Update to upstream 4.4.2

2016-10-13 16:48:06 +02:00 · 2016-10-13 16:48:06 +02:00 · d16eb0d756
commit d16eb0d756
parent 070313822d
6 changed files with 10 additions and 271 deletions
--- a/.gitignore
+++ b/.gitignore
@ -45,3 +45,4 @@
 /freeipa-4.3.1.tar.gz
 /freeipa-4.3.2.tar.gz
 /freeipa-4.4.1.tar.gz
 /freeipa-4.4.2.tar.gz
--- a/0002-DNS-server-upgrade-do-not-fail-when-DNS-server-did-n.patch
+++ b/0002-DNS-server-upgrade-do-not-fail-when-DNS-server-did-n.patch
@ -1,62 +0,0 @@
 From 27534f8d7294536364147b18b76ecb2bac67870f Mon Sep 17 00:00:00 2001
 From: Petr Spacek <pspacek@redhat.com>
 Date: Thu, 11 Aug 2016 13:44:29 +0200
 Subject: [PATCH] DNS server upgrade: do not fail when DNS server did not
 respond
 Previously, update_dnsforward_emptyzones failed with an exeception if
 DNS query failed for some reason. Now the error is logged and upgrade
 continues.
 I assume that this is okay because the DNS query is used as heuristics
 of last resort in the upgrade logic and failure to do so should not have
 catastrophics consequences: In the worst case, the admin needs to
 manually change forwarding policy from 'first' to 'only'.
 In the end I have decided not to auto-start BIND because BIND depends on
 GSSAPI for authentication, which in turn depends on KDC ... Alternative
 like reconfiguring BIND to use LDAPI+EXTERNAL and reconfiguring DS to
 accept LDAP external bind from named user are too complicated.
 https://fedorahosted.org/freeipa/ticket/6205
 Reviewed-By: Martin Basti <mbasti@redhat.com>
 ---
 ipaserver/install/plugins/dns.py | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
 diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py
 index 873dbd0..6f67f98 100644
 --- a/ipaserver/install/plugins/dns.py
 +++ b/ipaserver/install/plugins/dns.py
@@ -17,6 +17,9 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 +from __future__ import absolute_import
 +
 +import dns.exception
 import ldap as _ldap
 import re
 import traceback
@@ -489,8 +492,15 @@ class update_dnsforward_emptyzones(DNSUpdater):
         self.api.Command['dnsconfig_mod'](ipadnsversion=2)
         self.update_zones()
 -        if dnsutil.has_empty_zone_addresses(self.api.env.host):
 -            self.update_global_ldap_forwarder()
 +        try:
 +            if dnsutil.has_empty_zone_addresses(self.api.env.host):
 +                self.update_global_ldap_forwarder()
 +        except dns.exception.DNSException as ex:
 +            self.log.error('Skipping update of global DNS forwarder in LDAP: '
 +                           'Unable to determine if local server is using an '
 +                           'IP address belonging to an automatic empty zone. '
 +                           'Consider changing forwarding policy to "only". '
 +                           'DNS exception: %s', ex)
         return False, []
 -- 
 2.5.5
--- a/0003-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch
+++ b/0003-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch
@ -1,115 +0,0 @@
 From d68f99203c5bab33e8bc4af6becea57e0736bbc5 Mon Sep 17 00:00:00 2001
 From: Fraser Tweedale <ftweedal@redhat.com>
 Date: Thu, 30 Jun 2016 10:21:01 +1000
 Subject: [PATCH] cert-revoke: fix permission check bypass (CVE-2016-5404)
 The 'cert_revoke' command checks the 'revoke certificate'
 permission, however, if an ACIError is raised, it then invokes the
 'cert_show' command.  The rational was to re-use a "host manages
 certificate" check that is part of the 'cert_show' command, however,
 it is sufficient that 'cert_show' executes successfully for
 'cert_revoke' to recover from the ACIError continue.  Therefore,
 anyone with 'retrieve certificate' permission can revoke *any*
 certificate and cause various kinds of DoS.
 Fix the problem by extracting the "host manages certificate" check
 to its own method and explicitly calling it from 'cert_revoke'.
 Fixes: https://fedorahosted.org/freeipa/ticket/6232
 ---
 ipalib/plugins/cert.py | 49 +++++++++++++++++++++++++++++++------------------
 1 file changed, 31 insertions(+), 18 deletions(-)
 diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
 index b4ea2feae5de9ffc020709092f79791d99472ffc..f257088e2d45a0c991cce68222577dbe212415d9 100644
 --- a/ipalib/plugins/cert.py
 +++ b/ipalib/plugins/cert.py
@@ -243,6 +243,25 @@ def caacl_check(principal_type, principal_string, ca, profile_id):
             )
         )
 +
 +def bind_principal_can_manage_cert(cert):
 +    """Check that the bind principal can manage the given cert.
 +
 +    ``cert``
 +        An NSS certificate object.
 +
 +    """
 +    bind_principal = getattr(context, 'principal')
 +    if not bind_principal.startswith('host/'):
 +        return False
 +
 +    hostname = get_host_from_principal(bind_principal)
 +
 +    # If we have a hostname we want to verify that the subject
 +    # of the certificate matches it.
 +    return hostname == cert.subject.common_name  #pylint: disable=E1101
 +
 +
 @register()
 class cert_request(VirtualCommand):
     __doc__ = _('Submit a certificate signing request.')
@@ -608,29 +627,23 @@ class cert_show(VirtualCommand):
     def execute(self, serial_number, **options):
         ca_enabled_check()
 -        hostname = None
 -        try:
 -            self.check_access()
 -        except errors.ACIError as acierr:
 -            self.debug("Not granted by ACI to retrieve certificate, looking at principal")
 -            bind_principal = getattr(context, 'principal')
 -            if not bind_principal.startswith('host/'):
 -                raise acierr
 -            hostname = get_host_from_principal(bind_principal)
         result=self.Backend.ra.get_certificate(serial_number)
         cert = x509.load_certificate(result['certificate'])
 +
 +        try:
 +            self.check_access()
 +        except errors.ACIError as acierr:
 +            self.debug("Not granted by ACI to retrieve certificate, looking at principal")
 +            if not bind_principal_can_manage_cert(cert):
 +                raise acierr  # pylint: disable=E0702
 +
         result['subject'] = unicode(cert.subject)
         result['issuer'] = unicode(cert.issuer)
         result['valid_not_before'] = unicode(cert.valid_not_before_str)
         result['valid_not_after'] = unicode(cert.valid_not_after_str)
         result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
         result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
 -        if hostname:
 -            # If we have a hostname we want to verify that the subject
 -            # of the certificate matches it, otherwise raise an error
 -            if hostname != cert.subject.common_name:    #pylint: disable=E1101
 -                raise acierr
         return dict(result=result)
@@ -676,17 +689,17 @@ class cert_revoke(VirtualCommand):
     def execute(self, serial_number, **kw):
         ca_enabled_check()
 -        hostname = None
         try:
             self.check_access()
         except errors.ACIError as acierr:
             self.debug("Not granted by ACI to revoke certificate, looking at principal")
             try:
 -                # Let cert_show() handle verifying that the subject of the
 -                # cert we're dealing with matches the hostname in the principal
                 result = api.Command['cert_show'](unicode(serial_number))['result']
 +                cert = x509.load_certificate(result['certificate'])
 +                if not bind_principal_can_manage_cert(cert):
 +                    raise acierr
             except errors.NotImplementedError:
 -                pass
 +                raise acierr
         revocation_reason = kw['revocation_reason']
         if revocation_reason == 7:
             raise errors.CertificateOperationError(error=_('7 is not a valid revocation reason'))
 -- 
 2.5.5
--- a/0004-ipa-kdb-Allow-to-build-with-samba-4.5.patch
+++ b/0004-ipa-kdb-Allow-to-build-with-samba-4.5.patch
@ -1,88 +0,0 @@
 From d5e08d714d47b24da9dcb413cdbbf67d0b66ba45 Mon Sep 17 00:00:00 2001
 From: Lukas Slebodnik <lslebodn@redhat.com>
 Date: Fri, 5 Aug 2016 08:29:27 +0200
 Subject: [PATCH] ipa-kdb: Allow to build with samba 4.5
 daemons/ipa-kdb/ipa_kdb_mspac.c: In function 'filter_logon_info':
 daemons/ipa-kdb/ipa_kdb_mspac.c:1536:19: error: 'struct PAC_LOGON_INFO'
  has no member named 'res_group_dom_sid'
     if (info->info->res_group_dom_sid != NULL &&
                   ^~
 daemons/ipa-kdb/ipa_kdb_mspac.c:1537:19: error: 'struct PAC_LOGON_INFO'
  has no member named 'res_groups'; did you mean 'resource_groups'?
         info->info->res_groups.count != 0) {
                   ^~
 mv -f .deps/ipa_kdb_delegation.Tpo .deps/ipa_kdb_delegation.Plo
 Makefile:806: recipe for target 'ipa_kdb_mspac.lo' failed
 make[3]: *** [ipa_kdb_mspac.lo] Error 1
 make[3]: *** Waiting for unfinished jobs....
