The FreeIPA team would like to announce the FreeIPA v4.2.2 security release!
It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are available for Fedora 23 and rawhide. Builds for Fedora 22 are available in the official COPR repository.
Highlights in 4.2.2
FreeIPA 4.2.0 introduced Key Archival Agent (KRA) support. This release fixes CVE-2015-5284. The CVE affects IPA servers where ipa-kra-install was run. Read the manual instructions if your system was affected.
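As an added illustration (not part of this announcement and not FreeIPA's own tooling), the audit below shows what the defect behind CVE-2015-5284 looks like on disk and how an administrator can check for it after upgrading: a PEM file that carries a private key while being readable by every local user. The file names and key material are constructed placeholders; the actual path written by ipa-kra-install is not given on this page.

```python
import os
import stat
import tempfile

# Markers that identify a PEM-encoded private key. Any of these inside a file
# that other local users can read is the condition CVE-2015-5284 describes.
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
)


def contains_private_key(path):
    """Return True if the file holds a PEM private key block."""
    with open(path, "rb") as f:
        data = f.read()
    return any(marker in data for marker in PRIVATE_KEY_MARKERS)


def is_world_readable(path):
    """Return True if 'other' has read permission on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def find_exposed_private_keys(directory):
    """Walk a directory and return the regular files that hold a private key
    and are readable by every local user (symlinks are skipped)."""
    exposed = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if is_world_readable(path) and contains_private_key(path):
                exposed.append(path)
    return sorted(exposed)


def restrict_to_owner(path):
    """Drop group/other permissions (chmod 600) and return the new mode bits."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Build a constructed directory resembling the situation in the release
    notes and return (exposed_before, exposed_after) as base names."""
    tmp = tempfile.mkdtemp()
    # Constructed sample: a PEM holding both a certificate and a private key
    # (not real key material) that was written world-readable. Placeholder name.
    agent_pem = os.path.join(tmp, "kra-agent.pem")
    with open(agent_pem, "wb") as f:
        f.write(b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
                b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(agent_pem, 0o644)
    # A world-readable file containing only a certificate is not a finding.
    ca_pem = os.path.join(tmp, "ca.crt")
    with open(ca_pem, "wb") as f:
        f.write(b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n")
    os.chmod(ca_pem, 0o644)
    # A private key that already has owner-only permissions is not a finding.
    safe_key = os.path.join(tmp, "safe.key")
    with open(safe_key, "wb") as f:
        f.write(b"-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n")
    os.chmod(safe_key, 0o600)

    before = find_exposed_private_keys(tmp)
    for path in before:
        restrict_to_owner(path)
    after = find_exposed_private_keys(tmp)
    return ([os.path.basename(p) for p in before],
            [os.path.basename(p) for p in after])


if __name__ == "__main__":
    print(demo())
```

Pointing find_exposed_private_keys at the directories an IPA server keeps its certificates in gives a quick post-upgrade confirmation that no key remains readable by unprivileged accounts; the permission fix only closes the window going forward, so a key that was exposed should be treated as compromised and rotated per the manual instructions.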
Bug fixes
CVE-2015-5284: ipa-kra-install included a certificate and private key in a world-readable file.
Firefox configuration steps were adjusted to the new extension signing policy.
ipa-restore no longer overwrites files with local users/groups.
ipa-restore now works with KRA installed.
Fixed an integer underflow bug in libotp which, under certain circumstances, prevented TOTP tokens from syncing.
winsync-migrate properly handles collisions in the names of external groups.
Fixed a regression where installation of a CA failed on a CA-less server. #5288
Vault operations now work on a replica without KRA installed (assuming that at least one replica has KRA installed). #5302
Enhancements
Improved performance of search in the Web UI's association dialog, e.g. when adding users to sudo rules.
Modified vault access control and added commands for managing vault containers. #5250
Added support for generating client referrals for trusted domain principals. Note that bug https://bugzilla.redhat.com/show_bug.cgi?id=1259844 has to be fixed in the MIT Kerberos packages before client referrals from the FreeIPA KDC can be processed.
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa channel on Freenode.
Detailed Changelog since 4.2.1
Abhijeet Kasurde (1)
Updated number of legacy permission in ipatests
Alexander Bokovoy (1)
client referral support for trusted domain principals
Christian Heimes (1)
Handle timeout error in ipa-httpd-kdcproxy
Gabe Alford (4)
Add Chromium configuration note to ssbrowser
Standardize minvalue for ipasearchrecordlimit and ipasearchsizelimit for unlimited minvalue
dnssec option missing in ipa-dns-install man page
Update FreeIPA package description
Jan Cholasta (16)
config: allow user/host attributes with tagging options
baseldap: make subtree deletion optional in LDAPDelete
vault: set owner to current user on container creation
vault: update access control
vault: add permissions and administrator privilege
install: support KRA update
install: Support overriding knobs in subclasses
install: Add common base class for server and replica install
install: Move unattended option to the general help section
install: create kdcproxy user during server install
platform: add option to create home directory when adding user
install: fix kdcproxy user home directory
install: fix ipa-server-install fail on missing --forwarder
install: fix KRA agent PEM file permissions
install: always export KRA agent PEM file
vault: select a server with KRA for vault operations
Martin Babinsky (5)
load RA backend plugins during standalone CA install on CA-less IPA master
destroy httpd ccache after stopping the service
ipa-server-install: mark master_password Knob as deprecated
re-kinit after ipa-restore in backup/restore CI tests
do not overwrite files with local users/groups when restoring authconfig
Martin Bašti (11)
FIX vault tests
Server Upgrade: backup CS.cfg when dogtag is turned off
IPA Restore: allows to specify files that should be removed
DNSSEC: improve CI test
DNSSEC CI: test master migration
backup CI: test DNS/DNSSEC after backup and restore
Limit max age of replication changelog
Server Upgrade: addifnew should not create entry
CI: backup and restore with KRA
Replica inst. fix: do not require -r, -a, -p options in unattended mode
Fix import get_reverse_zone_default in tasks
Milan Kubík (4)
ipatests: Add Certprofile tracker class implementation
ipatests: Add basic tests for certificate profile plugin
ipatests: configure Network Manager not to manage resolv.conf
Include ipatests/test_xmlrpc/data directory into distribution.
Nathaniel McCallum (1)
Fix an integer underflow bug in libotp
Oleg Fayans (1)
Added a proper workaround for dnssec test failures in Beaker environment
Petr Voborník (4)
vault: add vault container commands
webui: use manual Firefox configuration for Firefox >= 40
webui: improve performance of search in association dialog
Become IPA 4.2.2
Petr Špaček (1)
Avoid ipa-dnskeysync-replica & ipa-ods-exporter crashes caused by exceeding LDAP limits
Timo Aaltonen (2)
paths: Add GENERATE_RNDC_KEY.
httpinstance: Replace a hardcoded path to password.conf with HTTPD_PASSWORD_CONF
Tomáš Babej (4)
winsync: Add inetUser objectclass to the passsync sysaccount
ipa-backup: Add mechanism to store empty directory structure
winsync-migrate: Convert entity names to posix friendly strings
winsync-migrate: Properly handle collisions in the names of external groups