Issued:: 2010-03-25
Updated:: 2010-03-25

RHBA-2010:0169 - Bug Fix Advisory

Overview
Updated Packages

Synopsis

pki-ca, redhat-pki-ca-ui, pki-common, pki-setup, pki-selinux bug fix update

Type/Severity

Bug Fix Advisory

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated pki-ca, pki-common, redhat-pki-ca-ui, pki-setup, and pki-selinux
packages are now available for Red Hat Certificate System 8.0.

Description

Red Hat Certificate System (RHCS) is an enterprise software system
designed to manage enterprise public key infrastructure (PKI) deployments.

The NSS packages released as RHSA-2010:0165 address a session renegotiation
flaw in the TLS/SSL protocols (CVE-2009-3555) by implementing the TLS
Renegotiation Indication Extension, as defined in RFC 5746. With these
updated packages installed, session renegotiations will fail unless both
the client and server have been updated to implement the new protocol
extension.

This affects the CA subsystem end-entity pages. Server-initiated session
renegotiation occurs when a user connects to the end-entity pages (which
do not require client authentication) and requests an enrollment profile
that requires client authentication. Unless the client (such as a web
browser) has been updated to use the new protocol, the session
renegotiation will fail, and the enrollment request will fail.

To prevent this failure, the updated Certificate System packages introduce
a new port that always requires client authentication and that would be
used for end-entity operations. When the user submits data for an
enrollment profile that requires client authentication, the enrollment will
be directed to this new port, thus eliminating the need for
server-initiated
TLS session renegotiation. (BZ#545935)

Note: This scenario does not affect communication between Certificate
System subsystems, as long as all the Certificate System subsystems are
updated with the new NSS packages.

In addition, some profiles which are used internally by the installation
wizard to create system certificates were incorrectly set to be visible on
the end-entity pages. This has been corrected.

The changes in this errata will be applied to all new Certificate System
8.0 CA instances created. For existing instances, required reconfiguration
steps have been detailed in this Red Hat Knowledgebase article:

http://kbase.redhat.com/faq/docs/DOC-28439

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

Red Hat Certificate System 8 x86_64
Red Hat Certificate System 8 i386

Fixes

(none)

CVEs

(none)

References

http://kbase.redhat.com/faq/docs/DOC-28439

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Certificate System 8

SRPM
pki-ca-8.0.6-1.el5pki.src.rpm	SHA-256: c5e3c5475977c531281540e06d06ab7ca813d6bb3e652b9c02e421f726cec56e
pki-common-8.0.4-1.el5pki.src.rpm	SHA-256: 4a14cd7bdf9dd19c948bbb85b9964ddc185166edac9b89c940840f92e34c4047
pki-selinux-8.0.4-1.el5pki.src.rpm	SHA-256: 6f9efa7340cc5e9cc882a600d760a1acf804cbe6ac09768faf874a659e6f29e3
pki-setup-8.0.4-1.el5pki.src.rpm	SHA-256: b88a933c5de7182ba01bebd85cde20efe6ecd0601bb14e0fec2cd80b50abb502
redhat-pki-ca-ui-8.0.2-1.el5pki.src.rpm	SHA-256: c8030f4329ab4344bdbf47dff1554f7076e1da9f9f0510217ba665634651a251
x86_64
pki-ca-8.0.6-1.el5pki.noarch.rpm	SHA-256: ee329f991f37a4559a4e557b7c5b500b943981c0d86ad886e390599442c665e7
pki-common-8.0.4-1.el5pki.noarch.rpm	SHA-256: a8575406479fc3258e774a6cb953bfa111cde4fcb0c8f1f845a77497b106fb1e
pki-common-javadoc-8.0.4-1.el5pki.noarch.rpm	SHA-256: c15c12535a025059267fe737152927b34155a69b321b2375c150b65df4f330c7
pki-selinux-8.0.4-1.el5pki.noarch.rpm	SHA-256: 6f78395908b341a79f64e72e87e9c1fed718b50f9a308fbb338633014d2839e5
pki-setup-8.0.4-1.el5pki.noarch.rpm	SHA-256: 0e8d6d9bcde293f19fa4699df6cd732b0fc47dec3bd0d02b95cb550772094e2f
redhat-pki-ca-ui-8.0.2-1.el5pki.noarch.rpm	SHA-256: 180b8d71c04aa82cd4354f7be1667c81c314068fc14f07313db9a79d2dddb1a5
i386
pki-ca-8.0.6-1.el5pki.noarch.rpm	SHA-256: ee329f991f37a4559a4e557b7c5b500b943981c0d86ad886e390599442c665e7
pki-common-8.0.4-1.el5pki.noarch.rpm	SHA-256: a8575406479fc3258e774a6cb953bfa111cde4fcb0c8f1f845a77497b106fb1e
pki-common-javadoc-8.0.4-1.el5pki.noarch.rpm	SHA-256: c15c12535a025059267fe737152927b34155a69b321b2375c150b65df4f330c7
pki-selinux-8.0.4-1.el5pki.noarch.rpm	SHA-256: 6f78395908b341a79f64e72e87e9c1fed718b50f9a308fbb338633014d2839e5
pki-setup-8.0.4-1.el5pki.noarch.rpm	SHA-256: 0e8d6d9bcde293f19fa4699df6cd732b0fc47dec3bd0d02b95cb550772094e2f
redhat-pki-ca-ui-8.0.2-1.el5pki.noarch.rpm	SHA-256: 180b8d71c04aa82cd4354f7be1667c81c314068fc14f07313db9a79d2dddb1a5

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation