FreeIPA 4.12.5#

The FreeIPA team would like to announce the FreeIPA 4.12.5 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.12.5#

  • CVE-2025-7493

This is a continuation of CVE-2025-4404, which was caused by incomplete uniqueness checks for multiple Kerberos attributes. In CVE-2025-4404 it was found that uniqueness of the canonical Kerberos principal name and its aliases was not complete. We further found that cross-attribute uniqueness was not possible to enforce in the 389-ds LDAP server. As a result, it was still possible to add an alias of ‘root’ to a Kerberos service principal controlled by a system already enrolled into IPA.

In order to prevent further attacks on existing Kerberos principals and aliases, the 389-ds LDAP server uniqueness plugin was extended to allow cross-attribute uniqueness checks with custom LDAP match rules. The 389-ds upstream issue 389ds/389-ds-base#6857 was fixed in all supported 389-ds releases. The FreeIPA fix for CVE-2025-7493 relies on this change.

Additionally, the FreeIPA team has decided to apply a Kerberos policy of rejecting any ticket that lacks a PAC structure when it is presented as an evidence ticket in a service ticket request sent to the IPA Kerberos KDC.

The PAC structure in a Kerberos ticket contains a number of individual buffers that encode the information about the Kerberos client principal that is available to the Kerberos KDC. The structure is cryptographically signed and also contains additional signatures that can be validated by both the KDC and the service that will receive the ticket.

Since FreeIPA 4.9.0, new deployments are always configured to associate security identifier (SID) information with each IPA user account and to use it to issue PACs. Machines enrolled into the IPA environment and their Kerberos services also get associated well-known SIDs. This allows the KDC to issue and validate PAC structures with the information known about the client principal, whether it comes from the IPA realm or from a trusted Active Directory domain. MIT Kerberos 1.20 or later also adds cryptographically signed information about the Kerberos principal that was used to request a Kerberos ticket. This additional information allows application services to prevent account spoofing. To date, only SSSD has enabled automated PAC validation on the client side.

To help applications, the CVE-2025-7493 fix rejects ticket requests that ask for a Kerberos service ticket using an evidence ticket that lacks a PAC structure. The content of the PAC structure is already validated against the original requester information.

The fix on the Kerberos KDC side cannot help in environments where SIDs aren’t associated with the Kerberos principals and no PAC is issued at all. We urge FreeIPA administrators to upgrade their deployments and enable the use of SIDs and PAC generation to prevent the attacks associated with identity spoofing through the Kerberos protocol.

FreeIPA identity mapping is described in detail in the following design page: https://freeipa.readthedocs.io/en/latest/designs/id-mapping.html

Red Hat’s knowledge base also has practical articles on enabling SIDs for existing IPA deployments:

  • “POSIX IDs, SIDs and IDRanges in IPA”, https://access.redhat.com/articles/7027037
  • “When upgrading to RHEL9, IDM users are not able to login anymore.”, https://access.redhat.com/solutions/7014959
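The two conditions described above (a Kerberos principal name held by more than one entry across krbPrincipalName and krbCanonicalName, and user accounts without a SID, for which no PAC can be issued) can be checked offline against an LDAP export before and after the upgrade. The following script is an added example written for these notes; it is not FreeIPA's code and is not the 389-ds uniqueness plugin, which enforces the rule inside the directory. It reads an LDIF export of the kind `ldapsearch -LLL` produces and reports collisions and SID-less users. The LDIF below is constructed for the example, and comparing principal names as exact strings is an assumption that simplifies the directory's own matching rule.

```python
"""Offline audit of a FreeIPA LDAP export for two conditions discussed in the
FreeIPA 4.12.5 notes:
  1. a Kerberos principal name held by more than one entry, in any of the
     krbPrincipalName / krbCanonicalName attributes (cross-attribute
     uniqueness);
  2. user entries with no ipaNTSecurityIdentifier, i.e. accounts that get
     no PAC from the KDC.
Example code, not part of FreeIPA. The LDIF sample is constructed."""
from collections import defaultdict

# Constructed sample: 'alice' is a user, the HTTP service on web.ipa.test
# carries alice's principal name as an alias, and 'bob' has no SID.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=ipa,dc=test
objectClass: person
objectClass: krbprincipalaux
objectClass: ipantuserattrs
uid: alice
krbCanonicalName: alice@IPA.TEST
krbPrincipalName: alice@IPA.TEST
ipaNTSecurityIdentifier: S-1-5-21-1111-2222-3333-1001

dn: uid=bob,cn=users,cn=accounts,dc=ipa,dc=test
objectClass: person
objectClass: krbprincipalaux
uid: bob
krbCanonicalName: bob@IPA.TEST
krbPrincipalName: bob@IPA.TEST

dn: krbprincipalname=HTTP/web.ipa.test@IPA.TEST,cn=services,cn=accounts,dc=ipa,dc=test
objectClass: krbprincipalaux
krbCanonicalName: HTTP/web.ipa.test@IPA.TEST
krbPrincipalName: HTTP/web.ipa.test@IPA.TEST
krbPrincipalName: alice@IPA.TEST
"""

PRINCIPAL_ATTRS = ("krbprincipalname", "krbcanonicalname")


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no comments) into a list of
    entries: {'dn': str, 'attrs': {lower-cased attribute: [values]}}.
    Folded continuation lines (leading space) are joined to the previous value."""
    entries, current, last_key = [], None, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and current is not None and last_key is not None:
            current["attrs"][last_key][-1] += raw[1:]
            continue
        if not raw.strip():                 # blank line ends an entry
            if current is not None:
                entries.append(current)
            current, last_key = None, None
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            current, last_key = {"dn": value, "attrs": defaultdict(list)}, None
        elif current is not None:
            current["attrs"][key].append(value)
            last_key = key
    return entries


def find_principal_collisions(entries):
    """Return [(principal, [(dn, attr), ...])] for each principal name held by
    more than one entry, whichever attribute carries it. A canonical name that
    is also listed as an alias of the same entry is normal and not reported.
    Assumption: exact string comparison stands in for the LDAP match rule."""
    holders = defaultdict(list)
    for entry in entries:
        for attr in PRINCIPAL_ATTRS:
            for value in entry["attrs"].get(attr, []):
                holders[value].append((entry["dn"], attr))
    return [(principal, where) for principal, where in sorted(holders.items())
            if len({dn for dn, _ in where}) > 1]


def find_users_without_sid(entries):
    """Return DNs of user entries (objectClass person) that carry no
    ipaNTSecurityIdentifier, so the KDC cannot put a PAC in their tickets."""
    missing = []
    for entry in entries:
        classes = {c.lower() for c in entry["attrs"].get("objectclass", [])}
        if "person" in classes and not entry["attrs"].get("ipantsecurityidentifier"):
            missing.append(entry["dn"])
    return missing


def audit(text):
    """Run both checks over an LDIF text and return a report dict."""
    entries = parse_ldif(text)
    return {"collisions": find_principal_collisions(entries),
            "users_without_sid": find_users_without_sid(entries)}


if __name__ == "__main__":
    report = audit(SAMPLE_LDIF)
    for principal, where in report["collisions"]:
        print(f"COLLISION {principal}")
        for dn, attr in where:
            print(f"    {attr} on {dn}")
    for dn in report["users_without_sid"]:
        print(f"NO SID    {dn}")
```

Against a real deployment, feed the output of `ldapsearch -LLL -b cn=accounts,<base DN>` for the krbPrincipalName, krbCanonicalName, objectClass and ipaNTSecurityIdentifier attributes; any collision is an entry the upgraded uniqueness plugin would now refuse to create, and any SID-less user is an account the KDC-side PAC policy cannot protect until SIDs are enabled as described in the linked articles.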

Enhancements#

Known Issues#

Bug fixes#

FreeIPA 4.12.5 is a security fix release.

Details of the bug-fixes can be seen in the list of resolved tickets below.

Upgrading#

Upgrade instructions are available on the Upgrade page.

Feedback#

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on libera.chat.

Detailed changelog since 4.12.4#

Antonio Torres (1)#

Florence Blanc-Renaud (1)#

  • ipatests: extend test for unique krbcanonicalname commit

Julien Rische (1)#

  • ipa-kdb: enforce PAC presence on TGT for TGS-REQ context commit

Rob Crittenden (1)#

  • Enforce uniqueness across krbprincipalname and krbcanonicalname commit