freeipa - Debian Package Tracker

general

source: freeipa (main)
version: 4.12.2-3
maintainer: Debian FreeIPA Team (archive) (DMD)
uploaders: Timo Aaltonen [DMD]
arch: all any
std-ver: 4.5.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 4.7.2-3
o-o-sec: 4.7.2-3+deb10u1
old-bpo: 4.9.8-1~bpo11+1
stable: 4.9.11-1
testing: 4.12.2-3
unstable: 4.12.2-3

versioned links

4.7.2-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.7.2-3+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.9.8-1~bpo11+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.9.11-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.12.2-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

freeipa-client (6 bugs: 0, 5, 1, 0)
freeipa-client-epn
freeipa-client-samba (2 bugs: 0, 1, 1, 0)
freeipa-common
python3-ipaclient
python3-ipalib

action needed

A new upstream version is available: 4.12.3 high

A new upstream version 4.12.3 is available, you should consider packaging it.

Created: 2025-01-18 Last update: 2025-05-19 12:30

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2024-11029: A flaw was found in the FreeIPA API audit, where it sends the whole FreeIPA command line to journalctl. As a consequence, during the FreeIPA installation process, it inadvertently leaks the administrative user credentials, including the administrator password, to the journal database. In the worst-case scenario, where the journal log is centralized, users with access to it can have improper access to the FreeIPA administrator credentials.

Created: 2024-02-07 Last update: 2025-02-27 05:02

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2024-11029: A flaw was found in the FreeIPA API audit, where it sends the whole FreeIPA command line to journalctl. As a consequence, during the FreeIPA installation process, it inadvertently leaks the administrative user credentials, including the administrator password, to the journal database. In the worst-case scenario, where the journal log is centralized, users with access to it can have improper access to the FreeIPA administrator credentials.

Created: 2025-01-16 Last update: 2025-02-27 05:02

5 security issues in buster high

There are 5 open security issues in buster.

2 important issues:

CVE-2024-2698: A vulnerability was found in FreeIPA in how the initial implementation of MS-SFU by MIT Kerberos was missing a condition for granting the "forwardable" flag on S4U2Self tickets. Fixing this mistake required adding a special case for the check_allowed_to_delegate() function: If the target service argument is NULL, then it means the KDC is probing for general constrained delegation rules and not checking a specific S4U2Proxy request. In FreeIPA 4.11.0, the behavior of ipadb_match_acl() was modified to match the changes from upstream MIT Kerberos 1.20. However, a mistake resulting in this mechanism applies in cases where the target service argument is set AND where it is unset. This results in S4U2Proxy requests being accepted regardless of whether or not there is a matching service delegation rule.
CVE-2024-3183: A vulnerability was found in FreeIPA in a way when a Kerberos TGS-REQ is encrypted using the client’s session key. This key is different for each new session, which protects it from brute force attacks. However, the ticket it contains is encrypted using the target principal key directly. For user principals, this key is a hash of a public per-principal randomly-generated salt and the user’s password. If a principal is compromised it means the attacker would be able to retrieve tickets encrypted to any principal, all of them being encrypted by their own key directly. By taking these tickets and salts offline, the attacker could run brute force attacks to find character strings able to decrypt tickets when combined to a principal salt (i.e. find the principal’s password).

3 issues postponed or untriaged:

CVE-2020-1722: (needs triaging) A flaw was found in all ipa versions 4.x.x through 4.8.0. When sending a very long password (>= 1,000,000 characters) to the server, the password hashing process could exhaust memory and CPU leading to a denial of service and the website becoming unresponsive. The highest threat from this vulnerability is to system availability.
CVE-2019-10195: (needs triaging) A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way that FreeIPA's batch processing API logged operations. This included passing user passwords in clear text on FreeIPA masters. Batch processing of commands with passwords as arguments or options is not performed by default in FreeIPA but is possible by third-party components. An attacker having access to system logs on FreeIPA masters could use this flaw to produce log file content with passwords exposed.
CVE-2019-14867: (needs triaging) A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way the internal function ber_scanf() was used in some components of the IPA server, which parsed kerberos key data. An unauthenticated attacker who could trigger parsing of the krb principal key could cause the IPA server to crash or in some conditions, cause arbitrary code to be executed on the server hosting the IPA server.

Created: 2024-06-11 Last update: 2024-06-24 17:49

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 4.12.2-4, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit b5c86fac930dc6220b28158d48b7b01e154b5477
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Wed Feb 5 08:22:43 2025 +0200

    control: Demote libnss-myhostname to Suggests.

Created: 2025-02-05 Last update: 2025-05-13 19:28

lintian reports 9 warnings normal

Lintian reports 9 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-02-05 Last update: 2025-02-05 06:31

2 low-priority security issues in bookworm low

There are 2 open security issues in bookworm.

