Date: Wed, 20 Mar 2013 15:41:54 +0200
Content-Type: multipart/signed
Hi
I can't configure ipa as dns, please see bottom.
On 03/04/2013 09:09 PM, Pat Riehecky wrote:
> Synopsis: Low: ipa security, bug fix and enhancement update
> Issue Date: 2013-02-21
> CVE Numbers: CVE-2012-4546
> --
>
> It was found that the current default configuration of IPA servers did not
> publish correct CRLs (Certificate Revocation Lists). The default configuration
> specifies that every replica is to generate its own CRL; however, this can
> result in inconsistencies in the CRL contents provided to clients from
> different Identity Management replicas. More specifically, if a certificate is
> revoked on one Identity Management replica, it will not show up on another
> Identity Management replica. (CVE-2012-4546)
> --
>
> SL6
> x86_64
> ipa-client-3.0.0-25.el6.x86_64.rpm
> ipa-debuginfo-3.0.0-25.el6.x86_64.rpm
> ipa-python-3.0.0-25.el6.x86_64.rpm
> ipa-admintools-3.0.0-25.el6.x86_64.rpm
> ipa-server-3.0.0-25.el6.x86_64.rpm
> ipa-server-selinux-3.0.0-25.el6.x86_64.rpm
> ipa-server-trust-ad-3.0.0-25.el6.x86_64.rpm
> i386
> ipa-client-3.0.0-25.el6.i686.rpm
> ipa-debuginfo-3.0.0-25.el6.i686.rpm
> ipa-python-3.0.0-25.el6.i686.rpm
> ipa-admintools-3.0.0-25.el6.i686.rpm
> ipa-server-3.0.0-25.el6.i686.rpm
> ipa-server-selinux-3.0.0-25.el6.i686.rpm
> ipa-server-trust-ad-3.0.0-25.el6.i686.rpm
>
> The following packages were added for dependency resolution
> SL6
> x86_64
> certmonger-0.61-3.el6.x86_64.rpm
> mod_nss-1.0.8-18.el6.x86_64.rpm
> nss-3.14.0.0-12.el6.i686.rpm
> nss-3.14.0.0-12.el6.x86_64.rpm
> nss-devel-3.14.0.0-12.el6.i686.rpm
> nss-devel-3.14.0.0-12.el6.x86_64.rpm
> nss-pkcs11-devel-3.14.0.0-12.el6.i686.rpm
> nss-pkcs11-devel-3.14.0.0-12.el6.x86_64.rpm
> nss-sysinit-3.14.0.0-12.el6.x86_64.rpm
> nss-tools-3.14.0.0-12.el6.x86_64.rpm
> nss-util-3.14.0.0-2.el6.i686.rpm
> nss-util-3.14.0.0-2.el6.x86_64.rpm
> nss-util-devel-3.14.0.0-2.el6.i686.rpm
> nss-util-devel-3.14.0.0-2.el6.x86_64.rpm
> policycoreutils-2.0.83-19.24.el6.x86_64.rpm
> policycoreutils-gui-2.0.83-19.24.el6.x86_64.rpm
> policycoreutils-newrole-2.0.83-19.24.el6.x86_64.rpm
> policycoreutils-python-2.0.83-19.24.el6.x86_64.rpm
> policycoreutils-sandbox-2.0.83-19.24.el6.x86_64.rpm
>
> i386
> certmonger-0.61-3.el6.i686.rpm
> mod_nss-1.0.8-18.el6.i686.rpm
> nss-3.14.0.0-12.el6.i686.rpm
> nss-devel-3.14.0.0-12.el6.i686.rpm
> nss-pkcs11-devel-3.14.0.0-12.el6.i686.rpm
> nss-sysinit-3.14.0.0-12.el6.i686.rpm
> nss-tools-3.14.0.0-12.el6.i686.rpm
> nss-util-3.14.0.0-2.el6.i686.rpm
> nss-util-devel-3.14.0.0-2.el6.i686.rpm
> policycoreutils-2.0.83-19.24.el6.i686.rpm
> policycoreutils-gui-2.0.83-19.24.el6.i686.rpm
> policycoreutils-newrole-2.0.83-19.24.el6.i686.rpm
> policycoreutils-python-2.0.83-19.24.el6.i686.rpm
> policycoreutils-sandbox-2.0.83-19.24.el6.i686.rpm
I think bind-dyndb-ldap-2.3.2 needs to be added to that dependency list.
On attempting to configure ipa-server-3.0.0 for dns it complains the bind-dyndb-ldap
is not installed. On installing it says it needs 2.3.2 but only 1.1.0-0.9.b1.el6_3.1 is available.
It is however available in 6.4 though, where 3.0.0 will happily run more than likely.
Although the source packages
http://ftp.scientificlinux.org/linux/scientific/6.4/SRPMS/vendor/bind-dyndb-ldap-1.1.0-0.9.b1.el6_3.1.src.rpm
is the latest but
http://ftp.scientificlinux.org/linux/scientific/6.4/i386/os/Packages/bind-dyndb-ldap-2.3-2.el6.i686.rpm
I can't find the src to build it myself.
There was mention of a similar problem in the transition from 6.1 to 6.2 at
http://listserv.fnal.gov/scripts/wa.exe?A2=ind1201&L=scientific-linux-users&T=0&P=6283
Must I simply wait for 6.4?
Thanks
Sean
>
>
> - Scientific Linux Development Team