ipa-4.13.1-1

- Resolves: RHEL-141446 [RFE] Command that retrieve and install new CA certificates - Resolves: RHEL-140584 Support replaceable WebUI artwork for RHEL and CentOS - Resolves: RHEL-141297 Memory leaks in IPA plugins - Resolves: RHEL-141054 IPA fails to sign zone - Resolves: RHEL-138570 AddressSanitizer: SEGV ipa-pwd-extop/common.c:584 in ipapwd_gen_checks - Resolves: RHEL-138473 Include latest fixes in python3-ipatests package - Resolves: RHEL-137585 ipa-server-upgrade succeeds but ipactl restart fails due to ipa-dnskeysyncd service failure caused by SELinux AVC denial on RHEL 9.8 Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
2026-01-16 16:28:33 +01:00 · 2026-01-16 16:28:33 +01:00 · e037873f2b
commit e037873f2b
parent 7b095b326d
5 changed files with 26 additions and 130 deletions
--- a/.gitignore
+++ b/.gitignore
@ -128,3 +128,5 @@
 /freeipa-4.12.2.tar.gz.asc
 /freeipa-4.13.0.tar.gz
 /freeipa-4.13.0.tar.gz.asc
+/freeipa-4.13.1.tar.gz
+/freeipa-4.13.1.tar.gz.asc
--- a/0004-Trust-fix-tdo-with-WITH_FOREST.patch
+++ b/0004-Trust-fix-tdo-with-WITH_FOREST.patch
@ -1,51 +0,0 @@
-From 6f0cd075e5a588628a98d3b4a95e755af59845d7 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Thu, 4 Dec 2025 13:13:21 +0100
-Subject: [PATCH] Trust: fix tdo with WITH_FOREST
-
-When a trust was established pre samba 4.23, the trust domain object
-could contain ipanttrustattributes: 8 (LSA_TRUST_ATTRIBUTE_WITHIN_FOREST)
-This value prevents winbind restart.
-
-The current code replaces 0 with LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
-but should also handle the case for LSA_TRUST_ATTRIBUTE_WITHIN_FOREST.
-In this case we should drop the bit and replace it by FOREST_TRANSITIVE
-one because otherwise Samba will skip the domain. Do not change the LDAP
-representation to allow older replicas to continue operations.
-
-Fixes: https://pagure.io/freeipa/issue/9892
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
- daemons/ipa-sam/ipa_sam.c | 15 +++++++++++----
- 1 file changed, 11 insertions(+), 4 deletions(-)
-
-diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
-index c43ffddbbdd69123b5d568a937fbc12d138243d1..ea25934d569f378f41b386bbb57d33eaf2bb19c0 100644
--- a/daemons/ipa-sam/ipa_sam.c
-+++ b/daemons/ipa-sam/ipa_sam.c
-@@ -2545,10 +2545,17 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
- 	if (!res) {
- 		goto done;
- 	}
-	if (td->trust_attributes == 0 && (td->domain_name != dns_domain)) {
-                /* attribute wasn't present and this is not a subdomain within
-                 * the parent forest */
-		td->trust_attributes = LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE;
-+	if (td->domain_name != dns_domain) {
-+		if ((td->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) != 0 ||
-+		    (td->trust_attributes == 0)) {
-+		    /* when trust attribute is not present or contains WITHIN_FOREST,
-+			 * we should drop the bit and replace it by FOREST_TRANSITIVE
-+			 * one because otherwise Samba will skip the domain.
-+			 * Do not change the LDAP representation to allow older replicas
-+			 * to continue operations. */
-+		    td->trust_attributes &= ~LSA_TRUST_ATTRIBUTE_WITHIN_FOREST;
-+		    td->trust_attributes |= LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE;
-+		}
- 	}
- 
- 	res = get_uint32_t_from_ldap_msg(ipasam_state, entry,
-- 
-2.52.0
-
--- a/0005-ipatest-add-an-integration-test-for-samba-upgrade.patch
+++ b/0005-ipatest-add-an-integration-test-for-samba-upgrade.patch
@ -1,65 +0,0 @@
-From c03f7eb2b9a0ee36d0ad396f3e4e4e8a6e40ecd2 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Thu, 4 Dec 2025 12:58:38 +0100
-Subject: [PATCH] ipatest: add an integration test for samba upgrade
-
-When a trust was establish pre samba 4.23, the trust domain object
-could contain ipanttrustattributes = 40 (LSA_TRUST_ATTRIBUTE_WITHIN_FOREST)
-and winbind would fail to restart after an upgrade to samba 4.23.
