[Freeipa-devel] Announcing FreeIPA 2.1.4

Rob Crittenden rcritten at redhat.com
Tue Dec 6 19:26:19 UTC 2011


The FreeIPA team is proud to announce version 2.1.4.

It can be downloaded from http://www.freeipa.org/Downloads and should 
appear in the Fedora 15 and 16 updates-testing soon (still waiting for 
bodhi to push the builds). A rawhide (F-17) build is also available.

== Highlights in 2.1.4 ==

This is a security release; users are strongly advised to upgrade.

Specifically, it addresses CVE-2011-3636, a Cross-Site Request Forgery 
(CSRF) flaw in FreeIPA: the server did not check the HTTP Referer header 
on incoming requests. The server now requires the header, and the ipa 
command-line tools, which previously did not set one, now send it. If a 
remote attacker could trick a user who was logged into the FreeIPA 
management interface into visiting a specially crafted URL, the attacker 
could perform FreeIPA configuration changes with the privileges of the 
logged-in user.
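As an added illustration of the class of fix described above (this is example code, not FreeIPA's own implementation): a Referer check that gates an RPC endpoint, and the header a non-browser client would set explicitly so the server accepts it. The trusted host name, the `/ipa` path prefix, the `/ipa/xml` client path and the request structure are assumptions made for the example.

```python
"""Illustrative Referer-based CSRF check for an RPC endpoint.

Added example, not FreeIPA code. It models the mitigation named in the
announcement: the server refuses requests that do not carry an acceptable
Referer, and a command-line client sets the header itself. A cross-site
page cannot forge it, because the browser controls the Referer it sends.
Host names, paths and request layout are constructed for the example.
"""
from urllib.parse import urlsplit

# Constructed configuration: the origin(s) the management UI is served
# from, and the path prefix under which the UI and RPC endpoints live.
TRUSTED_HOSTS = {"ipa.example.test"}
RPC_PREFIX = "/ipa"


def referer_allowed(headers, trusted_hosts=TRUSTED_HOSTS, prefix=RPC_PREFIX):
    """Return (ok, reason). Rejects absent, non-HTTPS, foreign-host or
    out-of-tree Referer values. Accepts a WSGI environ (HTTP_REFERER) or
    a plain header dict (Referer)."""
    referer = headers.get("HTTP_REFERER") or headers.get("Referer")
    if not referer:
        return False, "missing Referer"
    parts = urlsplit(referer)
    if parts.scheme != "https":
        return False, "Referer is not https"
    # .hostname drops any user-info and port, so "https://trusted@evil/"
    # resolves to "evil", not "trusted".
    host = parts.hostname
    if host not in trusted_hosts:
        return False, "Referer host %r is not a trusted origin" % host
    # Require the referring page to be inside the IPA tree, so content
    # hosted elsewhere on the same host cannot vouch for the request.
    if parts.path != prefix and not parts.path.startswith(prefix + "/"):
        return False, "Referer path %r is outside %s" % (parts.path, prefix)
    return True, "ok"


def handle_rpc(environ, dispatch):
    """Run the Referer check before dispatching an RPC call.
    Returns (status, body); 403 with a reason when the check fails."""
    ok, reason = referer_allowed(environ)
    if not ok:
        return 403, {"error": "Missing or incorrect Referer: " + reason}
    return 200, dispatch()


def cli_request_headers(server_host, prefix=RPC_PREFIX):
    """Headers a non-browser client adds so the server accepts it.
    A CLI has no navigating page, so it names its own server explicitly
    (assumed path: <prefix>/xml)."""
    return {"Referer": "https://%s%s/xml" % (server_host, prefix)}


if __name__ == "__main__":
    # Constructed requests: a browser on the real UI, a cross-site page,
    # a same-host page outside the IPA tree, and the CLI.
    for env in ({"HTTP_REFERER": "https://ipa.example.test/ipa/ui"},
                {"HTTP_REFERER": "https://attacker.test/ipa/ui"},
                {"HTTP_REFERER": "https://ipa.example.test/other/page"},
                cli_request_headers("ipa.example.test"),
                {}):
        print(env.get("HTTP_REFERER") or env.get("Referer"),
              handle_rpc(env, lambda: {"result": "ok"})[0])
```

Two caveats a deployer would want: a Referer check is a coarser defence than a per-session anti-CSRF token, since it relies on the browser sending the header at all, and browsers or proxies configured to strip Referer will make legitimate UI requests fail the check with the same 403.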

Some bugs have been addressed too; the highlights are:

* Certificates in the UI are now displayed in PEM format
* systemd support in Fedora 16
* Change the way the Kerberos random salt is calculated to improve 
interoperability with Windows
* Fix NIS netgroups: users and groups were not appearing
* Better handling of Kerberos realm to domain mapping

== Upgrading ==

=== Server ===

To upgrade a 2.0.0, 2.0.1 or 2.1.0 server do the following:
  # yum update freeipa-server --enablerepo=updates-testing

This will pull in updated FreeIPA, 389-ds, dogtag, libcurl and xmlrpc-c 
packages (and perhaps some others). A script will be executed in the rpm 
postinstall phase to update the IPA LDAP server with any required changes.

There is a bug reported against 389-ds, 
https://bugzilla.redhat.com/show_bug.cgi?id=730387, related to 
read-write locks: the NSPR RW lock implementation does not safely allow 
re-entrant use of reader locks. This is a timing issue, so it is 
difficult to predict. During testing one user experienced this and the 
upgrade hung. To break the hang, kill the ns-slapd process for your 
realm, wait for the yum transaction to complete, then restart 389-ds and 
manually run the update process:

  # service dirsrv start
  # ipa-ldap-updater --update

=== Client ===

The ipa-client-install tool in the ipa-client package is just a 
configuration tool, so there is no need to re-run it on clients that are 
already enrolled.

== Detailed Changelog for 2.1.4 ==

Alexander Bokovoy (4):
  * hbactest fails while you have svcgroup in hbacrule
  * Add support for systemd environments and use it to support Fedora 16
  * Spin for connection success also when socket is not (yet) available
  * Quote multiple workers option

Endi S. Dewata (1):
  * Added current password field.

Evgeny Sinelnikov (1):
  * ipa_kpasswd: Update selinux policies for ldap and urandom

John Dennis (1):
  * Unable to Download Certificate with Browser

Martin Kosek (8):
  * Fix client krb5 domain mapping and DNS
  * Fix ipa-managed-entries password option long form
  * Fix ipa-server-install answer cache
  * Fix ipa-replica-conncheck port labels
  * Fix ipa-managed-entries bind procedure
  * Let PublicError accept Gettext objects
  * Enable automember for upgraded servers
  * Make ipa-server-install clean after itself

Ondrej Hamada (1):
  * Client install root privileges check

Rob Crittenden (4):
  * Fix problems in help system
  * Fix nis netgroup config entry so users appear in netgroup triple.
  * Don't allow default objectclass list to be empty.
  * Require an HTTP Referer header in the server. Send one in ipa tools. 
(CVE-2011-3636)

Simo Sorce (1):
  * Modify random salt creation for interoperability
