On Dec 6, 2011, at 1:09 PM, Simo Sorce wrote:

> Thanks Rob for all the great work!
> 
> 
> I want to add just one warning that may escape users attention.
> 
> Due to the need to address the CSRF attack, our command line tools
> (including ipa-client-install) will not work on newer servers until you
> upgrade those clients. The reason is that the old tools never sent the
> Referer header.

How do you upgrade your clients if they are RHEL and the Server is Fedora?

> 
> The newer tools should work w/o any issue against an old server.
> 
> Unfortunately although CSRF attacks are a concern only when using the
> Web UI, we had to break compatibility because a browser could be
> subverted to use the xml-rpc interface used by the CLI tools, and we
> couldn't leave that hole open even though this means we are breaking
> backwards compatibility.
> 
> So if you need to have a gradual upgrade you should start from clients
> (and install images) before upgrading the server.
> 
> Keep in mind though that the flaw will not be fixed until you upgrade
> the server. So, although the flaw is not really critical (IMO), you
> should not delay upgrades too long in production environments and be
> careful on administrative clients where you use admin credentials.
> 
> HTH,
> Simo.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to