FreeIPA: delegation rules allow a proxy service to impersonate any user to access another target service
A vulnerability was found in FreeIPA. The initial implementation of MS-SFU by MIT Kerberos was missing a condition for granting the "forwardable" flag on S4U2Self tickets. Fixing this mistake required adding a special case to the check_allowed_to_delegate() function: if the target service argument is NULL, the KDC is probing for general constrained delegation rules rather than checking a specific S4U2Proxy request. In FreeIPA 4.11.0, the behavior of ipadb_match_acl() was modified to match the changes from upstream MIT Kerberos 1.20. However, a mistake causes this mechanism to apply both when the target service argument is set and when it is unset. As a result, S4U2Proxy requests are accepted regardless of whether or not there is a matching service delegation rule.
Affected products
- *
- <4.12.1
- <4.11.2
- *
Matching in nixpkgs
pkgs.ipam
Cli based IPAM written in Go with PowerDNS support
- nixos-unstable -
- nixpkgs-unstable 0.3.0-1
pkgs.ipafont
Japanese font package with Mincho and Gothic fonts
- nixos-unstable -
- nixpkgs-unstable 003.03
pkgs.ipatool
Command-line tool that allows searching and downloading app packages (known as ipa files) from the iOS App Store
- nixos-unstable -
- nixpkgs-unstable 2.2.0
pkgs.codipack
Fast gradient evaluation in C++ based on Expression Templates
- nixos-unstable -
- nixpkgs-unstable 3.0.0
pkgs.gruut-ipa
Library for manipulating pronunciations using the International Phonetic Alphabet (IPA)
- nixos-unstable -
- nixpkgs-unstable 0.13.0
pkgs.ipaexfont
Japanese font package with Mincho and Gothic fonts
- nixos-unstable -
- nixpkgs-unstable 004.01
pkgs.uriparser
Strictly RFC 3986 compliant URI parsing library
- nixos-unstable -
- nixpkgs-unstable 0.9.8
pkgs.frangipanni
Convert lines of text into a tree structure
- nixos-unstable -
- nixpkgs-unstable 0.5.0
pkgs.ipad_charge
Apple device USB charging utility for Linux
- nixos-unstable -
- nixpkgs-unstable 2015-02-03
pkgs.nucleiparser
Nuclei output parser for CLI
- nixos-unstable -
- nixpkgs-unstable 0.2.1
pkgs.multipath-tools
Tools for the Linux multipathing storage driver
- nixos-unstable -
- nixpkgs-unstable 0.11.1
pkgs.ripasso-cursive
Simple password manager written in Rust
- nixos-unstable -
- nixpkgs-unstable 0.7.0
pkgs.multipart-parser-c
Http multipart parser implemented in C
- nixos-unstable -
- nixpkgs-unstable 2015-12-14
pkgs.haskellPackages.ipa
Internal Phonetic Alphabet (IPA)
- nixos-unstable -
- nixpkgs-unstable 0.3.1.1
pkgs.python312Packages.nipap
Neat IP Address Planner
- nixos-unstable -
- nixpkgs-unstable 0.32.7
pkgs.python313Packages.nipap
Neat IP Address Planner
- nixos-unstable -
- nixpkgs-unstable 0.32.7
pkgs.python312Packages.ipaddr
IP address manipulation library
- nixos-unstable -
- nixpkgs-unstable 2.2.0
pkgs.python312Packages.ipadic
Contemporary Written Japanese dictionary
- nixos-unstable -
- nixpkgs-unstable 1.0.0
pkgs.python313Packages.ipaddr
IP address manipulation library
- nixos-unstable -
- nixpkgs-unstable 2.2.0
pkgs.python313Packages.ipadic
Contemporary Written Japanese dictionary
- nixos-unstable -
- nixpkgs-unstable 1.0.0
pkgs.haskellPackages.multipart
Parsers for the HTTP multipart format
- nixos-unstable -
- nixpkgs-unstable 0.2.1
pkgs.python312Packages.pynipap
Python client library for Neat IP Address Planner
- nixos-unstable -
- nixpkgs-unstable 0.32.7
pkgs.python313Packages.pynipap
