An idm:DL1 and idm:client security, bug fix, and enhancement update has been released for Red Hat Enterprise Linux 8.
RHSA-2021:1846-01: Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update
Advisory ID: RHSA-2021:1846-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:1846
Issue date: 2021-05-18
CVE Names: CVE-2020-11023
=====================================================================
1. Summary:
An update for the idm:DL1 and idm:client modules is now available for Red
Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64
3. Description:
Red Hat Identity Management (IdM) is a centralized authentication, identity
management, and authorization solution for both traditional and cloud-based
enterprise environments.
Security Fix(es):
* jquery: Passing HTML containing <option> elements to manipulation methods
could result in untrusted code execution (CVE-2020-11023)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.4 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
871208 - ipa sudorule-add-user should accept external users
1340463 - [RFE] Implement pam_pwquality featureset in IPA password policies
1357495 - ipa command provides stack trace when provided with single hyphen commands
1484088 - [RFE]: Able to browse different links from IPA web gui in new tabs
1542737 - Incorrect certs are being updated with "ipa-certupdate"
1544379 - ipa-client-install changes system wide ssh configuration
1660877 - kinit is failing due to overflow in Root CA certificate's timestamp
1779981 - ipa-cert-fix warning message should use commercial name for the product.
1780328 - ipa-healthcheck - Mention that the default output format is JSON.
1780510 - Source 'ipahealthcheck.ipa.topology' not found is displayed when ipactl service is stopped
1780782 - ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg
1784657 - Unlock user accounts after a password reset and replicate that unlock to all IdM servers
1809215 - Man page has incorrect examples; log location for healthcheck tool
1810148 - ipa-server-certinstall raises exception when installing IPA-issued web server cert
1812871 - Intermittent IdM Client Registration Failures
1824193 - Add Directory Server Healthchecks from lib389
1850004 - CVE-2020-11023 jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution
1851835 - [RFE] IdM short-term certificates ACME provider
1857272 - negative option for token.mechanism not working correctly
1860129 - ipa trust-add fails when FIPS enabled
1866558 - ipa-healthcheck --input-file returns 1 on exit
1872603 - KRA Transport and Storage Certificates do not renew
1875001 - It is not possible to edit KDC database when the FreeIPA server is running
1882340 - nsslapd-db-locks patching no longer works
1891056 - ipa-kdb: support subordinate/superior UPN suffixes
1891505 - ipa-healthcheck returns msg": "{sssctl} {key} reports mismatch: sssd domains {sssd_domains} trust domains {trust_domains}"
1891735 - [Rebase] Rebase bind-dyndb-ldap to the recent upstream release
1891741 - [Rebase] Rebase slapi-nis to recent upstream release
1891832 - [Rebase] Rebase FreeIPA to a recent upstream release
1891850 - [Rebase] Rebase ipa-healthcheck to 0.7 upstream release
1894800 - IPA WebUI inaccessible after upgrading to RHEL 8.3.- idoverride-memberof.js missing
1901068 - Traceback while doing ipa-backup
1902173 - Uninstallation of IPA server with KRA installed displays 'ERROR: subprocess.CalledProcessError:'
1902727 - ipa-acme-manage enable fails after upgrade
1903025 - test failure in test_acme.py::TestACME::test_third_party_certs
1904484 - [Rebase] Rebase opendnssec to 2.1.7
1904612 - bind-dyndb-ldap: Rebased bind modifies so versions
1905919 - ipa-server-upgrade fails with traceback "exception: KeyError: 'DOMAIN'"
1909876 - ipa uninstall fails when dns not installed
1912845 - ipa-certupdate drops profile from the caSigningCert tracking
1922955 - Resubmitting KDC cert fails with internal server error
1923900 - Samba on IdM member failure
1924026 - Fix upstream test test_trust.py::test_subordinate_suffix
1924501 - ipa-client-install: Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 7
1924812 - Fix upstream test test_smb.py::TestSMB::test_authentication_with_smb_cifs_principal_alias
1925410 - Cannot delete sudocmd with typo error e.g. "/usr/sbin/reboot."
