Sicherheit: Zwei Probleme in IPA
Aktuelle Meldungen Distributionen
Name: Zwei Probleme in IPA
ID: RHSA-2015:0442-01
Distribution: Red Hat
Plattformen: Red Hat Enterprise Linux
Datum: Do, 5. März 2015, 22:25
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5312
Applikationen: IPA


Red Hat Security Advisory

Synopsis: Moderate: ipa security, bug fix, and enhancement update
Advisory ID: RHSA-2015:0442-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0442.html
Issue date: 2015-03-05
CVE Names: CVE-2010-5312 CVE-2012-6662

1. Summary:

Updated ipa packages that fix two security issues, several bugs, and add
various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

Red Hat Identity Management (IdM) is a centralized authentication, identity
management, and authorization solution for both traditional and cloud-based
enterprise environments.

Two cross-site scripting (XSS) flaws were found in jQuery, which impacted
the Identity Management web administrative interface, and could allow an
authenticated user to inject arbitrary HTML or web script into the
interface. (CVE-2010-5312, CVE-2012-6662)

Note: The IdM version provided by this update no longer uses jQuery.

This update adds several enhancements that are described in more detail in
the Red Hat Enterprise Linux 7.1 Release Notes, linked to in the References
section, including:

* Added the "ipa-cacert-manage" command, which renews the Certification
Authority (CA) file. (BZ#886645)

* Added the ID Views feature. (BZ#891984)

* IdM now supports using one-time password (OTP) authentication and allows
gradual migration from proprietary OTP solutions to the IdM OTP solution.

* Added the "ipa-backup" and "ipa-restore" commands to allow
backups. (BZ#951581)

* Added a solution for regulating access permissions to specific sections
of the IdM server. (BZ#976382)

This update also fixes several bugs, including:

* Previously, when IdM servers were configured to require the Transport
Layer Security protocol version 1.1 (TLSv1.1) or later in the httpd server,
the "ipa" command-line utility failed. With this update, running
works as expected with TLSv1.1 or later. (BZ#1156466)

In addition, this update adds multiple enhancements, including:

* The "ipa-getkeytab" utility can now optionally fetch existing keytabs
from the KDC. Previously, retrieving an existing keytab was not supported,
as the only option was to generate a new key. (BZ#1007367)

* You can now create and manage a "." root zone on IdM servers. DNS
sent to the IdM DNS server use this configured zone instead of the public
zone. (BZ#1056202)

* The IdM server web UI has been updated and is now based on the Patternfly
framework, offering better responsiveness. (BZ#1108212)

* A new user attribute now enables provisioning systems to add custom tags
for user objects. The tags can be used for automember rules or for
additional local interpretation. (BZ#1108229)

* This update adds a new DNS zone type to ensure that forward and master
zones are better separated. As a result, the IdM DNS interface complies
with the forward zone semantics in BIND. (BZ#1114013)

* This update adds a set of Apache modules that external applications can
use to achieve tighter interaction with IdM beyond simple authentication.

* IdM supports configuring automember rules for automated assignment of
users or hosts in respective groups according to their characteristics,
such as the "userClass" or "departmentNumber" attributes.
Previously, the
rules could be applied only to new entries. This update allows applying the
rules also to existing users or hosts. (BZ#1108226)

* The extdom plug-in translates Security Identifiers (SIDs) of Active
Directory (AD) users and groups to names and POSIX IDs. With this update,
extdom returns the full member list for groups and the full list of group
memberships for a user, the GECOS field, the home directory, as well as the
login shell of a user. Also, an optional list of key-value pairs contains
the SID of the requested object if the SID is available. (BZ#1030699)

All ipa users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add these

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:


