- Issued: 2009-01-20
- Updated: 2009-01-20
RHBA-2009:0084 - Bug Fix Advisory
Synopsis
pkinit-nss bug fix update
Type/Severity
Bug Fix Advisory
Topic
An updated pkinit-nss package is now available.
Description
The pkinit-nss package contains a plugin for the Kerberos package which
implements the PKINIT specification, allowing certificates and private keys
to be used for initial authentication to Kerberos.
This update includes the following fixes:
- While the PKINIT specification makes suggestions as to how to recognize
that a certificate and key are suitable for use with PKINIT, smart card and
PKI deployments often do not issue certificates which exactly meet the
described criteria. Under these circumstances, it will not be possible to
obtain a useable certificate for authentication. This update implements a
"pkinit_cert_match" option. This option can be used to configure how the
client determines which certificate (and matching private key) it should use.
- Some server implementations will only accept SignedData items with a
version number of "1" (MIT Kerberos 1.6.3's default plugin) when sent to a
KDC as part of an RFC4556-style request. Other server implementations (such
as Windows Server 2008) will only accept SignedData items with a version
number of "3". Likewise, some clients will only accept SignedData items
with a version number of "1". This update provides workarounds for these
situations by adding "pkinit_signed_data_version" and
"pkinit_kdc_signed_data_version" options. This update also implements
"pkinit_kdc_hostname" and "pkinit_eku_checking" options which can be used
to configure what criteria clients and servers will use to judge if a
certificate is suitable for use by a KDC. With this update installed, the
implementation of Kerberos on Red Hat Enterprise Linux 5 supports the
options necessary to successfully acquire a useable certificate for
authentication in these situations.
Users should upgrade this package to obtain these features.
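To tell which SignedData version a peer is actually sending before choosing a value for the version options above, the version field can be read directly from a DER-encoded CMS ContentInfo, such as one extracted from a captured PKINIT exchange. The following is an added example, not code from this advisory or from pkinit-nss. The function names are hypothetical, and the sample input is a constructed, truncated SignedData that carries only the fields the parser reads.

```python
# Added example: read the CMSVersion from a DER ContentInfo holding SignedData.
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, pos, pos + length

def expect(buf, pos, want, what):
    """Read one TLV and insist on its tag; return the value's bounds."""
    tag, start, end = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected {what}, got tag 0x{tag:02x}")
    return start, end

def signed_data_version(der):
    """Walk ContentInfo -> [0] EXPLICIT -> SignedData and return its version."""
    start, _ = expect(der, 0, 0x30, "ContentInfo SEQUENCE")
    oid_start, oid_end = expect(der, start, 0x06, "contentType OID")
    if der[oid_start:oid_end] != SIGNED_DATA_OID:
        raise ValueError("contentType is not id-signedData")
    start, _ = expect(der, oid_end, 0xA0, "[0] EXPLICIT content")
    start, _ = expect(der, start, 0x30, "SignedData SEQUENCE")
    ver_start, ver_end = expect(der, start, 0x02, "version INTEGER")
    return int.from_bytes(der[ver_start:ver_end], "big")

def sample_content_info(version):
    """Constructed sample: version plus an empty digestAlgorithms SET only."""
    tlv = lambda tag, value: bytes([tag, len(value)]) + value  # short lengths only
    signed_data = tlv(0x30, tlv(0x02, bytes([version])) + tlv(0x31, b""))
    return tlv(0x30, tlv(0x06, SIGNED_DATA_OID) + tlv(0xA0, signed_data))

if __name__ == "__main__":
    for v in (1, 3):
        print("SignedData version:", signed_data_version(sample_content_info(v)))
```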
Solution
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188
Affected Products
- Red Hat Enterprise Linux Server 5 x86_64
- Red Hat Enterprise Linux Server 5 ia64
- Red Hat Enterprise Linux Server 5 i386
- Red Hat Enterprise Linux Workstation 5 x86_64
- Red Hat Enterprise Linux Workstation 5 i386
- Red Hat Enterprise Linux Desktop 5 x86_64
- Red Hat Enterprise Linux Desktop 5 i386
- Red Hat Enterprise Linux for IBM z Systems 5 s390x
- Red Hat Enterprise Linux for Power, big endian 5 ppc
- Red Hat Enterprise Linux Server from RHUI 5 x86_64
- Red Hat Enterprise Linux Server from RHUI 5 i386
Fixes
- BZ - 242109 - Ensure Windows Server 2008 ("Longhorn") interoperability for krb5 / PK-Init
CVEs
(none)
References
(none)
Red Hat Enterprise Linux Server 5
SRPM | |
---|---|
pkinit-nss-0.7.6-1.el5.src.rpm | SHA-256: 2da907f2c7fefb0a0a29dde9419cbfe80cbba00a264b95eaa039e8544079e783 |
x86_64 | |
pkinit-nss-0.7.6-1.el5.x86_64.rpm | SHA-256: ac0c29f3c56f079fe3acef225bac4b8f8e525969e5fbb3a8e5cb2fa194cc0680 |
ia64 | |
pkinit-nss-0.7.6-1.el5.ia64.rpm | SHA-256: 184ebda61aa8516f0449e9cd5b69faf977b9f82b0e4eedf7fb707a336d8b0b0d |
i386 | |
pkinit-nss-0.7.6-1.el5.i386.rpm | SHA-256: f11a85454623369317b5f28effb13937eadb3801740f4be7868df84984ebc4e1 |
Red Hat Enterprise Linux Workstation 5
SRPM | |
---|---|
pkinit-nss-0.7.6-1.el5.src.rpm | SHA-256: 2da907f2c7fefb0a0a29dde9419cbfe80cbba00a264b95eaa039e8544079e783 |
x86_64 | |
pkinit-nss-0.7.6-1.el5.x86_64.rpm | SHA-256: ac0c29f3c56f079fe3acef225bac4b8f8e525969e5fbb3a8e5cb2fa194cc0680 |
i386 | |
pkinit-nss-0.7.6-1.el5.i386.rpm | SHA-256: f11a85454623369317b5f28effb13937eadb3801740f4be7868df84984ebc4e1 |
Red Hat Enterprise Linux Desktop 5
SRPM | |
---|---|
pkinit-nss-0.7.6-1.el5.src.rpm | SHA-256: 2da907f2c7fefb0a0a29dde9419cbfe80cbba00a264b95eaa039e8544079e783 |
x86_64 | |
pkinit-nss-0.7.6-1.el5.x86_64.rpm | SHA-256: ac0c29f3c56f079fe3acef225bac4b8f8e525969e5fbb3a8e5cb2fa194cc0680 |
i386 | |
pkinit-nss-0.7.6-1.el5.i386.rpm | SHA-256: f11a85454623369317b5f28effb13937eadb3801740f4be7868df84984ebc4e1 |
Red Hat Enterprise Linux for IBM z Systems 5
SRPM | |
---|---|
pkinit-nss-0.7.6-1.el5.src.rpm | SHA-256: 2da907f2c7fefb0a0a29dde9419cbfe80cbba00a264b95eaa039e8544079e783 |
s390x | |
pkinit-nss-0.7.6-1.el5.s390x.rpm | SHA-256: e883044e5c07f022751790ac93e056405a195d9ef8d3b9cdc78498e07c7eec4a |
Red Hat Enterprise Linux for Power, big endian 5
SRPM | |
---|---|
pkinit-nss-0.7.6-1.el5.src.rpm | SHA-256: 2da907f2c7fefb0a0a29dde9419cbfe80cbba00a264b95eaa039e8544079e783 |
ppc | |
pkinit-nss-0.7.6-1.el5.ppc.rpm | SHA-256: c61b4e9f3e4daf262ee8b47e257177ac0442501392b9e91c963941405c513d9a |
Red Hat Enterprise Linux Server from RHUI 5
SRPM | |
---|---|
pkinit-nss-0.7.6-1.el5.src.rpm | SHA-256: 2da907f2c7fefb0a0a29dde9419cbfe80cbba00a264b95eaa039e8544079e783 |
x86_64 | |
pkinit-nss-0.7.6-1.el5.x86_64.rpm | SHA-256: ac0c29f3c56f079fe3acef225bac4b8f8e525969e5fbb3a8e5cb2fa194cc0680 |
i386 | |
pkinit-nss-0.7.6-1.el5.i386.rpm | SHA-256: f11a85454623369317b5f28effb13937eadb3801740f4be7868df84984ebc4e1 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.