Add release notes for security releases

Security releases for CVE-2023-5455. Signed-off-by: Antonio Torres <antorres@redhat.com>
freeipa · Jan 10, 2024 · ffdc132 · ffdc132
1 parent f61a5e4
commit ffdc132
Show file tree

Hide file tree

Showing 5 changed files with 330 additions and 0 deletions.
diff --git a/src/index.rst b/src/index.rst
@@ -52,6 +52,10 @@ Releases
 .. toctree::
    :titlesonly:
 
+   /release-notes/4-11-1.rst
+   /release-notes/4-10-3.rst
+   /release-notes/4-9-14.rst
+   /release-notes/4-6-10.rst
    /release-notes/4-9-13.rst
    /release-notes/4-11-0.rst
    /release-notes/4-11-0-beta.rst

diff --git a/src/release-notes/4-10-3.rst b/src/release-notes/4-10-3.rst
@@ -0,0 +1,79 @@
+FreeIPA 4.10.3
+==============
+
+.. raw:: mediawiki
+
+   {{ReleaseDate|2024-01-10}}
+
+The FreeIPA team would like to announce FreeIPA 4.10.3 release!
+
+It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
+for Fedora distributions will be available from the official repository
+soon.
+
+.. _highlights_in_4.10.3:
+
+Highlights in 4.10.3
+--------------------
+
+-  CVE-2023-5455
+
+During community penetration testing it was found that for certain HTTP
+end-points FreeIPA does not ensure CSRF protection. Due to
+implementation details one cannot use this flaw for reflection of a
+cookie representing already logged-in user. An attacker would always
+have to go through a new authentication attempt.
+
+The overall severity of this issue is marked as MODERATE by Red Hat
+Product Security. FreeIPA team would like to thank Egor Uvarov for
+discovering and reporting this issue.
+
+Bug fixes
+~~~~~~~~~
+
+FreeIPA 4.10.3 is a security fix release.
+
+Details of the bug-fixes can be seen in the list of resolved tickets
+below.
+
+Upgrading
+---------
+
+Upgrade instructions are available on
+`Upgrade <https://www.freeipa.org/page/Upgrade>`__ page.
+
+Feedback
+--------
+
+Please provide comments, bugs and other feedback via the freeipa-users
+mailing list
+(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/)
+or #freeipa channel on libera.chat.
+
+.. _resolved_tickets:
+
+Resolved tickets
+----------------
+
+.. _detailed_changelog_since_4.10.3:
+
+Detailed changelog since 4.10.2
+-------------------------------
+
+.. _antonio_torres_1:
+
+Antonio Torres (1)
+~~~~~~~~~~~~~~~~~~
+
+-  Become IPA 4.10.3
+   `commit <https://pagure.io/freeipa/c/74710a8ed24b4b8a14a07ca0642507d260039b30>`__
+
+.. _rob_crittenden_2:
+
+Rob Crittenden (2)
+~~~~~~~~~~~~~~~~~~
+
+-  Integration tests for verifying Referer header in the UI
+   `commit <https://pagure.io/freeipa/c/48ec350051ead9c17e58a91405b3ab6935347f1b>`__
+-  Check the HTTP Referer header on all requests
+   `commit <https://pagure.io/freeipa/c/363fd5de98e883800ac08b2760e8c3150783e7e2>`__
diff --git a/src/release-notes/4-11-1.rst b/src/release-notes/4-11-1.rst
@@ -0,0 +1,79 @@
+FreeIPA 4.11.1
+==============
+
+.. raw:: mediawiki
+
+   {{ReleaseDate|2024-01-10}}
+
+The FreeIPA team would like to announce FreeIPA 4.11.1 release!
+
+It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
+for Fedora distributions will be available from the official repository
+soon.
+
+.. _highlights_in_4.11.1:
+
+Highlights in 4.11.1
+--------------------
+
+-  CVE-2023-5455
+
+During community penetration testing it was found that for certain HTTP
+end-points FreeIPA does not ensure CSRF protection. Due to
+implementation details one cannot use this flaw for reflection of a
+cookie representing already logged-in user. An attacker would always
+have to go through a new authentication attempt.
+
+The overall severity of this issue is marked as MODERATE by Red Hat
+Product Security. FreeIPA team would like to thank Egor Uvarov for
+discovering and reporting this issue.
+
+Bug fixes
+~~~~~~~~~
+
+FreeIPA 4.11.1 is a security fix release.
+
+Details of the bug-fixes can be seen in the list of resolved tickets
+below.
+
+Upgrading
+---------
+
+Upgrade instructions are available on
+`Upgrade <https://www.freeipa.org/page/Upgrade>`__ page.
+
+Feedback
+--------
+
+Please provide comments, bugs and other feedback via the freeipa-users
+mailing list
+(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/)
+or #freeipa channel on libera.chat.
+
+.. _resolved_tickets:
+
+Resolved tickets
+----------------
+
+.. _detailed_changelog_since_4.11.0:
+
+Detailed changelog since 4.11.0
+-------------------------------
+
+.. _antonio_torres_1:
+
+Antonio Torres (1)
+~~~~~~~~~~~~~~~~~~
+
+-  Become IPA 4.11.1
+   `commit <https://pagure.io/freeipa/c/e18ac3538e2f06f82a1f4eda7980e56e91017d47>`__
+
+.. _rob_crittenden_2:
+
+Rob Crittenden (2)
+~~~~~~~~~~~~~~~~~~
+
+-  Integration tests for verifying Referer header in the UI
