<html> <head> <meta http-equiv="content-type" content="text/html; charset=utf-8"> </head> <body bgcolor="#FFFFFF" text="#000000"> Release date: 2017-03-23 The FreeIPA team would like to announce FreeIPA 4.3.3 release! It can be downloaded from <a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Downloads">http://www.freeipa.org/page/Downloads</a>. Please note that this is the last upstream release of FreeIPA 4.3.x branch. This announcement is also available at <a class="moz-txt-link-rfc2396E" href="http://www.freeipa.org/page/Releases/4.3.3"><http://www.freeipa.org/page/Releases/4.3.3></a>. == Highlights in 4.3.3 == === Enhancements === === Known Issues === === Bug fixes === FreeIPA 4.3.3 is a stabilization release for the features delivered as a part of 4.3.0. There are more than 20 bug-fixes which details can be seen in the list of resolved tickets below. == Upgrading == Upgrade instructions are available on [[Upgrade]] page. == Feedback == Please provide comments, bugs and other feedback via the freeipa-users mailing list (<a class="moz-txt-link-freetext" href="http://www.redhat.com/mailman/listinfo/freeipa-users">http://www.redhat.com/mailman/listinfo/freeipa-users</a>) or #freeipa channel on Freenode. == Resolved tickets == * 6774 FreeIPA client <= 4.4 fail to parse 4.5 cookies * 6561 CVE-2016-7030 freeipa: ipa: DoS attack against kerberized services by abusing password policy * 6560 CVE-2016-9575 freeipa: ipa: Insufficient permission check in certprofile-mod * 6485 Document make_delete_command method in UserTracker * 6378 Tests: Fix failing sudo test * 6317 backport #6213 Incorrect test for DNSForwardPolicyConflictWithEmptyZone warning in test_xmlrpc/test_dns_plugin * 6316 backport #6199 Received ACIError instead of DuplicatedError in stageuser_tests * 6311 Fix or remove the `LDAPUpdate.update_from_dict` method * 6287 Refer to nodes in TestWrongClientDomain replica promotion tests as replicas * 6284 Tests: avoid skipping tests because of missing files when running as outoftree * 6278 Use OAEP padding with custodia (to avoid CVE-2016-6298) * 6262 Fix integration sudo tests setup and checks * 6254 kinit_admin raises an exception if server uninstallation is called from test teardown with server not installed * 6244 build: add python-libsss_nss_idmap and python-sss to BuildRequires * 6205 The ipa-server-upgrade command failed when named-pkcs11 does not happen to run during dnf upgrade * 6177 ca-less test are broken - invalid usage of ipautil.run * 6167 Incorrect domainlevel info in tests * 6166 Subsequent external CA installation fails * 6147 Failing automember tests due to manager output normalization * 6134 Command "ipa-replica-prepare" not allowed to create line replication topology * 6120 ipa-adtrust-install: when running with --netbios-name="", the NetBIOS name is changed without notification * 6076 Mulitple domain Active Directory Trust conflict * 6056 custodia.conf and server.keys file is world-readable. * 6016 ipa-ca-install on replica tries to connect to master:8443 * 5696 Add conflicts with bind-chroot to spec. == Detailed changelog since 4.3.2 == === Alexander Bokovoy (5) === * ipa-kdb: search for password policies globally * ipa-kdb: simplify trusted domain parent search * trust: make sure ID range is created for the child domain even if it exists * trust: automatically resolve DNS trust conflicts for triangle trusts * ipaserver/dcerpc: reformat to make the code closer to pep8 === Christian Heimes (3) === * Use RSA-OAEP instead of RSA PKCS#1 v1.5 * Secure permissions of Custodia server.keys * RedHatCAService should wait for local Dogtag instance === David Kupka (1) === * password policy: Add explicit default password policy for hosts and services === Fraser Tweedale (2) === * certprofile-mod: correctly authorise config update * cert-revoke: fix permission check bypass (CVE-2016-5404) === Ganna Kaihorodova (1) === * Fix for integration tests replication layouts === Jan Cholasta (2) === * Revert "spec: add conflict with bind-chroot to freeipa-server-dns" * install: fix external CA cert validation === Lenka Doudova (7) === * Document make_delete_command method in UserTracker * Tests: Fix integration sudo test * Tests: Fix integration sudo tests setup and checks * Tests: Avoid skipping tests due to missing files * Raise error when running ipa-adtrust-install with empty netbios--name * Tests: Fix failing automember tests * Tests: Remove DNS configuration from trust tests === Martin Babinsky (1) === * add python-libsss_nss_idmap and python-sss to BuildRequires === Martin Basti (5) === * Become IPA 4.3.3 * Update Contributors.txt * Raise DuplicatedEnrty error when user exists in delete_container * Catch DNS exceptions during emptyzones named.conf upgrade * Start named during configuration upgrade. === Oleg Fayans (3) === * Changed addressing to the client hosts to be replicas * Disabled raiseonerr in kinit call during topology level check * Fixed incorrect domainlevel determination in tests === Peter Lacko (1) === * Test URIs in certificate. === Petr Spacek (3) === * Tests: fix test_forward_zones in test_xmlrpc/test_dns_plugin * DNS server upgrade: do not fail when DNS server did not respond * Fix ipa-replica-prepare's error message about missing local CA instance === Petr Vobornik (1) === * ca-less tests: fix getting cert in pem format from nssdb === Stanislav Laznicka (3) === * Add debug log in case cookie retrieval went wrong * Fix cookie with Max-Age processing * Remove update_from_dict() method === Tomas Krizek (1) === * Keep NSS trust flags of existing certificates </body> </html>