RedHat: RHSA-2020-3936:01 Moderate: ipa security, bug fix,
Summary
Red Hat Identity Management (IdM) is a centralized authentication, identity
management, and authorization solution for both traditional and cloud-based
enterprise environments.
The following packages have been upgraded to a later upstream version: ipa
(4.6.8). (BZ#1819725)
Security Fix(es):
* js-jquery: Cross-site scripting via cross-domain ajax requests
(CVE-2015-9251)
* bootstrap: XSS in the data-target attribute (CVE-2016-10735)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent
attribute (CVE-2018-14040)
* bootstrap: Cross-site Scripting (XSS) in the data-container property of
tooltip. (CVE-2018-14042)
* bootstrap: XSS in the tooltip data-viewport attribute (CVE-2018-20676)
* bootstrap: XSS in the affix configuration target property
(CVE-2018-20677)
* bootstrap: XSS in the tooltip or popover data-template attribute
(CVE-2019-8331)
* js-jquery: prototype pollution in object's prototype leading to denial of
service or remote code execution or property injection (CVE-2019-11358)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter
method (CVE-2020-11022)
* ipa: No password length restriction leads to denial of service
(CVE-2020-1722)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.9 Release Notes linked from the References section.
Summary
Solution
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
References
https://access.redhat.com/security/cve/CVE-2015-9251 https://access.redhat.com/security/cve/CVE-2016-10735 https://access.redhat.com/security/cve/CVE-2018-14040 https://access.redhat.com/security/cve/CVE-2018-14042 https://access.redhat.com/security/cve/CVE-2018-20676 https://access.redhat.com/security/cve/CVE-2018-20677 https://access.redhat.com/security/cve/CVE-2019-8331 https://access.redhat.com/security/cve/CVE-2019-11358 https://access.redhat.com/security/cve/CVE-2020-1722 https://access.redhat.com/security/cve/CVE-2020-11022 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index
Package List
Red Hat Enterprise Linux Client (v. 7):
Source:
ipa-4.6.8-5.el7.src.rpm
noarch:
ipa-client-common-4.6.8-5.el7.noarch.rpm
ipa-common-4.6.8-5.el7.noarch.rpm
ipa-python-compat-4.6.8-5.el7.noarch.rpm
python2-ipaclient-4.6.8-5.el7.noarch.rpm
python2-ipalib-4.6.8-5.el7.noarch.rpm
x86_64:
ipa-client-4.6.8-5.el7.x86_64.rpm
ipa-debuginfo-4.6.8-5.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
noarch:
ipa-server-common-4.6.8-5.el7.noarch.rpm
ipa-server-dns-4.6.8-5.el7.noarch.rpm
python2-ipaserver-4.6.8-5.el7.noarch.rpm
x86_64:
ipa-debuginfo-4.6.8-5.el7.x86_64.rpm
ipa-server-4.6.8-5.el7.x86_64.rpm
ipa-server-trust-ad-4.6.8-5.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
ipa-4.6.8-5.el7.src.rpm
noarch:
ipa-client-common-4.6.8-5.el7.noarch.rpm
ipa-common-4.6.8-5.el7.noarch.rpm
ipa-python-compat-4.6.8-5.el7.noarch.rpm
python2-ipaclient-4.6.8-5.el7.noarch.rpm
python2-ipalib-4.6.8-5.el7.noarch.rpm
x86_64:
ipa-client-4.6.8-5.el7.x86_64.rpm
ipa-debuginfo-4.6.8-5.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
noarch:
ipa-server-common-4.6.8-5.el7.noarch.rpm
ipa-server-dns-4.6.8-5.el7.noarch.rpm
python2-ipaserver-4.6.8-5.el7.noarch.rpm
x86_64:
ipa-debuginfo-4.6.8-5.el7.x86_64.rpm
ipa-server-4.6.8-5.el7.x86_64.rpm
ipa-server-trust-ad-4.6.8-5.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
ipa-4.6.8-5.el7.src.rpm
noarch:
ipa-client-common-4.6.8-5.el7.noarch.rpm
ipa-common-4.6.8-5.el7.noarch.rpm
ipa-python-compat-4.6.8-5.el7.noarch.rpm
ipa-server-common-4.6.8-5.el7.noarch.rpm
ipa-server-dns-4.6.8-5.el7.noarch.rpm
python2-ipaclient-4.6.8-5.el7.noarch.rpm
python2-ipalib-4.6.8-5.el7.noarch.rpm
python2-ipaserver-4.6.8-5.el7.noarch.rpm
ppc64:
ipa-client-4.6.8-5.el7.ppc64.rpm
ipa-debuginfo-4.6.8-5.el7.ppc64.rpm
ppc64le:
ipa-client-4.6.8-5.el7.ppc64le.rpm
