[rhelv6-list] [RHSA-2018:1979-01] Moderate: pki-core security, bug fix, and enhancement update

Pat Riehecky riehecky at fnal.gov
Tue Jun 26 19:10:30 UTC 2018


Forgot the link: https://git.centos.org/summary/rpms!nuxwdog.git

On 06/26/2018 02:07 PM, Pat Riehecky wrote:
> Building this requires a newer version of nuxwdog than is in the 
> source repo.
>
> Pat
>
> On 06/26/2018 11:51 AM, Security announcements for all Red Hat 
> products and services. wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> =====================================================================
>>                     Red Hat Security Advisory
>>
>> Synopsis:          Moderate: pki-core security, bug fix, and enhancement update
>> Advisory ID:       RHSA-2018:1979-01
>> Product:           Red Hat Enterprise Linux
>> Advisory URL:      https://access.redhat.com/errata/RHSA-2018:1979
>> Issue date:        2018-06-26
>> CVE Names:         CVE-2018-1080
>> =====================================================================
>>
>> 1. Summary:
>>
>> An update for pki-core is now available for Red Hat Enterprise Linux 7.
>>
>> Red Hat Product Security has rated this update as having a security impact
>> of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
>> gives a detailed severity rating, is available for each vulnerability from
>> the CVE link(s) in the References section.
>>
>> 2. Relevant releases/architectures:
>>
>> Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
>> Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
>> Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, x86_64
>> Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x
>> Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
>> Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch
>> Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7) - aarch64, noarch, ppc64le
>> Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7) - noarch, ppc64le, s390x
>>
>> 3. Description:
>>
>> The Public Key Infrastructure (PKI) Core contains fundamental packages
>> required by Red Hat Certificate System.
>>
>> Security Fix(es):
>>
>> * pki-core: Mishandled ACL configuration in AAclAuthz.java reverses rules
>> that allow and deny access (CVE-2018-1080)
>>
>> For more details about the security issue(s), including the impact, a CVSS
>> score, and other related information, refer to the CVE page(s) listed in
>> the References section.
>>
>> This issue was discovered by Fraser Tweedale (Red Hat).
>>
>> Bug Fix(es):
>>
>> * Previously, when ECC keys were enrolled, Certificate Management over CMS
>> (CMC) authentication failed with a "TokenException: Unable to insert
>> certificate into temporary database" error. As a consequence, the
>> enrollment failed. This update fixes the problem. As a result, the
>> mentioned bug no longer occurs. (BZ#1550581)
>>
>> * Previously, Certificate System used the same enrollment profiles for
>> issuing RSA and ECC certificates. As a consequence, the key usage extension
>> in issued certificates did not meet the Common Criteria standard. This
>> update adds ECC-specific enrollment profiles where the key usage extension
>> for TLS server and client certificates is different as described in RFC
>> 6960. Additionally, the update changes existing profiles to issue only RSA
>> certificates. As a result, the key usage extension in ECC certificates now
>> meets the Common Criteria standard. (BZ#1554726)
>>
>> * The Certificate System server rejects saving invalid access control lists
>> (ACL). As a consequence, when saving an ACL with an empty expression, the
>> server rejected the update and the pkiconsole utility displayed a
>> StringIndexOutOfBoundsException error. With this update, the utility
>> rejects empty ACL expressions. As a result, invalid ACLs cannot be saved
>> and the error is no longer displayed. (BZ#1557883)
>>
>> * Previously, due to a bug in the Certificate System installation
>> procedure, installing a Key Recovery Authority (KRA) with ECC keys failed.
>> To fix the problem, the installation process has been updated to handle
>> both RSA and ECC subsystems automatically. As a result, installing
>> subsystems with ECC keys no longer fails. (BZ#1581134)
>>
>> * Previously, during verification, Certificate System encoded the ECC
>> public key incorrectly in CMC Certificate Request Message Format (CRMF)
>> requests. As a consequence, requesting an ECC certificate with Certificate
>> Management over CMS (CMC) in CRMF failed. The problem has been fixed, and
>> as a result, CMC CRMF requests using ECC keys work as expected.
>> (BZ#1585945)
>>
>> Enhancement(s):
>>
>> * The pkispawn man page has been updated and now describes the
>> --skip-configuration and --skip-installation parameters. (BZ#1551067)
>>
>> * With this update, Certificate System adds the Subject Alternative Name
>> (SAN) extension by default to server certificates and sets it to the Common
>> Name (CN) of the certificate. (BZ#1581135)
>>
>> * With this enhancement, users can create Certificate Request Message
>> Format (CRMF) requests without the key archival option when using the
>> CRMFPopClient utility. This feature increases flexibility because a Key
>> Recovery Authority (KRA) certificate is no longer required. Previously, if
>> the user did not pass the "-b transport_certificate_file" option to
>> CRMFPopClient, the utility automatically used the KRA transport certificate
>> stored in the transport.txt file. With this update, if "-b
>> transport_certificate_file" is not specified, Certificate System creates a
>> request without using key archival. (BZ#1588945)
>>
>> 4. Solution:
>>
>> For details on how to apply this update, which includes the changes
>> described in this advisory, refer to:
>>
>> https://access.redhat.com/articles/11258
>>
>>
>> 5. Bugs fixed (https://bugzilla.redhat.com/):
>>
>> 1550581 - CMCAuth throws org.mozilla.jss.crypto.TokenException: Unable to insert certificate into temporary database [rhel-7.5.z]
>> 1551067 - [MAN] Add --skip-configuration and --skip-installation into pkispawn man page. [rhel-7.5.z]
>> 1552241 - Make sslget aware of TLSv1_2 ciphers [rhel-7.5.z]
>> 1554726 - Need ECC-specific Enrollment Profiles for standard conformance [rhel-7.5.z]
>> 1554727 - Permit additional FIPS ciphers to be enabled by default for RSA . . . [rhel-7.5.z]
>> 1556657 - CVE-2018-1080 pki-core: Mishandled ACL configuration in AAclAuthz.java reverses rules that allow and deny access
>> 1557880 - [MAN] Missing Man pages for tools CMCRequest, CMCResponse, CMCSharedToken [rhel-7.5.z]
>> 1557883 - Console: Adding ACL from pki-console gives StringIndexOutOfBoundsException (RHEL) [rhel-7.5.z]
>> 1558919 - Not able to generate certificate request with ECC using pki client-cert-request [rhel-7.5.z]
>> 1571582 - [MAN] Missing Man pages for tools CMCRequest, CMCResponse, CMCSharedToken (typos) [rhel-7.5.z]
>> 1572548 - IPA install with external-CA is failing when FIPS mode enabled. [rhel-7.5.z]
>> 1581134 - ECC installation for non CA subsystems needs improvement [rhel-7.5.z]
>> 1581135 - SAN in internal SSL server certificate in pkispawn configuration step [rhel-7.5.z]
>> 1585945 - CMC CRMF requests result in InvalidKeyFormatException when signing algorithm is ECC [rhel-7.5.z]
>> 1587826 - ExternalCA: Installation failed during csr generation with ecc [rhel-7.5.z]
>> 1588944 - Cert validation for installation with external CA cert [rhel-7.5.z]
>> 1588945 - CRMFPopClient tool - should allow option to do no key archival [rhel-7.5.z]
>>
>> 6. Package List:
>>
>> Red Hat Enterprise Linux Client Optional (v. 7):
>>
>> Source:
>> pki-core-10.5.1-13.1.el7_5.src.rpm
>>
>> noarch:
>> pki-base-10.5.1-13.1.el7_5.noarch.rpm
>> pki-base-java-10.5.1-13.1.el7_5.noarch.rpm
>> pki-ca-10.5.1-13.1.el7_5.noarch.rpm
>> pki-javadoc-10.5.1-13.1.el7_5.noarch.rpm
>> pki-kra-10.5.1-13.1.el7_5.noarch.rpm
>> pki-server-10.5.1-13.1.el7_5.noarch.rpm
>>
>> x86_64:
>> pki-core-debuginfo-10.5.1-13.1.el7_5.x86_64.rpm
>> pki-symkey-10.5.1-13.1.el7_5.x86_64.rpm
>> pki-tools-10.5.1-13.1.el7_5.x86_64.rpm
>>
>> Red Hat Enterprise Linux ComputeNode Optional (v. 7):
>>
>> Source:
>> pki-core-10.5.1-13.1.el7_5.src.rpm
>>
>> noarch:
>> pki-base-10.5.1-13.1.el7_5.noarch.rpm
>> pki-base-java-10.5.1-13.1.el7_5.noarch.rpm
>> pki-ca-10.5.1-13.1.el7_5.noarch.rpm
>> pki-javadoc-10.5.1-13.1.el7_5.noarch.rpm
>> pki-kra-10.5.1-13.1.el7_5.noarch.rpm
>> pki-server-10.5.1-13.1.el7_5.noarch.rpm
>>
>> x86_64:
>> pki-core-debuginfo-10.5.1-13.1.el7_5.x86_64.rpm
>> pki-symkey-10.5.1-13.1.el7_5.x86_64.rpm
>> pki-tools-10.5.1-13.1.el7_5.x86_64.rpm
>>
>> Red Hat Enterprise Linux Server (v. 7):
>>
>> Source:
>> pki-core-10.5.1-13.1.el7_5.src.rpm
>>
>> noarch:
>> pki-base-10.5.1-13.1.el7_5.noarch.rpm
>> pki-base-java-10.5.1-13.1.el7_5.noarch.rpm
>> pki-ca-10.5.1-13.1.el7_5.noarch.rpm
>> pki-kra-10.5.1-13.1.el7_5.noarch.rpm
>> pki-server-10.5.1-13.1.el7_5.noarch.rpm
>>
>> ppc64le:
>> pki-core-debuginfo-10.5.1-13.1.el7_5.ppc64le.rpm
>> pki-tools-10.5.1-13.1.el7_5.ppc64le.rpm
>>
>> x86_64:
>> pki-core-debuginfo-10.5.1-13.1.el7_5.x86_64.rpm
>> pki-symkey-10.5.1-13.1.el7_5.x86_64.rpm
>> pki-tools-10.5.1-13.1.el7_5.x86_64.rpm
>>
>> Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7):
>>
>> Source:
>> pki-core-10.5.1-13.1.el7_5.src.rpm
>>
>> aarch64:
>> pki-core-debuginfo-10.5.1-13.1.el7_5.aarch64.rpm
>> pki-symkey-10.5.1-13.1.el7_5.aarch64.rpm
>> pki-tools-10.5.1-13.1.el7_5.aarch64.rpm
>>
>> noarch:
>> pki-base-10.5.1-13.1.el7_5.noarch.rpm
>> pki-base-java-10.5.1-13.1.el7_5.noarch.rpm
>> pki-ca-10.5.1-13.1.el7_5.noarch.rpm
>> pki-kra-10.5.1-13.1.el7_5.noarch.rpm
>> pki-server-10.5.1-13.1.el7_5.noarch.rpm
>>
>> ppc64le:
>> pki-core-debuginfo-10.5.1-13.1.el7_5.ppc64le.rpm
>> pki-tools-10.5.1-13.1.el7_5.ppc64le.rpm
>>
>> Red Hat Enterprise Linux Server Optional (v. 7):
>>
>> Source:
>> pki-core-10.5.1-13.1.el7_5.src.rpm
>>
>> noarch:
>> pki-base-10.5.1-13.1.el7_5.noarch.rpm
>> pki-base-java-10.5.1-13.1.el7_5.noarch.rpm
>> pki-ca-10.5.1-13.1.el7_5.noarch.rpm
>> pki-javadoc-10.5.1-13.1.el7_5.noarch.rpm
>> pki-kra-10.5.1-13.1.el7_5.noarch.rpm
>> pki-server-10.5.1-13.1.el7_5.noarch.rpm
>>
>> ppc64:
>> pki-core-debuginfo-10.5.1-13.1.el7_5.ppc64.rpm
>> pki-symkey-10.5.1-13.1.el7_5.ppc64.rpm
>> pki-tools-10.5.1-13.1.el7_5.ppc64.rpm
>>
>> ppc64le:
>> pki-core-debuginfo-10.5.1-13.1.el7_5.ppc64le.rpm
>> pki-symkey-10.5.1-13.1.el7_5.ppc64le.rpm
>>
>> s390x:
>> pki-core-debuginfo-10.5.1-13.1.el7_5.s390x.rpm
>> pki-symkey-10.5.1-13.1.el7_5.s390x.rpm
>> pki-tools-10.5.1-13.1.el7_5.s390x.rpm
>>
>> Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7):
>>
>> Source:
>> pki-core-10.5.1-13.1.el7_5.src.rpm
>>
>> noarch:
>> pki-base-10.5.1-13.1.el7_5.noarch.rpm
>> pki-base-java-10.5.1-13.1.el7_5.noarch.rpm
>> pki-ca-10.5.1-13.1.el7_5.noarch.rpm
>> pki-javadoc-10.5.1-13.1.el7_5.noarch.rpm
>> pki-kra-10.5.1-13.1.el7_5.noarch.rpm
>> pki-server-10.5.1-13.1.el7_5.noarch.rpm
>>
>> ppc64le:
>> pki-core-debuginfo-10.5.1-13.1.el7_5.ppc64le.rpm
>> pki-symkey-10.5.1-13.1.el7_5.ppc64le.rpm
>>
>> s390x:
>> pki-core-debuginfo-10.5.1-13.1.el7_5.s390x.rpm
>> pki-symkey-10.5.1-13.1.el7_5.s390x.rpm
>> pki-tools-10.5.1-13.1.el7_5.s390x.rpm
>>
>> Red Hat Enterprise Linux Workstation (v. 7):
>>
>> Source:
>> pki-core-10.5.1-13.1.el7_5.src.rpm
>>
>> noarch:
>> pki-base-10.5.1-13.1.el7_5.noarch.rpm
>> pki-base-java-10.5.1-13.1.el7_5.noarch.rpm
>> pki-ca-10.5.1-13.1.el7_5.noarch.rpm
>> pki-kra-10.5.1-13.1.el7_5.noarch.rpm
>> pki-server-10.5.1-13.1.el7_5.noarch.rpm
>>
>> x86_64:
>> pki-core-debuginfo-10.5.1-13.1.el7_5.x86_64.rpm
>> pki-symkey-10.5.1-13.1.el7_5.x86_64.rpm
>> pki-tools-10.5.1-13.1.el7_5.x86_64.rpm
>>
>> Red Hat Enterprise Linux Workstation Optional (v. 7):
>>
>> noarch:
>> pki-javadoc-10.5.1-13.1.el7_5.noarch.rpm
>>
>> These packages are GPG signed by Red Hat for security.  Our key and
>> details on how to verify the signature are available from
>> https://access.redhat.com/security/team/key/
>>
>>
>> 7. References:
>>
>> https://access.redhat.com/security/cve/CVE-2018-1080
>>
>> https://access.redhat.com/security/updates/classification/#moderate
>>
>>
>> 8. Contact:
>>
>> The Red Hat security contact is <secalert at redhat.com>. More contact
>> details at https://access.redhat.com/security/team/contact/
>>
>> Copyright 2018 Red Hat, Inc.
>>
>> -- 
>> RHSA-announce mailing list
>> RHSA-announce at redhat.com
>> https://www.redhat.com/mailman/listinfo/rhsa-announce
>>
>

-- 
Pat Riehecky

Fermi National Accelerator Laboratory
www.fnal.gov
www.scientificlinux.org
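The quoted advisory names the build that carries the fix, pki-core-10.5.1-13.1.el7_5. The check below is an added example, not part of the advisory or of this mail: it applies rpm's segment-wise version comparison rules (numeric segments beat alphabetic ones, a longer equal-prefixed string is newer, "~" sorts lowest) so that an older release such as 13.el7_5 is not mistaken for the fixed 13.1.el7_5 by a plain string compare. The sample query output is constructed, not taken from a real host.

```python
import itertools, re
# Fixed pki-core build (version-release) taken from the RHSA-2018:1979 package list.
FIXED_PKI_CORE = "10.5.1-13.1.el7_5"

# Constructed sample of `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' ...` output,
# not data from a real host: two packages are at the fixed build, two are older.
SAMPLE_RPM_OUTPUT = """\
pki-base 10.5.1-13.1.el7_5
pki-server 10.5.1-13.el7_5
pki-ca 10.5.1-6.el7
pki-kra 10.5.1-13.1.el7_5
"""

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")

def rpmvercmp(a: str, b: str) -> int:
    """rpm-style compare of a version or release string (-1, 0 or 1): numeric
    segments compare as integers and beat alphabetic ones, a longer string wins
    on an equal prefix (13.1.el7_5 > 13.el7_5), and '~' sorts before everything."""
    for x, y in itertools.zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if x == y:
            continue
        if x == "~" or y == "~":          # pre-release marker always loses
            return -1 if x == "~" else 1
        if x is None or y is None:        # one side ran out of segments
            return -1 if x is None else 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
            continue                      # "01" and "1" are equal
        if x.isdigit() or y.isdigit():    # numeric beats alphabetic
            return 1 if x.isdigit() else -1
        return -1 if x < y else 1
    return 0

def compare_evr(a: str, b: str) -> int:
    """Compare 'epoch:version-release' strings (missing epoch = 0); first differing field decides."""
    def parts(evr):
        epoch, vr = evr.split(":", 1) if ":" in evr else ("0", evr)
        version, _, release = vr.partition("-")
        return epoch, version, release
    for x, y in zip(parts(a), parts(b)):
        if (r := rpmvercmp(x, y)) != 0:
            return r
    return 0

def audit(rpm_output: str, fixed_evr: str = FIXED_PKI_CORE) -> dict:
    """Per package: True if installed at or above the fixed build, else False."""
    return {name: compare_evr(evr, fixed_evr) >= 0
            for name, evr in (ln.split() for ln in rpm_output.splitlines() if ln.strip())}
```

On a real RHEL 7 host, feed `audit()` the output of `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' pki-base pki-server pki-ca pki-kra` (add the other pki-core subpackages you have installed).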



