--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2019-c64e1612f5
2019-12-05 01:39:12.689096
--------------------------------------------------------------------------------
Name        : freeipa
Product     : Fedora 31
Version     : 4.8.3
Release     : 1.fc31
URL         : https://www.freeipa.org/
Summary     : The Identity, Policy and Audit system
Description :
IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
(host access control, SELinux user roles, services). The solution provides
features for further integration with Linux based clients (SUDO, automount)
and integration with Active Directory based infrastructures (Trusts).

--------------------------------------------------------------------------------
Update Information:

FreeIPA 4.8.3 is a security update release that includes fixes for two issues:

* CVE-2019-10195: Don't log passwords embedded in commands in calls using batch

  A flaw was found in the way that FreeIPA's batch processing API logged
  operations. This included recording user passwords in clear text in logs on
  FreeIPA masters. Batch processing of commands with passwords as arguments or
  options is not performed by default in FreeIPA but is possible by third-party
  components. An attacker having access to system logs on FreeIPA masters could
  use this flaw to produce log file content with passwords exposed. The issue
  was reported by Jamison Bennett from Cloudera.

* CVE-2019-14867: Make sure to have storage space for tag

  A flaw was found in the way the internal function ber_scanf() was used in
  some components of the IPA server, which parsed Kerberos key data. An
  unauthenticated attacker who could trigger parsing of the krb principal key
  could cause the IPA server to crash or, in some conditions, cause arbitrary
  code to be executed on the server hosting the IPA server. The issue was
  reported by Todd Lipcon from Cloudera.
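The defensive pattern behind the CVE-2019-10195 fix is to mask secret parameters of a batched request before anything about it is written to a log. The following is an added illustration, not FreeIPA's code: the batch shape ({"method": ..., "params": [args, options]}), the set of option names treated as secrets, the positional layout of the hypothetical "passwd" command and the sample batch are all constructed for this example; a real server would derive which parameters are secret from its command schema rather than from a fixed name list.

```python
"""Mask secret parameters of a batched API request before it is logged."""
import json
from typing import Any

# Constructed for this example: option names whose values are secrets.
SECRET_OPTIONS = frozenset({"password", "userpassword", "new_password",
                            "current_password", "otp"})
# Constructed for this example: commands whose positional arguments carry a
# secret, mapped to the indices of those arguments (hypothetical layout:
# passwd takes [principal, new_password, current_password]).
SECRET_POSITIONAL = {"passwd": (1, 2)}
REDACTED = "********"


def redact_command(method: str, args: list, options: dict) -> dict[str, Any]:
    """Return a loggable copy of one command with secret values masked.

    The caller's lists/dicts are never modified, so the command can still be
    executed with its real parameters after the redacted copy has been logged.
    """
    safe_args = list(args)
    for idx in SECRET_POSITIONAL.get(method, ()):
        if idx < len(safe_args):
            safe_args[idx] = REDACTED
    safe_opts = {
        key: (REDACTED if key.lower() in SECRET_OPTIONS else value)
        for key, value in options.items()
    }
    return {"method": method, "params": [safe_args, safe_opts]}


def redact_batch(batch: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Apply redact_command to every entry of a batch request.

    Assumed batch shape (JSON-RPC style): each entry is
    {"method": "<command>", "params": [<positional args>, {<options>}]}.
    """
    redacted = []
    for call in batch:
        params = call.get("params") or [[], {}]
        args = params[0] if len(params) > 0 else []
        opts = params[1] if len(params) > 1 else {}
        redacted.append(redact_command(call.get("method", ""), args, opts))
    return redacted


def render_for_log(batch: list[dict[str, Any]]) -> str:
    """Serialise the redacted batch; only this string may reach a log file."""
    return json.dumps(redact_batch(batch), sort_keys=True)


def secrets_leaked(text: str, secrets: tuple[str, ...]) -> list[str]:
    """Detection helper: which of the known secret values appear in text."""
    return [s for s in secrets if s in text]


# Constructed sample batch, as a third-party client might submit it.
SAMPLE_BATCH = [
    {"method": "user_add", "params": [["alice"],
     {"givenname": "Alice", "sn": "Example", "userpassword": "Hunter2!"}]},
    {"method": "passwd",
     "params": [["bob@EXAMPLE.TEST", "N3w-Secret", "0ld-Secret"], {}]},
    {"method": "user_show", "params": [["carol"], {"all": True}]},
]
SAMPLE_SECRETS = ("Hunter2!", "N3w-Secret", "0ld-Secret")


if __name__ == "__main__":
    line = render_for_log(SAMPLE_BATCH)
    print(line)
    print("leaked:", secrets_leaked(line, SAMPLE_SECRETS))
```

The secrets_leaked check is also the shape of a cheap regression test: feed the server's own log line a batch whose secret values are known, and fail the build if any of them appears verbatim.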
--------------------------------------------------------------------------------
ChangeLog:

* Tue Nov 26 2019 Alexander Bokovoy  - 4.8.3-1
- New upstream release 4.8.3
- CVE-2019-14867: Denial of service in IPA server due to wrong use of ber_scanf()
- CVE-2019-10195: Don't log passwords embedded in commands in calls using batch
* Tue Nov 12 2019 Rob Crittenden  - 4.8.2-1
- New upstream release 4.8.2
- Replace %{_libdir} macro in BuildRequires (#1746882)
- Restore user-nsswitch.conf before calling authselect (#1746557)
- ipa service-find does not list cifs service created by
  ipa-client-samba (#1731433)
- Occasional 'whoami.data is undefined' error in FreeIPA web UI
  (#1699109)
- ipa-kra-install fails due to fs.protected_regular=1 (#1698384)
* Sun Oct 20 2019 Alexander Bokovoy  - 4.8.1-4
- Don't create log files from helper scripts
- Fixes: rhbz#1754189
* Tue Oct  8 2019 Christian Heimes  - 4.8.1-3
- Fix compatibility issue with preexec_fn in Python 3.8
- Fixes: rhbz#1759290
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1777147 - CVE-2019-10195 freeipa: IPA: batch API logging user passwords to /var/log/httpd/error_log [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1777147
  [ 2 ] Bug #1777200 - CVE-2019-14867 freeipa: ipa: Denial of service in IPA server due to wrong use of ber_scanf() [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1777200
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-c64e1612f5' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/
