[Pkg-freeipa-devel] Bug#849950: Bug#849950: freeipa: CVE-2016-9575: Insufficient permission check in certprofile-mod
Salvatore Bonaccorso
carnil at debian.org
Tue Jan 3 05:51:05 UTC 2017
Hello Timo,
On Tue, Jan 03, 2017 at 12:40:10AM +0200, Timo Aaltonen wrote:
> On 02.01.2017 17:45, Salvatore Bonaccorso wrote:
> > Source: freeipa
> > Version: 4.3.2-5
> > Severity: grave
> > Tags: upstream security
> > Justification: user security hole
> >
> > Hi,
> >
> > the following vulnerability was published for freeipa. Note that I'm
> > not too familiar with freeipa, so just checked source wise. The code
> > should be present in ipalib/plugins/certprofile.py, and according to
> > the Red Hat bug [1] all freeipa versions above 4.2 should be affected.
> > it contains a patch as well.
>
> Yes, I'm aware of these recent cve's but can't test any updates because
> tomcat 8.5 broke dogtag-pki. Will need to wait for that to get fixed
> first I guess, and then push 4.4.3 out.
Great, thank you for you quick feedback!
Regards,
Salvatore
More information about the Pkg-freeipa-devel
mailing list