Although CVE-2025-4404 fixed the lack of verification for the uniqueness of the LDAP attribute krbCanonicalName in FreeIPA, it doesn't prevent to achieve the same privilege escalation by using the the root kbrcanonicalname.
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2025:17086 https://access.redhat.com/errata/RHSA-2025:17086
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Via RHSA-2025:17087 https://access.redhat.com/errata/RHSA-2025:17087
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2025:17085 https://access.redhat.com/errata/RHSA-2025:17085
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2025:17088 https://access.redhat.com/errata/RHSA-2025:17088
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2025:17084 https://access.redhat.com/errata/RHSA-2025:17084
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2025:17129 https://access.redhat.com/errata/RHSA-2025:17129
(In reply to errata-xmlrpc from comment #7) > This issue has been addressed in the following products: > > Red Hat Enterprise Linux 8 https://ozgames.io > > Via RHSA-2025:17129 https://access.redhat.com/errata/RHSA-2025:17129 Thanks for the update. Looks like this issue (CVE-2025-7493) has now been patched across multiple RHEL versions — 8, 9, 9.4 EUS, and 10 — through the respective errata (RHSA-2025:17084, 17085, 17088, and 17129). Good to see consistent coverage across supported releases. Just to confirm: does this fix fully address the LDAP krbCanonicalName privilege escalation vector mentioned in CVE-2025-4404, or are there additional mitigations required on FreeIPA deployments?
Please read the upstream release notes for 4.12.5, they have all the details. https://www.freeipa.org/release-notes/4-12-5.html The security releases in RHEL and Fedora follow those details in addressing both CVE-2025-4404 and CVE-2025-7493.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On Via RHSA-2025:17647 https://access.redhat.com/errata/RHSA-2025:17647
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Via RHSA-2025:17648 https://access.redhat.com/errata/RHSA-2025:17648
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions Red Hat Enterprise Linux 8.8 Telecommunications Update Service Via RHSA-2025:17645 https://access.redhat.com/errata/RHSA-2025:17645
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Red Hat Enterprise Linux 8.6 Telecommunications Update Service Via RHSA-2025:17646 https://access.redhat.com/errata/RHSA-2025:17646
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extended Lifecycle Support Via RHSA-2025:17649 https://access.redhat.com/errata/RHSA-2025:17649
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2025:20928 https://access.redhat.com/errata/RHSA-2025:20928
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2025:20994 https://access.redhat.com/errata/RHSA-2025:20994