RHSA-2020:3936 - Security Advisory

Topic

An update for ipa is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments.

The following packages have been upgraded to a later upstream version: ipa (4.6.8). (BZ#1819725)

Security Fix(es):

• js-jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)
• bootstrap: XSS in the data-target attribute (CVE-2016-10735)
• bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
• bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip. (CVE-2018-14042)
• bootstrap: XSS in the tooltip data-viewport attribute (CVE-2018-20676)
• bootstrap: XSS in the affix configuration target property (CVE-2018-20677)
• bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)
• js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection (CVE-2019-11358)
• jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
• ipa: No password length restriction leads to denial of service (CVE-2020-1722)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 7 x86_64
• Red Hat Enterprise Linux Workstation 7 x86_64
• Red Hat Enterprise Linux Desktop 7 x86_64
• Red Hat Enterprise Linux for IBM z Systems 7 s390x
• Red Hat Enterprise Linux for Power, big endian 7 ppc64
• Red Hat Enterprise Linux for Scientific Computing 7 x86_64
• Red Hat Enterprise Linux for Power, little endian 7 ppc64le

Fixes

• BZ - 1399546 - CVE-2015-9251 js-jquery: Cross-site scripting via cross-domain ajax requests
• BZ - 1404770 - ID Views: do not allow custom Views for the masters
• BZ - 1545755 - ipa-replica-prepare should not update pki admin password.
• BZ - 1601614 - CVE-2018-14040 bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute
• BZ - 1601617 - CVE-2018-14042 bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip.
• BZ - 1668082 - CVE-2018-20676 bootstrap: XSS in the tooltip data-viewport attribute
• BZ - 1668089 - CVE-2018-20677 bootstrap: XSS in the affix configuration target property
• BZ - 1668097 - CVE-2016-10735 bootstrap: XSS in the data-target attribute
• BZ - 1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute
• BZ - 1701972 - CVE-2019-11358 js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection
• BZ - 1754902 - Running ipa-server-install fails when RHEL 7.7 packages are installed on RHEL 7.6
• BZ - 1755535 - ipa-advise on a RHEL7 IdM server is not able to generate a configuration script for a RHEL8 IdM client
• BZ - 1756568 - ipa-server-certinstall man page does not match built-in help.
• BZ - 1758406 - KRA authentication fails when IPA CA has custom Subject DN
• BZ - 1769791 - Invisible part of notification area in Web UI intercepts clicks of some page elements
• BZ - 1771356 - Default client configuration breaks ssh in FIPS mode.
• BZ - 1780548 - Man page ipa-cacert-manage does not display correctly on RHEL
• BZ - 1782587 - add "systemctl restart sssd" to warning message when adding trust agents to replicas
• BZ - 1788718 - ipa-server-install incorrectly setting slew mode (-x) when setting up ntpd
• BZ - 1788907 - Renewed certs are not picked up by IPA CAs
• BZ - 1793071 - CVE-2020-1722 ipa: No password length restriction leads to denial of service
• BZ - 1795890 - ipa-pkinit-manage enable fails on replica if it doesn't host the CA
• BZ - 1801791 - Compatibility Schema difference in functionality for systems following RHEL 7.5 -> 7.6 upgrade path as opposed to new RHEL 7.6 systems
• BZ - 1817886 - ipa group-add-member: prevent adding IPA objects as external members
• BZ - 1817918 - Secure tomcat AJP connector
• BZ - 1817919 - Enable compat tree to provide information about AD users and groups on trust agents
• BZ - 1817922 - covscan memory leaks report
• BZ - 1817923 - IPA upgrade is failing with error "Failed to get request: bus, object_path and dbus_interface must not be None."
• BZ - 1817927 - host-add --password logs cleartext userpassword to Apache error log
• BZ - 1819725 - Rebase IPA to latest 4.6.x version
• BZ - 1825829 - ipa-advise on a RHEL7 IdM server generate a configuration script for client having hardcoded python3
• BZ - 1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
• BZ - 1829787 - ipa service-del deletes the required principal when specified in lower/upper case
• BZ - 1834385 - Man page syntax issue detected by rpminspect
• BZ - 1842950 - ipa-adtrust-install fails when replica is offline

CVEs

• CVE-2015-9251
• CVE-2016-10735
• CVE-2018-14040
• CVE-2018-14042
• CVE-2018-20676
• CVE-2018-20677
• CVE-2019-8331
• CVE-2019-11358
• CVE-2020-1722
• CVE-2020-11022

References

• https://access.redhat.com/security/updates/classification/#moderate
• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index