ipa security update

CentOS Errata and Security Advisory CESA-2015:1462

Two cross-site scripting (XSS) flaws were found in jQuery, which impacted
the Identity Management web administrative interface, and could allow an
authenticated user to inject arbitrary HTML or web script into the
interface. (CVE-2010-5312, CVE-2012-6662)

Note: The IdM version provided by this update no longer uses jQuery.

Bug fixes:

• The ipa-server-install, ipa-replica-install, and ipa-client-install
  utilities are not supported on machines running in FIPS-140 mode.
  Previously, IdM did not warn users about this. Now, IdM does not allow
  running the utilities in FIPS-140 mode, and displays an explanatory
  message. (BZ#1131571)

• If an Active Directory (AD) server was specified or discovered
  automatically when running the ipa-client-install utility, the utility
  produced a traceback instead of informing the user that an IdM server is
  expected in this situation. Now, ipa-client-install detects the AD server
  and fails with an explanatory message. (BZ#1132261)

• When IdM servers were configured to require the TLS protocol version 1.1
  (TLSv1.1) or later in the httpd server, the ipa utility failed. With this
  update, running ipa works as expected with TLSv1.1 or later. (BZ#1154687)

• In certain high-load environments, the Kerberos authentication step of
  the IdM client installer can fail. Previously, the entire client
  installation failed in this situation. This update modifies
  ipa-client-install to prefer the TCP protocol over the UDP protocol and to
  retry the authentication attempt in case of failure. (BZ#1161722)

• If ipa-client-install updated or created the /etc/nsswitch.conf file, the
  sudo utility could terminate unexpectedly with a segmentation fault. Now,
  ipa-client-install puts a new line character at the end of nsswitch.conf if
  it modifies the last line of the file, fixing this bug. (BZ#1185207)

• The ipa-client-automount utility failed with the “UNWILLING_TO_PERFORM”
  LDAP error when the nsslapd-minssf Red Hat Directory Server configuration
  parameter was set to “1”. This update modifies ipa-client-automount to use
  encrypted connection for LDAP searches by default, and the utility now
  finishes successfully even with nsslapd-minssf specified. (BZ#1191040)

• If installing an IdM server failed after the Certificate Authority (CA)
  installation, the “ipa-server-install --uninstall” command did not perform
  a proper cleanup. After the user issued “ipa-server-install --uninstall”
  and then attempted to install the server again, the installation failed.
  Now, “ipa-server-install --uninstall” removes the CA-related files in the
  described situation, and ipa-server-install no longer fails with the
  mentioned error message. (BZ#1198160)

• Running ipa-client-install added the “sss” entry to the sudoers line in
  nsswitch.conf even if “sss” was already configured and the entry was
  present in the file. Duplicate “sss” then caused sudo to become
  unresponsive. Now, ipa-client-install no longer adds “sss” if it is already
  present in nsswitch.conf. (BZ#1198339)

• After running ipa-client-install, it was not possible to log in using SSH
  under certain circumstances. Now, ipa-client-install no longer corrupts the
  sshd_config file, and the sshd service can start as expected, and logging
  in using SSH works in the described situation. (BZ#1201454)

• An incorrect definition of the dc attribute in the
  /usr/share/ipa/05rfc2247.ldif file caused bogus error messages to be
  returned during migration. The attribute has been fixed, but the bug
  persists if the copy-schema-to-ca.py script was run on Red Hat Enterprise
  Linux 6.6 prior to running it on Red Hat Enterprise Linux 6.7. To work
  around this problem, manually copy /usr/share/ipa/schema/05rfc2247.ldif to
  /etc/dirsrv/slapd-PKI-IPA/schema/ and restart IdM. (BZ#1220788)

All ipa users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-cr-announce/2015-July/028347.html

Affected packages:
ipa-admintools
ipa-client
ipa-python
ipa-server
ipa-server-selinux
ipa-server-trust-ad

Upstream details at:
https://access.redhat.com/errata/RHSA-2015:1462