[ELSA-2020-3936] ipa security, bug fix, and enhancement update
[4.6.8-5.0.1]
- Blank out header-logo.png product-name.png
- Replace login-screen-logo.png [Orabug: 20362818]
[4.6.8-5.el7]
- Resolves: #1826659 IPA: Ldap authentication failure due to Kerberos principal expiration UTC timestamp
- ipa-pwd-extop: use timegm() instead of mktime() to preserve timezone offset
[4.6.8-4.el7]
- Resolves: #1842950 ipa-adtrust-install fails when replica is offline
- ipa-adtrust-install: avoid failure when replica is offline
- Resolves: #1831856 CVE-2020-11022 ipa: jquery: Cross-site scripting due to improper jQuery.htmlPrefilter method
- WebUI: Apply jQuery patch to fix htmlPrefilter issue
[4.6.8-3.el7]
- Resolves: #1834385 Man page syntax issue detected by rpminspect
- Man pages: fix syntax issues
- Resolves: #1829787 ipa service-del deletes the required principal when specified in lower/upper case
- Make check_required_principal() case-insensitive
- Resolves: #1825829 ipa-advise on a RHEL7 IdM server generates a configuration script for client having hardcoded python3
- ipa-advise: fallback to /usr/libexec/platform-python if python3 not found
- Resolves: #1812020 CVE-2015-9251 ipa: js-jquery: Cross-site scripting via cross-domain ajax requests
- Web UI: Upgrade jQuery version 2.0.3 -> 3.4.1
- Resolves: #1713487 CVE-2019-11358 ipa: js-jquery: prototype pollution in objects prototype leading to denial of service or remote code execution or property injection
- Web UI: Upgrade jQuery version 2.0.3 -> 3.4.1
[4.6.8-2.el7]
- Resolves: #1802408 CVE-2020-1722 ipa: No password length restriction leads to denial of service
- Add interactive prompt for the LDAP bind password to ipa-getkeytab
- CVE-2020-1722: prevent use of too long passwords
[4.6.8-1.el7]
- Resolves: #1819725 - Rebase IPA to latest 4.6.x version
- Resolves: #1817927 - host-add --password logs cleartext userpassword to Apache error log
- Resolves: #1817923 - IPA upgrade is failing with error 'Failed to get request: bus, object_path and dbus_interface must not be None.'
- Resolves: #1817922 - covscan memory leaks report
- Resolves: #1817919 - Enable compat tree to provide information about AD users and groups on trust agents
- Resolves: #1817918 - Secure tomcat AJP connector
- Resolves: #1817886 - ipa group-add-member: prevent adding IPA objects as external members
- Resolves: #1788718 - ipa-server-install incorrectly setting slew mode (-x) when setting up ntpd
[4.6.6-12.el7]
- Resolves: #1754902 - Running ipa-server-install fails when RHEL 7.7 packages are installed on RHEL 7.6
- Resolves: #1404770 - ID Views: do not allow custom Views for the masters
- idviews: prevent applying to a master
- Resolves: #1801791 - Compatibility Schema difference in functionality for systems following RHEL 7.5 -> 7.6 upgrade path as opposed to new RHEL 7.6 systems
- install/updates: move external members past schema compat update
- Resolves: #1795890 - ipa-pkinit-manage enable fails on replica if it doesn't host the CA
- pkinit setup: fix regression on master install
- pkinit enable: use local dogtag only if host has CA
- Resolves: #1788907 - Renewed certs are not picked up by IPA CAs
- Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit
- Resolves: #1780548 - Man page ipa-cacert-manage does not display correctly on RHEL
- ipa-cacert-manage man page: fix indentation
- Resolves: #1782587 - add 'systemctl restart sssd' to warning message when adding trust agents to replicas
- adtrust.py: mention restarting sssd when adding trust agents
- Resolves: #1771356 - Default client configuration breaks ssh in FIPS mode
- Use default ssh host key algorithms
- Resolves: #1755535 - ipa-advise on a RHEL7 IdM server is not able to generate a configuration script for a RHEL8 IdM client
- smartcard: make the ipa-advise script compatible with authselect/authconfig
- Resolves: #1758406 - KRA authentication fails when IPA CA has custom Subject DN
- upgrade: fix ipakra people entry 'description' attribute
- krainstance: set correct issuer DN in uid=ipakra entry
- Resolves: #1756568 - ipa-server-certinstall man page does not match built-in help
- ipa-server-certinstall manpage: add missing options
- Resolves: #1206690 - UPG not being enforced properly
- ipa user_add: do not check group if UPG is disabled
- Resolves: #1811982 - CVE-2018-14042 ipa: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip.
