URL: https://github.com/freeipa/freeipa/pull/5882
Author: flo-renaud
Title: #5882: [Backport][ipa-4-9] Server install: do not use unchecked ip addr for ipa-ca record
Action: opened

PR body:
"""
This PR was opened automatically because PR #5880 was pushed to master and backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5882/head:pr5882
git checkout pr5882
From f4e020795350dfa963dc35ffef40374f7c5bd16d Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <[email protected]>
Date: Thu, 8 Jul 2021 09:49:53 +0200
Subject: [PATCH] Server install: do not use unchecked ip addr for ipa-ca
 record

At the end of a server installation, the DNS records for
ipa-ca.$DOMAIN are created/updated with the IP addresses of the
new server.
The current code resolves the IP addresses of the new server
but doesn't check them. This can result in the addition of
a link-local address to the ipa-ca record.

For each address, make sure that it's neither reserved nor a
link-local address.

Fixes: https://pagure.io/freeipa/issue/8810
Signed-off-by: Florence Blanc-Renaud <[email protected]>
---
 ipaserver/install/installutils.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 56b137476c7..f3c90bc282e 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -491,6 +491,13 @@ def resolve_rrsets_nss(fqdn):
     ipv4 = []
     ipv6 = []
     for ip_address in ip_addresses:
+        # Skip reserved or link-local addresses
+        try:
+            ipautil.CheckedIPAddress(ip_address)
+        except ValueError as e:
+            logger.warning("Invalid IP address %s for %s: %s",
+                           ip_address, fqdn, unicode(e))
+            continue
         if ip_address.version == 4:
             ipv4.append(str(ip_address))
         elif ip_address.version == 6:
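Review bot: the new filter lives inside the shared helper `resolve_rrsets_nss`, so every caller of it, not only the ipa-ca record update named in the commit message, now silently drops reserved and link-local addresses; please confirm that is intended for all callers or state the filtering in the function's docstring. On the logging line, `unicode(e)` has no import visible in this hunk; if the module does not already define `unicode` for Python 3, `str(e)` (or simply passing `e`, since `%s` formats it) avoids a NameError on the very path meant to report the bad address. Also, since the `ValueError` branch only warns and continues, a host whose addresses are all rejected returns empty `ipv4`/`ipv6` lists with no error at this level; check that the caller turns that into a clear message rather than an empty ipa-ca record.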
_______________________________________________
FreeIPA-devel mailing list -- [email protected]