For further dependency resolution the following packages have been added:

i386:
tdb-tools-1.2.10-1.el5.i386.rpm

x86_64:
tdb-tools-1.2.10-1.el5.x86_64.rpm

On 01/24/2013 10:36 AM, Pat Riehecky wrote:
> Synopsis: Important: ipa-client security update
> Issue Date: 2013-01-23
> CVE Numbers: CVE-2012-5484
> --
>
> A weakness was found in the way IPA clients communicated with IPA servers when
> initially attempting to join IPA domains. As there was no secure way to provide
> the IPA server's Certificate Authority (CA) certificate to the client during a
> join, the IPA client enrollment process was susceptible to man-in-the-middle
> attacks. This flaw could allow an attacker to obtain access to the IPA server
> using the credentials provided by an IPA client, including administrative
> access to the entire domain if the join was performed using an administrator's
> credentials. (CVE-2012-5484)
>
> Note: This weakness was only exposed during the initial client join to the
> realm, because the IPA client did not yet have the CA certificate of the
> server. Once an IPA client has joined the realm and has obtained the CA
> certificate of the IPA server, all further communication is secure. If a client
> were using the OTP (one-time password) method to join to the realm, an attacker
> could only obtain unprivileged access to the server (enough to only join the
> realm).
>
> When a fix for this flaw has been applied to the client but not yet the server,
> ipa-client-install, in unattended mode, will fail if you do not have the
> correct CA certificate locally, noting that you must use the "--force" option
> to insecurely obtain the certificate. In interactive mode, the certificate will
> try to be obtained securely from LDAP. If this fails, you will be prompted to
> insecurely download the certificate via HTTP. In the same situation when using
> OTP, LDAP will not be queried and you will be prompted to insecurely download
> the certificate via HTTP.
> --
>
> SL5
>   x86_64
>     ipa-client-2.1.3-5.el5_9.2.x86_64.rpm
>     ipa-client-debuginfo-2.1.3-5.el5_9.2.x86_64.rpm
>   i386
>     ipa-client-2.1.3-5.el5_9.2.i386.rpm
>     ipa-client-debuginfo-2.1.3-5.el5_9.2.i386.rpm
>
> For dependency resolution the following packages have been added to the SL5
> security repo on some older releases:
>   x86_64
>     authconfig-5.3.21-7.el5.x86_64.rpm
>     authconfig-gtk-5.3.21-7.el5.x86_64.rpm
>     certmonger-0.50-3.el5.x86_64.rpm
>     curl-7.15.5-15.el5.i386.rpm
>     curl-7.15.5-15.el5.x86_64.rpm
>     curl-devel-7.15.5-15.el5.i386.rpm
>     curl-devel-7.15.5-15.el5.x86_64.rpm
>     libipa_hbac-1.5.1-58.el5.i386.rpm
>     libipa_hbac-1.5.1-58.el5.x86_64.rpm
>     libipa_hbac-devel-1.5.1-58.el5.i386.rpm
>     libipa_hbac-devel-1.5.1-58.el5.x86_64.rpm
>     libipa_hbac-python-1.5.1-58.el5.x86_64.rpm
>     libtdb-1.2.10-1.el5.i386.rpm
>     libtdb-1.2.10-1.el5.x86_64.rpm
>     libtdb-devel-1.2.10-1.el5.i386.rpm
>     libtdb-devel-1.2.10-1.el5.x86_64.rpm
>     policycoreutils-1.33.12-14.8.el5.x86_64.rpm
>     policycoreutils-gui-1.33.12-14.8.el5.x86_64.rpm
>     policycoreutils-newrole-1.33.12-14.8.el5.x86_64.rpm
>     shadow-utils-4.0.17-21.el5.x86_64.rpm
>     sssd-1.5.1-58.el5.x86_64.rpm
>     sssd-client-1.5.1-58.el5.i386.rpm
>     sssd-client-1.5.1-58.el5.x86_64.rpm
>     sssd-tools-1.5.1-58.el5.x86_64.rpm
>     xmlrpc-c-1.16.24-1206.1840.4.el5.i386.rpm
>     xmlrpc-c-1.16.24-1206.1840.4.el5.x86_64.rpm
>     xmlrpc-c-apps-1.16.24-1206.1840.4.el5.x86_64.rpm
>     xmlrpc-c-c++-1.16.24-1206.1840.4.el5.i386.rpm
>     xmlrpc-c-c++-1.16.24-1206.1840.4.el5.x86_64.rpm
>     xmlrpc-c-client-1.16.24-1206.1840.4.el5.i386.rpm
>     xmlrpc-c-client++-1.16.24-1206.1840.4.el5.i386.rpm
>     xmlrpc-c-client-1.16.24-1206.1840.4.el5.x86_64.rpm
>     xmlrpc-c-client++-1.16.24-1206.1840.4.el5.x86_64.rpm
>     xmlrpc-c-devel-1.16.24-1206.1840.4.el5.i386.rpm
>     xmlrpc-c-devel-1.16.24-1206.1840.4.el5.x86_64.rpm
>   i386
>     authconfig-5.3.21-7.el5.i386.rpm
>     authconfig-gtk-5.3.21-7.el5.i386.rpm
>     certmonger-0.50-3.el5.i386.rpm
>     curl-7.15.5-15.el5.i386.rpm
>     curl-devel-7.15.5-15.el5.i386.rpm
>     libipa_hbac-1.5.1-58.el5.i386.rpm
>     libipa_hbac-devel-1.5.1-58.el5.i386.rpm
>     libipa_hbac-python-1.5.1-58.el5.i386.rpm
>     libtdb-1.2.10-1.el5.i386.rpm
>     libtdb-devel-1.2.10-1.el5.i386.rpm
>     policycoreutils-1.33.12-14.8.el5.i386.rpm
>     policycoreutils-gui-1.33.12-14.8.el5.i386.rpm
>     policycoreutils-newrole-1.33.12-14.8.el5.i386.rpm
>     shadow-utils-4.0.17-21.el5.i386.rpm
>     sssd-1.5.1-58.el5.i386.rpm
>     sssd-client-1.5.1-58.el5.i386.rpm
>     sssd-tools-1.5.1-58.el5.i386.rpm
>     xmlrpc-c-1.16.24-1206.1840.4.el5.i386.rpm
>     xmlrpc-c-apps-1.16.24-1206.1840.4.el5.i386.rpm
>     xmlrpc-c-c++-1.16.24-1206.1840.4.el5.i386.rpm
>     xmlrpc-c-client-1.16.24-1206.1840.4.el5.i386.rpm
>     xmlrpc-c-client++-1.16.24-1206.1840.4.el5.i386.rpm
>     xmlrpc-c-devel-1.16.24-1206.1840.4.el5.i386.rpm
>
> - Scientific Linux Development Team

--
Pat Riehecky
Scientific Linux Developer