1 issue left for the package maintainer to handle:

CVE-2024-11029: (needs triaging) A flaw was found in the FreeIPA API audit, where it sends the whole FreeIPA command line to journalctl. As a consequence, during the FreeIPA installation process, it inadvertently leaks the administrative user credentials, including the administrator password, to the journal database. In the worst-case scenario, where the journal log is centralized, users with access to it can have improper access to the FreeIPA administrator credentials.

You can find information about how to handle this issue in the security team's documentation.

1 ignored issue:

CVE-2024-1481: A flaw was found in FreeIPA. This issue may allow a remote attacker to craft a HTTP request with parameters that can be interpreted as command arguments to kinit on the FreeIPA server, which can lead to a denial of service.

Created: 2024-02-07 Last update: 2025-02-27 05:02

debian/patches: 3 patches to forward upstream low

Among the 3 debian patches available in version 4.12.2-3 of the package, we noticed the following issues:

3 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2025-02-05 09:31

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.5.0).

Created: 2020-11-17 Last update: 2025-02-27 13:25

news

[rss feed]

[2025-02-10] freeipa 4.12.2-3 MIGRATED to testing (Debian testing watch)
[2025-02-04] Accepted freeipa 4.12.2-3 (source) into unstable (Timo Aaltonen)
[2025-02-01] Accepted freeipa 4.12.2-2 (source) into unstable (Timo Aaltonen)
[2024-12-09] Accepted freeipa 4.12.2-1 (source) into unstable (Timo Aaltonen)
[2024-07-31] Accepted freeipa 4.11.1-2.1 (source) into unstable (Michael Biebl)
[2024-04-25] freeipa REMOVED from testing (Debian testing watch)
[2024-04-25] freeipa REMOVED from testing (Debian testing watch)
[2024-04-12] Accepted freeipa 4.11.1-2+exp1 (source) into experimental (Timo Aaltonen)
[2024-04-12] Accepted freeipa 4.11.1-2 (source) into unstable (Timo Aaltonen)
[2024-04-10] Accepted freeipa 4.11.1-1+exp1 (source) into experimental (Timo Aaltonen)
[2024-04-10] Accepted freeipa 4.11.1-1 (source) into unstable (Timo Aaltonen)
[2024-03-25] Accepted freeipa 4.7.2-3+deb10u1 (source) into oldoldstable (Chris Lamb)
[2023-10-23] freeipa 4.10.2-2 MIGRATED to testing (Debian testing watch)
[2023-10-23] freeipa 4.10.2-2 MIGRATED to testing (Debian testing watch)
[2023-10-18] Accepted freeipa 4.10.2-2+exp1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Timo Aaltonen)
[2023-10-18] Accepted freeipa 4.10.2-2 (source) into unstable (Timo Aaltonen)
[2023-08-15] freeipa 4.10.2-1 MIGRATED to testing (Debian testing watch)
[2023-08-15] freeipa 4.10.2-1 MIGRATED to testing (Debian testing watch)
[2023-08-10] Accepted freeipa 4.10.2-1 (source) into unstable (Timo Aaltonen)
[2023-06-13] freeipa 4.9.11-2 MIGRATED to testing (Debian testing watch)
[2023-06-13] freeipa 4.9.11-2 MIGRATED to testing (Debian testing watch)
[2023-04-27] Accepted freeipa 4.9.11-2 (source) into unstable (Timo Aaltonen)
[2023-03-01] Accepted freeipa 4.10.1+dfsg1-1+exp1 (source) into experimental (Timo Aaltonen)
[2023-02-21] Accepted freeipa 4.10.1-1+exp1 (source) into experimental (Timo Aaltonen)
[2023-01-24] freeipa 4.9.11-1 MIGRATED to testing (Debian testing watch)
[2023-01-18] Accepted freeipa 4.9.11-1+exp1 (source) into experimental (Timo Aaltonen)
[2023-01-18] Accepted freeipa 4.9.11-1 (source) into unstable (Timo Aaltonen)
[2022-08-15] freeipa 4.9.8-1 MIGRATED to testing (Debian testing watch)
[2022-06-12] freeipa REMOVED from testing (Debian testing watch)
[2022-01-12] Accepted freeipa 4.9.8-1~bpo11+1 (source amd64 all) into bullseye-backports, bullseye-backports (Debian FTP Masters) (signed by: Timo Aaltonen)

bugs [bug history graph]

all: 12
RC: 0
I&N: 10
M&W: 2
F&P: 0
patch: 0

links

homepage
lintian (0, 9)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
l10n (-, 100)
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 4.12.2-3
5 bugs