import ipa-4.9.6-10.module+el8.5.0+13587+92118e57
This commit is contained in:
parent
32d9493df4
commit
c07c360d7e
222
SOURCES/freeipa-4.9.6-bf-2.patch
Normal file
222
SOURCES/freeipa-4.9.6-bf-2.patch
Normal file
@ -0,0 +1,222 @@
|
|||||||
|
From fe59e6a0b06926a3d71c6b6f361714d1422d5b0f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Date: Thu, 11 Nov 2021 09:58:09 +0200
|
||||||
|
Subject: [PATCH 1/2] ipa-kdb: honor SID from the host or service entry
|
||||||
|
|
||||||
|
If the SID was explicitly set for the host or service entry, honor it
|
||||||
|
when issuing PAC. For normal services and hosts we don't allocate
|
||||||
|
individual SIDs but for cifs/... principals on domain members we do as
|
||||||
|
they need to login to Samba domain controller.
|
||||||
|
|
||||||
|
Related: https://pagure.io/freeipa/issue/9031
|
||||||
|
|
||||||
|
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
---
|
||||||
|
daemons/ipa-kdb/ipa_kdb_mspac.c | 46 ++++++++++++++++++++-------------
|
||||||
|
1 file changed, 28 insertions(+), 18 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
|
index 0e0ee3616..6f272f9fe 100644
|
||||||
|
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
|
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
|
@@ -653,6 +653,28 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
||||||
|
* clear it after detecting the changes */
|
||||||
|
info3->base.acct_flags = ACB_USE_AES_KEYS;
|
||||||
|
|
||||||
|
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
||||||
|
+ "ipaNTSecurityIdentifier", &strres);
|
||||||
|
+ if (ret) {
|
||||||
|
+ /* SID is mandatory for all but host/services */
|
||||||
|
+ if (!(is_host || is_service)) {
|
||||||
|
+ return ret;
|
||||||
|
+ }
|
||||||
|
+ info3->base.rid = 0;
|
||||||
|
+ } else {
|
||||||
|
+ ret = ipadb_string_to_sid(strres, &sid);
|
||||||
|
+ free(strres);
|
||||||
|
+ if (ret) {
|
||||||
|
+ return ret;
|
||||||
|
+ }
|
||||||
|
+ ret = sid_split_rid(&sid, &info3->base.rid);
|
||||||
|
+ if (ret) {
|
||||||
|
+ return ret;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* If SID was present prefer using it even for hosts and services
|
||||||
|
+ * but we still need to set the account flags correctly */
|
||||||
|
if ((is_host || is_service)) {
|
||||||
|
/* it is either host or service, so get the hostname first */
|
||||||
|
char *sep = strchr(info3->base.account_name.string, '/');
|
||||||
|
@@ -661,29 +683,17 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
||||||
|
sep ? sep + 1 : info3->base.account_name.string);
|
||||||
|
if (is_master) {
|
||||||
|
/* Well known RID of domain controllers group */
|
||||||
|
- info3->base.rid = 516;
|
||||||
|
+ if (info3->base.rid == 0) {
|
||||||
|
+ info3->base.rid = 516;
|
||||||
|
+ }
|
||||||
|
info3->base.acct_flags |= ACB_SVRTRUST;
|
||||||
|
} else {
|
||||||
|
/* Well known RID of domain computers group */
|
||||||
|
- info3->base.rid = 515;
|
||||||
|
+ if (info3->base.rid == 0) {
|
||||||
|
+ info3->base.rid = 515;
|
||||||
|
+ }
|
||||||
|
info3->base.acct_flags |= ACB_WSTRUST;
|
||||||
|
}
|
||||||
|
- } else {
|
||||||
|
- ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
||||||
|
- "ipaNTSecurityIdentifier", &strres);
|
||||||
|
- if (ret) {
|
||||||
|
- /* SID is mandatory */
|
||||||
|
- return ret;
|
||||||
|
- }
|
||||||
|
- ret = ipadb_string_to_sid(strres, &sid);
|
||||||
|
- free(strres);
