RHBA-2012:0245 - Bug Fix Advisory

Topic

An updated certmonger package that fixes multiple bugs and adds one enhancement
is now available for Red Hat Enterprise Linux 5.

Description

The certmonger service monitors certificates as the date at which they become
invalid approaches, optionally attempting to re-enroll with a supported
certificate authority (CA) to keep the services which use the certificates
running without incident.

The certmonger service, which was initially introduced as a Technology Preview,
is now fully-supported. (BZ#665317)

This update fixes the following bugs:

• Prior to this update, ipa-getcert list calls from non-root users logged the

misleading message ""Number of certificates and requests being tracked: 0". This
update modifies the underlying code to display the correct message "Insufficient
access. Please retry operation as root." when non-root users call ipa-getcert
list. (BZ#712072)

• Prior to this update, starting the certmonger service as non-root user looged

the uninformative message "Error connecting to D-Bus.". This update modifies the
underlying code to display the correct message "Insufficient access. Please
retry operation as root." when non-root users start the certmonger service.
(BZ#756745)

• Prior to this update, the IPA web-based service was not compatibile with

certmonger. As a consequence, certmonger was unable to correctly submit
enrollment requests to IPA's CA. With this update, certmonger has been modified
and it now operates correctly with newer versions of IPA. (BZ#757883)

This update also adds the following enhancement:

• Prior to this update, libcurl could not delegate Kerberos tickets via XML-RPC

to authenticate with Identity, Policy and Audit (IPA). This update adds support
for the xmlrpc-c API to allow for Generic Security Services Application Program
Interface (GSSAPI) delegation. (BZ#727864)

All users of the certmonger service are advised to upgrade to this updated
package, which fixes these bugs and adds this enhancement.

Solution

Before applying this update, make sure all previously-released errata relevant
to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 712072 - Unexpected message from ipa-getcert with non-root user
• BZ - 712075 - Proper error message not displayed when non-root user starts certmonger service
• BZ - 727864 - Add support for new xmlrpc-c API to do GSSAPI delegation
• BZ - 756745 - certmonger segfaults when the second daemon is started and can't connect to D-Bus
• BZ - 757883 - certmonger: Requires client-side changes for server-side fixes (due to CVE-2011-3636) [rhel-5.8]

CVEs

(none)

References

(none)