Chapter 33. Security

CardOS 5.3 smart cards with ECDSA support work correctly in OpenSC

Previously, OpenSC did not correctly parse the ECDSA algorithm in the TokenInfo information provided by CardOS 5.3 smart cards. As a consequence, OpenSC did not detect these cards. The TokenInfo parser has been updated and now complies with the PKCS #15 specification. As a result, CardOS 5.3 smart cards with ECDSA support work correctly in OpenSC. (BZ#1562277)

Non-CCID-compliant smart card readers work in OpenSC

Certain smart card readers implement PIN pad functionality that does not follow the chip card interface device (CCID) specification. Previously, OpenSC detected the PIN pad of such smart card readers, but the reader could not be used with OpenSC. With this update, the PIN pad detection has been disabled in OpenSC by default. As a result, non-CCID-compliant smart card readers can be used, but without the PIN pad feature. (BZ#1547117)

The pkcs11-tool utility now supports mechanism IDs and handles ECDSA keys correctly

Previously, the pkcs11-tool utility incorrectly handled EC_POINT values and support for certain vendor-specific mechanisms was missing. As a consequence, these mechanisms and certain ECDSA keys in hardware security modules (HSM) and smart cards were not supported by pkcs11-tool. With this update, the pkcs11-tool now handles EC_POINT values and vendor-specific mechanisms correctly. As a result, the utility now supports mechanism IDs and handles ECDSA keys correctly. (BZ#1562572)

OpenSCAP RPM verification rules no longer work incorrectly with VM and container file systems

Previously, the rpminfo, rpmverify, and rpmverifyfile probes did not fully support offline mode. As a consequence, OpenSCAP RPM verification rules did not work correctly when scanning virtual machine (VM) and container file systems in offline mode. With this update, support for offline mode has been fixed, and results of scanning VM and container file systems in offline mode no longer contain false negatives. (BZ#1556988)

sudo no longer blocks poll() for /dev/ptmx

Previously, when running a command through sudo that had the I/O logging enabled, a parent process of the command was occasionally blocked in the poll() function execution, waiting for an event on the /dev/ptmx file descriptor. Consequently, a deadlock occurred and sudo might leave the process of the command in an unresponsive state. This update adds a pseudoterminal cleanup logic, and sudo no longer causes a deadlock in the described scenario. (BZ#1560657)