[Freeipa-interest] [Freeipa-devel] [Freeipa-users] Announcing FreeIPA 2.1.4
JR Aquino
JR.Aquino at citrix.com
Tue Dec 6 21:17:57 UTC 2011
On Dec 6, 2011, at 1:09 PM, Simo Sorce wrote:
> Thanks Rob for all the great work!
>
>
> I want to add just one warning that may escape users' attention.
>
> Due to the need to address the CSRF attack, our command line tools
> (including ipa-client-install) will not work on newer servers until you
> upgrade those clients. The reason is that the old tools never sent the
> Referer header.
How do you upgrade your clients if they are RHEL and the Server is Fedora?
>
> The newer tools should work w/o any issue against an old server.
>
> Unfortunately although CSRF attacks are a concern only when using the
> Web UI, we had to break compatibility because a browser could be
> subverted to use the xml-rpc interface used by the CLI tools, and we
> couldn't leave that hole open even though this means we are breaking
> backwards compatibility.
>
> So if you need to have a gradual upgrade you should start from clients
> (and install images) before upgrading the server.
>
> Keep in mind though that the flaw will not be fixed until you upgrade
> the server. So, although the flaw is not really critical (IMO), you
> should not delay upgrades too long in production environments and be
> careful on administrative clients where you use admin credentials.
>
> HTH,
> Simo.
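To make the compatibility break concrete, here is an added illustration (written for this thread, not FreeIPA's own code) of the kind of Referer check the announcement describes on an XML-RPC endpoint. It assumes a hypothetical server hostname `ipa.example.test` and constructed request headers; the point it shows is that a request with no Referer at all (what the pre-2.1.4 CLI tools and `ipa-client-install` sent) is refused, a request carrying a foreign origin is refused, and a request whose Referer names the server itself over HTTPS is accepted, which is why upgraded clients work against both old and new servers while old clients fail against new ones.

```python
"""Referer-based CSRF check for an XML-RPC endpoint (added example, not FreeIPA code)."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed: the hostname this (hypothetical) IPA server considers its own.
TRUSTED_HOSTS = {"ipa.example.test"}


def referer_origin(referer: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (scheme, host) parsed from a Referer value, or None if it is
    absent or cannot be parsed into a scheme and host."""
    if not referer:
        return None
    parts = urlsplit(referer)
    if not parts.scheme or not parts.hostname:
        return None
    return parts.scheme.lower(), parts.hostname.lower()


def is_request_allowed(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether an XML-RPC request passes the Referer check.

    Returns (allowed, reason). Header names are compared case-insensitively,
    as an HTTP server would compare them.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    origin = referer_origin(lowered.get("referer"))
    if origin is None:
        # Old clients never sent a Referer, so they land here against a
        # server that enforces the check.
        return False, "missing or malformed Referer header"
    scheme, host = origin
    if scheme != "https":
        return False, "Referer is not https"
    if host not in TRUSTED_HOSTS:
        # A page on another site that drives a browser toward the XML-RPC
        # endpoint carries that site's origin, not the server's.
        return False, "Referer host %r is not this server" % host
    return True, "ok"


def client_headers(server_url: str) -> Dict[str, str]:
    """Headers an upgraded client would send: it names the server it is
    talking to as the Referer, which an old server simply ignores."""
    return {"Content-Type": "text/xml", "Referer": server_url}


if __name__ == "__main__":
    # Constructed sample requests, one per case the thread discusses.
    samples = {
        "old CLI (no Referer)": {"Content-Type": "text/xml"},
        "new CLI": client_headers("https://ipa.example.test/ipa/xml"),
        "browser on foreign page": {"Referer": "https://other.example.net/page.html"},
    }
    for label, hdrs in samples.items():
        print("%-25s -> %s" % (label, is_request_allowed(hdrs)))
```

The check is deliberately strict about a missing header: falling back to "allow when absent" would let any client that strips Referer (including a subverted browser) through, which is exactly the hole the announcement says could not be left open.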