Synopsis: Moderate: ipa security and bug fix update
Issue Date: 2011-12-06
CVE Numbers: CVE-2011-3636
A Cross-Site Request Forgery (CSRF) flaw was found in IPA.
If a remote attacker could trick a user, who was logged into
the management web interface, into visiting a specially-crafted URL, the
attacker could perform Red Hat Identity Management configuration changes
with the privileges of the logged-in user. (CVE-2011-3636)
Due to the changes required to fix CVE-2011-3636, client tools will need to
be updated for client systems to communicate with updated IPA servers.
New client systems will need to have the updated ipa-client package installed
to be enrolled. Already enrolled client systems will need to have the updated
certmonger package installed to be able to renew their system certificate. Note
that system certificates are valid for two years by default.
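The flaw above is the classic CSRF pattern: the browser attaches the user's session cookie to any request aimed at the server, whether the request was started by the IPA web interface or by a page on another site. The following is an added illustration of the server-side check that defeats this, written for this advisory and not taken from IPA's own code. The origin name, header names, and token values are constructed for the example; a real server would take its own origin from configuration and the token from the authenticated session.

```python
from urllib.parse import urlsplit
import hmac

# Assumption: the management web interface is served from this origin.
SERVER_ORIGIN = "https://ipa.example.test"


def same_origin(header_value, expected_origin):
    """True only when a Referer/Origin header names exactly the server's origin.

    Comparing scheme and host:port as a pair, rather than checking a string
    prefix, avoids accepting look-alike hosts such as ipa.example.test.evil.example.
    """
    if not header_value:
        return False
    given = urlsplit(header_value)
    expected = urlsplit(expected_origin)
    return (given.scheme, given.netloc) == (expected.scheme, expected.netloc)


def is_state_change_allowed(headers, session_csrf_token, expected_origin=SERVER_ORIGIN):
    """Decide whether a cookie-authenticated, state-changing request may proceed.

    Either of two independent signals proves the request came from the
    server's own pages rather than from a third-party site:
      1. A per-session anti-CSRF token echoed back in a custom request header.
         A page on another origin cannot read the token, so it cannot forge it.
      2. The browser-supplied Origin header (or, when absent, Referer) naming
         this server. A cross-site navigation carries the other site's origin.
    A request carrying neither is rejected, which is the conservative choice.
    """
    token = headers.get("X-CSRF-Token")
    if token is not None and hmac.compare_digest(token, session_csrf_token):
        return True
    origin = headers.get("Origin") or headers.get("Referer")
    return same_origin(origin, expected_origin)


def demo():
    """Run the check over three constructed requests and return the verdicts."""
    session_token = "c0ffee-session-token"  # constructed value for the example
    # Legitimate call made by the web interface's own JavaScript.
    legit = {"Origin": SERVER_ORIGIN, "X-CSRF-Token": session_token}
    # Cross-site navigation: the cookie rides along automatically, but the
    # Referer names the third-party page and no token is present.
    cross_site = {"Referer": "https://evil.example.test/page.html"}
    # A client that sends no origin information and no token at all.
    blind = {}
    return (
        is_state_change_allowed(legit, session_token),
        is_state_change_allowed(cross_site, session_token),
        is_state_change_allowed(blind, session_token),
    )


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Note the behaviour of the third case: a client that presents neither the token nor an acceptable origin is refused, which is why a server-side change of this kind also forces existing non-browser clients to be updated so that they send whatever the hardened server now requires.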
– Scientific Linux Development Team