1926699 - avc denial for gpg-agent with systemd-run
1926910 - ipa cert-remove-hold returns an incorrect error message
1928900 - Support new baseURL config option for ACME
1930426 - IPA krb5kdc crash possible doublefree ipadb_mspac_struct_free finish_process_as_req
1932289 - Sync ipatests from upstream to RHEL packages for FreeIPA 4.9 branch
1939371 - ipa-client-install displays false message 'sudo binary does not seem to be present on this system'
6. Package List:
Red Hat Enterprise Linux AppStream (v. 8):
Source:
bind-dyndb-ldap-11.6-2.module+el8.4.0+9328+4ec4e316.src.rpm
custodia-0.6.0-3.module+el8.1.0+4098+f286395e.src.rpm
ipa-4.9.2-3.module+el8.4.0+10412+5ecb5b37.src.rpm
ipa-4.9.2-3.module+el8.4.0+10413+a92f1bfa.src.rpm
ipa-healthcheck-0.7-3.module+el8.4.0+9007+5084bdd8.src.rpm
ipa-healthcheck-0.7-3.module+el8.4.0+9008+94c5103b.src.rpm
opendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8.src.rpm
python-jwcrypto-0.5.0-1.module+el8.1.0+4098+f286395e.src.rpm
python-jwcrypto-0.5.0-1.module+el8.1.0+4107+4a66eb87.src.rpm
python-kdcproxy-0.4-5.module+el8.2.0+4691+a05b2456.src.rpm
python-qrcode-5.1-12.module+el8.1.0+4098+f286395e.src.rpm
python-qrcode-5.1-12.module+el8.1.0+4107+4a66eb87.src.rpm
python-yubico-1.3.2-9.module+el8.1.0+4098+f286395e.src.rpm
python-yubico-1.3.2-9.module+el8.1.0+4107+4a66eb87.src.rpm
pyusb-1.0.0-9.module+el8.1.0+4098+f286395e.src.rpm
pyusb-1.0.0-9.module+el8.1.0+4107+4a66eb87.src.rpm
slapi-nis-0.56.6-1.module+el8.4.0+9005+f55ff3e7.src.rpm
softhsm-2.6.0-5.module+el8.4.0+10227+076cd560.src.rpm
aarch64:
bind-dyndb-ldap-11.6-2.module+el8.4.0+9328+4ec4e316.aarch64.rpm
bind-dyndb-ldap-debuginfo-11.6-2.module+el8.4.0+9328+4ec4e316.aarch64.rpm
bind-dyndb-ldap-debugsource-11.6-2.module+el8.4.0+9328+4ec4e316.aarch64.rpm
ipa-client-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpm
ipa-client-4.9.2-3.module+el8.4.0+10413+a92f1bfa.aarch64.rpm
ipa-client-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpm
ipa-client-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.aarch64.rpm
ipa-client-epn-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpm
ipa-client-epn-4.9.2-3.module+el8.4.0+10413+a92f1bfa.aarch64.rpm
ipa-client-samba-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpm
ipa-client-samba-4.9.2-3.module+el8.4.0+10413+a92f1bfa.aarch64.rpm
ipa-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpm
ipa-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.aarch64.rpm
ipa-debugsource-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpm
ipa-debugsource-4.9.2-3.module+el8.4.0+10413+a92f1bfa.aarch64.rpm
ipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpm
ipa-server-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpm
ipa-server-trust-ad-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpm
ipa-server-trust-ad-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.aarch64.rpm
opendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8.aarch64.rpm
opendnssec-debuginfo-2.1.7-1.module+el8.4.0+9007+5084bdd8.aarch64.rpm
opendnssec-debugsource-2.1.7-1.module+el8.4.0+9007+5084bdd8.aarch64.rpm
slapi-nis-0.56.6-1.module+el8.4.0+9005+f55ff3e7.aarch64.rpm
slapi-nis-debuginfo-0.56.6-1.module+el8.4.0+9005+f55ff3e7.aarch64.rpm
slapi-nis-debugsource-0.56.6-1.module+el8.4.0+9005+f55ff3e7.aarch64.rpm
softhsm-2.6.0-5.module+el8.4.0+10227+076cd560.aarch64.rpm
softhsm-debuginfo-2.6.0-5.module+el8.4.0+10227+076cd560.aarch64.rpm
softhsm-debugsource-2.6.0-5.module+el8.4.0+10227+076cd560.aarch64.rpm
softhsm-devel-2.6.0-5.module+el8.4.0+10227+076cd560.aarch64.rpm
noarch:
custodia-0.6.0-3.module+el8.1.0+4098+f286395e.noarch.rpm
ipa-client-common-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpm
ipa-client-common-4.9.2-3.module+el8.4.0+10413+a92f1bfa.noarch.rpm
ipa-common-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpm
ipa-common-4.9.2-3.module+el8.4.0+10413+a92f1bfa.noarch.rpm
ipa-healthcheck-0.7-3.module+el8.4.0+9007+5084bdd8.noarch.rpm
