-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update
Advisory ID:       RHSA-2021:1846-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:1846
Issue date:        2021-05-18
CVE Names:         CVE-2020-11023 
====================================================================
1. Summary:

An update for the idm:DL1 and idm:client modules is now available for Red
Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Red Hat Identity Management (IdM) is a centralized authentication, identity
management, and authorization solution for both traditional and cloud-based
enterprise environments. 

Security Fix(es):

* jquery: Passing HTML containing 

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

5. References:

https://access.redhat.com/security/cve/CVE-2020-11023
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.4_release_notes/

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):
Source:
bind-dyndb-ldap-11.6-2.module+el8.4.0+9328+4ec4e316.src.rpm
custodia-0.6.0-3.module+el8.1.0+4098+f286395e.src.rpm
ipa-4.9.2-3.module+el8.4.0+10412+5ecb5b37.src.rpm
ipa-4.9.2-3.module+el8.4.0+10413+a92f1bfa.src.rpm
ipa-healthcheck-0.7-3.module+el8.4.0+9007+5084bdd8.src.rpm
ipa-healthcheck-0.7-3.module+el8.4.0+9008+94c5103b.src.rpm
opendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8.src.rpm
python-jwcrypto-0.5.0-1.module+el8.1.0+4098+f286395e.src.rpm
python-jwcrypto-0.5.0-1.module+el8.1.0+4107+4a66eb87.src.rpm
python-kdcproxy-0.4-5.module+el8.2.0+4691+a05b2456.src.rpm
python-qrcode-5.1-12.module+el8.1.0+4098+f286395e.src.rpm
python-qrcode-5.1-12.module+el8.1.0+4107+4a66eb87.src.rpm
python-yubico-1.3.2-9.module+el8.1.0+4098+f286395e.src.rpm
python-yubico-1.3.2-9.module+el8.1.0+4107+4a66eb87.src.rpm
pyusb-1.0.0-9.module+el8.1.0+4098+f286395e.src.rpm
pyusb-1.0.0-9.module+el8.1.0+4107+4a66eb87.src.rpm
slapi-nis-0.56.6-1.module+el8.4.0+9005+f55ff3e7.src.rpm
softhsm-2.6.0-5.module+el8.4.0+10227+076cd560.src.rpm

aarch64:
bind-dyndb-ldap-11.6-2.module+el8.4.0+9328+4ec4e316.aarch64.rpm
bind-dyndb-ldap-debuginfo-11.6-2.module+el8.4.0+9328+4ec4e316.aarch64.rpm
bind-dyndb-ldap-debugsource-11.6-2.module+el8.4.0+9328+4ec4e316.aarch64.rpm
ipa-client-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpm
ipa-client-4.9.2-3.module+el8.4.0+10413+a92f1bfa.aarch64.rpm
ipa-client-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpm
ipa-client-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.aarch64.rpm
ipa-client-epn-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpm
ipa-client-epn-4.9.2-3.module+el8.4.0+10413+a92f1bfa.aarch64.rpm
ipa-client-samba-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpm
ipa-client-samba-4.9.2-3.module+el8.4.0+10413+a92f1bfa.aarch64.rpm
ipa-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpm
ipa-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.aarch64.rpm
ipa-debugsource-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpm
ipa-debugsource-4.9.2-3.module+el8.4.0+10413+a92f1bfa.aarch64.rpm
ipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpm
ipa-server-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpm
ipa-server-trust-ad-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpm
ipa-server-trust-ad-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpm
opendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8.aarch64.rpm
opendnssec-debuginfo-2.1.7-1.module+el8.4.0+9007+5084bdd8.aarch64.rpm
opendnssec-debugsource-2.1.7-1.module+el8.4.0+9007+5084bdd8.aarch64.rpm
slapi-nis-0.56.6-1.module+el8.4.0+9005+f55ff3e7.aarch64.rpm
slapi-nis-debuginfo-0.56.6-1.module+el8.4.0+9005+f55ff3e7.aarch64.rpm
slapi-nis-debugsource-0.56.6-1.module+el8.4.0+9005+f55ff3e7.aarch64.rpm
softhsm-2.6.0-5.module+el8.4.0+10227+076cd560.aarch64.rpm
softhsm-debuginfo-2.6.0-5.module+el8.4.0+10227+076cd560.aarch64.rpm
softhsm-debugsource-2.6.0-5.module+el8.4.0+10227+076cd560.aarch64.rpm
softhsm-devel-2.6.0-5.module+el8.4.0+10227+076cd560.aarch64.rpm

noarch:
custodia-0.6.0-3.module+el8.1.0+4098+f286395e.noarch.rpm
ipa-client-common-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpm
ipa-client-common-4.9.2-3.module+el8.4.0+10413+a92f1bfa.noarch.rpm
ipa-common-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpm
ipa-common-4.9.2-3.module+el8.4.0+10413+a92f1bfa.noarch.rpm
ipa-healthcheck-0.7-3.module+el8.4.0+9007+5084bdd8.noarch.rpm
ipa-healthcheck-core-0.7-3.module+el8.4.0+9007+5084bdd8.noarch.rpm
ipa-healthcheck-core-0.7-3.module+el8.4.0+9008+94c5103b.noarch.rpm
ipa-python-compat-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpm
ipa-python-compat-4.9.2-3.module+el8.4.0+10413+a92f1bfa.noarch.rpm
ipa-selinux-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpm
ipa-selinux-4.9.2-3.module+el8.4.0+10413+a92f1bfa.noarch.rpm
ipa-server-common-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpm
ipa-server-dns-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpm
python3-custodia-0.6.0-3.module+el8.1.0+4098+f286395e.noarch.rpm
python3-ipaclient-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpm
python3-ipaclient-4.9.2-3.module+el8.4.0+10413+a92f1bfa.noarch.rpm
python3-ipalib-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpm
python3-ipalib-4.9.2-3.module+el8.4.0+10413+a92f1bfa.noarch.rpm
python3-ipaserver-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpm
python3-ipatests-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpm
python3-jwcrypto-0.5.0-1.module+el8.1.0+4098+f286395e.noarch.rpm
python3-jwcrypto-0.5.0-1.module+el8.1.0+4107+4a66eb87.noarch.rpm
python3-kdcproxy-0.4-5.module+el8.2.0+4691+a05b2456.noarch.rpm
python3-pyusb-1.0.0-9.module+el8.1.0+4098+f286395e.noarch.rpm
python3-pyusb-1.0.0-9.module+el8.1.0+4107+4a66eb87.noarch.rpm
python3-qrcode-5.1-12.module+el8.1.0+4098+f286395e.noarch.rpm
python3-qrcode-5.1-12.module+el8.1.0+4107+4a66eb87.noarch.rpm
python3-qrcode-core-5.1-12.module+el8.1.0+4098+f286395e.noarch.rpm
python3-qrcode-core-5.1-12.module+el8.1.0+4107+4a66eb87.noarch.rpm
python3-yubico-1.3.2-9.module+el8.1.0+4098+f286395e.noarch.rpm
python3-yubico-1.3.2-9.module+el8.1.0+4107+4a66eb87.noarch.rpm

ppc64le:
bind-dyndb-ldap-11.6-2.module+el8.4.0+9328+4ec4e316.ppc64le.rpm
bind-dyndb-ldap-debuginfo-11.6-2.module+el8.4.0+9328+4ec4e316.ppc64le.rpm
bind-dyndb-ldap-debugsource-11.6-2.module+el8.4.0+9328+4ec4e316.ppc64le.rpm
ipa-client-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpm
ipa-client-4.9.2-3.module+el8.4.0+10413+a92f1bfa.ppc64le.rpm
ipa-client-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpm
ipa-client-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.ppc64le.rpm
ipa-client-epn-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpm
ipa-client-epn-4.9.2-3.module+el8.4.0+10413+a92f1bfa.ppc64le.rpm
ipa-client-samba-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpm
ipa-client-samba-4.9.2-3.module+el8.4.0+10413+a92f1bfa.ppc64le.rpm
ipa-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpm
ipa-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.ppc64le.rpm
ipa-debugsource-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpm
ipa-debugsource-4.9.2-3.module+el8.4.0+10413+a92f1bfa.ppc64le.rpm
ipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpm
ipa-server-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpm
ipa-server-trust-ad-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpm
ipa-server-trust-ad-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpm
opendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8.ppc64le.rpm
opendnssec-debuginfo-2.1.7-1.module+el8.4.0+9007+5084bdd8.ppc64le.rpm
opendnssec-debugsource-2.1.7-1.module+el8.4.0+9007+5084bdd8.ppc64le.rpm
slapi-nis-0.56.6-1.module+el8.4.0+9005+f55ff3e7.ppc64le.rpm
slapi-nis-debuginfo-0.56.6-1.module+el8.4.0+9005+f55ff3e7.ppc64le.rpm
slapi-nis-debugsource-0.56.6-1.module+el8.4.0+9005+f55ff3e7.ppc64le.rpm
softhsm-2.6.0-5.module+el8.4.0+10227+076cd560.ppc64le.rpm
softhsm-debuginfo-2.6.0-5.module+el8.4.0+10227+076cd560.ppc64le.rpm
softhsm-debugsource-2.6.0-5.module+el8.4.0+10227+076cd560.ppc64le.rpm
softhsm-devel-2.6.0-5.module+el8.4.0+10227+076cd560.ppc64le.rpm

s390x:
bind-dyndb-ldap-11.6-2.module+el8.4.0+9328+4ec4e316.s390x.rpm
bind-dyndb-ldap-debuginfo-11.6-2.module+el8.4.0+9328+4ec4e316.s390x.rpm
bind-dyndb-ldap-debugsource-11.6-2.module+el8.4.0+9328+4ec4e316.s390x.rpm
ipa-client-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpm
ipa-client-4.9.2-3.module+el8.4.0+10413+a92f1bfa.s390x.rpm
ipa-client-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpm
ipa-client-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.s390x.rpm
ipa-client-epn-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpm
ipa-client-epn-4.9.2-3.module+el8.4.0+10413+a92f1bfa.s390x.rpm
ipa-client-samba-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpm
ipa-client-samba-4.9.2-3.module+el8.4.0+10413+a92f1bfa.s390x.rpm
ipa-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpm
ipa-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.s390x.rpm
ipa-debugsource-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpm
ipa-debugsource-4.9.2-3.module+el8.4.0+10413+a92f1bfa.s390x.rpm
ipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpm
ipa-server-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpm
ipa-server-trust-ad-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpm
ipa-server-trust-ad-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpm
opendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8.s390x.rpm
opendnssec-debuginfo-2.1.7-1.module+el8.4.0+9007+5084bdd8.s390x.rpm
opendnssec-debugsource-2.1.7-1.module+el8.4.0+9007+5084bdd8.s390x.rpm
slapi-nis-0.56.6-1.module+el8.4.0+9005+f55ff3e7.s390x.rpm
slapi-nis-debuginfo-0.56.6-1.module+el8.4.0+9005+f55ff3e7.s390x.rpm
slapi-nis-debugsource-0.56.6-1.module+el8.4.0+9005+f55ff3e7.s390x.rpm
softhsm-2.6.0-5.module+el8.4.0+10227+076cd560.s390x.rpm
softhsm-debuginfo-2.6.0-5.module+el8.4.0+10227+076cd560.s390x.rpm
softhsm-debugsource-2.6.0-5.module+el8.4.0+10227+076cd560.s390x.rpm
softhsm-devel-2.6.0-5.module+el8.4.0+10227+076cd560.s390x.rpm

x86_64:
bind-dyndb-ldap-11.6-2.module+el8.4.0+9328+4ec4e316.x86_64.rpm
bind-dyndb-ldap-debuginfo-11.6-2.module+el8.4.0+9328+4ec4e316.x86_64.rpm
bind-dyndb-ldap-debugsource-11.6-2.module+el8.4.0+9328+4ec4e316.x86_64.rpm
ipa-client-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpm
ipa-client-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64.rpm
ipa-client-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpm
ipa-client-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64.rpm
ipa-client-epn-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpm
ipa-client-epn-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64.rpm
ipa-client-samba-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpm
ipa-client-samba-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64.rpm
ipa-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpm
ipa-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64.rpm
ipa-debugsource-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpm
ipa-debugsource-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64.rpm
ipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpm
ipa-server-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpm
ipa-server-trust-ad-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpm
ipa-server-trust-ad-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpm
opendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8.x86_64.rpm
opendnssec-debuginfo-2.1.7-1.module+el8.4.0+9007+5084bdd8.x86_64.rpm
opendnssec-debugsource-2.1.7-1.module+el8.4.0+9007+5084bdd8.x86_64.rpm
slapi-nis-0.56.6-1.module+el8.4.0+9005+f55ff3e7.x86_64.rpm
slapi-nis-debuginfo-0.56.6-1.module+el8.4.0+9005+f55ff3e7.x86_64.rpm
slapi-nis-debugsource-0.56.6-1.module+el8.4.0+9005+f55ff3e7.x86_64.rpm
softhsm-2.6.0-5.module+el8.4.0+10227+076cd560.x86_64.rpm
softhsm-debuginfo-2.6.0-5.module+el8.4.0+10227+076cd560.x86_64.rpm
softhsm-debugsource-2.6.0-5.module+el8.4.0+10227+076cd560.x86_64.rpm
softhsm-devel-2.6.0-5.module+el8.4.0+10227+076cd560.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
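A practical follow-up to a package list like the one above is to check which hosts still carry a pre-fix build. The script below is an added example, not Red Hat tooling and not part of this advisory: it parses N-V-R.A strings from the advisory, parses the output of `rpm -qa` on a host, and reports each listed package as fixed, vulnerable or not installed. Two details matter for this advisory specifically: the same package appears twice (module contexts `10412+5ecb5b37` for idm:DL1 and `10413+a92f1bfa` for idm:client), so an installed build is accepted if it is at or above any listed build; and version ordering follows rpm's segment-wise rules, reimplemented here in simplified form (the `~` and `^` rules of the real rpmvercmp are omitted, which is an assumption that holds for the strings on this page). The advisory subset is copied from the x86_64 list; the installed list is constructed sample data, with obviously fake `0000+00000000` contexts for the old builds.

```python
"""Check installed RPMs against an advisory package list (added example)."""
import re

# Subset of this advisory's x86_64 package list, copied from the page.
ADVISORY_PACKAGES = """
bind-dyndb-ldap-11.6-2.module+el8.4.0+9328+4ec4e316.x86_64.rpm
ipa-client-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpm
ipa-client-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64.rpm
ipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpm
slapi-nis-0.56.6-1.module+el8.4.0+9005+f55ff3e7.x86_64.rpm
softhsm-2.6.0-5.module+el8.4.0+10227+076cd560.x86_64.rpm
""".split()

# Constructed sample of what
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
# might print on a host; the 0000+00000000 builds are placeholders, not real NVRs.
INSTALLED = """
ipa-client-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64
ipa-server-4.8.7-1.module+el8.3.0+0000+00000000.x86_64
slapi-nis-0.56.6-2.module+el8.4.0+0000+00000000.x86_64
softhsm-2.6.0-5.module+el8.4.0+10227+076cd560.x86_64
""".split()

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm version/release comparison: -1, 0 or 1.

    Strings are split into digit runs and letter runs; separators are ignored.
    Segments compare numerically when both are numeric, a numeric segment beats
    an alphabetic one, and when one string runs out the longer one is newer.
    Assumption: the '~' (pre-release) and '^' rules of rpm are not modelled.
    """
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def parse_nvra(pkg: str):
    """Split 'name-version-release.arch[.rpm]' into (name, version, release, arch).

    Epoch is not part of rpm file names, so it is not handled here.
    """
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    nvr, _, arch = pkg.rpartition(".")
    nv, _, release = nvr.rpartition("-")
    name, _, version = nv.rpartition("-")
    if not (name and version and release and arch):
        raise ValueError(f"not an N-V-R.A string: {pkg!r}")
    return name, version, release, arch


def _vr_cmp(x, y) -> int:
    """Compare (version, release) pairs: version first, then release."""
    c = rpmvercmp(x[0], y[0])
    return c if c else rpmvercmp(x[1], y[1])


def advisory_status(installed, advisory) -> dict:
    """Map 'name.arch' to 'fixed', 'vulnerable' or 'not installed'.

    A package listed in several module contexts counts as fixed when the
    installed build is at or above any one of the listed builds.
    """
    fixed = {}
    for pkg in advisory:
        n, v, r, a = parse_nvra(pkg)
        fixed.setdefault((n, a), []).append((v, r))
    have = {}
    for pkg in installed:
        n, v, r, a = parse_nvra(pkg)
        have[(n, a)] = (v, r)
    result = {}
    for (n, a), builds in fixed.items():
        cur = have.get((n, a))
        if cur is None:
            result[f"{n}.{a}"] = "not installed"
        elif any(_vr_cmp(cur, b) >= 0 for b in builds):
            result[f"{n}.{a}"] = "fixed"
        else:
            result[f"{n}.{a}"] = "vulnerable"
    return result


if __name__ == "__main__":
    for key, state in advisory_status(INSTALLED, ADVISORY_PACKAGES).items():
        print(f"{key:28} {state}")
```

On a real host, replace `INSTALLED` with the lines from the `rpm -qa` query shown in the comment and paste the full architecture list from the advisory into `ADVISORY_PACKAGES`; anything reported as vulnerable is still on a build older than the ones this advisory ships.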

7. Bugs Fixed:

871208 - ipa sudorule-add-user should accept external users

1340463 - [RFE] Implement pam_pwquality featureset in IPA password policies

1357495 - ipa command provides stack trace when provided with single hypen commands

1484088 - [RFE]: Able to browse different links from IPA web gui in new tabs

1542737 - Incorrect certs are being updated with "ipa-certupdate"

1544379 - ipa-client-install changes system wide ssh configuration

1660877 - kinit is failing due to overflow in Root CA certificate's timestamp

1779981 - ipa-cert-fix warning message should use commercial name for the product.

1780328 - ipa-healthcheck - Mention that the default output format is JSON.

1780510 - Source 'ipahealthcheck.ipa.topology' not found is displayed when ipactl service is stopped

1780782 - ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg

1784657 - Unlock user accounts after a password reset and replicate that unlock to all IdM servers

1809215 - Man page has incorrect examples; log location for healthcheck tool

1810148 - ipa-server-certinstall raises exception when installing IPA-issued web server cert

1812871 - Intermittent IdM Client Registration Failures

1824193 - Add Directory Server Healthchecks from lib389

1850004 - CVE-2020-11023 jquery: Passing HTML containing

1851835 - [RFE] IdM short-term certificates ACME provider

1857272 - negative option for token.mechanism not working correctly

1860129 - ipa trust-add fails when FIPS enabled

1866558 - ipa-healthcheck --input-file returns 1 on exit

1872603 - KRA Transport and Storage Certificates do not renew

1875001 - It is not possible to edit KDC database when the FreeIPA server is running

1882340 - nsslapd-db-locks patching no longer works

1891056 - ipa-kdb: support subordinate/superior UPN suffixes

1891505 - ipa-healthcheck returns msg": "{sssctl} {key} reports mismatch: sssd domains {sssd_domains} trust domains {trust_domains}"

1891735 - [Rebase] Rebase bind-dyndb-ldap to the recent upstream release

1891741 - [Rebase] Rebase slapi-nis to recent upstream release

1891832 - [Rebase] Rebase FreeIPA to a recent upstream release

1891850 - [Rebase] Rebase ipa-healthcheck to 0.7 upstream release

1894800 - IPA WebUI inaccessible after upgrading to RHEL 8.3.- idoverride-memberof.js missing

1901068 - Traceback while doing ipa-backup

1902173 - Uninstallation of IPA server with KRA installed displays 'ERROR: subprocess.CalledProcessError:'

1902727 - ipa-acme-manage enable fails after upgrade

1903025 - test failure in test_acme.py::TestACME::test_third_party_certs

1904484 - [Rebase] Rebase opendnssec to 2.1.7

1904612 - bind-dyndb-ldap: Rebased bind modifies so versions

1905919 - ipa-server-upgrade fails with traceback "exception: KeyError: 'DOMAIN'"

1909876 - ipa uninstall fails when dns not installed

1912845 - ipa-certupdate drops profile from the caSigningCert tracking

1922955 - Resubmitting KDC cert fails with internal server error

1923900 - Samba on IdM member failure

1924026 - Fix upstream test test_trust.py::test_subordinate_suffix

1924501 - ipa-client-install: Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 7

1924812 - Fix upstream test test_smb.py::TestSMB::test_authentication_with_smb_cifs_principal_alias

1925410 - Cannot delete sudocmd with typo error e.g. "/usr/sbin/reboot."

1926699 - avc denial for gpg-agent with systemd-run

1926910 - ipa cert-remove-hold returns an incorrect error message

1928900 - Support new baseURL config option for ACME

1930426 - IPA krb5kdc crash possible doublefree ipadb_mspac_struct_free finish_process_as_req

1932289 - Sync ipatests from upstream to RHEL packages for FreeIPA 4.9 branch

1939371 - ipa-client-install displays false message 'sudo binary does not seem to be present on this system'
