rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to upstream 4.4.2

Browse Source
This commit is contained in:
Petr Vobornik 2016-10-13 16:48:06 +02:00
parent 070313822d
commit d16eb0d756
6 changed files with 10 additions and 271 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -45,3 +45,4 @@
/freeipa-4.3.1.tar.gz
/freeipa-4.3.2.tar.gz
/freeipa-4.4.1.tar.gz
/freeipa-4.4.2.tar.gz

62
0002-DNS-server-upgrade-do-not-fail-when-DNS-server-did-n.patch
View File

@ -1,62 +0,0 @@
From 27534f8d7294536364147b18b76ecb2bac67870f Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspacek@redhat.com>
Date: Thu, 11 Aug 2016 13:44:29 +0200
Subject: [PATCH] DNS server upgrade: do not fail when DNS server did not
respond
Previously, update_dnsforward_emptyzones failed with an exeception if
DNS query failed for some reason. Now the error is logged and upgrade
continues.
I assume that this is okay because the DNS query is used as heuristics
of last resort in the upgrade logic and failure to do so should not have
catastrophics consequences: In the worst case, the admin needs to
manually change forwarding policy from 'first' to 'only'.
In the end I have decided not to auto-start BIND because BIND depends on
GSSAPI for authentication, which in turn depends on KDC ... Alternative
like reconfiguring BIND to use LDAPI+EXTERNAL and reconfiguring DS to
accept LDAP external bind from named user are too complicated.
https://fedorahosted.org/freeipa/ticket/6205
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
ipaserver/install/plugins/dns.py | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py
index 873dbd0..6f67f98 100644
--- a/ipaserver/install/plugins/dns.py
+++ b/ipaserver/install/plugins/dns.py
@@ -17,6 +17,9 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+from __future__ import absolute_import
+
+import dns.exception
import ldap as _ldap
import re
import traceback
@@ -489,8 +492,15 @@ class update_dnsforward_emptyzones(DNSUpdater):
self.api.Command['dnsconfig_mod'](ipadnsversion=2)
self.update_zones()
- if dnsutil.has_empty_zone_addresses(self.api.env.host):
- self.update_global_ldap_forwarder()
+ try:
+ if dnsutil.has_empty_zone_addresses(self.api.env.host):
+ self.update_global_ldap_forwarder()
+ except dns.exception.DNSException as ex:
+ self.log.error('Skipping update of global DNS forwarder in LDAP: '
+ 'Unable to determine if local server is using an '
+ 'IP address belonging to an automatic empty zone. '
+ 'Consider changing forwarding policy to "only". '
+ 'DNS exception: %s', ex)
return False, []
--
2.5.5

