|
| 1 | +FreeIPA 4.12.3 |
| 2 | +============== |
| 3 | + |
| 4 | +.. raw:: mediawiki |
| 5 | +
|
| 6 | + {{ReleaseDate|2025-01-15}} |
| 7 | +
|
| 8 | +The FreeIPA team would like to announce FreeIPA 4.12.3 release! |
| 9 | + |
| 10 | +It can be downloaded from http://www.freeipa.org/page/Downloads. Builds |
| 11 | +for Fedora distributions will be available from the official repository |
| 12 | +soon. |
| 13 | + |
| 14 | +.. _highlights_in_4.12.3: |
| 15 | + |
| 16 | +Highlights in 4.12.3 |
| 17 | +-------------------- |
| 18 | + |
| 19 | +- CVE-2024-11029 |
| 20 | + |
| 21 | +When FreeIPA command line tools that run on IPA servers accept passwords |
| 22 | +on the command line, their details could be logged into systemd journal |
| 23 | +if the tools are using IPA API via '/proc/pid/commandline' content. |
| 24 | + |
| 25 | +systemd journald daemon collects these details along with any call that |
| 26 | +writes data to the systemd journal. The journal content is not |
| 27 | +accessible outside of administrators by default but could be exposed by |
| 28 | +forwarding the journal to external centralized log collectors. |
| 29 | + |
| 30 | +In most cases the centralized logging protocols like rsyslog do not |
| 31 | +forward \_CMDLINE property and thus do not see the command line |
| 32 | +directly. However, if administrators create backup copies of the systemd |
| 33 | +journal files, the binary data will contain all journal properties. |
| 34 | + |
| 35 | +In order to prevent unwanted exposure of passwords in command lines, |
| 36 | +FreeIPA tools now replace the passwords specified on the command line |
| 37 | +with a marker 'XXXXXX'. |
| 38 | + |
| 39 | +Enhancements |
| 40 | +~~~~~~~~~~~~ |
| 41 | + |
| 42 | +.. _known_issues: |
| 43 | + |
| 44 | +Known Issues |
| 45 | +~~~~~~~~~~~~ |
| 46 | + |
| 47 | +.. _bug_fixes: |
| 48 | + |
| 49 | +Bug fixes |
| 50 | +~~~~~~~~~ |
| 51 | + |
| 52 | +FreeIPA 4.12.3 is a security fix release. |
| 53 | + |
| 54 | +Details of the bug-fixes can be seen in the list of resolved tickets |
| 55 | +below. |
| 56 | + |
| 57 | +Upgrading |
| 58 | +--------- |
| 59 | + |
| 60 | +Upgrade instructions are available on |
| 61 | +`Upgrade <https://www.freeipa.org/page/Upgrade>`__ page. |
| 62 | + |
| 63 | +Feedback |
| 64 | +-------- |
| 65 | + |
| 66 | +Please provide comments, bugs and other feedback via the freeipa-users |
| 67 | +mailing list |
| 68 | +(https://lists.fedoraproject.org/archives/list/ [email protected]/) |
| 69 | +or #freeipa channel on libera.chat. |
| 70 | + |
| 71 | +.. _resolved_tickets: |
| 72 | + |
| 73 | +Resolved tickets |
| 74 | +---------------- |
| 75 | + |
| 76 | +.. _detailed_changelog_since_4.12.2: |
| 77 | + |
| 78 | +Detailed changelog since 4.12.2 |
| 79 | +------------------------------- |
| 80 | + |
| 81 | +.. _alexander_bokovoy_2: |
| 82 | + |
| 83 | +Alexander Bokovoy (2) |
| 84 | +~~~~~~~~~~~~~~~~~~~~~ |
| 85 | + |
| 86 | +- ipa tools: remove sensitive material from the commandline |
| 87 | + `commit <https://pagure.io/freeipa/c/3b38efe75865d0696829b4f26572575a8e74ddce>`__ |
| 88 | +- Unify use of option parsers |
| 89 | + `commit <https://pagure.io/freeipa/c/cf84a22228460957f578ac102f02516febe13f92>`__ |
| 90 | + |
| 91 | +.. _sumit_bose_1: |
| 92 | + |
| 93 | +Sumit Bose (1) |
| 94 | +~~~~~~~~~~~~~~ |
| 95 | + |
| 96 | +- ipa-otpd: use oidc_child's --client-secret-stdin option |
| 97 | + `commit <https://pagure.io/freeipa/c/7a5a10b6bf2e3eafd4b69362ffaece39791be2a8>`__ |
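Review bot: The CVE-2024-11029 paragraph at diff lines 21-23 is hard to parse and names the procfs file incorrectly: the clause "via '/proc/pid/commandline' content" is attached to "using IPA API" instead of to the logging, and the file is /proc/PID/cmdline. Suggest rewording so it says plainly that the full command line, password included, is recorded in the journal's _CMDLINE field whenever a tool that uses the IPA API writes to the journal. Lines 32-33 note that journal backups contain all properties, but the text gives administrators no guidance for entries written before the upgrade; a sentence on that would make the advisory actionable. Smaller points: the paragraphs at lines 21-37 are not indented under the "- CVE-2024-11029" bullet, so they will render outside the list item; the "Enhancements", "Known Issues" and "Resolved tickets" headings are empty, while lines 54-55 refer to a list of resolved tickets "below"; and the download link at line 10 uses http:// where the Upgrade link at line 61 uses https://.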