- Issued:
- 2010-03-25
- Updated:
- 2010-03-25
RHBA-2010:0169 - Bug Fix Advisory
Synopsis
pki-ca, redhat-pki-ca-ui, pki-common, pki-setup, pki-selinux bug fix update
Type/Severity
Bug Fix Advisory
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
Updated pki-ca, pki-common, redhat-pki-ca-ui, pki-setup, and pki-selinux
packages are now available for Red Hat Certificate System 8.0.
Description
Red Hat Certificate System (RHCS) is an enterprise software system
designed to manage enterprise public key infrastructure (PKI) deployments.
The NSS packages released as RHSA-2010:0165 address a session renegotiation
flaw in the TLS/SSL protocols (CVE-2009-3555) by implementing the TLS
Renegotiation Indication Extension, as defined in RFC 5746. With these
updated packages installed, session renegotiations will fail unless both
the client and server have been updated to implement the new protocol
extension.
This affects the CA subsystem end-entity pages. Server-initiated session
renegotiation occurs when a user connects to the end-entity pages (which
do not require client authentication) and requests an enrollment profile
that requires client authentication. Unless the client (such as a web
browser) has been updated to use the new protocol, the session
renegotiation will fail, and the enrollment request will fail.
To prevent this failure, the updated Certificate System packages introduce
a new port that always requires client authentication and that would be
used for end-entity operations. When the user submits data for an
enrollment profile that requires client authentication, the enrollment will
be directed to this new port, thus eliminating the need for
server-initiated
TLS session renegotiation. (BZ#545935)
Note: This scenario does not affect communication between Certificate
System subsystems, as long as all the Certificate System subsystems are
updated with the new NSS packages.
In addition, some profiles which are used internally by the installation
wizard to create system certificates were incorrectly set to be visible on
the end-entity pages. This has been corrected.
The changes in this errata will be applied to all new Certificate System
8.0 CA instances created. For existing instances, required reconfiguration
steps have been detailed in this Red Hat Knowledgebase article:
Solution
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
Affected Products
- Red Hat Certificate System 8 x86_64
- Red Hat Certificate System 8 i386
Fixes
(none)CVEs
(none)
References
Red Hat Certificate System 8
| SRPM | |
|---|---|
| pki-ca-8.0.6-1.el5pki.src.rpm | SHA-256: c5e3c5475977c531281540e06d06ab7ca813d6bb3e652b9c02e421f726cec56e |
| pki-common-8.0.4-1.el5pki.src.rpm | SHA-256: 4a14cd7bdf9dd19c948bbb85b9964ddc185166edac9b89c940840f92e34c4047 |
| pki-selinux-8.0.4-1.el5pki.src.rpm | SHA-256: 6f9efa7340cc5e9cc882a600d760a1acf804cbe6ac09768faf874a659e6f29e3 |
| pki-setup-8.0.4-1.el5pki.src.rpm | SHA-256: b88a933c5de7182ba01bebd85cde20efe6ecd0601bb14e0fec2cd80b50abb502 |
| redhat-pki-ca-ui-8.0.2-1.el5pki.src.rpm | SHA-256: c8030f4329ab4344bdbf47dff1554f7076e1da9f9f0510217ba665634651a251 |
| x86_64 | |
| pki-ca-8.0.6-1.el5pki.noarch.rpm | SHA-256: ee329f991f37a4559a4e557b7c5b500b943981c0d86ad886e390599442c665e7 |
| pki-common-8.0.4-1.el5pki.noarch.rpm | SHA-256: a8575406479fc3258e774a6cb953bfa111cde4fcb0c8f1f845a77497b106fb1e |
| pki-common-javadoc-8.0.4-1.el5pki.noarch.rpm | SHA-256: c15c12535a025059267fe737152927b34155a69b321b2375c150b65df4f330c7 |
| pki-selinux-8.0.4-1.el5pki.noarch.rpm | SHA-256: 6f78395908b341a79f64e72e87e9c1fed718b50f9a308fbb338633014d2839e5 |
| pki-setup-8.0.4-1.el5pki.noarch.rpm | SHA-256: 0e8d6d9bcde293f19fa4699df6cd732b0fc47dec3bd0d02b95cb550772094e2f |
| redhat-pki-ca-ui-8.0.2-1.el5pki.noarch.rpm | SHA-256: 180b8d71c04aa82cd4354f7be1667c81c314068fc14f07313db9a79d2dddb1a5 |
| i386 | |
| pki-ca-8.0.6-1.el5pki.noarch.rpm | SHA-256: ee329f991f37a4559a4e557b7c5b500b943981c0d86ad886e390599442c665e7 |
| pki-common-8.0.4-1.el5pki.noarch.rpm | SHA-256: a8575406479fc3258e774a6cb953bfa111cde4fcb0c8f1f845a77497b106fb1e |
| pki-common-javadoc-8.0.4-1.el5pki.noarch.rpm | SHA-256: c15c12535a025059267fe737152927b34155a69b321b2375c150b65df4f330c7 |
| pki-selinux-8.0.4-1.el5pki.noarch.rpm | SHA-256: 6f78395908b341a79f64e72e87e9c1fed718b50f9a308fbb338633014d2839e5 |
| pki-setup-8.0.4-1.el5pki.noarch.rpm | SHA-256: 0e8d6d9bcde293f19fa4699df6cd732b0fc47dec3bd0d02b95cb550772094e2f |
| redhat-pki-ca-ui-8.0.2-1.el5pki.noarch.rpm | SHA-256: 180b8d71c04aa82cd4354f7be1667c81c314068fc14f07313db9a79d2dddb1a5 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.