Moderate: ipa security and bug fix update

Related Vulnerabilities: CVE-2011-3636

Synopsis

Moderate: ipa security and bug fix update

Type/Severity

Security Advisory: Moderate

Topic

Updated ipa packages that fix one security issue and several bugs are now
available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Description

Red Hat Identity Management is a centralized authentication, identity
management and authorization solution for both traditional and cloud based
enterprise environments. It integrates components of the Red Hat Directory
Server, MIT Kerberos, Red Hat Certificate System, NTP and DNS. It provides
web browser and command-line interfaces. Its administration tools allow an
administrator to quickly install, set up, and administer a group of domain
controllers to meet the authentication and identity management requirements
of large scale Linux and UNIX deployments.

A Cross-Site Request Forgery (CSRF) flaw was found in Red Hat Identity
Management. If a remote attacker could trick a user who was logged into
the management web interface into visiting a specially crafted URL, the
attacker could make Red Hat Identity Management configuration changes
with the privileges of that logged-in user. (CVE-2011-3636)

Due to the changes required to fix CVE-2011-3636, client tools will need to
be updated for client systems to communicate with updated Red Hat Identity
Management servers. New client systems will need to have the updated
ipa-client package installed to be enrolled. Already enrolled client
systems will need to have the updated certmonger package installed to be
able to renew their system certificate. Note that system certificates are
valid for two years by default.
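The two paragraphs above describe the flaw (an authenticated browser session can be driven by a third-party page) and its operational consequence (clients must be updated to keep talking to fixed servers). The following is an added example, not code from this advisory or from the ipa/FreeIPA project, showing the shape of that class of defence on a JSON-RPC management endpoint: a "before" handler that trusts the session alone, beside a hardened handler that additionally requires a Referer naming the server, plus a small report that helps an administrator tell not-yet-updated clients apart from cross-site attempts in the rejections. The hostname, header layout and sample requests are constructed; the exact check the product applies is not stated on this page and is assumed here for illustration.

```python
# Added example, not code from the advisory or from the ipa/FreeIPA project.
# It demonstrates the defence the advisory implies: a JSON-RPC management
# endpoint that only honours state-changing calls when the request provably
# comes from the server's own web UI or an updated client, approximated by
# requiring a Referer that names the server. SERVER_HOST, the header layout
# and the sample requests are constructed for illustration.
from urllib.parse import urlparse

SERVER_HOST = "ipa.example.test"  # assumed public hostname of the IPA server


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def referer_status(headers, server_host=SERVER_HOST):
    """Classify the Referer header as 'ok', 'missing' or 'foreign'."""
    referer = _header(headers, "Referer")
    if not referer:
        return "missing"
    parsed = urlparse(referer)
    # Require HTTPS and an exact host match; a prefix test such as
    # startswith("https://ipa.example.test") would accept a lookalike host.
    if parsed.scheme == "https" and parsed.hostname == server_host.lower():
        return "ok"
    return "foreign"


def apply_change(body):
    """Stand-in for the real JSON-RPC method dispatch; it only echoes the call."""
    return {"method": body["method"], "applied": True}


def dispatch_vulnerable(request):
    """Pre-fix shape: any request carrying a valid session is executed,
    including one a browser sent because a crafted page told it to."""
    if not request["session_authenticated"]:
        return ("401", None)
    return ("200", apply_change(request["body"]))


def dispatch_hardened(request, server_host=SERVER_HOST):
    """Post-fix shape: the session alone is not enough; the Referer must
    name this server, so a page on another origin cannot drive the API."""
    if not request["session_authenticated"]:
        return ("401", None)
    if referer_status(request["headers"], server_host) != "ok":
        return ("403", None)
    return ("200", apply_change(request["body"]))


def rejection_report(requests, server_host=SERVER_HOST):
    """Defender's view after rollout: count refused authenticated calls by
    cause, so clients that still lack the header (not yet updated) can be
    told apart from genuine cross-site attempts."""
    report = {"missing": 0, "foreign": 0}
    for req in requests:
        status = referer_status(req["headers"], server_host)
        if status != "ok" and req["session_authenticated"]:
            report[status] += 1
    return report


# Constructed sample traffic. All carry a valid session: the browser attaches
# the session cookie automatically, which is exactly what CSRF relies on.
BODY = {"method": "user_mod", "params": [["alice"], {"usershell": "/bin/sh"}]}
SAMPLE_REQUESTS = {
    "web_ui": {"session_authenticated": True,
               "headers": {"Referer": "https://ipa.example.test/ipa/ui/"},
               "body": BODY},
    "cross_site": {"session_authenticated": True,
                   "headers": {"referer": "https://evil.example/lure.html"},
                   "body": BODY},
    "lookalike_host": {"session_authenticated": True,
                       "headers": {"Referer": "https://ipa.example.test.evil.example/"},
                       "body": BODY},
    "old_client": {"session_authenticated": True, "headers": {}, "body": BODY},
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:15} vulnerable={dispatch_vulnerable(req)[0]} "
              f"hardened={dispatch_hardened(req)[0]}")
    print(rejection_report(SAMPLE_REQUESTS.values()))
```

The "old_client" case is the compatibility point the advisory makes: a client that predates the fix sends no Referer and is refused outright, which is why enrolling new systems and renewing certificates requires the updated ipa-client and certmonger packages. A Referer-based check is also only one building block; browsers and proxies can strip the header, so a per-session token is the usual complement when the web UI is the only expected caller.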

Updated ipa-client and certmonger packages for Red Hat Enterprise Linux 6
were released as part of Red Hat Enterprise Linux 6.2. Future updates will
provide updated packages for Red Hat Enterprise Linux 5.

This update includes several bug fixes. Space precludes documenting all of
these changes in this advisory. Users are directed to the Red Hat
Enterprise Linux 6.2 Technical Notes for information on the most
significant of these changes, linked to in the References section.

Users of Red Hat Identity Management should upgrade to these updated
packages, which correct these issues.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

  • Red Hat Enterprise Linux Server 6 x86_64
  • Red Hat Enterprise Linux Server 6 i386
  • Red Hat Enterprise Linux Workstation 6 x86_64
  • Red Hat Enterprise Linux Workstation 6 i386
  • Red Hat Enterprise Linux Desktop 6 x86_64
  • Red Hat Enterprise Linux Desktop 6 i386
  • Red Hat Enterprise Linux for IBM z Systems 6 s390x
  • Red Hat Enterprise Linux for Power, big endian 6 ppc64
  • Red Hat Enterprise Linux for Scientific Computing 6 x86_64
  • Red Hat Enterprise Linux Server from RHUI 6 x86_64
  • Red Hat Enterprise Linux Server from RHUI 6 i386

Fixes

  • BZ - 680504 - Can not delete reverse DNS record - interactive CLI mode
  • BZ - 681978 - Uninstalling client if the server is installed should be prevented
  • BZ - 681979 - Man page is not clear for ipa-client-install --on-master option usage
  • BZ - 688925 - IPA Replica Install Hangs if DS port is unreachable by Master Server
  • BZ - 689023 - Can't create password policy via UI
  • BZ - 689810 - Inconsistent Error message attempting to add duplicate user
  • BZ - 690185 - Uninstalling ipa-client doesn't restore some files, if reinstalled with -force option
  • BZ - 690473 - Installing ipa-client indicates DNS is updated for this unknown hostname, but is not on server
  • BZ - 692144 - Uninstalling ipa-client doesn't restore sssd.conf, if previously installed with --no-sssd option
  • BZ - 692950 - Installing ipa server with --no-reverse option sets up reverse zone
  • BZ - 693464 - Make explicit reference to ds-replication package
  • BZ - 693483 - Duplicate GIDs
  • BZ - 693766 - Mismatch in man page and --help for ipa-server-install
  • BZ - 693771 - Preinstall check needed if zonemgr has special char
  • BZ - 696193 - Client install fails on ipa-join when master is down, and replica is running.
  • BZ - 696268 - IPA server install with DNS setup, and with --ip-address cannot resolve hostnames
  • BZ - 696282 - Preinstall check needed if subject is not specified in required format
  • BZ - 697009 - ipa-replica-manage: man page and help pages do not match
  • BZ - 697878 - IPA server install should wait for Directory Server port to open after every restart of dirsrv
  • BZ - 698219 - Uninstalling ipa-client fails, if it joined replica when being installed
  • BZ - 698421 - IPA Replica Installing failing on during replication update
  • BZ - 700586 - brand name error in ipa-dns-install cli, it still says "FreeIPA Server"
  • BZ - 701325 - Unable to Download Certificate with Browser
  • BZ - 703188 - TPS: Source rebuild Failures on x86_64 client and workstation
  • BZ - 703869 - Managed Entry Configuration Not Setup when installing replica server
  • BZ - 704012 - IPA Replica Installation Fails - reverse address doesn't match error
  • BZ - 705794 - IPA Replica not started on reboot
  • BZ - 705800 - Improve debug logging in ipa-client-install
  • BZ - 707001 - Illegal CL input results in NULL csr when requesting external ca.
  • BZ - 707009 - IPA server with external CA fails with cannot concatenate 'str' and 'NoneType' objects
  • BZ - 707133 - Successful "ipa-nis-manage enable" command has exit status as 1.
  • BZ - 707229 - ipa-server-install with --no-host-dns still checks DNS
  • BZ - 707312 - Add support for loading new zones from LDAP
  • BZ - 708294 - No output while deleting a sudorule.
  • BZ - 709645 - Remaining external hosts not displayed while removing one from a sudorule.
  • BZ - 709665 - Removed external host is displayed in the output when "--all" switch is used.
  • BZ - 710240 - Added option to Sudo rule message is displayed even when the given option already exists.
  • BZ - 710245 - Removed option from Sudo rule message is displayed even when the given option doesn't exist.
  • BZ - 710253 - RunAs group is not displayed in output while adding as sudorule-add-runasuser with --groups switch.
  • BZ - 710494 - ipa-nis-manage crashes if the specified passwd file does not exist.
  • BZ - 710530 - ipa-nis-manage does not quit when an empty password is entered.
  • BZ - 710592 - ipa sudocmd-add accepts blank spaces as sudo commands.
  • BZ - 710598 - ipa sudocmdgroup-add accepts blank spaces as sudocmdgroup name.
  • BZ - 710601 - ipa sudorule-add accepts blank spaces as sudorule name.
  • BZ - 711667 - Comma separated values for --runasexternaluser option in sudorule-mod are accepted as a single value.
  • BZ - 711671 - Comma separated values for --runasexternalgroup option in sudorule-mod are accepted as a single value.
  • BZ - 711761 - Internal error while removing sudorule option without "--sudooption".
  • BZ - 711786 - sudorunasgroup automatically picks up incorrect value while adding a sudorunasuser.
  • BZ - 712889 - Internal Error: ipa cert-remove-hold ; revocation reason 7
  • BZ - 713069 - Comma separated values for --externaluser option in sudorule-mod are accepted as a single value.
  • BZ - 713374 - Misleading purpose statement for "ipa help sudorule-remove-runasuser"
  • BZ - 713380 - RunAs group is not displayed in output while removing as sudorule-add-runasuser with --groups switch.
  • BZ - 713385 - Missing label for "ipasudorunas_group".
  • BZ - 713481 - Removed "RunAs External Group" is displayed in the output when "--all" switch is used.
  • BZ - 713501 - Inconsistency in how "runas" is termed.
  • BZ - 713531 - [ipa webui] error msg does not match with UI label
  • BZ - 713549 - [ipa webui] Deleting more than 2 elements leaves the Delete prompt open
  • BZ - 713603 - [ipa webui] inconsistent user member list
  • BZ - 713798 - Set allow-recursion by default in IPA DNS
  • BZ - 714238 - --sizelimit unhelpful error with *-find commands
  • BZ - 714597 - ipa-client-install adds duplicate information to krb5.conf
  • BZ - 714600 - ipa-client-install should configure sssd to store password if offline
  • BZ - 714919 - ipa-client-install should configure hostname
  • BZ - 714924 - ipa-client-install complains about non-existing nss_ldap
  • BZ - 715112 - Managed Entries: mep_mod_post_op: Unable to update mapped attributes from origin entry
  • BZ - 716287 - ipa host-mod --setattr should not allow enrolledBy to be changed
  • BZ - 716432 - when directory server debugging enabled, ipactl should not display debugging
  • BZ - 716462 - IPA with integrated DNS - reverse zone is now being added incorrectly
  • BZ - 717020 - [ipa webui] When deactivating user, it updates the user, without having to click on "update" btn
  • BZ - 717625 - [ipa webui] Unable to update config changes
  • BZ - 717724 - [ipa webui] Config: Certificate Subject Base - Should not be Editable
  • BZ - 717726 - [ipa webui] Config: Name on the configuration page is irrelevant and means nothing to an admin
  • BZ - 717729 - [ipa webui] Config: Missing configurable options
  • BZ - 717732 - [ipa webui] Config: Page Needs Better Organization
  • BZ - 717965 - ipa config-show : should display new "Password Expiration Notification"
  • BZ - 718062 - When admin resets a user's password with "ipa passwd" user's failed log in count is not reset
  • BZ - 719656 - Disabling ipa-nis-manage removes netgroup compat suffix in DS.
  • BZ - 720011 - [ipa webui] Add Host: dns zone filter replaces text already typed in hostname.
  • BZ - 720013 - [ipa webui] Add Host: dns zone filter should not list reverse zones
  • BZ - 720336 - WebUI not displaying admin options if the user is admin, but only via nested group
  • BZ - 720711 - Users are not matched from sudo client.
  • BZ - 722228 - [ipa webui] Force Add Host with IP address - Allows cancel but still adds host and dns record
  • BZ - 722468 - [ipa webui] Host Edit Page lists Host Name twice
  • BZ - 723027 - [ipa webui] Host Edit Page Missing Fields
  • BZ - 723233 - HBAC rule :: invalid error message now that deny rule is deprecated and help needs update
  • BZ - 723241 - Unexpected error message with krb Failure Count Interval on i386
  • BZ - 723622 - Need an arch-specific Requires on cyrus-sasl-gssapi
  • BZ - 723624 - Regression: Internal Error: Adding Host Groups
  • BZ - 723778 - No output while deleting an automount location.
  • BZ - 723781 - Missing message summary while adding an automount location.
  • BZ - 723882 - [ipa webui] Host OTP from previously added host appears in new host's edit page
  • BZ - 723969 - Regression: Incorrect Error message returned attempting to add user with uid 0
  • BZ - 723990 - Can not create replication package with ipa-replica-prepare
  • BZ - 724036 - Internal error revoking certificate - default revocation reason
  • BZ - 725433 - automountmap gets added even though the return code is 1.
  • BZ - 725763 - Incorrect message summary while adding an automountkey.
  • BZ - 726028 - Automountkey value doesn't get renamed.
  • BZ - 726123 - Unable to use "--continue" option with "ipa automountkey-del".
  • BZ - 726454 - [ipa webui] After setting an OTP the Web UI does not indicate one was set
  • BZ - 726526 - Reduce number of ports used by CS in IPA by default
  • BZ - 726715 - Importing /etc/auto.master does not detect and import /etc/auto.direct.
  • BZ - 726722 - Error message states 'automountlocationcn' while add/mod/del automountmap or automountkey with empty location.
  • BZ - 726725 - Error message states 'automountmapautomountmapname' while add/mod/del automountkey with empty automountmap name.
  • BZ - 726751 - [ipa webui] Hostgroups :: enroll :: Error 'cn' required when attempting to filter groups with hide already enrolled unchecked
  • BZ - 726943 - IPA should enable configurable ports for its management web interface
  • BZ - 727282 - [ipa webui] Can not get or view host certificate - Regression
  • BZ - 727691 - [IPA WebUI] Identity->DNS : why there is "member" and "setting" under DNS operation
  • BZ - 727921 - [ipa webui] Hostgroup :: No memberOf Net Groups Tab
  • BZ - 728118 - Regression: Unknown attribute 'ipasudorunasgroup_group" displayed while adding sudo runasgroup.
  • BZ - 728614 - el61 - ipa-replica-install does not check for dbus, fails on certmonger
  • BZ - 728950 - IPA should start even if certs are expired
  • BZ - 729089 - [ipa webui] Does not return appropriate error when deleting an external host but checking update dns
  • BZ - 729166 - ipa-server-install creates wrong reverse zone record in LDAP
  • BZ - 729245 - Regression: Missing message summary while adding sudooption.
  • BZ - 729246 - Regression: Missing message summary while removing sudooption.
  • BZ - 729377 - ipa-server-install fails on DNS errors when no DNS check is required
  • BZ - 729665 - [ipa webui] Checking/Unchecking "Hide already enrolled" doesn't change list;
  • BZ - 730436 - use slapi_rwlock instead of NSPR PR_RWLock directly
  • BZ - 730713 - [ipa webui] Checkbox stays checked after deleting a list of objects
  • BZ - 730751 - [ipa webui] inconsistency in enabling "delete" buttons
  • BZ - 731784 - Add Requires on subscription-manager for entitlements
  • BZ - 731804 - [IPA] When upgrading ipa from 2.0.0-23 to 2.1.0-1 uninstall is leaving leftovers and reinstall fails.
  • BZ - 731805 - [ipa webui] inconsistency error msg
  • BZ - 732084 - IPA 2.1 won't start if SELinux is disabled
  • BZ - 732088 - IPA man page is unclear about allowed combinations of arguments
  • BZ - 732468 - ipa-client-install should set LDAPSASL_NOCANON when calling ipa-getkeytab
  • BZ - 732521 - ipa entitle-register : prompts for rhsm password twice like you are trying to set a new password
  • BZ - 732803 - Rebase IPA to upstream 2.1.1
  • BZ - 732996 - Access denied by HBAC rules while using the default ftp hbac service.
  • BZ - 733009 - ipa-client-install says system configured after an unsuccessful run
  • BZ - 733436 - IPA does not always properly detect its configuration status
  • BZ - 734013 - ipa-client-install breaks network configuration
  • BZ - 734706 - ipa hbactest does not evaluate users from groups in an hbacrule.
  • BZ - 734725 - Incorrect service name in examples of ipa help hbactest.
  • BZ - 735187 - [ipa webui] Sudo Rule has extra User group section in "As Whom" section
  • BZ - 736276 - ipa hbactest fails if sourcehost is external.
  • BZ - 736455 - [ipa webui] Sudo Rule includes indirect hosts and users members in its list to add
  • BZ - 736617 - ipa-client-install mishandles ntp service configuration
  • BZ - 736684 - ipa-client-install should sync time before kinit
  • BZ - 736787 - ipa-client-install fails to join ipa server.
  • BZ - 737048 - ipa-client-install calls authconfig with wrong parameters
  • BZ - 737516 - ipa-server files with incorrect selinux context
  • BZ - 737581 - ipa host-add Allowed to add host - hostname trailing space
  • BZ - 737994 - File parameter fails if prompted for
  • BZ - 737997 - should enforce some naming constraints on users and groups
  • BZ - 738038 - [ipa webui] Remove Category info from HBAC and Sudo pages
  • BZ - 738053 - ipa-ldap-updater : Not an end user utility and the man pages should reflect this
  • BZ - 738339 - [ipa webui] Encode special chars in values when displaying
  • BZ - 738693 - user is not prompted to enter current password when changing to a new password
  • BZ - 739040 - Traceback message displayed while installing ipa client on IPv6 machine.
  • BZ - 739060 - Disable entitlement plugin and CAL counting
  • BZ - 739061 - Disable entitlement plugin in Web UI
  • BZ - 739089 - Unable to add ipa user on IPv6 machine.
  • BZ - 739195 - [ipa webui] Unprovisioning keytab does not have cancel option
  • BZ - 739604 - ipa-server-install :: failing to configure CA :: restorecon returning 1 when changing context
  • BZ - 739640 - [ipa webui] Allowed to add service without defining service name
  • BZ - 739650 - [ipa webui] IPA Server Configuration :: Issue with Default Size Limit and Default User Group
  • BZ - 740320 - [ipa webui] Posix checkbox for group-add has no effect
  • BZ - 740830 - Intermittently see "search criteria was not specific enough." while adding a hbacrule
  • BZ - 740838 - Missing additional info while adding a non-existing service to an hbacrule.
  • BZ - 740844 - Missing additional info while removing a non-existing service from an hbacrule.
  • BZ - 740850 - hbactest does not resolve canonical names during simulation.
  • BZ - 740854 - Inconsistency in the error output while providing an invalid rule name.
  • BZ - 740879 - [ipa webui] In adder_dialog, an object can be selected to be added multiple times.
  • BZ - 740880 - [ipa webui] In adder_dialog, change order of >> and <<
  • BZ - 740885 - [ipa webui] In adder_dialog, no error indicated when choosing to enroll without selecting an object
  • BZ - 740891 - [ipa webui] Deleting a host in HBAC Rule without selecting it, throws a browser error instead of an IPA error
  • BZ - 741050 - Unable to configure IPA client against IPA server with anonymous bind disabled
  • BZ - 741277 - [ipa webui] IN HBAC & Sudo, when a category is set to 'All', entries in that category are not deleted
  • BZ - 741677 - ipa-client-install --password=$PASSWORD will cause /var/log/ipaclient-install.log to contain the password.
  • BZ - 741808 - ipa migrate-ds does not migrate all groups that are expected to migrate
  • BZ - 742024 - [ipa webui] Missing option in Config tab to set default shell
  • BZ - 742327 - Default DNS Administration Role - Permissions missing
  • BZ - 742616 - IPA man pages should be more clear about the meaning of --selfsign
  • BZ - 742875 - named fails to start after installing ipa server when short hostname precedes fqdn in /etc/hosts.
  • BZ - 743253 - duplicate hostgroup and netgroup
  • BZ - 743295 - [ipa webui] If adding non-posix group, unchecking posix box should disable GID field
  • BZ - 743788 - Title is missing while configuring browser first time
  • BZ - 743936 - [ipa webui] Unable to access Webui
  • BZ - 743955 - Cert error when accessing host in webui or cli
  • BZ - 744024 - ipa-client-install return code indicates a success, even though it failed
  • BZ - 744074 - [ipa webui] global password policy should not be able to be deleted
  • BZ - 744101 - Client install fails when anonymous bind is disabled
  • BZ - 744234 - Internal Server Error adding invalid reverse DNS zone
  • BZ - 744264 - [ipa webui] missing fields in password policy page
  • BZ - 744306 - Unable to add Windows Synchronization Agreement
  • BZ - 744410 - ipa hbactest does not evaluate indirect members from groups.
  • BZ - 744422 - Leaks KDC password and master password via command line arguments
  • BZ - 744798 - Traceback when upgrading from ipa-server-2.1.1-1 to ipa-server-2.1.2-2
  • BZ - 745392 - ipa-client-install hangs if the discovered server is unresponsive
  • BZ - 745575 - [ipa webui] Config - User search fields - if blank, throws error - an internal error has occurred
  • BZ - 745698 - --forwarder option of ipa-dns-install allows invalid IP address.
  • BZ - 745957 - [ipa webui] As a Host Administrator, user does not have access to the Host tab
  • BZ - 746056 - [ipa webui] Unable to add external user for RunAs User for Sudo rules
  • BZ - 746199 - typo in error message while adding invalid ptr record.
  • BZ - 746227 - hbactest fails while you have svcgroup in hbacrule.
  • BZ - 746229 - ipa-server-install fails with latest dev build
  • BZ - 746276 - Error when using ipa-client-install with --no-sssd option
  • BZ - 746298 - installation fails if sssd.conf exists and is already configured
  • BZ - 746717 - Disable automember functionality
  • BZ - 747028 - Fix minor problems in help system
  • BZ - 747443 - Certmonger fail to issue host certificate when IPA client is outside of the IPA domain.
  • BZ - 747710 - CVE-2011-3636 FreeIPA: CSRF vulnerability
  • BZ - 748754 - "krb5kdc: line 1: 7: command not found" message displayed during ipactl restart on multi-cpu system.
  • BZ - 749352 - users not in ypcat netgroup output
  • BZ - 751179 - [ipa webui] Unable to change password, misleading error

CVEs

  • CVE-2011-3636

References