[Freeipa-users] Announcing FreeIPA 2.2.2

Martin Kosek mkosek at redhat.com
Wed Feb 13 09:48:42 UTC 2013


The FreeIPA team is proud to announce version FreeIPA v2.2.2

This release contains Security Updates.

It can be downloaded from http://www.freeipa.org/page/Downloads.

A build is currently on the way to updates-testing for Fedora 17.

== Highlights ==

This release contains a Security Advisory:

* CVE-2012-5484: MITM Attack during Join process

The FreeIPA Team would like to thank the Red Hat Security Response Team and in
particular Vincent Danen for the invaluable assistance provided for the
assessment and resolution of these issues.
For CVE-2012-5484 we would like to thank Petr Menšík for reporting the issue.

== Upgrading ==

Please consult each CVE announcement for related Upgrading instructions.

An IPA server can be upgraded simply by installing updated rpms. The server
does not need to be shut down in advance.

If you have multiple servers you may upgrade them one at a time. It is expected
that all servers will be upgraded in a relatively short period (days or weeks
not months). They should be able to co-exist peacefully but new features will
not be available on old servers and enrolling a new client against an old
server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-devel mailing
list: http://www.redhat.com/mailman/listinfo/freeipa-devel

== Detailed Changelog since 2.2.1 ==

Alexander Bokovoy (1):
* Update plugin to upload CA certificate to LDAP

Jan Cholasta (1):
* Pylint cleanup

John Dennis (1):
* Use secure method to acquire IPA CA certificate

Martin Kosek (3):
* Run index task for new indexes
* Filter suffix in replication management tools
* Become IPA 2.2.2

Rob Crittenden (1):
* Do SSL CA verification and hostname validation.

Simo Sorce (1):
* Upload CA cert in the directory on install

################################################################################

== CVE-2012-5484: MITM Attack during Join process ==

A weakness was found in the way an IPA client communicates with an IPA
server when attempting to join an IPA domain.

When an IPA client attempts to join an IPA domain, an attacker could run
a man-in-the-middle attack to intercept and hijack the initial
communication. A join initiated by an administrative user would grant
the attacker administrative rights to the IPA server, whereas a join
initiated by an unprivileged user would only grant the attacker limited
privilege (typically just the ability to join the domain).

The weakness is caused by the way the CA certificate is retrieved from
the server. The following SSL communication may then be intercepted and
subverted.

Note that no credentials are exposed through this attack and it is
effective only if performed during the join procedure and network
traffic can be redirected or intercepted. Mere observation of the
network traffic is not sufficient to grant an attacker any privilege.

== Affected Versions ==

All 2.x and 3.x versions

== Impact ==

Low

== Acknowledgements ==

The FreeIPA team would like to thank Petr Menšík for reporting this
issue.

== Upgrade instructions ==

The resolution for this issue consists in allowing clients to download
the CA certificate exclusively via a mutually authenticated LDAP
connection, or in providing the CA certificate to the client via an
external method. At least one IPA server in a domain needs to be updated
using the provided patches, so that the CA certificate is made available
via LDAP. All clients should be upgraded to use the updated
ipa-client-install script, which downloads the CA certificate via an
authenticated LDAP connection.
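The following Go program is an added illustration of the trust model behind this advisory and its fix; it is not FreeIPA code and does not reproduce ipa-client-install. It mints a genuine CA, an attacker's CA and server certificates under each (all constructed in memory, with the assumed hostname ipa.example.test), then runs the client-side check the fix depends on: chain validation against a CA the client already trusts plus hostname validation. The third scenario shows why fetching the CA over an unauthenticated channel is worthless as a check, since whoever controls that channel also controls the trust anchor.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ipaHost is an assumed hostname for the IPA server; it is not taken from the advisory.
const ipaHost = "ipa.example.test"

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mintCA builds a self-signed CA certificate. Both "CAs" used below are
// constructed for this demonstration; neither is a real FreeIPA CA.
func mintCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// mintServer issues a leaf certificate for host, signed by ca.
func mintServer(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // hostname validation matches the SAN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// VerifyServer is the client-side check: the presented certificate must chain
// to the CA the client already trusts AND carry the expected hostname.
// It returns nil only when both checks pass.
func VerifyServer(presented, trustedCA *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// RunScenarios reports, per situation, whether the client would accept the
// server. "CA taken from the wire" models the pre-fix behaviour: the client
// trusts whatever CA it received unauthenticated, so a substituted CA passes.
func RunScenarios() map[string]bool {
	ipaCA, ipaKey := mintCA("Genuine IPA CA")
	mitmCA, mitmKey := mintCA("Attacker CA")
	genuine := mintServer(ipaHost, ipaCA, ipaKey)
	forged := mintServer(ipaHost, mitmCA, mitmKey)
	wrongHost := mintServer("other.example.test", ipaCA, ipaKey)

	return map[string]bool{
		"trusted CA, genuine server":            VerifyServer(genuine, ipaCA, ipaHost) == nil,
		"trusted CA, forged server":             VerifyServer(forged, ipaCA, ipaHost) == nil,
		"CA taken from the wire, forged server": VerifyServer(forged, mitmCA, ipaHost) == nil,
		"trusted CA, wrong hostname":            VerifyServer(wrongHost, ipaCA, ipaHost) == nil,
	}
}

func main() {
	for name, ok := range RunScenarios() {
		fmt.Printf("%-40s accepted=%v\n", name, ok)
	}
}
```

The only scenario in which a forged server is accepted is the one where the trust anchor itself came from the untrusted channel, which is exactly what delivering the CA certificate over an authenticated LDAP connection (or out of band) removes; the wrong-hostname case shows why CA verification alone is not enough and hostname validation is part of the fix.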



