[Pkg-freeipa-devel] freeipa: Changes to 'master-next'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Sat Jan 14 13:38:11 UTC 2017
debian/TODO | 6 -
debian/changelog | 12 ++-
debian/control | 7 +
debian/patches/fix-cve-2016-5404.diff | 109 ----------------------------
debian/patches/purge-firefox-extension.diff | 18 ++--
debian/patches/series | 2
6 files changed, 24 insertions(+), 130 deletions(-)
New commits:
commit b60eb8b01e56253af1a2f0cb619af3b53f974b6c
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Sat Jan 14 15:37:21 2017 +0200
releasing package freeipa version 4.4.3-1
diff --git a/debian/changelog b/debian/changelog
index e410aa7..5666d37 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-freeipa (4.4.3-1) UNRELEASED; urgency=medium
+freeipa (4.4.3-1) experimental; urgency=medium
* New upstream release. (Closes: #848762)
* configure-apache-from-installer.diff: Dropped, upstream.
@@ -9,14 +9,13 @@ freeipa (4.4.3-1) UNRELEASED; urgency=medium
* watch: Use https url.
* client.postinst: Use update_ipa_nssdb(), which also removes remnants
from /etc/pki/nssdb.
- * control: Bump depends on slapi-nis to 0.55.
+ * control: Bump depends on slapi-nis to 0.56.1.
* control: Add python-custodia and python-requests to ipalib depends.
* control: Use python-netifaces instead of iproute.
* control: Add python-sssdconfig to python-ipatests depends.
* control: Bump depends on 389-ds-base to 1.3.5.6, upstream #5396
#2008.
* control: Bump bind9-dyndb-ldap depends to 10, upstream #2008.
- * control: Depend on slapi-nis 0.56.1.
* control: Add python-libsss-nss-idmap to build-depends.
* control: Bump depends on sssd to 1.14.0.
* install: Updated.
@@ -30,7 +29,7 @@ freeipa (4.4.3-1) UNRELEASED; urgency=medium
* control: Demote ntp to Recommends so that lxc containers can be
enrolled without it. (LP: #1630911)
- -- Timo Aaltonen <tjaalton at debian.org> Thu, 01 Dec 2016 08:25:03 +0200
+ -- Timo Aaltonen <tjaalton at debian.org> Sat, 14 Jan 2017 15:29:25 +0200
freeipa (4.3.2-5) unstable; urgency=medium
commit 3f7fe2aa9c2cbf3f2160e5cea5926f0f3a865f90
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Sat Jan 14 15:21:56 2017 +0200
control: Demote ntp to Recommends so that lxc containers can be enrolled without it. (LP: #1630911)
diff --git a/debian/changelog b/debian/changelog
index 21ae581..e410aa7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -27,6 +27,8 @@ freeipa (4.4.3-1) UNRELEASED; urgency=medium
- add & update some paths
- add some stub services (LP: #1653245)
* control: Add krb5-otp to server depends. (LP: #1640732)
+ * control: Demote ntp to Recommends so that lxc containers can be
+ enrolled without it. (LP: #1630911)
-- Timo Aaltonen <tjaalton at debian.org> Thu, 01 Dec 2016 08:25:03 +0200
diff --git a/debian/control b/debian/control
index a0477d4..fade4c1 100644
--- a/debian/control
+++ b/debian/control
@@ -192,7 +192,6 @@ Depends:
libsasl2-modules-gssapi-mit,
libsss-sudo,
libxmlrpc-core-c3 (>= 1.16.33-3.1ubuntu5),
- ntp,
oddjob-mkhomedir,
python-dnspython,
python-ipaclient (= ${source:Version}),
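Review bot: Removing `ntp,` from the client package's Depends here, with it re-added under `Recommends:` in the next hunk of this file, means a host installed with recommends disabled ends up enrolled with no time source, and the Kerberos authentication this client relies on starts failing once its clock drifts past the KDC's permitted skew. The lxc motivation in the commit message is reasonable since a container takes its time from the host, but nothing in the package records that a non-container host still needs ntp or an equivalent NTP client; a sentence in the Description or in README.Debian stating that would keep the weakened dependency from being a silent surprise. It is also worth confirming that the enrollment path tolerates ntp being absent (presumably via the installer's `--no-ntp` option) rather than failing part way through — that code is not visible from here.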
@@ -202,7 +201,10 @@ Depends:
${misc:Depends},
${python:Depends},
${shlibs:Depends}
-Suggests: libpam-krb5
+Recommends:
+ ntp,
+Suggests:
+ libpam-krb5,
Description: FreeIPA centralized identity framework -- client
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
commit 799d94959b989051d5a6e8aad9466a2d365dceca
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Sat Jan 14 11:31:26 2017 +0200
update purge-firefox-extension.diff
diff --git a/debian/patches/purge-firefox-extension.diff b/debian/patches/purge-firefox-extension.diff
index f8c6630..aa13dae 100644
--- a/debian/patches/purge-firefox-extension.diff
+++ b/debian/patches/purge-firefox-extension.diff
@@ -541,10 +541,10 @@ Date: Tue Mar 29 21:33:15 2016 +0300
self.step("importing CA certificates from LDAP", self.__import_ca_certs)
- if autoconfig:
- self.step("setting up browser autoconfig", self.__setup_autoconfig)
- if not self.promote:
- self.step("publish CA cert", self.__publish_ca_cert)
+ self.step("publish CA cert", self.__publish_ca_cert)
self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
-@@ -376,42 +374,6 @@ class HTTPInstance(service.Service):
+ self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
+@@ -383,42 +381,6 @@ class HTTPInstance(service.Service):
db = certs.CertDB(self.realm, subject_base=self.subject_base)
self.import_ca_certs(db, self.ca_is_configured)
@@ -605,7 +605,7 @@ Date: Tue Mar 29 21:33:15 2016 +0300
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
-@@ -269,16 +269,6 @@ def cleanup_adtrust(fstore):
+@@ -270,16 +270,6 @@ def cleanup_adtrust(fstore):
root_logger.debug('Removing %s from backup', backed_up_file)
@@ -619,14 +619,14 @@ Date: Tue Mar 29 21:33:15 2016 +0300
- http.setup_firefox_extension(realm, domain)
-
-
- def ca_configure_profiles_acl(ca):
- root_logger.info('[Authorizing RA Agent to modify profiles]')
-
-@@ -1716,7 +1706,6 @@ def upgrade_configuration():
+ def upgrade_adtrust_config():
+ """
+ Upgrade 'dedicated keytab file' in smb.conf to omit FILE: prefix
+@@ -1737,7 +1727,6 @@ def upgrade_configuration():
cleanup_kdc(fstore)
cleanup_adtrust(fstore)
- setup_firefox_extension(fstore)
+ upgrade_adtrust_config()
bind = bindinstance.BindInstance(fstore)
- if bind.is_configured() and not bind.is_running():
commit 59e06164f8781230e2594fb547c88ac1ff1e687a
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Sat Jan 14 11:22:03 2017 +0200
control: Add krb5-otp to server depends. (LP: #1640732)
diff --git a/debian/changelog b/debian/changelog
index cf4787d..21ae581 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -26,6 +26,7 @@ freeipa (4.4.3-1) UNRELEASED; urgency=medium
- migrate some services to use systemd
- add & update some paths
- add some stub services (LP: #1653245)
+ * control: Add krb5-otp to server depends. (LP: #1640732)
-- Timo Aaltonen <tjaalton at debian.org> Thu, 01 Dec 2016 08:25:03 +0200
diff --git a/debian/control b/debian/control
index aea4c72..a0477d4 100644
--- a/debian/control
+++ b/debian/control
@@ -83,6 +83,7 @@ Depends:
krb5-admin-server,
krb5-kdc,
krb5-kdc-ldap,
+ krb5-otp,
krb5-pkinit,
ldap-utils,
libapache2-mod-auth-gssapi (>= 1.4.0),
commit b741e1dfe0b2ab3cc4fd74ff84167ad4d3c32c4e
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Sat Jan 14 11:21:06 2017 +0200
close a LP bug
diff --git a/debian/changelog b/debian/changelog
index c72f378..cf4787d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -25,6 +25,7 @@ freeipa (4.4.3-1) UNRELEASED; urgency=medium
- add some comments to tasks.py
- migrate some services to use systemd
- add & update some paths
+ - add some stub services (LP: #1653245)
-- Timo Aaltonen <tjaalton at debian.org> Thu, 01 Dec 2016 08:25:03 +0200
commit 9e22c17a91fd58042d7f6255f306bdff8f7c694a
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Sat Jan 14 11:15:08 2017 +0200
Update TODO
diff --git a/debian/TODO b/debian/TODO
index e6a5105..8d04d8b 100644
--- a/debian/TODO
+++ b/debian/TODO
@@ -1,5 +1,3 @@
-4.1 needs
-
-- softhsm 2.x
-- dnssec patch in bind9
+TODO
+- Bundle OpenSans fonts? Fallback works fine though
commit 7ee921d824d8d4f5d02a10d19b164a4eb9986cd3
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Sat Jan 14 10:56:09 2017 +0200
fix-cve-2016-5404.diff: Dropped, upstream.
diff --git a/debian/changelog b/debian/changelog
index 8ea96da..c72f378 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ freeipa (4.4.3-1) UNRELEASED; urgency=medium
* New upstream release. (Closes: #848762)
* configure-apache-from-installer.diff: Dropped, upstream.
+ * fix-cve-2016-5404.diff: Dropped, upstream.
* patches: Refreshed.
* work-around-apache-fail.diff: Dropped, apache supports systemd now
so this should not be needed.
diff --git a/debian/patches/fix-cve-2016-5404.diff b/debian/patches/fix-cve-2016-5404.diff
deleted file mode 100644
index 115bdb3..0000000
--- a/debian/patches/fix-cve-2016-5404.diff
+++ /dev/null
@@ -1,109 +0,0 @@
-commit 7eb1502863408d869dc2e706a5e194ad122997bf
-Author: Fraser Tweedale <ftweedal at redhat.com>
-Date: Thu Jun 30 10:21:01 2016 +1000
-
- cert-revoke: fix permission check bypass (CVE-2016-5404)
-
- The 'cert_revoke' command checks the 'revoke certificate'
- permission, however, if an ACIError is raised, it then invokes the
- 'cert_show' command. The rational was to re-use a "host manages
- certificate" check that is part of the 'cert_show' command, however,
- it is sufficient that 'cert_show' executes successfully for
- 'cert_revoke' to recover from the ACIError continue. Therefore,
- anyone with 'retrieve certificate' permission can revoke *any*
- certificate and cause various kinds of DoS.
-
- Fix the problem by extracting the "host manages certificate" check
- to its own method and explicitly calling it from 'cert_revoke'.
-
- Fixes: https://fedorahosted.org/freeipa/ticket/6232
- Reviewed-By: Jan Cholasta <jcholast at redhat.com>
-
-diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
-index b4ea2fe..f257088 100644
---- a/ipalib/plugins/cert.py
-+++ b/ipalib/plugins/cert.py
-@@ -243,6 +243,25 @@ def caacl_check(principal_type, principal_string, ca, profile_id):
- )
- )
-
-+
-+def bind_principal_can_manage_cert(cert):
-+ """Check that the bind principal can manage the given cert.
-+
-+ ``cert``
-+ An NSS certificate object.
-+
-+ """
-+ bind_principal = getattr(context, 'principal')
-+ if not bind_principal.startswith('host/'):
-+ return False
-+
-+ hostname = get_host_from_principal(bind_principal)
-+
-+ # If we have a hostname we want to verify that the subject
-+ # of the certificate matches it.
-+ return hostname == cert.subject.common_name #pylint: disable=E1101
-+
-+
- @register()
- class cert_request(VirtualCommand):
- __doc__ = _('Submit a certificate signing request.')
-@@ -608,29 +627,23 @@ class cert_show(VirtualCommand):
-
- def execute(self, serial_number, **options):
- ca_enabled_check()
-- hostname = None
-+
-+ result=self.Backend.ra.get_certificate(serial_number)
-+ cert = x509.load_certificate(result['certificate'])
-+
- try:
- self.check_access()
- except errors.ACIError as acierr:
- self.debug("Not granted by ACI to retrieve certificate, looking at principal")
-- bind_principal = getattr(context, 'principal')
-- if not bind_principal.startswith('host/'):
-- raise acierr
-- hostname = get_host_from_principal(bind_principal)
-+ if not bind_principal_can_manage_cert(cert):
-+ raise acierr # pylint: disable=E0702
-
-- result=self.Backend.ra.get_certificate(serial_number)
-- cert = x509.load_certificate(result['certificate'])
- result['subject'] = unicode(cert.subject)
- result['issuer'] = unicode(cert.issuer)
- result['valid_not_before'] = unicode(cert.valid_not_before_str)
- result['valid_not_after'] = unicode(cert.valid_not_after_str)
- result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
- result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
-- if hostname:
-- # If we have a hostname we want to verify that the subject
-- # of the certificate matches it, otherwise raise an error
-- if hostname != cert.subject.common_name: #pylint: disable=E1101
-- raise acierr
-
- return dict(result=result)
-
-@@ -676,17 +689,17 @@ class cert_revoke(VirtualCommand):
-
- def execute(self, serial_number, **kw):
- ca_enabled_check()
-- hostname = None
- try:
- self.check_access()
- except errors.ACIError as acierr:
- self.debug("Not granted by ACI to revoke certificate, looking at principal")
- try:
-- # Let cert_show() handle verifying that the subject of the
-- # cert we're dealing with matches the hostname in the principal
- result = api.Command['cert_show'](unicode(serial_number))['result']
-+ cert = x509.load_certificate(result['certificate'])
-+ if not bind_principal_can_manage_cert(cert):
-+ raise acierr
- except errors.NotImplementedError:
-- pass
-+ raise acierr
- revocation_reason = kw['revocation_reason']
- if revocation_reason == 7:
- raise errors.CertificateOperationError(error=_('7 is not a valid revocation reason'))
diff --git a/debian/patches/series b/debian/patches/series
index 601e3f5..fd4f181 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,7 +1,5 @@
# upstreamed
ipa-kdb-support-dal-version-5-and-6.diff
-fix-cve-2016-5404.diff
-configure-apache-from-installer.diff
# not upstreamable
prefix.patch