ELSA-2025-9188

Published: 18 Jun 2025
Source: oracle-oval
Platform: Oracle Linux 8

Description

ELSA-2025-9188: idm:DL1 security update (IMPORTANT)

bind-dyndb-ldap [11.6-6]

  • Fix rpminspect warnings Resolves: RHEL-22497

custodia

ipa [4.9.13-18.0.1]

  • Set IPAPLATFORM=rhel when building on Oracle Linux [Orabug: 29516674]

[4.9.13-18]

  • Set krbCanonicalName admin@REALM on the admin user Resolves: RHEL-89895

[4.9.13-17]

  • kdb: keep ipadb_get_connection() from succeeding with null LDAP context Resolves: RHEL-58453

ipa-healthcheck

opendnssec [2.1.7-2]

  • Don't create /var/run/opendnssec directory
  • Resolves: RHEL-12163

python-jwcrypto

python-kdcproxy [0.4-5.1]

  • Log KDC timeout only once per request Resolves: RHEL-68634

python-qrcode

python-yubico

pyusb

slapi-nis

softhsm

Updated packages

Oracle Linux 8

Oracle Linux aarch64

Module idm:DL1 is enabled

bind-dyndb-ldap

11.6-6.module+el8.10.0+90553+1bd85afa

custodia

0.6.0-3.module+el8.9.0+90094+20819f5a

ipa-client

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

ipa-client-common

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

ipa-client-epn

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

ipa-client-samba

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

ipa-common

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

ipa-healthcheck

0.12-5.module+el8.10.0+90621+268b66c9

ipa-healthcheck-core

0.12-5.module+el8.10.0+90621+268b66c9

ipa-python-compat

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

ipa-selinux

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

ipa-server

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

ipa-server-common

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

ipa-server-dns

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

ipa-server-trust-ad

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

opendnssec

2.1.7-2.module+el8.10.0+90553+1bd85afa

python3-custodia

0.6.0-3.module+el8.9.0+90094+20819f5a

python3-ipaclient

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

python3-ipalib

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

python3-ipaserver

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

python3-ipatests

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

python3-jwcrypto

0.5.0-2.module+el8.10.0+90573+7d6bd8da

python3-kdcproxy

0.4-5.module+el8.10.0+90553+1bd85afa.1

python3-pyusb

1.0.0-9.1.module+el8.9.0+90094+20819f5a

python3-qrcode

5.3-1.module+el8.10.0+90621+268b66c9

python3-qrcode-core

5.3-1.module+el8.10.0+90621+268b66c9

python3-yubico

1.3.2-9.1.module+el8.9.0+90094+20819f5a

slapi-nis

0.60.0-4.module+el8.10.0+90297+bfe93ccc

softhsm

2.6.0-5.module+el8.9.0+90094+20819f5a

softhsm-devel

2.6.0-5.module+el8.9.0+90094+20819f5a

Oracle Linux x86_64

Module idm:DL1 is enabled

bind-dyndb-ldap

11.6-6.module+el8.10.0+90553+1bd85afa

custodia

0.6.0-3.module+el8.9.0+90094+20819f5a

ipa-client

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

ipa-client-common

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

ipa-client-epn

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

ipa-client-samba

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

ipa-common

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

ipa-healthcheck

0.12-5.module+el8.10.0+90621+268b66c9

ipa-healthcheck-core

0.12-5.module+el8.10.0+90621+268b66c9

ipa-python-compat

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

ipa-selinux

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

ipa-server

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

ipa-server-common

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

ipa-server-dns

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

ipa-server-trust-ad

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

opendnssec

2.1.7-2.module+el8.10.0+90553+1bd85afa

python3-custodia

0.6.0-3.module+el8.9.0+90094+20819f5a

python3-ipaclient

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

python3-ipalib

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

python3-ipaserver

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

python3-ipatests

4.9.13-18.0.1.module+el8.10.0+90621+268b66c9

python3-jwcrypto

0.5.0-2.module+el8.10.0+90573+7d6bd8da

python3-kdcproxy

0.4-5.module+el8.10.0+90553+1bd85afa.1

python3-pyusb

1.0.0-9.1.module+el8.9.0+90094+20819f5a

python3-qrcode

5.3-1.module+el8.10.0+90621+268b66c9

python3-qrcode-core

5.3-1.module+el8.10.0+90621+268b66c9

python3-yubico

1.3.2-9.1.module+el8.9.0+90094+20819f5a

slapi-nis

0.60.0-4.module+el8.10.0+90297+bfe93ccc

softhsm

2.6.0-5.module+el8.9.0+90094+20819f5a

softhsm-devel

2.6.0-5.module+el8.9.0+90094+20819f5a

Related CVEs

Related vulnerabilities

CVSS3: 9.1
ubuntu
about 2 months ago

A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.

CVSS3: 9.1
redhat
about 2 months ago

A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.

CVSS3: 9.1
nvd
about 2 months ago

A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.

CVSS3: 9.1
debian
about 2 months ago

A privilege escalation from host to domain vulnerability was found in ...

CVSS3: 9.1
github
about 2 months ago

A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.