|
||||||
|
- if (ret) {
|
||||||
|
- return ret;
|
||||||
|
- }
|
||||||
|
- ret = sid_split_rid(&sid, &info3->base.rid);
|
||||||
|
- if (ret) {
|
||||||
|
- return ret;
|
||||||
|
- }
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
|
||||||
|
--
|
||||||
|
2.33.1
|
||||||
|
|
||||||
|
|
||||||
|
From 21af43550aa0a31e1ec5240578bd64fcbdd4ee24 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Date: Thu, 11 Nov 2021 10:16:47 +0200
|
||||||
|
Subject: [PATCH 2/2] ipa-kdb: validate domain SID in incoming PAC for trusted
|
||||||
|
domains for S4U
|
||||||
|
|
||||||
|
Previously, ipadb_check_logon_info() was called only for cross-realm
|
||||||
|
case. Now we call it for both in-realm and cross-realm cases. In case of
|
||||||
|
the S4U2Proxy, we would be passed a PAC of the original caller which
|
||||||
|
might be a principal from the trusted realm. We cannot validate that PAC
|
||||||
|
against our local client DB entry because this is the proxy entry which
|
||||||
|
is guaranteed to have different SID.
|
||||||
|
|
||||||
|
In such case, validate the SID of the domain in PAC against our realm
|
||||||
|
and any trusted doman but skip an additional check of the DB entry in
|
||||||
|
the S4U2Proxy case.
|
||||||
|
|
||||||
|
Related: https://pagure.io/freeipa/issue/9031
|
||||||
|
|
||||||
|
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
---
|
||||||
|
daemons/ipa-kdb/ipa_kdb_mspac.c | 54 ++++++++++++++++++++++++++-------
|
||||||
|
1 file changed, 43 insertions(+), 11 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
|
index 6f272f9fe..6f7d1ac15 100644
|
||||||
|
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
|
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
|
@@ -1637,11 +1637,13 @@ static void filter_logon_info_log_message_rid(struct dom_sid *sid, uint32_t rid)
|
||||||
|
static krb5_error_code check_logon_info_consistent(krb5_context context,
|
||||||
|
TALLOC_CTX *memctx,
|
||||||
|
krb5_const_principal client_princ,
|
||||||
|
+ krb5_boolean is_s4u,
|
||||||
|
struct PAC_LOGON_INFO_CTR *info)
|
||||||
|
{
|
||||||
|
krb5_error_code kerr = 0;
|
||||||
|
struct ipadb_context *ipactx;
|
||||||
|
bool result;
|
||||||
|
+ bool is_from_trusted_domain = false;
|
||||||
|
krb5_db_entry *client_actual = NULL;
|
||||||
|
struct ipadb_e_data *ied = NULL;
|
||||||
|
int flags = 0;
|
||||||
|
@@ -1671,14 +1673,36 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
|
||||||
|
result = dom_sid_check(&ipactx->mspac->domsid,
|
||||||
|
info->info->info3.base.domain_sid, true);
|
||||||
|
if (!result) {
|
||||||
|
- /* memctx is freed by the caller */
|
||||||
|
- char *sid = dom_sid_string(memctx, info->info->info3.base.domain_sid);
|
||||||
|
- char *dom = dom_sid_string(memctx, &ipactx->mspac->domsid);
|
||||||
|
- krb5_klog_syslog(LOG_ERR, "PAC issue: PAC record claims domain SID different "
|
||||||
|
- "to local domain SID: local [%s], PAC [%s]",
|
||||||
|
- dom ? dom : "<failed to display>",
|
||||||
|
- sid ? sid : "<failed to display>");
|
||||||
|
- return KRB5KDC_ERR_POLICY;
|
||||||
|
+ /* In S4U case we might be dealing with the PAC issued by the trusted domain */
|
||||||
|
+ if (is_s4u && (ipactx->mspac->trusts != NULL)) {
|
||||||
|
+ /* Iterate through list of trusts and check if this SID belongs to
|
||||||
|
+ * one of the domains we trust */
|
||||||
|
+ for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
