authorMartin Kosek <mkosek@redhat.com>2011-08-11 10:42:29 +0200
committerEndi S. Dewata <edewata@redhat.com>2011-08-11 22:07:16 +0000
commita1c690cc02a021bc400be00808dcf8463744c083 (patch)
tree9000e2da51e399cf278885609cf4438051e14496
parentbb31d3df2190edef181799bf2c159f4c986fcece (diff)
Fix client enrollment
Enable GSSAPI credentials delegation in xmlrpc-c/curl to fix client enrollment. Unconditional GSSAPI credentials delegation was previously dropped from curl because of CVE-2011-2192.
https://fedorahosted.org/freeipa/ticket/1452
-rw-r--r--freeipa.spec.in29
-rw-r--r--ipa-client/ipa-join.c4
2 files changed, 30 insertions, 3 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5dda811..cbc0f50 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -36,8 +36,18 @@ BuildRequires: openldap-devel
BuildRequires: krb5-devel
BuildRequires: krb5-workstation
BuildRequires: libuuid-devel
-BuildRequires: xmlrpc-c-devel
+%if 0%{?fedora} >= 16
+BuildRequires: libcurl-devel >= 7.21.7-2
+BuildRequires: xmlrpc-c-devel >= 1.27.4
+%else
+%if 0%{?fedora} == 15
+BuildRequires: libcurl-devel >= 7.21.3-9
+BuildRequires: xmlrpc-c-devel >= 1.25.4
+%else
BuildRequires: libcurl-devel
+BuildRequires: xmlrpc-c-devel
+%endif
+%endif
BuildRequires: popt-devel
BuildRequires: autoconf
BuildRequires: automake
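Review bot: The innermost `%else` branch of this hunk leaves `libcurl-devel` and `xmlrpc-c-devel` unversioned, so on any build target that is neither Fedora 15 nor Fedora 16+ nothing guarantees that the `gssapi_delegation` transport parameter exists, although ipa-join.c now sets it unconditionally. An older xmlrpc-c-devel would presumably fail to compile there, and the runtime `Requires:` block in the next hunk has the same gap. A comment above the conditional saying what the minimum versions provide would help the next packager, for example `# minimum NVRs carrying GSSAPI delegation support (see CVE-2011-2192)`. A configure-time check for the struct member would cover the unversioned case.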
@@ -150,7 +160,18 @@ Requires: krb5-workstation
Requires: authconfig
Requires: pam_krb5
Requires: wget
-Requires: xmlrpc-c
+%if 0%{?fedora} >= 16
+Requires: libcurl >= 7.21.7-2
+Requires: xmlrpc-c >= 1.27.4
+%else
+%if 0%{?fedora} == 15
+Requires: libcurl >= 7.21.3-9
+Requires: xmlrpc-c >= 1.25.4
+%else
+Requires: libcurl
+Requires: xmlrpc-c
+%endif
+%endif
Requires: sssd >= 1.5.1
Requires: certmonger >= 0.26
Requires: nss-tools
@@ -514,6 +535,10 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
%changelog
+* Thu Aug 11 2011 Martin Kosek <mkosek@redhat.com> - 2.0.90-11
+- Set min nvr of xmlrpc-c and libcurl to make sure GSSAPI delegation
+ support is in
+
* Tue Aug 2 2011 Endi S. Dewata <edewata@redhat.com> - 2.0.90-10
- Add *.ico files
diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c
index 95f2939..f6ca693 100644
--- a/ipa-client/ipa-join.c
+++ b/ipa-client/ipa-join.c
@@ -149,11 +149,13 @@ callRPC(xmlrpc_env * const envP,
curlXportParmsP->no_ssl_verifypeer = 1;
curlXportParmsP->no_ssl_verifyhost = 1;
curlXportParmsP->cainfo = "/etc/ipa/ca.crt";
+ /* Enable GSSAPI credentials delegation */
+ curlXportParmsP->gssapi_delegation = 1;
clientparms.transport = "curl";
clientparms.transportparmsP = (struct xmlrpc_xportparms *)
curlXportParmsP;
- clientparms.transportparm_size = XMLRPC_CXPSIZE(cainfo);
+ clientparms.transportparm_size = XMLRPC_CXPSIZE(gssapi_delegation);
xmlrpc_client_create(envP, XMLRPC_CLIENT_NO_FLAGS, NAME, VERSION,
&clientparms, sizeof(clientparms),
&clientP);
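Review bot: The added `gssapi_delegation = 1` turns on Kerberos credential delegation for a transport that, in the context lines directly above, sets both `no_ssl_verifypeer = 1` and `no_ssl_verifyhost = 1`. The forwarded credentials are therefore protected only by Kerberos mutual authentication, not by the TLS session, even though `cainfo` already points at `/etc/ipa/ca.crt`. Delegation is also unconditional for every request made through callRPC, which is the behaviour CVE-2011-2192 removed from curl's defaults, so the comment should state why it is needed and what limits it, e.g. `/* Delegate credentials so the server can act for the caller during join; TLS verification is disabled above, so this relies on Kerberos authenticating the server */`. If the CA file is already in place when callRPC runs (not visible here), consider setting `curlXportParmsP->no_ssl_verifypeer = 0;` and `curlXportParmsP->no_ssl_verifyhost = 0;` before enabling delegation. callRPC starts and ends outside this hunk, so how the server URL is chosen cannot be checked from here.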