Red Hat Training

A Red Hat training course is available for Red Hat Linux

Chapter 61. Security

NSS accept malformed RSA PKCS#1 v1.5 signatures made with an RSA-PSS key

The Network Security Services (NSS) libraries do not check the type of an RSA public key used by a server when validating signatures made using a corresponding private key. Consequently, NSS accept malformed RSA PKCS#1 v1.5 signatures if they are made with an RSA-PSS key. (BZ#1510156)

Authentication using ssh-agent not from OpenSSH fails

OpenSSH since version 7.4 negotiates the SHA-2 signature extension by default. Consequently, if a signature is provided by the ssh-agent program that is not from the current OpenSSH suite and that does not know the SHA-2 extension, authentication fails. To work around this problem, use the OpenSSH ssh-agent to provide signatures. (BZ#1497680)

Parsing of OpenSSH public keys is more strict

Previously, the parsing of public keys was changed to be more strict. As a consequence, additional spaces between the key type string and the key blob string are no longer ignored, and login attempts with such keys now fail. To work around this problem, ensure that there is only one space character between the key type and the key blob. (BZ#1493406)

SCAP Workbench fails to generate results-based remediations from tailored profiles

The following error occurs when trying to generate results-based remediation roles from a customized profile using the the SCAP Workbench tool:
Error generating remediation role '.../remediation.sh': Exit code of 'oscap' was 1: [output truncated]
To work around this problem, use the oscap command with the --tailoring-file option. (BZ#1533108)

Clevis can log spurious Device is not initialized error messages

If the Clevis pluggable framework is in the initramfs image and if you have an encrypted volume configured to unlock during boot time and coincidently you have not configured the Clevis binding, then the boot log shows spurious Device is not initialized error messages. To work around this problem, perform the Clevis binding step, and the error messages for the volume disappear. (BZ#1538759)

Libreswan is not working properly with seccomp=enabled on all configurations

The set of allowed syscalls in the Libreswan SECCOMP support implementation is currently not complete. Consequently, when SECCOMP is enabled in the ipsec.conf file, the syscall filtering rejects even syscalls needed for proper functioning of the pluto daemon; the daemon is killed, and the ipsec service is restarted.
To work around this problem, set the seccomp= option back to the disabled state. SECCOMP support must remain disabled to run ipsec properly. (BZ#1544463)

OpenSCAP RPM verification rules do not work correctly with VM and container file systems

The rpminfo, rpmverify, and rpmverifyfile probes do not fully support offline mode. Consequently, OpenSCAP RPM verification rules do not work correctly when scanning virtual machine (VM) and container file systems in offline mode.
To work around this problem, disable the RPM verification rules or perform a manual check using a guidance in the SCAP Security Guide. Results of scanning VM and container file systems in offline mode might contain false negatives. (BZ#1556988)

Firefox and other applications using NSS become unresponsive when a smart card is inserted

The Network Security Services (NSS) libraries incorrectly handle smart card insertion events and states of such events. Consequently, the Firefox browser and other applications using NSS in the Gnome Display Manager (GDM) do not reliably detect the card insertion state and become unresponsive while requesting to wait for slot events.
To work around this problem, do not update the nss packages to version 3.34 and wait for the upstream version 3.36. The smart cards work correctly with the previous NSS version. (BZ#1557015)