5. Bugs fixed (https://bugzilla.redhat.com/):

711693 - [RFE] Normal users should not be given privileges to view all
sudorules and their details.
788645 - [RFE] Allow filter and subtree to be added in same permission
815828 - Rename DNS permissions to use mixed-case
817909 - error indicates a different reason when ipa permission-mod fails to
modify attrs
854335 - Unable to update "remove automount keys" - it has filter and
subtree specified
887988 - [RFE] Expose the krbPrincipalExpiration attribute for editing in the
891984 - [RFE] ID Views: Support migration from the sync solution to the trust
893850 - Unable to update permissions for "Add Automount Keys"
921655 - fix UI CSS to support RH branding
922749 - IPA Navigation links overlaped or unclickable
924008 - Unknown binary attributes can cause migration to fail
924395 - [RFE] ipa-client-install should configure sudo automatically
951581 - [RFE] Backup & Restore mechanism
970618 - [RFE] pac-type change must be effective immediately without kdc
971061 - Localization not working even for languages that are localized
975456 - [RFE] add option to ipa-client-install to configure automount
985234 - ipa-client-install --uninstall starts nscd service
1027712 - "username" field in IPA webUI login page should be mandatory
1027713 - There is no version information on IPA WebUI
1030699 - [RFE] Support initgroups for unauthenticated AD users
1031111 - ipa-client: add root CA to trust anchors if not already available
1033357 - ipactl can not restart ipa services if current status is
1035286 - [WebUI] Realm domain is not providing proper error message
1048934 - [WebUI] Retry and Cancel dialogs do not support 'confirmation by
1048956 - [WebUI] "OK" button is not focused on "Operations
Error" dialog, once we opened "show details"
1056202 - [RFE] Support DNS root zone
1058780 - Missing checks during ipa idrange-add
1060349 - IPA: Unable to add host when ipv6 address already exits
1061772 - [WebUI] Maximum serial number search accepts negative inputs and
lists wrong search results.
1072502 - running ipa-server-install --setup-dns results in a crash
1075129 - bogus time estimates shown for configuration of various component in
replica installation
1077734 - [WebUI] select all checkbox remains selected after operation
1080209 - IPA server does not allow sudo host network filters
1080532 - ipa-client-install --uninstall crash on a freshly installed machine
joined to IPA via reamd and anaconda
1081626 - When certmonger is still tracking cert in ipa, uninstall fails but
error does not indicate this
1084609 - [RFE] RHEL7 support for ipa-admintools on other architectures
1099811 - Apache crashes when replica is restarted when installing
1107555 - [RFE] Provide a stack of apache modules for any applications to
1108195 - MOD command returns duplicate memberships
1108201 - cannot create dns zone when name has consecutive dash characters
1108202 - dnsrecord-* with absolute target gives error
1108203 - [RFE] Add EmployeeID in the Web UI and command name
1108204 - PTR record cannot be added from UI, if user added zone without last
1108205 - Replica installation dies if /etc/resolv.conf is not writeable
1108206 - sshd should run at least once before ipa-client-install
1108207 - [WebUI] When adding a condition to an automember rule, expression
field should be required
1108208 - The Synchronizing time with KDC... message looks strange between
login and password prompts
1108212 - [RFE] Adopt Patternfly/RCUE open interface project for the Web UI
1108213 - Installers should explicitly specify auth mechanism when calling
1108214 - ipa-replica-install: DNS check is between "host already
exists" message and exit
1108215 - Make Read replication agreements permission less more targeted
1108216 - Unexpected error when providing incorrect password to
1108220 - Broken Firefox configuration files in freeipa-client package
1108222 - SSH widget doesn't honor a lack of write right
1108224 - Replace ntpdate calls with ntpd
1108225 - ipadb.so could get tripped up by DAL changes to support keyless
1108226 - [RFE] Use automember for hosts after the host is added
1108228 - Add UI for the new user and host userClass attribute
1108229 - [RFE] Better integration with the external provisioning systems -
1108230 - Should not display ports to open when password is incorrect during
1108231 - ipa-join usage instructions are incorrect
1108232 - [RFE] ipa migrate-ds should have an argument to specify cert to use
for DS connection
1108233 - [RFE] ipa dnsrecord-add should allow internationalized names
1108234 - [WebUI] it is not clear which row a value belongs to
1108235 - xmlrpc system commands do not work
1108236 - Name is blank in error message for duplicate automember rule
1108237 - [RFE] Enhance input validation for filters in access control
1109726 - Rebase IPA to 4.1
1112603 - Internal Error: `ipa sudorule-mod rule --order=`
1112605 - [RFE] Add support for SubjectAltNames (SAN) to IPA service
1112691 - ipa-server-install break sshd
1113918 - Setting a sudo category to all doesn't check to see if rules
already exist
1113919 - Let deny commands be added to sudo rule with cmdcatetory=ALL
1113920 - Sudo runasgroup entry not generated by the sudo compat tree
1114013 - [RFE] Separate master and forward DNS zones
