The FreeIPA team would like to announce FreeIPA v4.2.2 security release!
Highlights in 4.2.2#
FreeIPA 4.2.0 introduced Key Archival Agent (KRA) support. This release fixes CVE-2015-5284. The CVE affects IPA servers where ipa-kra-install was run. Read manual instructions if your system was affected.
CVE-2015-5284: ipa-kra-install included certificate and private key in world readable file.
Firefox configuration steps were adjusted to new extension signing policy.
ipa-restore does not overwrite files with local users/groups
ipa-restore now works with KRA installed
Fixed an integer underflow bug in libotp which prevented from syncing TOTP tokens under certain circumstances.
winsync-migrate properly handles collisions in the names of external group
Fixed regression where installation of CA failed on CA-less server #5288.
Vault operations now works on a replica without KRA installed (assuming that at least one replica has KRA installed). #5302
Improved performance of search in Web UI’s dialog for adding e.g. users to e.g. sudo rules.
Modified vault access control and added commands for managing vault containers. #5250
Added support for generating client referrals for trusted domain principals. Note that bug https://bugzilla.redhat.com/show_bug.cgi?id=1259844 has to be fixed in MIT Kerberos packages to allow client referrals from FreeIPA KDC to be processed.
Upgrade instructions are available on Upgrade page.
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.
Detailed Changelog since 4.2.1#
Abhijeet Kasurde (1)#
Updated number of legacy permission in ipatests
Alexander Bokovoy (1)#
client referral support for trusted domain principals
Christian Heimes (1)#
Handle timeout error in ipa-httpd-kdcproxy
Gabe Alford (4)#
Add Chromium configuration note to ssbrowser
Standardize minvalue for ipasearchrecordlimit and ipasesarchsizelimit for unlimited minvalue
dnssec option missing in ipa-dns-install man page
Update FreeIPA package description
Jan Cholasta (16)#
config: allow user/host attributes with tagging options
baseldap: make subtree deletion optional in LDAPDelete
vault: set owner to current user on container creation
vault: update access control
vault: add permissions and administrator privilege
install: support KRA update
install: Support overriding knobs in subclasses
install: Add common base class for server and replica install
install: Move unattended option to the general help section
install: create kdcproxy user during server install
platform: add option to create home directory when adding user
install: fix kdcproxy user home directory
install: fix ipa-server-install fail on missing –forwarder
install: fix KRA agent PEM file permissions
install: always export KRA agent PEM file
vault: select a server with KRA for vault operations
Martin Babinsky (5)#
load RA backend plugins during standalone CA install on CA-less IPA master
destroy httpd ccache after stopping the service
ipa-server-install: mark master_password Knob as deprecated
re-kinit after ipa-restore in backup/restore CI tests
do not overwrite files with local users/groups when restoring authconfig
Martin Bašti (11)#
FIX vault tests
Server Upgrade: backup CS.cfg when dogtag is turned off
IPA Restore: allows to specify files that should be removed
DNSSEC: improve CI test
DNSSEC CI: test master migration
backup CI: test DNS/DNSSEC after backup and restore
Limit max age of replication changelog
Server Upgrade: addifnew should not create entry
CI: backup and restore with KRA
Replica inst. fix: do not require -r, -a, -p options in unattended mode
Fix import get_reverse_zone_default in tasks
Milan Kubík (4)#
ipatests: Add Certprofile tracker class implementation
ipatests: Add basic tests for certificate profile plugin
ipatests: configure Network Manager not to manage resolv.conf
Include ipatests/test_xmlrpc/data directory into distribution.
Nathaniel McCallum (1)#
Fix an integer underflow bug in libotp
Oleg Fayans (1)#
Added a proper workaround for dnssec test failures in Beaker environment
Petr Voborník (4)#
vault: add vault container commands
webui: use manual Firefox configuration for Firefox >= 40
webui: improve performance of search in association dialog
Become IPA 4.2.2
Petr Špaček (1)#
Avoid ipa-dnskeysync-replica & ipa-ods-exporter crashes caused by exceeding LDAP limits
Timo Aaltonen (2)#
paths: Add GENERATE_RNDC_KEY.
httpinstance: Replace a hardcoded path to password.conf with HTTPD_PASSWORD_CONF
Tomáš Babej (4)#
winsync: Add inetUser objectclass to the passsync sysaccount
ipa-backup: Add mechanism to store empty directory structure
winsync-migrate: Convert entity names to posix friendly strings
winsync-migrate: Properly handle collisions in the names of external groups