Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update

Synopsis

Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update for the idm:DL1 and idm:client modules is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments.

The following packages have been upgraded to a later upstream version: ipa (4.8.7), softhsm (2.6.0), opendnssec (2.1.6). (BZ#1759888, BZ#1818765, BZ#1818877)

Security Fix(es):

  • js-jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)
  • bootstrap: XSS in the data-target attribute (CVE-2016-10735)
  • bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
  • bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
  • bootstrap: XSS in the tooltip data-viewport attribute (CVE-2018-20676)
  • bootstrap: XSS in the affix configuration target property (CVE-2018-20677)
  • bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)
  • js-jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
  • jquery: Cross-site scripting due to improper jQuery.htmlPrefilter method (CVE-2020-11022)
  • ipa: No password length restriction leads to denial of service (CVE-2020-1722)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258
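The article above covers applying the update; the check below is an added example, not part of the advisory or of Red Hat's tooling, for confirming afterwards that the rebased packages named in the Description (ipa 4.8.7, softhsm 2.6.0, opendnssec 2.1.6) are at or beyond those versions. The package names ipa-server, ipa-client, softhsm and opendnssec are assumed for the example, and the `rpm -q` lines are constructed, not captured from a host.

```shell
#!/bin/sh
# Added example (not from the advisory): compare installed package versions
# against the upstream versions this advisory rebases to.
# On a real host, feed advisory_applied the output of:
#   rpm -q --qf '%{NAME} %{VERSION}\n' ipa-server ipa-client softhsm opendnssec

# Minimum versions from the advisory; package names are assumed for the example.
REQUIRED='ipa-server 4.8.7
ipa-client 4.8.7
softhsm 2.6.0
opendnssec 2.1.6'

# version_ge A B: succeeds if version A sorts at or after version B
# (numeric-aware, so 4.8.10 is newer than 4.8.7).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# package_status NAME MINVER INSTALLED_LINES: prints OK, OUTDATED or MISSING.
# "package X is not installed" lines from rpm have no matching name column,
# so an uninstalled package reports MISSING rather than a bogus version.
package_status() {
    name=$1; minver=$2; installed=$3
    have=$(printf '%s\n' "$installed" | awk -v n="$name" '$1 == n { print $2; exit }')
    if [ -z "$have" ]; then
        echo MISSING
    elif version_ge "$have" "$minver"; then
        echo OK
    else
        echo OUTDATED
    fi
}

# advisory_applied INSTALLED_LINES: prints one report line per required
# package and succeeds only if every one is OK. A here-document is used
# instead of a pipe so the loop runs in the current shell and the failure
# count is not lost in a subshell.
advisory_applied() {
    installed=$1
    failures=0
    while read -r name minver; do
        [ -n "$name" ] || continue
        status=$(package_status "$name" "$minver" "$installed")
        printf '%-12s need >= %-6s %s\n' "$name" "$minver" "$status"
        [ "$status" = OK ] || failures=$((failures + 1))
    done <<EOF
$REQUIRED
EOF
    [ "$failures" -eq 0 ]
}

# Constructed samples standing in for rpm output before and after the update.
SAMPLE_BEFORE='ipa-server 4.8.4
ipa-client 4.8.4
softhsm 2.4.0
package opendnssec is not installed'
SAMPLE_AFTER='ipa-server 4.8.7
ipa-client 4.8.7
softhsm 2.6.0
opendnssec 2.1.6'

advisory_applied "$SAMPLE_BEFORE" || echo "update not applied"
advisory_applied "$SAMPLE_AFTER" && echo "update applied"
```

The version comparison only holds for the rebased packages, where the fix coincides with the new upstream version; the bundled jquery and bootstrap fixes ship inside the ipa packages, so the ipa check covers them. The authoritative answer on a RHEL host is still `dnf updateinfo list --security installed`, which reports applied advisories by ID regardless of version numbering.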

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

  • BZ - 1399546 - CVE-2015-9251 jquery: Cross-site scripting via cross-domain ajax requests
  • BZ - 1430365 - [RFE] Host-group names command rename
  • BZ - 1488732 - fake_mname in named.conf is no longer effective
  • BZ - 1585020 - Enable compat tree to provide information about AD users and groups on trust agents
  • BZ - 1601614 - CVE-2018-14040 bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute
  • BZ - 1601617 - CVE-2018-14042 bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip
  • BZ - 1651577 - [WebUI] "IPA Error 3007: RequirementError" while adding members in "User ID overrides" tab
  • BZ - 1668082 - CVE-2018-20676 bootstrap: XSS in the tooltip data-viewport attribute
  • BZ - 1668089 - CVE-2018-20677 bootstrap: XSS in the affix configuration target property
  • BZ - 1668097 - CVE-2016-10735 bootstrap: XSS in the data-target attribute
  • BZ - 1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute
  • BZ - 1701233 - [RFE] support setting supported signature methods on the token
  • BZ - 1701972 - CVE-2019-11358 jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection
  • BZ - 1746830 - Memory leak during search of idview overrides
  • BZ - 1750893 - Memory leak when slapi-nis return entries retrieved from nsswitch
  • BZ - 1751295 - When sync-repl is enabled, slapi-nis can deadlock during retro changelog trimming
  • BZ - 1757045 - IDM Web GUI / IPA web UI: the ID override operation doesn't work in GUI (it works only from CLI)
  • BZ - 1759888 - Rebase OpenDNSSEC to 2.1
  • BZ - 1768156 - ERR - schemacompat - map rdlock: old way MAP_MONITOR_DISABLED
  • BZ - 1777806 - When Service weight is set as 0 for server in IPA location "IPA Error 903: InternalError" is displayed
  • BZ - 1793071 - CVE-2020-1722 ipa: No password length restriction leads to denial of service
  • BZ - 1801698 - [RFE] Changing default hostgroup is too easy
  • BZ - 1802471 - SELinux policy for ipa-custodia
  • BZ - 1809835 - RFE: ipa group-add-member: number of failed should also be emphasized
  • BZ - 1810154 - RFE: ipa-backup should compare locally and globally installed server roles
  • BZ - 1810179 - ipa-client-install should name authselect backups and restore to that at uninstall time
  • BZ - 1813330 - ipa-restore does not restart httpd
  • BZ - 1816784 - KRA install fails if all KRA members are Hidden Replicas
  • BZ - 1818765 - [Rebase] Rebase ipa to 4.8.6+
  • BZ - 1818877 - [Rebase] Rebase to softhsm 2.6.0+
  • BZ - 1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper jQuery.htmlPrefilter method
  • BZ - 1831732 - AVC avc: denied { dac_override } for comm="ods-enforcerd"
  • BZ - 1831935 - AD authentication with IdM against SQL Server
  • BZ - 1832331 - [abrt] [faf] 389-ds-base: unknown function(): /usr/sbin/ns-slapd killed by 11
  • BZ - 1833266 - [dirsrv] set 'nsslapd-enable-upgrade-hash: off' as this raises warnings
  • BZ - 1834264 - BIND rebase: rebuild against new so version
  • BZ - 1834909 - softhsm use-after-free on process exit
  • BZ - 1845211 - Rebase bind-dyndb-ldap to 11.3
  • BZ - 1845537 - IPA bind configuration issue
  • BZ - 1845596 - ipa trust-add fails with 'Fetching domains from trusted forest failed'
  • BZ - 1846352 - cannot issue certs with multiple IP addresses corresponding to different hosts
  • BZ - 1846434 - Remove ipa-idoverride-memberof as superseded by ipa-server 4.8.7
  • BZ - 1847999 - EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in freeipa-client-epn
  • BZ - 1849914 - FreeIPA - Utilize 256-bit AJP connector passwords
  • BZ - 1851411 - ipa: typo issue in ipanthomedirectoryrive definition
  • BZ - 1852244 - ipa-healthcheck inadvertently obsoleted in RHEL 8.2
  • BZ - 1853263 - ipa-selinux package missing
  • BZ - 1857157 - replica install failing with avc denial for custodia component
  • BZ - 1858318 - AttributeError: module 'ssl' has no attribute 'SSLCertVerificationError' when upgrading ca-less ipa master
  • BZ - 1859213 - AVC denial during ipa-adtrust-install --add-agents
  • BZ - 1863079 - ipa-epn command displays 'exception: ConnectionRefusedError: [Errno 111] Connection refused'
  • BZ - 1863616 - CA-less install does not set required permissions on KDC certificate
  • BZ - 1866291 - EPN: enhance input validation
  • BZ - 1866938 - ipa-epn fails to retrieve user data if some user attributes are not present
  • BZ - 1868432 - Unhandled Python exception in '/usr/libexec/ipa/ipa-pki-retrieve-key'
  • BZ - 1869311 - ipa trust-add fails with 'Fetching domains from trusted forest failed'
  • BZ - 1870202 - File permissions of /etc/ipa/ca.crt differ between CA-ful and CA-less
  • BZ - 1874015 - ipa hbacrule-add-service --hbacsvcs=sshd is not applied successfully for subdomain
  • BZ - 1875348 - Valgrind reports a memory leak in the Schema Compatibility plugin.
  • BZ - 1879604 - pkispawn logs files are empty
