RedHat: RHSA-2021-1846:01 Moderate: idm:DL1 and idm:client security, bug fix,

An update for the idm:DL1 and idm:client modules is now available for Red Hat Enterprise Linux 8

Summary

Red Hat Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments.
Security Fix(es):
* jquery: Passing HTML containing

Solution

For details on how to apply this update, which includes the changesdescribed in this advisory, refer to:https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2020-11023

https://access.redhat.com/security/updates/classification/#moderate

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.4_release_notes/

Package List

Red Hat Enterprise Linux AppStream (v. 8):Source:bind-dyndb-ldap-11.6-2.module+el8.4.0+9328+4ec4e316.src.rpmcustodia-0.6.0-3.module+el8.1.0+4098+f286395e.src.rpmipa-4.9.2-3.module+el8.4.0+10412+5ecb5b37.src.rpmipa-4.9.2-3.module+el8.4.0+10413+a92f1bfa.src.rpmipa-healthcheck-0.7-3.module+el8.4.0+9007+5084bdd8.src.rpmipa-healthcheck-0.7-3.module+el8.4.0+9008+94c5103b.src.rpmopendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8.src.rpmpython-jwcrypto-0.5.0-1.module+el8.1.0+4098+f286395e.src.rpmpython-jwcrypto-0.5.0-1.module+el8.1.0+4107+4a66eb87.src.rpmpython-kdcproxy-0.4-5.module+el8.2.0+4691+a05b2456.src.rpmpython-qrcode-5.1-12.module+el8.1.0+4098+f286395e.src.rpmpython-qrcode-5.1-12.module+el8.1.0+4107+4a66eb87.src.rpmpython-yubico-1.3.2-9.module+el8.1.0+4098+f286395e.src.rpmpython-yubico-1.3.2-9.module+el8.1.0+4107+4a66eb87.src.rpmpyusb-1.0.0-9.module+el8.1.0+4098+f286395e.src.rpmpyusb-1.0.0-9.module+el8.1.0+4107+4a66eb87.src.rpmslapi-nis-0.56.6-1.module+el8.4.0+9005+f55ff3e7.src.rpmsofthsm-2.6.0-5.module+el8.4.0+10227+076cd560.src.rpmaarch64:bind-dyndb-ldap-11.6-2.module+el8.4.0+9328+4ec4e316.aarch64.rpmbind-dyndb-ldap-debuginfo-11.6-2.module+el8.4.0+9328+4ec4e316.aarch64.rpmbind-dyndb-ldap-debugsource-11.6-2.module+el8.4.0+9328+4ec4e316.aarch64.rpmipa-client-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpmipa-client-4.9.2-3.module+el8.4.0+10413+a92f1bfa.aarch64.rpmipa-client-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpmipa-client-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.aarch64.rpmipa-client-epn-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpmipa-client-epn-4.9.2-3.module+el8.4.0+10413+a92f1bfa.aarch64.rpmipa-client-samba-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpmipa-client-samba-4.9.2-3.module+el8.4.0+10413+a92f1bfa.aarch64.rpmipa-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpmipa-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.aarch64.rpmipa-debugsource-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpmipa-debugsource-4.9.2-3.module+el8.4.0+10413+a92f1bfa.aarch64.rpmipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpmipa-server-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpmipa-server-trust-ad-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpmipa-server-trust-ad-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpmopendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8.aarch64.rpmopendnssec-debuginfo-2.1.7-1.module+el8.4.0+9007+5084bdd8.aarch64.rpmopendnssec-debugsource-2.1.7-1.module+el8.4.0+9007+5084bdd8.aarch64.rpmslapi-nis-0.56.6-1.module+el8.4.0+9005+f55ff3e7.aarch64.rpmslapi-nis-debuginfo-0.56.6-1.module+el8.4.0+9005+f55ff3e7.aarch64.rpmslapi-nis-debugsource-0.56.6-1.module+el8.4.0+9005+f55ff3e7.aarch64.rpmsofthsm-2.6.0-5.module+el8.4.0+10227+076cd560.aarch64.rpmsofthsm-debuginfo-2.6.0-5.module+el8.4.0+10227+076cd560.aarch64.rpmsofthsm-debugsource-2.6.0-5.module+el8.4.0+10227+076cd560.aarch64.rpmsofthsm-devel-2.6.0-5.module+el8.4.0+10227+076cd560.aarch64.rpmnoarch:custodia-0.6.0-3.module+el8.1.0+4098+f286395e.noarch.rpmipa-client-common-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpmipa-client-common-4.9.2-3.module+el8.4.0+10413+a92f1bfa.noarch.rpmipa-common-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpmipa-common-4.9.2-3.module+el8.4.0+10413+a92f1bfa.noarch.rpmipa-healthcheck-0.7-3.module+el8.4.0+9007+5084bdd8.noarch.rpmipa-healthcheck-core-0.7-3.module+el8.4.0+9007+5084bdd8.noarch.rpmipa-healthcheck-core-0.7-3.module+el8.4.0+9008+94c5103b.noarch.rpmipa-python-compat-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpmipa-python-compat-4.9.2-3.module+el8.4.0+10413+a92f1bfa.noarch.rpmipa-selinux-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpmipa-selinux-4.9.2-3.module+el8.4.0+10413+a92f1bfa.noarch.rpmipa-server-common-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpmipa-server-dns-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpmpython3-custodia-0.6.0-3.module+el8.1.0+4098+f286395e.noarch.rpmpython3-ipaclient-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpmpython3-ipaclient-4.9.2-3.module+el8.4.0+10413+a92f1bfa.noarch.rpmpython3-ipalib-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpmpython3-ipalib-4.9.2-3.module+el8.4.0+10413+a92f1bfa.noarch.rpmpython3-ipaserver-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpmpython3-ipatests-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpmpython3-jwcrypto-0.5.0-1.module+el8.1.0+4098+f286395e.noarch.rpmpython3-jwcrypto-0.5.0-1.module+el8.1.0+4107+4a66eb87.noarch.rpmpython3-kdcproxy-0.4-5.module+el8.2.0+4691+a05b2456.noarch.rpmpython3-pyusb-1.0.0-9.module+el8.1.0+4098+f286395e.noarch.rpmpython3-pyusb-1.0.0-9.module+el8.1.0+4107+4a66eb87.noarch.rpmpython3-qrcode-5.1-12.module+el8.1.0+4098+f286395e.noarch.rpmpython3-qrcode-5.1-12.module+el8.1.0+4107+4a66eb87.noarch.rpmpython3-qrcode-core-5.1-12.module+el8.1.0+4098+f286395e.noarch.rpmpython3-qrcode-core-5.1-12.module+el8.1.0+4107+4a66eb87.noarch.rpmpython3-yubico-1.3.2-9.module+el8.1.0+4098+f286395e.noarch.rpmpython3-yubico-1.3.2-9.module+el8.1.0+4107+4a66eb87.noarch.rpmppc64le:bind-dyndb-ldap-11.6-2.module+el8.4.0+9328+4ec4e316.ppc64le.rpmbind-dyndb-ldap-debuginfo-11.6-2.module+el8.4.0+9328+4ec4e316.ppc64le.rpmbind-dyndb-ldap-debugsource-11.6-2.module+el8.4.0+9328+4ec4e316.ppc64le.rpmipa-client-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpmipa-client-4.9.2-3.module+el8.4.0+10413+a92f1bfa.ppc64le.rpmipa-client-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpmipa-client-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.ppc64le.rpmipa-client-epn-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpmipa-client-epn-4.9.2-3.module+el8.4.0+10413+a92f1bfa.ppc64le.rpmipa-client-samba-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpmipa-client-samba-4.9.2-3.module+el8.4.0+10413+a92f1bfa.ppc64le.rpmipa-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpmipa-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.ppc64le.rpmipa-debugsource-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpmipa-debugsource-4.9.2-3.module+el8.4.0+10413+a92f1bfa.ppc64le.rpmipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpmipa-server-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpmipa-server-trust-ad-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpmipa-server-trust-ad-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpmopendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8.ppc64le.rpmopendnssec-debuginfo-2.1.7-1.module+el8.4.0+9007+5084bdd8.ppc64le.rpmopendnssec-debugsource-2.1.7-1.module+el8.4.0+9007+5084bdd8.ppc64le.rpmslapi-nis-0.56.6-1.module+el8.4.0+9005+f55ff3e7.ppc64le.rpmslapi-nis-debuginfo-0.56.6-1.module+el8.4.0+9005+f55ff3e7.ppc64le.rpmslapi-nis-debugsource-0.56.6-1.module+el8.4.0+9005+f55ff3e7.ppc64le.rpmsofthsm-2.6.0-5.module+el8.4.0+10227+076cd560.ppc64le.rpmsofthsm-debuginfo-2.6.0-5.module+el8.4.0+10227+076cd560.ppc64le.rpmsofthsm-debugsource-2.6.0-5.module+el8.4.0+10227+076cd560.ppc64le.rpmsofthsm-devel-2.6.0-5.module+el8.4.0+10227+076cd560.ppc64le.rpms390x:bind-dyndb-ldap-11.6-2.module+el8.4.0+9328+4ec4e316.s390x.rpmbind-dyndb-ldap-debuginfo-11.6-2.module+el8.4.0+9328+4ec4e316.s390x.rpmbind-dyndb-ldap-debugsource-11.6-2.module+el8.4.0+9328+4ec4e316.s390x.rpmipa-client-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpmipa-client-4.9.2-3.module+el8.4.0+10413+a92f1bfa.s390x.rpmipa-client-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpmipa-client-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.s390x.rpmipa-client-epn-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpmipa-client-epn-4.9.2-3.module+el8.4.0+10413+a92f1bfa.s390x.rpmipa-client-samba-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpmipa-client-samba-4.9.2-3.module+el8.4.0+10413+a92f1bfa.s390x.rpmipa-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpmipa-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.s390x.rpmipa-debugsource-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpmipa-debugsource-4.9.2-3.module+el8.4.0+10413+a92f1bfa.s390x.rpmipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpmipa-server-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpmipa-server-trust-ad-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpmipa-server-trust-ad-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpmopendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8.s390x.rpmopendnssec-debuginfo-2.1.7-1.module+el8.4.0+9007+5084bdd8.s390x.rpmopendnssec-debugsource-2.1.7-1.module+el8.4.0+9007+5084bdd8.s390x.rpmslapi-nis-0.56.6-1.module+el8.4.0+9005+f55ff3e7.s390x.rpmslapi-nis-debuginfo-0.56.6-1.module+el8.4.0+9005+f55ff3e7.s390x.rpmslapi-nis-debugsource-0.56.6-1.module+el8.4.0+9005+f55ff3e7.s390x.rpmsofthsm-2.6.0-5.module+el8.4.0+10227+076cd560.s390x.rpmsofthsm-debuginfo-2.6.0-5.module+el8.4.0+10227+076cd560.s390x.rpmsofthsm-debugsource-2.6.0-5.module+el8.4.0+10227+076cd560.s390x.rpmsofthsm-devel-2.6.0-5.module+el8.4.0+10227+076cd560.s390x.rpmx86_64:bind-dyndb-ldap-11.6-2.module+el8.4.0+9328+4ec4e316.x86_64.rpmbind-dyndb-ldap-debuginfo-11.6-2.module+el8.4.0+9328+4ec4e316.x86_64.rpmbind-dyndb-ldap-debugsource-11.6-2.module+el8.4.0+9328+4ec4e316.x86_64.rpmipa-client-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpmipa-client-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64.rpmipa-client-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpmipa-client-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64.rpmipa-client-epn-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpmipa-client-epn-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64.rpmipa-client-samba-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpmipa-client-samba-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64.rpmipa-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpmipa-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64.rpmipa-debugsource-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpmipa-debugsource-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64.rpmipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpmipa-server-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpmipa-server-trust-ad-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpmipa-server-trust-ad-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpmopendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8.x86_64.rpmopendnssec-debuginfo-2.1.7-1.module+el8.4.0+9007+5084bdd8.x86_64.rpmopendnssec-debugsource-2.1.7-1.module+el8.4.0+9007+5084bdd8.x86_64.rpmslapi-nis-0.56.6-1.module+el8.4.0+9005+f55ff3e7.x86_64.rpmslapi-nis-debuginfo-0.56.6-1.module+el8.4.0+9005+f55ff3e7.x86_64.rpmslapi-nis-debugsource-0.56.6-1.module+el8.4.0+9005+f55ff3e7.x86_64.rpmsofthsm-2.6.0-5.module+el8.4.0+10227+076cd560.x86_64.rpmsofthsm-debuginfo-2.6.0-5.module+el8.4.0+10227+076cd560.x86_64.rpmsofthsm-debugsource-2.6.0-5.module+el8.4.0+10227+076cd560.x86_64.rpmsofthsm-devel-2.6.0-5.module+el8.4.0+10227+076cd560.x86_64.rpmThese packages are GPG signed by Red Hat for security. Our key anddetails on how to verify the signature are available fromhttps://access.redhat.com/security/team/key/