Python client library for Neat IP Address Planner
- nixos-unstable -
- nixpkgs-unstable 0.32.7
pkgs.python312Packages.iniparse
Accessing and Modifying INI files
- nixos-unstable -
- nixpkgs-unstable 0.5
pkgs.python313Packages.iniparse
Accessing and Modifying INI files
- nixos-unstable -
- nixpkgs-unstable 0.5
pkgs.graylogPlugins.ipanonymizer
Graylog-server plugin that replaces the last octet of IP addresses in messages with xxx
- nixos-unstable -
- nixpkgs-unstable 1.1.2
pkgs.haskellPackages.unipatterns
Helpers which allow safe partial pattern matching in lambdas
- nixos-unstable -
- nixpkgs-unstable 0.0.0.0
pkgs.python312Packages.gruut-ipa
Library for manipulating pronunciations using the International Phonetic Alphabet (IPA)
- nixos-unstable -
- nixpkgs-unstable 0.13.0
pkgs.python312Packages.multipart
Parser for multipart/form-data
- nixos-unstable -
- nixpkgs-unstable 1.3.0
pkgs.python313Packages.gruut-ipa
Library for manipulating pronunciations using the International Phonetic Alphabet (IPA)
- nixos-unstable -
- nixpkgs-unstable 0.13.0
pkgs.python313Packages.multipart
Parser for multipart/form-data
- nixos-unstable -
- nixpkgs-unstable 1.3.0
pkgs.typstPackages.ascii-ipa_1_0_0
Converter for ASCII representations of the International Phonetic Alphabet (IPA
- nixos-unstable -
- nixpkgs-unstable 1.0.0
pkgs.typstPackages.ascii-ipa_1_1_0
Converter for ASCII representations of the International Phonetic Alphabet (IPA
- nixos-unstable -
- nixpkgs-unstable 1.1.0
pkgs.typstPackages.ascii-ipa_1_1_1
Converter for ASCII representations of the International Phonetic Alphabet (IPA
- nixos-unstable -
- nixpkgs-unstable 1.1.1
pkgs.typstPackages.ascii-ipa_2_0_0
Converter for ASCII representations of the International Phonetic Alphabet (IPA
- nixos-unstable -
- nixpkgs-unstable 2.0.0
pkgs.haskellPackages.multipart-names
Handling of multipart names in various casing styles
- nixos-unstable -
- nixpkgs-unstable 0.0.1
pkgs.haskellPackages.servant-multipart
multipart/form-data (e.g file upload) support for servant
- nixos-unstable -
- nixpkgs-unstable 0.12.1
pkgs.python312Packages.flask-principal
Identity management for flask
- nixos-unstable -
- nixpkgs-unstable 0.4.0
pkgs.python312Packages.types-ipaddress
Typing stubs for ipaddress
- nixos-unstable -
- nixpkgs-unstable 1.0.8
pkgs.python313Packages.flask-principal
Identity management for flask
- nixos-unstable -
- nixpkgs-unstable 0.4.0
pkgs.python313Packages.types-ipaddress
Typing stubs for ipaddress
- nixos-unstable -
- nixpkgs-unstable 1.0.8
pkgs.python312Packages.cached-ipaddress
Cache construction of ipaddress objects
- nixos-unstable -
- nixpkgs-unstable 0.10.0
pkgs.python312Packages.python-multipart
Streaming multipart parser for Python
- nixos-unstable -
- nixpkgs-unstable 0.0.20
pkgs.python312Packages.python-vipaccess
Free software implementation of Symantec's VIP Access application and protocol
- nixos-unstable -
- nixpkgs-unstable 0.14.2
pkgs.python312Packages.sansio-multipart
Parser for multipart/form-data
- nixos-unstable -
- nixpkgs-unstable 0.3
pkgs.python313Packages.cached-ipaddress
Cache construction of ipaddress objects
- nixos-unstable -
- nixpkgs-unstable 0.10.0
pkgs.python313Packages.python-multipart
Streaming multipart parser for Python
- nixos-unstable -
- nixpkgs-unstable 0.0.20
pkgs.python313Packages.python-vipaccess
Free software implementation of Symantec's VIP Access application and protocol
- nixos-unstable -
- nixpkgs-unstable 0.14.2
