RHBA-2012:0190 - Bug Fix Advisory

Topic

An updated ipa-client package that fixes various bugs and adds several
enhancements is now available for Red Hat Enterprise Linux 5.

Description

The ipa-client package provides a tool to enroll a machine to an IPA version 2
server. IPA (Identity, Policy, Audit) is an integrated solution to provide
centrally managed identity, that is, machine, user, virtual machines, groups,
and authentication credentials.

The ipa-client package has been upgraded to upstream version 2.1.3, which
provides a number of bug fixes and enhancements over the previous version.
(BZ#753936)

This update also fixes the following bugs:

• Prior to this update, GSSAPI credential delegation was disabled in the curl

utility due to a security issue. As a result, applications that rely on the
delegation did not work properly. This update utilizes a new constructor
argument in the xmlrpc-c client API to set the new CURLOPT_GSSAPI_DELEGATION
curl option. This option enables credential delegation. (BZ#723667)

• A previous change to the Referer server required that a caller to the IPA

server API include the Referer header in its request. Previously, requests from
the certmonger and ipa administrative tools did not provide the header, and the
tool requests could fail with the error "Missing or invalid HTTP Referer".
However, the requests are transferred using curl and curl does not allow setting
of arbitrary headers. To resolve this problem, the code has been changed so that
the curl version is stored in the HTTP request field X-Original-User-Agent and
the rest of the header is overridden. As a result, the correct header is used
for the requests and the problem no longer occurs. (BZ#752226)

• If the user ran the ipa-client-install command with the password defined (for

example, "ipa-client-install --principal=admin --password=SecretPsswd"), the
/var/log/ipaclient-install.log file contained the password in plain text. With
this update, the underlying code is modified and the provided password is no
longer saved in the logs in this scenario. (BZ#739068)

• Previously, KDC (Key Distribution Center) autodiscovery failed if the domain

name differed from the Kerberos realm name. This happened because the
ipa-client-install utility always assumed that the realm name was identical to
the domain name. Now the realm is used when performing autodiscovery and the
problem no longer occurs. (BZ#710143)

• The cyrus-sasl-gssapi package is a soft dependency needed by some IPA client

tools. Previously, the ipa-client package spec file did not contain the
cyrus-sasl-gssapi dependency for some architectures. As a result, installation
on some platforms could fail. This update adds the missing dependency to the
spec file and the installation process finishes successfully. (BZ#750338)

• The cyrus-sasl-gssapi package is a soft dependency needed by some IPA client

tools. Previously, when installing 32-bit packages on a 64-bit system, the macro
determining the required architecture version of the cyrus-sasl-gssapi package
did not work correctly. As a result, an incorrect version of cyrus-sasl-gssapi
was installed and the system failed to work; for example, the ipa-getkeytab
command failed with the following error because the 32-bit GSSAPI SASL mechanism
was not available:

SASL Bind failed.

This update corrects the macro and the problem no longer occurs. (BZ#723620)

All ipa-client users are advised to upgrade to this updated package, which fixes
these bugs and adds these enhancements.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 723620 - Need an arch-specific Requires on cyrus-sasl-gssapi
• BZ - 739068 - ipa-client-install --password=$PASSWORD will cause /var/log/ipaclient-install.log to contain the password.
• BZ - 752226 - ipa-client: Requires client-side changes for server-side fixes (due to CVE-2011-3636) [rhel-5.8]
• BZ - 753936 - Rebase ipa-client to upstream 2.1.3

CVEs

(none)

References

(none)