On 03/26/2015 02:20 PM, Alexander Bokovoy wrote:

I've released slapi-nis 0.54.2 this morning as a fix for CVE-2015-0283,
packages are built for Fedora and RHEL7.1. However, to complete the
cycle, we need to release FreeIPA 4.1.4 to fix CVE-2015-1827.

Both CVEs are for processing of group membership when dealing with users
from trusted AD domains. The fix in FreeIPA is in the extdom plugin, which is in
use by sssd 1.12.x, while the slapi-nis fix is for legacy clients.

We need to commit attached patches to FreeIPA and make a release of
FreeIPA 4.1.4 today. Then I can do Fedora builds and a combined update
push for slapi-nis+freeipa packages in Fedora.

Patch 1 is the actual CVE-2015-1827 fix.

Patch 2 is to remove wrong values from Makefile.am files that actually
prevent regenerating Makefiles in daemons/ subdirectory, causing
non-working RHEL build. We fixed 4.1.0 base with this patch in RHEL and
we just need to bring upstream in sync with downstream on this.

Patch 3 raises the requirement on slapi-nis to the fixed version.

These patches have already been tested while the CVE was embargoed.

pushed to
* 447c5c7b0d76482dbb4273ea968a87cee2f4cddd fix Makefile.am for daemons
* fd8e796873f34c942b8ab28d486b5edfe1c27abd extdom: fix wrong realloc size
* 704c79d91d58f87b80afe6e9331e8060116b5ec0 fix Makefile.am for daemons
* c1114ef82516002de08e004a930b5ba4a1791b25 extdom: fix wrong realloc size

* 93302a8c28731625a0e38e647be50a9598bb49e7 slapi-nis: require 0.54.2 for CVE-2015-0283 fixes
* 1b781b777f534b12a178202afa0982afd2d9c1dd slapi-nis: require 0.54.2 for CVE-2015-0283 fixes

I'm going to do the FreeIPA 4.1.4 release now.
Petr Vobornik

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code