From d16eb0d75616daa1cd6ea6be849d6615f3f31eaf Mon Sep 17 00:00:00 2001
From: Petr Vobornik
Date: Thu, 13 Oct 2016 16:48:06 +0200
Subject: [PATCH] Update to upstream 4.4.2
---
 .gitignore | 1 +
 ...de-do-not-fail-when-DNS-server-did-n.patch | 62 ----------
 ...permission-check-bypass-CVE-2016-540.patch | 115 ------------------
 ...pa-kdb-Allow-to-build-with-samba-4.5.patch | 88 --------------
 freeipa.spec | 12 +-
 sources | 3 +-
 6 files changed, 10 insertions(+), 271 deletions(-)
 delete mode 100644 0002-DNS-server-upgrade-do-not-fail-when-DNS-server-did-n.patch
 delete mode 100644 0003-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch
 delete mode 100644 0004-ipa-kdb-Allow-to-build-with-samba-4.5.patch
diff --git a/.gitignore b/.gitignore
index 037e89b..471692b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -45,3 +45,4 @@
 /freeipa-4.3.1.tar.gz
 /freeipa-4.3.2.tar.gz
 /freeipa-4.4.1.tar.gz
+/freeipa-4.4.2.tar.gz
diff --git a/0002-DNS-server-upgrade-do-not-fail-when-DNS-server-did-n.patch b/0002-DNS-server-upgrade-do-not-fail-when-DNS-server-did-n.patch
deleted file mode 100644
index 592ebb4..0000000
--- a/0002-DNS-server-upgrade-do-not-fail-when-DNS-server-did-n.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 27534f8d7294536364147b18b76ecb2bac67870f Mon Sep 17 00:00:00 2001
-From: Petr Spacek
-Date: Thu, 11 Aug 2016 13:44:29 +0200
-Subject: [PATCH] DNS server upgrade: do not fail when DNS server did not
- respond
-
-Previously, update_dnsforward_emptyzones failed with an exeception if
-DNS query failed for some reason. Now the error is logged and upgrade
-continues.
-
-I assume that this is okay because the DNS query is used as heuristics
-of last resort in the upgrade logic and failure to do so should not have
-catastrophics consequences: In the worst case, the admin needs to
-manually change forwarding policy from 'first' to 'only'.
-
-In the end I have decided not to auto-start BIND because BIND depends on
-GSSAPI for authentication, which in turn depends on KDC ... Alternative
-like reconfiguring BIND to use LDAPI+EXTERNAL and reconfiguring DS to
-accept LDAP external bind from named user are too complicated.
-
-https://fedorahosted.org/freeipa/ticket/6205
-
-Reviewed-By: Martin Basti
----
 ipaserver/install/plugins/dns.py | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py
-index 873dbd0..6f67f98 100644
---- a/ipaserver/install/plugins/dns.py
-+++ b/ipaserver/install/plugins/dns.py
-@@ -17,6 +17,9 @@
- # You should have received a copy of the GNU General Public License
- # along with this program. If not, see .
-
-+from __future__ import absolute_import
-+
-+import dns.exception
- import ldap as _ldap
- import re
- import traceback
-@@ -489,8 +492,15 @@ class update_dnsforward_emptyzones(DNSUpdater):
- self.api.Command['dnsconfig_mod'](ipadnsversion=2)
-
- self.update_zones()
-- if dnsutil.has_empty_zone_addresses(self.api.env.host):
-- self.update_global_ldap_forwarder()
-+ try:
-+ if dnsutil.has_empty_zone_addresses(self.api.env.host):
-+ self.update_global_ldap_forwarder()
-+ except dns.exception.DNSException as ex:
-+ self.log.error('Skipping update of global DNS forwarder in LDAP: '
-+ 'Unable to determine if local server is using an '
-+ 'IP address belonging to an automatic empty zone. '
-+ 'Consider changing forwarding policy to "only". '
-+ 'DNS exception: %s', ex)
-
- return False, []
-
--
-2.5.5
-
diff --git a/0003-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch b/0003-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch
deleted file mode 100644
index 142e2d2..0000000
--- a/0003-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From d68f99203c5bab33e8bc4af6becea57e0736bbc5 Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale
-Date: Thu, 30 Jun 2016 10:21:01 +1000
-Subject: [PATCH] cert-revoke: fix permission check bypass (CVE-2016-5404)
-
-The 'cert_revoke' command checks the 'revoke certificate'
-permission, however, if an ACIError is raised, it then invokes the
-'cert_show' command. The rational was to re-use a "host manages
-certificate" check that is part of the 'cert_show' command, however,
-it is sufficient that 'cert_show' executes successfully for
-'cert_revoke' to recover from the ACIError continue. Therefore,
-anyone with 'retrieve certificate' permission can revoke *any*
-certificate and cause various kinds of DoS.
-
-Fix the problem by extracting the "host manages certificate" check
-to its own method and explicitly calling it from 'cert_revoke'.
-
-Fixes: https://fedorahosted.org/freeipa/ticket/6232
---
- ipalib/plugins/cert.py | 49 +++++++++++++++++++++++++++++++------------------
- 1 file changed, 31 insertions(+), 18 deletions(-)
-
-diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
-index b4ea2feae5de9ffc020709092f79791d99472ffc..f257088e2d45a0c991cce68222577dbe212415d9 100644
---- a/ipalib/plugins/cert.py
-+++ b/ipalib/plugins/cert.py
-@@ -243,6 +243,25 @@ def caacl_check(principal_type, principal_string, ca, profile_id):
- )
- )
-
-+
-+def bind_principal_can_manage_cert(cert):
-+ """Check that the bind principal can manage the given cert.
-+
-+ ``cert``
-+ An NSS certificate object.
-+
-+ """
-+ bind_principal = getattr(context, 'principal')
-+ if not bind_principal.startswith('host/'):
-+ return False
-+
-+ hostname = get_host_from_principal(bind_principal)
-+
-+ # If we have a hostname we want to verify that the subject
-+ # of the certificate matches it.
-+ return hostname == cert.subject.common_name #pylint: disable=E1101
-+
-+
- @register()
- class cert_request(VirtualCommand):
- __doc__ = _('Submit a certificate signing request.')
-@@ -608,29 +627,23 @@ class cert_show(VirtualCommand):
-
- def execute(self, serial_number, **options):
- ca_enabled_check()
-- hostname = None
-- try:
-- self.check_access()
-- except errors.ACIError as acierr:
-- self.debug("Not granted by ACI to retrieve certificate, looking at principal")
-- bind_principal = getattr(context, 'principal')
-- if not bind_principal.startswith('host/'):
-- raise acierr
-- hostname = get_host_from_principal(bind_principal)
-
- result=self.Backend.ra.get_certificate(serial_number)
- cert = x509.load_certificate(result['certificate'])
-+
-+ try:
-+ self.check_access()
-+ except errors.ACIError as acierr:
-+ self.debug("Not granted by ACI to retrieve certificate, looking at principal")
-+ if not bind_principal_can_manage_cert(cert):
-+ raise acierr # pylint: disable=E0702
-+
- result['subject'] = unicode(cert.subject)
- result['issuer'] = unicode(cert.issuer)
- result['valid_not_before'] = unicode(cert.valid_not_before_str)
- result['valid_not_after'] = unicode(cert.valid_not_after_str)
- result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
- result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
-- if hostname:
-- # If we have a hostname we want to verify that the subject
-- # of the certificate matches it, otherwise raise an error
-- if hostname != cert.subject.common_name: #pylint: disable=E1101
-- raise acierr
-
- return dict(result=result)
-
-@@ -676,17 +689,17 @@ class cert_revoke(VirtualCommand):
-
- def execute(self, serial_number, **kw):
- ca_enabled_check()
-- hostname = None
- try:
- self.check_access()
- except errors.ACIError as acierr:
- self.debug("Not granted by ACI to revoke certificate, looking at principal")
- try:
-- # Let cert_show() handle verifying that the
subject of the
-- # cert we're dealing with matches the hostname in the principal
- result = api.Command['cert_show'](unicode(serial_number))['result']
-+ cert = x509.load_certificate(result['certificate'])
-+ if not bind_principal_can_manage_cert(cert):
-+ raise acierr
- except errors.NotImplementedError:
-- pass
-+ raise acierr
- revocation_reason = kw['revocation_reason']
- if revocation_reason == 7:
- raise errors.CertificateOperationError(error=_('7 is not a valid revocation reason'))
---
-2.5.5
-
diff --git a/0004-ipa-kdb-Allow-to-build-with-samba-4.5.patch b/0004-ipa-kdb-Allow-to-build-with-samba-4.5.patch
deleted file mode 100644
index 850fc65..0000000
--- a/0004-ipa-kdb-Allow-to-build-with-samba-4.5.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From d5e08d714d47b24da9dcb413cdbbf67d0b66ba45 Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik
-Date: Fri, 5 Aug 2016 08:29:27 +0200
-Subject: [PATCH] ipa-kdb: Allow to build with samba 4.5
-
-daemons/ipa-kdb/ipa_kdb_mspac.c: In function 'filter_logon_info':
-daemons/ipa-kdb/ipa_kdb_mspac.c:1536:19: error: 'struct PAC_LOGON_INFO'
- has no member named 'res_group_dom_sid'
- if (info->info->res_group_dom_sid != NULL &&
- ^~
-daemons/ipa-kdb/ipa_kdb_mspac.c:1537:19: error: 'struct PAC_LOGON_INFO'
- has no member named 'res_groups'; did you mean 'resource_groups'?
- info->info->res_groups.count != 0) {
- ^~
-mv -f .deps/ipa_kdb_delegation.Tpo .deps/ipa_kdb_delegation.Plo
-Makefile:806: recipe for target 'ipa_kdb_mspac.lo' failed
-make[3]: *** [ipa_kdb_mspac.lo] Error 1
-make[3]: *** Waiting for unfinished jobs....
-
-Related change in samba
-https://github.com/samba-team/samba/commit/4406cf792a599724f55777a45efb6367a9bd92b2
-
-Resolves:
-https://fedorahosted.org/freeipa/ticket/6173
-
-Reviewed-By: Alexander Bokovoy
---
- daemons/configure.ac | 12 ++++++++++++
- daemons/ipa-kdb/ipa_kdb_mspac.c | 9 +++++++++
- 2 files changed, 21 insertions(+)
-
-diff --git a/daemons/configure.ac b/daemons/configure.ac
-index f2eebee..9789f68 100644
---- a/daemons/configure.ac
-+++ b/daemons/configure.ac
-@@ -170,6 +170,18 @@ PKG_CHECK_MODULES([SAMBAUTIL], [samba-util])
- SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba -Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba"
- AC_SUBST(SAMBA40EXTRA_LIBPATH)
-
-+bck_cflags="$CFLAGS"
-+CFLAGS="$NDRPAC_CFLAGS"
-+AC_CHECK_MEMBER(
-+ [struct PAC_DOMAIN_GROUP_MEMBERSHIP.domain_sid],
-+ [AC_DEFINE([HAVE_STRUCT_PAC_DOMAIN_GROUP_MEMBERSHIP], [1],
-+ [struct PAC_DOMAIN_GROUP_MEMBERSHIP is available.])],
-+ [AC_MSG_NOTICE([struct PAC_DOMAIN_GROUP_MEMBERSHIP is not available])],
-+ [[#include
-+ #include ]])
-+
-+CFLAGS="$bck_cflags"
-+
- LIBPDB_NAME=""
- AC_CHECK_LIB([samba-passdb],
-
[make_pdb_method],
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index 638069e..484479b 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac.c
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -20,6 +20,8 @@
- * along with this program. If not, see .
- */
-
-+#include "config.h"
-+
- #include "ipa_kdb.h"
- #include "ipa_mspac.h"
- #include
-@@ -1533,10 +1535,17 @@ krb5_error_code filter_logon_info(krb5_context context,
-
- /* According to MS-KILE, ResourceGroups must be zero, so check
- * that it is the case here */
-+#ifdef HAVE_STRUCT_PAC_DOMAIN_GROUP_MEMBERSHIP
-+ if (info->info->resource_groups.domain_sid != NULL &&
-+ info->info->resource_groups.groups.count != 0) {
-+ return EINVAL;
-+ }
-+#else
- if (info->info->res_group_dom_sid != NULL &&
- info->info->res_groups.count != 0) {
- return EINVAL;
- }
-+#endif
-
- return 0;
- }
---
-2.5.5
-
diff --git a/freeipa.spec b/freeipa.spec
index f29622a..ad77fd3 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -32,7 +32,7 @@
 %global platform_module fedora
 %endif
-%global VERSION 4.4.1
+%global VERSION 4.4.2
 %define _hardened_build 1
@@ -168,8 +168,8 @@ Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
 Requires: slapi-nis >= %{slapi_nis_version}
-Requires: pki-ca >= 10.3.3-3
-Requires: pki-kra >= 10.3.3-3
+Requires: pki-ca >= 10.3.5-6
+Requires: pki-kra >= 10.3.5-6
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: zip
@@ -333,7 +333,6 @@ Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: krb5-workstation
 Requires: authconfig
-Requires: pam_krb5
 Requires: curl
 # NIS domain name config: /usr/lib/systemd/system/*-domainname.service
 Requires: initscripts
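Review bot: The three backport patch files are deleted, yet the visible spec hunks remove no `Patch:` or `%patch` line (the spec's four deletions are `%global VERSION 4.4.1`, the two `pki-*` floors and `pam_krb5`, matching the `12 +-` diffstat), so either the 4.4.1-1 spec never applied those patches or the references live in an unchanged part of the spec and the build would now fail on a missing patch file; worth confirming which before pushing. One of the dropped files is the CVE-2016-5404 `cert-revoke` permission-check bypass fix (upstream d68f99203c5bab33e8bc4af6becea57e0736bbc5), so the bump should be accompanied by a check that the 4.4.2 tarball carries that commit, and the `%changelog` entry should say so, e.g. `- Drop backports merged upstream, including the CVE-2016-5404 cert-revoke fix`. The `pki-ca`/`pki-kra` floor moves from 10.3.3-3 to 10.3.5-6 with no reason given; a one-line comment above those `Requires:` lines naming the PKI change 4.4.2 depends on would spare the next maintainer a bisect.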
@@ -606,6 +605,7 @@ Requires: python-pytest-multihost >= 0.5
 Requires: python-pytest-sourceorder
 Requires: ldns-utils
 Requires: python-sssdconfig
+Requires: python2-cryptography
 Provides: %{alt_name}-tests = %{version}
 Conflicts: %{alt_name}-tests
@@ -639,6 +639,7 @@ Requires: python3-pytest-multihost >= 0.5
 Requires: python3-pytest-sourceorder
 Requires: ldns-utils
 Requires: python3-sssdconfig
+Requires: python3-cryptography
 %description -n python3-ipatests
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -1474,6 +1475,9 @@ fi
 %endif # ONLY_CLIENT
 %changelog
+* Thu Oct 13 2016 Petr Vobornik - 4.4.2-1
+- Update to upstream 4.4.2 - see http://www.freeipa.org/page/Releases/4.4.2
+
 * Thu Sep 01 2016 Alexander Bokovoy - 4.4.1-1
 - Update to upstream 4.4.1 - see http://www.freeipa.org/page/Releases/4.4.1
diff --git a/sources
index 2ea5aa7..244ebc9 100644
--- a/sources
+++ b/sources
@@ -1,2 +1 @@
-419d87905223df25fb76e7829abd4c36 freeipa-4.3.2.tar.gz
-b235784cc2e3cc430a930e7ed52947a2 freeipa-4.4.1.tar.gz
+d8eeb580de58d9230724b40575270bc4 freeipa-4.4.2.tar.gz