[Freeipa-devel] [freeipa PR#478][closed] [4.4] Do not configure PKI ajp redirection to use "::1"

2017-02-20 Thread martbab
URL: https://github.com/freeipa/freeipa/pull/478 Author: flo-renaud Title: #478: [4.4] Do not configure PKI ajp redirection to use "::1" Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/478/head:pr478 git

[Freeipa-devel] [freeipa PR#478][+pushed] [4.4] Do not configure PKI ajp redirection to use "::1"

2017-02-20 Thread martbab
URL: https://github.com/freeipa/freeipa/pull/478 Title: #478: [4.4] Do not configure PKI ajp redirection to use "::1" Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA:

[Freeipa-devel] [freeipa PR#471][comment] Fix some privilege separation regressions

2017-02-20 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/471 Title: #471: Fix some privilege separation regressions HonzaCholasta commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/b4fa354f500bcf3ac23ee3805f2c166c6a635b92

[Freeipa-devel] [freeipa PR#471][+pushed] Fix some privilege separation regressions

2017-02-20 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/471 Title: #471: Fix some privilege separation regressions Label: +pushed

[Freeipa-devel] [freeipa PR#471][closed] Fix some privilege separation regressions

2017-02-20 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/471 Author: HonzaCholasta Title: #471: Fix some privilege separation regressions Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/471/head:pr471 git checkout pr471

[Freeipa-devel] [freeipa PR#484][comment] FIPS: Remove pkispawn cruft

2017-02-20 Thread tiran
URL: https://github.com/freeipa/freeipa/pull/484 Title: #484: FIPS: Remove pkispawn cruft tiran commented: """ Or you could always clean up ```/root/.dogtag``` and remove the tmp dir when the var is not None. By the way do you clean up ```/root/.dogtag``` during update? """ See the full

[Freeipa-devel] [freeipa PR#471][comment] Fix some privilege separation regressions

2017-02-20 Thread stlaz
URL: https://github.com/freeipa/freeipa/pull/471 Title: #471: Fix some privilege separation regressions stlaz commented: """ The raised issues seem to have been fixed. ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/471#issuecomment-281071960

[Freeipa-devel] [freeipa PR#471][+ack] Fix some privilege separation regressions

2017-02-20 Thread stlaz
URL: https://github.com/freeipa/freeipa/pull/471 Title: #471: Fix some privilege separation regressions Label: +ack

[Freeipa-devel] [freeipa PR#471][synchronized] Fix some privilege separation regressions

2017-02-20 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/471 Author: HonzaCholasta Title: #471: Fix some privilege separation regressions Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/471/head:pr471 git checkout

[Freeipa-devel] [freeipa PR#484][comment] FIPS: Remove pkispawn cruft

2017-02-20 Thread stlaz
URL: https://github.com/freeipa/freeipa/pull/484 Title: #484: FIPS: Remove pkispawn cruft stlaz commented: """ Always tend to forget about the upgrade part, will do, thanks """ See the full comment at https://github.com/freeipa/freeipa/pull/484#issuecomment-281069900

[Freeipa-devel] [freeipa PR#471][comment] Fix some privilege separation regressions

2017-02-20 Thread stlaz
URL: https://github.com/freeipa/freeipa/pull/471 Title: #471: Fix some privilege separation regressions stlaz commented: """ Note that `KRA_AGENT_PEM` will not be moved to the correct folder if KRA is not installed but that's fine with me. `/bin/systemctl status ipa_memcached.service` still

[Freeipa-devel] [freeipa PR#478][comment] [4.4] Do not configure PKI ajp redirection to use "::1"

2017-02-20 Thread martbab
URL: https://github.com/freeipa/freeipa/pull/478 Title: #478: [4.4] Do not configure PKI ajp redirection to use "::1" martbab commented: """ Fixed upstream ipa-4-4: https://fedorahosted.org/freeipa/changeset/4a30e9d53475d60fb76242a098f1d969d6b19f75 """ See the full comment at