Severity

Synopsis: Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update

Advisory ID: RHSA-2021:1846-01

Product: Red Hat Enterprise Linux

Advisory URL: https://access.redhat.com/errata/RHSA-2021:1846

Issued Date: : 2021-05-18

CVE Names: CVE-2020-11023

Topic

An update for the idm:DL1 and idm:client modules is now available for RedHat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Relevant Releases Architectures

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

Bugs Fixed

871208 - ipa sudorule-add-user should accept external users

1340463 - [RFE] Implement pam_pwquality featureset in IPA password policies

1357495 - ipa command provides stack trace when provided with single hypen commands

1484088 - [RFE]: Able to browse different links from IPA web gui in new tabs

1542737 - Incorrect certs are being updated with "ipa-certupdate"

1544379 - ipa-client-install changes system wide ssh configuration

1660877 - kinit is failing due to overflow in Root CA certificate's timestamp

1779981 - ipa-cert-fix warning message should use commercial name for the product.

1780328 - ipa-healthcheck - Mention that the default output format is JSON.

1780510 - Source 'ipahealthcheck.ipa.topology' not found is displayed when ipactl service is stopped

1780782 - ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg

1784657 - Unlock user accounts after a password reset and replicate that unlock to all IdM servers

1809215 - Man page has incorrect examples; log location for healthcheck tool

1810148 - ipa-server-certinstall raises exception when installing IPA-issued web server cert

1812871 - Intermittent IdM Client Registration Failures

1824193 - Add Directory Server Healthchecks from lib389

1850004 - CVE-2020-11023 jquery: Passing HTML containing

1851835 - [RFE] IdM short-term certificates ACME provider

1857272 - negative option for token.mechanism not working correctly

1860129 - ipa trust-add fails when FIPS enabled

1866558 - ipa-healthcheck --input-file returns 1 on exit

1872603 - KRA Transport and Storage Certificates do not renew

1875001 - It is not possible to edit KDC database when the FreeIPA server is running

1882340 - nsslapd-db-locks patching no longer works

1891056 - ipa-kdb: support subordinate/superior UPN suffixes

1891505 - ipa-healthcheck returns msg": "{sssctl} {key} reports mismatch: sssd domains {sssd_domains} trust domains {trust_domains}"

1891735 - [Rebase] Rebase bind-dyndb-ldap to the recent upstream release

1891741 - [Rebase] Rebase slapi-nis to recent upstream release

1891832 - [Rebase] Rebase FreeIPA to a recent upstream release

1891850 - [Rebase] Rebase ipa-healthcheck to 0.7 upstream release

1894800 - IPA WebUI inaccessible after upgrading to RHEL 8.3.- idoverride-memberof.js missing

1901068 - Traceback while doing ipa-backup

1902173 - Uninstallation of IPA server with KRA installed displays 'ERROR: subprocess.CalledProcessError:'

1902727 - ipa-acme-manage enable fails after upgrade

1903025 - test failure in test_acme.py::TestACME::test_third_party_certs

1904484 - [Rebase] Rebase opendnssec to 2.1.7

1904612 - bind-dyndb-ldap: Rebased bind modifies so versions

1905919 - ipa-server-upgrade fails with traceback "exception: KeyError: 'DOMAIN'"

1909876 - ipa uninstall fails when dns not installed

1912845 - ipa-certupdate drops profile from the caSigningCert tracking

1922955 - Resubmitting KDC cert fails with internal server error

1923900 - Samba on IdM member failure

1924026 - Fix upstream test test_trust.py::test_subordinate_suffix

1924501 - ipa-client-install: Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 7

1924812 - Fix upstream test test_smb.py::TestSMB::test_authentication_with_smb_cifs_principal_alias

1925410 - Cannot delete sudocmd with typo error e.g. "/usr/sbin/reboot."

1926699 - avc denial for gpg-agent with systemd-run

1926910 - ipa cert-remove-hold returns an incorrect error message

1928900 - Support new baseURL config option for ACME

1930426 - IPA krb5kdc crash possible doublefree ipadb_mspac_struct_free finish_process_as_req

1932289 - Sync ipatests from upstream to RHEL packages for FreeIPA 4.9 branch

1939371 - ipa-client-install displays false message 'sudo binary does not seem to be present on this system'

Advisories

What Are You Looking For?

Popular Tags

RedHat: RHSA-2021-1846:01 Moderate: idm:DL1 and idm:client security, bug fix,

Summary

Solution

References

Package List

Topic

Relevant Releases Architectures

Bugs Fixed

News

Advisories

HOWTOs

Features

Time is running out for CentOS 8

Open-Source Tool of the Month: Uptycs Addresses Modern Cloud-Native & Containerization Security Challenges with its Uptycs Security Analytics Platform

Best File and Disk Encryption Tools For Linux

Best Linux Backup Solutions to Prevent Data Loss in A Ransomware Attack

What You Need to Know About Linux Rootkits

About Us

Powered By

Advisories

What Are You Looking For?

Popular Tags

Sign In

Not a Member Yet?

RedHat: RHSA-2021-1846:01 Moderate: idm:DL1 and idm:client security, bug fix,

Summary

Solution

References

Package List

Topic

Relevant Releases Architectures

Bugs Fixed

News

Advisories

HOWTOs

Features

Time is running out for CentOS 8

Open-Source Tool of the Month: Uptycs Addresses Modern Cloud-Native & Containerization Security Challenges with its Uptycs Security Analytics Platform

Best File and Disk Encryption Tools For Linux

Best Linux Backup Solutions to Prevent Data Loss in A Ransomware Attack

What You Need to Know About Linux Rootkits

About Us

Powered By