Security Advisory Low: ipa security, bug fix and enhancement update

Advisory: RHSA-2013:0528-2
Type: Security Advisory
Severity: Low
Issued on: 2013-02-21
Last updated on: 2013-02-21
Affected Products: Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux HPC Node (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2012-4546

Details

Updated ipa packages that fix one security issue, several bugs, and add
various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Red Hat Identity Management is a centralized authentication, identity
management and authorization solution for both traditional and cloud-based
enterprise environments. It integrates components of the Red Hat Directory
Server, MIT Kerberos, Red Hat Certificate System, NTP, and DNS. It provides
web browser and command-line interfaces. Its administration tools allow an
administrator to quickly install, set up, and administer a group of domain
controllers to meet the authentication and identity management requirements
of large-scale Linux and UNIX deployments.

It was found that the current default configuration of IPA servers did not
publish correct CRLs (Certificate Revocation Lists). The default
configuration specifies that every replica is to generate its own CRL;
however, this can result in inconsistencies in the CRL contents provided to
clients from different Identity Management replicas. More specifically, if
a certificate is revoked on one Identity Management replica, it will not
show up on another Identity Management replica. (CVE-2012-4546)
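
The inconsistency described above can be checked from the outside by comparing the revoked-serial sets in the CRLs that each replica publishes. The following is an added example, not part of the advisory or of IPA: it parses the text printed by `openssl crl -noout -text`, and the replica names and both CRL dumps are constructed samples.

```python
import re

# Constructed samples of `openssl crl -noout -text` output, one per replica.
REPLICA_A = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: O = EXAMPLE.TEST, CN = Certificate Authority
        Last Update: Feb 21 10:00:00 2013 GMT
        Next Update: Feb 21 14:00:00 2013 GMT
        CRL extensions:
            X509v3 CRL Number:
                12
Revoked Certificates:
    Serial Number: 0B
        Revocation Date: Feb 19 08:30:00 2013 GMT
    Serial Number: 0C
        Revocation Date: Feb 20 09:12:00 2013 GMT
"""
REPLICA_B = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: O = EXAMPLE.TEST, CN = Certificate Authority
        Last Update: Feb 21 10:05:00 2013 GMT
        Next Update: Feb 21 14:05:00 2013 GMT
        CRL extensions:
            X509v3 CRL Number:
                7
Revoked Certificates:
    Serial Number: 0B
        Revocation Date: Feb 19 08:30:00 2013 GMT
    Serial Number: 0FFF0001
        Revocation Date: Feb 20 16:45:00 2013 GMT
"""

ISSUER_RE = re.compile(r"^\s*Issuer:\s*(.+?)\s*$", re.M)
SERIAL_RE = re.compile(r"^\s*Serial Number:\s*([0-9A-Fa-f]+)\s*$", re.M)
CRLNUM_RE = re.compile(r"X509v3 CRL Number:\s*(\d+)")


def parse_crl_text(text):
    """Extract issuer, CRL number and revoked serials from an openssl text dump."""
    issuer = ISSUER_RE.search(text)
    if issuer is None:
        raise ValueError("not a CRL text dump: no Issuer line")
    number = CRLNUM_RE.search(text)
    # An empty CRL prints "No Revoked Certificates." and yields an empty set.
    revoked = {int(s, 16) for s in SERIAL_RE.findall(text)}
    return {
        "issuer": issuer.group(1),
        "crl_number": int(number.group(1)) if number else None,
        "revoked": revoked,
    }


def compare_replicas(dumps):
    """dumps maps replica name -> CRL text. Report serials each replica omits."""
    if len(dumps) < 2:
        raise ValueError("need CRLs from at least two replicas")
    parsed = {name: parse_crl_text(text) for name, text in dumps.items()}
    # Issuer strings are compared verbatim, so produce every dump with the
    # same openssl version (the DN print format differs between versions).
    if len({p["issuer"] for p in parsed.values()}) != 1:
        raise ValueError("CRLs were issued by different CAs")
    union = set().union(*(p["revoked"] for p in parsed.values()))
    missing = {
        name: [format(s, "X") for s in sorted(union - p["revoked"])]
        for name, p in parsed.items()
    }
    return {
        "consistent": not any(missing.values()),
        "missing": missing,
        "crl_numbers": {name: p["crl_number"] for name, p in parsed.items()},
    }


if __name__ == "__main__":
    print(compare_replicas({"replica-a": REPLICA_A, "replica-b": REPLICA_B}))
```

A non-empty `missing` list for any replica means a client that fetches its CRL from that replica will still accept a certificate that another replica has revoked.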

These updated ipa packages also include numerous bug fixes and
enhancements. Space precludes documenting all of these changes in this
advisory. Users are directed to the Red Hat Enterprise Linux 6.4 Technical
Notes, linked to in the References, for information on the most significant
of these changes.

Users are advised to upgrade to these updated ipa packages, which fix these
issues and add these enhancements.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

Each file listed below is marked "File outdated by: RHBA-2013:1651".

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
ipa-3.0.0-25.el6.src.rpm

IA-32:
ipa-admintools-3.0.0-25.el6.i686.rpm
ipa-client-3.0.0-25.el6.i686.rpm
ipa-debuginfo-3.0.0-25.el6.i686.rpm
ipa-python-3.0.0-25.el6.i686.rpm
ipa-server-3.0.0-25.el6.i686.rpm
ipa-server-selinux-3.0.0-25.el6.i686.rpm
ipa-server-trust-ad-3.0.0-25.el6.i686.rpm

x86_64:
ipa-admintools-3.0.0-25.el6.x86_64.rpm
ipa-client-3.0.0-25.el6.x86_64.rpm
ipa-debuginfo-3.0.0-25.el6.x86_64.rpm
ipa-python-3.0.0-25.el6.x86_64.rpm
ipa-server-3.0.0-25.el6.x86_64.rpm
ipa-server-selinux-3.0.0-25.el6.x86_64.rpm
ipa-server-trust-ad-3.0.0-25.el6.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6)

SRPMS:
ipa-3.0.0-25.el6.src.rpm

x86_64:
ipa-admintools-3.0.0-25.el6.x86_64.rpm
ipa-client-3.0.0-25.el6.x86_64.rpm
ipa-debuginfo-3.0.0-25.el6.x86_64.rpm
ipa-python-3.0.0-25.el6.x86_64.rpm
ipa-server-3.0.0-25.el6.x86_64.rpm
ipa-server-selinux-3.0.0-25.el6.x86_64.rpm
ipa-server-trust-ad-3.0.0-25.el6.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6)

SRPMS:
ipa-3.0.0-25.el6.src.rpm

IA-32:
ipa-admintools-3.0.0-25.el6.i686.rpm
ipa-client-3.0.0-25.el6.i686.rpm
ipa-debuginfo-3.0.0-25.el6.i686.rpm
ipa-python-3.0.0-25.el6.i686.rpm
ipa-server-3.0.0-25.el6.i686.rpm
ipa-server-selinux-3.0.0-25.el6.i686.rpm
ipa-server-trust-ad-3.0.0-25.el6.i686.rpm

PPC:
ipa-admintools-3.0.0-25.el6.ppc64.rpm
ipa-client-3.0.0-25.el6.ppc64.rpm
ipa-debuginfo-3.0.0-25.el6.ppc64.rpm
ipa-python-3.0.0-25.el6.ppc64.rpm

s390x:
ipa-admintools-3.0.0-25.el6.s390x.rpm
ipa-client-3.0.0-25.el6.s390x.rpm
ipa-debuginfo-3.0.0-25.el6.s390x.rpm
ipa-python-3.0.0-25.el6.s390x.rpm

x86_64:
ipa-admintools-3.0.0-25.el6.x86_64.rpm
ipa-client-3.0.0-25.el6.x86_64.rpm
ipa-debuginfo-3.0.0-25.el6.x86_64.rpm
ipa-python-3.0.0-25.el6.x86_64.rpm
ipa-server-3.0.0-25.el6.x86_64.rpm
ipa-server-selinux-3.0.0-25.el6.x86_64.rpm
ipa-server-trust-ad-3.0.0-25.el6.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
ipa-3.0.0-25.el6.src.rpm

IA-32:
ipa-admintools-3.0.0-25.el6.i686.rpm
ipa-client-3.0.0-25.el6.i686.rpm
ipa-debuginfo-3.0.0-25.el6.i686.rpm
ipa-python-3.0.0-25.el6.i686.rpm
ipa-server-3.0.0-25.el6.i686.rpm
ipa-server-selinux-3.0.0-25.el6.i686.rpm
ipa-server-trust-ad-3.0.0-25.el6.i686.rpm

x86_64:
ipa-admintools-3.0.0-25.el6.x86_64.rpm
ipa-client-3.0.0-25.el6.x86_64.rpm
ipa-debuginfo-3.0.0-25.el6.x86_64.rpm
ipa-python-3.0.0-25.el6.x86_64.rpm
ipa-server-3.0.0-25.el6.x86_64.rpm
ipa-server-selinux-3.0.0-25.el6.x86_64.rpm
ipa-server-trust-ad-3.0.0-25.el6.x86_64.rpm
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

748987 - If master has leftover replica agreement from a previous failed attempt, next replica install can fail
766095 - [RFE] UI for SELinux user mapping
767723 - [RFE] Implement ipa web GUI to create trusts
768510 - migrate-ds : misleading error message when invalid objectclass defined
773490 - dns discovery domain needs to be added to sssd.conf
781208 - ipa user-find --manager does not find matches
782847 - ipa permission-mod prompts for all parameters
782981 - [RFE] Form based auth page needs to support password changes too
783274 - [RFE] Create NIS map for ethers table
784378 - Run CLEANRUV task when completely deleting a replica
784621 - [ipa webui] Reset password link is enabled for a user without permission to change it
785251 - ipa permisison-find --name brings back all permissions
785254 - ipa permission-find --subtree brings back all permissions
785257 - ipa permission-find --sizelimit is disregarded
786199 - [RFE] CLI session support (Store session cookie in ccache for cli users)
796390 - ipa netgroup-add with both --desc and --addattr=description returns internal error
798355 - Fill DNS update policy by default
798363 - [RFE] add in UI of "create password policy" measurement unit examples
798365 - defect: add in UI of "policy" -> "kerberos ticket policy" measurement unit examples
798493 - adding reverse zones in gui fails to create correct zone
801931 - [RFE] Expand current 'update dns entries' permission to be per-domain level?
804619 - DNS zone serial number is not updated
805203 - set ipa_hostname for sssd.conf
805233 - [RFE] Prevent deletion of the last admin
805430 - IPA dnszone-add does not accept the utmost valid serial number.
807018 - ipa config-mod should not be allowed to modify certificate subject base
809562 - Constraints for CNAME records are not enforced
809565 - Cannot change DNS name without recreating it
811207 - [ipa webui] When permission Type is updated, attributes should reflect new Type
811211 - [ipa webui] Refresh issue with re-adding objects with same name as deleted objects
811295 - Installation fails when CN is set in certificate subject base
813325 - ipa netgroup-mod addattr and setattr allow invalid characters for externalHost
813402 - [RFE] Warn users in UI when password is going to expire in n days
814785 - [ipa webui] Update Unsaved Changes for Netgroups
815364 - [ipa webui] DNS permissions not listed and are in lowercase
815481 - hostgroup and netgroup names with one letter not allowed
815494 - [ipa webui] Netgroups page does not have members listed as links
815830 - [WebUI] Unsaved changes dialog appers more than once in some cases
815849 - ipa-server-install unhandled exception with unclear error messages (inside DNS check)
816574 - ipa permission-add throws internal server error when --addattr or --setattr is blank
816624 - ipa privilege-remove-permission with blank permission throws internal error
817075 - ipa-server-install: s/calculated/determined/
817080 - ipa-server-install --uninstall doesn't clear certmonger dirs, which leads to install failing
817407 - [Web UI] Password policies are not sorted properly
817412 - there is no permission/privilege for modifying automount keys
817413 - validate that domain name uses only valid characters
817821 - ipa config-mod --delattr misleading invalid error messages
817831 - ipa config-mod --delattr user and group search fields returns internal server error
817865 - we should not influence ip address family selection (traceback when IPv6 disabled)
817869 - Clean keytabs before installing new keys into them
817885 - Internal error : ipa config-mod addattr on user and group objectclasses
818665 - [ipa webui] Unprovisioning keytab does not have cancel option
818714 - [ipa webui] Instructions to generate cert should include specifying size of private key
818836 - ipa pwpolicy-find displays incorrect max and min lifetime.
819629 - Enable persistent search in bind-dyndb-ldap during IPA upgrade
819635 - Fix help string for DNS zone --forwarder option
820983 - Nested search facets have wrong tab name
821448 - RFE: Browser config javascript should check to see if sending Referer is enabled
822608 - Passwords cannot be migrated
823657 - ipa-replica-manage connect fails with GSSAPI error after delete if using previous kerberos ticket
824074 - Create ipaserver-upgrade.log on upgrades
824488 - Add 'disable_last_success' and 'disable_lockout' to the ipadb.so dblibrary
824490 - WinSync users who have First.Last casing creates users who can have their password set
824492 - Cannot re-connect replica to previously disconnected master
826152 - zonemgr is set to default for reverse zone even with --zonemgr
826677 - IPA cannot remove disconnected replica data to reconnect
827162 - ipa-client uninstall causes a crash after installing using --preserve-sssd
827321 - ipa-server-install does not fill the default value for --subject option and it crashes later.
827392 - Host OTP :: Random password characters should be limited.
827583 - [ipa webui] DNS Zones - Add - on IE does not open a Add window, and instead writes on top on existing page
828687 - Unable to update dns when deleting host
829070 - ipa-server-install --uninstall does not remove /var/lib/sss/pubconf/kdcinfo.$REALM
829746 - [ipa webui] IE - Add members dialog box cannot be resized
829899 - [ipa webui] IE - Attribute listing when adding permission or delegation is not displayed same as FF
830598 - ipa-server-install --uninstall not stopping sssd and seeing ipa-replica-conncheck kinit errors
830817 - [ipa webui] IE - Add permission of type Subtree, has a smaller textarea for subtree than FF
831010 - [RFE] ipa-client-install always adds _srv_ entry to sssd.conf even when server specified.
831227 - [ipa webui] IE - Unable to Edit Service, and intermittently add service fails
831299 - [ipa webui] IE -Scrollbar jumps back when checkbox'ing an object
831313 - ipa-replica-install enable GSSAPI for replication list index out of range failure
831661 - ipa-replica-manage re-initialize update failed due to named ldap timeout
832243 - Sporadic JSON errors under MSIE
833505 - ipa-client-install crashes when --hostname is given
833515 - permissions of replica files should be 0600
833516 - Ipactl exception not handled well in ipactl
833517 - [RFE] [Web UI] Add support for DNS per-domain permissions
835642 - mail attribute not automatically populated
837357 - Attributelevelrights differs in permission-show and permission-mod for the same permission
837358 - Don't display: Logged in as: user@FREEIPA.ORG
837365 - CLEANALLRUV must deal with offline replicas and older replicas
837380 - Add group external member support to Web UI
839008 - Indirect roles not checked for in WebUI
839638 - ipa-replica-manage allows disconnect of last connection for a single replica
840657 - sshpubkey not accepting ssh keys in the right format for user
845405 - ipa-replica-install httpd restart failed
845691 - ipa-client-install Failed to obtain host TGT
846309 - Prevent disabling last admin
852480 - automountkey is not indexed
854321 - Password policies are sorted lexicographically instead of numerically
854325 - Time synchronization is disabled in ipa-client-install
855278 - I'm getting jQuery error when adding command includes "??" into the sudo commands field in IPA web interface.
856282 - [Web UI] Improve instructions to generate certificate
856293 - Nameserver does not have a corresponding A/AAAA record while creating new dns zone
856294 - Instructions to uninstall are unclear
859968 - IPA browser configuration won't work on Firefox >= 15
860683 - group-mod should not be allowed to rename or modify admins account
864533 - Forbidden access to IPA published CRL
866572 - ipa-adtrust-install checks for /usr/bin/smbpasswd, which is not required
866966 - httpd needs restart post ipa-adtrust-install
866977 - Inform user when ipa-upgradeconfig reports errors
866978 - ipa-server-install --setup-dns always installs reverse zone
867447 - ipa-adtrust-install does not reset all information when re-run
867676 - extdom plugin does not handle Posix UID and GID request
868956 - Adding dnsone using name-server and ipaddress, adds zone with incorrect data
869279 - Bad link to Web UI config page after session is expired
869616 - Issues when adding AD user as member of external group
869656 - Improve information on passsync user in man page, command help
869658 - It is not possible to disable forwarding on per-zone basics
869741 - Re-adding an existing entry in trust, does not throw exception.
870053 - Default SELinuxusermaporder needs to mapped with default selinux users list
870234 - CVE-2012-4546 ipa: servers do not publish correct CRLs
870446 - multi operations with attribute manipulation not returning error
872707 - ipa-server dependency on krb5-server is not adequate
874935 - ipa-server installation fails to find A/AAAA record for IPA hostname
875261 - IPA WebUI login for AD Trusted User fails
877324 - Missing Option to add SSH Public Key in Web UI after upgrade
877434 - not exact error message show up when adding an AD member to an external type group while the time difference between ad and ipa is too great
878288 - IPA users are not available after ipa-server-install because sssd not running
878462 - Special case NFS related ticket to avoid attaching MS-PACs
878480 - Lookup user SIDs in external groups
878485 - ipa trust-add prints misleading information about required DNS setting
878969 - Write replacement for python-crypto
880655 - Regression in default value of group type in user group adder dialog
888124 - ipa install does not enable sssd start on boot
888524 - ipa delegation-find --group option returns internal error
888915 - cookie library does not parse nor generate expires attribute correctly when locale is not english
888956 - Cannot install an IPA Replica server with PKI-CA/Dogtag from a master with a large CRL
889583 - ipa server install failing when realm differs from domain
891980 - Make the root CA lifetime at least 15 years
893187 - Installing IPA with a single realm component sometimes fails
893722 - ipa-server upgrade ERROR Cannot move CRL file to new directory
893827 - ipa permission-find using valid targetgroup throws internal error
894090 - Internal Server Error during ldap Migration
894131 - ipa-replica-install fails to add idnssoaserial for a new zone
894143 - ipa-replica-prepare fails when reverse zone does not have SOA serial data
895298 - IPA upgrade error restarting named when dirsrv off before upgrade
895561 - IPA install in pure IPv6 environment fails with "Can't contact LDAP server" error
903758 - upgrading IPA from 2.2 to 3.0 sees certmonger errors
905594 - Unable to install ipa-server-trust-ad pkg on 32-bit platform


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/