115
0003-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch
View File

@ -1,115 +0,0 @@
From d68f99203c5bab33e8bc4af6becea57e0736bbc5 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Thu, 30 Jun 2016 10:21:01 +1000
Subject: [PATCH] cert-revoke: fix permission check bypass (CVE-2016-5404)
The 'cert_revoke' command checks the 'revoke certificate'
permission, however, if an ACIError is raised, it then invokes the
'cert_show' command. The rational was to re-use a "host manages
certificate" check that is part of the 'cert_show' command, however,
it is sufficient that 'cert_show' executes successfully for
'cert_revoke' to recover from the ACIError continue. Therefore,
anyone with 'retrieve certificate' permission can revoke *any*
certificate and cause various kinds of DoS.
Fix the problem by extracting the "host manages certificate" check
to its own method and explicitly calling it from 'cert_revoke'.
Fixes: https://fedorahosted.org/freeipa/ticket/6232
---
ipalib/plugins/cert.py | 49 +++++++++++++++++++++++++++++++------------------
1 file changed, 31 insertions(+), 18 deletions(-)
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index b4ea2feae5de9ffc020709092f79791d99472ffc..f257088e2d45a0c991cce68222577dbe212415d9 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -243,6 +243,25 @@ def caacl_check(principal_type, principal_string, ca, profile_id):
)
)
+
+def bind_principal_can_manage_cert(cert):
+ """Check that the bind principal can manage the given cert.
+
+ ``cert``
+ An NSS certificate object.
+
+ """
+ bind_principal = getattr(context, 'principal')
+ if not bind_principal.startswith('host/'):
+ return False
+
+ hostname = get_host_from_principal(bind_principal)
+
+ # If we have a hostname we want to verify that the subject
+ # of the certificate matches it.
+ return hostname == cert.subject.common_name #pylint: disable=E1101
+
+
@register()
class cert_request(VirtualCommand):
__doc__ = _('Submit a certificate signing request.')
@@ -608,29 +627,23 @@ class cert_show(VirtualCommand):
def execute(self, serial_number, **options):
ca_enabled_check()
- hostname = None
- try:
- self.check_access()
- except errors.ACIError as acierr:
- self.debug("Not granted by ACI to retrieve certificate, looking at principal")
- bind_principal = getattr(context, 'principal')
- if not bind_principal.startswith('host/'):
- raise acierr
- hostname = get_host_from_principal(bind_principal)
result=self.Backend.ra.get_certificate(serial_number)
cert = x509.load_certificate(result['certificate'])
+
+ try:
+ self.check_access()
+ except errors.ACIError as acierr:
+ self.debug("Not granted by ACI to retrieve certificate, looking at principal")
+ if not bind_principal_can_manage_cert(cert):
+ raise acierr # pylint: disable=E0702
+
result['subject'] = unicode(cert.subject)
result['issuer'] = unicode(cert.issuer)
result['valid_not_before'] = unicode(cert.valid_not_before_str)
result['valid_not_after'] = unicode(cert.valid_not_after_str)
result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
- if hostname:
- # If we have a hostname we want to verify that the subject
- # of the certificate matches it, otherwise raise an error
- if hostname != cert.subject.common_name: #pylint: disable=E1101
- raise acierr
return dict(result=result)
@@ -676,17 +689,17 @@ class cert_revoke(VirtualCommand):
def execute(self, serial_number, **kw):
ca_enabled_check()
- hostname = None
try:
self.check_access()
except errors.ACIError as acierr:
self.debug("Not granted by ACI to revoke certificate, looking at principal")
try:
- # Let cert_show() handle verifying that the subject of the
- # cert we're dealing with matches the hostname in the principal
result = api.Command['cert_show'](unicode(serial_number))['result']
+ cert = x509.load_certificate(result['certificate'])
+ if not bind_principal_can_manage_cert(cert):
+ raise acierr
except errors.NotImplementedError:
- pass
+ raise acierr
revocation_reason = kw['revocation_reason']
if revocation_reason == 7:
raise errors.CertificateOperationError(error=_('7 is not a valid revocation reason'))
--
2.5.5

88
0004-ipa-kdb-Allow-to-build-with-samba-4.5.patch
View File

@ -1,88 +0,0 @@
From d5e08d714d47b24da9dcb413cdbbf67d0b66ba45 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Fri, 5 Aug 2016 08:29:27 +0200
Subject: [PATCH] ipa-kdb: Allow to build with samba 4.5
daemons/ipa-kdb/ipa_kdb_mspac.c: In function 'filter_logon_info':
daemons/ipa-kdb/ipa_kdb_mspac.c:1536:19: error: 'struct PAC_LOGON_INFO'
has no member named 'res_group_dom_sid'
if (info->info->res_group_dom_sid != NULL &&
^~
daemons/ipa-kdb/ipa_kdb_mspac.c:1537:19: error: 'struct PAC_LOGON_INFO'
has no member named 'res_groups'; did you mean 'resource_groups'?
info->info->res_groups.count != 0) {
^~
mv -f .deps/ipa_kdb_delegation.Tpo .deps/ipa_kdb_delegation.Plo
Makefile:806: recipe for target 'ipa_kdb_mspac.lo' failed
make[3]: *** [ipa_kdb_mspac.lo] Error 1
make[3]: *** Waiting for unfinished jobs....
Related change in samba
https://github.com/samba-team/samba/commit/4406cf792a599724f55777a45efb6367a9bd92b2
Resolves:
https://fedorahosted.org/freeipa/ticket/6173
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/configure.ac | 12 ++++++++++++
daemons/ipa-kdb/ipa_kdb_mspac.c | 9 +++++++++
2 files changed, 21 insertions(+)
diff --git a/daemons/configure.ac b/daemons/configure.ac
index f2eebee..9789f68 100644
--- a/daemons/configure.ac
+++ b/daemons/configure.ac
@@ -170,6 +170,18 @@ PKG_CHECK_MODULES([SAMBAUTIL], [samba-util])
SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba -Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba"
AC_SUBST(SAMBA40EXTRA_LIBPATH)
+bck_cflags="$CFLAGS"
+CFLAGS="$NDRPAC_CFLAGS"
+AC_CHECK_MEMBER(
+ [struct PAC_DOMAIN_GROUP_MEMBERSHIP.domain_sid],
+ [AC_DEFINE([HAVE_STRUCT_PAC_DOMAIN_GROUP_MEMBERSHIP], [1],
+ [struct PAC_DOMAIN_GROUP_MEMBERSHIP is available.])],
+ [AC_MSG_NOTICE([struct PAC_DOMAIN_GROUP_MEMBERSHIP is not available])],
+ [[#include <ndr.h>
+ #include <gen_ndr/krb5pac.h>]])
+
+CFLAGS="$bck_cflags"
+
LIBPDB_NAME=""
AC_CHECK_LIB([samba-passdb],
[make_pdb_method],
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 638069e..484479b 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -20,6 +20,8 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
+#include "config.h"
+
#include "ipa_kdb.h"
#include "ipa_mspac.h"
#include <talloc.h>
@@ -1533,10 +1535,17 @@ krb5_error_code filter_logon_info(krb5_context context,
/* According to MS-KILE, ResourceGroups must be zero, so check
* that it is the case here */
+#ifdef HAVE_STRUCT_PAC_DOMAIN_GROUP_MEMBERSHIP
+ if (info->info->resource_groups.domain_sid != NULL &&
+ info->info->resource_groups.groups.count != 0) {
+ return EINVAL;
+ }
+#else
if (info->info->res_group_dom_sid != NULL &&
info->info->res_groups.count != 0) {
return EINVAL;
}
+#endif
return 0;
}
--
2.5.5