pkgs.python313Packages.sansio-multipart
Parser for multipart/form-data
- nixos-unstable -
- nixpkgs-unstable 0.3
pkgs.haskellPackages.http-client-multipart
Generate multipart uploads for http-client. (deprecated)
- nixos-unstable -
- nixpkgs-unstable 0.3.0.0
pkgs.haskellPackages.servant-multipart-api
multipart/form-data (e.g file upload) support for servant
- nixos-unstable -
- nixpkgs-unstable 0.12.1
pkgs.haskellPackages.servant-multipart-client
multipart/form-data (e.g file upload) support for servant
- nixos-unstable -
- nixpkgs-unstable 0.12.2
pkgs.python312Packages.nested-multipart-parser
Parser for nested data for 'multipart/form'
- nixos-unstable -
- nixpkgs-unstable 1.5.0
pkgs.python313Packages.nested-multipart-parser
Parser for nested data for 'multipart/form'
- nixos-unstable -
- nixpkgs-unstable 1.5.0
pkgs.haskellPackages.amazonka-connectparticipant
Amazon Connect Participant Service SDK
- nixos-unstable -
- nixpkgs-unstable 2.0
pkgs.haskellPackages.autodocodec-servant-multipart
Autodocodec interpreters for Servant Multipart
- nixos-unstable -
- nixpkgs-unstable 0.0.0.1
pkgs.python312Packages.mypy-boto3-connectparticipant
Type annotations for boto3 connectparticipant
- nixos-unstable -
- nixpkgs-unstable boto3-connectparticipant-1.40.18
pkgs.python313Packages.mypy-boto3-connectparticipant
Type annotations for boto3 connectparticipant
- nixos-unstable -
- nixpkgs-unstable boto3-connectparticipant-1.40.18
pkgs.chickenPackages_5.chickenEggs.multipart-form-data
Reads & decodes HTTP multipart/form-data requests.
- nixos-unstable -
- nixpkgs-unstable 0.2
pkgs.python312Packages.types-aiobotocore-connectparticipant
Type annotations for aiobotocore connectparticipant
- nixos-unstable -
- nixpkgs-unstable 2.23.2
pkgs.python313Packages.types-aiobotocore-connectparticipant
Type annotations for aiobotocore connectparticipant
- nixos-unstable -
- nixpkgs-unstable 2.23.2
pkgs.python312Packages.microsoft-kiota-serialization-multipart
Multipart serialization implementation for Kiota clients in Python
- nixos-unstable -
- nixpkgs-unstable 1.9.5
pkgs.python313Packages.microsoft-kiota-serialization-multipart
Multipart serialization implementation for Kiota clients in Python
- nixos-unstable -
- nixpkgs-unstable 1.9.5
Package maintainers
- @athas Troels Henriksen <athas@sigkill.dk>
- @siraben Siraphob Phipathananunth <bensiraphob@gmail.com>
- @benley Benjamin Staffin <benley@gmail.com>
- @s1341 Shmarya Rubenstein <s1341@shmarya.net>
- @fadenb Tristan Helmich <tristan.helmich+nixos@gmail.com>
- @Mic92 Jörg Thalheim <joerg@thalheim.io>
- @stephen-huan Stephen Huan <stephen.huan@cgdct.moe>
- @auntieNeo Jonathan Glines <auntieNeo@gmail.com>
- @gaelreyrol Gaël Reyrol <me@gaelreyrol.dev>
- @lukegb Luke Granger-Brown <nix@lukegb.com>
- @fabaff Fabian Affolter <mail@fabian-affolter.ch>
- @danbst Danylo Hlynskyi <abcz2.uprola@gmail.com>
- @astro Astro <astro@spaceboyz.net>
- @Laurent2916 Laurent Fainsin <laurent.nixpkgs@fainsin.bzh>
- @dotlambda Robert Schütz <rschuetz17@gmail.com>
- @mbalatsko Maksym Balatsko <mbalatsko@gmail.com>
- @risicle Robert Scott <code@humanleg.org.uk>
- @herrwiese Andreas Wiese <aw-nixos@meterriblecrew.net>
- @jpetrucciani Jacobi Petrucciani <j@cobi.dev>
- @stigtsp Stig Palmquist <stig@stig.io>
- @luftmensch-luftmensch Valentino Bocchetti <valentinobocchetti59@gmail.com>
- @L-Trump Luo Chen <ltrump@163.com>
- @cherrypiejam Gongqi Huang
- @bosu Boris Sukholitko <boriss@gmail.com>