1115048 - Description attribute should not be required
1115616 - [RFE] Allow unlocking user in Web UI
1126989 - ipa-client-install creates configuration file with deprecated values
1128380 - Failure when installing on dual stacked system with external ca
1129558 - Windows Server 2012 CA does not accept CSR generated by IdM External
CA installation
1129730 - CA-less installation fails when the CA cert has an empty subject
1131049 - Update SSL ciphers configured in 389-ds-base
1131187 - ipa-ldap-upgrade should restore Directory Server settings when
upgrade fails
1131877 - Registering one IPA server with the browser removes entries for
1133966 - ipa trust-add cmd should be interactive
1138773 - Internal error received for blank password with --trust-secret
1138775 - Password migration is broken
1138777 - Renewal with no master CA
1138791 - Prohibit setting --rid-base for ranges of ipa-trust-ad-posix type
1138792 - Disable unsupported ID range types
1138795 - DS returns limited RootDSE
1138798 - Add support for bounce_url to /ipa/ui/reset_password.html
1138803 - Do not store host certificate in shared NSS database /etc/pki/nssdb
1142088 - ipa-server-install searches CA under different hostname
1142789 - host-del command does not accept --continue
1147679 - ipa man page incorrectly indicates how to add users
1149124 - group-add doesn't accept gid parameter
1156466 - POODLE: force using safe ciphers (non-SSLv3) in IPA client and server
1159011 - Trust setting not restored for CA cert with ipa-restore command
1159330 - RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans
for httpd
1159816 - ignoring user attributes in migrate-ds does not work if uppercase
characters are returned by ldap
1160756 - Investigate & fix Coverity defects in IPA DS/KDC plugins
1160758 - Tests: host-del returns DatabaseError
1161128 - Upgrade 3.3.5 to 4.1 failed
1161129 - ipactl stop should stop dirsrv last
1161131 - Deadlock in schema compat plugin
1162340 - ipa-server-install fails when restarting named
1163498 - Renewing the CA signing certificate does not extend its validity
period end
1163849 - error message which is not understandable when IDNA2003 characters
are present in --zonemgr (--zonemgr=Têko@redhat.com)
1164859 - Traceback when adding zone with long name
1164896 - RHEL7.1 IPA server httpd avc denials after upgrade
1166041 - CVE-2010-5312 jquery-ui: XSS vulnerability in jQuery.ui.dialog title
1166064 - CVE-2012-6662 jquery-ui: XSS vulnerability in default content in
Tooltip widget
1166641 - ipa-otp-lasttoken loads all user's tokens on every mod/del
1166931 - RHEL7.1 ipa automatic CA cert renewal stuck in submitting state
1167196 - schema update on RHEL-6.6 using latest copy-schema-to-ca.py from
RHEL-7.1 build fails
1167270 - Tracebacks with latest build for --zonemgr cli option
1167964 - RHEL7.1 ipa replica unable to replicate to rhel6 master
1168214 - [WebUI] Not able to unprovisioning service in IPA 4.1
1168376 - Clean up debug log for trust-add
1168916 - Extend host-show to add the view attribute in set of default
1169591 - RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not
1169867 - Winsync: Setup is broken due to incorrect import of certificate
1170003 - RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca
1170695 - krb5kdc crash in ldap_pvt_search
1171089 - webui: increase notification duration
1172578 - CLI doesn't show SSHFP records with SHA256 added via nsupdate
1172598 - Access is not rejected for disabled domain
1173207 - IPA certs fail to autorenew simultaneouly
1175277 - Data replication not working as expected after data restore from full
1175287 - No error message thrown on restore(full kind) on replica from full
backup taken on master
1175326 - ipa-restore proceed even IPA not configured
1175384 - DNS zones are not migrated into forward zones if 4.0+ replica is
1176034 - More validation required on ipa-restore's options
1176995 - IPA replica missing data after master upgraded
1177133 - When migrating warn user if compat is enabled
1178128 - IPA externally signed CA cert expiration warning missing from log
1181010 - ipa-replica-manage list does not list synced domain
1181093 - PassSync does not sync passwords due to missing ACIs
1181767 - ipa-upgradeconfig fails in CA-less installs
1183279 - ipa-replica-manage disconnect fails without password
1184149 - DUA profile not available anonymously
1185410 - idoverrideuser-add option --sshpubkey does not work
1186396 - ipa-restore crashes if replica is unreachable
1186398 - Wrong directories created on full restore
1187342 - Login ignores global OTP enablement
1187540 - Full set of objectclass not available post group detach.

6. Package List:

Red Hat Enterprise Linux Client (v. 7):



Red Hat Enterprise Linux Client Optional (v. 7):


Red Hat Enterprise Linux ComputeNode (v. 7):



Red Hat Enterprise Linux ComputeNode Optional (v. 7):


Red Hat Enterprise Linux Server (v. 7):





Red Hat Enterprise Linux Server Optional (v. 7):



Red Hat Enterprise Linux Workstation (v. 7):



These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from

7. References:


8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
Version: GnuPG v1


Enterprise-watch-list mailing list
Pro-Linux @Facebook
Neue Nachrichten