SCIENTIFIC-LINUX-ERRATA Archives

January 2013

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

Subject:
From: Pat Riehecky <[log in to unmask]>
Reply To: Pat Riehecky <[log in to unmask]>
Date: Mon, 28 Jan 2013 10:25:54 -0600
Content-Type: text/plain
Parts/Attachments: text/plain (137 lines)

For further dependency resolution the following packages have been added:

i386:
tdb-tools-1.2.10-1.el5.i386.rpm

x86_64:
tdb-tools-1.2.10-1.el5.x86_64.rpm


On 01/24/2013 10:36 AM, Pat Riehecky wrote:
> Synopsis:          Important: ipa-client security update
> Issue Date:        2013-01-23
> CVE Numbers:       CVE-2012-5484
> -- 
>
> A weakness was found in the way IPA clients communicated with IPA servers
> when initially attempting to join IPA domains. As there was no secure way
> to provide the IPA server's Certificate Authority (CA) certificate to the
> client during a join, the IPA client enrollment process was susceptible to
> man-in-the-middle attacks. This flaw could allow an attacker to obtain
> access to the IPA server using the credentials provided by an IPA client,
> including administrative access to the entire domain if the join was
> performed using an administrator's credentials. (CVE-2012-5484)
>
> Note: This weakness was only exposed during the initial client join to the
> realm, because the IPA client did not yet have the CA certificate of the
> server. Once an IPA client has joined the realm and has obtained the CA
> certificate of the IPA server, all further communication is secure. If a
> client were using the OTP (one-time password) method to join to the realm,
> an attacker could only obtain unprivileged access to the server (enough to
> only join the realm).
>
> When a fix for this flaw has been applied to the client but not yet the
> server, ipa-client-install, in unattended mode, will fail if you do not
> have the correct CA certificate locally, noting that you must use the
> "--force" option to insecurely obtain the certificate. In interactive mode,
> an attempt is made to obtain the certificate securely from LDAP. If this
> fails, you will be prompted to insecurely download the certificate via
> HTTP. In the same situation when using OTP, LDAP will not be queried and
> you will be prompted to insecurely download the certificate via HTTP.
> -- 
>
> SL5
>   x86_64
>     ipa-client-2.1.3-5.el5_9.2.x86_64.rpm
>     ipa-client-debuginfo-2.1.3-5.el5_9.2.x86_64.rpm
>   i386
>     ipa-client-2.1.3-5.el5_9.2.i386.rpm
>     ipa-client-debuginfo-2.1.3-5.el5_9.2.i386.rpm
>
> For dependency resolution the following packages have been added to the
> SL5 security repo on some older releases:
>   x86_64
>     authconfig-5.3.21-7.el5.x86_64.rpm
>     authconfig-gtk-5.3.21-7.el5.x86_64.rpm
>     certmonger-0.50-3.el5.x86_64.rpm
>     curl-7.15.5-15.el5.i386.rpm
>     curl-7.15.5-15.el5.x86_64.rpm
>     curl-devel-7.15.5-15.el5.i386.rpm
>     curl-devel-7.15.5-15.el5.x86_64.rpm
>     libipa_hbac-1.5.1-58.el5.i386.rpm
>     libipa_hbac-1.5.1-58.el5.x86_64.rpm
>     libipa_hbac-devel-1.5.1-58.el5.i386.rpm
>     libipa_hbac-devel-1.5.1-58.el5.x86_64.rpm
>     libipa_hbac-python-1.5.1-58.el5.x86_64.rpm
>     libtdb-1.2.10-1.el5.i386.rpm
>     libtdb-1.2.10-1.el5.x86_64.rpm
>     libtdb-devel-1.2.10-1.el5.i386.rpm
>     libtdb-devel-1.2.10-1.el5.x86_64.rpm
>     policycoreutils-1.33.12-14.8.el5.x86_64.rpm
>     policycoreutils-gui-1.33.12-14.8.el5.x86_64.rpm
>     policycoreutils-newrole-1.33.12-14.8.el5.x86_64.rpm
>     shadow-utils-4.0.17-21.el5.x86_64.rpm
>     sssd-1.5.1-58.el5.x86_64.rpm
>     sssd-client-1.5.1-58.el5.i386.rpm
>     sssd-client-1.5.1-58.el5.x86_64.rpm
>     sssd-tools-1.5.1-58.el5.x86_64.rpm
>     xmlrpc-c-1.16.24-1206.1840.4.el5.i386.rpm
>     xmlrpc-c-1.16.24-1206.1840.4.el5.x86_64.rpm
>     xmlrpc-c-apps-1.16.24-1206.1840.4.el5.x86_64.rpm
>     xmlrpc-c-c++-1.16.24-1206.1840.4.el5.i386.rpm
>     xmlrpc-c-c++-1.16.24-1206.1840.4.el5.x86_64.rpm
>     xmlrpc-c-client-1.16.24-1206.1840.4.el5.i386.rpm
>     xmlrpc-c-client++-1.16.24-1206.1840.4.el5.i386.rpm
>     xmlrpc-c-client-1.16.24-1206.1840.4.el5.x86_64.rpm
>     xmlrpc-c-client++-1.16.24-1206.1840.4.el5.x86_64.rpm
>     xmlrpc-c-devel-1.16.24-1206.1840.4.el5.i386.rpm
>     xmlrpc-c-devel-1.16.24-1206.1840.4.el5.x86_64.rpm
>   i386
>     authconfig-5.3.21-7.el5.i386.rpm
>     authconfig-gtk-5.3.21-7.el5.i386.rpm
>     certmonger-0.50-3.el5.i386.rpm
>     curl-7.15.5-15.el5.i386.rpm
>     curl-devel-7.15.5-15.el5.i386.rpm
>     libipa_hbac-1.5.1-58.el5.i386.rpm
>     libipa_hbac-devel-1.5.1-58.el5.i386.rpm
>     libipa_hbac-python-1.5.1-58.el5.i386.rpm
>     libtdb-1.2.10-1.el5.i386.rpm
>     libtdb-devel-1.2.10-1.el5.i386.rpm
>     policycoreutils-1.33.12-14.8.el5.i386.rpm
>     policycoreutils-gui-1.33.12-14.8.el5.i386.rpm
>     policycoreutils-newrole-1.33.12-14.8.el5.i386.rpm
>     shadow-utils-4.0.17-21.el5.i386.rpm
>     sssd-1.5.1-58.el5.i386.rpm
>     sssd-client-1.5.1-58.el5.i386.rpm
>     sssd-tools-1.5.1-58.el5.i386.rpm
>     xmlrpc-c-1.16.24-1206.1840.4.el5.i386.rpm
>     xmlrpc-c-apps-1.16.24-1206.1840.4.el5.i386.rpm
>     xmlrpc-c-c++-1.16.24-1206.1840.4.el5.i386.rpm
>     xmlrpc-c-client-1.16.24-1206.1840.4.el5.i386.rpm
>     xmlrpc-c-client++-1.16.24-1206.1840.4.el5.i386.rpm
>     xmlrpc-c-devel-1.16.24-1206.1840.4.el5.i386.rpm
>
> - Scientific Linux Development Team


-- 
Pat Riehecky
Scientific Linux Developer
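The quoted advisory explains why the initial join must not fetch the CA certificate over an unauthenticated channel, and that a fixed unattended ipa-client-install refuses to proceed without a local CA certificate unless "--force" is given. The pre-flight gate below is an added example, not code from the IPA project or the Scientific Linux team; it assumes the administrator has staged the CA certificate as a PEM file and holds its SHA-256 fingerprint from a trusted channel, `preflight` is a hypothetical helper name, and `--unattended` is used only as an illustrative ipa-client-install argument.

```python
"""Pre-flight gate for unattended ipa-client-install (added example, not IPA code).
Checks that the IPA CA cert is staged locally and matches a fingerprint obtained
out of band, and refuses the insecure --force path the advisory describes."""
import base64
import binascii
import hashlib
import re
from typing import Optional, Sequence, Tuple

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the base64-decoded body of the first CERTIFICATE block in pem."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found in CA cert file")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated fingerprint, as 'openssl x509 -sha256 -fingerprint' prints it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))


def preflight(pem_text: Optional[str], expected_fp: str,
              install_args: Sequence[str]) -> Tuple[bool, str]:
    """Decide whether unattended enrollment may proceed: returns (ok, reason)."""
    if "--force" in install_args:
        return False, "refusing: --force fetches the CA cert over an unauthenticated channel"
    if pem_text is None:
        return False, "refusing: no local CA cert; stage it out of band instead of using --force"
    try:
        actual = sha256_fingerprint(pem_to_der(pem_text))
    except (ValueError, binascii.Error) as exc:
        return False, f"refusing: unreadable CA cert ({exc})"
    if actual != expected_fp.upper():
        return False, f"refusing: CA fingerprint mismatch, got {actual}"
    return True, "ok: local CA cert matches the out-of-band fingerprint"


# Constructed sample input: these bytes stand in for DER; not a real certificate.
SAMPLE_DER = b"constructed sample, not a real X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")
EXPECTED_FP = sha256_fingerprint(SAMPLE_DER)  # in practice: supplied by the IPA admin via a trusted channel
```

Only when `preflight` returns `True` should the enrollment wrapper go on to run ipa-client-install non-interactively; every refusal reason maps to a case the advisory describes as insecure.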
