-
Mon Jan 02 2017 Jingdong Lu <jingdong.lu@oracle.com> - 4.4.0-14.0.1.el7_3.1.1
- Blank out header-logo.png product-name.png
Replace login-screen-logo.png [20362818]
-
Fri Dec 16 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.1.1
- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services
by abusing password policy
- ipa-kdb: search for password policies globally
- Renamed patches 1011 and 1012 to 0146 and 0145, as they were merged upstream
-
Mon Dec 12 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.1
- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services
by abusing password policy
- password policy: Add explicit default password policy for hosts and
services
- Resolves: #1395311 CVE-2016-9575 ipa: Insufficient permission check in
certprofile-mod
- certprofile-mod: correctly authorise config update
-
Tue Nov 01 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14
- Resolves: #1378353 Replica install fails with old IPA master sometimes during
replication process
- spec file: bump minimal required version of 389-ds-base
- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1
- Fix missing file that fails DL1 replica installation
- Resolves: #1387782 WebUI: Services are not displayed correctly after upgrade
- WebUI: services without canonical name are shown correctly
- Resolves: #1389709 Traceback seen in error_log when trustdomain-del is run
- trustdomain-del: fix the way how subdomain is searched
-
Mon Oct 31 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-13
- Resolves: #1318616 CA fails to start after doing ipa-ca-install --external-ca
- Keep NSS trust flags of existing certificates
- Resolves: #1360813 ipa-server-certinstall does not update all certificate
stores and doesn't set proper trust permissions
- Add cert checks in ipa-server-certinstall
- Resolves: #1371479 cert-find --all does not show information about revocation
- cert: add revocation reason back to cert-find output
- Resolves: #1375133 WinSync users who have First.Last casing creates users who
can have their password set
- ipa passwd: use correct normalizer for user principals
- Resolves: #1377858 Users with 2FA tokens are not able to login to IPA servers
- Properly handle LDAP socket closures in ipa-otpd
- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1
- Make httpd publish its CA certificate on DL1
-
Fri Sep 16 2016 Petr Vobornik <pvoborni@redhat.com> - 4.4.0-12
- Resolves: #1373910 IPA server upgrade fails with DNS timed out errors.
- Resolves: #1375269 ipa trust-fetch-domains throws internal error
-
Tue Sep 13 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-11
- Resolves: #1373359 ipa-certupdate fails with "CA is not configured"
- Fix regression introduced in ipa-certupdate
-
Wed Sep 07 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-10
- Resolves: #1355753 adding two way non transitive(external) trust displays
internal error on the console
- Always fetch forest info from root DCs when establishing two-way trust
- factor out `populate_remote_domain` method into module-level function
- Always fetch forest info from root DCs when establishing one-way trust
- Resolves: #1356101 Lightweight sub-CA certs are not tracked by certmonger
after `ipa-replica-install`
- Track lightweight CAs on replica installation
- Resolves: #1357488 ipa command stuck forever on higher versioned client with
lower versioned server
- compat: Save server's API version in for pre-schema servers
- compat: Fix ping command call
- schema cache: Store and check info for pre-schema servers
- Resolves: #1363905 man page for ipa-replica-manage has a typo in -c flag
- Fix man page ipa-replica-manage: remove duplicate -c option
from --no-lookup
- Resolves: #1367865 webui: cert_revoke should use --cacn to set correct CA
when revoking certificate
- cert: include CA name in cert command output
- WebUI add support for sub-CAs while revoking certificates
- Resolves: #1368424 Unable to view certificates issued by Sub CA in Web UI
- Add support for additional options taken from table facet
- WebUI: Fix showing certificates issued by sub-CA
- Resolves: #1368557 dnsrecord-add does not prompt for missing record parts
interactively
- dns: normalize record type read interactively in dnsrecord_add
- dns: prompt for missing record parts in CLI
- dns: fix crash in interactive mode against old servers
- Resolves: #1370519 Certificate revocation in service-del and host-del isn't
aware of Sub CAs
- cert: fix cert-find --certificate when the cert is not in LDAP
- Make host/service cert revocation aware of lightweight CAs
- Resolves: #1371901 Use OAEP padding with custodia
- Use RSA-OAEP instead of RSA PKCS#1 v1.5
- Resolves: #1371915 When establishing external two-way trust, forest root
Administrator account is used to fetch domain info
- do not use trusted forest name to construct domain admin principal
- Resolves: #1372597 Incorrect CA ACL evaluation of SAN DNS names in
certificate request
- Fix CA ACL Check on SubjectAltNames
- Resolves: #1373272 CLI always sends default command version
- cli: use full name when executing a command
- Resolves: #1373359 ipa-certupdate fails with "CA is not configured"
- Fix ipa-certupdate for CA-less installation
- Resolves: #1373540 client-install with IPv6 address fails on link-local
address (always)
- Fix parse errors with link-local addresses
-
Fri Sep 02 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-9
- Resolves: #1081561 CA not start during ipa server install in pure IPv6 env
- Fix ipa-server-install in pure IPv6 environment
- Resolves: #1318169 Tree-root domains in a trusted AD forest aren't marked as
reachable via the forest root
- trust: make sure ID range is created for the child domain even if it exists
- ipa-kdb: simplify trusted domain parent search
- Resolves: #1335567 Update Warning in IdM Web UI API browser
- WebUI: add API browser is tech preview warning
- Resolves: #1348560 Multiple domain Active Directory Trust conflict
- ipaserver/dcerpc: reformat to make the code closer to pep8
- trust: automatically resolve DNS trust conflicts for triangle trusts
- Resolves: #1351593 CVE-2016-5404 ipa: Insufficient privileges check in
certificate revocation
- cert-revoke: fix permission check bypass (CVE-2016-5404)
- Resolves: #1353936 custodia.conf and server.keys file is world-readable.