|
||||||
|
+ result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
|
||||||
|
+ info->info->info3.base.domain_sid, true);
|
||||||
|
+ if (result) {
|
||||||
|
+ is_from_trusted_domain = true;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!result) {
|
||||||
|
+ /* memctx is freed by the caller */
|
||||||
|
+ char *sid = dom_sid_string(memctx, info->info->info3.base.domain_sid);
|
||||||
|
+ char *dom = dom_sid_string(memctx, &ipactx->mspac->domsid);
|
||||||
|
+ krb5_klog_syslog(LOG_ERR, "PAC issue: PAC record claims domain SID different "
|
||||||
|
+ "to local domain SID or any trusted domain SID: "
|
||||||
|
+ "local [%s], PAC [%s]",
|
||||||
|
+ dom ? dom : "<failed to display>",
|
||||||
|
+ sid ? sid : "<failed to display>");
|
||||||
|
+ return KRB5KDC_ERR_POLICY;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (is_s4u && is_from_trusted_domain) {
|
||||||
|
+ /* If the PAC belongs to a user from the trusted domain, we cannot compare SIDs */
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
kerr = ipadb_get_principal(context, client_princ, flags, &client_actual);
|
||||||
|
@@ -1703,6 +1727,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+
|
||||||
|
kerr = ipadb_get_sid_from_pac(memctx, info->info, &client_sid);
|
||||||
|
if (kerr) {
|
||||||
|
goto done;
|
||||||
|
@@ -1956,6 +1981,7 @@ krb5_error_code filter_logon_info(krb5_context context,
|
||||||
|
static krb5_error_code ipadb_check_logon_info(krb5_context context,
|
||||||
|
krb5_const_principal client_princ,
|
||||||
|
krb5_boolean is_cross_realm,
|
||||||
|
+ krb5_boolean is_s4u,
|
||||||
|
krb5_data *pac_blob,
|
||||||
|
struct dom_sid *requester_sid)
|
||||||
|
{
|
||||||
|
@@ -1999,8 +2025,11 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context,
|
||||||
|
|
||||||
|
if (!is_cross_realm) {
|
||||||
|
/* For local realm case we need to check whether the PAC is for our user
|
||||||
|
- * but we don't need to process further */
|
||||||
|
- kerr = check_logon_info_consistent(context, tmpctx, client_princ, &info);
|
||||||
|
+ * but we don't need to process further. In S4U2Proxy case when the client
|
||||||
|
+ * is ours but operates on behalf of the cross-realm principal, we will
|
||||||
|
+ * search through the trusted domains but otherwise skip the exact SID check
|
||||||
|
+ * as we are not responsible for the principal from the trusted domain */
|
||||||
|
+ kerr = check_logon_info_consistent(context, tmpctx, client_princ, is_s4u, &info);
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -2251,7 +2280,10 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
|
||||||
|
#endif
|
||||||
|
|
||||||
|
kerr = ipadb_check_logon_info(context,
|
||||||
|
- client_princ, is_cross_realm, &pac_blob,
|
||||||
|
+ client_princ,
|
||||||
|
+ is_cross_realm,
|
||||||
|
+ (flags & KRB5_KDB_FLAGS_S4U),
|
||||||
|
+ &pac_blob,
|
||||||
|
requester_sid);
|
||||||
|
if (kerr != 0) {
|
||||||
|
goto done;
|
||||||
|
--
|
||||||
|
2.33.1
|
||||||
|
|
122
SOURCES/freeipa-4.9.6-bf-3.patch
Normal file
122
SOURCES/freeipa-4.9.6-bf-3.patch
Normal file
@ -0,0 +1,122 @@
|
|||||||
|
From 7d93bda31ce0b4e0e22c6e464c9138800dcf8b1c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Date: Fri, 26 Nov 2021 11:13:51 +0200
|
||||||
|
Subject: [PATCH] ipa-kdb: fix requester SID check according to MS-KILE and
|
||||||
|
MS-SFU updates
|
||||||
|
|
||||||
