From e037873f2ba19de919b9fe48ee688269e1dd8556 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Fri, 16 Jan 2026 16:28:33 +0100 Subject: [PATCH] ipa-4.13.1-1 - Resolves: RHEL-141446 [RFE] Command that retrieve and install new CA certificates - Resolves: RHEL-140584 Support replaceable WebUI artwork for RHEL and CentOS - Resolves: RHEL-141297 Memory leaks in IPA plugins - Resolves: RHEL-141054 IPA fails to sign zone - Resolves: RHEL-138570 AddressSanitizer: SEGV ipa-pwd-extop/common.c:584 in ipapwd_gen_checks - Resolves: RHEL-138473 Include latest fixes in python3-ipatests package - Resolves: RHEL-137585 ipa-server-upgrade succeeds but ipactl restart fails due to ipa-dnskeysyncd service failure caused by SELinux AVC denial on RHEL 9.8 Signed-off-by: Florence Blanc-Renaud --- .gitignore | 2 + 0004-Trust-fix-tdo-with-WITH_FOREST.patch | 51 --------------- ...n-integration-test-for-samba-upgrade.patch | 65 ------------------- freeipa.spec | 34 ++++++---- sources | 4 +- 5 files changed, 26 insertions(+), 130 deletions(-) delete mode 100644 0004-Trust-fix-tdo-with-WITH_FOREST.patch delete mode 100644 0005-ipatest-add-an-integration-test-for-samba-upgrade.patch diff --git a/.gitignore b/.gitignore index 3039161..7024cf3 100644 --- a/.gitignore +++ b/.gitignore @@ -128,3 +128,5 @@ /freeipa-4.12.2.tar.gz.asc /freeipa-4.13.0.tar.gz /freeipa-4.13.0.tar.gz.asc +/freeipa-4.13.1.tar.gz +/freeipa-4.13.1.tar.gz.asc diff --git a/0004-Trust-fix-tdo-with-WITH_FOREST.patch b/0004-Trust-fix-tdo-with-WITH_FOREST.patch deleted file mode 100644 index 9223c10..0000000 --- a/0004-Trust-fix-tdo-with-WITH_FOREST.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From 6f0cd075e5a588628a98d3b4a95e755af59845d7 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Thu, 4 Dec 2025 13:13:21 +0100 -Subject: [PATCH] Trust: fix tdo with WITH_FOREST - -When a trust was established pre samba 4.23, the trust domain object -could contain ipanttrustattributes: 8 (LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) -This value prevents winbind restart. - -The current code replaces 0 with LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE -but should also handle the case for LSA_TRUST_ATTRIBUTE_WITHIN_FOREST. -In this case we should drop the bit and replace it by FOREST_TRANSITIVE -one because otherwise Samba will skip the domain. Do not change the LDAP -representation to allow older replicas to continue operations. - -Fixes: https://pagure.io/freeipa/issue/9892 -Signed-off-by: Alexander Bokovoy -Reviewed-By: Alexander Bokovoy ---- - daemons/ipa-sam/ipa_sam.c | 15 +++++++++++---- - 1 file changed, 11 insertions(+), 4 deletions(-) - -diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c -index c43ffddbbdd69123b5d568a937fbc12d138243d1..ea25934d569f378f41b386bbb57d33eaf2bb19c0 100644 ---- a/daemons/ipa-sam/ipa_sam.c -+++ b/daemons/ipa-sam/ipa_sam.c -@@ -2545,10 +2545,17 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx, - if (!res) { - goto done; - } -- if (td->trust_attributes == 0 && (td->domain_name != dns_domain)) { -- /* attribute wasn't present and this is not a subdomain within -- * the parent forest */ -- td->trust_attributes = LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE; -+ if (td->domain_name != dns_domain) { -+ if ((td->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) != 0 || -+ (td->trust_attributes == 0)) { -+ /* when trust attribute is not present or contains WITHIN_FOREST, -+ * we should drop the bit and replace it by FOREST_TRANSITIVE -+ * one because otherwise Samba will skip the domain. -+ * Do not change the LDAP representation to allow older replicas -+ * to continue operations. 
*/ -+ td->trust_attributes &= ~LSA_TRUST_ATTRIBUTE_WITHIN_FOREST; -+ td->trust_attributes |= LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE; -+ } - } - - res = get_uint32_t_from_ldap_msg(ipasam_state, entry, --- -2.52.0 - diff --git a/0005-ipatest-add-an-integration-test-for-samba-upgrade.patch b/0005-ipatest-add-an-integration-test-for-samba-upgrade.patch deleted file mode 100644 index 969cabc..0000000 --- a/0005-ipatest-add-an-integration-test-for-samba-upgrade.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From c03f7eb2b9a0ee36d0ad396f3e4e4e8a6e40ecd2 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Thu, 4 Dec 2025 12:58:38 +0100 -Subject: [PATCH] ipatest: add an integration test for samba upgrade - -When a trust was establish pre samba 4.23, the trust domain object -could contain ipanttrustattributes = 40 (LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) -and winbind would fail to restart after an upgrade to samba 4.23. - -Add a test simulating the situation and calling ipa-server-upgrade - -Related: https://pagure.io/freeipa/issue/9892 -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Alexander Bokovoy ---- - ipatests/test_integration/test_trust.py | 33 +++++++++++++++++++++++++ - 1 file changed, 33 insertions(+) - -diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py -index 7bb74e2f5821719ffe2ceaf2bdcd8e7d46a6cd1f..13ad0afa4c1fb032d50f40cf7cb9b79283203225 100644 ---- a/ipatests/test_integration/test_trust.py -+++ b/ipatests/test_integration/test_trust.py -@@ -1009,6 +1009,39 @@ class TestTrust(BaseTestTrust): - tasks.unconfigure_windows_dns_for_trust(self.ad, self.master) - tasks.unconfigure_dns_for_trust(self.master, self.ad) - -+ def test_upgrade_within_forest(self): -+ """ -+ Simulate an upgrade from a trust established with samba pre 4.23 -+ -+ With older samba version, the trust domain object had -+ ipanttrustattributes: 8 -+ corresponding to LSA_TRUST_ATTRIBUTE_WITHIN_FOREST -+ and this breaks ipa-upgrade (winbind fails to restart) -+ """ -+ -+ tasks.configure_dns_for_trust(self.master, self.ad) -+ tasks.configure_windows_dns_for_trust(self.ad, self.master) -+ tasks.establish_trust_with_ad( -+ self.master, self.ad_domain, -+ extra_args=['--range-type', 'ipa-ad-trust']) -+ -+ conn = self.master.ldap_connect() -+ trust_dn = DN("cn={},cn=ad,cn=trusts,{}".format( -+ self.ad.domain.name, self.master.domain.basedn -+ )) -+ entry = conn.get_entry(trust_dn) -+ -+ # set the trust attributes to 
LSA_TRUST_ATTRIBUTE_WITHIN_FOREST -+ entry.single_value['ipanttrustattributes'] = '40' -+ conn.update_entry(entry) -+ self.master.run_command(['ipa-server-upgrade']) -+ self.master.run_command(['ipactl', 'restart']) -+ -+ # cleanup for next test -+ self.remove_trust(self.ad) -+ tasks.unconfigure_windows_dns_for_trust(self.ad, self.master) -+ tasks.unconfigure_dns_for_trust(self.master, self.ad) -+ - def test_server_option_with_unreachable_ad(self): - """ - Check trust can be established with partially unreachable AD topology --- -2.52.0 - diff --git a/freeipa.spec b/freeipa.spec index 135a3b4..defda12 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -216,7 +216,7 @@ # Work-around fact that RPM SPEC parser does not accept # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement -%define IPA_VERSION 4.13.0 +%define IPA_VERSION 4.13.1 # Release candidate version -- uncomment with one percent for RC versions #%%global rc_version %define AT_SIGN @ @@ -252,8 +252,6 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers Patch0001: 0001-Revert-Replace-netifaces-with-ifaddr.patch Patch0002: 0002-Revert-custodia-do-not-use-deprecated-jwcrypto-wrapp.patch Patch0003: 0003-Revert-Remove-NIS-server-support.patch -Patch0004: 0004-Trust-fix-tdo-with-WITH_FOREST.patch -Patch0005: 0005-ipatest-add-an-integration-test-for-samba-upgrade.patch Patch0006: 0006-Revert-Stop-using-deprecated-pkg_resources.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch %endif 
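Review bot: The `@@ -252,8 +252,6 @@` hunk drops `Patch0004` and `Patch0005` without recording why. Patch0004 carried the ipa_sam.c change that keeps a stored LSA_TRUST_ATTRIBUTE_WITHIN_FOREST value from blocking the winbind restart. The removal is safe only if the freeipa-4.13.1 tarball already contains that change, which this commit does not show; the new %changelog entry lists only the Resolves lines. Once that is confirmed against the new tarball, I would add a changelog line such as `- Drop patches 0004 and 0005, included in 4.13.1`, which also explains the jump from Patch0003 to Patch0006. The `%if` block holding the Patch lines opens outside the hunk.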
@@ -600,18 +598,18 @@ Provides: bundled(npm(cookie)) = 1.0.2
 Provides: bundled(npm(csstype)) = 3.1.3
 Provides: bundled(npm(file-selector)) = 2.1.2
 Provides: bundled(npm(focus-trap)) = 7.6.4
-Provides: bundled(npm(freeipa-webui)) = 0.1.6
+Provides: bundled(npm(freeipa-webui)) = 0.1.9
 Provides: bundled(npm(immer)) = 10.1.1
 Provides: bundled(npm(js-tokens)) = 4.0.0
 Provides: bundled(npm(lodash)) = 4.17.21
 Provides: bundled(npm(loose-envify)) = 1.4.0
 Provides: bundled(npm(object-assign)) = 4.1.1
-Provides: bundled(npm(@patternfly/patternfly)) = 6.3.0
-Provides: bundled(npm(@patternfly/react-core)) = 6.3.0
-Provides: bundled(npm(@patternfly/react-icons)) = 6.3.0
-Provides: bundled(npm(@patternfly/react-styles)) = 6.3.0
-Provides: bundled(npm(@patternfly/react-table)) = 6.3.0
-Provides: bundled(npm(@patternfly/react-tokens)) = 6.3.0
+Provides: bundled(npm(@patternfly/patternfly)) = 6.3.1
+Provides: bundled(npm(@patternfly/react-core)) = 6.3.1
+Provides: bundled(npm(@patternfly/react-icons)) = 6.3.1
+Provides: bundled(npm(@patternfly/react-styles)) = 6.3.1
+Provides: bundled(npm(@patternfly/react-table)) = 6.3.1
+Provides: bundled(npm(@patternfly/react-tokens)) = 6.3.1
 Provides: bundled(npm(prop-types)) = 15.8.1
 Provides: bundled(npm(qrcode.react)) = 4.2.0
 Provides: bundled(npm(react)) = 18.3.1
@@ -619,8 +617,7 @@ Provides: bundled(npm(react-dom)) = 18.3.1
 Provides: bundled(npm(react-dropzone)) = 14.3.8
 Provides: bundled(npm(react-is)) = 16.13.1
 Provides: bundled(npm(react-redux)) = 9.2.0
-Provides: bundled(npm(react-router)) = 7.6.2
-Provides: bundled(npm(react-router-dom)) = 7.6.2
+Provides: bundled(npm(react-router)) = 7.12.0
 Provides: bundled(npm(redux)) = 5.0.1
 Provides: bundled(npm(@reduxjs/toolkit)) = 2.6.1
 Provides: bundled(npm(redux-thunk)) = 3.1.0
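Review bot: In the `@@ -619,8 +617,7 @@` hunk the `Provides: bundled(npm(react-router-dom))` line is deleted outright rather than bumped alongside react-router. The bundled() provides are what let an advisory against a vendored npm module be traced back to this RPM, so the deletion is correct only if freeipa-webui 0.1.9 no longer vendors react-router-dom. The commit does not show the bundle contents. If the module is still in the built assets, keep the line at the shipped version, e.g. `Provides: bundled(npm(react-router-dom)) = <version-in-webui-0.1.9>`.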
@@ -628,6 +625,7 @@ Provides: bundled(npm(reselect)) = 5.1.1 Provides: bundled(npm(scheduler)) = 0.23.2 Provides: bundled(npm(set-cookie-parser)) = 2.7.1 Provides: bundled(npm(tabbable)) = 6.2.0 +Provides: bundled(npm(tiny-invariant)) = 1.3.3 Provides: bundled(npm(tslib)) = 2.8.1 Provides: bundled(npm(@types/prop-types)) = 15.7.14 Provides: bundled(npm(@types/react)) = 18.3.20 @@ -1165,6 +1163,9 @@ rm -f %{buildroot}%{_usr}/share/ipa/ui/images/header-logo.png rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-background.jpg rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png rm -f %{buildroot}%{_usr}/share/ipa/ui/images/product-name.png +rm -f %{buildroot}%{_usr}/share/ipa/modern-ui/assets/images/header-logo.png +rm -f %{buildroot}%{_usr}/share/ipa/modern-ui/assets/images/login-screen-background.jpg +rm -f %{buildroot}%{_usr}/share/ipa/modern-ui/assets/images/product-name.png %endif # RHEL spec file only: END @@ -1972,6 +1973,15 @@ fi %endif %changelog +* Fri Jan 16 2026 Florence Blanc-Renaud - 4.13.1-1 +- Resolves: RHEL-141446 [RFE] Command that retrieve and install new CA certificates +- Resolves: RHEL-140584 Support replaceable WebUI artwork for RHEL and CentOS +- Resolves: RHEL-141297 Memory leaks in IPA plugins +- Resolves: RHEL-141054 IPA fails to sign zone +- Resolves: RHEL-138570 AddressSanitizer: SEGV ipa-pwd-extop/common.c:584 in ipapwd_gen_checks +- Resolves: RHEL-138473 Include latest fixes in python3-ipatests package +- Resolves: RHEL-137585 ipa-server-upgrade succeeds but ipactl restart fails due to ipa-dnskeysyncd service failure caused by SELinux AVC denial on RHEL 9.8 + * Tue Dec 9 2025 Florence Blanc-Renaud - 4.13.0-1 - Resolves: RHEL-134542 Add modern WebUI as submodule and enable routing in Apache - Resolves: RHEL-134540 Switch IPA to use the PKI python API directly rather than RPC calls diff --git a/sources b/sources index 0843a14..a619003 100644 --- a/sources +++ b/sources 
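Review bot: In the `@@ -1165,6 +1163,9 @@` hunk the new modern-ui list removes three images, while the classic `ui/images` list just above it also removes `login-screen-logo.png`. If the modern WebUI ships a login-screen logo under `modern-ui/assets/images/`, the upstream artwork would stay in the RHEL build. Because `rm -f` succeeds on a missing path, a renamed or relocated asset would also go unnoticed at build time. If the file exists, add `rm -f %{buildroot}%{_usr}/share/ipa/modern-ui/assets/images/login-screen-logo.png`. The conditional block these lines sit in opens outside the hunk.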
@@ -1,2 +1,2 @@
-SHA512 (freeipa-4.13.0.tar.gz) = 4fba303c828e1f0abb42b549ccc7163f0b477e61892f42ed431ed80003d1159b78786500ec56ab8e35eaa3ee27a1c0dd8e8afafa867a23beec387694487fcc5a
-SHA512 (freeipa-4.13.0.tar.gz.asc) = 870644bb28b7857a891b10f43b403145d07adf510abd0172b29f7e0713ad54263705c547a8f0050d08ef43a1f84a512fafbd0cdb263cf7f03128ab5e49f38ce4
+SHA512 (freeipa-4.13.1.tar.gz) = 78d7675aa49e9a3323b36fd225e0f2aebfb0df58bff4f232cce96933dbe250a90bf062d64d1838b2ab84cb0764537646a7441c7c643672e2757a5501871d6311
+SHA512 (freeipa-4.13.1.tar.gz.asc) = ddde77e1bd04440f3aeb0fb1f28b017e8374f586c9287b6805fa482161e44bed7fc502a7dbb38bbf6dc7ac5013c353c950ba27148ffe915b88a7a746fb4e4f95