- Remove Custodia server keys from LDAP
- Secure permissions of Custodia server.keys
- Resolves: #1358752 ipa-ca-install fails on replica when IPA server is
converted from CA-less to CA-full
- custodia: include known CA certs in the PKCS#12 file for Dogtag
- custodia: force reconnect before retrieving CA certs from LDAP
- Resolves: #1362333 ipa vault container owner cannot add vault
- Fix: container owner should be able to add vault
- Resolves: #1365546 External trust with root domain is transitive
- trust: make sure external trust topology is correctly rendered
- Resolves: #1365572 IPA server broken after upgrade
- Require pki-core-10.3.3-7
- Resolves: #1367864 Server assumes latest version of command instead of
version 1 for old / 3rd party clients
- rpcserver: assume version 1 for unversioned command calls
- rpcserver: fix crash in XML-RPC system commands
- Resolves: #1367773 thin client ignores locale change
- schema cache: Fallback to 'en_us' when locale is not available
- Resolves: #1368754 ipa server uninstall fails with Python "Global Name error"
- Fail on topology disconnect/last role removal
- Resolves: #1368981 ipa otptoken-add --type=hotp --key creates wrong OTP
- otptoken, permission: Convert custom type parameters on server
- Resolves: #1369414 ipa server-del fails with Python stack trace
- Handled empty hostname in server-del command
- Resolves: #1369761 ipa-server must depend on a version of httpd that support
mod_proxy with UDS
- Require httpd 2.4.6-31 with mod_proxy Unix socket support
- Resolves: #1370512 Received ACIError instead of DuplicatedError in
stageuser_tests
- Raise DuplicatedEnrty error when user exists in delete_container
- Resolves: #1371479 cert-find --all does not show information about revocation
- cert: add missing param values to cert-find output
- Renamed patch 1011 to 0100, as it was merged upstream
-
Wed Aug 17 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-8
- Resolves: #1298288 [RFE] Improve performance in large environments.
- cert: speed up cert-find
- Resolves: #1317379 [EXPERIMENTAL][RFE] Web UI: allow Smart Card
authentication
- service: add flag to allow S4U2Self
- Add 'trusted to auth as user' checkbox
- Added new authentication method
- Resolves: #1353881 ipa-replica-install suggests about
non-existent --force-ntpd option
- Don't show --force-ntpd option in replica install
- Resolves: #1354441 DNS forwarder check is too strict: unable to add
sub-domain to already-broken domain
- DNS: allow to add forward zone to already broken sub-domain
- Resolves: #1356146 performance regression in CLI help
- schema: Speed up schema cache
- frontend: Change doc, summary, topic and NO_CLI to class properties
- schema: Introduce schema cache format
- schema: Generate bits for help load them on request
- help: Do not create instances to get information about commands and topics
- schema cache: Do not reset ServerInfo dirty flag
- schema cache: Do not read fingerprint and format from cache
- Access data for help separately
- frontend: Add summary class property to CommandOverride
- schema cache: Read server info only once
- schema cache: Store API schema cache in memory
- client: Do not create instance just to check isinstance
- schema cache: Read schema instead of rewriting it when SchemaUpToDate
- Resolves: #1360769 ipa-server-certinstall couldn't unlock private key file
- server install: do not prompt for cert file PIN repeatedly
- Resolves: #1364113 ipa-password: ipa: ERROR: RuntimeError: Unable to create
cache directory: [Errno 13] Permission denied: '/home/test_user'
- schema: Speed up schema cache
- Resolves: #1366604 `cert-find` crashes on invalid certificate data
- cert: do not crash on invalid data in cert-find
- Resolves: #1366612 Middle replica uninstallation in line topology works
without '--ignore-topology-disconnect'
- Fail on topology disconnect/last role removal
- Resolves: #1366626 caacl-add-service: incorrect error message when service
does not exists
- Fix ipa-caalc-add-service error message
- Resolves: #1367022 The ipa-server-upgrade command failed when named-pkcs11
does not happen to run during dnf upgrade
- DNS server upgrade: do not fail when DNS server did not respond
- Resolves: #1367759 [RFE] [webui] warn admin if there is only one IPA server
with CA
- Add warning about only one existing CA server
- Set servers list as default facet in topology facet group
- Resolves: #1367773 thin client ignores locale change
- schema check: Check current client language against cached one