|
New versions of MS-KILE and MS-SFU after Windows Server November 2021
|
||||||
|
security updates add PAC_REQUESTER_SID buffer check behavior:
|
||||||
|
|
||||||
|
- PAC_REQUESTER_SID should only be added for TGT requests
|
||||||
|
|
||||||
|
- if PAC_REQUESTER_SID is present, KDC must verify that the cname on
|
||||||
|
the ticket resolves to the account with the same SID as the
|
||||||
|
PAC_REQUESTER_SID. If it doesn't KDC must respond with
|
||||||
|
KDC_ERR_TKT_REVOKED
|
||||||
|
|
||||||
|
Change requester SID check to skip exact check for non-local
|
||||||
|
PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains
|
||||||
|
we know about.
|
||||||
|
|
||||||
|
If requester SID is the same as in PAC, we already do cname vs PAC SID
|
||||||
|
verification.
|
||||||
|
|
||||||
|
With these changes FreeIPA works against Windows Server 2019 with
|
||||||
|
November 2021 security fixes in cross-realm S4U2Self operations.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/9031
|
||||||
|
|
||||||
|
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
---
|
||||||
|
daemons/ipa-kdb/ipa_kdb_mspac.c | 47 ++++++++++++++++++++++++---------
|
||||||
|
1 file changed, 34 insertions(+), 13 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
|
index 538cfbba9..1b972c167 100644
|
||||||
|
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
|
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
|
@@ -1697,7 +1697,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
|
||||||
|
"local [%s], PAC [%s]",
|
||||||
|
dom ? dom : "<failed to display>",
|
||||||
|
sid ? sid : "<failed to display>");
|
||||||
|
- return KRB5KDC_ERR_POLICY;
|
||||||
|
+ return KRB5KDC_ERR_TGT_REVOKED;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1709,7 +1709,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
|
||||||
|
kerr = ipadb_get_principal(context, client_princ, flags, &client_actual);
|
||||||
|
if (kerr != 0) {
|
||||||
|
krb5_klog_syslog(LOG_ERR, "PAC issue: ipadb_get_principal failed.");
|
||||||
|
- return KRB5KDC_ERR_POLICY;
|
||||||
|
+ return KRB5KDC_ERR_TGT_REVOKED;
|
||||||
|
}
|
||||||
|
|
||||||
|
ied = (struct ipadb_e_data *)client_actual->e_data;
|
||||||
|
@@ -1743,7 +1743,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
|
||||||
|
"local [%s] vs PAC [%s]",
|
||||||
|
local_sid ? local_sid : "<failed to display>",
|
||||||
|
pac_sid ? pac_sid : "<failed to display>");
|
||||||
|
- kerr = KRB5KDC_ERR_POLICY;
|
||||||
|
+ kerr = KRB5KDC_ERR_TGT_REVOKED;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -2005,22 +2005,43 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context,
|
||||||
|
/* Check that requester SID is the same as in the PAC entry */
|
||||||
|
if (requester_sid != NULL) {
|
||||||
|
struct dom_sid client_sid;
|
||||||
|
+ bool is_from_trusted_domain = false;
|
||||||
|
kerr = ipadb_get_sid_from_pac(tmpctx, info.info, &client_sid);
|
||||||
|
if (kerr) {
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
result = dom_sid_check(&client_sid, requester_sid, true);
|
||||||
|
if (!result) {
|
||||||
|
- /* memctx is freed by the caller */
|
||||||
|
- char *pac_sid = dom_sid_string(tmpctx, &client_sid);
|
||||||
|
- char *req_sid = dom_sid_string(tmpctx, requester_sid);
|
||||||
|
- krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
|
||||||
|
- "different from what PAC requester claims. "
|
||||||
|
