-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update
Advisory ID: RHSA-2021:1846-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:1846
Issue date: 2021-05-18
CVE Names: CVE-2020-11023
=====================================================================
1. Summary:
An update for the idm:DL1 and idm:client modules is now available for Red
Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64
3. Description:
Red Hat Identity Management (IdM) is a centralized authentication, identity
management, and authorization solution for both traditional and cloud-based
enterprise environments.
Security Fix(es):
* jquery: Passing HTML containing RedHat: RHSA-2021-1846:01 Moderate: idm:DL1 and idm:client security, bug fix,
An update for the idm:DL1 and idm:client modules is now available for Red Hat Enterprise Linux 8
Summary
Red Hat Identity Management (IdM) is a centralized authentication, identity
management, and authorization solution for both traditional and cloud-based
enterprise environments.
Security Fix(es):
* jquery: Passing HTML containing
Solution
For details on how to apply this update, which includes the changesdescribed in this advisory, refer to:https://access.redhat.com/articles/11258
References
https://access.redhat.com/security/cve/CVE-2020-11023
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.4_release_notes/
Package List
Red Hat Enterprise Linux AppStream (v. 8):Source:bind-dyndb-ldap-11.6-2.module+el8.4.0+9328+4ec4e316.src.rpmcustodia-0.6.0-3.module+el8.1.0+4098+f286395e.src.rpmipa-4.9.2-3.module+el8.4.0+10412+5ecb5b37.src.rpmipa-4.9.2-3.module+el8.4.0+10413+a92f1bfa.src.rpmipa-healthcheck-0.7-3.module+el8.4.0+9007+5084bdd8.src.rpmipa-healthcheck-0.7-3.module+el8.4.0+9008+94c5103b.src.rpmopendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8.src.rpmpython-jwcrypto-0.5.0-1.module+el8.1.0+4098+f286395e.src.rpmpython-jwcrypto-0.5.0-1.module+el8.1.0+4107+4a66eb87.src.rpmpython-kdcproxy-0.4-5.module+el8.2.0+4691+a05b2456.src.rpmpython-qrcode-5.1-12.module+el8.1.0+4098+f286395e.src.rpmpython-qrcode-5.1-12.module+el8.1.0+4107+4a66eb87.src.rpmpython-yubico-1.3.2-9.module+el8.1.0+4098+f286395e.src.rpmpython-yubico-1.3.2-9.module+el8.1.0+4107+4a66eb87.src.rpmpyusb-1.0.0-9.module+el8.1.0+4098+f286395e.src.rpmpyusb-1.0.0-9.module+el8.1.0+4107+4a66eb87.src.rpmslapi-nis-0.56.6-1.module+el8.4.0+9005+f55ff3e7.src.rpmsofthsm-2.6.0-5.module+el8.4.0+10227+076cd560.src.rpmaarch64:bind-dyndb-ldap-11.6-2.module+el8.4.0+9328+4ec4e316.aarch64.rpmbind-dyndb-ldap-debuginfo-11.6-2.module+el8.4.0+9328+4ec4e316.aarch64.rpmbind-dyndb-ldap-debugsource-11.6-2.module+el8.4.0+9328+4ec4e316.aarch64.rpmipa-client-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpmipa-client-4.9.2-3.module+el8.4.0+10413+a92f1bfa.aarch64.rpmipa-client-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpmipa-client-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.aarch64.rpmipa-client-epn-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpmipa-client-epn-4.9.2-3.module+el8.4.0+10413+a92f1bfa.aarch64.rpmipa-client-samba-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpmipa-client-samba-4.9.2-3.module+el8.4.0+10413+a92f1bfa.aarch64.rpmipa-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpmipa-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.aarch64.rpmipa-debugsource-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpmipa-debugsource-4.9.2-3.module+el8.4.0+10413+a92f1bfa.aarch64.rpmipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpmipa-server-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpmipa-server-trust-ad-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpmipa-server-trust-ad-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpmopendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8.aarch64.rpmopendnssec-debuginfo-2.1.7-1.module+el8.4.0+9007+5084bdd8.aarch64.rpmopendnssec-debugsource-2.1.7-1.module+el8.4.0+9007+5084bdd8.aarch64.rpmslapi-nis-0.56.6-1.module+el8.4.0+9005+f55ff3e7.aarch64.rpmslapi-nis-debuginfo-0.56.6-1.module+el8.4.0+9005+f55ff3e7.aarch64.rpmslapi-nis-debugsource-0.56.6-1.module+el8.4.0+9005+f55ff3e7.aarch64.rpmsofthsm-2.6.0-5.module+el8.4.0+10227+076cd560.aarch64.rpmsofthsm-debuginfo-2.6.0-5.module+el8.4.0+10227+076cd560.aarch64.rpmsofthsm-debugsource-2.6.0-5.module+el8.4.0+10227+076cd560.aarch64.rpmsofthsm-devel-2.6.0-5.module+el8.4.0+10227+076cd560.aarch64.rpmnoarch:custodia-0.6.0-3.module+el8.1.0+4098+f286395e.noarch.rpmipa-client-common-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpmipa-client-common-4.9.2-3.module+el8.4.0+10413+a92f1bfa.noarch.rpmipa-common-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpmipa-common-4.9.2-3.module+el8.4.0+10413+a92f1bfa.noarch.rpmipa-healthcheck-0.7-3.module+el8.4.0+9007+5084bdd8.noarch.rpmipa-healthcheck-core-0.7-3.module+el8.4.0+9007+5084bdd8.noarch.rpmipa-healthcheck-core-0.7-3.module+el8.4.0+9008+94c5103b.noarch.rpmipa-python-compat-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpmipa-python-compat-4.9.2-3.module+el8.4.0+10413+a92f1bfa.noarch.rpmipa-selinux-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpmipa-selinux-4.9.2-3.module+el8.4.0+10413+a92f1bfa.noarch.rpmipa-server-common-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpmipa-server-dns-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpmpython3-custodia-0.6.0-3.module+el8.1.0+4098+f286395e.noarch.rpmpython3-ipaclient-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpmpython3-ipaclient-4.9.2-3.module+el8.4.0+10413+a92f1bfa.noarch.rpmpython3-ipalib-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpmpython3-ipalib-4.9.2-3.module+el8.4.0+10413+a92f1bfa.noarch.rpmpython3-ipaserver-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpmpython3-ipatests-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpmpython3-jwcrypto-0.5.0-1.module+el8.1.0+4098+f286395e.noarch.rpmpython3-jwcrypto-0.5.0-1.module+el8.1.0+4107+4a66eb87.noarch.rpmpython3-kdcproxy-0.4-5.module+el8.2.0+4691+a05b2456.noarch.rpmpython3-pyusb-1.0.0-9.module+el8.1.0+4098+f286395e.noarch.rpmpython3-pyusb-1.0.0-9.module+el8.1.0+4107+4a66eb87.noarch.rpmpython3-qrcode-5.1-12.module+el8.1.0+4098+f286395e.noarch.rpmpython3-qrcode-5.1-12.module+el8.1.0+4107+4a66eb87.noarch.rpmpython3-qrcode-core-5.1-12.module+el8.1.0+4098+f286395e.noarch.rpmpython3-qrcode-core-5.1-12.module+el8.1.0+4107+4a66eb87.noarch.rpmpython3-yubico-1.3.2-9.module+el8.1.0+4098+f286395e.noarch.rpmpython3-yubico-1.3.2-9.module+el8.1.0+4107+4a66eb87.noarch.rpmppc64le:bind-dyndb-ldap-11.6-2.module+el8.4.0+9328+4ec4e316.ppc64le.rpmbind-dyndb-ldap-debuginfo-11.6-2.module+el8.4.0+9328+4ec4e316.ppc64le.rpmbind-dyndb-ldap-debugsource-11.6-2.module+el8.4.0+9328+4ec4e316.ppc64le.rpmipa-client-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpmipa-client-4.9.2-3.module+el8.4.0+10413+a92f1bfa.ppc64le.rpmipa-client-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpmipa-client-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.ppc64le.rpmipa-client-epn-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpmipa-client-epn-4.9.2-3.module+el8.4.0+10413+a92f1bfa.ppc64le.rpmipa-client-samba-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpmipa-client-samba-4.9.2-3.module+el8.4.0+10413+a92f1bfa.ppc64le.rpmipa-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpmipa-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.ppc64le.rpmipa-debugsource-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpmipa-debugsource-4.9.2-3.module+el8.4.0+10413+a92f1bfa.ppc64le.rpmipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpmipa-server-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpmipa-server-trust-ad-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpmipa-server-trust-ad-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpmopendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8.ppc64le.rpmopendnssec-debuginfo-2.1.7-1.module+el8.4.0+9007+5084bdd8.ppc64le.rpmopendnssec-debugsource-2.1.7-1.module+el8.4.0+9007+5084bdd8.ppc64le.rpmslapi-nis-0.56.6-1.module+el8.4.0+9005+f55ff3e7.ppc64le.rpmslapi-nis-debuginfo-0.56.6-1.module+el8.4.0+9005+f55ff3e7.ppc64le.rpmslapi-nis-debugsource-0.56.6-1.module+el8.4.0+9005+f55ff3e7.ppc64le.rpmsofthsm-2.6.0-5.module+el8.4.0+10227+076cd560.ppc64le.rpmsofthsm-debuginfo-2.6.0-5.module+el8.4.0+10227+076cd560.ppc64le.rpmsofthsm-debugsource-2.6.0-5.module+el8.4.0+10227+076cd560.ppc64le.rpmsofthsm-devel-2.6.0-5.module+el8.4.0+10227+076cd560.ppc64le.rpms390x:bind-dyndb-ldap-11.6-2.module+el8.4.0+9328+4ec4e316.s390x.rpmbind-dyndb-ldap-debuginfo-11.6-2.module+el8.4.0+9328+4ec4e316.s390x.rpmbind-dyndb-ldap-debugsource-11.6-2.module+el8.4.0+9328+4ec4e316.s390x.rpmipa-client-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpmipa-client-4.9.2-3.module+el8.4.0+10413+a92f1bfa.s390x.rpmipa-client-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpmipa-client-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.s390x.rpmipa-client-epn-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpmipa-client-epn-4.9.2-3.module+el8.4.0+10413