback via the freeipa-users mailing list or the #freeipa channel on Freenode.

Detailed Changelog since 4.1.3

Alexander Bokovoy (2)

  • fix for daemons

  • slapi-nis: require 0.54.2 for CVE-2015-0283 fixes

David Kupka (2)

  • Use IPA CA certificate when available and ignore NO_TLS_LDAP when not.

  • Restore default.conf and use it to build API.

Gabe Alford (3)

  • ipa-replica-prepare should document ipv6 options

  • ipatests: Add tests for valid and invalid ipa-advise

  • ipa-replica-prepare can only be created on the first master

Jan Cholasta (4)

  • certstore: Make certificate retrieval more robust

  • client-install: Do not crash on invalid CA certificate in LDAP

  • client: Fix ca_is_enabled calls

  • upload_cacrt: Fix empty cACertificate in cn=CAcert

Martin Babinsky (3)

  • ipa-dns-install: use STARTTLS to connect to DS

  • migrate-ds: print out failed attempts when no users/groups are migrated

  • show the exception message thrown by dogtag._parse_ca_status during install

Martin Bašti (7)

  • DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism

  • Fix memory leaks in ipap11helper

  • Remove unused method from ipap11pkcs helper module

  • DNS fix: do not traceback if unsupported records are in LDAP

  • DNS fix: do not show part options for unsupported records

  • DNS: remove NSEC3PARAM from records

  • Fix dead code in ipap11helper module

Martin Košek (1)

  • Remove references to GPL v2.0 license

Nathan Kinder (1)

  • Timeout when performing time sync during client install

Petr Voborník (2)

  • ipatests: add missing ssh object classes to idoverrideuser

  • Become IPA 4.1.4

Petr Špaček (3)

  • p11helper: standardize indentation and other visual aspects of the code

  • p11helper: use sizeof() instead of magic constants

  • p11helper: clarify error message

Simo Sorce (2)

  • Add a clear OpenSSL exception.

  • Stop including the DES algorithm from openssl.

Sumit Bose (7)

  • ipa-range-check: do not treat missing objects as error

  • Add configure check for cwrap libraries

  • extdom: handle ERANGE return code for getXXYYY_r() calls

  • extdom: make nss buffer configurable

  • extdom: return LDAP_NO_SUCH_OBJECT to the client

  • extdom: fix memory leak

  • extdom: fix wrong realloc size

Tomáš Babej (3)

  • ipatests: Add coverage for adding and removing sshpubkeys in ID overrides

  • ipalib: Make sure correct attribute name is referenced for fax

  • idviews: Use case-insensitive detection of Default Trust View

Thierry Bordaz (1)

  • Limit deadlocks between DS plugin DNA and slapi-nis