Date: Mon, 28 Jan 2013 10:25:54 -0600
For further dependency resolution the following packages have been added:
i386:
tdb-tools-1.2.10-1.el5.i386.rpm
x86_64:
tdb-tools-1.2.10-1.el5.x86_64.rpm
On 01/24/2013 10:36 AM, Pat Riehecky wrote:
> Synopsis: Important: ipa-client security update
> Issue Date: 2013-01-23
> CVE Numbers: CVE-2012-5484
> --
>
> A weakness was found in the way IPA clients communicated with IPA servers
> when initially attempting to join IPA domains. As there was no secure way
> to provide the IPA server's Certificate Authority (CA) certificate to the
> client during a join, the IPA client enrollment process was susceptible to
> man-in-the-middle attacks. This flaw could allow an attacker to obtain
> access to the IPA server using the credentials provided by an IPA client,
> including administrative access to the entire domain if the join was
> performed using an administrator's credentials. (CVE-2012-5484)
>
> Note: This weakness was only exposed during the initial client join to the
> realm, because the IPA client did not yet have the CA certificate of the
> server. Once an IPA client has joined the realm and has obtained the CA
> certificate of the IPA server, all further communication is secure. If a
> client were using the OTP (one-time password) method to join to the realm,
> an attacker could only obtain unprivileged access to the server (enough to
> only join the realm).
>
> When a fix for this flaw has been applied to the client but not yet the
> server, ipa-client-install, in unattended mode, will fail if you do not
> have the correct CA certificate locally, noting that you must use the
> "--force" option to insecurely obtain the certificate. In interactive
> mode, the certificate will try to be obtained securely from LDAP. If this
> fails, you will be prompted to insecurely download the certificate via
> HTTP. In the same situation when using OTP, LDAP will not be queried and
> you will be prompted to insecurely download the certificate via HTTP.
> --
>
> SL5
> x86_64
> ipa-client-2.1.3-5.el5_9.2.x86_64.rpm
> ipa-client-debuginfo-2.1.3-5.el5_9.2.x86_64.rpm
> i386
> ipa-client-2.1.3-5.el5_9.2.i386.rpm
> ipa-client-debuginfo-2.1.3-5.el5_9.2.i386.rpm
>
> For dependency resolution the following packages have been added to the SL5
> security repo on some older releases:
> x86_64
> authconfig-5.3.21-7.el5.x86_64.rpm
> authconfig-gtk-5.3.21-7.el5.x86_64.rpm
> certmonger-0.50-3.el5.x86_64.rpm
> curl-7.15.5-15.el5.i386.rpm
> curl-7.15.5-15.el5.x86_64.rpm
> curl-devel-7.15.5-15.el5.i386.rpm
> curl-devel-7.15.5-15.el5.x86_64.rpm
> libipa_hbac-1.5.1-58.el5.i386.rpm
> libipa_hbac-1.5.1-58.el5.x86_64.rpm
> libipa_hbac-devel-1.5.1-58.el5.i386.rpm
> libipa_hbac-devel-1.5.1-58.el5.x86_64.rpm
> libipa_hbac-python-1.5.1-58.el5.x86_64.rpm
> libtdb-1.2.10-1.el5.i386.rpm
> libtdb-1.2.10-1.el5.x86_64.rpm
> libtdb-devel-1.2.10-1.el5.i386.rpm
> libtdb-devel-1.2.10-1.el5.x86_64.rpm
> policycoreutils-1.33.12-14.8.el5.x86_64.rpm
> policycoreutils-gui-1.33.12-14.8.el5.x86_64.rpm
> policycoreutils-newrole-1.33.12-14.8.el5.x86_64.rpm
> shadow-utils-4.0.17-21.el5.x86_64.rpm
> sssd-1.5.1-58.el5.x86_64.rpm
> sssd-client-1.5.1-58.el5.i386.rpm
> sssd-client-1.5.1-58.el5.x86_64.rpm
> sssd-tools-1.5.1-58.el5.x86_64.rpm
> xmlrpc-c-1.16.24-1206.1840.4.el5.i386.rpm
> xmlrpc-c-1.16.24-1206.1840.4.el5.x86_64.rpm
> xmlrpc-c-apps-1.16.24-1206.1840.4.el5.x86_64.rpm
> xmlrpc-c-c++-1.16.24-1206.1840.4.el5.i386.rpm
> xmlrpc-c-c++-1.16.24-1206.1840.4.el5.x86_64.rpm
> xmlrpc-c-client-1.16.24-1206.1840.4.el5.i386.rpm
> xmlrpc-c-client++-1.16.24-1206.1840.4.el5.i386.rpm
> xmlrpc-c-client-1.16.24-1206.1840.4.el5.x86_64.rpm
> xmlrpc-c-client++-1.16.24-1206.1840.4.el5.x86_64.rpm
> xmlrpc-c-devel-1.16.24-1206.1840.4.el5.i386.rpm
> xmlrpc-c-devel-1.16.24-1206.1840.4.el5.x86_64.rpm
> i386
> authconfig-5.3.21-7.el5.i386.rpm
> authconfig-gtk-5.3.21-7.el5.i386.rpm
> certmonger-0.50-3.el5.i386.rpm
> curl-7.15.5-15.el5.i386.rpm
> curl-devel-7.15.5-15.el5.i386.rpm
> libipa_hbac-1.5.1-58.el5.i386.rpm
> libipa_hbac-devel-1.5.1-58.el5.i386.rpm
> libipa_hbac-python-1.5.1-58.el5.i386.rpm
> libtdb-1.2.10-1.el5.i386.rpm
> libtdb-devel-1.2.10-1.el5.i386.rpm
> policycoreutils-1.33.12-14.8.el5.i386.rpm
> policycoreutils-gui-1.33.12-14.8.el5.i386.rpm
> policycoreutils-newrole-1.33.12-14.8.el5.i386.rpm
> shadow-utils-4.0.17-21.el5.i386.rpm
> sssd-1.5.1-58.el5.i386.rpm
> sssd-client-1.5.1-58.el5.i386.rpm
> sssd-tools-1.5.1-58.el5.i386.rpm
> xmlrpc-c-1.16.24-1206.1840.4.el5.i386.rpm
> xmlrpc-c-apps-1.16.24-1206.1840.4.el5.i386.rpm
> xmlrpc-c-c++-1.16.24-1206.1840.4.el5.i386.rpm
> xmlrpc-c-client-1.16.24-1206.1840.4.el5.i386.rpm
> xmlrpc-c-client++-1.16.24-1206.1840.4.el5.i386.rpm
> xmlrpc-c-devel-1.16.24-1206.1840.4.el5.i386.rpm
>
> - Scientific Linux Development Team
--
Pat Riehecky
Scientific Linux Developer