An ipa security, bug fix, and enhancement update has been released for Red Hat Enterprise Linux 7.

RHSA-2020:3936-01: Moderate: ipa security, bug fix, and enhancement update

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: ipa security, bug fix, and enhancement update
Advisory ID: RHSA-2020:3936-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:3936
Issue date: 2020-09-29
CVE Names: CVE-2015-9251 CVE-2016-10735 CVE-2018-14040
CVE-2018-14042 CVE-2018-20676 CVE-2018-20677
CVE-2019-8331 CVE-2019-11358 CVE-2020-1722
CVE-2020-11022
=====================================================================

1. Summary:

An update for ipa is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

3. Description:

Red Hat Identity Management (IdM) is a centralized authentication, identity
management, and authorization solution for both traditional and cloud-based
enterprise environments.

The following packages have been upgraded to a later upstream version: ipa
(4.6.8). (BZ#1819725)

Security Fix(es):

* js-jquery: Cross-site scripting via cross-domain ajax requests
(CVE-2015-9251)

* bootstrap: XSS in the data-target attribute (CVE-2016-10735)

* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent
attribute (CVE-2018-14040)

* bootstrap: Cross-site Scripting (XSS) in the data-container property of
tooltip. (CVE-2018-14042)

* bootstrap: XSS in the tooltip data-viewport attribute (CVE-2018-20676)

* bootstrap: XSS in the affix configuration target property
(CVE-2018-20677)

* bootstrap: XSS in the tooltip or popover data-template attribute
(CVE-2019-8331)

* js-jquery: prototype pollution in object's prototype leading to denial of
service or remote code execution or property injection (CVE-2019-11358)

* jquery: Cross-site scripting due to improper jQuery.htmlPrefilter
method (CVE-2020-11022)

* ipa: No password length restriction leads to denial of service
(CVE-2020-1722)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.9 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

  https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1399546 - CVE-2015-9251 js-jquery: Cross-site scripting via cross-domain ajax requests
1404770 - ID Views: do not allow custom Views for the masters
1545755 - ipa-replica-prepare should not update pki admin password.
1601614 - CVE-2018-14040 bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute
1601617 - CVE-2018-14042 bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip.
1668082 - CVE-2018-20676 bootstrap: XSS in the tooltip data-viewport attribute
1668089 - CVE-2018-20677 bootstrap: XSS in the affix configuration target property
1668097 - CVE-2016-10735 bootstrap: XSS in the data-target attribute
1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute
1701972 - CVE-2019-11358 js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection
1754902 - Running ipa-server-install fails when RHEL 7.7 packages are installed on RHEL 7.6
1755535 - ipa-advise on a RHEL7 IdM server is not able to generate a configuration script for a RHEL8 IdM client
1756568 - ipa-server-certinstall man page does not match built-in help.
1758406 - KRA authentication fails when IPA CA has custom Subject DN
1769791 - Invisible part of notification area in Web UI intercepts clicks of some page elements
1771356 - Default client configuration breaks ssh in FIPS mode.
1780548 - Man page ipa-cacert-manage does not display correctly on RHEL
1782587 - add "systemctl restart sssd" to warning message when adding trust agents to replicas
1788718 - ipa-server-install incorrectly setting slew mode (-x) when setting up ntpd
1788907 - Renewed certs are not picked up by IPA CAs
1793071 - CVE-2020-1722 ipa: No password length restriction leads to denial of service
1795890 - ipa-pkinit-manage enable fails on replica if it doesn't host the CA
1801791 - Compatibility Schema difference in functionality for systems following RHEL 7.5 -> 7.6 upgrade path as opposed to new RHEL 7.6 systems
1817886 - ipa group-add-member: prevent adding IPA objects as external members
1817918 - Secure tomcat AJP connector
1817919 - Enable compat tree to provide information about AD users and groups on trust agents
1817922 - covscan memory leaks report
1817923 - IPA upgrade is failing with error "Failed to get request: bus, object_path and dbus_interface must not be None."
1817927 - host-add --password logs cleartext userpassword to Apache error log
1819725 - Rebase IPA to latest 4.6.x version
1825829 - ipa-advise on a RHEL7 IdM server generate a configuration script for client having hardcoded python3
1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper jQuery.htmlPrefilter method
1829787 - ipa service-del deletes the required principal when specified in lower/upper case
1834385 - Man page syntax issue detected by rpminspect
1842950 - ipa-adtrust-install fails when replica is offline

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
ipa-4.6.8-5.el7.src.rpm

noarch:
ipa-client-common-4.6.8-5.el7.noarch.rpm
ipa-common-4.6.8-5.el7.noarch.rpm
ipa-python-compat-4.6.8-5.el7.noarch.rpm
python2-ipaclient-4.6.8-5.el7.noarch.rpm
python2-ipalib-4.6.8-5.el7.noarch.rpm

x86_64:
ipa-client-4.6.8-5.el7.x86_64.rpm
ipa-debuginfo-4.6.8-5.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:
ipa-server-common-4.6.8-5.el7.noarch.rpm
ipa-server-dns-4.6.8-5.el7.noarch.rpm
python2-ipaserver-4.6.8-5.el7.noarch.rpm

x86_64:
ipa-debuginfo-4.6.8-5.el7.x86_64.rpm
ipa-server-4.6.8-5.el7.x86_64.rpm
ipa-server-trust-ad-4.6.8-5.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
ipa-4.6.8-5.el7.src.rpm

noarch:
ipa-client-common-4.6.8-5.el7.noarch.rpm
ipa-common-4.6.8-5.el7.noarch.rpm
ipa-python-compat-4.6.8-5.el7.noarch.rpm
python2-ipaclient-4.6.8-5.el7.noarch.rpm
python2-ipalib-4.6.8-5.el7.noarch.rpm

x86_64:
ipa-client-4.6.8-5.el7.x86_64.rpm
ipa-debuginfo-4.6.8-5.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:
ipa-server-common-4.6.8-5.el7.noarch.rpm
ipa-server-dns-4.6.8-5.el7.noarch.rpm
python2-ipaserver-4.6.8-5.el7.noarch.rpm

x86_64:
ipa-debuginfo-4.6.8-5.el7.x86_64.rpm
ipa-server-4.6.8-5.el7.x86_64.rpm
ipa-server-trust-ad-4.6.8-5.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
ipa-4.6.8-5.el7.src.rpm

noarch:
ipa-client-common-4.6.8-5.el7.noarch.rpm
ipa-common-4.6.8-5.el7.noarch.rpm
ipa-python-compat-4.6.8-5.el7.noarch.rpm
ipa-server-common-4.6.8-5.el7.noarch.rpm
ipa-server-dns-4.6.8-5.el7.noarch.rpm
python2-ipaclient-4.6.8-5.el7.noarch.rpm
python2-ipalib-4.6.8-5.el7.noarch.rpm
python2-ipaserver-4.6.8-5.el7.noarch.rpm

ppc64:
ipa-client-4.6.8-5.el7.ppc64.rpm
ipa-debuginfo-4.6.8-5.el7.ppc64.rpm

ppc64le:
ipa-client-4.6.8-5.el7.ppc64le.rpm
ipa-debuginfo-4.6.8-5.el7.ppc64le.rpm

s390x:
ipa-client-4.6.8-5.el7.s390x.rpm
ipa-debuginfo-4.6.8-5.el7.s390x.rpm

x86_64:
ipa-client-4.6.8-5.el7.x86_64.rpm
ipa-debuginfo-4.6.8-5.el7.x86_64.rpm
ipa-server-4.6.8-5.el7.x86_64.rpm
ipa-server-trust-ad-4.6.8-5.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
ipa-4.6.8-5.el7.src.rpm

noarch:
ipa-client-common-4.6.8-5.el7.noarch.rpm
ipa-common-4.6.8-5.el7.noarch.rpm
ipa-python-compat-4.6.8-5.el7.noarch.rpm
ipa-server-common-4.6.8-5.el7.noarch.rpm
ipa-server-dns-4.6.8-5.el7.noarch.rpm
python2-ipaclient-4.6.8-5.el7.noarch.rpm
python2-ipalib-4.6.8-5.el7.noarch.rpm
python2-ipaserver-4.6.8-5.el7.noarch.rpm

x86_64:
ipa-client-4.6.8-5.el7.x86_64.rpm
ipa-debuginfo-4.6.8-5.el7.x86_64.rpm
ipa-server-4.6.8-5.el7.x86_64.rpm
ipa-server-trust-ad-4.6.8-5.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
  https://access.redhat.com/security/team/key/
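To find hosts that still carry pre-fix builds of the packages listed above, the script below compares `rpm -qa` style names against the 4.6.8-5.el7 build from section 6 using an rpmvercmp-compatible ordering. It is an added example, not Red Hat tooling, and it assumes the el7 ipa packages carry no epoch (plain `rpm -qa` output does not print one); the sample inventory is constructed.

```python
import re

FIXED_VR = ("4.6.8", "5.el7")  # version-release of every package in section 6
FIXED_NAMES = {"ipa-client", "ipa-client-common", "ipa-common", "ipa-debuginfo",
               "ipa-python-compat", "ipa-server", "ipa-server-common", "ipa-server-dns",
               "ipa-server-trust-ad", "python2-ipaclient", "python2-ipalib", "python2-ipaserver"}

def rpmvercmp(a, b):
    """Order version/release strings like rpm's rpmvercmp(): numeric segments as ints,
    alpha segments lexically, numeric beats alpha, '~' sorts before anything."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+|~", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if "~" in (x, y):
            if x != y:
                return 1 if y == "~" else -1
            continue
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        key = int if x.isdigit() else str
        if key(x) != key(y):
            return 1 if key(x) > key(y) else -1
    if len(sa) == len(sb):
        return 0
    # Leftover segments: a leading '~' makes the longer string older, anything else newer.
    a_longer = len(sa) > len(sb)
    tilde_next = (sa if a_longer else sb)[min(len(sa), len(sb))] == "~"
    return 1 if a_longer != tilde_next else -1

def parse_nvra(nvra):
    """Split 'name-version-release.arch' as printed by `rpm -qa` (epoch is not shown)."""
    rest, arch = nvra.rsplit(".", 1)
    name_ver, release = rest.rsplit("-", 1)
    name, version = name_ver.rsplit("-", 1)
    return name, version, release, arch

def vulnerable_packages(installed):
    """Return the ipa packages in `installed` older than the fixed build (epoch assumed 0)."""
    hits = []
    for nvra in installed:
        name, version, release, _ = parse_nvra(nvra)
        if name in FIXED_NAMES and (rpmvercmp(version, FIXED_VR[0])
                                    or rpmvercmp(release, FIXED_VR[1])) < 0:
            hits.append(nvra)
    return hits

# Constructed `rpm -qa` output from a half-patched host; not a real inventory.
SAMPLE_RPM_QA = ["ipa-client-4.6.5-11.el7.x86_64", "ipa-client-common-4.6.5-11.el7.noarch",
                 "ipa-server-4.6.8-5.el7.x86_64", "python2-ipaclient-4.6.5-11.el7.noarch",
                 "sssd-client-1.16.4-37.el7.x86_64"]
```

Feed it real `rpm -qa` output to get the list of packages still awaiting this erratum; any non-empty result means the host is not yet at the fixed build.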

7. References:

  https://access.redhat.com/security/cve/CVE-2015-9251
  https://access.redhat.com/security/cve/CVE-2016-10735
  https://access.redhat.com/security/cve/CVE-2018-14040
  https://access.redhat.com/security/cve/CVE-2018-14042
  https://access.redhat.com/security/cve/CVE-2018-20676
  https://access.redhat.com/security/cve/CVE-2018-20677
  https://access.redhat.com/security/cve/CVE-2019-8331
  https://access.redhat.com/security/cve/CVE-2019-11358
  https://access.redhat.com/security/cve/CVE-2020-1722
  https://access.redhat.com/security/cve/CVE-2020-11022
  https://access.redhat.com/security/updates/classification/#moderate
  https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.