Update to upstream 4.4.3
This commit is contained in:
Pavel Vomacka
Petr Vobornik
parent
d3389e055a
commit
f573742499
1
.gitignore
vendored
1
.gitignore
vendored
@ -46,3 +46,4 @@
|
|||||||
/freeipa-4.3.2.tar.gz
|
/freeipa-4.3.2.tar.gz
|
||||||
/freeipa-4.4.1.tar.gz
|
/freeipa-4.4.1.tar.gz
|
||||||
/freeipa-4.4.2.tar.gz
|
/freeipa-4.4.2.tar.gz
|
||||||
|
/freeipa-4.4.3.tar.gz
|
||||||
|
|||||||
@ -1,38 +0,0 @@
|
|||||||
From cca4741602bf60fbc0589116113dd95646fa2888 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Fraser Tweedale <ftweedal@redhat.com>
|
|
||||||
Date: Tue, 15 Nov 2016 14:02:54 +1000
|
|
||||||
Subject: [PATCH] certprofile-mod: correctly authorise config update
|
|
||||||
|
|
||||||
Certificate profiles consist of an FreeIPA object, and a
|
|
||||||
corresponding Dogtag configuration object. When updating profile
|
|
||||||
configuration, changes to the Dogtag configuration are not properly
|
|
||||||
authorised, allowing unprivileged operators to modify (but not
|
|
||||||
create or delete) profiles. This could result in issuance of
|
|
||||||
certificates with fraudulent subject naming information, improper
|
|
||||||
key usage, or other badness.
|
|
||||||
|
|
||||||
Update certprofile-mod to ensure that the operator has permission to
|
|
||||||
modify FreeIPA certprofile objects before modifying the Dogtag
|
|
||||||
configuration.
|
|
||||||
---
|
|
||||||
ipaserver/plugins/certprofile.py | 5 +++++
|
|
||||||
1 file changed, 5 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipaserver/plugins/certprofile.py b/ipaserver/plugins/certprofile.py
|
|
||||||
index f4466077484591c8e941027fa8e4897602384f7c..2bd3311e3b729b768188d537bf7f675a0f9346c2 100644
|
|
||||||
--- a/ipaserver/plugins/certprofile.py
|
|
||||||
+++ b/ipaserver/plugins/certprofile.py
|
|
||||||
@@ -310,6 +310,11 @@ class certprofile_mod(LDAPUpdate):
|
|
||||||
raise errors.ProtectedEntryError(label='certprofile', key=keys[0],
|
|
||||||
reason=_('Certificate profiles cannot be renamed'))
|
|
||||||
if 'file' in options:
|
|
||||||
+ # ensure operator has permission to update a certprofile
|
|
||||||
+ if not ldap.can_write(dn, 'ipacertprofilestoreissued'):
|
|
||||||
+ raise errors.ACIError(info=_(
|
|
||||||
+ "Insufficient privilege to modify a certificate profile."))
|
|
||||||
+
|
|
||||||
with self.api.Backend.ra_certprofile as profile_api:
|
|
||||||
profile_api.disable_profile(keys[0])
|
|
||||||
try:
|
|
||||||
--
|
|
||||||
2.7.4
|
|
||||||
@ -1,188 +0,0 @@
|
|||||||
From bcb06e1d67b3aefad33db387ce7a7700a224f30c Mon Sep 17 00:00:00 2001
|
|
||||||
From: David Kupka <dkupka@redhat.com>
|
|
||||||
Date: Thu, 29 Sep 2016 15:59:34 +0200
|
|
||||||
Subject: [PATCH] password policy: Add explicit default password policy for
|
|
||||||
hosts and services
|
|
||||||
|
|
||||||
Set explicitly krbPwdPolicyReference attribute to all hosts (entries in
|
|
||||||
cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and
|
|
||||||
Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's
|
|
||||||
CoS so no attributes are really added.
|
|
||||||
|
|
||||||
The default policies effectively disable any enforcement or lockout for hosts
|
|
||||||
and services. Since hosts and services use keytabs passwords enforcements
|
|
||||||
doesn't make much sense. Also the lockout policy could be used for easy and
|
|
||||||
cheap DoS.
