ipa-4.4.0-14.6.0.1.el7.AXS7

エラータID: AXSA:2017-1334:03

Release date: 
Monday, March 6, 2017 - 10:31
Subject: 
ipa-4.4.0-14.6.0.1.el7.AXS7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
(host access control, SELinux user roles, services). The solution provides
features for further integration with Linux based clients (SUDO, automount)
and integration with Active Directory based infrastructures (Trusts).

Security issues fixed with this release:

CVE-2017-2590
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.

Fixed bugs:

* Previously, during an Identity Management (IdM) replica installation that runs on domain level "1" or higher, Directory Server was not configured to use TLS encryption. As a consequence, installing a certificate authority (CA) on that replica failed. Directory Server is now configured to use TLS encryption during the replica installation and as a result, the CA installation works as expected.
* Previously, the Identity Management (IdM) public key infrastructure (PKI) component was configured to listen on the "::1" IPv6 localhost address. In environments have the the IPv6 protocol disabled, the replica installer was unable to retrieve the Directory Server certificate, and the installation failed. The default listening address of the PKI connector has been updated from the IP address to "localhost". As a result, the PKI connector now listens on the correct addresses in IPv4 and IPv6 environments.
* Previously, when installing a certificate authority (CA) on a replica, Identity Management (IdM) was unable to provide third-party CA certificates to the Certificate System CA installer. As a consequence, the installer was unable to connect to the remote master if the remote master used a third-party server certificate, and the installation failed. This updates applies a patch and as a result, installing a CA replica works as expected in the described situation.
* When installing a replica, the web server service entry is created on the Identity Management (IdM) master and replicated to all IdM servers. Previously, when installing a replica without a certificate authority (CA), in certain situations the service entry was not replicated to the new replica on time, and the installation failed. The replica installer has been updated and now waits until the web server service entry is replicated. As a result, the replica installation no longer fails in the described situation.

Solution: 

Update package.

CVEs: 
CVE-2017-2590
A vulnerability was found in ipa before 4.4. IdM's ca-del, ca-disable, and ca-enable commands did not properly check the user's permissions while modifying CAs in Dogtag. An authenticated, unauthorized attacker could use this flaw to delete, disable, or enable CAs causing various denial of service problems with certificate issuance, OCSP signing, and deletion of secret keys.
Additional Info: 

N/A

Download: 

SRPMS
  1. ipa-4.4.0-14.6.0.1.el7.AXS7.src.rpm
    MD5: 40d1ed2434b9425ce02ea5de35b6a3de
    SHA-256: 9df99c54e2db3b17aa0255c045dd6aeaf34903ec6bc8973b8371fd3eaa65fbe1
    Size: 6.84 MB

Asianux Server 7 for x86_64
  1. ipa-admintools-4.4.0-14.6.0.1.el7.AXS7.noarch.rpm
    MD5: 20813da63329158cda48ee77cc742d00
    SHA-256: 59f2c1b451b7c33729a2f52f99c24b2e0c4b697d01ee0b01fe94fe9391288e7e
    Size: 121.74 kB
  2. ipa-client-4.4.0-14.6.0.1.el7.AXS7.x86_64.rpm
    MD5: 2a93fac25d3a34ec91ace837c69347e1
    SHA-256: 57ed280018d8e5fc9ccaad500f4b963d09f64480f4a769ffb09a26d5d1184851
    Size: 228.92 kB
  3. ipa-client-common-4.4.0-14.6.0.1.el7.AXS7.noarch.rpm
    MD5: cab54abdcfbe9c5023a77bbd401696b7
    SHA-256: 186765a08da0e20e28d926018bd2a7dce77edb020d254b96cc67e57fe06db909
    Size: 122.54 kB
  4. ipa-common-4.4.0-14.6.0.1.el7.AXS7.noarch.rpm
    MD5: 181bb8171110d4f37bf11f6fef809415
    SHA-256: c7bee554966d7b8a81125f2717bfe47ade772c5f704d85be3c9170865fdfb2c2
    Size: 440.24 kB
  5. ipa-server-4.4.0-14.6.0.1.el7.AXS7.x86_64.rpm
    MD5: a71ed557f10e074d35c653a9490805bd
    SHA-256: 6ed473cdb75e528943034b53cd480c7ee4b75757be8fabfd91b4cd008665dfb8
    Size: 436.02 kB
  6. ipa-server-common-4.4.0-14.6.0.1.el7.AXS7.noarch.rpm
    MD5: 35e102ad4d07f050fe466de11db15d77
    SHA-256: 46026a89f645865918b1fafbda5d0fe5b6f00f803cb2356f647e2d26cb7e90fa
    Size: 620.79 kB
  7. ipa-server-dns-4.4.0-14.6.0.1.el7.AXS7.noarch.rpm
    MD5: 5f36cf7237073fe3cd5231b385d15e7a
    SHA-256: 588fae04c7764d643dd6c926aefefc73e6b029c6a4ee23ed1caea8c1ac991979
    Size: 120.57 kB
  8. ipa-server-trust-ad-4.4.0-14.6.0.1.el7.AXS7.x86_64.rpm
    MD5: b499acfd62c5050c337cd4269eba6939
    SHA-256: 8f54c898175216b0ab96a066b29034ca8488da8982bce0be2d9b1a4f27195c24
    Size: 204.47 kB
  9. python2-ipaclient-4.4.0-14.6.0.1.el7.AXS7.noarch.rpm
    MD5: 449a854e0ba14bfbc403f5aa082db350
    SHA-256: 89cc2a54fbcd8accca33118f59d205c5ef0a725b5cab6f982ed1c0f880fcceb2
    Size: 538.68 kB
  10. python2-ipalib-4.4.0-14.6.0.1.el7.AXS7.noarch.rpm
    MD5: e7a9c0f39193bb7af501569e017dd3dd
    SHA-256: 0798e86b7648ffe5e0b64872890e22c785ad4619d3b919027ac51a70a18e884d
    Size: 653.15 kB
  11. python2-ipaserver-4.4.0-14.6.0.1.el7.AXS7.noarch.rpm
    MD5: 83c72e0d13cd13d973f43e823f4be18d
    SHA-256: 1fe29a0db4d6d0ba9d483f9b750ad54fbf3defa4bd7207133d89a6dc03e8faa7
    Size: 1.27 MB