-
-Add a test simulating the situation and calling ipa-server-upgrade
-
-Related: https://pagure.io/freeipa/issue/9892
-Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
- ipatests/test_integration/test_trust.py | 33 +++++++++++++++++++++++++
- 1 file changed, 33 insertions(+)
-
-diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
-index 7bb74e2f5821719ffe2ceaf2bdcd8e7d46a6cd1f..13ad0afa4c1fb032d50f40cf7cb9b79283203225 100644
--- a/ipatests/test_integration/test_trust.py
-+++ b/ipatests/test_integration/test_trust.py
-@@ -1009,6 +1009,39 @@ class TestTrust(BaseTestTrust):
-         tasks.unconfigure_windows_dns_for_trust(self.ad, self.master)
-         tasks.unconfigure_dns_for_trust(self.master, self.ad)
- 
-+    def test_upgrade_within_forest(self):
-+        """
-+        Simulate an upgrade from a trust established with samba pre 4.23
-+
-+        With older samba version, the trust domain object had
-+        ipanttrustattributes: 8
-+        corresponding to LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
-+        and this breaks ipa-upgrade (winbind fails to restart)
-+        """
-+
-+        tasks.configure_dns_for_trust(self.master, self.ad)
-+        tasks.configure_windows_dns_for_trust(self.ad, self.master)
-+        tasks.establish_trust_with_ad(
-+            self.master, self.ad_domain,
-+            extra_args=['--range-type', 'ipa-ad-trust'])
-+
-+        conn = self.master.ldap_connect()
-+        trust_dn = DN("cn={},cn=ad,cn=trusts,{}".format(
-+            self.ad.domain.name, self.master.domain.basedn
-+        ))
-+        entry = conn.get_entry(trust_dn)
-+
-+        # set the trust attributes to LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
-+        entry.single_value['ipanttrustattributes'] = '40'
-+        conn.update_entry(entry)
-+        self.master.run_command(['ipa-server-upgrade'])
-+        self.master.run_command(['ipactl', 'restart'])
-+
-+        # cleanup for next test
-+        self.remove_trust(self.ad)
-+        tasks.unconfigure_windows_dns_for_trust(self.ad, self.master)
-+        tasks.unconfigure_dns_for_trust(self.master, self.ad)
-+
-     def test_server_option_with_unreachable_ad(self):
-         """
-         Check trust can be established with partially unreachable AD topology
-- 
-2.52.0
-
--- a/freeipa.spec
+++ b/freeipa.spec
@ -216,7 +216,7 @@

 # Work-around fact that RPM SPEC parser does not accept
 # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
-%define IPA_VERSION 4.13.0
+%define IPA_VERSION 4.13.1
 # Release candidate version -- uncomment with one percent for RC versions
 #%%global rc_version
 %define AT_SIGN @
@ -252,8 +252,6 @@ Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
 Patch0001:      0001-Revert-Replace-netifaces-with-ifaddr.patch
 Patch0002:      0002-Revert-custodia-do-not-use-deprecated-jwcrypto-wrapp.patch
 Patch0003:      0003-Revert-Remove-NIS-server-support.patch
-Patch0004:      0004-Trust-fix-tdo-with-WITH_FOREST.patch
-Patch0005:      0005-ipatest-add-an-integration-test-for-samba-upgrade.patch
 Patch0006:      0006-Revert-Stop-using-deprecated-pkg_resources.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
@ -600,18 +598,18 @@ Provides: bundled(npm(cookie)) = 1.0.2
 Provides: bundled(npm(csstype)) = 3.1.3
 Provides: bundled(npm(file-selector)) = 2.1.2
 Provides: bundled(npm(focus-trap)) = 7.6.4
-Provides: bundled(npm(freeipa-webui)) = 0.1.6
+Provides: bundled(npm(freeipa-webui)) = 0.1.9
 Provides: bundled(npm(immer)) = 10.1.1
 Provides: bundled(npm(js-tokens)) = 4.0.0
 Provides: bundled(npm(lodash)) = 4.17.21
 Provides: bundled(npm(loose-envify)) = 1.4.0
 Provides: bundled(npm(object-assign)) = 4.1.1
-Provides: bundled(npm(@patternfly/patternfly)) = 6.3.0
-Provides: bundled(npm(@patternfly/react-core)) = 6.3.0
