d4d8b98 Secure AJP connector between Dogtag and Apache proxy

7 files. Authored by abbra 4 years ago, committed by frenaud 4 years ago.
    Secure AJP connector between Dogtag and Apache proxy
    
    AJP implementation in Tomcat is vulnerable to CVE-2020-1938 if used
    without shared secret. Set up a shared secret between localhost
    connector and Apache mod_proxy_ajp pass-through.
    
    For existing secured AJP pass-through make sure the option used for
    configuration on the Tomcat side is up to date. Tomcat 9.0.31.0
    deprecated 'requiredSecret' option name in favor of 'secret'. Details
    can be found at https://tomcat.apache.org/migration-9.html#Upgrading_9.0.x
    
    Fixes: https://pagure.io/freeipa/issue/8221
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
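
As an added example (not code from this commit or from FreeIPA): a Python check that compares both ends of the AJP pass-through the message describes, flagging a Tomcat AJP connector with no secret, one still using the deprecated `requiredSecret` name, and an Apache `ProxyPass` `secret=` value that does not match. The sample configs, ports, paths, secret values and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configs: ports, paths and secret values are placeholders.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" address="localhost"/>
  <Connector port="8010" protocol="AJP/1.3" requiredSecret="PLACEHOLDER-A"/>
  <Connector port="8011" protocol="AJP/1.3" secret="PLACEHOLDER-B"/>
  <Connector port="8012" protocol="AJP/1.3" secret="PLACEHOLDER-C"/>
</Service></Server>"""
SAMPLE_HTTPD_CONF = """\
ProxyPassMatch ^/app1 ajp://localhost:8009
ProxyPassMatch ^/app2 ajp://localhost:8010 secret=PLACEHOLDER-A
ProxyPassMatch ^/app3 ajp://localhost:8011 secret=PLACEHOLDER-B
ProxyPassMatch ^/app4 ajp://localhost:8012 secret=STALE-VALUE
"""

def tomcat_ajp_secrets(server_xml):
    """Map AJP connector port -> (option name, value); (None, None) if unset."""
    out = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" in conn.get("protocol", "").lower():
            # Prefer the current option name, fall back to the deprecated one.
            opt = next((o for o in ("secret", "requiredSecret") if conn.get(o)), None)
            out[conn.get("port")] = (opt, conn.get(opt) if opt else None)
    return out

def httpd_ajp_secrets(httpd_conf):
    """Map backend port -> secret= value (None if absent) on ajp:// ProxyPass lines."""
    out = {}
    pat = re.compile(r"^\s*ProxyPass(?:Match)?\s+\S+\s+ajp://[^:\s/]+:(\d+)\S*(.*)$", re.I | re.M)
    for port, params in pat.findall(httpd_conf):
        m = re.search(r"\bsecret=(\S+)", params)
        out[port] = m.group(1) if m else None
    return out

def audit(server_xml, httpd_conf):
    """Return {port: finding} comparing both ends of the AJP pass-through."""
    proxy = httpd_ajp_secrets(httpd_conf)
    result = {}
    for port, (opt, value) in tomcat_ajp_secrets(server_xml).items():
        if value is None:
            result[port] = "no-secret"          # connector accepts unauthenticated AJP
        elif proxy.get(port) != value:
            result[port] = "proxy-mismatch"     # Apache side missing or stale secret
        else:
            result[port] = "deprecated-option" if opt == "requiredSecret" else "ok"
    return result
```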
    
        