[Freeipa-devel] [freeipa PR#484][comment] FIPS: Remove pkispawn cruft

2017-02-20 Thread MartinBasti
URL: https://github.com/freeipa/freeipa/pull/484 Title: #484: FIPS: Remove pkispawn cruft MartinBasti commented: """ ``` * Module ipaserver.install.cainstance ipaserver/install/cainstance.py:685: [E1101(no-member), CAInstance.import_ra_cert] Instance of 'CAInstance' has no

[Freeipa-devel] [freeipa PR#483][opened] lite-server: validate LDAP connection and cache schema

2017-02-20 Thread tiran
URL: https://github.com/freeipa/freeipa/pull/483 Author: tiran Title: #483: lite-server: validate LDAP connection and cache schema Action: opened PR body: """ The LDAP schema cache makes the lite-server behave more like mod_wsgi. See https://fedorahosted.org/freeipa/ticket/6679

[Freeipa-devel] [freeipa PR#484][comment] FIPS: Remove pkispawn cruft

2017-02-20 Thread stlaz
URL: https://github.com/freeipa/freeipa/pull/484 Title: #484: FIPS: Remove pkispawn cruft stlaz commented: """ Hm, originally had this over the nsslib removal patchset but the rebase was not as successful as I thought, will fix the issues. """ See the full comment at

[Freeipa-devel] [freeipa PR#478][+ack] [4.4] Do not configure PKI ajp redirection to use "::1"

2017-02-20 Thread tomaskrizek
URL: https://github.com/freeipa/freeipa/pull/478 Title: #478: [4.4] Do not configure PKI ajp redirection to use "::1" Label: +ack

[Freeipa-devel] [freeipa PR#482][opened] Don't count service/host/user cert md5 fprints in FIPS

2017-02-20 Thread stlaz
URL: https://github.com/freeipa/freeipa/pull/482 Author: stlaz Title: #482: Don't count service/host/user cert md5 fprints in FIPS Action: opened PR body: """ To be "backward compatible" we cannot remove `md5_fingerprint` so we at least supply the reason why it can't be counted.

[Freeipa-devel] [freeipa PR#482][edited] Don't count service/host/user cert md5 fprints in FIPS

2017-02-20 Thread stlaz
URL: https://github.com/freeipa/freeipa/pull/482 Author: stlaz Title: #482: Don't count service/host/user cert md5 fprints in FIPS Action: edited Changed field: body Original value: """ To be "backward compatible" we cannot remove `md5_fingerprint` so we at least supply the reason why it

[Freeipa-devel] [freeipa PR#484][opened] FIPS: Remove pkispawn cruft

2017-02-20 Thread stlaz
URL: https://github.com/freeipa/freeipa/pull/484 Author: stlaz Title: #484: FIPS: Remove pkispawn cruft Action: opened PR body: """ `pkispawn` leaves some ugly files after its successful run. This patch: a) makes sure the files are removed (say no to `__del__` in `DogtagInstance`) b) prevents

[Freeipa-devel] [freeipa PR#480][comment] Add request_type doc string in cert-request

2017-02-20 Thread MartinBasti
URL: https://github.com/freeipa/freeipa/pull/480 Title: #480: Add request_type doc string in cert-request MartinBasti commented: """ Ticket is `Enumerate all available request type options in ipa cert-request help` but your commit doesn't enumerate all possible certtypes """ See the full

[Freeipa-devel] [freeipa PR#484][comment] FIPS: Remove pkispawn cruft

2017-02-20 Thread tiran
URL: https://github.com/freeipa/freeipa/pull/484 Title: #484: FIPS: Remove pkispawn cruft tiran commented: """ pylint needs some attention, too. ``` * Module ipaserver.install.cainstance ipaserver/install/cainstance.py:685: [E1101(no-member), CAInstance.import_ra_cert] Instance of

[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages

2017-02-20 Thread MartinBasti
URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages MartinBasti commented: """ We want to prevent others to have packages in PyPI with the same names as used for IPA. This is reasonable for protecting users to get attacker code from PyPI and

[Freeipa-devel] [freeipa PR#485][opened] Fix session logout

2017-02-20 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/485 Author: simo5 Title: #485: Fix session logout Action: opened PR body: """ There were 2 issues with session logouts, one is that the logout_cookie was checked and acted on in the wrong place, the other is that the wrong value was set in the