+   `commit <https://pagure.io/freeipa/c/e4ae6881da3cdfb2be35300ab1326313bac256d5>`__
+-  Check the HTTP Referer header on all requests
+   `commit <https://pagure.io/freeipa/c/08e6fb3a2c1d28dc7efcd3395aaf4b705fec4305>`__
diff --git a/src/release-notes/4-6-10.rst b/src/release-notes/4-6-10.rst
@@ -0,0 +1,81 @@
+FreeIPA 4.6.10
+==============
+
+.. raw:: mediawiki
+
+   {{ReleaseDate|2024-01-10}}
+
+The FreeIPA team would like to announce FreeIPA 4.6.10 release!
+
+It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
+for Fedora distributions will be available from the official repository
+soon.
+
+.. _highlights_in_4.6.10:
+
+Highlights in 4.6.10
+--------------------
+
+-  CVE-2023-5455
+
+During community penetration testing it was found that for certain HTTP
+end-points FreeIPA does not ensure CSRF protection. Due to
+implementation details one cannot use this flaw for reflection of a
+cookie representing already logged-in user. An attacker would always
+have to go through a new authentication attempt.
+
+The overall severity of this issue is marked as MODERATE by Red Hat
+Product Security. FreeIPA team would like to thank Egor Uvarov for
+discovering and reporting this issue.
+
+.. _bug_fixes:
+
+Bug fixes
+~~~~~~~~~
+
+FreeIPA 4.6.10 is a security fix release.
+
+Details of the bug-fixes can be seen in the list of resolved tickets
+below.
+
+Upgrading
+---------
+
+Upgrade instructions are available on
+`Upgrade <https://www.freeipa.org/page/Upgrade>`__ page.
+
+Feedback
+--------
+
+Please provide comments, bugs and other feedback via the freeipa-users
+mailing list
+(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/)
+or #freeipa channel on libera.chat.
+
+.. _resolved_tickets:
+
+Resolved tickets
+----------------
+
+.. _detailed_changelog_since_4.6.9:
+
+Detailed changelog since 4.6.9
+------------------------------
+
+.. _antonio_torres_1:
+
+Antonio Torres (1)
+~~~~~~~~~~~~~~~~~~
+
+-  Become IPA 4.6.10
+   `commit <https://pagure.io/freeipa/c/9c617675d6676fcdb0e9d67fed6bb801e0066bfe>`__
+
+.. _florence_blanc_renaud_2:
+
+Florence Blanc-Renaud (2)
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  Integration tests for verifying Referer header in the UI
+   `commit <https://pagure.io/freeipa/c/c86dcf42bc7109baacb17642753fb6c597c6325a>`__
+-  Check the HTTP Referer header on all requests
+   `commit <https://pagure.io/freeipa/c/cc3a1dbdbcbf7f5c73c472068dad68d8abb6b677>`__
diff --git a/src/release-notes/4-9-14.rst b/src/release-notes/4-9-14.rst
@@ -0,0 +1,87 @@
+FreeIPA 4.9.14
+==============
+
+.. raw:: mediawiki
+
+   {{ReleaseDate|2024-01-10}}
+
+The FreeIPA team would like to announce FreeIPA 4.9.14 release!
+
+It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
+for Fedora distributions will be available from the official repository
+soon.
+
+.. _highlights_in_4.9.14:
+
+Highlights in 4.9.14
+--------------------
+
+-  CVE-2023-5455
+
+During community penetration testing it was found that for certain HTTP
+end-points FreeIPA does not ensure CSRF protection. Due to
+implementation details one cannot use this flaw for reflection of a
+cookie representing already logged-in user. An attacker would always
+have to go through a new authentication attempt.
+
+The overall severity of this issue is marked as MODERATE by Red Hat
+Product Security. FreeIPA team would like to thank Egor Uvarov for
+discovering and reporting this issue.
+
+Bug fixes
+~~~~~~~~~
+
+FreeIPA 4.9.14 is a security fix release.
+
+Details of the bug-fixes can be seen in the list of resolved tickets
+below.
+
+Upgrading
+---------
+
+Upgrade instructions are available on
+`Upgrade <https://www.freeipa.org/page/Upgrade>`__ page.
+
+Feedback
+--------
+
+Please provide comments, bugs and other feedback via the freeipa-users
+mailing list
+(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/)
+or #freeipa channel on libera.chat.
+
+.. _resolved_tickets:
+
+Resolved tickets
+----------------
+
+.. _detailed_changelog_since_4.9.13:
+
+Detailed changelog since 4.9.13
+-------------------------------
+
+.. _antonio_torres_1:
+
+Antonio Torres (1)
+~~~~~~~~~~~~~~~~~~
+
+-  Become IPA 4.9.14
+   `commit <https://pagure.io/freeipa/c/deec13573d02c9e7eabd19201b7adb1e1eccd7e3>`__
+
+.. _julien_rische_1:
+
+Julien Rische (1)
+~~~~~~~~~~~~~~~~~
+
+-  ipa-kdb: Detect and block Bronze-Bit attacks
+   `commit <https://pagure.io/freeipa/c/5854b7381c7ee683d1437058cc7632f1034551ed>`__
+
+.. _rob_crittenden_2:
+
+Rob Crittenden (2)
+~~~~~~~~~~~~~~~~~~
+
+-  Integration tests for verifying Referer header in the UI
+   `commit <https://pagure.io/freeipa/c/51eb02a7758d5be8ad7ae9c402dc44dc19da93ab>`__
+-  Check the HTTP Referer header on all requests
+   `commit <https://pagure.io/freeipa/c/fc30a0f0356e632d23e9064d6770234201794781>`__