Hardening for CVE-2020-25717

Generate SIDs for IPA users and groups by default
Verify MS-PAC consistency when it is generated or validated
Rebuild against samba-4.15.2

Resolves: rhbz#2021720

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Alexander Bokovoy 2021-11-10 19:09:01 +02:00
parent b0ff11761b
commit ec142de931
2 changed files with 4237 additions and 4 deletions

freeipa-harden-pac.patch (new file, 4223 lines)


@ -68,8 +68,8 @@
%global krb5_kdb_version 8.0
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.19
# Require 4.7.0 which brings Python 3 bindings
%global samba_version 4.12.3-12
# Require 4.14.5-11 which brings CVE-2020-25717 fixes
%global samba_version 4.14.5-11
%global selinux_policy_version 3.14.3-52
%global slapi_nis_version 0.56.4
%global python_ldap_version 3.1.0-1
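Review bot: the minimum here is raised to 4.14.5-11 while the commit message and changelog say "Rebuild against samba-4.15.2", so the two spec branches now document different baselines for the same CVE-2020-25717 fix; either confirm in the comment that 4.14.5-11 carries the backport (the comment only asserts it) or reword the changelog so it does not imply 4.15.2 everywhere. Dropping the stale "Require 4.7.0 which brings Python 3 bindings" line is fine since 4.14.5 implies it. Note also that this branch's value has no epoch while the sibling hunk uses "2:4.15.2"; worth double-checking that the packaged samba on this target really has no epoch, otherwise the Requires comparison silently passes.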
@ -94,7 +94,8 @@
%global python_netaddr_version 0.7.16
# Require 4.7.0 which brings Python 3 bindings
# Require 4.12 which has DsRGetForestTrustInformation access rights fixes
%global samba_version 2:4.12.10
# Require 4.15.2 which brings CVE-2020-25717 fixes
%global samba_version 2:4.15.2
# 3.14.5-45 or later includes a number of interfaces fixes for IPA interface
%global selinux_policy_version 3.14.5-45
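Review bot: replacing the "Require 4.12 which has DsRGetForestTrustInformation access rights fixes" comment with the CVE-2020-25717 one loses the record of the earlier reason for the floor; 4.15.2 still satisfies it, but keep both justifications in the comment (e.g. "# Require 4.15.2: CVE-2020-25717 fixes; 4.12+ also needed for DsRGetForestTrustInformation access rights fixes") so the next person lowering the bound knows what else depends on it.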
@ -195,7 +196,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 2%{?rc_version:.%rc_version}%{?dist}
Release: 3%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@ -220,6 +221,7 @@ Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
# RHEL spec file only: END
Patch0001: 0001-Make-Dogtag-return-XML-for-ipa-cert-find.patch
Patch0002: freeipa-harden-pac.patch
# For the timestamp trick in patch application
BuildRequires: diffstat
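Review bot: Patch0002 is declared but this hunk shows no corresponding %prep change, so confirm that the existing patch-application loop (the "timestamp trick" referenced by the diffstat comment) picks up the new entry rather than only Patch0001. A 4223-line patch with a bare filename also leaves no trace of its origin; add a comment with the upstream ticket or commit range it was backported from so the hardening can be tracked when rebasing.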
@ -1372,6 +1374,7 @@ fi
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent
%dir %{_libexecdir}/ipa/oddjob
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.config-enable-sid
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
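Review bot: the new helper org.freeipa.server.config-enable-sid is added to %files, but the oddjobd and D-Bus policy files that must register it are both %config(noreplace) in the lines just below. On hosts where an administrator has modified ipa-server.conf or org.freeipa.server.conf, the updated versions land as .rpmnew and the new helper is never authorized, so the SID-generation step would fail silently on upgrade; consider a %post check or a release note calling this out, and confirm the patch actually adds the helper to both config files.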
@ -1702,6 +1705,13 @@ fi
%endif
%changelog
* Wed Nov 10 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.7-3
- Hardening for CVE-2020-25717
- Generate SIDs for IPA users and groups by default
- Verify MS-PAC consistency when it is generated or validated
- Rebuild against samba-4.15.2
- Resolves: rhbz#2021720
* Fri Oct 15 2021 Rob Crittenden <rcritten@redhat.com> - 4.9.7-2
- Make Dogtag return XML for ipa cert-find (#2014658)