Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title ipa security and bug fix update
Informations
Name RHSA-2015:1462 First vendor Publication 2015-07-22
Vendor RedHat Last vendor Modification 2015-07-22
Severity (Vendor) Moderate Revision 01

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Cvss Base Score 4.3 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Updated ipa packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Red Hat Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

Two cross-site scripting (XSS) flaws were found in jQuery, which impacted the Identity Management web administrative interface, and could allow an authenticated user to inject arbitrary HTML or web script into the interface. (CVE-2010-5312, CVE-2012-6662)

Note: The IdM version provided by this update no longer uses jQuery.

Bug fixes:

* The ipa-server-install, ipa-replica-install, and ipa-client-install utilities are not supported on machines running in FIPS-140 mode. Previously, IdM did not warn users about this. Now, IdM does not allow running the utilities in FIPS-140 mode, and displays an explanatory message. (BZ#1131571)

* If an Active Directory (AD) server was specified or discovered automatically when running the ipa-client-install utility, the utility produced a traceback instead of informing the user that an IdM server is expected in this situation. Now, ipa-client-install detects the AD server and fails with an explanatory message. (BZ#1132261)

* When IdM servers were configured to require the TLS protocol version 1.1 (TLSv1.1) or later in the httpd server, the ipa utility failed. With this update, running ipa works as expected with TLSv1.1 or later. (BZ#1154687)

* In certain high-load environments, the Kerberos authentication step of the IdM client installer can fail. Previously, the entire client installation failed in this situation. This update modifies ipa-client-install to prefer the TCP protocol over the UDP protocol and to retry the authentication attempt in case of failure. (BZ#1161722)

* If ipa-client-install updated or created the /etc/nsswitch.conf file, the sudo utility could terminate unexpectedly with a segmentation fault. Now, ipa-client-install puts a new line character at the end of nsswitch.conf if it modifies the last line of the file, fixing this bug. (BZ#1185207)

* The ipa-client-automount utility failed with the "UNWILLING_TO_PERFORM" LDAP error when the nsslapd-minssf Red Hat Directory Server configuration parameter was set to "1". This update modifies ipa-client-automount to use encrypted connection for LDAP searches by default, and the utility now finishes successfully even with nsslapd-minssf specified. (BZ#1191040)

* If installing an IdM server failed after the Certificate Authority (CA) installation, the "ipa-server-install --uninstall" command did not perform a proper cleanup. After the user issued "ipa-server-install --uninstall" and then attempted to install the server again, the installation failed. Now, "ipa-server-install --uninstall" removes the CA-related files in the described situation, and ipa-server-install no longer fails with the mentioned error message. (BZ#1198160)

* Running ipa-client-install added the "sss" entry to the sudoers line in nsswitch.conf even if "sss" was already configured and the entry was present in the file. Duplicate "sss" then caused sudo to become unresponsive. Now, ipa-client-install no longer adds "sss" if it is already present in nsswitch.conf. (BZ#1198339)

* After running ipa-client-install, it was not possible to log in using SSH under certain circumstances. Now, ipa-client-install no longer corrupts the sshd_config file, and the sshd service can start as expected, and logging in using SSH works in the described situation. (BZ#1201454)

* An incorrect definition of the dc attribute in the /usr/share/ipa/05rfc2247.ldif file caused bogus error messages to be returned during migration. The attribute has been fixed, but the bug persists if the copy-schema-to-ca.py script was run on Red Hat Enterprise Linux 6.6 prior to running it on Red Hat Enterprise Linux 6.7. To work around this problem, manually copy /usr/share/ipa/schema/05rfc2247.ldif to /etc/dirsrv/slapd-PKI-IPA/schema/ and restart IdM. (BZ#1220788)

All ipa users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1132261 - ipa-client-install failing produces a traceback instead of useful error message 1146870 - ipa-client-install fails with "KerbTransport instance has no attribute '__conn'" traceback 1154687 - POODLE: force using safe ciphers (non-SSLv3) in IPA client and server 1166041 - CVE-2010-5312 jquery-ui: XSS vulnerability in jQuery.ui.dialog title option 1166064 - CVE-2012-6662 jquery-ui: XSS vulnerability in default content in Tooltip widget 1185207 - ipa-client dont end new line character in /etc/nsswitch.conf 1198339 - ipa-client-install adds extra sss to sudoers in nsswitch.conf 1201454 - ipa breaks sshd config 1205660 - ipa-client rpm should require keyutils 1207649 - host certificate not issued to client during ipa-client-install 1220788 - request to backport ticket 3578 to RHEL

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2015-1462.html

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1
Application 221
Application 2
Application 1
Os 2
Os 2
Os 1
Os 1
Os 1
Os 1

Nessus® Vulnerability Scanner

Date Description
2015-08-04 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20150722_ipa_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2015-07-30 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2015-1462.nasl - Type : ACT_GATHER_INFO
2015-07-28 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2015-1462.nasl - Type : ACT_GATHER_INFO
2015-07-23 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2015-1462.nasl - Type : ACT_GATHER_INFO
2015-06-30 Name : The remote Debian host is missing a security update.
File : debian_DLA-258.nasl - Type : ACT_GATHER_INFO
2015-05-05 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3249.nasl - Type : ACT_GATHER_INFO
2015-03-27 Name : The remote Fedora host is missing a security update.
File : fedora_2015-3079.nasl - Type : ACT_GATHER_INFO
2015-03-27 Name : The remote Fedora host is missing a security update.
File : fedora_2015-3211.nasl - Type : ACT_GATHER_INFO
2015-03-27 Name : The remote Fedora host is missing a security update.
File : fedora_2015-3186.nasl - Type : ACT_GATHER_INFO
2015-03-26 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20150305_ipa_on_SL7_x.nasl - Type : ACT_GATHER_INFO
2015-03-18 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2015-0442.nasl - Type : ACT_GATHER_INFO
2015-03-13 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2015-0442.nasl - Type : ACT_GATHER_INFO
2015-03-05 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2015-0442.nasl - Type : ACT_GATHER_INFO
2014-12-15 Name : The remote Fedora host is missing a security update.
File : fedora_2014-16048.nasl - Type : ACT_GATHER_INFO
2014-12-15 Name : The remote Fedora host is missing a security update.
File : fedora_2014-15967.nasl - Type : ACT_GATHER_INFO
2014-12-07 Name : The remote Fedora host is missing a security update.
File : fedora_2014-15630.nasl - Type : ACT_GATHER_INFO
2014-12-03 Name : The remote Fedora host is missing a security update.
File : fedora_2014-15515.nasl - Type : ACT_GATHER_INFO
2014-12-03 Name : The remote Fedora host is missing a security update.
File : fedora_2014-15519.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
Date Informations
2015-12-05 13:28:12
  • Multiple Updates
2015-07-31 13:29:12
  • Multiple Updates
2015-07-24 13:30:07
  • Multiple Updates
2015-07-22 09:24:27
  • First insertion