- Resolves: #1811978 - CVE-2018-14040 ipa: bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute
- Resolves: #1811972 - CVE-2016-10735 ipa: bootstrap: XSS in the data-target attribute
- Resolves: #1811969 - CVE-2018-20676 ipa: bootstrap: XSS in the tooltip data-viewport attribute
- Resolves: #1811966 - CVE-2018-20677 ipa: bootstrap: XSS in the affix configuration target property
- Resolves: #1811962 - CVE-2019-8331 ipa: bootstrap: XSS in the tooltip or popover data-template attribute
- Web UI: Upgrade Bootstrap version 3.3.7 -> 3.4.1
- Resolves: #1769791 - Invisible part of notification area in Web UI intercepts clicks of some page elements
- WebUI: Fix notification area layout
- Resolves: #1545755 - ipa-replica-prepare should not update pki admin password
- Fix indentation levels
- ipa-pwd-extop: use SLAPI_BIND_TARGET_SDN
- ipa-pwd-extop: don't check password policy for non-Kerberos account set by DM or a PassSync manager
- Don't save password history on non-Kerberos accounts
Package | Affected Version |
---|---|
pkg:rpm/oraclelinux/python2-ipaserver?distro=oraclelinux-7 | < 4.6.8-5.0.1.el7 |
pkg:rpm/oraclelinux/python2-ipalib?distro=oraclelinux-7 | < 4.6.8-5.0.1.el7 |
pkg:rpm/oraclelinux/python2-ipaclient?distro=oraclelinux-7 | < 4.6.8-5.0.1.el7 |
pkg:rpm/oraclelinux/ipa-server?distro=oraclelinux-7 | < 4.6.8-5.0.1.el7 |
pkg:rpm/oraclelinux/ipa-server-trust-ad?distro=oraclelinux-7 | < 4.6.8-5.0.1.el7 |
pkg:rpm/oraclelinux/ipa-server-dns?distro=oraclelinux-7 | < 4.6.8-5.0.1.el7 |
pkg:rpm/oraclelinux/ipa-server-common?distro=oraclelinux-7 | < 4.6.8-5.0.1.el7 |
pkg:rpm/oraclelinux/ipa-python-compat?distro=oraclelinux-7 | < 4.6.8-5.0.1.el7 |
pkg:rpm/oraclelinux/ipa-common?distro=oraclelinux-7 | < 4.6.8-5.0.1.el7 |
pkg:rpm/oraclelinux/ipa-client?distro=oraclelinux-7 | < 4.6.8-5.0.1.el7 |
pkg:rpm/oraclelinux/ipa-client-common?distro=oraclelinux-7 | < 4.6.8-5.0.1.el7 |
- ID: ELSA-2020-3936
- Severity: moderate
- URL: https://linux.oracle.com/errata/ELSA-2020-3936.html
- Published: 2020-10-06T00:00:00
- Modified: 2020-10-06T00:00:00
- Rights: Copyright 2020 Oracle, Inc.
