

Release date: 2017-03-23

The FreeIPA team would like to announce the FreeIPA 4.3.3 release!

It can be downloaded from http://www.freeipa.org/page/Downloads.

Please note that this is the last upstream release of the FreeIPA 4.3.x branch.

Highlights in 4.3.3


Known Issues

Bug fixes

FreeIPA 4.3.3 is a stabilization release for the features delivered as a part of 4.3.0. There are more than 20 bug fixes, details of which can be seen in the list of resolved tickets below.


Upgrade instructions are available on the Upgrade page.


Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa channel on Freenode.

Resolved tickets

  • #6774 FreeIPA client <= 4.4 fail to parse 4.5 cookies
  • #6561 CVE-2016-7030 freeipa: ipa: DoS attack against kerberized services by abusing password policy
  • #6560 CVE-2016-9575 freeipa: ipa: Insufficient permission check in certprofile-mod
  • #6485 Document make_delete_command method in UserTracker
  • #6378 Tests: Fix failing sudo test
  • #6317 backport #6213 Incorrect test for DNSForwardPolicyConflictWithEmptyZone warning in test_xmlrpc/test_dns_plugin
  • #6316 backport #6199 Received ACIError instead of DuplicatedError in stageuser_tests
  • #6311 Fix or remove the `LDAPUpdate.update_from_dict` method
  • #6287 Refer to nodes in TestWrongClientDomain replica promotion tests as replicas
  • #6284 Tests: avoid skipping tests because of missing files when running as outoftree
  • #6278 Use OAEP padding with custodia (to avoid CVE-2016-6298)
  • #6262 Fix integration sudo tests setup and checks
  • #6254 kinit_admin raises an exception if server uninstallation is called from test teardown with server not installed
  • #6244 build: add python-libsss_nss_idmap and python-sss to BuildRequires
  • #6205 The ipa-server-upgrade command failed when named-pkcs11 does not happen to run during dnf upgrade
  • #6177 ca-less test are broken - invalid usage of ipautil.run
  • #6167 Incorrect domainlevel info in tests
  • #6166 Subsequent external CA installation fails
  • #6147 Failing automember tests due to manager output normalization
  • #6134 Command "ipa-replica-prepare" not allowed to create line replication topology
  • #6120 ipa-adtrust-install: when running with --netbios-name="", the NetBIOS name is changed without notification
  • #6076 Multiple domain Active Directory Trust conflict
  • #6056 custodia.conf and server.keys file is world-readable.
  • #6016 ipa-ca-install on replica tries to connect to master:8443
  • #5696 Add conflicts with bind-chroot to spec.

Detailed changelog since 4.3.2

Alexander Bokovoy (5)

  • ipa-kdb: search for password policies globally commit #6561
  • ipa-kdb: simplify trusted domain parent search commit #5738
  • trust: make sure ID range is created for the child domain even if it exists commit #5738
  • trust: automatically resolve DNS trust conflicts for triangle trusts commit #6076
  • ipaserver/dcerpc: reformat to make the code closer to pep8 commit #6076

Christian Heimes (3)

  • Use RSA-OAEP instead of RSA PKCS#1 v1.5 commit #6278
  • Secure permissions of Custodia server.keys commit #6056
  • RedHatCAService should wait for local Dogtag instance commit #6016

David Kupka (1)

  • password policy: Add explicit default password policy for hosts and services commit #6561

Fraser Tweedale (2)

  • certprofile-mod: correctly authorise config update commit #6560
  • cert-revoke: fix permission check bypass (CVE-2016-5404) commit #6232

Ganna Kaihorodova (1)

  • Fix for integration tests replication layouts commit

Jan Cholasta (2)

  • Revert "spec: add conflict with bind-chroot to freeipa-server-dns" commit #5696
  • install: fix external CA cert validation commit #6166

Lenka Doudova (7)

  • Document make_delete_command method in UserTracker commit #6485
  • Tests: Fix integration sudo test commit #6378
  • Tests: Fix integration sudo tests setup and checks commit #6262
  • Tests: Avoid skipping tests due to missing files commit #6284
  • Raise error when running ipa-adtrust-install with empty netbios--name commit #6120
  • Tests: Fix failing automember tests commit #6147
  • Tests: Remove DNS configuration from trust tests commit

Martin Babinsky (1)

  • add python-libsss_nss_idmap and python-sss to BuildRequires commit #6244

Martin Basti (5)

  • Become IPA 4.3.3 commit
  • Update Contributors.txt commit
  • Raise DuplicatedEnrty error when user exists in delete_container commit #6199, #6316
  • Catch DNS exceptions during emptyzones named.conf upgrade commit #6205
  • Start named during configuration upgrade. commit #6205

Oleg Fayans (3)

  • Changed addressing to the client hosts to be replicas commit #6287
  • Disabled raiseonerr in kinit call during topology level check commit #6254
  • Fixed incorrect domainlevel determination in tests commit #6167

Peter Lacko (1)

Petr Spacek (3)

  • Tests: fix test_forward_zones in test_xmlrpc/test_dns_plugin commit #6213, #6317
  • DNS server upgrade: do not fail when DNS server did not respond commit #6205
  • Fix ipa-replica-prepare's error message about missing local CA instance commit #6134

Petr Vobornik (1)

  • ca-less tests: fix getting cert in pem format from nssdb commit #6177

Stanislav Laznicka (3)

Tomas Krizek (1)

  • Keep NSS trust flags of existing certificates commit #5791