RHBA-2010:0068 - Bug Fix Advisory

Topic

Updated coolkey packages that resolve several issues are now available.

Description

The coolkey packages contain driver support for CoolKey and Common Access
Card (CAC) smart card products.

These updated coolkey packages provide fixes for the following bugs:

• the Department of Defense's alternative CAC tokens are now supported by

CoolKey. (BZ#226790)

• the libcoolkeypk11.so shared object library, when it was not linked with

the pthreads library, became unresponsive when the C_Initialize() function
was called following a call to syslog(). This update ensures that
libcoolkeypk11.so does not hang when it is not linked with the pthreads
threading library and the aforementioned scenario occurs. (BZ#245529)

• CoolKey's PKCS#11 module failed to initialize when the C_Initialize()

function was called and the CKF_OS_LOCKING flag was set. This issue is
related to the fix for BZ#245529. With this update, the PKCS#11 module
successfully initializes. (BZ#443127)

• the Red Hat Enterprise Security Client (ESC) incorrectly identified CAC

cards as CoolKey cards, and mistakenly opened the Phone Home dialog after
doing so. With this update, CoolKey correctly identifies CAC cards and
assigns the correct functionality to them.

With this fix, it is still possible to view certificates and diagnostics
for CAC cards, though the management functions are now disabled. Finally,
note that the RHBA-2010:0066 esc update must be installed in order to fully
resolve this issue. (BZ#499976)

• CoolKeys is now able to recognize smart cards that use the T1 protocol,

such as the SafeNet 330J, in addition to the T0-protocol cards supported
previously. (BZ#514298)

• CoolKey now correctly handles cryptographic operations such as digital

signing when using cards with 2048-bit keys. Previously, only 1024-bit keys
were supported. (BZ#514299)

All users of coolkey are advised to upgrade to these updated packages,
which resolve these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 226790 - Coolkey/ESC not recognizing DoD alternative tokens.
• BZ - 245529 - coolkey hangs in C_Initialize() if pthreads library is not linked
• BZ - 440607 - there should be %{?dist} instead of %{dist} in the *.spec on the Release: line
• BZ - 443127 - coolkey PKCS#11 C_Initiailize fails with CKF_OS_LOCKING flag
• BZ - 499976 - CAC cards can be incorrectly identified as a Coolkey
• BZ - 514298 - Support protocol T1 cards in CoolKey
• BZ - 514299 - Problems using 2048-bit keys with CoolKey

CVEs

(none)

References

(none)