ipa security, bug fix and enhancement update

ID ELSA-2013-0528
Type oraclelinux
Reporter Oracle
Modified 2013-02-27T00:00:00


[3.0.0-25.el6] - Filter generated winbind dependencies so the right version of samba can be installed. (#905594)

[3.0.0-24.el6] - Add certmonger condrestart to server post scriptlet (#903758) - Make certmonger a (pre) Requires (#903758) - Add selinux-policy to Requires(pre) to avoid post scriptlet AVCs (#903758) - Set minimum version of pki-ca to 9.0.3-30 and add to Requires(pre) to pick up certmonger upgrade fix (#902474) - Update anonymous access ACI to protect secret attributes (#902481)

[3.0.0-23.el6] - Installer should not connect to (#895561) - Don't initialize NSS if we don't have to. (#878220)

[3.0.0-22.el6] - Set minimum version of bind-dyndb-ldap to 2.3-2 to pick up missing DNS zone SOA serial fix (#894131) - Stopped named service crashed ipa-upgradeconfig program (#895298) - ipa-replica-prepare crashed when manipulating DNS zone without SOA serial (#894143) - Use new certmonger locking to prevent NSS database corruption during CA subsystem renewal (#883484) - Set minimum selinux-policy to 3.7.19-193 to allow certmonger to talk to dbus in an rpm scriptlet. (related #883484) - Set minimum vresion of certmonger to 0.61-3 for new locking scheme (related #883484)

[3.0.0-21.el6] - Properly handle migrated uniqueMember attributes (#894090) - ipa permission-find using valid targetgroup throws internal error (#893827) - Fix migration of CRLs to new directory location (#893722) - Installing IPA with a single realm component sometimes fails (#893187)

[3.0.0-20.el6] - Set maxbersize to a large value to accomondate large CRLs during replica installation. (#888956) - Set minimum version of pki-ca, pki-slient and pki-setup to 9.0.3-29 to pick up default CA validity period of 20 years. (#891980)

[3.0.0-19.el6] - Client installation crashes when Kerberos SRV record is not found (#889583) - Fix typo in patch 0048 for CVE-2012-5484 (#878220)

[3.0.0-18.el6] - Cookie Expires date should be locale insensitive to avoid CLI errors (#888915)

[3.0.0-17.el6] - ipa delegation-find --group option returns internal error (#888524) - Add missing Requires for python-crypto replacement (#878969)

[3.0.0-16.el6] - sssd is not enabled on client/server install (#888124)

[3.0.0-15.el6] - ipa-server-install --uninstall doesn't clear certmonger dirs, which leads to install failing (#817080)

[3.0.0-14.el6] - Compliant client side session cookie behavior. CVE-2012-5631. (#886371)

[3.0.0-13.el6] - Use secure method to retrieve IPA CA during client enrollment. CVE-2012-5484 (#878220) - Reformat patch 0044 so it works with git-am

[3.0.0-12.el6] - Include /var/lib/sss/pubconf/krb5.include.d/ for domain-realm mappings in krb5.conf (#883166) - Set minimum selinux-policy >= 3.7.19-184 to allow domains that can read sssd_public_t files to also list the directory (#881413) - Remove dist label from changelog entries. - Fix timestamp on patched files to avoid multilib warnings

[3.0.0-11.el6] - Set Requires on httpd 2.2.15-24, mod_nss to 1.0.8-18 and patch to check for existing mod_ssl configuration. These versions allow mod_proxy to simultaneously support SSL servers using mod_ssl and mod_proxy (#761574) - IPA WebUI login for AD Trusted User fails (#875261) - Add 'disable_last_success' and 'disable_lockout' to the ipa_lockout plugin (#824488)

[3.0.0-10.el6] - Make default group type POSIX in ui (#880655) - Write replacement for python-crypto (#878969) - ipa trust-add prints misleading information about required DNS setting (#878485) - Lookup user SIDs in external groups (#878480) - Special case NFS related ticket to avoid attaching MS-PACs (#878462) - IPA users are not available after ipa-server-install because sssd not running (#878288) - Incorrect error message when time difference between AD and IPA is too great (#877434) - Missing option to add SSH Public Key in Web UI after upgrade (#877324)

