[Freeipa-users] Fedora 16 with new RHEL 6.2 Server? (RPC failed at server Error)

Rob Crittenden rcritten at redhat.com
Mon Dec 19 13:59:51 UTC 2011 

Alexander Bokovoy wrote:
> On Mon, 19 Dec 2011, Craig T wrote:
>
>> Thanks for that, I will try it again tomorrow.
>>
>> Just curious, but I'm getting the impression that when we do finally
>> go live with IPA v2.x. It will take some monitoring to ensure that
>> clients are always compatible?
>>
>> I imagine that when Fedora 18 comes out, my "now" current IPA Server
>> my have issues with that ipa-client? Are Redhat planning to make
>> this backward and forward compatible? I only ask because at this
>> stage we don't have a SOE for our LAN.
> The change between 2.1.3 and 2.1.4 is a pro-active fix of potential
> cross-site request forgery tracked with CVE-2011-3636. Unfortunately,
> it required change of the communication protocol details which made
> old clients incompatible. You may read more details in Simo's mail on
> December 6th, sent to freeipa-devel@ and freeipa-users@:
> https://www.redhat.com/archives/freeipa-devel/2011-December/msg00107.html
>
> We have released updates to F15, F16, F17 (as 2.1.4), and various
> versions of RHEL5/RHEL6 (as a patch on top of 2.1.3), but on Fedora 16
> side critpath was blocked due to some issues with glibc packages which
> created a delay in package flows for more than two weeks.
>
> There are no protocol changes planned for IPAv2 anymore. In the scope
> of IPAv3 there will be command set extensions but we are doing our
> best to maintain backward compatibility for older clients so that they
> would be able to use the functionality they are aware of against newer
> servers, after CSRF fix.
>
> I hope that our effort preventing possible remote attacks on
> core piece of enterprise infrastructure will be helpful when you'll go
> live with your installation.

Also, this only affected client enrollment. An already enrolled client 
is be affected as long as the certmonger package is updated befored the 
host SSL certificate expires (and then only if the client is actually 
using the cert).

rob

More information about the Freeipa-users mailing list