ipa-debuginfo-4.6.8-5.el7.ppc64le.rpm
s390x:
ipa-client-4.6.8-5.el7.s390x.rpm
ipa-debuginfo-4.6.8-5.el7.s390x.rpm
x86_64:
ipa-client-4.6.8-5.el7.x86_64.rpm
ipa-debuginfo-4.6.8-5.el7.x86_64.rpm
ipa-server-4.6.8-5.el7.x86_64.rpm
ipa-server-trust-ad-4.6.8-5.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
ipa-4.6.8-5.el7.src.rpm
noarch:
ipa-client-common-4.6.8-5.el7.noarch.rpm
ipa-common-4.6.8-5.el7.noarch.rpm
ipa-python-compat-4.6.8-5.el7.noarch.rpm
ipa-server-common-4.6.8-5.el7.noarch.rpm
ipa-server-dns-4.6.8-5.el7.noarch.rpm
python2-ipaclient-4.6.8-5.el7.noarch.rpm
python2-ipalib-4.6.8-5.el7.noarch.rpm
python2-ipaserver-4.6.8-5.el7.noarch.rpm
x86_64:
ipa-client-4.6.8-5.el7.x86_64.rpm
ipa-debuginfo-4.6.8-5.el7.x86_64.rpm
ipa-server-4.6.8-5.el7.x86_64.rpm
ipa-server-trust-ad-4.6.8-5.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
Topic
An update for ipa is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Topic
Relevant Releases Architectures
Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
Bugs Fixed
1399546 - CVE-2015-9251 js-jquery: Cross-site scripting via cross-domain ajax requests
1404770 - ID Views: do not allow custom Views for the masters1545755 - ipa-replica-prepare should not update pki admin password.
1601614 - CVE-2018-14040 bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute
1601617 - CVE-2018-14042 bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip.
1668082 - CVE-2018-20676 bootstrap: XSS in the tooltip data-viewport attribute
1668089 - CVE-2018-20677 bootstrap: XSS in the affix configuration target property
1668097 - CVE-2016-10735 bootstrap: XSS in the data-target attribute
1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute
1701972 - CVE-2019-11358 js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection
1754902 - Running ipa-server-install fails when RHEL 7.7 packages are installed on RHEL 7.6
1755535 - ipa-advise on a RHEL7 IdM server is not able to generate a configuration script for a RHEL8 IdM client
1756568 - ipa-server-certinstall man page does not match built-in help.
1758406 - KRA authentication fails when IPA CA has custom Subject DN
1769791 - Invisible part of notification area in Web UI intercepts clicks of some page elements
1771356 - Default client configuration breaks ssh in FIPS mode.
1780548 - Man page ipa-cacert-manage does not display correctly on RHEL
1782587 - add "systemctl restart sssd" to warning message when adding trust agents to replicas
1788718 - ipa-server-install incorrectly setting slew mode (-x) when setting up ntpd
1788907 - Renewed certs are not picked up by IPA CAs
1793071 - CVE-2020-1722 ipa: No password length restriction leads to denial of service
1795890 - ipa-pkinit-manage enable fails on replica if it doesn't host the CA
1801791 - Compatibility Schema difference in functionality for systems following RHEL 7.5 -> 7.6 upgrade path as opposed to new RHEL 7.6 systems
1817886 - ipa group-add-member: prevent adding IPA objects as external members1817918 - Secure tomcat AJP connector
1817919 - Enable compat tree to provide information about AD users and groups on trust agents
1817922 - covscan memory leaks report
1817923 - IPA upgrade is failing with error "Failed to get request: bus, object_path and dbus_interface must not be None."
1817927 - host-add --password logs cleartext userpassword to Apache error log
1819725 - Rebase IPA to latest 4.6.x version
1825829 - ipa-advise on a RHEL7 IdM server generate a configuration script for client having hardcoded python3
1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
1829787 - ipa service-del deletes the required principal when specified in lower/upper case
1834385 - Man page syntax issue detected by rpminspect
1842950 - ipa-adtrust-install fails when replica is offline