[Freeipa-users] ATTN: CVE-2014-7828

Martin Kosek mkosek at redhat.com
Fri Nov 7 09:48:32 UTC 2014


On 11/05/2014 09:43 PM, Alexander Bokovoy wrote:
> Hi,
>
> Heads up for those who are using 2FA feature of FreeIPA 4.0 and 4.1.
> A security issue was identified in the released versions of FreeIPA 4.0
> and 4.1 that makes it possible for users with an enabled OTP token to
> authenticate using only the second factor.
>
> We have a fix available already and will be doing releases for 4.0.5 and
> 4.1.1 tomorrow to get packages into Fedora 21, COPR repos, and Debian
> Unstable.
>
> In the meantime, you can mitigate by disabling OTP authentication for the
> users.
>
> Sorry for the inconvenience.
>
> https://fedorahosted.org/freeipa/ticket/4690

Just to close the thread, FreeIPA releases fixing the CVE are now in both
the Fedora 21 updates-testing repository and the main Copr repository.

Details also in http://www.freeipa.org/page/CVE-2014-7828

Martin



