diff --git a/SOURCES/0145-certprofile-mod-correctly-authorise-config-update.patch b/SOURCES/0145-certprofile-mod-correctly-authorise-config-update.patch
new file mode 100644
index 0000000..729a5b9
--- /dev/null
+++ b/SOURCES/0145-certprofile-mod-correctly-authorise-config-update.patch
@@ -0,0 +1,43 @@
+From 8de62d5187f54b0e994c160a1d39dbece4615aa5 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale
+Date: Tue, 15 Nov 2016 14:02:54 +1000
+Subject: [PATCH] certprofile-mod: correctly authorise config update
+
+Certificate profiles consist of an FreeIPA object, and a
+corresponding Dogtag configuration object. When updating profile
+configuration, changes to the Dogtag configuration are not properly
+authorised, allowing unprivileged operators to modify (but not
+create or delete) profiles. This could result in issuance of
+certificates with fraudulent subject naming information, improper
+key usage, or other badness.
+
+Update certprofile-mod to ensure that the operator has permission to
+modify FreeIPA certprofile objects before modifying the Dogtag
+configuration.
+
+https://fedorahosted.org/freeipa/ticket/6560
+
+Reviewed-By: Jan Cholasta
+---
+ ipaserver/plugins/certprofile.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/ipaserver/plugins/certprofile.py b/ipaserver/plugins/certprofile.py
+index f4466077484591c8e941027fa8e4897602384f7c..2bd3311e3b729b768188d537bf7f675a0f9346c2 100644
+--- a/ipaserver/plugins/certprofile.py
++++ b/ipaserver/plugins/certprofile.py
+@@ -310,6 +310,11 @@ class certprofile_mod(LDAPUpdate):
+ raise errors.ProtectedEntryError(label='certprofile', key=keys[0],
+ reason=_('Certificate profiles cannot be renamed'))
+ if 'file' in options:
++ # ensure operator has permission to update a certprofile
++ if not ldap.can_write(dn, 'ipacertprofilestoreissued'):
++ raise errors.ACIError(info=_(
++ "Insufficient privilege to modify a certificate profile."))
++
+ with self.api.Backend.ra_certprofile as profile_api:
+ profile_api.disable_profile(keys[0])
+ try:
+-- 
+2.10.2
+
diff --git a/SOURCES/0146-password-policy-Add-explicit-default-password-policy.patch b/SOURCES/0146-password-policy-Add-explicit-default-password-policy.patch
new file mode 100644
index 0000000..9c4e4af
--- /dev/null
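Review bot: The authorisation added under `if 'file' in options:` relies on `ldap.can_write(dn, 'ipacertprofilestoreissued')`, and nothing in the hunk says why write access to that single attribute is the right proxy for "may modify this certprofile", so a later ACI or permission change could quietly hollow the check out. Presumably it is the attribute the certprofile modify permission grants write access to; the comment should say so, e.g. `# ipacertprofilestoreissued is the attribute a certprofile modify permission grants write on, so can_write() on it mirrors the LDAP authorisation for the object`. Placing the check ahead of `disable_profile()` is right, since a caller without the permission must never reach the disable/import sequence. The enclosing callback's signature, where `dn` and `ldap` come from, is outside the hunk.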
+++ b/SOURCES/0146-password-policy-Add-explicit-default-password-policy.patch 
@@ -0,0 +1,192 @@
+From 016631a08b67bda3dc996b84061f863e0f5cdc7f Mon Sep 17 00:00:00 2001
+From: David Kupka
+Date: Thu, 29 Sep 2016 15:59:34 +0200
+Subject: [PATCH] password policy: Add explicit default password policy for
+ hosts and services
+
+Set explicitly krbPwdPolicyReference attribute to all hosts (entries in
+cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and
+Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's
+CoS so no attributes are really added.
+
+The default policies effectively disable any enforcement or lockout for hosts
+and services. Since hosts and services use keytabs passwords enforcements
+doesn't make much sense. Also the lockout policy could be used for easy and
+cheap DoS.
+
+https://fedorahosted.org/freeipa/ticket/6561
+
+Reviewed-By: Pavel Vomacka
+---
+ install/updates/20-default_password_policy.update | 133 ++++++++++++++++++++++
+ install/updates/Makefile.am | 1 +
+ ipaserver/install/service.py | 1 +
+ 3 files changed, 135 insertions(+)
+ create mode 100644 install/updates/20-default_password_policy.update
+
+diff --git a/install/updates/20-default_password_policy.update b/install/updates/20-default_password_policy.update
+new file mode 100644
+index 0000000000000000000000000000000000000000..b1f9754a98e9c4b9cb8558e96f7195ea87c2f1ce
+--- /dev/null
++++ b/install/updates/20-default_password_policy.update
+@@ -0,0 +1,133 @@
++# Default password policies for hosts, services and Kerberos services
++# Setting all attributes to zero effectively disables any password policy
++# We can do this because hosts and services uses keytabs instead of passwords
++
++# hosts
++dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
++default:objectClass: krbPwdPolicy
++default:objectClass: nsContainer
++default:objectClass: top
++default:cn: Default Host Password Policy
++default:krbMinPwdLife: 0
++default:krbPwdMinDiffChars: 0
++default:krbPwdMinLength: 0
++default:krbPwdHistoryLength: 0
++default:krbMaxPwdLife: 0
++default:krbPwdMaxFailure: 0
++default:krbPwdFailureCountInterval: 0
++default:krbPwdLockoutDuration: 0
++
++# services
++dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
++default:objectClass: krbPwdPolicy
++default:objectClass: nsContainer
++default:objectClass: top
++default:cn: Default Service Password Policy
++default:krbMinPwdLife: 0
++default:krbPwdMinDiffChars: 0
++default:krbPwdMinLength: 0
++default:krbPwdHistoryLength: 0
++default:krbMaxPwdLife: 0
++default:krbPwdMaxFailure: 0
++default:krbPwdFailureCountInterval: 0
++default:krbPwdLockoutDuration: 0
++
++# kerberos policy container
++# this is necessary to avoid mixing the Kerberos sevice password policy
++# with group-membership based user password policies
++dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
++default:objectClass: nsContainer
++default:objectClass: top
++default:cn: Kerberos Service Password Policy
++
++# kerberos services
++dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
++default:objectClass: krbPwdPolicy
++default:objectClass: nsContainer
++default:objectClass: top
++default:cn: Default Kerberos Service Password Policy
++default:krbMinPwdLife: 0
++default:krbPwdMinDiffChars: 0
++default:krbPwdMinLength: 0
++default:krbPwdHistoryLength: 0
++default:krbMaxPwdLife: 0
++default:krbPwdMaxFailure: 0
++default:krbPwdFailureCountInterval: 0
++default:krbPwdLockoutDuration: 0
++
++# default password policies for hosts, services and kerberos services
++# cosPriority is set intentionally to higher number than FreeIPA API allows
++# to set to ensure that these password policies have always lower priority
++# than any defined by user.
++
++# hosts
++dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
++default:objectclass: top
++default:objectclass: nsContainer
++default:cn: cosTemplates
++
++dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
++default:objectclass: top
++default:objectclass: cosTemplate
++default:objectclass: extensibleObject
++default:objectclass: krbContainer
++default:cn: Default Password Policy
++default:cosPriority: 10000000000
++default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
++
++dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX
++default:description: Default Password Policy for Hosts
++default:objectClass: top
++default:objectClass: ldapsubentry
++default:objectClass: cosSuperDefinition
++default:objectClass: cosPointerDefinition
++default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
++default:cosAttribute: krbPwdPolicyReference default
++
++# services
++dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
++default:objectclass: top
++default:objectclass: nsContainer
++default:cn: cosTemplates
++
++dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
++default:objectclass: top
++default:objectclass: cosTemplate
++default:objectclass: extensibleObject
++default:objectclass: krbContainer
++default:cn: Default Password Policy
++default:cosPriority: 10000000000
++default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
++
++dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX
++default:description: Default Password Policy for Services
++default:objectClass: top
++default:objectClass: ldapsubentry
++default:objectClass: cosSuperDefinition
++default:objectClass: cosPointerDefinition
++default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
++default:cosAttribute: krbPwdPolicyReference default
++
++# kerberos services
++dn: cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
++default:objectclass: top
++default:objectclass: nsContainer
++default:cn: cosTemplates
++
++dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
++default:objectclass: top
++default:objectclass: cosTemplate
++default:objectclass: extensibleObject
++default:objectclass: krbContainer
++default:cn: Default Password Policy
++default:cosPriority: 10000000000
++default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
++
++dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
++default:description: Default Password Policy for Kerberos Services
++default:objectClass: top
++default:objectClass: ldapsubentry
++default:objectClass: cosSuperDefinition
++default:objectClass: cosPointerDefinition
++default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
++default:cosAttribute: krbPwdPolicyReference default
+diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
+index 455fd209d171888dc94a7f708dc5fa1743f62bf4..310ae39c3b659cbe897380f572824acb26009574 100644
+--- a/install/updates/Makefile.am
++++ b/install/updates/Makefile.am
+@@ -23,6 +23,7 @@ app_DATA = \
+ 20-winsync_index.update \
+ 20-idoverride_index.update \
+ 20-uuid.update \
++ 20-default_password_policy.update \
+ 21-replicas_container.update \
+ 21-ca_renewal_container.update \
+ 21-certstore_container.update \
+diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
+index 057cd3d4b512513a4e3a8f228dc5f07f31fd84e0..6bb2e76f64ac11abc426c70c645cfb042be474c2 100644
+--- a/ipaserver/install/service.py
++++ b/ipaserver/install/service.py
+@@ -252,6 +252,7 @@ class Service(object):
+ # There is no service in the wrong location, nothing to do.
+ # This can happen when installing a replica
+ return None
++ entry.pop('krbpwdpolicyreference', None) # don't copy virtual attr
+ newdn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix)
+ hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix)
+ self.admin_conn.delete_entry(entry)
+-- 
+2.10.2
+
diff --git a/SOURCES/0147-ipa-kdb-search-for-password-policies-globally.patch b/SOURCES/0147-ipa-kdb-search-for-password-policies-globally.patch
new file mode 100644
index 0000000..96cc471
--- /dev/null
+++ b/SOURCES/0147-ipa-kdb-search-for-password-policies-globally.patch
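Review bot: `entry.pop('krbpwdpolicyreference', None) # don't copy virtual attr` in service.py says what is dropped but not why it matters: the CoS definitions added in the same patch use `cosAttribute: krbPwdPolicyReference default`, and with the `default` qualifier a stored value presumably takes precedence over the CoS-generated one, so copying the host subtree's virtual value onto the moved service entry would pin it to the host policy rather than the service policy. A comment along the lines of `# krbPwdPolicyReference is CoS-generated (cosAttribute ... default); a stored copy would override the service subtree's default after the move` would make that dependency explicit. Two wording slips in the new update file are worth fixing while here: `Kerberos sevice password policy` → `service`, and `hosts and services uses keytabs` → `use`. The Service method this line belongs to starts and ends outside the hunk.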
@@ -0,0 +1,38 @@
+From a90a67fc7c4ef114e5f5336d868009fd0caa956b Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Thu, 15 Dec 2016 16:30:00 +0200
+Subject: [PATCH] ipa-kdb: search for password policies globally
+
+With the CoS templates now used to create additional password policies
+per object type that are placed under the object subtrees, DAL driver
+needs to search for the policies in the whole tree.
+
+Individual policies referenced by the krbPwdPolicyReference attribute
+are always searched by their full DN and with the base scope. However,
+when KDC asks a DAL driver to return a password policy by name, we don't
+have any specific base to search. The original code did search by the
+realm subtree.
+
+Fixes https://fedorahosted.org/freeipa/ticket/6561
+
+Reviewed-By: Martin Babinsky
+---
+ daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+index 076314a12840881a340763ab5693131aaccafec6..0c810af98f7a37b76afc4ca40b29441d9793f12f 100644
+--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
++++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+@@ -163,7 +163,7 @@ krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
+ }
+
+ kerr = ipadb_simple_search(ipactx,
+- ipactx->realm_base, LDAP_SCOPE_SUBTREE,
++ ipactx->base, LDAP_SCOPE_SUBTREE,
+ src_filter, std_pwdpolicy_attrs, &res);
+ if (kerr) {
+ goto done;
+-- 
+2.10.2
+
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 673cd2f..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
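Review bot: Searching from `ipactx->base` with `LDAP_SCOPE_SUBTREE` means a policy looked up by name now matches any krbPwdPolicy entry anywhere under the suffix; if `src_filter` (built above the hunk) selects on cn only, two policies sharing a cn in different containers both match and whichever entry the code after the search takes becomes order-dependent. Either the caller should reject more than one hit (`ldap_count_entries()` on `res` after the search) or the assumption should be written down, e.g. `/* policy names are assumed unique across the whole DIT; a subtree search from the suffix would otherwise return an arbitrary match */`. ipadb_get_pwd_policy's body continues on both sides of the hunk.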
@@ -1,38 +0,0 @@
-From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001
-From: Jim Perrin
-Date: Wed, 11 Mar 2015 10:37:03 -0500
-Subject: [PATCH] update for new ntp server method
-
----
- ipaplatform/base/paths.py | 1 +
- ipaserver/install/ntpinstance.py | 2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index af50262..5090062 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -99,6 +99,7 @@ class BasePathNamespace(object):
- PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/"
- PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
- ETC_REDHAT_RELEASE = "/etc/redhat-release"
-+ ETC_CENTOS_RELEASE = "/etc/centos-release"
- RESOLV_CONF = "/etc/resolv.conf"
- SAMBA_KEYTAB = "/etc/samba/samba.keytab"
- SMB_CONF = "/etc/samba/smb.conf"
-diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py
-index c653525..4b0578b 100644
---- a/ipaserver/install/ntpinstance.py
-+++ b/ipaserver/install/ntpinstance.py
-@@ -44,6 +44,8 @@ class NTPInstance(service.Service):
- os = ""
- if ipautil.file_exists(paths.ETC_FEDORA_RELEASE):
- os = "fedora"
-+ elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE):
-+ os = "centos"
- elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
- os = "rhel"
-
---
-1.8.3.1
-
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index d46d747..ab32d78 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -43,7 +43,7 @@ Name: ipa
Version: 4.4.0
-Release: 14%{?dist}
+Release: 14%{?dist}.1.1
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@@ -51,10 +51,10 @@ License: GPLv3+
URL: http://www.freeipa.org/
Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
# RHEL spec file only: START: Change branding to IPA and Identity-Management
-#Source1: header-logo.png
-#Source2: login-screen-background.jpg
-#Source3: login-screen-logo.png
-#Source4: product-name.png
+Source1: header-logo.png
+Source2: login-screen-background.jpg
+Source3: login-screen-logo.png
+Source4: product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity-Management
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -203,6 +203,9 @@ Patch0141: 0141-WebUI-services-without-canonical-name-are-shown-corr.patch
Patch0142: 0142-Fix-missing-file-that-fails-DL1-replica-installation.patch
Patch0143: 0143-trustdomain-del-fix-the-way-how-subdomain-is-searche.patch
Patch0144: 0144-spec-file-bump-minimal-required-version-of-389-ds-ba.patch
+Patch0145: 0145-certprofile-mod-correctly-authorise-config-update.patch
+Patch0146: 0146-password-policy-Add-explicit-default-password-policy.patch
+Patch0147: 0147-ipa-kdb-search-for-password-policies-globally.patch
Patch1001: 1001-Hide-pkinit-functionality-from-production-version.patch
Patch1002: 1002-Remove-pkinit-plugin.patch
@@ -214,7 +217,6 @@ Patch1007: 1007-Do-not-build-tests.patch
Patch1008: 1008-RCUE.patch
Patch1009: 1009-Revert-Increased-mod_wsgi-socket-timeout.patch
Patch1010: 1010-WebUI-add-API-browser-is-tech-preview-warning.patch
-Patch1011: ipa-centos-branding.patch
# RHEL spec file only: END
%if ! %{ONLY_CLIENT}
@@ -794,10 +796,10 @@ for p in %patches ; do
done
# Red Hat's Identity Management branding
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE3 install/ui/images/login-screen-logo.png
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE3 install/ui/images/login-screen-logo.png
+cp %SOURCE4 install/ui/images/product-name.png
# RHEL spec file only: END
@@ -1533,8 +1535,20 @@ fi
%changelog
-* Tue Dec 06 2016 CentOS Sources - 4.4.0-14.el7.centos
-- Roll in CentOS Branding
+* Fri Dec 16 2016 Jan Cholasta - 4.4.0-14.1.1
+- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services
+ by abusing password policy
+ - ipa-kdb: search for password policies globally
+- Renamed patches 1011 and 1012 to 0146 and 0145, as they were merged upstream
+
+* Mon Dec 12 2016 Jan Cholasta - 4.4.0-14.1
+- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services
+ by abusing password policy
+ - password policy: Add explicit default password policy for hosts and
+ services
+- Resolves: #1395311 CVE-2016-9575 ipa: Insufficient permission check in
+ certprofile-mod
+ - certprofile-mod: correctly authorise config update
* Tue Nov 1 2016 Jan Cholasta - 4.4.0-14
- Resolves: #1378353 Replica install fails with old IPA master sometimes during