On 11/05/2014 09:43 PM, Alexander Bokovoy wrote:
Heads up for those who are using the 2FA feature of FreeIPA 4.0 and 4.1.
A security issue was identified in the released versions of FreeIPA 4.0
and 4.1 that makes it possible for users with an enabled OTP token to
authenticate using only the second factor.
We have a fix available already and will be doing releases for 4.0.5 and
4.1.1 tomorrow to get packages into Fedora 21, COPR repos, and Debian
In the meantime, you can mitigate by disabling OTP authentication for the
Sorry for the inconvenience.
Just to close the thread, FreeIPA releases fixing the CVE are now in both
Fedora 21 updates-testing repository and also in the main Copr repository.
Details also in http://www.freeipa.org/page/CVE-2014-7828