Comments

191 Comments

OpenQA tests for FreeIPA succeeded. The upgrade test showed known SELinux AVCs which are being taken care of already.

BZ#2239304 glibc: Revert change to run ELF destructor in reverse constructor order

@fweimer this seems like unloading GSSAPI mechglue plugin after ipa-getkeytab successfully completed.

Judging by cockpit logs:

/usr/libexec/cockpit-certificate-helper: line 86:  2147 Aborted                 (core dumped) ipa-getkeytab -p "HTTP/${HOST}" -k "${KEYTAB}"

this is, again, a very basic 'ipa-getkeytab' operation that attempts to store/delete a key in the keytab: a single process, single thread operation, nothing fancy. I think this is the code corresponding to krb5int_key_delete (there are macro definitions that bring it from k5_key_delete name): https://github.com/krb5/krb5/blob/master/src/util/support/threads.c#L362-L397

Passed now without problems.

Judging by the errors, it is the code in https://github.com/krb5/krb5/blob/krb5-1.21.1-final/src/lib/krb5/keytab/kt_file.c#L523-L552 which is a file-based keytab backend. The locking mutex is local to this code. ipa-getkeytab is a single-process program that uses krb5_kt_add_entry() function to store an entry into a keytab.

BZ#2238224 Passkey authentication: SELinux transition missing

@adamwill well, that was exactly my (awkward, sorry) ask ;)

@adamwill can we get this update merged with selinux-policy update? https://bodhi.fedoraproject.org/updates/FEDORA-2023-22190b6562 contains selinux-policy version we depend on for this FreeIPA update but I cannot merge these two bodhi updates myself.

Yes, please be patient and let's see if this gets passed. :)

I am waiving test results because it is an incorrect test in OpenQA. The test should be using --ignore-last-of-role or remove a replica first.

I am waiving test results because it is an incorrect test in OpenQA. The test should be using --ignore-last-of-role or remove a replica first.


FreeIPA tests work fine in OpenQA.

OpenQA tests are successful. The AVCs reported in update.upgrade_server_domain_controller test suite are known and have corresponding bugs opened already.

abbra commented & provided feedback on krb5-1.20.1-1.fc38 a year ago

A proper update is https://bodhi.fedoraproject.org/updates/FEDORA-2022-311128dd7e which includes krb5, samba, and freeipa.

abbra commented & provided feedback on krb5-1.19.2-9.fc35 a year ago

FreeIPA works fine.

BZ#2140960 CVE-2022-42898 krb5: integer overflow vulnerabilities in PAC parsing
BZ#2143009 CVE-2022-42898 krb5: integer overflow vulnerabilities in PAC parsing [fedora-35]

FreeIPA works fine.

BZ#2140960 CVE-2022-42898 krb5: integer overflow vulnerabilities in PAC parsing
BZ#2143010 CVE-2022-42898 krb5: integer overflow vulnerabilities in PAC parsing [fedora-36]

FreeIPA works fine.

BZ#2140960 CVE-2022-42898 krb5: integer overflow vulnerabilities in PAC parsing
BZ#2143011 CVE-2022-42898 krb5: integer overflow vulnerabilities in PAC parsing [fedora-37]