[rhelv6-list] [RHSA-2018:1979-01] Moderate: pki-core security, bug fix, and enhancement update

Pat Riehecky riehecky at fnal.gov
Tue Jun 26 19:07:41 UTC 2018


Building this requires a newer version of nuxwdog than is in the source 
repo.

Pat

On 06/26/2018 11:51 AM, Security announcements for all Red Hat products 
and services. wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> =====================================================================
>                     Red Hat Security Advisory
>
> Synopsis:          Moderate: pki-core security, bug fix, and enhancement update
> Advisory ID:       RHSA-2018:1979-01
> Product:           Red Hat Enterprise Linux
> Advisory URL:      https://access.redhat.com/errata/RHSA-2018:1979
> Issue date:        2018-06-26
> CVE Names:         CVE-2018-1080
> =====================================================================
>
> 1. Summary:
>
> An update for pki-core is now available for Red Hat Enterprise Linux 7.
>
> Red Hat Product Security has rated this update as having a security impact
> of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
> gives a detailed severity rating, is available for each vulnerability from
> the CVE link(s) in the References section.
>
> 2. Relevant releases/architectures:
>
> Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
> Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
> Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, x86_64
> Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x
> Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
> Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch
> Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7) - aarch64, noarch, ppc64le
> Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7) - noarch, ppc64le, s390x
>
> 3. Description:
>
> The Public Key Infrastructure (PKI) Core contains fundamental packages
> required by Red Hat Certificate System.
>
> Security Fix(es):
>
> * pki-core: Mishandled ACL configuration in AAclAuthz.java reverses rules
> that allow and deny access (CVE-2018-1080)
>
> For more details about the security issue(s), including the impact, a CVSS
> score, and other related information, refer to the CVE page(s) listed in
> the References section.
>
> This issue was discovered by Fraser Tweedale (Red Hat).
>
> Bug Fix(es):
>
> * Previously, when ECC keys were enrolled, Certificate Management over CMS
> (CMC) authentication failed with a "TokenException: Unable to insert
> certificate into temporary database" error. As a consequence, the
> enrollment failed. This update fixes the problem. As a result, the
> mentioned bug no longer occurs. (BZ#1550581)
>
> * Previously, Certificate System used the same enrollment profiles for
> issuing RSA and ECC certificates. As a consequence, the key usage extension
> in issued certificates did not meet the Common Criteria standard. This
> update adds ECC-specific enrollment profiles where the key usage extension
> for TLS server and client certificates is different as described in RFC
> 6960. Additionally, the update changes existing profiles to issue only RSA
> certificates. As a result, the key usage extension in ECC certificates now
> meets the Common Criteria standard. (BZ#1554726)
>
> * The Certificate System server rejects saving invalid access control lists
> (ACL). As a consequence, when saving an ACL with an empty expression, the
> server rejected the update and the pkiconsole utility displayed a
> StringIndexOutOfBoundsException error. With this update, the utility
> rejects empty ACL expressions. As a result, invalid ACLs cannot be saved
> and the error is no longer displayed. (BZ#1557883)
>
> * Previously, due to a bug in the Certificate System installation
> procedure, installing a Key Recovery Authority (KRA) with ECC keys failed.
> To fix the problem, the installation process has been updated to handle
> both RSA and ECC subsystems automatically. As a result, installing
> subsystems with ECC keys no longer fails. (BZ#1581134)
>
> * Previously, during verification, Certificate System encoded the ECC
> public key incorrectly in CMC Certificate Request Message Format (CRMF)
> requests. As a consequence, requesting an ECC certificate with Certificate
> Management over CMS (CMC) in CRMF failed. The problem has been fixed, and
> as a result, CMC CRMF requests using ECC keys work as expected.
> (BZ#1585945)
>
> Enhancement(s):
>
> * The pkispawn man page has been updated and now describes the
> --skip-configuration and --skip-installation parameters. (BZ#1551067)
>
> * With this update, Certificate System adds the Subject Alternative Name
> (SAN) extension by default to server certificates and sets it to the Common
> Name (CN) of the certificate. (BZ#1581135)
>
> * With this enhancement, users can create Certificate Request Message
> Format (CRMF) requests without the key archival option when using the
> CRMFPopClient utility. This feature increases flexibility because a Key
> Recovery Authority (KRA) certificate is no longer required. Previously, if
> the user did not pass the "-b transport_certificate_file" option to
> CRMFPopClient, the utility automatically used the KRA transport certificate
> stored in the transport.txt file. With this update, if "-b
> transport_certificate_file" is not specified, Certificate System creates a
> request without using key archival. (BZ#1588945)
>
> 4. Solution:
>
> For details on how to apply this update, which includes the changes
> described in this advisory, refer to:
>
> https://access.redhat.com/articles/11258
>
> 5. Bugs fixed (https://bugzilla.redhat.com/):
>
> 1550581 - CMCAuth throws org.mozilla.jss.crypto.TokenException: Unable to insert certificate into temporary database [rhel-7.5.z]
> 1551067 - [MAN] Add --skip-configuration and --skip-installation into pkispawn man page. [rhel-7.5.z]
> 1552241 - Make sslget aware of TLSv1_2 ciphers [rhel-7.5.z]
> 1554726 - Need ECC-specific Enrollment Profiles for standard conformance [rhel-7.5.z]
> 1554727 - Permit additional FIPS ciphers to be enabled by default for RSA . . . [rhel-7.5.z]
> 1556657 - CVE-2018-1080 pki-core: Mishandled ACL configuration in AAclAuthz.java reverses rules that allow and deny access
> 1557880 - [MAN] Missing Man pages for tools CMCRequest, CMCResponse, CMCSharedToken [rhel-7.5.z]
> 1557883 - Console: Adding ACL from pki-console gives StringIndexOutOfBoundsException (RHEL) [rhel-7.5.z]
> 1558919 - Not able to generate certificate request with ECC using pki client-cert-request [rhel-7.5.z]
> 1571582 - [MAN] Missing Man pages for tools CMCRequest, CMCResponse, CMCSharedToken (typos) [rhel-7.5.z]
> 1572548 - IPA install with external-CA is failing when FIPS mode enabled. [rhel-7.5.z]
> 1581134 - ECC installation for non CA subsystems needs improvement [rhel-7.5.z]
> 1581135 - SAN in internal SSL server certificate in pkispawn configuration step [rhel-7.5.z]
> 1585945 - CMC CRMF requests result in InvalidKeyFormatException when signing algorithm is ECC [rhel-7.5.z]
> 1587826 - ExternalCA: Installation failed during csr generation with ecc [rhel-7.5.z]
> 1588944 - Cert validation for installation with external CA cert [rhel-7.5.z]
> 1588945 - CRMFPopClient tool - should allow option to do no key archival [rhel-7.5.z]
>
> 6. Package List:
>
> Red Hat Enterprise Linux Client Optional (v. 7):
>
> Source:
> pki-core-10.5.1-13.1.el7_5.src.rpm
>
> noarch:
> pki-base-10.5.1-13.1.el7_5.noarch.rpm
> pki-base-java-10.5.1-13.1.el7_5.noarch.rpm
> pki-ca-10.5.1-13.1.el7_5.noarch.rpm
> pki-javadoc-10.5.1-13.1.el7_5.noarch.rpm
> pki-kra-10.5.1-13.1.el7_5.noarch.rpm
> pki-server-10.5.1-13.1.el7_5.noarch.rpm
>
> x86_64:
> pki-core-debuginfo-10.5.1-13.1.el7_5.x86_64.rpm
> pki-symkey-10.5.1-13.1.el7_5.x86_64.rpm
> pki-tools-10.5.1-13.1.el7_5.x86_64.rpm
>
> Red Hat Enterprise Linux ComputeNode Optional (v. 7):
>
> Source:
> pki-core-10.5.1-13.1.el7_5.src.rpm
>
> noarch:
> pki-base-10.5.1-13.1.el7_5.noarch.rpm
> pki-base-java-10.5.1-13.1.el7_5.noarch.rpm
> pki-ca-10.5.1-13.1.el7_5.noarch.rpm
> pki-javadoc-10.5.1-13.1.el7_5.noarch.rpm
> pki-kra-10.5.1-13.1.el7_5.noarch.rpm
> pki-server-10.5.1-13.1.el7_5.noarch.rpm
>
> x86_64:
> pki-core-debuginfo-10.5.1-13.1.el7_5.x86_64.rpm
> pki-symkey-10.5.1-13.1.el7_5.x86_64.rpm
> pki-tools-10.5.1-13.1.el7_5.x86_64.rpm
>
> Red Hat Enterprise Linux Server (v. 7):
>
> Source:
> pki-core-10.5.1-13.1.el7_5.src.rpm
>
> noarch:
> pki-base-10.5.1-13.1.el7_5.noarch.rpm
> pki-base-java-10.5.1-13.1.el7_5.noarch.rpm
> pki-ca-10.5.1-13.1.el7_5.noarch.rpm
> pki-kra-10.5.1-13.1.el7_5.noarch.rpm
> pki-server-10.5.1-13.1.el7_5.noarch.rpm
>
> ppc64le:
> pki-core-debuginfo-10.5.1-13.1.el7_5.ppc64le.rpm
> pki-tools-10.5.1-13.1.el7_5.ppc64le.rpm
>
> x86_64:
> pki-core-debuginfo-10.5.1-13.1.el7_5.x86_64.rpm
> pki-symkey-10.5.1-13.1.el7_5.x86_64.rpm
> pki-tools-10.5.1-13.1.el7_5.x86_64.rpm
>
> Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7):
>
> Source:
> pki-core-10.5.1-13.1.el7_5.src.rpm
>
> aarch64:
> pki-core-debuginfo-10.5.1-13.1.el7_5.aarch64.rpm
> pki-symkey-10.5.1-13.1.el7_5.aarch64.rpm
> pki-tools-10.5.1-13.1.el7_5.aarch64.rpm
>
> noarch:
> pki-base-10.5.1-13.1.el7_5.noarch.rpm
> pki-base-java-10.5.1-13.1.el7_5.noarch.rpm
> pki-ca-10.5.1-13.1.el7_5.noarch.rpm
> pki-kra-10.5.1-13.1.el7_5.noarch.rpm
> pki-server-10.5.1-13.1.el7_5.noarch.rpm
>
> ppc64le:
> pki-core-debuginfo-10.5.1-13.1.el7_5.ppc64le.rpm
> pki-tools-10.5.1-13.1.el7_5.ppc64le.rpm
>
> Red Hat Enterprise Linux Server Optional (v. 7):
>
> Source:
> pki-core-10.5.1-13.1.el7_5.src.rpm
>
> noarch:
> pki-base-10.5.1-13.1.el7_5.noarch.rpm
> pki-base-java-10.5.1-13.1.el7_5.noarch.rpm
> pki-ca-10.5.1-13.1.el7_5.noarch.rpm
> pki-javadoc-10.5.1-13.1.el7_5.noarch.rpm
> pki-kra-10.5.1-13.1.el7_5.noarch.rpm
> pki-server-10.5.1-13.1.el7_5.noarch.rpm
>
> ppc64:
> pki-core-debuginfo-10.5.1-13.1.el7_5.ppc64.rpm
> pki-symkey-10.5.1-13.1.el7_5.ppc64.rpm
> pki-tools-10.5.1-13.1.el7_5.ppc64.rpm
>
> ppc64le:
> pki-core-debuginfo-10.5.1-13.1.el7_5.ppc64le.rpm
> pki-symkey-10.5.1-13.1.el7_5.ppc64le.rpm
>
> s390x:
> pki-core-debuginfo-10.5.1-13.1.el7_5.s390x.rpm
> pki-symkey-10.5.1-13.1.el7_5.s390x.rpm
> pki-tools-10.5.1-13.1.el7_5.s390x.rpm
>
> Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7):
>
> Source:
> pki-core-10.5.1-13.1.el7_5.src.rpm
>
> noarch:
> pki-base-10.5.1-13.1.el7_5.noarch.rpm
> pki-base-java-10.5.1-13.1.el7_5.noarch.rpm
> pki-ca-10.5.1-13.1.el7_5.noarch.rpm
> pki-javadoc-10.5.1-13.1.el7_5.noarch.rpm
> pki-kra-10.5.1-13.1.el7_5.noarch.rpm
> pki-server-10.5.1-13.1.el7_5.noarch.rpm
>
> ppc64le:
> pki-core-debuginfo-10.5.1-13.1.el7_5.ppc64le.rpm
> pki-symkey-10.5.1-13.1.el7_5.ppc64le.rpm
>
> s390x:
> pki-core-debuginfo-10.5.1-13.1.el7_5.s390x.rpm
> pki-symkey-10.5.1-13.1.el7_5.s390x.rpm
> pki-tools-10.5.1-13.1.el7_5.s390x.rpm
>
> Red Hat Enterprise Linux Workstation (v. 7):
>
> Source:
> pki-core-10.5.1-13.1.el7_5.src.rpm
>
> noarch:
> pki-base-10.5.1-13.1.el7_5.noarch.rpm
> pki-base-java-10.5.1-13.1.el7_5.noarch.rpm
> pki-ca-10.5.1-13.1.el7_5.noarch.rpm
> pki-kra-10.5.1-13.1.el7_5.noarch.rpm
> pki-server-10.5.1-13.1.el7_5.noarch.rpm
>
> x86_64:
> pki-core-debuginfo-10.5.1-13.1.el7_5.x86_64.rpm
> pki-symkey-10.5.1-13.1.el7_5.x86_64.rpm
> pki-tools-10.5.1-13.1.el7_5.x86_64.rpm
>
> Red Hat Enterprise Linux Workstation Optional (v. 7):
>
> noarch:
> pki-javadoc-10.5.1-13.1.el7_5.noarch.rpm
>
> These packages are GPG signed by Red Hat for security.  Our key and
> details on how to verify the signature are available from
> https://access.redhat.com/security/team/key/
>
> 7. References:
>
> https://access.redhat.com/security/cve/CVE-2018-1080
> https://access.redhat.com/security/updates/classification/#moderate
>
> 8. Contact:
>
> The Red Hat security contact is <secalert at redhat.com>. More contact
> details at https://access.redhat.com/security/team/contact/
>
> Copyright 2018 Red Hat, Inc.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIVAwUBWzJu/tzjgjWX9erEAQg1lxAAlxDc87fRo/w35qOiFXbnbqh7kwUo1lTM
> GDoWmjiZ/+0Z472coRNmMmRoKoZFW9t5aY3rCwvF+rUNCfj6KWUwPzGcgp4nqu2b
> XCB9eiXl/8npMMr1UghPMzl1XaP2s8YSOi4P2SWmmq5Ir0MC4YJGfWoF1DUWybbh
> eT4NRwMPyWH3r0go2Q0GmpFMYSLrfN2J0C8t8xZ0XfYtDXHZFWiLL/1K+FpunJv9
> cHBvcBOIouXSsXD1xmvqLic8Kap+YoRNwdFPCeizwHTiJ3pXOCzF0asrtJ3cl0HB
> OllXtCMChsdg3WIYybPcbflJqObq48zcEyFWC3w4VT7IOwkgKTe6CCLE3CuYbgkE
> iubWTArf7JtjdEFqY6oXLC49lPQQH0QePj3w2WCyrA2TJoca/wtN/5Gq9fdWthFf
> Y8BP3tP76sJyTfaoMAlY8HQKcIOJrXsVmGmU29WKEpWldOZkyEyxrryVDX6AruIR
> gzgY9yAwtrywAb1qw4olJbnUTzWVUrT9jGfJdM81gsMSe1Pdkku2i3zrH4vq/Xaz
> LycExgYXk8jqsIhuaHpf9FMRQBVX2Ieg/DdzarBkmZnhhBdaMglIbWOPZ7ecnvsN
> Bf/QDZc3/OKyGAgpYF0Mc+020vUWEsJFAwEKW2BbYHx7rtVABZmHRNVslJc8bXcR
> D+0oGC7mnpk=
> =DUm5
> -----END PGP SIGNATURE-----
>
> --
> RHSA-announce mailing list
> RHSA-announce at redhat.com
> https://www.redhat.com/mailman/listinfo/rhsa-announce

-- 
Pat Riehecky

Fermi National Accelerator Laboratory
www.fnal.gov
www.scientificlinux.org
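A quick way to check whether a RHEL 7 host actually carries the fixed build listed in section 6 of the quoted advisory (10.5.1-13.1.el7_5), as an added example that is not code from the advisory, from Red Hat or from the pki-core project. It reimplements rpm's rpmvercmp segment comparison in Python so it runs offline against a pasted package listing; on a real host the supported check is `yum updateinfo info RHSA-2018:1979`, and the input would be the output of `rpm -qa --qf '%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE}\n' 'pki-*'`. The listing below is constructed, and an epoch of 0 is assumed for the fixed build because the advisory lists none.

```python
"""Compare installed pki-* packages against the build fixed in RHSA-2018:1979.

Added example, not part of the advisory or of pki-core. The comparison follows
rpm's rpmvercmp() rules: compare digit runs numerically and letter runs
lexically, '~' sorts before anything (pre-release), '^' sorts after the end of
the string but before any other segment (post-release), and a numeric segment
beats an alphabetic one.
"""

# Fixed build from section 6 of the advisory. Epoch 0 is an assumption: the
# advisory lists no epoch for pki-core.
FIXED_EVR = (0, "10.5.1", "13.1.el7_5")

# Binary package names that appear in the advisory's package list.
ADVISORY_PACKAGES = {
    "pki-base", "pki-base-java", "pki-ca", "pki-kra", "pki-server",
    "pki-symkey", "pki-tools", "pki-javadoc", "pki-core-debuginfo",
}

# Constructed listing for a host where only some pki-* packages were updated
# (not real host output). Format: NAME EPOCH VERSION RELEASE per line.
SAMPLE_RPM_QA = """\
pki-base 0 10.5.1 13.el7
pki-base-java 0 10.5.1 13.1.el7_5
pki-ca 0 10.5.1 13.el7
pki-kra 0 10.5.1 6.el7
pki-server 0 10.5.1 13.1.el7_5
pki-tools 0 10.5.1 13.1.el7_5
tomcat (none) 7.0.76 6.el7
"""


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpm's rpmvercmp() for version/release strings."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators are anything that is not alphanumeric, '~' or '^'.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        # Tilde: the side carrying '~' is older, whatever follows it.
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        # Caret: newer than end-of-string, older than any real segment.
        ca = i < len(a) and a[i] == "^"
        cb = j < len(b) and b[j] == "^"
        if ca or cb:
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if not ca:
                return 1
            if not cb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take a run of digits or of letters from both sides, driven by a's type.
        isnum = a[i].isdigit()
        pred = str.isdigit if isnum else str.isalpha
        si = i
        while i < len(a) and pred(a[i]):
            i += 1
        sj = j
        while j < len(b) and pred(b[j]):
            j += 1
        sa, sb = a[si:i], b[sj:j]
        if not sb:
            # Segment types differ: the numeric side is newer.
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def evrcmp(a, b) -> int:
    """Compare (epoch, version, release) tuples; epoch wins outright."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def parse_rpm_qa(text: str) -> dict:
    """Parse 'NAME EPOCH VERSION RELEASE' lines; '(none)' means epoch 0."""
    pkgs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        name, epoch, ver, rel = parts
        pkgs[name] = (int(epoch) if epoch.isdigit() else 0, ver, rel)
    return pkgs


def unpatched(pkgs: dict) -> list:
    """Advisory packages installed at a build older than the fixed one."""
    return sorted(n for n, evr in pkgs.items()
                  if n in ADVISORY_PACKAGES and evrcmp(evr, FIXED_EVR) < 0)


if __name__ == "__main__":
    for name in unpatched(parse_rpm_qa(SAMPLE_RPM_QA)):
        print("still vulnerable to CVE-2018-1080:", name)
```

Packages that are not installed at all are not reported, so an empty result only means the installed pki-* set is at or past the fixed build; a partially updated host, as in the constructed listing, shows up as a mix of patched and unpatched names.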
