diff --git a/.gitignore b/.gitignore
index 2d38ac2..f7374d7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,4 @@
 /freeipa-2.1.3-systemd.patch.gz
 /freeipa-2.1.3.tar.gz
 /freeipa-2.1.3-wait_for_socket.patch.gz
+/freeipa-2.1.4.tar.gz
diff --git a/freeipa-2.1.3-kpasswd-selinux.patch b/freeipa-2.1.3-kpasswd-selinux.patch
deleted file mode 100644
index 4dd6233..0000000
--- a/freeipa-2.1.3-kpasswd-selinux.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 6e81b847eecd2e91523119e041f892716aa16e9c Mon Sep 17 00:00:00 2001
-From: Evgeny Sinelnikov
-Date: Sat, 3 Dec 2011 09:44:38 +0400
-Subject: [PATCH] ipa_kpasswd: Update selinux policies for ldap and urandom
-
-Fixes: https://fedorahosted.org/freeipa/ticket/2160
----
- selinux/ipa_kpasswd/ipa_kpasswd.te | 6 ++++++
- 1 files changed, 6 insertions(+), 0 deletions(-)
-
-diff --git a/selinux/ipa_kpasswd/ipa_kpasswd.te b/selinux/ipa_kpasswd/ipa_kpasswd.te
-index 292be7b..eefb70b 100644
---- a/selinux/ipa_kpasswd/ipa_kpasswd.te
-+++ b/selinux/ipa_kpasswd/ipa_kpasswd.te
-@@ -64,6 +64,7 @@ corenet_tcp_bind_all_nodes(ipa_kpasswd_t)
- corenet_udp_bind_all_nodes(ipa_kpasswd_t)
- corenet_tcp_bind_kerberos_admin_port(ipa_kpasswd_t)
- corenet_udp_bind_kerberos_admin_port(ipa_kpasswd_t)
-+corenet_tcp_connect_ldap_port(ipa_kpasswd_t)
- require {
- type krb5kdc_conf_t;
- };
-@@ -78,3 +79,8 @@ optional_policy(`
- corenet_udp_bind_kerberos_password_port(ipa_kpasswd_t)
- ')
-
-+require {
-+ type urandom_device_t;
-+}
-+
-+allow ipa_kpasswd_t urandom_device_t:chr_file { open read getattr };
---
-1.7.7.3
-
diff --git a/freeipa.spec b/freeipa.spec
index 3410dc6..781a291 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -13,8 +13,8 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
 %global gettext_domain ipa
 Name: freeipa
-Version: 2.1.3
-Release: 8%{?dist}
+Version: 2.1.4
+Release: 1%{?dist}
 Summary: The Identity, Policy and Audit system
 Group: System Environment/Base
@@ -22,9 +22,6 @@ License: GPLv3+
 URL: http://www.freeipa.org/
 Source0: freeipa-%{version}.tar.gz
 Source1: freeipa-systemd-upgrade
-Patch0: freeipa-2.1.3-systemd.patch.gz
-Patch1: freeipa-2.1.3-wait_for_socket.patch.gz
-Patch2: freeipa-2.1.3-kpasswd-selinux.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 %if ! %{ONLY_CLIENT}
@@ -218,9 +215,6 @@ package.
 %prep
 %setup -n freeipa-%{version} -q
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
 cp %{SOURCE1} init/systemd/
 %build
@@ -543,6 +537,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 %changelog
+* Tue Dec 6 2011 Rob Crittenden - 2.1.4-1
+- Update to upstream 2.1.4 (CVE-2011-3636)
+
 * Mon Dec 5 2011 Rob Crittenden - 2.1.3-8
 - Update SELinux policy to allow ipa_kpasswd to connect ldap and read /dev/urandom. (#759679)
diff --git a/sources b/sources
index 65d1a20..983450e 100644
--- a/sources
+++ b/sources
@@ -1,3 +1 @@
-8475a0768b90171f58b4be76d09d6820 freeipa-2.1.3.tar.gz
-558f5ccb5610cf66db1eeb969420cac2 freeipa-2.1.3-systemd.patch.gz
-eee14c5b2640d9b1d6f694befc62e85f freeipa-2.1.3-wait_for_socket.patch.gz
+213047f62f3dfa5d6088fe916356c298 freeipa-2.1.4.tar.gz
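Review bot: The new 2.1.4-1 entry in the freeipa.spec %changelog hunk records only the rebase, while the same commit drops Patch0, Patch1 and Patch2 together with their `%patch` lines, including the ipa_kpasswd SELinux policy patch that 2.1.3-8 introduced one day earlier. Nothing visible in this diff shows that the 2.1.4 tarball already carries those three changes, so the entry should state it once that has been confirmed, for example `- Drop systemd, wait_for_socket and kpasswd-selinux patches (merged upstream)`. If the SELinux rules are not in the tarball, the problem fixed under #759679 would presumably return on systems running SELinux in enforcing mode.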