[Freeipa-users] ATTN: CVE-2014-7828

Martin Kosek mkosek at redhat.com
Fri Nov 7 09:48:32 UTC 2014

On 11/05/2014 09:43 PM, Alexander Bokovoy wrote:
> Hi,
> Heads up for those who are using 2FA feature of FreeIPA 4.0 and 4.1.
> A security issue was identified in the released versions of FreeIPA 4.0
> and 4.1 that makes possible for users with enabled OTP token to
> authenticate using only the second factor.
> We have a fix available already and will be doing releases for 4.0.5 and
> 4.1.1 tomorrow to get packages into Fedora 21, COPR repos, and Debian
> Unstable.
> In meantime, you can mitigate by disabling OTP authentication for the
> users.
> Sorry for inconvenience.
> https://fedorahosted.org/freeipa/ticket/4690

Just to close the thread, FreeIPA releases fixing the CVE are now in both 
Fedora 21 updates-testing repository and also in the main Copr repository.

Details also in http://www.freeipa.org/page/CVE-2014-7828


More information about the Freeipa-users mailing list