[Freeipa-interest] [Announce] FreeIPA 4.8.4 released

Alexander Bokovoy abokovoy at redhat.com
Sat Dec 14 13:05:48 UTC 2019


Hello!

The FreeIPA team would like to announce the FreeIPA 4.8.4 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for
Fedora 30 and 31 will be available in the official repositories.

== Highlights in 4.8.4 ==

FreeIPA 4.8.4 uses the system-provided crypto policy on Fedora and RHEL-based
distributions. It enables TLS 1.3 support in its HTTPS end-points.

Support for managing a list of group managers has been added to both the IPA CLI
and Web UI. A group can now have a list of group managers who are allowed to add
and remove group members. This allows for more complex per-group permission
granting.

=== Enhancements ===
=== Known Issues ===

=== Bug fixes ===
FreeIPA 4.8.4 is a stabilization release for the features delivered as
part of the 4.8.0 series.

There are more than 20 bug fixes, details of which can be seen in
the list of resolved tickets below.

== Upgrading ==
Upgrade instructions are available on the [[Upgrade]] page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing
list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/)
or the #freeipa channel on Freenode.


== Resolved tickets ==
* 6951 Update samba config file and use sss idmap module
* 7323 IPv6 hack for Travis CI
* 7804 `ipa otptoken-sync` fails with stack trace
* 7958 traceback in idview
* 7985 test failure in test_dnssec.py::TestInstallDNSSECLast::()::test_disable_reenable_signing_replica::teardown
* 8001 Need default authentication indicators for SPAKE, PKINIT and encrypted challenge preauth
* 8082 Default client configuration breaks ssh in FIPS mode.
* 8104 RFE: Disable Stale/Inactive Users - Upstream Design Document
* 8118 Run smoke tests in FIPS mode
* 8120 Invisible part of notification area in Web UI intercepts clicks of some page elements
* 8122 group-add-member-manager does not report errors
* 8123 [WebUI] Finish group membership management UI
* 8125 Use default crypto policy for TLS and enable TLS 1.3 support
* 8129 Tests: Replace paramiko with OpenSSH
* 8131 covscan memory leaks report
* 8133 check_client_configuration() no longer works with IPA_CONFDIR
* 8134 ipa user-add is inefficient
* 8137 reinstall failed in adding delegation layout
* 8138 Man page ipa-cacert-manage does not display correctly on RHEL
* 8142 check Not Before / Not After in externally signed CA sanity check
* 8143 service.ldap_disable() does not remove "enabledService"
* 8144 test_nfs.py: umount.nfs4: /home: device is busy
* 8148 add "systemctl restart sssd" to warning message when adding trust agents to replicas
* 8149 SIDs of AD domains do not display in ipa-client-samba installer

== Detailed changelog since 4.8.2 ==
=== Armando Neto (1) ===
* travis: Remove CI integration

=== Alexander Bokovoy (8) ===
* ipa-client-samba: map domain sid of trust domain properly for display
* DNS install check: allow overlapping zone to be from the master itself
* covscan: free ucs2-encoded password copy when generating NTLM hash
* covscan: free encryption types in case there is an error
* Become FreeIPA 4.8.3
* Add Authentication Indicator Kerberos ticket policy options
* Allow presence of LDAP attribute options
* Do not run trust upgrade code if master lacks Samba bindings

=== Anuja More (1) ===
* ipatests : Login via ssh using private-key for ipa-user should work.

=== Christian Heimes (18) ===
* Fix get_trusted_domain_object_from_sid()
* Fix service ldap_disable()
* Require idstart to be larger than UID_MAX
* Check valid before/after of external certs
* Fix lite-server to work with GSS_NAME
* Fix logic of check_client_configuration
* Optimize user-add by caching ldap2.has_upg()
* Don't hard-code client's TLS versions and ciphers
* Update Apache HTTPd for RHBZ#1775146
* Enable TLS 1.3 support on the server
* Skip paramiko tests in FIPS mode
* FIPS: server key has different name in FIPS mode
* Remove FIPS noise from SSHd
* Add test case for OTP login
* Fix otptoken_sync plugin
* Show group-add/remove-member-manager failures
* Test installation with (fake) userspace FIPS
* Use default ssh host key algorithms

=== Cédric Jeanneret (1) ===
* Update selinux-policy minimal requirement

=== François Cami (4) ===
* ipatests: fix pr-ci templates' indentation
* ipatests/test_nfs.py: wait before umount
* adtrust.py: mention restarting sssd when adding trust agents
* DSU: add Design for Disable Stale Users

=== Florence Blanc-Renaud (7) ===
* ipa-cacert-manage man page: fix indentation
* ipatests: fix TestMigrateDNSSECMaster teardown
* trust upgrade: ensure that host is member of adtrust agents
* ipatests: fix test_crlgen_manage
* ipatests: fix teardown
* ipatests: generic uninstall should call ipa server-del
* Nightly definition: use right template for krbtpolicy

=== MIZUTA Takeshi (1) ===
* Add config that maintains existing content to ipa-client-install manpage

=== Rob Crittenden (2) ===
* CVE-2019-10195: Don't log passwords embedded in commands in calls using batch
* Add integration test for Kerberos ticket policy

=== Sumit Bose (1) ===
* ipa-kdb: Remove keys if password auth is disabled

=== Sergey Orlov (1) ===
* ipatests: add check that ipa-adtrust-install generates sane smb.conf

=== Simo Sorce (1) ===
* Make sure to have storage space for tag

=== Serhii Tsymbaliuk (2) ===
* WebUI: Fix notification area layout
* WebUI: Fix adding member manager for groups and host groups

=== Timo Aaltonen (1) ===
* Debian: Fix font-awesome path.

=== Thomas Woerner (2) ===
* Enable TestInstallMasterDNSRepeatedly in prci_definitions
* Test repeated installation of the primary with DNS enabled and domain set

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland



