On Dec 6, 2011, at 1:09 PM, Simo Sorce wrote:

> Thanks Rob for all the great work!
> 
> 
> I want to add just one warning that may escape users' attention.
> 
> Due to the need to address the CSRF attack, our command line tools
> (including ipa-client-install) will not work on newer servers until you
> upgrade those clients. The reason is that the old tools never sent the
> Referer header.

How do you upgrade your clients if they are RHEL and the Server is Fedora?

> 
> The newer tools should work w/o any issue against an old server.
> 
> Unfortunately although CSRF attacks are a concern only when using the
> Web UI, we had to break compatibility because a browser could be
> subverted to use the xml-rpc interface used by the CLI tools, and we
> couldn't leave that hole open even though this means we are breaking
> backwards compatibility.
> 
> So if you need to have a gradual upgrade you should start from clients
> (and install images) before upgrading the server.
> 
> Keep in mind though that the flaw will not be fixed until you upgrade
> the server. So, although the flaw is not really critical (IMO), you
> should not delay upgrades too long in production environments and be
> careful on administrative clients where you use admin credentials.
> 
> HTH,
> Simo.

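The compatibility break described above comes down to one server-side rule: an XML-RPC request whose Referer header is absent or names a foreign origin is refused before it is dispatched. The following is an added example, not FreeIPA's own code, that models exactly that rule so the three cases in the thread can be replayed offline: an old CLI that never sent Referer (refused), a browser lured into posting to the XML-RPC endpoint from another site (refused), and an upgraded CLI that sends the server's own origin (accepted). The origin `https://ipa.example.test`, the `/ipa/xml` path, the `user_add` method and the request bodies are assumptions constructed for the demonstration.

```python
"""Toy model of the Referer-based CSRF check discussed in the thread.

Added example, not FreeIPA's code. The server refuses any XML-RPC request whose
Referer header is missing or points at another origin. SERVER_ORIGIN,
XMLRPC_PATH and the 'user_add' method are assumptions for this demonstration.
"""
from urllib.parse import urlparse
import xmlrpc.client

SERVER_ORIGIN = "https://ipa.example.test"        # assumed: this server's origin
XMLRPC_PATH = "/ipa/xml"                           # assumed endpoint path


def referer_allowed(headers, server_origin):
    """Return (ok, reason) for the CSRF check.

    Fails closed: a request with no Referer is treated like one from a foreign
    origin, which is precisely why clients that never sent the header break.
    """
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    if referer is None:
        return False, "missing Referer header"
    ref, srv = urlparse(referer), urlparse(server_origin)
    if (ref.scheme, ref.netloc) != (srv.scheme, srv.netloc):
        return False, "Referer origin %s://%s is not this server" % (ref.scheme, ref.netloc)
    return True, "ok"


class XmlRpcEndpoint:
    """Minimal XML-RPC dispatcher with the Referer check placed in front of it."""

    def __init__(self, origin):
        self.origin = origin
        self.users = []                             # state a CSRF would try to change
        self.methods = {"user_add": self.user_add}

    def user_add(self, uid):
        self.users.append(uid)
        return {"uid": uid}

    def handle(self, headers, body):
        """Return (http_status, payload) for one POSTed XML-RPC request."""
        ok, reason = referer_allowed(headers, self.origin)
        if not ok:
            return 403, reason                      # rejected before any dispatch
        params, method = xmlrpc.client.loads(body)
        result = self.methods[method](*params)
        return 200, xmlrpc.client.dumps((result,), methodresponse=True)


def simulate():
    """Replay the three client behaviours from the thread; return status codes."""
    server = XmlRpcEndpoint(SERVER_ORIGIN)
    body = xmlrpc.client.dumps(("alice",), "user_add")   # constructed request body

    old_cli = {"Content-Type": "text/xml"}                # old tools: no Referer
    new_cli = {"Content-Type": "text/xml",
               "Referer": SERVER_ORIGIN + XMLRPC_PATH}    # upgraded tools
    cross_site = {"Content-Type": "text/xml",
                  "Referer": "https://attacker.example/lure.html"}  # constructed lure

    results = {name: server.handle(hdrs, body)[0]
               for name, hdrs in (("old_cli", old_cli), ("new_cli", new_cli),
                                  ("cross_site", cross_site))}
    results["users"] = list(server.users)
    return results


if __name__ == "__main__":
    print(simulate())
```

Running the block prints `{'old_cli': 403, 'new_cli': 200, 'cross_site': 403, 'users': ['alice']}`: only the upgraded client's call reaches `user_add`. The comparison is on scheme and host (netloc), not on the full URL, so an http Referer for an https server is also refused; matching on a path prefix alone would accept a Referer that merely starts with the server's string.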
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel