RHBA-2014:1512 - Bug Fix Advisory

Topic

Updated certmonger packages that fix several bugs and add various enhancements
are now available for Red Hat Enterprise Linux 6.

Description

The certmonger service monitors certificates, warning of their impending
expiration, and optionally attempting to re-enroll with supported
Certificate Authorities (CA).

The certmonger packages have been upgraded to upstream version 0.75.13, which
provides a number of bug fixes and enhancements over the previous version
including:

• support for retrieving an IPA server's root certificate and optionally

storing it to specified locations

• improvements in how the certmonger daemon handles disconnection from

the system message bus

• improvements in how the certmonger daemon runs enrollment helpers and parses

results returned by them

• fixed bug causing unexpected termination if an attempt to save a certificate

failed

• fixed incorrect use of the libdbus library that triggered the _dbus_abort()

function

• fixed segmentation fault with incorrectly structured entries in the

/var/lib/certmonger/cas/ directory
(BZ#1098208, BZ#948993, BZ#1032760, BZ#1103090, BZ#1115831)

This update also fixes the following bugs:

• This update fixes the implementation of the remove_known_ca dbus call in the

certmonger package to prevent the certmonger daemon from terminating
unexpectedly when called by remove_known_ca. (BZ#1125342)

In addition, this update adds the following enhancements:

• This update adds the certmonger_selinux manual page to document the effect

that
SELinux has in limiting the allowed access to locations for the certmonger
daemon. Also, the selinux.txt document has been added to the certmonger
package to provide more details about interaction with SELinux. A reference to
certmonger_selinux and selinux.txt has been added to other certmonger man pages.
(BZ#1027265)

Users of certmonger are advised to upgrade to these updated packages, which fix
these bugs and add these enhancements.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x

Fixes

• BZ - 948993 - certmonger failing after IPA uninstall and reinstall
• BZ - 1027265 - Certmonger man pages need a note about SELinux
• BZ - 1032760 - Certmonger crashes when trying to decode certificate with invalid data in header
• BZ - 1098208 - Rebase certmonger to include the ability to add IPA CA cert to NSS database (and files)
• BZ - 1103090 - certmonger coredumps -- dbus related
• BZ - 1118468 - [RFE] Add the ability to poll on FETCH_ROOT
• BZ - 1125342 - Support remove_known_ca dbus call
• BZ - 1126985 - ipa-submit helper fails if ldap_url is not present in default.conf
• BZ - 1129537 - CA not saved to specified nss db location
• BZ - 1129696 - start-tracking does not saves the CA cert to specified file location

CVEs

(none)

References

(none)