ipa is vulnerable to a man-in-the-middle attack. There is no secure way to provide the ipa server’s Certificate Authority (CA) certificate to a client during join, which limits the client’s ability to authenticate and verify the server. This allows an attacker to perform a man-in-the-middle attack against the client during the client enrollment process and obtain confidential information such as the administrator’s credentials.
git.fedorahosted.org/cgit/freeipa.git/commit/?id=18eea90ebb24a9c22248f0b7e18646cc6e3e3e0f
git.fedorahosted.org/cgit/freeipa.git/commit/?id=31e41eea6c2322689826e6065ceba82551c565aa
git.fedorahosted.org/cgit/freeipa.git/commit/?id=91f4af7e6af53e1c6bf17ed36cb2161863eddae4
git.fedorahosted.org/cgit/freeipa.git/commit/?id=a1991aeac19c3fec1fdd0d184c6760c90c9f9fc9
git.fedorahosted.org/cgit/freeipa.git/commit/?id=a40285c5a0288669b72f9d991508d4405885bffc
rhn.redhat.com/errata/RHSA-2013-0188.html
rhn.redhat.com/errata/RHSA-2013-0189.html
www.freeipa.org/page/CVE-2012-5484
www.freeipa.org/page/Releases/3.1.2
access.redhat.com/security/updates/classification/#important