On Dec 6, 2011, at 1:09 PM, Simo Sorce wrote:
> Thanks Rob for all the great work!
> I want to add just one warning that may escape users' attention.
> Due to the need to address the CSRF attack, our command line tools
> (including ipa-client-install) will not work on newer servers until you
> upgrade those clients. The reason is that the old tools never sent the
> Referer header.
How do you upgrade your clients if they are RHEL and the Server is Fedora?
> The newer tools should work w/o any issue against an old server.
> Unfortunately although CSRF attacks are a concern only when using the
> Web UI, we had to break compatibility because a browser could be
> subverted to use the xml-rpc interface used by the CLI tools, and we
> couldn't leave that hole open even though this means we are breaking
> backwards compatibility.
> So if you need to have a gradual upgrade you should start from clients
> (and install images) before upgrading the server.
> Keep in mind though that the flaw will not be fixed until you upgrade
> the server. So, although the flaw is not really critical (IMO), you
> should not delay upgrades too long in production environments and be
> careful on administrative clients where you use admin credentials.
Freeipa-devel mailing list
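To make the compatibility break in the thread concrete, here is an added illustration of the kind of Referer check Simo describes on the XML-RPC endpoint; it is constructed for this page and is not FreeIPA's own code, and the server host name and sample requests are assumptions.

```python
from urllib.parse import urlsplit

# Constructed illustration, not FreeIPA's code. The host name is an assumption.
SERVER_HOST = "ipa.example.test"


def referer_accepted(headers, server_host=SERVER_HOST):
    """Return (accepted, reason) for one request to the XML-RPC endpoint.

    A request forged from another site by a browser carries that site's
    origin (or nothing) in Referer, so the server only accepts a Referer whose
    scheme and host match its own. An old CLI that never sends a Referer is
    rejected for the same reason, which is the compatibility break described
    in the thread.
    """
    # HTTP header names are case-insensitive.
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    if referer is None:
        return False, "missing Referer (old CLI or cross-site request)"
    parts = urlsplit(referer)
    if parts.scheme != "https":
        return False, "Referer is not https"
    if parts.hostname != server_host:
        return False, "Referer host %r is not this server" % parts.hostname
    return True, "ok"


# Constructed sample requests: an old CLI, an upgraded CLI, and a cross-site one.
OLD_CLI = {"Content-Type": "text/xml"}
NEW_CLI = {"Content-Type": "text/xml",
           "Referer": "https://ipa.example.test/ipa/xml"}
CROSS_SITE = {"Content-Type": "text/xml",
              "Referer": "https://other.example.test/page"}


def classify_samples():
    """Map each constructed sample to whether the server would accept it."""
    samples = (("old_cli", OLD_CLI), ("new_cli", NEW_CLI),
               ("cross_site", CROSS_SITE))
    return {name: referer_accepted(hdrs)[0] for name, hdrs in samples}


if __name__ == "__main__":
    for name, ok in classify_samples().items():
        print("%-10s %s" % (name, "accepted" if ok else "rejected"))
```

Only the new_cli sample passes; the old CLI fails for the same reason a cross-site request does, which is why clients must be upgraded before the server.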