[Pkg-freeipa-devel] [Git][freeipa-team/freeipa][upstream] 7 commits: Unify use of option parsers

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Wed Jun 25 10:46:52 BST 2025



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / freeipa


Commits:
cf84a222 by Alexander Bokovoy at 2025-01-15T11:15:09+01:00
Unify use of option parsers

Do not use direct optparse references, instead import IPAOptionParser

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3b38efe7 by Alexander Bokovoy at 2025-01-15T11:15:39+01:00
ipa tools: remove sensitive material from the commandline

When command line tools accept passwords, remove them from the command
line so that they don't get visible in '/proc/pid/commandline'.

There is no common method to access the original ARGV vector and modify
it from Python. Since this mostly affects Linux systems where IPA
services run, we expect use of GNU libc and thus can rely on internal
glibc symbols. If they aren't available, the code will skip removing
passwords.

Fixes: CVE-2024-11029

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7a5a10b6 by Sumit Bose at 2025-01-15T11:15:39+01:00
ipa-otpd: use oidc_child's --client-secret-stdin option

To remove the client secret from the command line, where it would be
visible, e.g. when calling ps, it is now passed via stdin to oidc_child.

Fixes: CVE-2024-11029

Signed-off-by: Sumit Bose <sbose at redhat.com>

- - - - -
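The two mitigations described in the CVE-2024-11029 commit messages above, as an added example that is not FreeIPA's own code: a secret supplied on the command line is scrubbed from the argument list, and a child helper receives the secret on stdin instead of in its argv. The option names, the masking with `X`, and the child command are assumed for illustration; the glibc-level rewrite of the kernel-visible ARGV that the first commit relies on is not reproduced here.

```python
"""Added example (not FreeIPA code): scrub secrets from argv and hand
them to a child on stdin.  Option names are assumed for illustration."""
import os
import subprocess
import sys
from typing import List, Optional, Tuple

# Assumed option names that carry a secret value.
SECRET_OPTS = ("--password", "-w", "--client-secret")

# Constructed stand-in for a helper such as oidc_child: echoes its stdin.
ECHO_CHILD = [sys.executable, "-c",
              "import sys; sys.stdout.write(sys.stdin.read())"]


def scrub_argv(argv: List[str]) -> Tuple[List[str], Optional[str]]:
    """Return (argv with the secret value masked, the secret itself).

    Both '--opt value' and '--opt=value' spellings are handled.  The value
    is overwritten with X's of equal length, mirroring what an in-place
    overwrite of the process ARGV would leave visible to ps."""
    out: List[str] = []
    secret: Optional[str] = None
    i = 0
    while i < len(argv):
        arg = argv[i]
        name, eq, value = arg.partition("=")
        if name in SECRET_OPTS and eq:                   # --password=hunter2
            secret = value
            out.append(name + "=" + "X" * len(value))
        elif arg in SECRET_OPTS and i + 1 < len(argv):   # --password hunter2
            secret = argv[i + 1]
            out.extend([arg, "X" * len(secret)])
            i += 1                                       # skip the value
        else:
            out.append(arg)
        i += 1
    return out, secret


def hand_off_secret(child_cmd: List[str], secret: str) -> str:
    """Start a helper with the secret on stdin, never in its argv."""
    proc = subprocess.run(child_cmd, input=secret.encode(),
                          capture_output=True, check=True)
    return proc.stdout.decode()


def cmdline_exposes(secret: str, pid: str = "self") -> Optional[bool]:
    """True if /proc/<pid>/cmdline contains the secret; None without /proc."""
    path = f"/proc/{pid}/cmdline"
    if not os.path.exists(path):
        return None
    with open(path, "rb") as f:
        return secret.encode() in f.read()
```

Running the tool with `--password hunter2` and then calling `cmdline_exposes("hunter2")` shows why the Python-level scrub alone is not enough: the kernel still reports the original ARGV until it is overwritten in place.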
f33a0e8e by Antonio Torres at 2025-01-15T12:01:25+01:00
Become IPA 4.12.3

- - - - -
6ae52a2f by Julien Rische at 2025-06-17T09:08:19+02:00
kdb: keep ipadb_get_connection() from succeeding with null LDAP context

The final call to ipadb_reinit_mspac() in ipadb_get_connection() is not
considered essential for the function to succeed, as there might be
cases where the required pieces of information to generate PACs are not
yet configured in the database. However, in environments where 389ds is
overwhelmed, the LDAP connection established at the beginning of
ipadb_get_connection() might already be lost while executing
ipadb_reinit_mspac().

Connection errors were not distinguished from configuration errors,
which could result in ipadb_get_connection() succeeding while the LDAP
context is set to null, leading to a KDC crash on the next LDAP request.

ipadb_get_connection() now explicitly checks the value of the LDAP
context before returning.

Fixes: https://pagure.io/freeipa/issue/9777
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>

- - - - -
e8c410ae by Rob Crittenden at 2025-06-17T09:11:34+02:00
Set krbCanonicalName=admin at REALM on the admin user

The admin must always own this name. If another entry has this
value set then remove it.

There is a uniqueness plugin for this attribute so the only two
possibilities are:

- no entry has this value set
- the admin user has this value set
- a different entry has the value set

Still, for robustness purposes, the upgrade plugin will handle
more entries.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
f2fc367f by Antonio Torres at 2025-06-17T09:14:30+02:00
Become IPA 4.12.4

- - - - -


31 changed files:

- VERSION.m4
- daemons/ipa-kdb/ipa_kdb.c
- daemons/ipa-otpd/oauth2.c
- install/oddjob/com.redhat.idm.trust-fetch-domains.in
- install/share/bootstrap-template.ldif
- install/tools/ipa-adtrust-install.in
- install/tools/ipa-ca-install.in
- install/tools/ipa-compat-manage.in
- install/tools/ipa-csreplica-manage.in
- install/tools/ipa-managed-entries.in
- install/tools/ipa-replica-conncheck.in
- install/tools/ipa-replica-manage.in
- install/updates/90-post_upgrade_plugins.update
- ipaclient/install/ipa_client_automount.py
- ipaclient/install/ipa_client_samba.py
- ipalib/cli.py
- ipalib/plugable.py
- ipapython/admintool.py
- ipapython/config.py
- ipapython/install/cli.py
- ipaserver/install/ipa_acme_manage.py
- ipaserver/install/ipa_backup.py
- ipaserver/install/ipa_cacert_manage.py
- ipaserver/install/ipa_kra_install.py
- ipaserver/install/ipa_migrate.py
- ipaserver/install/ipa_restore.py
- ipaserver/install/ipa_server_certinstall.py
- + ipaserver/install/plugins/add_admin_krbcanonicalname.py
- ipatests/i18n.py
- ipatests/test_integration/test_commands.py
- makeapi.in


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/c7da7e0dc979c2ecd834a0727114f53cdf878297...f2fc367fb00193a8ca8a1f22786fccd6b0024dac