- "PAC [%s] vs PAC requester [%s]",
|
||||||
|
- pac_sid ? pac_sid : "<failed to display>",
|
||||||
|
- req_sid ? req_sid : "<failed to display>");
|
||||||
|
- kerr = KRB5KDC_ERR_POLICY;
|
||||||
|
- goto done;
|
||||||
|
+ struct ipadb_context *ipactx = ipadb_get_context(context);
|
||||||
|
+ if (!ipactx || !ipactx->mspac) {
|
||||||
|
+ return KRB5_KDB_DBNOTINITED;
|
||||||
|
+ }
|
||||||
|
+ /* In S4U case we might be dealing with the PAC issued by the trusted domain */
|
||||||
|
+ if (is_s4u && (ipactx->mspac->trusts != NULL)) {
|
||||||
|
+ /* Iterate through list of trusts and check if this SID belongs to
|
||||||
|
+ * one of the domains we trust */
|
||||||
|
+ for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
|
||||||
|
+ result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
|
||||||
|
+ requester_sid, false);
|
||||||
|
+ if (result) {
|
||||||
|
+ is_from_trusted_domain = true;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!is_from_trusted_domain) {
|
||||||
|
+ /* memctx is freed by the caller */
|
||||||
|
+ char *pac_sid = dom_sid_string(tmpctx, &client_sid);
|
||||||
|
+ char *req_sid = dom_sid_string(tmpctx, requester_sid);
|
||||||
|
+ krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
|
||||||
|
+ "different from what PAC requester claims. "
|
||||||
|
+ "PAC [%s] vs PAC requester [%s]",
|
||||||
|
+ pac_sid ? pac_sid : "<failed to display>",
|
||||||
|
+ req_sid ? req_sid : "<failed to display>");
|
||||||
|
+ kerr = KRB5KDC_ERR_TGT_REVOKED;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
3979
SOURCES/freeipa-4.9.6-bf.patch
Normal file
3979
SOURCES/freeipa-4.9.6-bf.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -68,8 +68,8 @@
|
|||||||
%global krb5_kdb_version 8.0
|
%global krb5_kdb_version 8.0
|
||||||
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
|
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
|
||||||
%global python_netaddr_version 0.7.19
|
%global python_netaddr_version 0.7.19
|
||||||
# Require 4.7.0 which brings Python 3 bindings
|
# Require 4.14.5-6 which brings CVE-2020-25717 fixes in RHEL 8.5.z
|
||||||
%global samba_version 4.12.3-12
|
%global samba_version 4.14.5-6
|
||||||
%global selinux_policy_version 3.14.3-52
|
%global selinux_policy_version 3.14.3-52
|
||||||
%global slapi_nis_version 0.56.4
|
%global slapi_nis_version 0.56.4
|
||||||
%global python_ldap_version 3.1.0-1
|
%global python_ldap_version 3.1.0-1
|
||||||
@ -92,9 +92,9 @@
|
|||||||
%global krb5_version 1.18.2-29
|
%global krb5_version 1.18.2-29
|
||||||
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
|
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
|
||||||
%global python_netaddr_version 0.7.16
|
%global python_netaddr_version 0.7.16
|
||||||
# Require 4.7.0 which brings Python 3 bindings
|
|
||||||
# Require 4.12 which has DsRGetForestTrustInformation access rights fixes
|
# Require 4.14.6 which brings CVE-2020-25717 fixes
|
||||||
%global samba_version 2:4.12.10
|
%global samba_version 2:4.14.6
|
||||||
|
|
||||||
# 3.14.5-45 or later includes a number of interfaces fixes for IPA interface
|
# 3.14.5-45 or later includes a number of interfaces fixes for IPA interface
|
||||||
%global selinux_policy_version 3.14.5-45
|
%global selinux_policy_version 3.14.5-45
|
||||||
@ -191,7 +191,7 @@
|
|||||||
|
|
||||||
Name: %{package_name}
|
Name: %{package_name}
|
||||||
Version: %{IPA_VERSION}
