From c777305290f5d09a730a369f0acbae8254819d21 Mon Sep 17 00:00:00 2001
From: Tomas Krizek
Date: Fri, 22 Sep 2017 13:44:05 +0200
Subject: [PATCH] 4.6.1-1: rebase to upstream 4.6.1

- Fixes #1491053 Firefox reports insecure TLS configuration when visiting FreeIPA web UI after standard server deployment

Signed-off-by: Tomas Krizek
---
 .gitignore | 2 +
 1044.patch | 84 -------------------
 ...dbdb66e563d93a30ac51b1ac559adbd18190.patch | 26 ------
 ...86599331cf81d222687d658f5ce54e923478.patch | 29 -------
 freeipa.spec | 75 +++++++----------
 sources | 4 +-
 6 files changed, 36 insertions(+), 184 deletions(-)
 delete mode 100644 1044.patch
 delete mode 100644 473ddbdb66e563d93a30ac51b1ac559adbd18190.patch
 delete mode 100644 ba4386599331cf81d222687d658f5ce54e923478.patch

diff --git a/.gitignore b/.gitignore
index f3ea5d2..0701480 100644
--- a/.gitignore
+++ b/.gitignore
@@ -57,3 +57,5 @@
 /freeipa-4.5.3.tar.gz.asc
 /freeipa-4.6.0.tar.gz
 /freeipa-4.6.0.tar.gz.asc
+/freeipa-4.6.1.tar.gz
+/freeipa-4.6.1.tar.gz.asc
diff --git a/1044.patch b/1044.patch
deleted file mode 100644
index b60944c..0000000
--- a/1044.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 8c242fd2cf2bbe14a4aae5d31d1f945901c72afb Mon Sep 17 00:00:00 2001
-From: Pavel Vomacka
-Date: Wed, 6 Sep 2017 15:19:58 +0200
-Subject: [PATCH 1/2] WebUI: remove unused parameter from get_whoami_command
-
-The batch param is not used anywhere therefore we can remove it.
-
-https://pagure.io/freeipa/issue/7143
----
- install/ui/src/freeipa/ipa.js | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
-index 2538001c94..3920b8eb0a 100644
---- a/install/ui/src/freeipa/ipa.js
-+++ b/install/ui/src/freeipa/ipa.js
-@@ -191,7 +191,7 @@ var IPA = function () {
- }
- }));
-
-- batch.add_command(that.get_whoami_command(true));
-+ batch.add_command(that.get_whoami_command());
-
- batch.add_command(rpc.command({
- method: 'env',
-@@ -259,10 +259,8 @@ var IPA = function () {
- /**
- * Prepares `user-find --whoami` command
- * @protected
-- * @param {boolean} batch - Specifies if it will be used as single command or
-- * in a batch.
- */
-- that.get_whoami_command = function(batch) {
-+ that.get_whoami_command = function() {
- return rpc.command({
- method: 'whoami',
- on_success: function(data, text_status, xhr) {
-
-From df34476d8bd7ac2de93588b4169e996605c85fe3 Mon Sep 17 00:00:00 2001
-From: Pavel Vomacka
-Date: Wed, 6 Sep 2017 15:20:07 +0200
-Subject: [PATCH 2/2] WebUI: Fix calling undefined method during reset
- passwords
-
-When calling reset password the whoami command is not called in batch
-command, therefore the result is different then in calling
-during reset password operation. That needs to be handled to properly
-set entity_show method which needs to be called after to gather
-data about logged in entity.
-
-https://pagure.io/freeipa/issue/7143
----
- install/ui/src/freeipa/ipa.js | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
-index 3920b8eb0a..138ca031b8 100644
---- a/install/ui/src/freeipa/ipa.js
-+++ b/install/ui/src/freeipa/ipa.js
-@@ -264,18 +264,19 @@ var IPA = function () {
- return rpc.command({
- method: 'whoami',
- on_success: function(data, text_status, xhr) {
-- that.whoami.metadata = data;
-+ that.whoami.metadata = data.result || data;
-+ var wa_data = that.whoami.metadata;
-
- rpc.command({
-- method: data.details || data.command,
-- args: data.arguments,
-+ method: wa_data.details || wa_data.command,
-+ args: wa_data.arguments,
- options: function() {
-- var options = data.options || [];
-+ var options = wa_data.options || [];
- $.extend(options, {all: true});
- return options;
- }(),
- on_success: function(data, text_status, xhr) {
-- that.whoami.data = false ? data.result[0] : data.result.result;
-+ that.whoami.data = data.result.result;
- var entity = that.whoami.metadata.object;
-
- if (entity === 'user') {
diff --git a/473ddbdb66e563d93a30ac51b1ac559adbd18190.patch b/473ddbdb66e563d93a30ac51b1ac559adbd18190.patch
deleted file mode 100644
index 677647a..0000000
--- a/473ddbdb66e563d93a30ac51b1ac559adbd18190.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 473ddbdb66e563d93a30ac51b1ac559adbd18190 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy
-Date: Sep 13 2017 14:53:32 +0000
-Subject: dsinstance: Restore context after changing dse.ldif
-
-
-Fixes https://pagure.io/freeipa/issue/7150
-
-Reviewed-By: Stanislav Laznicka
-Reviewed-By: Rob Crittenden
-
----
-
-diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
-index d823635..3eeb7f7 100644
---- a/ipaserver/install/dsinstance.py
-+++ b/ipaserver/install/dsinstance.py
-@@ -596,6 +596,7 @@ class DsInstance(service.Service):
- parser.parse()
- new_dse_ldif.flush()
- shutil.copy2(temp_filename, dse_filename)
-+ tasks.restore_context(dse_filename)
- try:
- os.remove(temp_filename)
- except OSError as e:
-
diff --git a/ba4386599331cf81d222687d658f5ce54e923478.patch b/ba4386599331cf81d222687d658f5ce54e923478.patch
deleted file mode 100644
index 5960451..0000000
--- a/ba4386599331cf81d222687d658f5ce54e923478.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From ba4386599331cf81d222687d658f5ce54e923478 Mon Sep 17 00:00:00 2001
-From: Stanislav Laznicka
-Date: Sep 13 2017 10:41:36 +0000
-Subject: client: fix retrieving certs from HTTP
-
-
-We're applying bytes regex on the result of a command but were
-using decoded stdout instead of raw.
-
-https://pagure.io/freeipa/issue/7131
-
-Reviewed-By: Florence Blanc-Renaud
-
----
-
-diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
-index e971aea..8d70519 100644
---- a/ipaclient/install/client.py
-+++ b/ipaclient/install/client.py
-@@ -1615,7 +1615,7 @@ def get_ca_certs_from_http(url, warn=True):
- result = run([paths.BIN_CURL, "-o", "-", url], capture_output=True)
- except CalledProcessError:
- raise errors.NoCertificateError(entry=url)
-- stdout = result.output
-+ stdout = result.raw_output
-
- try:
- certs = x509.load_certificate_list(stdout)
-
diff --git a/freeipa.spec b/freeipa.spec
index d0fe758..497a896 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -39,8 +39,8 @@
 %global krb5_version 1.15.1-4
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.5-8
-# Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation
-%global samba_version 4.6.0-4
+# Require 4.7.0 which brings Python 3 bindings
+%global samba_version 4.7.0
 %global samba_build_version %{samba_version}
 %global selinux_policy_version 3.12.1-153
 %global slapi_nis_version 0.56.0-4
@@ -49,8 +49,8 @@
 %global krb5_version 1.15.1-7
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.16
-# Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation
-%global samba_version 2:4.6.0-4
+# Require 4.7.0 which brings Python 3 bindings
+%global samba_version 2:4.7.0
 %global samba_build_version 2:4.2.1
 %global selinux_policy_version 3.13.1-158.4
 %global slapi_nis_version 0.56.1
@@ -62,13 +62,13 @@
 %global etc_systemd_dir %{_sysconfdir}/systemd/system
 %global gettext_domain ipa

-%global VERSION 4.6.0
+%global VERSION 4.6.1

 %define _hardened_build 1

 Name: freeipa
 Version: %{VERSION}
-Release: 3%{?dist}
+Release: 1%{?dist}
 Summary: The Identity, Policy and Audit system

 Group: System Environment/Base
@@ -79,19 +79,6 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.as
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

 Patch0001: 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
-# Fix issue with password change in web UI:
-# https://github.com/freeipa/freeipa/pull/1044
-# https://bugzilla.redhat.com/show_bug.cgi?id=1488640
-Patch0002: 1044.patch
-# Restore context after changing dse.ldif in ipa-server-install
-# https://github.com/freeipa/freeipa/pull/1062
-# https://pagure.io/freeipa/c/473ddbdb66e563d93a30ac51b1ac559adbd18190
-Patch0003: 473ddbdb66e563d93a30ac51b1ac559adbd18190.patch
-# Fix issue with CA cert retrieval via HTTP (kickstart client enrolment):
-# https://github.com/freeipa/freeipa/pull/1071
-# https://pagure.io/freeipa/c/ba4386599331cf81d222687d658f5ce54e923478
-# https://bugzilla.redhat.com/show_bug.cgi?id=1491056
-Patch0004: ba4386599331cf81d222687d658f5ce54e923478.patch

 # For the timestamp trick in patch application
 BuildRequires: diffstat
@@ -186,7 +173,7 @@ BuildRequires: python-gssapi >= 1.2.0-5
 %if 0%{?fedora} >= 26
 BuildRequires: python2-pylint
 %else
-BuildRequires: pylint >= 1.6
+BuildRequires: pylint >= 1.7
 %endif
 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
 BuildRequires: python2-polib
@@ -220,12 +207,11 @@ BuildRequires: python2-jinja2
 BuildRequires: python2-augeas

 %if 0%{?with_python3}
-# FIXME: this depedency is missing - server will not work
-#BuildRequires: python3-samba
+BuildRequires: python3-samba
 # 1.6: x509.Name.rdns (https://github.com/pyca/cryptography/issues/3199)
 BuildRequires: python3-cryptography >= 1.6
 BuildRequires: python3-gssapi >= 1.2.0
-BuildRequires: python3-pylint >= 1.6
+BuildRequires: python3-pylint >= 1.7
 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
 BuildRequires: python3-polib
 BuildRequires: python3-libipa_hbac
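Review bot: The `@@ -79,19 +79,6 @@` hunk drops the Patch0002–Patch0004 declarations, but %prep is outside this diff, so it cannot be confirmed here that no explicit `%patch0002`–`%patch0004` applications remain. The surviving comment `# For the timestamp trick in patch application` suggests patches are applied in a loop rather than by number, which would make the removal self-contained; please confirm. The three deleted patch files are presumably carried by upstream 4.6.1 now, and a one-line comment after `Patch0001`, e.g. `# PR 1044, 473ddbdb and ba438659 are included in upstream 4.6.1`, would keep a later rebase from re-adding them.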
@@ -387,7 +373,7 @@ Requires: python-ldap >= 2.4.15
 Requires: python2-lxml
 Requires: python-gssapi >= 1.2.0-5
 Requires: python2-sssdconfig
-Requires: python2-pyasn1
+Requires: python2-pyasn1 >= 0.3.2-2
 Requires: dbus-python
 Requires: python2-dns >= 1.15
 Requires: python-kdcproxy >= 0.3
@@ -420,7 +406,7 @@ Requires(pre): python3-pyldap >= 2.4.35.1-2
 Requires: python3-lxml
 Requires: python3-gssapi >= 1.2.0
 Requires: python3-sssdconfig
-Requires: python3-pyasn1
+Requires: python3-pyasn1 >= 0.3.2-2
 Requires: python3-dbus
 Requires: python3-dns >= 1.15
 Requires: python3-kdcproxy >= 0.3
@@ -494,12 +480,21 @@ Summary: Virtual package to install packages required for Active Directory trust
 Group: System Environment/Base
 Requires: %{name}-server = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
-Requires: samba-python
+
 Requires: samba >= %{samba_version}
 Requires: samba-winbind
 Requires: libsss_idmap
-Requires: python-libsss_nss_idmap
-Requires: python-sss
+
+%if 0%{?with_python3}
+Requires: python3-samba
+Requires: python3-libsss_nss_idmap
+Requires: python3-sss
+%else
+Requires: python2-samba
+Requires: python2-libsss_nss_idmap
+Requires: python2-sss
+%endif # with_python3
+
 # We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5
 # on the installes where server-trust-ad subpackage is installed because
 # IPA AD trusts cannot be used at the same time with the locator plugin
@@ -699,8 +694,8 @@ Requires: python2-cryptography >= 1.6
 Requires: python-netaddr >= %{python_netaddr_version}
 Requires: python2-libipa_hbac
 Requires: python-qrcode-core >= 5.0.0
-Requires: python2-pyasn1
-Requires: python2-pyasn1-modules
+Requires: python2-pyasn1 >= 0.3.2-2
+Requires: python2-pyasn1-modules >= 0.3.2-2
 Requires: python2-dateutil
 Requires: python2-yubico >= 1.2.3
 Requires: python2-sss-murmur
@@ -748,8 +743,8 @@ Requires: python3-cryptography >= 1.6
 Requires: python3-netaddr >= %{python_netaddr_version}
 Requires: python3-libipa_hbac
 Requires: python3-qrcode-core >= 5.0.0
-Requires: python3-pyasn1
-Requires: python3-pyasn1-modules
+Requires: python3-pyasn1 >= 0.3.2-2
+Requires: python3-pyasn1-modules >= 0.3.2-2
 Requires: python3-dateutil
 # fixes searching for yubikeys in python3
 Requires: python3-yubico >= 1.3.2-7
@@ -1104,9 +1099,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/ca.crt
-/bin/touch %{buildroot}%{_usr}/share/ipa/html/kerberosauth.xpi
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con
-/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.js
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/krb5.ini
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con

@@ -1444,10 +1437,7 @@ fi
 %{_usr}/share/ipa/profiles/README
 %{_usr}/share/ipa/profiles/*.cfg
 %dir %{_usr}/share/ipa/html
-%{_usr}/share/ipa/html/ffconfig.js
-%{_usr}/share/ipa/html/ffconfig_page.js
 %{_usr}/share/ipa/html/ssbrowser.html
-%{_usr}/share/ipa/html/browserconfig.html
 %{_usr}/share/ipa/html/unauthorized.html
 %dir %{_usr}/share/ipa/migration
 %{_usr}/share/ipa/migration/error.html
@@ -1479,11 +1469,8 @@ fi
 %{_usr}/share/ipa/wsgi/plugins.py*
 %dir %{_sysconfdir}/ipa
 %dir %{_sysconfdir}/ipa/html
-%config(noreplace) %{_sysconfdir}/ipa/html/ffconfig.js
-%config(noreplace) %{_sysconfdir}/ipa/html/ffconfig_page.js
 %config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html
 %config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
-%config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
@@ -1494,9 +1481,7 @@ fi
 %{_usr}/share/ipa/ipa-rewrite.conf
 %{_usr}/share/ipa/ipa-pki-proxy.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
-%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
-%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.js
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con
 %dir %{_usr}/share/ipa/updates/
@@ -1504,7 +1489,7 @@ fi
 %dir %{_localstatedir}/lib/ipa
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/gssproxy
-%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
+%attr(711,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
 %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
 %ghost %{_localstatedir}/lib/ipa/pki-ca/publish
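Review bot: The `@@ -1504,7 +1489,7 @@` hunk loosens `%{_localstatedir}/lib/ipa/sysrestore` from 700 to 711 with no comment, and neither the commit message nor the new changelog entry mentions it, while the sibling backup, gssproxy and sysupgrade directories stay at 700. With the execute bit granted to group and others, any local account can traverse into the directory, so the saved configuration files there are protected only by their own modes, which this diff does not show. Add a comment on the %attr line stating the reason for the traversal bit and which caller needs it, e.g. `# 711 rather than 700: <caller> must traverse into sysrestore; files inside keep restrictive modes`, and note the change in the 4.6.1-1 changelog entry so the permission change is auditable.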
@@ -1726,6 +1711,10 @@ fi
 %endif # with_ipatests

 %changelog
+* Fri Sep 22 2017 Tomas Krizek - 4.6.1-1
+- Fixes #1491053 Firefox reports insecure TLS configuration when visiting FreeIPA web UI after standard server deployment
+
 * Wed Sep 13 2017 Adam Williamson - 4.6.0-3
 - Fixes #1490762 Ipa-server-install update dse.ldif with wrong SELinux context
 - Fixes #1491056 FreeIPA enrolment via kickstart fails
diff --git a/sources b/sources
index 12d99c5..5f513d1 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (freeipa-4.6.0.tar.gz) = 4719fb821b74b76b8159cf9866c386a265e7d821cec70f008c9cf4ad9df9ee9362ca058a59a323e1151660a29938c9c6eb928b922a355bdc49c8b72f33a5dd8f
-SHA512 (freeipa-4.6.0.tar.gz.asc) = 4bf540a36a8c667d1b130bfe6de54eed8d7fdc860089762c91f823af878af1e53acd2032f6fd1518c76e56ac39ca740875c85e81cf4bd41919498ce15333b26e
+SHA512 (freeipa-4.6.1.tar.gz) = 0b2a1bacf8462f92b366c73111b3b04b67f6b9bd4b57a3fd69bd1b531e3d78f26f8fe53dee48b167f2c2803990c8687e8b72c2f85be36b69b3057c2a71e8bfd4
+SHA512 (freeipa-4.6.1.tar.gz.asc) = c1164f7a4e1cfea1d6b7da38a024ba92eee7e3dea52783d691926e8874588f964be27e47754369494afc70bd64aa7b400f5918c11bc7a782c50d15693d4ad245