- Other Advisories:
- ALAS-2020-1422
- ALAS2-2020-1519
- ALAS2-2023-1905
- ALPINE:CVE-2015-9251
- ALPINE:CVE-2019-11358
- ALPINE:CVE-2020-11022
- ALSA-2020:4670
- ALSA-2020:4847
- ASA-201906-2
- ASA-201910-4
- DSA-4434-1
- DSA-4460-1
- DSA-4693-1
- ELSA-2022-7343
- ELSA-2022-9177
- FEDORA-2019-040857fd75
- FEDORA-2019-1a3edd7e8a
- FEDORA-2019-2a0ce0c58c
- FEDORA-2019-41d6ffd6f0
- FEDORA-2019-5f1a2cc839
- FEDORA-2019-7eaf0bbe7c
- FEDORA-2019-84a50e34a9
- FEDORA-2019-a06dffab1c
- FEDORA-2019-eba8e44ee6
- FEDORA-2019-f563e66380
- FEDORA-2020-0b32a59b54
- FEDORA-2020-11be4b36d4
- FEDORA-2020-36d2db5f51
- FEDORA-2020-7dddce530c
- FEDORA-2020-8a15713da2
- FEDORA-2020-fbb94073a1
- FEDORA-2020-fe94df8c34
- FREEBSD:1FB13175-ED52-11EA-8B93-001B217B3468
- FREEBSD:3C5A4FE0-9EBB-11E9-9169-FCAA147E860E
- FREEBSD:416CA0F4-3FE0-11E9-BBDD-6805CA0B3D42
- FREEBSD:81FCC2F9-E15A-11E9-ABBF-800DD28B22BD
- FREEBSD:CD2DC126-CFE4-11EA-9172-4C72B94353B5
- FREEBSD:ED8D5535-CA78-11E9-980B-999FF59C22EA
- FREEBSD:FFC73E87-87F0-11E9-AD56-FCAA147E860E
- GLSA-202007-03
- MAVEN:GHSA-3MGP-FX93-9XV5
- MAVEN:GHSA-3WQF-4X89-9G79
- MAVEN:GHSA-4P24-VMCR-4GQJ
- MAVEN:GHSA-6C3J-C64M-QHGQ
- MAVEN:GHSA-7MVR-5X2G-WFC8
- MAVEN:GHSA-9V3M-8FP8-MJ99
- MAVEN:GHSA-GXR4-XJJ5-5PX2
- MAVEN:GHSA-PH58-4VRJ-W6HR
- MAVEN:GHSA-RMXG-73GG-4P98
- NPM:GHSA-3MGP-FX93-9XV5
- NPM:GHSA-3WQF-4X89-9G79
- NPM:GHSA-4P24-VMCR-4GQJ
- NPM:GHSA-6C3J-C64M-QHGQ
- NPM:GHSA-7MVR-5X2G-WFC8
- NPM:GHSA-9V3M-8FP8-MJ99
- NPM:GHSA-GXR4-XJJ5-5PX2
- NPM:GHSA-PH58-4VRJ-W6HR
- NPM:GHSA-RMXG-73GG-4P98
- openSUSE-SU-2019:1839-1
- openSUSE-SU-2019:1872-1
- openSUSE-SU-2020:0395-1
- openSUSE-SU-2020:1060-1
- openSUSE-SU-2020:1106-1
- openSUSE-SU-2020:1888-1
- RHSA-2020:3936
- RHSA-2020:4670
- RHSA-2020:4847
- RHSA-2021:4142
- RHSA-2022:7343
- RLSA-2020:4670
- RLSA-2020:4847
- RUBYSEC:BOOTSTRAP-2016-10735
- RUBYSEC:BOOTSTRAP-2018-14040
- RUBYSEC:BOOTSTRAP-2018-14042
- RUBYSEC:BOOTSTRAP-2018-20676
- RUBYSEC:BOOTSTRAP-2018-20677
- RUBYSEC:BOOTSTRAP-2019-8331
- RUBYSEC:BOOTSTRAP-SASS-2016-10735
- RUBYSEC:BOOTSTRAP-SASS-2018-14040
- RUBYSEC:BOOTSTRAP-SASS-2018-14042
- RUBYSEC:BOOTSTRAP-SASS-2018-20676
- RUBYSEC:BOOTSTRAP-SASS-2018-20677
- RUBYSEC:BOOTSTRAP-SASS-2019-8331
- RUBYSEC:JQUERY-RAILS-2015-9251
- RUBYSEC:JQUERY-RAILS-2019-11358
- RUBYSEC:JQUERY-RAILS-2020-11022
- RUBYSEC:TWITTER-BOOTSTRAP-RAILS-2019-8331
- SUSE-SU-2020:0737-1
- SUSE-SU-2020:2292-1
- SUSE-SU-2020:2373-1
- SUSE-SU-2020:2650-1
