[Freeipa] [Bug 1717356] [NEW] CVE-2016-6298
*** This bug is a security vulnerability ***

Public security bug reported:

The _Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in
jwcrypto before 0.3.2 lacks the Random Filling protection mechanism,
which makes it easier for remote attackers to obtain cleartext data via
a Million Message Attack (MMA).

https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6298.html

** Affects: python-jwcrypto (Ubuntu)
     Importance: Undecided
     Assignee: Brian Morton (rokclimb15)
         Status: In Progress

** Information type changed from Private Security to Public Security

** Changed in: python-jwcrypto (Ubuntu)
     Assignee: (unassigned) => Brian Morton (rokclimb15)

** Changed in: python-jwcrypto (Ubuntu)
       Status: New => In Progress

** Description changed:

  The _Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in
  jwcrypto before 0.3.2 lacks the Random Filling protection mechanism, which
- makes it easier for remote attackers to obtain cleartext data via a Million
- Message Attack (MMA).
+ makes it easier for remote attackers to obtain cleartext data via a Million Message Attack (MMA).
  
  https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6298.html

** Description changed:

  The _Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in
- jwcrypto before 0.3.2 lacks the Random Filling protection mechanism, which
- makes it easier for remote attackers to obtain cleartext data via a Million Message Attack (MMA).
+ jwcrypto before 0.3.2 lacks the Random Filling protection mechanism,
+ which makes it easier for remote attackers to obtain cleartext data via
+ a Million Message Attack (MMA).
  
  https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6298.html

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6298

--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to python-jwcrypto in Ubuntu.
https://bugs.launchpad.net/bugs/1717356

Title:
  CVE-2016-6298

Status in python-jwcrypto package in Ubuntu:
  In Progress

Bug description:
  The _Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in
  jwcrypto before 0.3.2 lacks the Random Filling protection mechanism,
  which makes it easier for remote attackers to obtain cleartext data via
  a Million Message Attack (MMA).

  https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6298.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-jwcrypto/+bug/1717356/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to     : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp
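The "Random Filling" protection the CVE text names, shown as an added illustration that is not jwcrypto's code and not the jwa.py implementation: a toy RSAES-PKCS1-v1_5 key unwrap in pure Python, with a strict variant that surfaces a padding error to the caller (the behaviour the CVE describes) beside a variant that substitutes a fresh random content-encryption key whenever unpadding fails, so that a bad-padding ciphertext and a well-padded ciphertext carrying the wrong key both end in the same downstream AEAD failure. Everything here is constructed for the illustration (the key generation, the names wrap_key, unwrap_key_strict, unwrap_key_random_fill and forge_invalid_padding_ciphertext, the 16-byte CEK); the keys are tiny and nothing is constant-time, which is adequate for showing the control flow and nothing more.

```python
# Added illustration, not jwcrypto's code: toy RSAES-PKCS1-v1_5 key unwrap with and
# without the "random filling" fallback. Small keys, pure Python, not constant-time.
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    # Miller-Rabin with random witnesses; callers only pass odd n > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top and low bit set
        if is_probable_prime(cand):
            return cand


def gen_keypair(bits: int = 256):
    """Return ((n, e), (n, d)). A 256-bit modulus gives k = 32 bytes: room for a 16-byte CEK."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def modulus_len(n: int) -> int:
    return (n.bit_length() + 7) // 8


def pkcs1_v15_pad(msg: bytes, k: int) -> bytes:
    """EME-PKCS1-v1_5: 0x00 || 0x02 || PS (>= 8 non-zero random bytes) || 0x00 || M."""
    if len(msg) > k - 11:
        raise ValueError("message too long for modulus")
    ps = b""
    while len(ps) < k - len(msg) - 3:
        ps += secrets.token_bytes(1).replace(b"\x00", b"")  # zero bytes are skipped
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_unpad(em: bytes, k: int) -> bytes:
    """Strict unpad: any structural error raises, and that error is the padding oracle."""
    if len(em) != k or em[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    sep = em.find(b"\x00", 2)  # -1 when there is no separator at all
    if sep < 10:               # separator must leave at least 8 bytes of PS
        raise ValueError("bad padding")
    return em[sep + 1:]


def rsa_raw(x: bytes, exp: int, n: int) -> bytes:
    return pow(int.from_bytes(x, "big"), exp, n).to_bytes(modulus_len(n), "big")


def wrap_key(cek: bytes, pub) -> bytes:
    n, e = pub
    return rsa_raw(pkcs1_v15_pad(cek, modulus_len(n)), e, n)


def unwrap_key_strict(ct: bytes, priv) -> bytes:
    """Pre-fix behaviour as the CVE text describes it: a padding error reaches the caller."""
    n, d = priv
    return pkcs1_v15_unpad(rsa_raw(ct, d, n), modulus_len(n))


def unwrap_key_random_fill(ct: bytes, priv, cek_len: int) -> bytes:
    """Random-filling variant: on any failure return a fresh random CEK of the expected
    length, so 'bad padding' and 'good padding, wrong key' both just fail the later AEAD."""
    n, d = priv
    fallback = secrets.token_bytes(cek_len)  # drawn unconditionally, before any check
    try:
        cek = pkcs1_v15_unpad(rsa_raw(ct, d, n), modulus_len(n))
    except ValueError:
        return fallback
    return cek if len(cek) == cek_len else fallback


def forge_invalid_padding_ciphertext(pub) -> bytes:
    # Constructed test input: wrong block type (0x00 0x01) so unpad deterministically fails
    n, e = pub
    return rsa_raw(b"\x00\x01" + b"\xff" * (modulus_len(n) - 2), e, n)


def demo(cek_len: int = 16) -> tuple:
    pub, priv = gen_keypair()
    cek = secrets.token_bytes(cek_len)
    good_ct, bad_ct = wrap_key(cek, pub), forge_invalid_padding_ciphertext(pub)
    try:
        unwrap_key_strict(bad_ct, priv)
        strict_raised = False
    except ValueError:
        strict_raised = True
    filled = unwrap_key_random_fill(bad_ct, priv, cek_len)
    return (unwrap_key_strict(good_ct, priv) == cek,            # strict path, good input
            unwrap_key_random_fill(good_ct, priv, cek_len) == cek,  # filled path, good input
            strict_raised, len(filled), filled != cek)          # both paths, bad input
```

The point the two unwrap functions make is the one behind the CVE: the caller of `unwrap_key_strict` can tell a padding failure apart from every other failure, and an attacker who can submit ciphertexts and observe that distinction has an oracle; `unwrap_key_random_fill` draws the fallback key before anything is checked and returns a key of the expected length on every path, so the only observable outcome is that the subsequent authenticated decryption fails.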
[Freeipa] [Bug 1693154] Update Released
The verification of the Stable Release Update for freeipa has completed
successfully and the package has now been released to -updates.
Subsequently, the Ubuntu Stable Release Updates Team is being
unsubscribed and will not receive messages about this bug report. In
the event that you encounter a regression using the package from
-updates please report a new bug using ubuntu-bug and tag the bug report
regression-update so we can easily find any regressions.

--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1693154

Title:
  ipa-client-install fails: kinit: Included profile directory could not
  be read while initializing Kerberos 5 library

Status in freeipa package in Ubuntu:
  Fix Released
Status in freeipa source package in Zesty:
  Fix Released
Status in kerberos-configs package in Debian:
  New

Bug description:
  [Impact]
  ipa-client-install fails because it modifies /etc/krb5.conf to include
  /etc/krb5.conf.d which doesn't exist, so kinit fails. The (temporary)
  fix is to add /etc/krb5.conf.d directory to freeipa-client.

  [Test case]
  Enroll an IPA client with ipa-client-install, it should pass.

  [Regression potential]
  None, this is a safe addition.

  [original description]
  Ubuntu 17.04's freeipa-client has a regression (compared to 16.04 LTS)
  wrt. joining a FreeIPA kerberos server. I am running a server on
  10.111.112.100 with a COCKPIT.LAN domain (from the "ipa-*" image on
  https://fedorapeople.org/groups/cockpit/images/), and realmd.service
  fails. Running ipa-client-install manually shows why:

  $ sudo DEBIAN_FRONTEND=noninteractive apt -y install freeipa-client realmd sssd-tools packagekit
  $ echo 'nameserver 10.111.112.100' | sudo tee -a /etc/resolv.conf
  $ sudo ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W --force-ntpd -w foobarfoo
  Discovery was successful!
  Client hostname: autopkgtest
  Realm: COCKPIT.LAN
  DNS Domain: cockpit.lan
  IPA Server: f0.cockpit.lan
  BaseDN: dc=cockpit,dc=lan

  Synchronizing time with KDC...
  Attempting to sync time using ntpd. Will timeout after 15 seconds
  Attempting to sync time using ntpd. Will timeout after 15 seconds
  Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
  Please make sure the following ports are opened in the firewall settings:
       TCP: 80, 88, 389
       UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
  Also note that following ports are necessary for ipa-client working
  properly after enrollment:
       TCP: 464
       UDP: 464, 123 (if NTP enabled)
  Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

  Installation failed. Rolling back changes.
  IPA client is not configured on this system.

  stracing shows that it tries to access /etc/krb5.conf.d/ which does not
  exist. mkdir'ing this is sufficient to fix it. I'm not entirely sure if
  this is really in freeipa-client or krb5-user (kinit), but running
  "kinit -f ad...@cockpit.lan" directly succeeds.

  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: freeipa-client 4.4.3-3ubuntu2
  ProcVersionSignature: User Name 4.10.0-21.23-generic 4.10.11
  Uname: Linux 4.10.0-21-generic x86_64
  ApportVersion: 2.20.4-0ubuntu4.1
  Architecture: amd64
  Date: Wed May 24 09:30:57 2017
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1693154/+subscriptions
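A small preflight check for the failure reported above, added here and not part of freeipa, krb5-user or kerberos-configs: it scans a krb5.conf for MIT-style `include` and `includedir` directives and reports any target that is missing or unreadable, which is exactly the condition that makes kinit abort with "Included profile directory could not be read". It assumes the directive written into /etc/krb5.conf is `includedir` (the bug text only says the file is made to "include" /etc/krb5.conf.d) and that a missing `include` file is a fatal profile error in the same way; `demo()` builds its own throwaway krb5.conf in a temporary directory, so it never touches /etc.

```python
# Added preflight check, not freeipa's or krb5's code: find include/includedir
# targets in a krb5.conf that MIT Kerberos will fail to read at library init.
import os
import re
import tempfile

# MIT krb5 include directives sit at the start of a line, outside any [section]
INCLUDE_RE = re.compile(r"^\s*(include|includedir)\s+(\S+)\s*$")


def find_unreadable_includes(conf_path: str) -> list:
    """Return (directive, target, reason) for every include target that cannot be read."""
    problems = []
    with open(conf_path, encoding="utf-8") as fh:
        for line in fh:
            m = INCLUDE_RE.match(line)
            if not m:
                continue
            directive, target = m.groups()
            if directive == "includedir":
                if not os.path.isdir(target):
                    problems.append((directive, target, "directory does not exist"))
                elif not os.access(target, os.R_OK | os.X_OK):
                    problems.append((directive, target, "directory not readable"))
            else:
                if not os.path.isfile(target):
                    problems.append((directive, target, "file does not exist"))
                elif not os.access(target, os.R_OK):
                    problems.append((directive, target, "file not readable"))
    return problems


def demo() -> tuple:
    """Constructed reproduction in a temp dir: an includedir pointing at a directory that
    does not exist (the bug), then the same config after the directory is created (the fix)."""
    with tempfile.TemporaryDirectory() as tmp:
        conf_d = os.path.join(tmp, "krb5.conf.d")
        conf = os.path.join(tmp, "krb5.conf")
        with open(conf, "w", encoding="utf-8") as fh:
            fh.write(f"includedir {conf_d}\n\n[libdefaults]\n  default_realm = EXAMPLE.TEST\n")
        before = find_unreadable_includes(conf)
        os.makedirs(conf_d, exist_ok=True)  # what the fixed freeipa-client package ships
        after = find_unreadable_includes(conf)
        return before, after
```

Run `find_unreadable_includes("/etc/krb5.conf")` on a host before enrolling it; an empty list means every include target is present and readable, and a non-empty one names the directory or file to create (or whose permissions to fix) before ipa-client-install is attempted again.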
[Freeipa] [Bug 1693154] Re: ipa-client-install fails: kinit: Included profile directory could not be read while initializing Kerberos 5 library
This bug was fixed in the package freeipa - 4.4.3-3ubuntu2.1

---
freeipa (4.4.3-3ubuntu2.1) zesty; urgency=medium

  * client.dirs: Ship /etc/krb5.conf.d, because not having that breaks the
    installer when krb5.conf tries to include it. (LP: #1693154)

 -- Timo Aaltonen  Wed, 14 Jun 2017 13:56:03 +0300

** Changed in: freeipa (Ubuntu Zesty)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1693154

Title:
  ipa-client-install fails: kinit: Included profile directory could not
  be read while initializing Kerberos 5 library

Status in freeipa package in Ubuntu:
  Fix Released
Status in freeipa source package in Zesty:
  Fix Released
Status in kerberos-configs package in Debian:
  New
[Freeipa] [Bug 1693154] Re: ipa-client-install fails: kinit: Included profile directory could not be read while initializing Kerberos 5 library
Using the reproduction steps in the description, I re-confirmed that
with the current zesty version joining the domain fails because of that
missing directory. After installing freeipa-{client,common} from
-proposed, joining the domain now succeeds.

** Tags removed: verification-needed-zesty
** Tags added: verification-done-zesty

** Tags removed: verification-needed

--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1693154

Title:
  ipa-client-install fails: kinit: Included profile directory could not
  be read while initializing Kerberos 5 library

Status in freeipa package in Ubuntu:
  Fix Released
Status in freeipa source package in Zesty:
  Fix Committed
Status in kerberos-configs package in Debian:
  New