[Freeipa-users] Announcing FreeIPA 4.1.1

Thu Nov 6 16:35:27 UTC 2014

The FreeIPA team would like to announce FreeIPA v4.1.1 security release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The 
builds will be available for Fedora 21. Builds for Fedora 20 are 
available in the official COPR repository 
[https://copr.fedoraproject.org/coprs/mkosek/freeipa/].

== Highlights in 4.1.1 ==

=== Bug fixes ===
* CVE-2014-7828: ensure that a password is provided in 2 factor 
authentication [http://www.freeipa.org/page/CVE-2014-7828]
* fixed upgrade issue from FreeIPA 3.3.5 
[https://fedorahosted.org/freeipa/ticket/4670] 
[https://fedorahosted.org/freeipa/ticket/4635]
* various bug fixes in CA management tools and DNS sec
* Allow reading SSH public keys overrides of users
* Allow reading GID value override for users
* prevent possible deadlocks with schema compatibility plugin

== Known Issues ==
* On Fedora 21 beta, FreeIPA server installation fails with SELinux in 
enforcing mode.

== Upgrading ==
An IPA server can be upgraded simply by installing updated rpms. The 
server does not need to be shut down in advance.

Please note that if you are doing the upgrade in special environment 
(e.g. FedUp) which does not allow running the LDAP server during upgrade 
process, upgrade scripts need to be run manually after the first boot:

  # ipa-ldap-updater --upgrade
  # ipa-upgradeconfig

Also note that the performance improvements require an extended set of 
indexes to be configured. RPM update for an IPA server with a excessive 
number of users may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is 
expected that all servers will be upgraded in a relatively short period 
(days or weeks, not months). They should be able to co-exist peacefully 
but new features will not be available on old servers and enrolling a 
new client against an old server will result in the SSH keys not being 
uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 3.3.0 and later versions is supported. Upgrading from 
previous versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you 
want to re-enroll it. SSH keys for already installed clients are not 
uploaded, you will have to re-enroll the client or manually upload the keys.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users 
mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or 
#freeipa channel on Freenode.

== Detailed Changelog since 4.1.0 ==

=== Alexander Bokovoy (1) ===
* Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides

=== David Kupka (2) ===
* Respect UID and GID soft static allocation.
* Stop dirsrv last in ipactl stop.

=== Jan Cholasta (10) ===
* Do not check if port 8443 is available in step 2 of external CA install
* Handle profile changes in dogtag-ipa-ca-renew-agent
* Do not wait for new CA certificate to appear in LDAP in ipa-certupdate
* Fail if certmonger can't see new CA certificate in LDAP in 
ipa-cacert-manage
* Fix possible NULL dereference in ipa-kdb
* Fix memory leaks in ipa-extdom-extop
* Fix various bugs in ipa-opt-counter and ipa-otp-lasttoken
* Fix memory leak in ipa-pwd-extop
* Fix memory leaks in ipa-join
* Fix various bugs in ipap11helper

=== Martin Basti (4) ===
* Fix dns zonemgr validation regression
* Add bind-dyndb-ldap working dir to IPA specfile
* Fix CI tests: install_adtrust
* Fix upgrade: do not use invalid ldap connection

=== Nathaniel McCallum (1) ===
* Ensure that a password exists after OTP validation

=== Petr Spacek (1) ===
* Fix zone name to directory name conversion in BINDMgr.

=== Petr Vobornik (2) ===
* build: increase java stack size for all arches
* Become IPA 4.1.1

=== Thierry bordaz (tbordaz) (1) ===
* Deadlock in schema compat plugin (between automember_update_membership 
task and dse update)
-- 
Petr Vobornik