On 03/23/2017 08:06 PM, Martin Basti wrote: > > Release date: 2017-03-23 > > The FreeIPA team would like to announce FreeIPA 4.3.3 release! > > It can be downloaded from http://www.freeipa.org/page/Downloads. > > Please note that this is the last upstream release of FreeIPA 4.3.x > branch. > > This announcement is also available at > <http://www.freeipa.org/page/Releases/4.3.3>. > > > == Highlights in 4.3.3 == > === Enhancements === > === Known Issues === > === Bug fixes === > FreeIPA 4.3.3 is a stabilization release for the features delivered as a > part of 4.3.0. There are more than 20 bug-fixes which details can be > seen in > the list of resolved tickets below. > > == Upgrading == > Upgrade instructions are available on [[Upgrade]] page. > > == Feedback == > Please provide comments, bugs and other feedback via the freeipa-users > mailing > list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa > channel on Freenode. > > == Resolved tickets == > * 6774 FreeIPA client <= 4.4 fail to parse 4.5 cookies > * 6561 CVE-2016-7030 freeipa: ipa: DoS attack against kerberized > services by abusing password policy > * 6560 CVE-2016-9575 freeipa: ipa: Insufficient permission check in > certprofile-mod > * 6485 Document make_delete_command method in UserTracker > * 6378 Tests: Fix failing sudo test > * 6317 backport #6213 Incorrect test for > DNSForwardPolicyConflictWithEmptyZone warning in > test_xmlrpc/test_dns_plugin > * 6316 backport #6199 Received ACIError instead of DuplicatedError in > stageuser_tests > * 6311 Fix or remove the `LDAPUpdate.update_from_dict` method > * 6287 Refer to nodes in TestWrongClientDomain replica promotion tests > as replicas > * 6284 Tests: avoid skipping tests because of missing files when > running as outoftree > * 6278 Use OAEP padding with custodia (to avoid CVE-2016-6298) > * 6262 Fix integration sudo tests setup and checks > * 6254 kinit_admin raises an exception if server uninstallation is > called from test teardown with server not installed > * 6244 build: add python-libsss_nss_idmap and python-sss to BuildRequires > * 6205 The ipa-server-upgrade command failed when named-pkcs11 does > not happen to run during dnf upgrade > * 6177 ca-less test are broken - invalid usage of ipautil.run > * 6167 Incorrect domainlevel info in tests > * 6166 Subsequent external CA installation fails > * 6147 Failing automember tests due to manager output normalization > * 6134 Command "ipa-replica-prepare" not allowed to create line > replication topology > * 6120 ipa-adtrust-install: when running with --netbios-name="", the > NetBIOS name is changed without notification > * 6076 Mulitple domain Active Directory Trust conflict > * 6056 custodia.conf and server.keys file is world-readable. > * 6016 ipa-ca-install on replica tries to connect to master:8443 > * 5696 Add conflicts with bind-chroot to spec. > == Detailed changelog since 4.3.2 == > === Alexander Bokovoy (5) === > * ipa-kdb: search for password policies globally > * ipa-kdb: simplify trusted domain parent search > * trust: make sure ID range is created for the child domain even if it > exists > * trust: automatically resolve DNS trust conflicts for triangle trusts > * ipaserver/dcerpc: reformat to make the code closer to pep8 > > === Christian Heimes (3) === > * Use RSA-OAEP instead of RSA PKCS#1 v1.5 > * Secure permissions of Custodia server.keys > * RedHatCAService should wait for local Dogtag instance > > === David Kupka (1) === > * password policy: Add explicit default password policy for hosts and > services > > === Fraser Tweedale (2) === > * certprofile-mod: correctly authorise config update > * cert-revoke: fix permission check bypass (CVE-2016-5404) > > === Ganna Kaihorodova (1) === > * Fix for integration tests replication layouts > > === Jan Cholasta (2) === > * Revert "spec: add conflict with bind-chroot to freeipa-server-dns" > * install: fix external CA cert validation > > === Lenka Doudova (7) === > * Document make_delete_command method in UserTracker > * Tests: Fix integration sudo test > * Tests: Fix integration sudo tests setup and checks > * Tests: Avoid skipping tests due to missing files > * Raise error when running ipa-adtrust-install with empty netbios--name > * Tests: Fix failing automember tests > * Tests: Remove DNS configuration from trust tests > > === Martin Babinsky (1) === > * add python-libsss_nss_idmap and python-sss to BuildRequires > > === Martin Basti (5) === > * Become IPA 4.3.3 > * Update Contributors.txt > * Raise DuplicatedEnrty error when user exists in delete_container > * Catch DNS exceptions during emptyzones named.conf upgrade > * Start named during configuration upgrade. > > === Oleg Fayans (3) === > * Changed addressing to the client hosts to be replicas > * Disabled raiseonerr in kinit call during topology level check > * Fixed incorrect domainlevel determination in tests > > === Peter Lacko (1) === > * Test URIs in certificate. > > === Petr Spacek (3) === > * Tests: fix test_forward_zones in test_xmlrpc/test_dns_plugin > * DNS server upgrade: do not fail when DNS server did not respond > * Fix ipa-replica-prepare's error message about missing local CA instance > > === Petr Vobornik (1) === > * ca-less tests: fix getting cert in pem format from nssdb > > === Stanislav Laznicka (3) === > * Add debug log in case cookie retrieval went wrong > * Fix cookie with Max-Age processing > * Remove update_from_dict() method > > === Tomas Krizek (1) === > * Keep NSS trust flags of existing certificates > > > > FreeIPA 4.3.3 was released to Fedora 24.
F24: https://bodhi.fedoraproject.org/updates/freeipa-4.3.3-1.fc24 -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
signature.asc
Description: OpenPGP digital signature
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