[Freeipa-devel] [freeipa PR#484][comment] FIPS: Remove pkispawn cruft

2017-02-20 Thread stlaz
URL: https://github.com/freeipa/freeipa/pull/484 Title: #484: FIPS: Remove pkispawn cruft stlaz commented: """ All should be fixed now. """ See the full comment at https://github.com/freeipa/freeipa/pull/484#issuecomment-281120295

[Freeipa-devel] [freeipa PR#482][comment] Don't count service/host/user cert md5 fprints in FIPS

2017-02-20 Thread MartinBasti
URL: https://github.com/freeipa/freeipa/pull/482 Title: #482: Don't count service/host/user cert md5 fprints in FIPS MartinBasti commented: """ I don't think that this is a good way how to handle backward compatibility. With FIPS mode enabled there is no md5 backward compatibility and users

[Freeipa-devel] [freeipa PR#482][comment] Don't count service/host/user cert md5 fprints in FIPS

2017-02-20 Thread tomaskrizek
URL: https://github.com/freeipa/freeipa/pull/482 Title: #482: Don't count service/host/user cert md5 fprints in FIPS tomaskrizek commented: """ @rcritten Currently, the tests fail because we need #437 merged. It would be caught. @MartinBasti The only other option I see is to provide `None`.

[Freeipa-devel] [freeipa PR#482][comment] Don't count service/host/user cert md5 fprints in FIPS

2017-02-20 Thread rcritten
URL: https://github.com/freeipa/freeipa/pull/482 Title: #482: Don't count service/host/user cert md5 fprints in FIPS rcritten commented: """ In service.py the error isn't wrapped in _(). You should use the same message in both. Given the different messages I'm surprised this didn't pop up as

[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping

2017-02-20 Thread flo-renaud
URL: https://github.com/freeipa/freeipa/pull/398 Author: flo-renaud Title: #398: Support for Certificate Identity Mapping Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/398/head:pr398 git checkout pr398

Re: [Freeipa-devel] python-ipaserver & freeipa-server-trust-ad split

2017-02-20 Thread Alexander Bokovoy
On Sat, 18 Feb 2017, Timo Aaltonen wrote: Hi, So Fedora puts all of dist-packages/ipaserver/* in python-ipaserver, but dcerpc.py imports python-samba which -ipaserver does not depend on. So I've kept dcerpc.py and adtrustinstance.py in freeipa-server-trust-ad on Debian, but now with 4.4.3

[Freeipa-devel] [freeipa PR#487][opened] Limit request sizes to /KdcProxy

2017-02-20 Thread npmccallum
URL: https://github.com/freeipa/freeipa/pull/487 Author: npmccallum Title: #487: Limit request sizes to /KdcProxy Action: opened PR body: """ Related: CVE-2015-5159 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa

[Freeipa-devel] [freeipa PR#487][closed] Limit request sizes to /KdcProxy

2017-02-20 Thread npmccallum
URL: https://github.com/freeipa/freeipa/pull/487 Author: npmccallum Title: #487: Limit request sizes to /KdcProxy Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/487/head:pr487 git checkout pr487

[Freeipa-devel] [freeipa PR#487][+rejected] Limit request sizes to /KdcProxy

2017-02-20 Thread tiran
URL: https://github.com/freeipa/freeipa/pull/487 Title: #487: Limit request sizes to /KdcProxy Label: +rejected

[Freeipa-devel] [freeipa PR#486][comment] Migrate OTP import script to python-cryptography

2017-02-20 Thread tiran
URL: https://github.com/freeipa/freeipa/pull/486 Title: #486: Migrate OTP import script to python-cryptography tiran commented: """ Thanks Indiana Nathaniel, good code archaeology. The ticket aligns nicely with https://fedorahosted.org/freeipa/ticket/6650 """ See the full comment at

[Freeipa-devel] [freeipa PR#487][comment] Limit request sizes to /KdcProxy

2017-02-20 Thread npmccallum
URL: https://github.com/freeipa/freeipa/pull/487 Title: #487: Limit request sizes to /KdcProxy npmccallum commented: """ @tiran Indeed, I did. Thanks! """ See the full comment at https://github.com/freeipa/freeipa/pull/487#issuecomment-281163319

