[Freeipa-interest] [Freeipa-users] [Announce] Security releases: FreeIPA 4.8.3, 4.7.4, and 4.6.7 released

Alexander Bokovoy abokovoy at redhat.com
Tue Nov 26 17:25:22 UTC 2019


On Tue, 26 Nov 2019, Alexander Bokovoy via FreeIPA-users wrote:
>Hello!
>
>The FreeIPA team would like to announce FreeIPA security releases for
>three release series: 4.8.3, 4.7.4, and 4.6.7!
>
>Each series includes a security update release that contains fixes for two issues:
>
>* CVE-2019-10195: Don't log passwords embedded in commands in calls using batch
>
>A flaw was found in the way that FreeIPA's batch processing API logged
>operations. This included passing user passwords in clear text on FreeIPA
>masters. Batch processing of commands with passwords as arguments or options is
>not performed by default in FreeIPA but is possible by third-party components.
>An attacker having access to system logs on FreeIPA masters could use this flaw
>to produce log file content with passwords exposed.
>
>The issue was reported by Jamison Bennett from Cloudera.
>
>* CVE-2019-14867: Make sure to have storage space for tag
>
>A flaw was found in the way the internal function ber_scanf() was used in some
>components of the IPA server, which parsed Kerberos key data. An
>unauthenticated attacker who could trigger parsing of the krb principal key
>could cause the IPA server to crash or, in some conditions, cause arbitrary code
>to be executed on the server hosting the IPA server.
>
>The issue was reported by Todd Lipcon from Cloudera.

I submitted updates to Fedora 29, Fedora 30, Fedora 31, and Rawhide.

They can be found here:

* Fedora 29: https://bodhi.fedoraproject.org/updates/FEDORA-2019-69598ea9e0
* Fedora 30: https://bodhi.fedoraproject.org/updates/FEDORA-2019-8e9093da55
* Fedora 31: https://bodhi.fedoraproject.org/updates/FEDORA-2019-c64e1612f5


>
>== Upgrading ==
>Upgrade instructions are available on [[Upgrade]] page.
>
>== Feedback ==
>Please provide comments, bugs and other feedback via the freeipa-users mailing
>list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/)
>or #freeipa channel on Freenode.
>
>== Detailed changelog since 4.6.6 ==
>=== Alexander Bokovoy (1) ===
>* Become FreeIPA 4.6.7
>
>=== Rob Crittenden (1) ===
>* CVE-2019-10195: Don't log passwords embedded in commands in calls using batch
>
>=== Simo Sorce (1) ===
>* CVE-2019-14867: Make sure to have storage space for tag
>
>== Detailed changelog since 4.7.3 ==
>=== Alexander Bokovoy (1) ===
>* Become FreeIPA 4.7.4
>
>=== Rob Crittenden (1) ===
>* CVE-2019-10195: Don't log passwords embedded in commands in calls using batch
>
>=== Simo Sorce (1) ===
>* CVE-2019-14867: Make sure to have storage space for tag
>
>== Detailed changelog since 4.8.2 ==
>=== Alexander Bokovoy (1) ===
>* Become FreeIPA 4.8.3
>
>=== Rob Crittenden (1) ===
>* CVE-2019-10195: Don't log passwords embedded in commands in calls using batch
>
>=== Simo Sorce (1) ===
>* CVE-2019-14867: Make sure to have storage space for tag
>
>-- 
>/ Alexander Bokovoy
>Sr. Principal Software Engineer
>Security / Identity Management Engineering
>Red Hat Limited, Finland

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland



