[Freeipa-users] Announcing FreeIPA 4.3.3

Martin Basti mbasti at redhat.com
Thu Mar 23 19:06:58 UTC 2017


Release date: 2017-03-23

The FreeIPA team would like to announce the FreeIPA 4.3.3 release!

It can be downloaded from http://www.freeipa.org/page/Downloads.

Please note that this is the last upstream release of the FreeIPA 4.3.x branch.

This announcement is also available at <http://www.freeipa.org/page/Releases/4.3.3>.


== Highlights in 4.3.3 ==
=== Enhancements ===
=== Known Issues ===
=== Bug fixes ===
FreeIPA 4.3.3 is a stabilization release for the features delivered as
part of 4.3.0. There are more than 20 bug fixes, details of which can be
seen in the list of resolved tickets below.

== Upgrading ==
Upgrade instructions are available on the [[Upgrade]] page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing
list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa
channel on Freenode.

== Resolved tickets ==
* 6774 FreeIPA client <= 4.4 fail to parse 4.5 cookies
* 6561 CVE-2016-7030 freeipa: ipa: DoS attack against kerberized services by abusing password policy
* 6560 CVE-2016-9575 freeipa: ipa: Insufficient permission check in certprofile-mod
* 6485 Document make_delete_command method in UserTracker
* 6378 Tests: Fix failing sudo test
* 6317 backport #6213 Incorrect test for DNSForwardPolicyConflictWithEmptyZone warning in test_xmlrpc/test_dns_plugin
* 6316 backport #6199 Received ACIError instead of DuplicatedError in stageuser_tests
* 6311 Fix or remove the `LDAPUpdate.update_from_dict` method
* 6287 Refer to nodes in TestWrongClientDomain replica promotion tests as replicas
* 6284 Tests: avoid skipping tests because of missing files when running as outoftree
* 6278 Use OAEP padding with custodia (to avoid CVE-2016-6298)
* 6262 Fix integration sudo tests setup and checks
* 6254 kinit_admin raises an exception if server uninstallation is called from test teardown with server not installed
* 6244 build: add python-libsss_nss_idmap and python-sss to BuildRequires
* 6205 The ipa-server-upgrade command failed when named-pkcs11 does not happen to run during dnf upgrade
* 6177 ca-less test are broken - invalid usage of ipautil.run
* 6167 Incorrect domainlevel info in tests
* 6166 Subsequent external CA installation fails
* 6147 Failing automember tests due to manager output normalization
* 6134 Command "ipa-replica-prepare" not allowed to create line replication topology
* 6120 ipa-adtrust-install: when running with --netbios-name="", the NetBIOS name is changed without notification
* 6076 Multiple domain Active Directory Trust conflict
* 6056 custodia.conf and server.keys file is world-readable.
* 6016 ipa-ca-install on replica tries to connect to master:8443
* 5696 Add conflicts with bind-chroot to spec.

== Detailed changelog since 4.3.2 ==
=== Alexander Bokovoy (5) ===
* ipa-kdb: search for password policies globally
* ipa-kdb: simplify trusted domain parent search
* trust: make sure ID range is created for the child domain even if it exists
* trust: automatically resolve DNS trust conflicts for triangle trusts
* ipaserver/dcerpc: reformat to make the code closer to pep8

=== Christian Heimes (3) ===
* Use RSA-OAEP instead of RSA PKCS#1 v1.5
* Secure permissions of Custodia server.keys
* RedHatCAService should wait for local Dogtag instance

=== David Kupka (1) ===
* password policy: Add explicit default password policy for hosts and services

=== Fraser Tweedale (2) ===
* certprofile-mod: correctly authorise config update
* cert-revoke: fix permission check bypass (CVE-2016-5404)

=== Ganna Kaihorodova (1) ===
* Fix for integration tests replication layouts

=== Jan Cholasta (2) ===
* Revert "spec: add conflict with bind-chroot to freeipa-server-dns"
* install: fix external CA cert validation

=== Lenka Doudova (7) ===
* Document make_delete_command method in UserTracker
* Tests: Fix integration sudo test
* Tests: Fix integration sudo tests setup and checks
* Tests: Avoid skipping tests due to missing files
* Raise error when running ipa-adtrust-install with empty netbios--name
* Tests: Fix failing automember tests
* Tests: Remove DNS configuration from trust tests

=== Martin Babinsky (1) ===
* add python-libsss_nss_idmap and python-sss to BuildRequires

=== Martin Basti (5) ===
* Become IPA 4.3.3
* Update Contributors.txt
* Raise DuplicatedEnrty error when user exists in delete_container
* Catch DNS exceptions during emptyzones named.conf upgrade
* Start named during configuration upgrade.

=== Oleg Fayans (3) ===
* Changed addressing to the client hosts to be replicas
* Disabled raiseonerr in kinit call during topology level check
* Fixed incorrect domainlevel determination in tests

=== Peter Lacko (1) ===
* Test URIs in certificate.

=== Petr Spacek (3) ===
* Tests: fix test_forward_zones in test_xmlrpc/test_dns_plugin
* DNS server upgrade: do not fail when DNS server did not respond
* Fix ipa-replica-prepare's error message about missing local CA instance

=== Petr Vobornik (1) ===
* ca-less tests: fix getting cert in pem format from nssdb

=== Stanislav Laznicka (3) ===
* Add debug log in case cookie retrieval went wrong
* Fix cookie with Max-Age processing
* Remove update_from_dict() method

=== Tomas Krizek (1) ===
* Keep NSS trust flags of existing certificates

