[Freeipa-interest] Announcing FreeIPA 4.2.2

Thu Oct 8 15:19:01 UTC 2015

The FreeIPA team would like to announce FreeIPA v4.2.2 security release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The 
builds are available for Fedora 23 
<https://bodhi.fedoraproject.org/updates/freeipa-4.2.2-1.fc23> and 
rawhide. Builds for Fedora 22 are available in the official COPR 
repository <https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/>.

This announcement is also available at 
<http://www.freeipa.org/page/Releases/4.2.2>.

== Highlights in 4.2.2 ==
FreeIPA 4.2.0 introduced Key Archival Agent (KRA) support. This release 
fixes CVE-2015-5284. The CVE affects IPA servers where ipa-kra-install 
was run. Read manual instructions if your system was affected 
<http://www.freeipa.org/page/CVE-2015-5284#Manual_Instructions>.

=== Bug fixes ===
* CVE-2015-5284: ipa-kra-install included certificate and private key in 
world readable file.
* Firefox configuration steps were adjusted to new extension signing policy.
* ipa-restore does not overwrite files with local users/groups
* ipa-restore now works with KRA installed
* Fixed an integer underflow bug in libotp which prevented from syncing 
TOTP tokens under certain circumstances.
* winsync-migrate properly handles collisions in the names of external 
group
* Fixed regression where installation of CA failed on CA-less server #5288.
* Vault operations now works on a replica without KRA installed 
(assuming that at least one replica has KRA installed). #5302

=== Enhancements ===
* Improved performance of search in Web UI's dialog for adding e.g. 
users to e.g. sudo rules.
* Modified vault access control and  added commands for managing vault 
containers. #5250
* Added support for generating client referrals for trusted domain 
principals. Note that bug 
https://bugzilla.redhat.com/show_bug.cgi?id=1259844 has to be fixed in 
MIT Kerberos packages to allow client referrals from FreeIPA KDC to be 
processed.

== Upgrading ==
Upgrade instructions are available on upgrade page 
<http://www.freeipa.org/page/Upgrade>.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users 
mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or 
#freeipa channel on Freenode.

== Detailed Changelog since 4.2.1 ==

=== Abhijeet Kasurde (1) ===
* Updated number of legacy permission in ipatests

=== Alexander Bokovoy (1) ===
* client referral support for trusted domain principals

=== Christian Heimes (1) ===
* Handle timeout error in ipa-httpd-kdcproxy

=== Gabe Alford (4) ===
* Add Chromium configuration note to ssbrowser
* Standardize minvalue for ipasearchrecordlimit and ipasesarchsizelimit 
for unlimited minvalue
* dnssec option missing in ipa-dns-install man page
* Update FreeIPA package description

=== Jan Cholasta (16) ===
* config: allow user/host attributes with tagging options
* baseldap: make subtree deletion optional in LDAPDelete
* vault: set owner to current user on container creation
* vault: update access control
* vault: add permissions and administrator privilege
* install: support KRA update
* install: Support overriding knobs in subclasses
* install: Add common base class for server and replica install
* install: Move unattended option to the general help section
* install: create kdcproxy user during server install
* platform: add option to create home directory when adding user
* install: fix kdcproxy user home directory
* install: fix ipa-server-install fail on missing --forwarder
* install: fix KRA agent PEM file permissions
* install: always export KRA agent PEM file
* vault: select a server with KRA for vault operations

=== Martin Babinsky (5) ===
* load RA backend plugins during standalone CA install on CA-less IPA master
* destroy httpd ccache after stopping the service
* ipa-server-install: mark master_password Knob as deprecated
* re-kinit after ipa-restore in backup/restore CI tests
* do not overwrite files with local users/groups when restoring authconfig

=== Martin Bašti (11) ===
* FIX vault tests
* Server Upgrade: backup CS.cfg when dogtag is turned off
* IPA Restore: allows to specify files that should be removed
* DNSSEC: improve CI test
* DNSSEC CI: test master migration
* backup CI: test DNS/DNSSEC after backup and restore
* Limit max age of replication changelog
* Server Upgrade: addifnew should not create entry
* CI: backup and restore with KRA
* Replica inst. fix: do not require -r, -a, -p options in unattended mode
* Fix import get_reverse_zone_default in tasks

=== Milan Kubík (4) ===
* ipatests: Add Certprofile tracker class implementation
* ipatests: Add basic tests for certificate profile plugin
* ipatests: configure Network Manager not to manage resolv.conf
* Include ipatests/test_xmlrpc/data directory into distribution.

=== Nathaniel McCallum (1) ===
* Fix an integer underflow bug in libotp

=== Oleg Fayans (1) ===
* Added a proper workaround for dnssec test failures in Beaker environment

=== Petr Voborník (4) ===
* vault: add vault container commands
* webui: use manual Firefox configuration for Firefox >= 40
* webui: improve performance of search in association dialog
* Become IPA 4.2.2

=== Petr Špaček (1) ===
* Avoid ipa-dnskeysync-replica & ipa-ods-exporter crashes caused by 
exceeding LDAP limits

=== Timo Aaltonen (2) ===
* paths: Add GENERATE_RNDC_KEY.
* httpinstance: Replace a hardcoded path to password.conf with 
HTTPD_PASSWORD_CONF

=== Tomáš Babej (4) ===
* winsync: Add inetUser objectclass to the passsync sysaccount
* ipa-backup: Add mechanism to store empty directory structure
* winsync-migrate: Convert entity names to posix friendly strings
* winsync-migrate: Properly handle collisions in the names of external 
groups

-- 
Petr Vobornik