|
|
||||||
---
|
|
||||||
install/updates/20-default_password_policy.update | 133 ++++++++++++++++++++++
|
|
||||||
install/updates/Makefile.am | 1 +
|
|
||||||
ipaserver/install/service.py | 1 +
|
|
||||||
3 files changed, 135 insertions(+)
|
|
||||||
create mode 100644 install/updates/20-default_password_policy.update
|
|
||||||
|
|
||||||
diff --git a/install/updates/20-default_password_policy.update b/install/updates/20-default_password_policy.update
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000000000000000000000000000000000000..b1f9754a98e9c4b9cb8558e96f7195ea87c2f1ce
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/install/updates/20-default_password_policy.update
|
|
||||||
@@ -0,0 +1,133 @@
|
|
||||||
+# Default password policies for hosts, services and Kerberos services
|
|
||||||
+# Setting all attributes to zero effectively disables any password policy
|
|
||||||
+# We can do this because hosts and services uses keytabs instead of passwords
|
|
||||||
+
|
|
||||||
+# hosts
|
|
||||||
+dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
|
|
||||||
+default:objectClass: krbPwdPolicy
|
|
||||||
+default:objectClass: nsContainer
|
|
||||||
+default:objectClass: top
|
|
||||||
+default:cn: Default Host Password Policy
|
|
||||||
+default:krbMinPwdLife: 0
|
|
||||||
+default:krbPwdMinDiffChars: 0
|
|
||||||
+default:krbPwdMinLength: 0
|
|
||||||
+default:krbPwdHistoryLength: 0
|
|
||||||
+default:krbMaxPwdLife: 0
|
|
||||||
+default:krbPwdMaxFailure: 0
|
|
||||||
+default:krbPwdFailureCountInterval: 0
|
|
||||||
+default:krbPwdLockoutDuration: 0
|
|
||||||
+
|
|
||||||
+# services
|
|
||||||
+dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
|
|
||||||
+default:objectClass: krbPwdPolicy
|
|
||||||
+default:objectClass: nsContainer
|
|
||||||
+default:objectClass: top
|
|
||||||
+default:cn: Default Service Password Policy
|
|
||||||
+default:krbMinPwdLife: 0
|
|
||||||
+default:krbPwdMinDiffChars: 0
|
|
||||||
+default:krbPwdMinLength: 0
|
|
||||||
+default:krbPwdHistoryLength: 0
|
|
||||||
+default:krbMaxPwdLife: 0
|
|
||||||
+default:krbPwdMaxFailure: 0
|
|
||||||
+default:krbPwdFailureCountInterval: 0
|
|
||||||
+default:krbPwdLockoutDuration: 0
|
|
||||||
+
|
|
||||||
+# kerberos policy container
|
|
||||||
+# this is necessary to avoid mixing the Kerberos sevice password policy
|
|
||||||
+# with group-membership based user password policies
|
|
||||||
+dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
|
|
||||||
+default:objectClass: nsContainer
|
|
||||||
+default:objectClass: top
|
|
||||||
+default:cn: Kerberos Service Password Policy
|
|
||||||
+
|
|
||||||
+# kerberos services
|
|
||||||
+dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
|
|
||||||
+default:objectClass: krbPwdPolicy
|
|
||||||
+default:objectClass: nsContainer
|
|
||||||
+default:objectClass: top
|
|
||||||
+default:cn: Default Kerberos Service Password Policy
|
|
||||||
+default:krbMinPwdLife: 0
|
|
||||||
+default:krbPwdMinDiffChars: 0
|
|
||||||
+default:krbPwdMinLength: 0
|
|
||||||
+default:krbPwdHistoryLength: 0
|
|
||||||
+default:krbMaxPwdLife: 0
|
|
||||||
+default:krbPwdMaxFailure: 0
|
|
||||||
+default:krbPwdFailureCountInterval: 0
|
|
||||||
+default:krbPwdLockoutDuration: 0
|
|
||||||
+
|
|
||||||
+# default password policies for hosts, services and kerberos services
|
|
||||||
+# cosPriority is set intentionally to higher number than FreeIPA API allows
|
|
||||||
+# to set to ensure that these password policies have always lower priority
|
|
||||||
+# than any defined by user.
