[RHSA-2015:0442-01] Moderate: ipa security, bug fix, and enhancement update
=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: ipa security, bug fix, and enhancement update
Advisory ID:       RHSA-2015:0442-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-0442.html
Issue date:        2015-03-05
CVE Names:         CVE-2010-5312 CVE-2012-6662
=====================================================================

1. Summary:

Updated ipa packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

Red Hat Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments.

Two cross-site scripting (XSS) flaws were found in jQuery, which impacted the Identity Management web administrative interface, and could allow an authenticated user to inject arbitrary HTML or web script into the interface. (CVE-2010-5312, CVE-2012-6662)

Note: The IdM version provided by this update no longer uses jQuery.

This update adds several enhancements that are described in more detail in the Red Hat Enterprise Linux 7.1 Release Notes, linked to in the References section, including:

* Added the "ipa-cacert-manage" command, which renews the Certification Authority (CA) file. (BZ#886645)

* Added the ID Views feature. (BZ#891984)

* IdM now supports using one-time password (OTP) authentication and allows gradual migration from proprietary OTP solutions to the IdM OTP solution. (BZ#919228)

* Added the "ipa-backup" and "ipa-restore" commands to allow manual backups. (BZ#951581)

* Added a solution for regulating access permissions to specific sections of the IdM server. (BZ#976382)

This update also fixes several bugs, including:

* Previously, when IdM servers were configured to require the Transport Layer Security protocol version 1.1 (TLSv1.1) or later in the httpd server, the "ipa" command-line utility failed. With this update, running "ipa" works as expected with TLSv1.1 or later. (BZ#1156466)

In addition, this update adds multiple enhancements, including:

* The "ipa-getkeytab" utility can now optionally fetch existing keytabs from the KDC. Previously, retrieving an existing keytab was not supported, as the only option was to generate a new key. (BZ#1007367)

* You can now create and manage a "." root zone on IdM servers. DNS queries sent to the IdM DNS server use this configured zone instead of the public zone. (BZ#1056202)

* The IdM server web UI has been updated and is now based on the Patternfly framework, offering better responsiveness. (BZ#1108212)

* A new user attribute now enables provisioning systems to add custom tags for user objects. The tags can be used for automember rules or for additional local interpretation. (BZ#1108229)

* This update adds a new DNS zone type to ensure that forward and master zones are better separated. As a result, the IdM DNS interface complies with the forward zone semantics in BIND. (BZ#1114013)

* This update adds a set of Apache modules that external applications can use to achieve tighter interaction with IdM beyond simple authentication. (BZ#1107555)

* IdM supports configuring automember rules for automated assignment of users or hosts in respective groups according to their characteristics, such as the "userClass" or "departmentNumber" attributes. Previously, the rules could be applied only to new entries. This update allows applying the rules also to existing users or hosts. (BZ#1108226)

* The extdom plug-in translates Security Identifiers (SIDs) of Active Directory (AD) users and groups to names and POSIX IDs. With this update, extdom returns the full member list for groups and the full list of group memberships for a user, the GECOS field, the home directory, as well as the login shell of a user. Also, an optional list of key-value pairs contains the SID of the requested object if the SID is available. (BZ#1030699)

All ipa users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

711693 - [RFE] Normal users should not be given privileges to view all sudorules and their details.
788645 - [RFE] Allow filter and subtree to be added in same permission
815828 - Rename DNS permissions to use mixed-case
817909 - error indicates a different reason when ipa permission-mod fails to modify attrs
854335 - Unable to update "remove automount keys" - it has filter and subtree specified
887988 - [RFE] Expose the krbPrincipalExpiration attribute for editing in the IPA CLI / WEBUI
891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution
893850 - Unable to update permissions for "Add Automount Keys"
921655 - fix UI CSS to support RH branding
922749 - IPA Navigation links overlaped or unclickable
924008 - Unknown binary attributes can cause migration to fail
924395 - [RFE] ipa-client-install should configure sudo automatically
951581 - [RFE] Backup & Restore mechanism
970618 - [RFE] pac-type change must be effective immediately without kdc restart
971061 - Localization not working even for languages that are localized
975456 - [RFE] add option to ipa-client-install to configure automount
985234 - ipa-client-install --uninstall starts nscd service
1027712 - "username" field in IPA webUI login page should be mandatory
1027713 - There is no version information on IPA WebUI
1030699 - [RFE] Support initgroups for unauthenticated AD users
1031111 - ipa-client: add root CA to trust anchors if not already available
1033357 - ipactl can not restart ipa services if current status is "stopped"
1035286 - [WebUI] Realm domain is not providing proper error message
1048934 - [WebUI] Retry and Cancel dialogs do not support 'confirmation by Enter'
1048956 - [WebUI] "OK" button is not focused on "Operations Error" dialog, once we opened "show details"
1056202 - [RFE] Support DNS root zone
1058780 - Missing checks during ipa idrange-add
1060349 - IPA: Unable to add host when ipv6 address already exits
1061772 - [WebUI] Maximum serial number search accepts negative inputs and lists wrong search results.
1072502 - running ipa-server-install --setup-dns results in a crash
1075129 - bogus time estimates shown for configuration of various component in replica installation
1077734 - [WebUI] select all checkbox remains selected after operation
1080209 - IPA server does not allow sudo host network filters
1080532 - ipa-client-install --uninstall crash on a freshly installed machine joined to IPA via reamd and anaconda
1081626 - When certmonger is still tracking cert in ipa, uninstall fails but error does not indicate this
1084609 - [RFE] RHEL7 support for ipa-admintools on other architectures
1099811 - Apache crashes when replica is restarted when installing
1107555 - [RFE] Provide a stack of apache modules for any applications to consume
1108195 - MOD command returns duplicate memberships
1108201 - cannot create dns zone when name has consecutive dash characters
1108202 - dnsrecord-* with absolute target gives error
1108203 - [RFE] Add EmployeeID in the Web UI and command name
1108204 - PTR record cannot be added from UI, if user added zone without last '.'
1108205 - Replica installation dies if /etc/resolv.conf is not writeable
1108206 - sshd should run at least once before ipa-client-install
1108207 - [WebUI] When adding a condition to an automember rule, expression field should be required
1108208 - The Synchronizing time with KDC... message looks strange between login and password prompts
1108212 - [RFE] Adopt Patternfly/RCUE open interface project for the Web UI
1108213 - Installers should explicitly specify auth mechanism when calling ldapmodify
1108214 - ipa-replica-install: DNS check is between "host already exists" message and exit
1108215 - Make Read replication agreements permission less more targeted
1108216 - Unexpected error when providing incorrect password to ipa-ldap-updater
1108220 - Broken Firefox configuration files in freeipa-client package
1108222 - SSH widget doesn't honor a lack of write right
1108224 - Replace ntpdate calls with ntpd
1108225 - ipadb.so could get tripped up by DAL changes to support keyless principals
1108226 - [RFE] Use automember for hosts after the host is added
1108228 - Add UI for the new user and host userClass attribute
1108229 - [RFE] Better integration with the external provisioning systems - users
1108230 - Should not display ports to open when password is incorrect during ipa-client-install.
1108231 - ipa-join usage instructions are incorrect
1108232 - [RFE] ipa migrate-ds should have an argument to specify cert to use for DS connection
1108233 - [RFE] ipa dnsrecord-add should allow internationalized names
1108234 - [WebUI] it is not clear which row a value belongs to
1108235 - xmlrpc system commands do not work
1108236 - Name is blank in error message for duplicate automember rule
1108237 - [RFE] Enhance input validation for filters in access control
1109726 - Rebase IPA to 4.1
1112603 - Internal Error: `ipa sudorule-mod rule --order=`
1112605 - [RFE] Add support for SubjectAltNames (SAN) to IPA service certificates
1112691 - ipa-server-install break sshd
1113918 - Setting a sudo category to all doesn't check to see if rules already exist
1113919 - Let deny commands be added to sudo rule with cmdcatetory=ALL
1113920 - Sudo runasgroup entry not generated by the sudo compat tree
1114013 - [RFE] Separate master and forward DNS zones
1115048 - Description attribute should not be required
1115616 - [RFE] Allow unlocking user in Web UI
1126989 - ipa-client-install creates configuration file with deprecated values
1128380 - Failure when installing on dual stacked system with external ca
1129558 - Windows Server 2012 CA does not accept CSR generated by IdM External CA installation
1129730 - CA-less installation fails when the CA cert has an empty subject
1131049 - Update SSL ciphers configured in 389-ds-base
1131187 - ipa-ldap-upgrade should restore Directory Server settings when upgrade fails
1131877 - Registering one IPA server with the browser removes entries for another
1133966 - ipa trust-add cmd should be interactive
1138773 - Internal error received for blank password with --trust-secret
1138775 - Password migration is broken
1138777 - Renewal with no master CA
1138791 - Prohibit setting --rid-base for ranges of ipa-trust-ad-posix type
1138792 - Disable unsupported ID range types
1138795 - DS returns limited RootDSE
1138798 - Add support for bounce_url to /ipa/ui/reset_password.html
1138803 - Do not store host certificate in shared NSS database /etc/pki/nssdb
1142088 - ipa-server-install searches CA under different hostname
1142789 - host-del command does not accept --continue
1147679 - ipa man page incorrectly indicates how to add users
1149124 - group-add doesn't accept gid parameter
1156466 - POODLE: force using safe ciphers (non-SSLv3) in IPA client and server
1159011 - Trust setting not restored for CA cert with ipa-restore command
1159330 - RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for httpd
1159816 - ignoring user attributes in migrate-ds does not work if uppercase characters are returned by ldap
1160756 - Investigate & fix Coverity defects in IPA DS/KDC plugins
1160758 - Tests: host-del returns DatabaseError
1161128 - Upgrade 3.3.5 to 4.1 failed
1161129 - ipactl stop should stop dirsrv last
1161131 - Deadlock in schema compat plugin
1162340 - ipa-server-install fails when restarting named
1163498 - Renewing the CA signing certificate does not extend its validity period end
1163849 - error message which is not understandable when IDNA2003 characters are present in --zonemgr (--zonemgr=Têko ( -at -) redhat.com)
1164859 - Traceback when adding zone with long name
1164896 - RHEL7.1 IPA server httpd avc denials after upgrade
1166041 - CVE-2010-5312 jquery-ui: XSS vulnerability in jQuery.ui.dialog title option
1166064 - CVE-2012-6662 jquery-ui: XSS vulnerability in default content in Tooltip widget
1166641 - ipa-otp-lasttoken loads all user's tokens on every mod/del
1166931 - RHEL7.1 ipa automatic CA cert renewal stuck in submitting state
1167196 - schema update on RHEL-6.6 using latest copy-schema-to-ca.py from RHEL-7.1 build fails
1167270 - Tracebacks with latest build for --zonemgr cli option
1167964 - RHEL7.1 ipa replica unable to replicate to rhel6 master
1168214 - [WebUI] Not able to unprovisioning service in IPA 4.1
1168376 - Clean up debug log for trust-add
1168916 - Extend host-show to add the view attribute in set of default attributes
1169591 - RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible
1169867 - Winsync: Setup is broken due to incorrect import of certificate
1170003 - RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca cert
1170695 - krb5kdc crash in ldap_pvt_search
1171089 - webui: increase notification duration
1172578 - CLI doesn't show SSHFP records with SHA256 added via nsupdate (regression)
1172598 - Access is not rejected for disabled domain
1173207 - IPA certs fail to autorenew simultaneouly
1175277 - Data replication not working as expected after data restore from full backup
1175287 - No error message thrown on restore(full kind) on replica from full backup taken on master
1175326 - ipa-restore proceed even IPA not configured
1175384 - DNS zones are not migrated into forward zones if 4.0+ replica is added
1176034 - More validation required on ipa-restore's options
1176995 - IPA replica missing data after master upgraded
1177133 - When migrating warn user if compat is enabled
1178128 - IPA externally signed CA cert expiration warning missing from log
1181010 - ipa-replica-manage list does not list synced domain
1181093 - PassSync does not sync passwords due to missing ACIs
1181767 - ipa-upgradeconfig fails in CA-less installs
1183279 - ipa-replica-manage disconnect fails without password
1184149 - DUA profile not available anonymously
1185410 - idoverrideuser-add option --sshpubkey does not work
1186396 - ipa-restore crashes if replica is unreachable
1186398 - Wrong directories created on full restore
1187342 - Login ignores global OTP enablement
1187540 - Full set of objectclass not available post group detach.

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
ipa-4.1.0-18.el7.src.rpm

x86_64:
ipa-client-4.1.0-18.el7.x86_64.rpm
ipa-debuginfo-4.1.0-18.el7.x86_64.rpm
ipa-python-4.1.0-18.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
ipa-admintools-4.1.0-18.el7.x86_64.rpm
ipa-debuginfo-4.1.0-18.el7.x86_64.rpm
ipa-server-4.1.0-18.el7.x86_64.rpm
ipa-server-trust-ad-4.1.0-18.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
ipa-4.1.0-18.el7.src.rpm

x86_64:
ipa-client-4.1.0-18.el7.x86_64.rpm
ipa-debuginfo-4.1.0-18.el7.x86_64.rpm
ipa-python-4.1.0-18.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
ipa-admintools-4.1.0-18.el7.x86_64.rpm
ipa-debuginfo-4.1.0-18.el7.x86_64.rpm
ipa-server-4.1.0-18.el7.x86_64.rpm
ipa-server-trust-ad-4.1.0-18.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
ipa-4.1.0-18.el7.src.rpm

ppc64:
ipa-client-4.1.0-18.el7.ppc64.rpm
ipa-debuginfo-4.1.0-18.el7.ppc64.rpm
ipa-python-4.1.0-18.el7.ppc64.rpm

s390x:
ipa-client-4.1.0-18.el7.s390x.rpm
ipa-debuginfo-4.1.0-18.el7.s390x.rpm
ipa-python-4.1.0-18.el7.s390x.rpm

x86_64:
ipa-admintools-4.1.0-18.el7.x86_64.rpm
ipa-client-4.1.0-18.el7.x86_64.rpm
ipa-debuginfo-4.1.0-18.el7.x86_64.rpm
ipa-python-4.1.0-18.el7.x86_64.rpm
ipa-server-4.1.0-18.el7.x86_64.rpm
ipa-server-trust-ad-4.1.0-18.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:
ipa-admintools-4.1.0-18.el7.ppc64.rpm
ipa-debuginfo-4.1.0-18.el7.ppc64.rpm

s390x:
ipa-admintools-4.1.0-18.el7.s390x.rpm
ipa-debuginfo-4.1.0-18.el7.s390x.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
ipa-4.1.0-18.el7.src.rpm

x86_64:
ipa-admintools-4.1.0-18.el7.x86_64.rpm
ipa-client-4.1.0-18.el7.x86_64.rpm
ipa-debuginfo-4.1.0-18.el7.x86_64.rpm
ipa-python-4.1.0-18.el7.x86_64.rpm
ipa-server-4.1.0-18.el7.x86_64.rpm
ipa-server-trust-ad-4.1.0-18.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
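To turn the package list above into a host check, here is an added Python script (written for this post, not Red Hat tooling) that reads `rpm -qa` output and reports whether each ipa sub-package named in the advisory is at or past the fixed build 4.1.0-18.el7. It implements rpm's own version ordering instead of a string comparison, so release suffixes and `~` pre-release tags sort the way rpm sorts them. The sample `rpm -qa` lines are constructed, and the script assumes the ipa packages carry no epoch, which is how `rpm -qa` prints them.

```python
import re
# Fixed build from the advisory's package list (every binary sub-package shares it);
# `rpm -qa` prints name-version-release.arch and ipa carries no epoch.
FIXED_VR = "4.1.0-18.el7"
ADVISORY_PACKAGES = {"ipa-admintools", "ipa-client", "ipa-python",
                     "ipa-server", "ipa-server-trust-ad"}
NVRA_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$")
def rpmvercmp(a, b):
    """rpm's segment ordering (-1/0/1): digit runs compare numerically, letter runs as
    strings, digits beat letters, '~' sorts before everything (even end-of-string),
    and any other character only separates segments (mirrors rpm's lib/rpmvercmp.c)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"): i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"): j += 1
        ta, tb = (i < len(a) and a[i] == "~"), (j < len(b) and b[j] == "~")
        if ta or tb:
            if ta != tb: return 1 if tb else -1      # the side carrying '~' is older
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b): break
        isnum = a[i].isdigit()
        kind = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while i < len(a) and kind(a[i]): i += 1
        while j < len(b) and kind(b[j]): j += 1
        sa, sb = a[si:i], b[sj:j]
        if not sb: return 1 if isnum else -1         # mixed segment types: numeric is newer
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")  # longer digit run is the larger number
            if len(sa) != len(sb): return 1 if len(sa) > len(sb) else -1
        if sa != sb: return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b): return 0
    return 1 if j >= len(b) else -1                  # whoever has segments left is newer

def parse_nvra(line):
    """Split 'name-version-release.arch' (with or without a trailing .rpm)."""
    line = line.strip()
    m = NVRA_RE.match(line[:-4] if line.endswith(".rpm") else line)
    if not m: raise ValueError("not a name-version-release.arch string: %r" % line)
    return m.groupdict()

def check_host(rpm_qa_lines):
    """Map each advisory package found in `rpm -qa` output to 'fixed' or 'vulnerable'."""
    fixed_v, fixed_r = FIXED_VR.split("-")
    status = {}
    for p in (parse_nvra(line) for line in rpm_qa_lines if line.strip()):
        if p["name"] in ADVISORY_PACKAGES:
            c = rpmvercmp(p["version"], fixed_v) or rpmvercmp(p["release"], fixed_r)
            status[p["name"]] = "fixed" if c >= 0 else "vulnerable"
    return status
# Constructed sample of `rpm -qa` output from a host that has not yet applied the erratum.
SAMPLE_RPM_QA = ["ipa-client-4.1.0-17.el7.x86_64", "ipa-python-4.1.0-17.el7.x86_64",
                 "ipa-server-4.1.0-17.el7.x86_64", "libipa_hbac-1.12.2-58.el7.x86_64"]
```

On a real host, feed it `subprocess.check_output(["rpm", "-qa", "ipa*"]).decode().splitlines()` instead of `SAMPLE_RPM_QA`; the `rpm -K` signature check the advisory points to is a separate step.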

 

7. References:

https://access.redhat.com/security/cve/CVE-2010-5312
https://access.redhat.com/security/cve/CVE-2012-6662
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.1_Release_Notes/index.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.