+a92f1bfa.s390x.rpmipa-client-samba-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpmipa-client-samba-4.9.2-3.module+el8.4.0+10413+a92f1bfa.s390x.rpmipa-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpmipa-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.s390x.rpmipa-debugsource-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpmipa-debugsource-4.9.2-3.module+el8.4.0+10413+a92f1bfa.s390x.rpmipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpmipa-server-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpmipa-server-trust-ad-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpmipa-server-trust-ad-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpmopendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8.s390x.rpmopendnssec-debuginfo-2.1.7-1.module+el8.4.0+9007+5084bdd8.s390x.rpmopendnssec-debugsource-2.1.7-1.module+el8.4.0+9007+5084bdd8.s390x.rpmslapi-nis-0.56.6-1.module+el8.4.0+9005+f55ff3e7.s390x.rpmslapi-nis-debuginfo-0.56.6-1.module+el8.4.0+9005+f55ff3e7.s390x.rpmslapi-nis-debugsource-0.56.6-1.module+el8.4.0+9005+f55ff3e7.s390x.rpmsofthsm-2.6.0-5.module+el8.4.0+10227+076cd560.s390x.rpmsofthsm-debuginfo-2.6.0-5.module+el8.4.0+10227+076cd560.s390x.rpmsofthsm-debugsource-2.6.0-5.module+el8.4.0+10227+076cd560.s390x.rpmsofthsm-devel-2.6.0-5.module+el8.4.0+10227+076cd560.s390x.rpmx86_64:bind-dyndb-ldap-11.6-2.module+el8.4.0+9328+4ec4e316.x86_64.rpmbind-dyndb-ldap-debuginfo-11.6-2.module+el8.4.0+9328+4ec4e316.x86_64.rpmbind-dyndb-ldap-debugsource-11.6-2.module+el8.4.0+9328+4ec4e316.x86_64.rpmipa-client-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpmipa-client-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64.rpmipa-client-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpmipa-client-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64.rpmipa-client-epn-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpmipa-client-epn-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64.rpmipa-client-samba-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpmipa-client-samba-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64.rpmipa-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpmipa-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64.rpmipa-debugsource-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpmipa-debugsource-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64.rpmipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpmipa-server-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpmipa-server-trust-ad-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpmipa-server-trust-ad-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpmopendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8.x86_64.rpmopendnssec-debuginfo-2.1.7-1.module+el8.4.0+9007+5084bdd8.x86_64.rpmopendnssec-debugsource-2.1.7-1.module+el8.4.0+9007+5084bdd8.x86_64.rpmslapi-nis-0.56.6-1.module+el8.4.0+9005+f55ff3e7.x86_64.rpmslapi-nis-debuginfo-0.56.6-1.module+el8.4.0+9005+f55ff3e7.x86_64.rpmslapi-nis-debugsource-0.56.6-1.module+el8.4.0+9005+f55ff3e7.x86_64.rpmsofthsm-2.6.0-5.module+el8.4.0+10227+076cd560.x86_64.rpmsofthsm-debuginfo-2.6.0-5.module+el8.4.0+10227+076cd560.x86_64.rpmsofthsm-debugsource-2.6.0-5.module+el8.4.0+10227+076cd560.x86_64.rpmsofthsm-devel-2.6.0-5.module+el8.4.0+10227+076cd560.x86_64.rpmThese packages are GPG signed by Red Hat for security. Our key anddetails on how to verify the signature are available fromhttps://access.redhat.com/security/team/key/
Severity
Synopsis: Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update
Advisory ID: RHSA-2021:1846-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:1846
Issued Date: : 2021-05-18
CVE Names: CVE-2020-11023
Topic
An update for the idm:DL1 and idm:client modules is now available for RedHat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Relevant Releases Architectures
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64
Bugs Fixed
871208 - ipa sudorule-add-user should accept external users
1340463 - [RFE] Implement pam_pwquality featureset in IPA password policies
1357495 - ipa command provides stack trace when provided with single hypen commands
1484088 - [RFE]: Able to browse different links from IPA web gui in new tabs
1542737 - Incorrect certs are being updated with "ipa-certupdate"
1544379 - ipa-client-install changes system wide ssh configuration
1660877 - kinit is failing due to overflow in Root CA certificate's timestamp
1779981 - ipa-cert-fix warning message should use commercial name for the product.