|
Version: %{IPA_VERSION}
|
||||||
Release: 6%{?rc_version:.%rc_version}%{?dist}
|
Release: 10%{?rc_version:.%rc_version}%{?dist}
|
||||||
Summary: The Identity, Policy and Audit system
|
Summary: The Identity, Policy and Audit system
|
||||||
|
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
@ -228,6 +228,11 @@ Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
|||||||
%endif
|
%endif
|
||||||
%endif
|
%endif
|
||||||
# RHEL spec file only: END
|
# RHEL spec file only: END
|
||||||
|
# SID hardening patches
|
||||||
|
Patch1100: freeipa-4.9.6-bf.patch
|
||||||
|
Patch1101: freeipa-4.9.6-bf-2.patch
|
||||||
|
Patch1102: freeipa-4.9.6-bf-3.patch
|
||||||
|
|
||||||
|
|
||||||
# For the timestamp trick in patch application
|
# For the timestamp trick in patch application
|
||||||
BuildRequires: diffstat
|
BuildRequires: diffstat
|
||||||
@ -471,6 +476,8 @@ Requires: gssproxy >= 0.7.0-2
|
|||||||
Requires: sssd-dbus >= %{sssd_version}
|
Requires: sssd-dbus >= %{sssd_version}
|
||||||
Requires: libpwquality
|
Requires: libpwquality
|
||||||
Requires: cracklib-dicts
|
Requires: cracklib-dicts
|
||||||
|
# NDR libraries are internal in Samba and change with version without changing SONAME
|
||||||
|
Requires: samba-client-libs >= %{samba_version}
|
||||||
|
|
||||||
Provides: %{alt_name}-server = %{version}
|
Provides: %{alt_name}-server = %{version}
|
||||||
Conflicts: %{alt_name}-server
|
Conflicts: %{alt_name}-server
|
||||||
@ -1377,6 +1384,7 @@ fi
|
|||||||
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent
|
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent
|
||||||
%dir %{_libexecdir}/ipa/oddjob
|
%dir %{_libexecdir}/ipa/oddjob
|
||||||
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
|
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
|
||||||
|
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.config-enable-sid
|
||||||
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent
|
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent
|
||||||
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
|
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
|
||||||
%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
|
%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
|
||||||
@ -1709,6 +1717,22 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Nov 30 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-10
|
||||||
|
- Bump realease version due to build issue.
|
||||||
|
Related: RHBZ#2021489
|
||||||
|
|
||||||
|
* Thu Nov 30 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-9
|
||||||
|
- Hardening for CVE-2020-25717, part 3
|
||||||
|
Related: RHBZ#2021489
|
||||||
|
|
||||||
|
* Thu Nov 18 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-8
|
||||||
|
- Hardening for CVE-2020-25717, part 2
|
||||||
|
- Related: RHBZ#2021171
|
||||||
|
|
||||||
|
* Sun Nov 07 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-7
|
||||||
|
- Hardening for CVE-2020-25717
|
||||||
|
- Related: RHBZ#2021171
|
||||||
|
|
||||||
* Fri Sep 17 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-6
|
* Fri Sep 17 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-6
|
||||||
- Don't store entries with a usercertificate in the LDAP cache
|
- Don't store entries with a usercertificate in the LDAP cache
|
||||||
Resolves: RHBZ#1999893
|
Resolves: RHBZ#1999893
|
||||||
|
Loading…
Reference in New Issue
Block a user