[Freeipa-devel] [freeipa PR#487][comment] Limit request sizes to /KdcProxy

2017-02-20 Thread npmccallum
URL: https://github.com/freeipa/freeipa/pull/487 Title: #487: Limit request sizes to /KdcProxy npmccallum commented: """ I found this old patch on my system. I don't remember if it is relevant any more. Maybe @tiran knows? """ See the full comment at

[Freeipa-devel] [freeipa PR#488][opened] Speed up client schema cache

2017-02-20 Thread tiran
URL: https://github.com/freeipa/freeipa/pull/488 Author: tiran Title: #488: Speed up client schema cache Action: opened PR body: """ It's inefficient to open a zip file over and over again. By loading all members of the schema cache file at once, the ipa CLI script starts about 25 to 30%

[Freeipa-devel] [freeipa PR#486][opened] Migrate OTP import script to python-cryptography

2017-02-20 Thread npmccallum
URL: https://github.com/freeipa/freeipa/pull/486 Author: npmccallum Title: #486: Migrate OTP import script to python-cryptography Action: opened PR body: """ https://fedorahosted.org/freeipa/ticket/5192 """ To pull the PR as Git branch: git remote add ghfreeipa

[Freeipa-devel] [freeipa PR#486][comment] Migrate OTP import script to python-cryptography

2017-02-20 Thread npmccallum
URL: https://github.com/freeipa/freeipa/pull/486 Title: #486: Migrate OTP import script to python-cryptography npmccallum commented: """ This is an old patch I found on my system that doesn't appear to be merged. """ See the full comment at

[Freeipa-devel] [freeipa PR#487][comment] Limit request sizes to /KdcProxy

2017-02-20 Thread tiran
URL: https://github.com/freeipa/freeipa/pull/487 Title: #487: Limit request sizes to /KdcProxy tiran commented: """ You fixed the issue in summer 2015. https://github.com/latchset/kdcproxy/commit/f274aa6787cb8b3ec1cc12c440a56665b7231882 """ See the full comment at

[Freeipa-devel] [freeipa PR#480][comment] Add request_type doc string in cert-request

2017-02-20 Thread frasertweedale
URL: https://github.com/freeipa/freeipa/pull/480 Title: #480: Add request_type doc string in cert-request frasertweedale commented: """ I would like to NACK this. We instead want to hide or remove the option, because we only support PKCS #10 and this is unlikely to change any time soon.

[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages

2017-02-20 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages HonzaCholasta commented: """ Is this really the right thing to do? IMO it does not make much sense to have placeholders for every `ipa*` package, as it does not scale at all - nothing is

[Freeipa-devel] [freeipa PR#471][synchronized] Fix some privilege separation regressions

2017-02-20 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/471 Author: HonzaCholasta Title: #471: Fix some privilege separation regressions Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/471/head:pr471 git checkout

[Freeipa-devel] [freeipa PR#471][comment] Fix some privilege separation regressions

2017-02-20 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/471 Title: #471: Fix some privilege separation regressions HonzaCholasta commented: """ @stlaz, not sure what's going on there, but not my fault, these failures happen even without this PR. """ See the full comment at

[Freeipa-devel] [freeipa PR#481][+ack] Minor typo fix in DNS install plugin

2017-02-20 Thread stlaz
URL: https://github.com/freeipa/freeipa/pull/481 Title: #481: Minor typo fix in DNS install plugin Label: +ack

[Freeipa-devel] [freeipa PR#486][comment] Migrate OTP import script to python-cryptography

2017-02-20 Thread stlaz
URL: https://github.com/freeipa/freeipa/pull/486 Title: #486: Migrate OTP import script to python-cryptography stlaz commented: """ Thanks for the patch, less `nss` is always good. It seems that python-cryptography might have added the `backend` attribute to some constructors since the patch

[Freeipa-devel] [freeipa PR#480][comment] Add request_type doc string in cert-request

2017-02-20 Thread Akasurde
URL: https://github.com/freeipa/freeipa/pull/480 Title: #480: Add request_type doc string in cert-request Akasurde commented: """ @frasertweedale What do you recommend to hide this option ? does removing this option has detrimental effect on `cert-request` command ? """ See the full comment