ipa-healthcheck-core-0.7-3.module+el8.4.0+9007+5084bdd8.noarch.rpm
ipa-healthcheck-core-0.7-3.module+el8.4.0+9008+94c5103b.noarch.rpm
ipa-python-compat-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpm
ipa-python-compat-4.9.2-3.module+el8.4.0+10413+a92f1bfa.noarch.rpm
ipa-selinux-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpm
ipa-selinux-4.9.2-3.module+el8.4.0+10413+a92f1bfa.noarch.rpm
ipa-server-common-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpm
ipa-server-dns-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpm
python3-custodia-0.6.0-3.module+el8.1.0+4098+f286395e.noarch.rpm
python3-ipaclient-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpm
python3-ipaclient-4.9.2-3.module+el8.4.0+10413+a92f1bfa.noarch.rpm
python3-ipalib-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpm
python3-ipalib-4.9.2-3.module+el8.4.0+10413+a92f1bfa.noarch.rpm
python3-ipaserver-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpm
python3-ipatests-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch.rpm
python3-jwcrypto-0.5.0-1.module+el8.1.0+4098+f286395e.noarch.rpm
python3-jwcrypto-0.5.0-1.module+el8.1.0+4107+4a66eb87.noarch.rpm
python3-kdcproxy-0.4-5.module+el8.2.0+4691+a05b2456.noarch.rpm
python3-pyusb-1.0.0-9.module+el8.1.0+4098+f286395e.noarch.rpm
python3-pyusb-1.0.0-9.module+el8.1.0+4107+4a66eb87.noarch.rpm
python3-qrcode-5.1-12.module+el8.1.0+4098+f286395e.noarch.rpm
python3-qrcode-5.1-12.module+el8.1.0+4107+4a66eb87.noarch.rpm
python3-qrcode-core-5.1-12.module+el8.1.0+4098+f286395e.noarch.rpm
python3-qrcode-core-5.1-12.module+el8.1.0+4107+4a66eb87.noarch.rpm
python3-yubico-1.3.2-9.module+el8.1.0+4098+f286395e.noarch.rpm
python3-yubico-1.3.2-9.module+el8.1.0+4107+4a66eb87.noarch.rpm
ppc64le:
bind-dyndb-ldap-11.6-2.module+el8.4.0+9328+4ec4e316.ppc64le.rpm
bind-dyndb-ldap-debuginfo-11.6-2.module+el8.4.0+9328+4ec4e316.ppc64le.rpm
bind-dyndb-ldap-debugsource-11.6-2.module+el8.4.0+9328+4ec4e316.ppc64le.rpm
ipa-client-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpm
ipa-client-4.9.2-3.module+el8.4.0+10413+a92f1bfa.ppc64le.rpm
ipa-client-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpm
ipa-client-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.ppc64le.rpm
ipa-client-epn-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpm
ipa-client-epn-4.9.2-3.module+el8.4.0+10413+a92f1bfa.ppc64le.rpm
ipa-client-samba-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpm
ipa-client-samba-4.9.2-3.module+el8.4.0+10413+a92f1bfa.ppc64le.rpm
ipa-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpm
ipa-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.ppc64le.rpm
ipa-debugsource-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpm
ipa-debugsource-4.9.2-3.module+el8.4.0+10413+a92f1bfa.ppc64le.rpm
ipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpm
ipa-server-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpm
ipa-server-trust-ad-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpm
ipa-server-trust-ad-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.ppc64le.rpm
opendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8.ppc64le.rpm
opendnssec-debuginfo-2.1.7-1.module+el8.4.0+9007+5084bdd8.ppc64le.rpm
opendnssec-debugsource-2.1.7-1.module+el8.4.0+9007+5084bdd8.ppc64le.rpm
slapi-nis-0.56.6-1.module+el8.4.0+9005+f55ff3e7.ppc64le.rpm
slapi-nis-debuginfo-0.56.6-1.module+el8.4.0+9005+f55ff3e7.ppc64le.rpm
slapi-nis-debugsource-0.56.6-1.module+el8.4.0+9005+f55ff3e7.ppc64le.rpm
softhsm-2.6.0-5.module+el8.4.0+10227+076cd560.ppc64le.rpm
softhsm-debuginfo-2.6.0-5.module+el8.4.0+10227+076cd560.ppc64le.rpm
softhsm-debugsource-2.6.0-5.module+el8.4.0+10227+076cd560.ppc64le.rpm
softhsm-devel-2.6.0-5.module+el8.4.0+10227+076cd560.ppc64le.rpm
s390x:
bind-dyndb-ldap-11.6-2.module+el8.4.0+9328+4ec4e316.s390x.rpm
bind-dyndb-ldap-debuginfo-11.6-2.module+el8.4.0+9328+4ec4e316.s390x.rpm
bind-dyndb-ldap-debugsource-11.6-2.module+el8.4.0+9328+4ec4e316.s390x.rpm