|
|
||||||
+
|
|
||||||
+# hosts
|
|
||||||
+dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
|
|
||||||
+default:objectclass: top
|
|
||||||
+default:objectclass: nsContainer
|
|
||||||
+default:cn: cosTemplates
|
|
||||||
+
|
|
||||||
+dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
|
|
||||||
+default:objectclass: top
|
|
||||||
+default:objectclass: cosTemplate
|
|
||||||
+default:objectclass: extensibleObject
|
|
||||||
+default:objectclass: krbContainer
|
|
||||||
+default:cn: Default Password Policy
|
|
||||||
+default:cosPriority: 10000000000
|
|
||||||
+default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
|
|
||||||
+
|
|
||||||
+dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX
|
|
||||||
+default:description: Default Password Policy for Hosts
|
|
||||||
+default:objectClass: top
|
|
||||||
+default:objectClass: ldapsubentry
|
|
||||||
+default:objectClass: cosSuperDefinition
|
|
||||||
+default:objectClass: cosPointerDefinition
|
|
||||||
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
|
|
||||||
+default:cosAttribute: krbPwdPolicyReference default
|
|
||||||
+
|
|
||||||
+# services
|
|
||||||
+dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
|
|
||||||
+default:objectclass: top
|
|
||||||
+default:objectclass: nsContainer
|
|
||||||
+default:cn: cosTemplates
|
|
||||||
+
|
|
||||||
+dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
|
|
||||||
+default:objectclass: top
|
|
||||||
+default:objectclass: cosTemplate
|
|
||||||
+default:objectclass: extensibleObject
|
|
||||||
+default:objectclass: krbContainer
|
|
||||||
+default:cn: Default Password Policy
|
|
||||||
+default:cosPriority: 10000000000
|
|
||||||
+default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
|
|
||||||
+
|
|
||||||
+dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX
|
|
||||||
+default:description: Default Password Policy for Services
|
|
||||||
+default:objectClass: top
|
|
||||||
+default:objectClass: ldapsubentry
|
|
||||||
+default:objectClass: cosSuperDefinition
|
|
||||||
+default:objectClass: cosPointerDefinition
|
|
||||||
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
|
|
||||||
+default:cosAttribute: krbPwdPolicyReference default
|
|
||||||
+
|
|
||||||
+# kerberos services
|
|
||||||
+dn: cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
|
|
||||||
+default:objectclass: top
|
|
||||||
+default:objectclass: nsContainer
|
|
||||||
+default:cn: cosTemplates
|
|
||||||
+
|
|
||||||
+dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
|
|
||||||
+default:objectclass: top
|
|
||||||
+default:objectclass: cosTemplate
|
|
||||||
+default:objectclass: extensibleObject
|
|
||||||
+default:objectclass: krbContainer
|
|
||||||
+default:cn: Default Password Policy
|
|
||||||
+default:cosPriority: 10000000000
|
|
||||||
+default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
|
|
||||||
+
|
|
||||||
+dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
|
|
||||||
+default:description: Default Password Policy for Kerberos Services
|
|
||||||
+default:objectClass: top
|
|
||||||
+default:objectClass: ldapsubentry
|
|
||||||
+default:objectClass: cosSuperDefinition
|
|
||||||
+default:objectClass: cosPointerDefinition
|
|
||||||
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
|
|
||||||
+default:cosAttribute: krbPwdPolicyReference default
|
|
||||||
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
|
|
||||||
index a80256f029f5547b1bc5c2226c9a0a0dd45432f4..e8a55e1734eb9979b34ddb96783902926cc975c0 100644
|
|
||||||
--- a/install/updates/Makefile.am
|
|
||||||
+++ b/install/updates/Makefile.am
|
|
||||||
@@ -24,6 +24,7 @@ app_DATA = \
|
|
||||||
20-winsync_index.update \
|
|
||||||
20-idoverride_index.update \
|
|
||||||
20-uuid.update \
|
|
||||||
+ 20-default_password_policy.update \
|
|
||||||
21-replicas_container.update \
|
|
||||||
21-ca_renewal_container.update \
|
|
||||||
21-certstore_container.update \
|
|
||||||
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
|
|
||||||
index 4cc7012f62c5945839af694e8d8e74179d998b12..6451f92f0d3d768cf4619e8b0e3f52e190b628c8 100644
|
|
||||||
--- a/ipaserver/install/service.py
|
|
||||||
+++ b/ipaserver/install/service.py
|
|
||||||
@@ -245,6 +245,7 @@ class Service(object):