[3.0.0-9.el6] - Update minimum BR and Requires of sssd to 1.9.2-25 (related #870278, related #871160, related #878262) - Replication agreement tools report errors with new single instance CA database (#878491) - If time is moved back on the IPA server, ipasam does not invalidate the existing ticket (#866576)

[3.0.0-8.el6] - Server installation fails to find A/AAAA record for IPA hostname (#874935) - Out of range error when listing RUV on host with no agreements (#873726) - Tighten dependency on krb5-server to limit to 1.10 (#872707) - Default SELinuxusermaporder needs to mapped with default selinux users list (#870053) - Clarify trust-add help regarding multiple runs against the same domain (#869741) - Improve reliabilityof RA renewal script (#869663) - Add option to disable DNS forwarding by zone (#869658) - Update minimum version of bind-dyndb-ldap to 2.3-1 (#869658) - Improve information on passsync user in man page, command help (#869656) - Resolve external members from trusted domain via Global Catalog (#869616) - Process relative nameserver DNS record correctly (#868956) - ipa-adtrust-install does not reset all information when re-run (#867447) - Fix potential memory leak in KDB backend (#811989)

[3.0.0-7.el6] - Fix type conversion of integers when doing modifications (#870446) - Set SECURE_NFS to lowercase yes rather than uppercase (#869654) - Add autofs service to sssd.conf before enabling it (#869649) - Add strict Requires for policycoreutils to avoid user removing them during package lifetime (#869281) - Make internal rename_s() call compatible with python-ldap-2.3.10 (#867902) - Update minimum version of bind-dyndb-ldap to 2.2-1.el6 (related #871583) - Restart httpd after running ipa-adtrust-install (#866966)

[3.0.0-6.el6] - Add patch to override xmlrpc request method for session (#786199) - Bad link to Web UI config page after session is expired (#869279) - extdom plugin does not handle Posix UID and GID request (#867676) - ipa-server-install --setup-dns always installs reverse zone (#866978) - Inform user when ipa-upgradeconfig reports errors (#866977) - Certificate request fails when CSR has subjectAltnames (#866955) - ipa-adtrust-install checks for /usr/bin/smbpasswd, which is not required (#866572) - Instructions to uninstall are unclear (#856294) - Inconsistent service naming in ipa-server-install (#856292) - Improve instructions to generate certificate in Web UI (#856282) - /etc/ipa/default.conf is out of date (#855855) - Time synchronization is disabled in ipa-client-install (#854325) - ipa-replica-install httpd restart sometimes fails (#845405) - Improve error messages during ipa-replica-manage del (#835632) - Always log errors from dogtag (#813401)

[3.0.0-5.el6] - Update to upstream 3.0.0 GA release (#827602) - Add zip dependency, needed for creating unsigned Firefox extensions - Filter generated winbind dependencies so the right version of samba can be installed. - Remove patch to support python-ldap 2.3.10. Fixed upstream. - Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca (#864533) - Add zip dependency, needed for creating unsigned Firefox extensions

[3.0.0-4.el6] - Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so plugin to /dev/null since they cannot be used when trusts are configured (related #864889) - Update BR and Requires of samba4 to 4.0.0-31 to pick up winbind_krb5_locator alternatives change. (related #864889)

[3.0.0-3.el6] - Update to upstream 3.0.0.rc2 release (#827602) - Provide new Firefox extension. - Own /etc/ipa/ca.crt

[3.0.0-2.el6] - Remove Requires on krb5-pkinit-openssl as part of disabling pkinit code. - Add missing subdirectories in site-packages/ipaserver discovered by rpmdiff. (#827602)

[3.0.0-1.el6] - Update to upstream 3.0.0.rc1 release (#827602) - Update BR and Requires of 389-ds-base to - Update BR and Requires of krb5 to 1.10 - Update BR and Requires of samba4 to 4.0.0-24 - Update BR and Requires of sssd to 1.9.0 - Update Requires on policycoreutils to 2.0.83-19.24 - Update Requires on httpd to httpd-2.2.15-17 to pick up #787247 - Update minimum version of bind-dyndb-ldap to 1.1.0-0.9.b1.el6_3.1 - Update minimum version of bind to 9.8.2-0.10.rc1.el6_3.2 - Sync upstream spec file Requires - Add patch to support python-ldap 2.3.10