ipa-client-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpm
ipa-client-4.9.2-3.module+el8.4.0+10413+a92f1bfa.s390x.rpm
ipa-client-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpm
ipa-client-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.s390x.rpm
ipa-client-epn-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpm
ipa-client-epn-4.9.2-3.module+el8.4.0+10413+a92f1bfa.s390x.rpm
ipa-client-samba-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpm
ipa-client-samba-4.9.2-3.module+el8.4.0+10413+a92f1bfa.s390x.rpm
ipa-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpm
ipa-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.s390x.rpm
ipa-debugsource-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpm
ipa-debugsource-4.9.2-3.module+el8.4.0+10413+a92f1bfa.s390x.rpm
ipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpm
ipa-server-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpm
ipa-server-trust-ad-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpm
ipa-server-trust-ad-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.s390x.rpm
opendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8.s390x.rpm
opendnssec-debuginfo-2.1.7-1.module+el8.4.0+9007+5084bdd8.s390x.rpm
opendnssec-debugsource-2.1.7-1.module+el8.4.0+9007+5084bdd8.s390x.rpm
slapi-nis-0.56.6-1.module+el8.4.0+9005+f55ff3e7.s390x.rpm
slapi-nis-debuginfo-0.56.6-1.module+el8.4.0+9005+f55ff3e7.s390x.rpm
slapi-nis-debugsource-0.56.6-1.module+el8.4.0+9005+f55ff3e7.s390x.rpm
softhsm-2.6.0-5.module+el8.4.0+10227+076cd560.s390x.rpm
softhsm-debuginfo-2.6.0-5.module+el8.4.0+10227+076cd560.s390x.rpm
softhsm-debugsource-2.6.0-5.module+el8.4.0+10227+076cd560.s390x.rpm
softhsm-devel-2.6.0-5.module+el8.4.0+10227+076cd560.s390x.rpm
x86_64:
bind-dyndb-ldap-11.6-2.module+el8.4.0+9328+4ec4e316.x86_64.rpm
bind-dyndb-ldap-debuginfo-11.6-2.module+el8.4.0+9328+4ec4e316.x86_64.rpm
bind-dyndb-ldap-debugsource-11.6-2.module+el8.4.0+9328+4ec4e316.x86_64.rpm
ipa-client-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpm
ipa-client-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64.rpm
ipa-client-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpm
ipa-client-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64.rpm
ipa-client-epn-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpm
ipa-client-epn-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64.rpm
ipa-client-samba-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpm
ipa-client-samba-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64.rpm
ipa-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpm
ipa-debuginfo-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64.rpm
ipa-debugsource-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpm
ipa-debugsource-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64.rpm
ipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpm
ipa-server-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpm
ipa-server-trust-ad-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpm
ipa-server-trust-ad-debuginfo-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64.rpm
opendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8.x86_64.rpm
opendnssec-debuginfo-2.1.7-1.module+el8.4.0+9007+5084bdd8.x86_64.rpm
opendnssec-debugsource-2.1.7-1.module+el8.4.0+9007+5084bdd8.x86_64.rpm
slapi-nis-0.56.6-1.module+el8.4.0+9005+f55ff3e7.x86_64.rpm
slapi-nis-debuginfo-0.56.6-1.module+el8.4.0+9005+f55ff3e7.x86_64.rpm
slapi-nis-debugsource-0.56.6-1.module+el8.4.0+9005+f55ff3e7.x86_64.rpm
softhsm-2.6.0-5.module+el8.4.0+10227+076cd560.x86_64.rpm
softhsm-debuginfo-2.6.0-5.module+el8.4.0+10227+076cd560.x86_64.rpm
softhsm-debugsource-2.6.0-5.module+el8.4.0+10227+076cd560.x86_64.rpm
softhsm-devel-2.6.0-5.module+el8.4.0+10227+076cd560.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-11023
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.4_release_notes/
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.