|
|
||||||
# There is no service in the wrong location, nothing to do.
|
|
||||||
# This can happen when installing a replica
|
|
||||||
return None
|
|
||||||
+ entry.pop('krbpwdpolicyreference', None) # don't copy virtual attr
|
|
||||||
newdn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix)
|
|
||||||
hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix)
|
|
||||||
api.Backend.ldap2.delete_entry(entry)
|
|
||||||
--
|
|
||||||
2.7.4
|
|
||||||
|
|
||||||
13
freeipa.spec
13
freeipa.spec
@ -32,13 +32,13 @@
|
|||||||
%global platform_module fedora
|
%global platform_module fedora
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%global VERSION 4.4.2
|
%global VERSION 4.4.3
|
||||||
|
|
||||||
%define _hardened_build 1
|
%define _hardened_build 1
|
||||||
|
|
||||||
Name: freeipa
|
Name: freeipa
|
||||||
Version: %{VERSION}
|
Version: %{VERSION}
|
||||||
Release: 4%{?dist}
|
Release: 1%{?dist}
|
||||||
Summary: The Identity, Policy and Audit system
|
Summary: The Identity, Policy and Audit system
|
||||||
|
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
@ -49,8 +49,6 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
|||||||
|
|
||||||
Patch0001: 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
|
Patch0001: 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
|
||||||
Patch0002: 0002-Support-DAL-version-5-and-version-6.patch
|
Patch0002: 0002-Support-DAL-version-5-and-version-6.patch
|
||||||
Patch0003: 0003-certprofile-mod-correctly-authorise-config-update.patch
|
|
||||||
Patch0004: 0004-password-policy-Add-explicit-default-password-policy.patch
|
|
||||||
|
|
||||||
%if ! %{ONLY_CLIENT}
|
%if ! %{ONLY_CLIENT}
|
||||||
BuildRequires: 389-ds-base-devel >= 1.3.5.6
|
BuildRequires: 389-ds-base-devel >= 1.3.5.6
|
||||||
@ -147,7 +145,7 @@ Requires: %{name}-server-common = %{version}-%{release}
|
|||||||
Requires: %{name}-client = %{version}-%{release}
|
Requires: %{name}-client = %{version}-%{release}
|
||||||
Requires: %{name}-common = %{version}-%{release}
|
Requires: %{name}-common = %{version}-%{release}
|
||||||
Requires: python2-ipaserver = %{version}-%{release}
|
Requires: python2-ipaserver = %{version}-%{release}
|
||||||
Requires: 389-ds-base >= 1.3.5.6
|
Requires: 389-ds-base >= 1.3.5.14
|
||||||
Requires: openldap-clients > 2.4.35-4
|
Requires: openldap-clients > 2.4.35-4
|
||||||
Requires: nss >= 3.14.3-12.0
|
Requires: nss >= 3.14.3-12.0
|
||||||
Requires: nss-tools >= 3.14.3-12.0
|
Requires: nss-tools >= 3.14.3-12.0
|
||||||
@ -179,7 +177,7 @@ Requires: zip
|
|||||||
Requires: policycoreutils >= 2.1.12-5
|
Requires: policycoreutils >= 2.1.12-5
|
||||||
Requires: tar
|
Requires: tar
|
||||||
Requires(pre): certmonger >= 0.78
|
Requires(pre): certmonger >= 0.78
|
||||||
Requires(pre): 389-ds-base >= 1.3.5.6
|
Requires(pre): 389-ds-base >= 1.3.5.14
|
||||||
Requires: fontawesome-fonts
|
Requires: fontawesome-fonts
|
||||||
Requires: open-sans-fonts
|
Requires: open-sans-fonts
|
||||||
Requires: openssl
|
Requires: openssl
|
||||||
@ -1478,6 +1476,9 @@ fi
|
|||||||
%endif # ONLY_CLIENT
|
%endif # ONLY_CLIENT
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Dec 16 2016 Pavel Vomacka <pvomacka@redhat.com> - 4.4.3-1
|
||||||
|
- Update to upstream 4.4.3 - see http://www.freeipa.org/page/Releases/4.4.3
|
||||||
|
|
||||||
* Wed Dec 14 2016 Pavel Vomacka <pvomacka@redhat.com> - 4.4.2-4
|
* Wed Dec 14 2016 Pavel Vomacka <pvomacka@redhat.com> - 4.4.2-4
|
||||||
- Fixes 1395311 - CVE-2016-9575 ipa: Insufficient permission check in certprofile-mod
|
- Fixes 1395311 - CVE-2016-9575 ipa: Insufficient permission check in certprofile-mod
|
||||||
- Fixes 1370493 - CVE-2016-7030 ipa: DoS attack against kerberized services
|
- Fixes 1370493 - CVE-2016-7030 ipa: DoS attack against kerberized services
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user