-Provides: bundled(npm(@patternfly/react-icons)) = 6.3.0
-Provides: bundled(npm(@patternfly/react-styles)) = 6.3.0
-Provides: bundled(npm(@patternfly/react-table)) = 6.3.0
-Provides: bundled(npm(@patternfly/react-tokens)) = 6.3.0
+Provides: bundled(npm(@patternfly/patternfly)) = 6.3.1
+Provides: bundled(npm(@patternfly/react-core)) = 6.3.1
+Provides: bundled(npm(@patternfly/react-icons)) = 6.3.1
+Provides: bundled(npm(@patternfly/react-styles)) = 6.3.1
+Provides: bundled(npm(@patternfly/react-table)) = 6.3.1
+Provides: bundled(npm(@patternfly/react-tokens)) = 6.3.1
 Provides: bundled(npm(prop-types)) = 15.8.1
 Provides: bundled(npm(qrcode.react)) = 4.2.0
 Provides: bundled(npm(react)) = 18.3.1
@ -619,8 +617,7 @@ Provides: bundled(npm(react-dom)) = 18.3.1
 Provides: bundled(npm(react-dropzone)) = 14.3.8
 Provides: bundled(npm(react-is)) = 16.13.1
 Provides: bundled(npm(react-redux)) = 9.2.0
-Provides: bundled(npm(react-router)) = 7.6.2
-Provides: bundled(npm(react-router-dom)) = 7.6.2
+Provides: bundled(npm(react-router)) = 7.12.0
 Provides: bundled(npm(redux)) = 5.0.1
 Provides: bundled(npm(@reduxjs/toolkit)) = 2.6.1
 Provides: bundled(npm(redux-thunk)) = 3.1.0
@ -628,6 +625,7 @@ Provides: bundled(npm(reselect)) = 5.1.1
 Provides: bundled(npm(scheduler)) = 0.23.2
 Provides: bundled(npm(set-cookie-parser)) = 2.7.1
 Provides: bundled(npm(tabbable)) = 6.2.0
+Provides: bundled(npm(tiny-invariant)) = 1.3.3
 Provides: bundled(npm(tslib)) = 2.8.1
 Provides: bundled(npm(@types/prop-types)) = 15.7.14
 Provides: bundled(npm(@types/react)) = 18.3.20
@ -1165,6 +1163,9 @@ rm -f %{buildroot}%{_usr}/share/ipa/ui/images/header-logo.png
 rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-background.jpg
 rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png
 rm -f %{buildroot}%{_usr}/share/ipa/ui/images/product-name.png
+rm -f %{buildroot}%{_usr}/share/ipa/modern-ui/assets/images/header-logo.png
+rm -f %{buildroot}%{_usr}/share/ipa/modern-ui/assets/images/login-screen-background.jpg
+rm -f %{buildroot}%{_usr}/share/ipa/modern-ui/assets/images/product-name.png
 %endif
 # RHEL spec file only: END

@ -1972,6 +1973,15 @@ fi
 %endif

 %changelog
+* Fri Jan 16 2026 Florence Blanc-Renaud <flo@redhat.com> - 4.13.1-1
+- Resolves: RHEL-141446 [RFE] Command that retrieve and install new CA certificates
+- Resolves: RHEL-140584 Support replaceable WebUI artwork for RHEL and CentOS
+- Resolves: RHEL-141297 Memory leaks in IPA plugins
+- Resolves: RHEL-141054 IPA fails to sign zone
+- Resolves: RHEL-138570 AddressSanitizer: SEGV ipa-pwd-extop/common.c:584 in ipapwd_gen_checks
+- Resolves: RHEL-138473 Include latest fixes in python3-ipatests package
+- Resolves: RHEL-137585 ipa-server-upgrade succeeds but ipactl restart fails due to ipa-dnskeysyncd service failure caused by SELinux AVC denial on RHEL 9.8
+
 * Tue Dec 9 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.13.0-1
 - Resolves: RHEL-134542 Add modern WebUI as submodule and enable routing in Apache 
 - Resolves: RHEL-134540 Switch IPA to use the PKI python API directly rather than RPC calls
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (freeipa-4.13.0.tar.gz) = 4fba303c828e1f0abb42b549ccc7163f0b477e61892f42ed431ed80003d1159b78786500ec56ab8e35eaa3ee27a1c0dd8e8afafa867a23beec387694487fcc5a
-SHA512 (freeipa-4.13.0.tar.gz.asc) = 870644bb28b7857a891b10f43b403145d07adf510abd0172b29f7e0713ad54263705c547a8f0050d08ef43a1f84a512fafbd0cdb263cf7f03128ab5e49f38ce4
+SHA512 (freeipa-4.13.1.tar.gz) = 78d7675aa49e9a3323b36fd225e0f2aebfb0df58bff4f232cce96933dbe250a90bf062d64d1838b2ab84cb0764537646a7441c7c643672e2757a5501871d6311
+SHA512 (freeipa-4.13.1.tar.gz.asc) = ddde77e1bd04440f3aeb0fb1f28b017e8374f586c9287b6805fa482161e44bed7fc502a7dbb38bbf6dc7ac5013c353c950ba27148ffe915b88a7a746fb4e4f95