 Related change in samba
 https://github.com/samba-team/samba/commit/4406cf792a599724f55777a45efb6367a9bd92b2
 Resolves:
 https://fedorahosted.org/freeipa/ticket/6173
 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 ---
 daemons/configure.ac            | 12 ++++++++++++
 daemons/ipa-kdb/ipa_kdb_mspac.c |  9 +++++++++
 2 files changed, 21 insertions(+)
 diff --git a/daemons/configure.ac b/daemons/configure.ac
 index f2eebee..9789f68 100644
 --- a/daemons/configure.ac
 +++ b/daemons/configure.ac
@@ -170,6 +170,18 @@ PKG_CHECK_MODULES([SAMBAUTIL], [samba-util])
 SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba -Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba"
 AC_SUBST(SAMBA40EXTRA_LIBPATH)
 +bck_cflags="$CFLAGS"
 +CFLAGS="$NDRPAC_CFLAGS"
 +AC_CHECK_MEMBER(
 +    [struct PAC_DOMAIN_GROUP_MEMBERSHIP.domain_sid],
 +    [AC_DEFINE([HAVE_STRUCT_PAC_DOMAIN_GROUP_MEMBERSHIP], [1],
 +               [struct PAC_DOMAIN_GROUP_MEMBERSHIP is available.])],
 +    [AC_MSG_NOTICE([struct PAC_DOMAIN_GROUP_MEMBERSHIP is not available])],
 +                 [[#include <ndr.h>
 +                   #include <gen_ndr/krb5pac.h>]])
 +
 +CFLAGS="$bck_cflags"
 +
 LIBPDB_NAME=""
 AC_CHECK_LIB([samba-passdb],
              [make_pdb_method],
 diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
 index 638069e..484479b 100644
 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c
 +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -20,6 +20,8 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 +#include "config.h"
 +
 #include "ipa_kdb.h"
 #include "ipa_mspac.h"
 #include <talloc.h>
@@ -1533,10 +1535,17 @@ krb5_error_code filter_logon_info(krb5_context context,
     /* According to MS-KILE, ResourceGroups must be zero, so check
      * that it is the case here */
 +#ifdef HAVE_STRUCT_PAC_DOMAIN_GROUP_MEMBERSHIP
 +    if (info->info->resource_groups.domain_sid != NULL &&
 +        info->info->resource_groups.groups.count != 0) {
 +        return EINVAL;
 +    }
 +#else
     if (info->info->res_group_dom_sid != NULL &&
         info->info->res_groups.count != 0) {
         return EINVAL;
     }
 +#endif
     return 0;
 }
 -- 
 2.5.5
--- a/freeipa.spec
+++ b/freeipa.spec
@ -32,7 +32,7 @@
 %global platform_module fedora
 %endif
-%global VERSION 4.4.1
+%global VERSION 4.4.2
 %define _hardened_build 1
@ -168,8 +168,8 @@ Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
 Requires: slapi-nis >= %{slapi_nis_version}
-Requires: pki-ca >= 10.3.3-3
+Requires: pki-ca >= 10.3.5-6
-Requires: pki-kra >= 10.3.3-3
+Requires: pki-kra >= 10.3.5-6
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: zip
@ -333,7 +333,6 @@ Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: krb5-workstation
 Requires: authconfig
 Requires: pam_krb5
 Requires: curl
 # NIS domain name config: /usr/lib/systemd/system/*-domainname.service
 Requires: initscripts
@ -606,6 +605,7 @@ Requires: python-pytest-multihost >= 0.5
 Requires: python-pytest-sourceorder
 Requires: ldns-utils
 Requires: python-sssdconfig
 Requires: python2-cryptography
 Provides: %{alt_name}-tests = %{version}
 Conflicts: %{alt_name}-tests
@ -639,6 +639,7 @@ Requires: python3-pytest-multihost >= 0.5
 Requires: python3-pytest-sourceorder
 Requires: ldns-utils
 Requires: python3-sssdconfig
 Requires: python3-cryptography
 %description -n python3-ipatests
 IPA is an integrated solution to provide centrally managed Identity (users,
@ -1474,6 +1475,9 @@ fi
 %endif # ONLY_CLIENT
 %changelog
 * Thu Oct 13 2016 Petr Vobornik <pvoborni@redhat.com> - 4.4.2-1
 - Update to upstream 4.4.2 - see http://www.freeipa.org/page/Releases/4.4.2
 * Thu Sep 01 2016 Alexander Bokovoy <abokovoy@redhat.com> - 4.4.1-1
 - Update to upstream 4.4.1 - see http://www.freeipa.org/page/Releases/4.4.1
--- a/3
+++ b/3
@ -1,2 +1 @@
-419d87905223df25fb76e7829abd4c36  freeipa-4.3.2.tar.gz
+d8eeb580de58d9230724b40575270bc4  freeipa-4.4.2.tar.gz
 b235784cc2e3cc430a930e7ed52947a2  freeipa-4.4.1.tar.gz
`@ -1,2 +1 @@`
	`419d87905223df25fb76e7829abd4c36 freeipa-4.3.2.tar.gz`	`d8eeb580de58d9230724b40575270bc4 freeipa-4.4.2.tar.gz`
	`b235784cc2e3cc430a930e7ed52947a2 freeipa-4.4.1.tar.gz`