-
Tue Jan 17 2017 Kevin Lyons <kevin.x.lyons@oracle.com> - 4.4.0-14.0.1.el7_3.4
- Blank out header-logo.png product-name.png
Replace login-screen-logo.png [20362818]
-
Fri Dec 16 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.4
- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services
by abusing password policy
- ipa-kdb: search for password policies globally
- Renamed patches 1011 and 1012 to 0151 and 0150, as they were merged upstream
-
Tue Dec 13 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.3
- Resolves: #1404338 Check IdM Topology for broken record caused by replication
conflict before upgrading it
- Check for conflict entries before raising domain level
-
Tue Dec 13 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.2
- Resolves: #1401953 ipa-ca-install on promoted replica hangs on creating a
temporary CA admin
- replication: ensure bind DN group check interval is set on replica config
- add missing attribute to ipaca replica during CA topology update
- Resolves: #1404169 IPA upgrade of replica without DNS fails during restart of
named-pkcs11
- bindinstance: use data in named.conf to determine configuration status
- Resolves: #1404171 Creation of replica for disconnected environment is
failing with CA issuance errors; Need good steps.
- gracefully handle setting replica bind dn group on old masters
-
Mon Dec 12 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.1
- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services
by abusing password policy
- password policy: Add explicit default password policy for hosts and
services
- Resolves: #1395311 CVE-2016-9575 ipa: Insufficient permission check in
certprofile-mod
- certprofile-mod: correctly authorise config update
-
Tue Nov 01 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14
- Resolves: #1378353 Replica install fails with old IPA master sometimes during
replication process
- spec file: bump minimal required version of 389-ds-base
- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1
- Fix missing file that fails DL1 replica installation
- Resolves: #1387782 WebUI: Services are not displayed correctly after upgrade
- WebUI: services without canonical name are shown correctly
- Resolves: #1389709 Traceback seen in error_log when trustdomain-del is run
- trustdomain-del: fix the way how subdomain is searched
-
Mon Oct 31 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-13
- Resolves: #1318616 CA fails to start after doing ipa-ca-install --external-ca
- Keep NSS trust flags of existing certificates
- Resolves: #1360813 ipa-server-certinstall does not update all certificate
stores and doesn't set proper trust permissions
- Add cert checks in ipa-server-certinstall
- Resolves: #1371479 cert-find --all does not show information about revocation
- cert: add revocation reason back to cert-find output
- Resolves: #1375133 WinSync users who have First.Last casing creates users who
can have their password set
- ipa passwd: use correct normalizer for user principals
- Resolves: #1377858 Users with 2FA tokens are not able to login to IPA servers
- Properly handle LDAP socket closures in ipa-otpd
- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1
- Make httpd publish its CA certificate on DL1
-
Fri Sep 16 2016 Petr Vobornik <pvoborni@redhat.com> - 4.4.0-12
- Resolves: #1373910 IPA server upgrade fails with DNS timed out errors.
- Resolves: #1375269 ipa trust-fetch-domains throws internal error
-
Tue Sep 13 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-11
- Resolves: #1373359 ipa-certupdate fails with "CA is not configured"
- Fix regression introduced in ipa-certupdate
-
Wed Sep 07 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-10
- Resolves: #1355753 adding two way non transitive(external) trust displays
internal error on the console
- Always fetch forest info from root DCs when establishing two-way trust
- factor out `populate_remote_domain` method into module-level function
- Always fetch forest info from root DCs when establishing one-way trust
- Resolves: #1356101 Lightweight sub-CA certs are not tracked by certmonger
after `ipa-replica-install`
- Track lightweight CAs on replica installation
- Resolves: #1357488 ipa command stuck forever on higher versioned client with
lower versioned server
- compat: Save server's API version in for pre-schema servers
- compat: Fix ping command call
- schema cache: Store and check info for pre-schema servers
- Resolves: #1363905 man page for ipa-replica-manage has a typo in -c flag
- Fix man page ipa-replica-manage: remove duplicate -c option
from --no-lookup
- Resolves: #1367865 webui: cert_revoke should use --cacn to set correct CA
when revoking certificate
- cert: include CA name in cert command output
- WebUI add support for sub-CAs while revoking certificates
- Resolves: #1368424 Unable to view certificates issued by Sub CA in Web UI
- Add support for additional options taken from table facet
- WebUI: Fix showing certificates issued by sub-CA
- Resolves: #1368557 dnsrecord-add does not prompt for missing record parts
interactively
- dns: normalize record type read interactively in dnsrecord_add
- dns: prompt for missing record parts in CLI
- dns: fix crash in interactive mode against old servers
- Resolves: #1370519 Certificate revocation in service-del and host-del isn't
aware of Sub CAs
- cert: fix cert-find --certificate when the cert is not in LDAP
- Make host/service cert revocation aware of lightweight CAs
- Resolves: #1371901 Use OAEP padding with custodia
- Use RSA-OAEP instead of RSA PKCS#1 v1.5
- Resolves: #1371915 When establishing external two-way trust, forest root
Administrator account is used to fetch domain info
- do not use trusted forest name to construct domain admin principal
- Resolves: #1372597 Incorrect CA ACL evaluation of SAN DNS names in
certificate request
- Fix CA ACL Check on SubjectAltNames
- Resolves: #1373272 CLI always sends default command version
- cli: use full name when executing a command
- Resolves: #1373359 ipa-certupdate fails with "CA is not configured"
- Fix ipa-certupdate for CA-less installation
- Resolves: #1373540 client-install with IPv6 address fails on link-local
address (always)
- Fix parse errors with link-local addresses