This update includes a rebase from 9.0.30 up to 9.0.31 which resolves one CVE along with various other bugs/features:
WARNING - This update does not enforce the change in defaults for the AJP Connector like the upstream fix does. This is done to prevent breakage of current installations, but it is highly advised to review your AJP Connector configuration to ensure that it is only accessible by your proxy! For more information see the Tomcat Security Page and the Tomcat Security Considerations Document.
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2020-0e42878ba7
This update has been submitted for testing by csutherl.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'ignored'.
This update has been pushed to testing.
This breaks the openQA FreeIPA tests - see links on Automated Tests tab. Logs available in 'Logs & Assets' tab of the failed tests. Didn't look into the cause myself yet, but it definitely broke something. @ab
Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.
sorry, @abbra
@adamwill @abbra the breakage occurred due to changes in the defaults on the AJP Connector to mitigate CVE-2020-1938. There are two changes that likely caused the issue: the default bind address for the connector changed from all interfaces to localhost, and the connector will no longer start unless you define a secret. We can proceed two different ways. You can update the FreeIPA configuration to address those (add 'address' and 'secretRequired=false' to your Connector config), or I can create a patch to undo those changes (which is what I did for RHEL tomcat). The problem with the second approach is that I don't know of any mechanism to tell users that they need to review their configurations, so they likely won't do anything and remain vulnerable to exploitation. Got any tips on that?
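As an added illustration of the two AJP Connector settings discussed in this thread (not code from the update, from Tomcat or from FreeIPA), the script below audits the Connector elements of a server.xml for the pre-9.0.31 defaults. The embedded server.xml fragment is constructed for the example: its first connector relies on the old defaults (all interfaces, no secret), the second sets address and secretRequired explicitly.

```python
"""Audit Tomcat AJP <Connector> elements for the settings changed by the CVE-2020-1938 fix."""
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not taken from any real deployment).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" secretRequired="true"
               secret="REPLACE-WITH-A-LONG-RANDOM-VALUE" />
  </Service>
</Server>"""

# Loopback values that keep the connector reachable only by a local proxy.
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector: {'port': ..., 'problems': [...]}.

    A build that keeps the old defaults (as this Fedora update does) binds to
    all interfaces when 'address' is absent and does not require a secret
    when 'secretRequired' is absent, so both absences are reported.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue  # HTTP connectors are out of scope for this check
        problems = []
        address = conn.get("address")
        if address is None:
            problems.append("no 'address': binds to all interfaces under the old defaults")
        elif address not in LOOPBACK_ADDRESSES:
            problems.append(f"non-loopback address {address!r}")
        secret_required = conn.get("secretRequired", "false").lower() == "true"
        if not secret_required:
            problems.append("secretRequired is not 'true'")
        elif not conn.get("secret"):
            # Matches the failure seen in this thread: required but undefined.
            problems.append("secretRequired without a 'secret': connector will not start")
        findings.append({"port": conn.get("port"), "problems": problems})
    return findings


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not finding["problems"] else "; ".join(finding["problems"])
        print(f"AJP connector on port {finding['port']}: {status}")
```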
This update can be pushed to stable now if the maintainer wishes
I'm afraid I don't, I'm just the test monkey :) ab might.
It's the secret. Alexander is working on a PR to address the issue, https://github.com/freeipa/freeipa/pull/4337
I think it's best to roll back those default changes for f30-f32 (and fix this like I did for RHEL) so we don't break current user environments. The work done in the freeipa project to use the secret is still valid, but after I introduce a new build it won't be broken by default.
csutherl edited this update.
New build(s):
Removed build(s):
Karma has been reset.
This update has been submitted for testing by csutherl.
csutherl edited this update.
We are going to do a FreeIPA 4.8 release tomorrow that will include the fixes for AJP protection (and will migrate old configuration to a new one too).
This update has been pushed to testing.
This update can be pushed to stable now if the maintainer wishes
This update has been submitted for stable by pwalter.
This update has been pushed to stable.