12
freeipa.spec
View File

@ -32,7 +32,7 @@
%global platform_module fedora
%endif
%global VERSION 4.4.1
%global VERSION 4.4.2
%define _hardened_build 1
@ -168,8 +168,8 @@ Requires(post): systemd-units
Requires: selinux-policy >= %{selinux_policy_version}
Requires(post): selinux-policy-base >= %{selinux_policy_version}
Requires: slapi-nis >= %{slapi_nis_version}
Requires: pki-ca >= 10.3.3-3
Requires: pki-kra >= 10.3.3-3
Requires: pki-ca >= 10.3.5-6
Requires: pki-kra >= 10.3.5-6
Requires(preun): python systemd-units
Requires(postun): python systemd-units
Requires: zip
@ -333,7 +333,6 @@ Requires: cyrus-sasl-gssapi%{?_isa}
Requires: ntp
Requires: krb5-workstation
Requires: authconfig
Requires: pam_krb5
Requires: curl
# NIS domain name config: /usr/lib/systemd/system/*-domainname.service
Requires: initscripts
@ -606,6 +605,7 @@ Requires: python-pytest-multihost >= 0.5
Requires: python-pytest-sourceorder
Requires: ldns-utils
Requires: python-sssdconfig
Requires: python2-cryptography
Provides: %{alt_name}-tests = %{version}
Conflicts: %{alt_name}-tests
@ -639,6 +639,7 @@ Requires: python3-pytest-multihost >= 0.5
Requires: python3-pytest-sourceorder
Requires: ldns-utils
Requires: python3-sssdconfig
Requires: python3-cryptography
%description -n python3-ipatests
IPA is an integrated solution to provide centrally managed Identity (users,
@ -1474,6 +1475,9 @@ fi
%endif # ONLY_CLIENT
%changelog
* Thu Oct 13 2016 Petr Vobornik <pvoborni@redhat.com> - 4.4.2-1
- Update to upstream 4.4.2 - see http://www.freeipa.org/page/Releases/4.4.2
* Thu Sep 01 2016 Alexander Bokovoy <abokovoy@redhat.com> - 4.4.1-1
- Update to upstream 4.4.1 - see http://www.freeipa.org/page/Releases/4.4.1

3
sources
View File

@ -1,2 +1 @@
419d87905223df25fb76e7829abd4c36 freeipa-4.3.2.tar.gz
b235784cc2e3cc430a930e7ed52947a2 freeipa-4.4.1.tar.gz
d8eeb580de58d9230724b40575270bc4 freeipa-4.4.2.tar.gz