Thanks Rob for all the great work!

I want to add just one warning that may escape users' attention.

Due to the need to address the CSRF attack, our command line tools
(including ipa-client-install) will not work on newer servers until you
upgrade those clients. The reason is that the old tools never sent the
Referer header.

The newer tools should work w/o any issue against an old server.

Unfortunately although CSRF attacks are a concern only when using the
Web UI, we had to break compatibility because a browser could be
subverted to use the xml-rpc interface used by the CLI tools, and we
couldn't leave that hole open even though this means we are breaking
backwards compatibility.

So if you need to have a gradual upgrade you should start from clients
(and install images) before upgrading the server.

Keep in mind though that the flaw will not be fixed until you upgrade
the server. So, although the flaw is not really critical (IMO), you
should not delay upgrades too long in production environments and be
careful on administrative clients where you use admin credentials.


On Tue, 2011-12-06 at 14:26 -0500, Rob Crittenden wrote:
> The FreeIPA team is proud to announce version 2.1.4.
> It can be downloaded from and should 
> appear in the Fedora 15 and 16 updates-testing soon (still waiting for 
> bodhi to push the builds). A rawhide (F-17) build is also available.
> == Highlights in 2.1.4 ==
> This is a security release; users are strongly advised to upgrade.
> Specifically, it addresses CVE-2011-3636. A Cross-Site Request Forgery 
> (CSRF) flaw was found in FreeIPA due to a lack of checking the Referer 
> Header in the server (it is not set in the CLI utilities). If a remote 
> attacker could trick a user, who was logged into the FreeIPA management 
> interface, into visiting a specially-crafted URL, the attacker could 
> perform FreeIPA configuration changes with the privileges of the logged 
> in user.
> Some bugs have been addressed too, the highlights are:
> * Certificates in the UI are now displayed in PEM format
> * systemd support in Fedora 16
> * Change the way the Kerberos random salt is calculated to improve 
> interoperability with Windows
> * Fix nis netgroups, users and groups were not appearing
> * Better handling of Kerberos realm to domain mapping
> == Upgrading ==
> === Server ===
> To upgrade a 2.0.0, 2.0.1 or 2.1.0 server do the following:
>   # yum update freeipa-server --enablerepo=updates-testing
> This will pull in updated freeIPA, 389-ds, dogtag, libcurl and xmlrpc-c 
> packages (and perhaps some others). A script will be executed in the rpm 
> postinstall phase to update the IPA LDAP server with any required changes.
> There is a bug reported against 389-ds, 
>, related to 
> read-write locks. The NSPR RW lock implementation does not safely allow 
> re-entrant use of reader locks. This is a timing issue so it is difficult to predict. During 
> testing one user experienced this and the upgrade hung. To break the 
> hang kill the ns-slapd process for your realm, wait for the yum 
> transaction to complete, then restart 389-ds and manually run the update 
> process:
>   # service dirsrv start
>   # ipa-ldap-updater --update
> === Client ===
> The ipa-client-install tool in the ipa-client package is just a 
> configuration tool. There should be no need to re-run this on every 
> client already enrolled.
> == Detailed Changelog for 2.1.3 ==
> Alexander Bokovoy (4):
>   * hbactest fails while you have svcgroup in hbacrule
>   * Add support for systemd environments and use it to support Fedora 16
>   * Spin for connection success also when socket is not (yet) available
>   * Quote multiple workers option
> Endi S. Dewata (1):
>   * Added current password field.
> Evgeny Sinelnikov (1):
>   * ipa_kpasswd: Update selinux policies for ldap and urandom
> John Dennis (1):
>   * Unable to Download Certificate with Browser
> Martin Kosek (8):
>   * Fix client krb5 domain mapping and DNS
>   * Fix ipa-managed-entries password option long form
>   * Fix ipa-server-install answer cache
>   * Fix ipa-replica-conncheck port labels
>   * Fix ipa-managed-entries bind procedure
>   * Let PublicError accept Gettext objects
>   * Enable automember for upgraded servers
>   * Make ipa-server-install clean after itself
> Ondrej Hamada (1):
>   * Client install root privileges check
> Rob Crittenden (4):
>   * Fix problems in help system
>   * Fix nis netgroup config entry so users appear in netgroup triple.
>   * Don't allow default objectclass list to be empty.
>   * Require an HTTP Referer header in the server. Send one in ipa tools. 
> (CVE-2011-3636)
> Simo Sorce (1):
>   * Modify random salt creation for interoperability

Simo Sorce * Red Hat, Inc * New York
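The thread above describes the fix only in words: the server now refuses a request whose Referer header is missing or names a foreign origin, which is why unpatched CLI tools (which never sent one) stop working. The following is an added illustration written for this page, not FreeIPA's own code; the host name `ipa.example.test`, the path `/ipa/xml` and the sample requests are constructed, and a real deployment would apply such a check inside its web framework rather than on a plain dict.

```python
"""Referer-based CSRF check for an RPC endpoint (illustrative, not FreeIPA's code).

A state-changing request is accepted only when its Referer names the
server's own host over HTTPS.  A request with no Referer at all is
rejected, which is exactly why pre-2.1.4 command line tools break
against a patched server, and why an updated client must send one.
"""
from urllib.parse import urlsplit


def _get_header(headers, name):
    """Case-insensitive lookup in a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def referer_ok(headers, server_host):
    """True if the Referer is an https URL whose host is exactly server_host."""
    referer = _get_header(headers, "Referer")
    if not referer:
        return False  # old CLI tools sent no Referer; a patched server rejects them
    parts = urlsplit(referer)
    if parts.scheme != "https":
        return False
    # .hostname lowercases and strips any :port, so compare against the bare host;
    # exact match also rejects look-alikes such as ipa.example.test.attacker.example
    return parts.hostname == server_host.lower()


def check_request(headers, server_host):
    """Return the (status, reason) the server would answer with."""
    if referer_ok(headers, server_host):
        return 200, "OK"
    return 403, "Missing or foreign Referer"


def client_headers(server_host, path="/ipa/xml"):
    """Headers an updated command line client would attach (path is an assumption)."""
    return {
        "Content-Type": "text/xml",
        "Referer": "https://%s%s" % (server_host, path),
    }


# Constructed sample requests, keyed by the scenario they stand for.
SERVER_HOST = "ipa.example.test"
SAMPLE_REQUESTS = {
    "old_cli_no_referer": {"Content-Type": "text/xml"},
    "browser_same_origin": {"Referer": "https://ipa.example.test/ipa/ui"},
    "cross_site_page": {"Referer": "https://attacker.example/page"},
    "plain_http_referer": {"Referer": "http://ipa.example.test/ipa/ui"},
    "lookalike_host": {"Referer": "https://ipa.example.test.attacker.example/"},
    "updated_cli": client_headers(SERVER_HOST),
}


def evaluate_samples(server_host=SERVER_HOST):
    """Map each scenario name to the status the server would return."""
    return {name: check_request(h, server_host)[0] for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, status in evaluate_samples().items():
        print("%-22s -> %d" % (name, status))
```

Only the same-origin browser request and the updated client are accepted; the legacy client, a cross-site page, a plain-http Referer and a look-alike host are all refused, which is the behaviour the upgrade note warns about.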
