author | Martin Kosek <mkosek@redhat.com> | 2013-07-26 10:58:52 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2013-07-26 12:51:10 +0200 |
commit | 6a0aabede5875ad23dab777d0c2f6bac05fa2599 (patch) | |
tree | 9910c39430ab1c922e0d96d1f341f28af5b6a08a | |
parent | 8a41b64a8c2f77d5d1245884cb7ef3d0a2e81f93 (diff) | |
Free NSS objects in --external-ca scenario
In external CA installation, ipa-server-install leaked NSS objects
which caused an installation crash later when a subsequent call of
NSSConnection tried to free them.
Properly freeing the NSS objects avoids this crash.
https://fedorahosted.org/freeipa/ticket/3773
-rw-r--r-- | freeipa.spec.in | 5 | ||||
-rwxr-xr-x | install/tools/ipa-server-install | 5 |
2 files changed, 9 insertions, 1 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in index 1b8122df..0afcdae8 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -134,7 +134,7 @@ Requires(post): systemd-units Requires: selinux-policy >= 3.12.1-65 Requires(post): selinux-policy-base Requires: slapi-nis >= 0.44 -Requires: pki-ca >= 10.0.2 +Requires: pki-ca >= 10.0.4 Requires: dogtag-pki-server-theme %if 0%{?rhel} Requires: subscription-manager @@ -829,6 +829,9 @@ fi %endif # ! %{ONLY_CLIENT} %changelog +* Fri Jul 26 2013 Martin Kosek <mkosek@redhat.com> - 3.2.99-12 +- Require pki-ca 10.0.4 which fixes external CA installation (#986901) + * Wed Jul 24 2013 Petr Viktorin <pviktori@redhat.com> - 3.2.99-11 - Add tar and xz dependencies to freeipa-tests diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 672369c5..fafa14ea 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -698,18 +698,23 @@ def main(): sys.exit(1) certdict = dict((DN(str(cert.subject)), cert) for cert in extchain) + del extchain certissuer = DN(str(extcert.issuer)) if certissuer not in certdict: print "The external certificate is not signed by the external CA (unknown issuer %s)." % certissuer sys.exit(1) cert = extcert + del extcert while cert.issuer != cert.subject: certissuer = DN(str(cert.issuer)) if certissuer not in certdict: print "The external CA chain is incomplete (%s is missing from the chain)." % certissuer sys.exit(1) + del cert cert = certdict[certissuer] + del certdict + del cert # We only set up the CA if the PKCS#12 options are not given. if options.dirsrv_pkcs12: |
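Review bot: The `pki-ca >= 10.0.4` bump in the first freeipa.spec.in hunk is not mentioned in the commit message, and the changelog entry cites #986901 while the message links ticket 3773. Say in the commit message that the fix also needs the newer pki-ca, and give both identifiers in one place so the dependency change can be traced from the log.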
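Review bot: The `del` statements in the install/tools/ipa-server-install hunk carry no comment, so they read as redundant and a later cleanup could drop them and bring the crash back. Add a short comment above `del extchain` saying that the NSS certificate objects have to be released here because a subsequent NSSConnection call tries to free them, with the ticket number. The `del cert` inside the `while` loop is followed directly by `cert = certdict[certissuer]`, which already drops the old reference, so that one looks unnecessary. Moving the chain check out of `main()` into a helper function would let these locals go out of scope on return instead of depending on each individual `del`.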