
Bug Fix Advisory ipa-client bug fix update

Advisory: RHBA-2012:0190-1
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2012-02-20
Last updated on: 2012-02-20
Affected Products: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)

Details

An updated ipa-client package that fixes various bugs and adds several
enhancements is now available for Red Hat Enterprise Linux 5.

The ipa-client package provides a tool to enroll a machine to an IPA version 2
server. IPA (Identity, Policy, Audit) is an integrated solution that provides
centrally managed identity, that is, machines, users, virtual machines, groups,
and authentication credentials.

The ipa-client package has been upgraded to upstream version 2.1.3, which
provides a number of bug fixes and enhancements over the previous version.
(BZ#753936)

This update also fixes the following bugs:

* Prior to this update, GSSAPI credential delegation was disabled in the curl
utility due to a security issue. As a result, applications that rely on the
delegation did not work properly. This update utilizes a new constructor
argument in the xmlrpc-c client API to set the new CURLOPT_GSSAPI_DELEGATION
curl option. This option enables credential delegation. (BZ#723667)

* A previous server-side change, made for CVE-2011-3636, required every caller
of the IPA server API to include the Referer header in its request. Requests
from the certmonger and ipa administrative tools did not provide the header and
could fail with the error "Missing or invalid HTTP Referer". These requests are
transferred using curl, and curl does not allow setting of arbitrary headers.
To resolve this problem, the code has been changed so that the curl version is
stored in the HTTP request field X-Original-User-Agent and the rest of the
header is overridden. As a result, the correct header is used for the requests
and the problem no longer occurs. (BZ#752226)

* If the user ran the ipa-client-install command with the password defined (for
example, "ipa-client-install --principal=admin --password=SecretPsswd"), the
/var/log/ipaclient-install.log file contained the password in plain text. With
this update, the underlying code is modified and the provided password is no
longer saved in the logs in this scenario. (BZ#739068)

* Previously, KDC (Key Distribution Center) autodiscovery failed if the domain
name differed from the Kerberos realm name. This happened because the
ipa-client-install utility always assumed that the realm name was identical to
the domain name. Now the realm is used when performing autodiscovery and the
problem no longer occurs. (BZ#710143)

* The cyrus-sasl-gssapi package is a soft dependency needed by some IPA client
tools. Previously, the ipa-client package spec file did not contain the
cyrus-sasl-gssapi dependency for some architectures. As a result, installation
on some platforms could fail. This update adds the missing dependency to the
spec file and the installation process finishes successfully. (BZ#750338)

* The cyrus-sasl-gssapi package is a soft dependency needed by some IPA client
tools. Previously, when installing 32-bit packages on a 64-bit system, the macro
determining the required architecture version of the cyrus-sasl-gssapi package
did not work correctly. As a result, an incorrect version of cyrus-sasl-gssapi
was installed and the system failed to work; for example, the ipa-getkeytab
command failed with the following error because the 32-bit GSSAPI SASL mechanism
was not available:

SASL Bind failed.

This update corrects the macro and the problem no longer occurs. (BZ#723620)
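
For the ipaclient-install.log password exposure (BZ#739068) listed above, hosts enrolled with an older client can still hold the password on disk after the update. The shell functions below are an added example, not part of the advisory or of ipa-client: they report which log lines carry a --password value without echoing it, and produce a redacted copy. The sample log layout and all function names are assumptions.

```shell
#!/bin/sh
# Added example (not Red Hat's code): audit an ipa-client-install log for a
# command-line password left by clients affected by BZ#739068.
# Usage after sourcing: audit_log /var/log/ipaclient-install.log

# Constructed sample; the real log's line layout may differ.
sample_log() {
    cat <<'EOF'
2012-01-10 09:14:02 DEBUG ipa-client-install was invoked with --principal=admin --password=SecretPsswd
2012-01-10 09:14:03 DEBUG will use domain: example.com
2012-01-10 09:14:09 INFO Enrolled in IPA realm EXAMPLE.COM
EOF
}

# A value is any run of characters up to whitespace or a quote.
PW_RE="--password[= ][^ '\"][^ '\"]*"

# Print line numbers that carry a --password value, never the value itself.
# Already-redacted occurrences are dropped first so they are not re-reported.
leaked_lines() {
    sed 's/--password[= ]\[REDACTED]//g' "$1" | grep -n -e "$PW_RE" | cut -d: -f1
}

# Emit the log with every --password value masked.
redact_log() {
    sed "s/\(--password[= ]\)[^ '\"][^ '\"]*/\1[REDACTED]/g" "$1"
}

# True when "other" users can read the file.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Return 0 if clean, 1 if a password value is present, 2 if unreadable.
audit_log() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    hits=$(leaked_lines "$1")
    [ -z "$hits" ] && { echo "no --password value in $1"; return 0; }
    echo "password value on line(s): $(echo $hits)"
    world_readable "$1" && echo "warning: $1 is world-readable"
    echo "change that password, then replace the log with redact_log output"
    return 1
}
```

Rotated or archived copies of the log need the same check, since the update only stops new entries from recording the password.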

All ipa-client users are advised to upgrade to this updated package, which fixes
these bugs and adds these enhancements.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Updated packages

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
ipa-client-2.1.3-1.el5.src.rpm
File outdated by:  RHBA-2013:1334
 
IA-32:
ipa-client-2.1.3-1.el5.i386.rpm
File outdated by:  RHBA-2013:1334
 
IA-64:
ipa-client-2.1.3-1.el5.ia64.rpm
File outdated by:  RHBA-2013:1334
 
PPC:
ipa-client-2.1.3-1.el5.ppc.rpm
File outdated by:  RHBA-2013:1334
 
s390x:
ipa-client-2.1.3-1.el5.s390x.rpm
File outdated by:  RHBA-2013:1334
 
x86_64:
ipa-client-2.1.3-1.el5.x86_64.rpm
File outdated by:  RHBA-2013:1334
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
ipa-client-2.1.3-1.el5.src.rpm
File outdated by:  RHBA-2013:1334
 
IA-32:
ipa-client-2.1.3-1.el5.i386.rpm
File outdated by:  RHBA-2013:1334
 
x86_64:
ipa-client-2.1.3-1.el5.x86_64.rpm
File outdated by:  RHBA-2013:1334
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

723620 - Need an arch-specific Requires on cyrus-sasl-gssapi
739068 - ipa-client-install --password=$PASSWORD will cause /var/log/ipaclient-install.log to contain the password.
752226 - ipa-client: Requires client-side changes for server-side fixes (due to CVE-2011-3636) [rhel-5.8]
753936 - Rebase ipa-client to upstream 2.1.3



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/