1780328 - ipa-healthcheck - Mention that the default output format is JSON.
1780510 - Source 'ipahealthcheck.ipa.topology' not found is displayed when ipactl service is stopped
1780782 - ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg
1784657 - Unlock user accounts after a password reset and replicate that unlock to all IdM servers
1809215 - Man page has incorrect examples; log location for healthcheck tool
1810148 - ipa-server-certinstall raises exception when installing IPA-issued web server cert
1812871 - Intermittent IdM Client Registration Failures
1824193 - Add Directory Server Healthchecks from lib389
1850004 - CVE-2020-11023 jquery: Passing HTML containing
1851835 - [RFE] IdM short-term certificates ACME provider
1857272 - negative option for token.mechanism not working correctly
1860129 - ipa trust-add fails when FIPS enabled
1866558 - ipa-healthcheck --input-file returns 1 on exit
1872603 - KRA Transport and Storage Certificates do not renew
1875001 - It is not possible to edit KDC database when the FreeIPA server is running
1882340 - nsslapd-db-locks patching no longer works
1891056 - ipa-kdb: support subordinate/superior UPN suffixes
1891505 - ipa-healthcheck returns msg": "{sssctl} {key} reports mismatch: sssd domains {sssd_domains} trust domains {trust_domains}"
1891735 - [Rebase] Rebase bind-dyndb-ldap to the recent upstream release
1891741 - [Rebase] Rebase slapi-nis to recent upstream release
1891832 - [Rebase] Rebase FreeIPA to a recent upstream release
1891850 - [Rebase] Rebase ipa-healthcheck to 0.7 upstream release
1894800 - IPA WebUI inaccessible after upgrading to RHEL 8.3.- idoverride-memberof.js missing
1901068 - Traceback while doing ipa-backup
1902173 - Uninstallation of IPA server with KRA installed displays 'ERROR: subprocess.CalledProcessError:'
1902727 - ipa-acme-manage enable fails after upgrade
1903025 - test failure in test_acme.py::TestACME::test_third_party_certs
1904484 - [Rebase] Rebase opendnssec to 2.1.7
1904612 - bind-dyndb-ldap: Rebased bind modifies so versions
1905919 - ipa-server-upgrade fails with traceback "exception: KeyError: 'DOMAIN'"
1909876 - ipa uninstall fails when dns not installed
1912845 - ipa-certupdate drops profile from the caSigningCert tracking
1922955 - Resubmitting KDC cert fails with internal server error
1923900 - Samba on IdM member failure
1924026 - Fix upstream test test_trust.py::test_subordinate_suffix
1924501 - ipa-client-install: Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 7
1924812 - Fix upstream test test_smb.py::TestSMB::test_authentication_with_smb_cifs_principal_alias
1925410 - Cannot delete sudocmd with typo error e.g. "/usr/sbin/reboot."
1926699 - avc denial for gpg-agent with systemd-run
1926910 - ipa cert-remove-hold
1928900 - Support new baseURL config option for ACME
1930426 - IPA krb5kdc crash possible doublefree ipadb_mspac_struct_free finish_process_as_req
1932289 - Sync ipatests from upstream to RHEL packages for FreeIPA 4.9 branch
1939371 - ipa-client-install displays false message 'sudo binary does not seem to be present on this system'
News
HOWTOs
Features
Secure Linux Hosting for Businesses
What Is Threat Intelligence?
CloudLinux Simplifies & Enhances Linux Security with its TuxCare Unified Enterprise Support Services
LinuxSecurity, Leading Provider of Linux Security News and Information, Unveils its New Website
Biden’s New Executive Cybersecurity Order Highlights the Power of Open-Source Security
About Us
Powered By
