Sicherheit: Zwei Probleme in freeipa
Aktuelle Meldungen Distributionen
Name: Zwei Probleme in freeipa
ID: FEDORA-2019-c64e1612f5
Distribution: Fedora
Plattformen: Fedora 31
Datum: Do, 5. Dezember 2019, 07:10
Referenzen: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10195
Applikationen: FreeIPA


Fedora Update Notification
2019-12-05 01:39:12.689096

Name : freeipa
Product : Fedora 31
Version : 4.8.3
Release : 1.fc31
URL : http://www.freeipa.org/
Summary : The Identity, Policy and Audit system
Description :
IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
(host access control, SELinux user roles, services). The solution provides
features for further integration with Linux based clients (SUDO, automount)
and integration with Active Directory based infrastructures (Trusts).

Update Information:

FreeIPA 4.8.3 is a security update release that includes fixes for two issues:
* CVE-2019-10195: Don't log passwords embedded in commands in calls using
A flaw was found in the way that FreeIPA's batch processing API logged
operations. This included passing user passwords in clear text on FreeIPA
masters. Batch processing of commands with passwords as arguments or options is
not performed by default in FreeIPA but is possible by third-party components.
An attacker having access to system logs on FreeIPA masters could use this flaw
to produce log file content with passwords exposed. The issue was reported by
Jamison Bennett from Cloudera * CVE-2019-14867: Make sure to have storage
for tag A flaw was found in the way the internal function ber_scanf() was used
in some components of the IPA server, which parsed kerberos key data. An
unauthenticated attacker who could trigger parsing of the krb principal key
could cause the IPA server to crash or in some conditions, cause arbitrary code
to be executed on the server hosting the IPA server. The issue was reported by
Todd Lipcon from Cloudera

* Tue Nov 26 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.3-1
- New upstream release 4.8.3
- CVE-2019-14867: Denial of service in IPA server due to wrong use of
- CVE-2019-10195: Don't log passwords embedded in commands in calls using
* Tue Nov 12 2019 Rob Crittenden <rcritten@redhat.com> - 4.8.2-1
- New upstream release 4.8.2
- Replace %{_libdir} macro in BuildRequires (#1746882)
- Restore user-nsswitch.conf before calling authselect (#1746557)
- ipa service-find does not list cifs service created by
ipa-client-samba (#1731433)
- Occasional 'whoami.data is undefined' error in FreeIPA web UI
- ipa-kra-install fails due to fs.protected_regular=1 (#1698384)
* Sun Oct 20 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.1-4
- Don't create log files from helper scripts
- Fixes: rhbz#1754189
* Tue Oct 8 2019 Christian Heimes <cheimes@redhat.com> - 4.8.1-3
- Fix compatibility issue with preexec_fn in Python 3.8
- Fixes: rhbz#1759290

[ 1 ] Bug #1777147 - CVE-2019-10195 freeipa: IPA: batch API logging user
passwords to /var/log/httpd/error_log [fedora-all]
[ 2 ] Bug #1777200 - CVE-2019-14867 freeipa: ipa: Denial of service in IPA
server due to wrong use of ber_scanf() [fedora-all]

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-c64e1612f5' at the command
line. For more information, refer to the dnf documentation available at

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org
Pro-Linux @Facebook
Neue Nachrichten