Alexander Bokovoy wrote:
On Mon, 19 Dec 2011, Craig T wrote:

Thanks for that, I will try it again tomorrow.

Just curious, but I'm getting the impression that when we do finally
go live with IPA v2.x. It will take some monitoring to ensure that
clients are always compatible?

I imagine that when Fedora 18 comes out, my "now" current IPA Server
my have issues with that ipa-client? Are Redhat planning to make
this backward and forward compatible? I only ask because at this
stage we don't have a SOE for our LAN.
The change between 2.1.3 and 2.1.4 is a pro-active fix of potential
cross-site request forgery tracked with CVE-2011-3636. Unfortunately,
it required change of the communication protocol details which made
old clients incompatible. You may read more details in Simo's mail on
December 6th, sent to freeipa-devel@ and freeipa-users@:

We have released updates to F15, F16, F17 (as 2.1.4), and various
versions of RHEL5/RHEL6 (as a patch on top of 2.1.3), but on Fedora 16
side critpath was blocked due to some issues with glibc packages which
created a delay in package flows for more than two weeks.

There are no protocol changes planned for IPAv2 anymore. In the scope
of IPAv3 there will be command set extensions but we are doing our
best to maintain backward compatibility for older clients so that they
would be able to use the functionality they are aware of against newer
servers, after CSRF fix.

I hope that our effort preventing possible remote attacks on
core piece of enterprise infrastructure will be helpful when you'll go
live with your installation.

Also, this only affected client enrollment. An already enrolled client is be affected as long as the certmonger package is updated befored the host SSL certificate expires (and then only if the client is actually using the cert).


Freeipa-users mailing list

Reply via email to