Source | ID | URL |
---|---|---|
elsa | ELSA-2020-3936 | https://linux.oracle.com/errata/ELSA-2020-3936.html |
CVE | CVE-2019-11358 | https://linux.oracle.com/cve/CVE-2019-11358.html |
CVE | CVE-2015-9251 | https://linux.oracle.com/cve/CVE-2015-9251.html |
CVE | CVE-2020-11022 | https://linux.oracle.com/cve/CVE-2020-11022.html |
CVE | CVE-2018-20677 | https://linux.oracle.com/cve/CVE-2018-20677.html |
CVE | CVE-2018-14042 | https://linux.oracle.com/cve/CVE-2018-14042.html |
CVE | CVE-2018-20676 | https://linux.oracle.com/cve/CVE-2018-20676.html |
CVE | CVE-2018-14040 | https://linux.oracle.com/cve/CVE-2018-14040.html |
CVE | CVE-2019-8331 | https://linux.oracle.com/cve/CVE-2019-8331.html |
CVE | CVE-2020-1722 | https://linux.oracle.com/cve/CVE-2020-1722.html |
CVE | CVE-2016-10735 | https://linux.oracle.com/cve/CVE-2016-10735.html |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:rpm/oraclelinux/python2-ipaserver?distro=oraclelinux-7 | oraclelinux | python2-ipaserver | < 4.6.8-5.0.1.el7 | oraclelinux-7 | ||
Affected | pkg:rpm/oraclelinux/python2-ipalib?distro=oraclelinux-7 | oraclelinux | python2-ipalib | < 4.6.8-5.0.1.el7 | oraclelinux-7 | ||
Affected | pkg:rpm/oraclelinux/python2-ipaclient?distro=oraclelinux-7 | oraclelinux | python2-ipaclient | < 4.6.8-5.0.1.el7 | oraclelinux-7 | ||
Affected | pkg:rpm/oraclelinux/ipa-server?distro=oraclelinux-7 | oraclelinux | ipa-server | < 4.6.8-5.0.1.el7 | oraclelinux-7 | ||
Affected | pkg:rpm/oraclelinux/ipa-server-trust-ad?distro=oraclelinux-7 | oraclelinux | ipa-server-trust-ad | < 4.6.8-5.0.1.el7 | oraclelinux-7 | ||
Affected | pkg:rpm/oraclelinux/ipa-server-dns?distro=oraclelinux-7 | oraclelinux | ipa-server-dns | < 4.6.8-5.0.1.el7 | oraclelinux-7 | ||
Affected | pkg:rpm/oraclelinux/ipa-server-common?distro=oraclelinux-7 | oraclelinux | ipa-server-common | < 4.6.8-5.0.1.el7 | oraclelinux-7 | ||
Affected | pkg:rpm/oraclelinux/ipa-python-compat?distro=oraclelinux-7 | oraclelinux | ipa-python-compat | < 4.6.8-5.0.1.el7 | oraclelinux-7 | ||
Affected | pkg:rpm/oraclelinux/ipa-common?distro=oraclelinux-7 | oraclelinux | ipa-common | < 4.6.8-5.0.1.el7 | oraclelinux-7 | ||
Affected | pkg:rpm/oraclelinux/ipa-client?distro=oraclelinux-7 | oraclelinux | ipa-client | < 4.6.8-5.0.1.el7 | oraclelinux-7 | ||
Affected | pkg:rpm/oraclelinux/ipa-client-common?distro=oraclelinux-7 | oraclelinux | ipa-client-common | < 4.6.8-5.0.1.el7 | oraclelinux-7 | ||