-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2019-8e9093da55 2019-12-05 01:09:44.880022 --------------------------------------------------------------------------------
Name : freeipa Product : Fedora 30 Version : 4.8.3 Release : 1.fc30 URL : http://www.freeipa.org/ Summary : The Identity, Policy and Audit system Description : IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization (host access control, SELinux user roles, services). The solution provides features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts).
-------------------------------------------------------------------------------- Update Information:
FreeIPA 4.8.3 is a security update release that includes fixes for two issues: * CVE-2019-10195: Don't log passwords embedded in commands in calls using batch A flaw was found in the way that FreeIPA's batch processing API logged operations. This included passing user passwords in clear text on FreeIPA masters. Batch processing of commands with passwords as arguments or options is not performed by default in FreeIPA but is possible by third-party components. An attacker having access to system logs on FreeIPA masters could use this flaw to produce log file content with passwords exposed. The issue was reported by Jamison Bennett from Cloudera * CVE-2019-14867: Make sure to have storage space for tag A flaw was found in the way the internal function ber_scanf() was used in some components of the IPA server, which parsed kerberos key data. An unauthenticated attacker who could trigger parsing of the krb principal key could cause the IPA server to crash or in some conditions, cause arbitrary code to be executed on the server hosting the IPA server. The issue was reported by Todd Lipcon from Cloudera -------------------------------------------------------------------------------- ChangeLog:
* Tue Nov 26 2019 Alexander Bokovoy abokovoy@redhat.com - 4.8.3-1 - New upstream release 4.8.3 - CVE-2019-14867: Denial of service in IPA server due to wrong use of ber_scanf() - CVE-2019-10195: Don't log passwords embedded in commands in calls using batch * Tue Nov 12 2019 Rob Crittenden rcritten@redhat.com - 4.8.2-1 - New upstream release 4.8.2 - Replace %{_libdir} macro in BuildRequires (#1746882) - Restore user-nsswitch.conf before calling authselect (#1746557) - ipa service-find does not list cifs service created by ipa-client-samba (#1731433) - Occasional 'whoami.data is undefined' error in FreeIPA web UI (#1699109) - ipa-kra-install fails due to fs.protected_regular=1 (#1698384) * Sun Oct 20 2019 Alexander Bokovoy abokovoy@redhat.com - 4.8.1-4 - Don't create log files from helper scripts - Fixes: rhbz#1754189 * Tue Oct 8 2019 Christian Heimes cheimes@redhat.com - 4.8.1-3 - Fix compatibility issue with preexec_fn in Python 3.8 - Fixes: rhbz#1759290 * Tue Oct 1 2019 Alexander Bokovoy abokovoy@redhat.com - 4.8.1-2 - Fix ipasam for compatibility with Samba 4.11 - Fixes: rhbz#1757089 * Wed Aug 14 2019 Alexander Bokovoy abokovoy@redhat.com - 4.8.1-1 - New upstream release 4.8.1 - Fixes: rhbz#1732528 - Fixes: rhbz#1732524 * Wed Jul 3 2019 Alexander Bokovoy abokovoy@redhat.com - 4.8.0-1 - New upstream release 4.8.0 - New subpackage: freeipa-client-samba * Sat May 11 2019 Alexander Bokovoy abokovoy@redhat.com - 4.7.90.pre1-4 - Upgrade: handle situation when trusts were configured but not established yet * Wed May 1 2019 Adam Williamson awilliam@redhat.com - 4.7.90.pre1-3 - Backport PR #3104 to fix a font path error * Wed May 1 2019 Alexander Bokovoy abokovoy@redhat.com - 4.7.90.pre1-2 - Revert MINSSF defaults because realmd cannot join FreeIPA right now as it uses anonymous LDAP connection for the discovery and validation * Mon Apr 29 2019 Alexander Bokovoy abokovoy@redhat.com - 4.7.90.pre1-1 - First release candidate for FreeIPA 4.8.0 -------------------------------------------------------------------------------- References:
[ 1 ] Bug #1777147 - CVE-2019-10195 freeipa: IPA: batch API logging user passwords to /var/log/httpd/error_log [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1777147 [ 2 ] Bug #1777200 - CVE-2019-14867 freeipa: ipa: Denial of service in IPA server due to wrong use of ber_scanf() [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1777200 --------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2019-8e9093da55' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------