RHBA-2015:1094 - Bug Fix Advisory

Topic

Updated Red Hat Directory Server packages that fix several bugs and add various enhancements are now available for Red Hat Directory Server 10.

Description

Red Hat Directory Server is an LDAPv3-compliant directory server. The suite of packages includes the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration, the Administration Server HTTP agent package, and the GUI console packages.

This update fixes the following bugs:

• Previously, the Directory Server used the SSLv3 protocol. Due to a vulnerability in the design of Secure Sockets Layer (SSL) version 3.0 known as the Poodlebleed bug, SSLv3 is not considered secure, and the Transport Layer Security (TLS) protocol 1.1 or newer should be used. With this update, the SSLv3 protocol is disabled by default, and support for TLS 1.1 or newer has been added to the Admin Server, AdminUtil, and the Directory Server Console. (BZ#1173240, 1184175)
• Prior to this update, importing a certification authority (CA) certificate via the Console when a CA certificate with the same name already existed in the certificate database caused the security common gateway interface (CGI) to terminate unexpectedly. A patch has been applied, and CGI no longer crashes in this scenario. (BZ#903979)
• Due to a bug in the underlying code, clicking the “Manage Certificates” button in the Console after installing a certificate led to unexpected termination of the Admin Server. A patch has been applied, and the Admin Server no longer crashes in this situation. (BZ#979419)
• Formerly, the Directory Server Console did not correctly disable SSL. Consequently, the Directory Server could not be started from the Console after adding and removing certificates for SSL. To fix this bug, a patch has been applied, and the Directory Server can now be restarted as expected. (BZ#1134688)
• Previously, reconfiguring the Admin Server overwrote the security files. Consequently, the SSL was broken. This has now been fixed. It is recommended to back up the security files when reconfiguring and restore them at the end of reconfiguration. (BZ#1173252)
• Prior to this update, the configuration tab was not functional when the FIPS mode was enabled. Information about the FIPS mode has been added to the Admin Server security CGI to fix this bug, and FIPS mode is now supported. (BZ#1173244)
• A bug in accessing the hardware security module (HSM) in the Admin Server security CGI has been fixed, and it is now possible to configure nCipher HSMs using the redhat-idm-console command. (BZ#1173242)
• Previously, when editing Application Centric Infrastructures (ACIs) from the Console, the edited ACIs were deleted if one of them was invalid. A patch has been applied to fix this bug, and the deletion no longer occurs. (BZ#1183789)
• A patch has been applied to enable the Console to support passwords containing 8-bit characters. (BZ#1173277)
• Formerly, an incorrect error message was displayed when attempting to change the NSS security database password from the Console. This has been amended, and changing the password now works as expected. (BZ#965129)
• Prior to this update, using the "nsslapd-allow-anonymous-access: rootdse" command caused the first administrator login to fail. A patch has been applied, and the login no longer fails when anonymous bind access is restricted. (BZ#1116439)
• The register-ds-admin.pl utility now supports registration to remote Directory Servers. (BZ#1173249)

In addition, this update adds the following enhancements:

• The Certificate Revocation List (CRL) / Compromised Key List (CKL) import dialog now specifies the required file format, which is Privacy Enhanced Mail (PEM), and informs that the file must exist in the server security directory. (BZ#966958)
• The RSA key size values are now 2048, 3072, and 4096. The default value, previously 1024, is now 2048. The new signing algorithm values are SHA-1 (default), SHA-256, SHA-384, and SHA-512. (BZ#844764)

Users of Red Hat Directory Server are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

To update all RPMs for your architecture, run the following command where [filenames] is a list of the RPMs you wish to upgrade:

rpm -Fvh [filenames]

Only the RPMs which are currently installed will be updated. RPMs that are
not installed, but are included in the list, will not be updated. Note that you can use wildcards (*.rpm) if your current directory contains only the desired RPMs.

This update is available also via the Red Hat Network. Using the Red Hat Network is a convenient way to apply updates. To use it, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will upgrade the appropriate
RPMs on your system.

Affected Products

• Red Hat Directory Server 10 x86_64

Fixes

• BZ - 694681 - register-ds-admin.pl--map value of ServerAdminID for key as_uid did not map to value...
• BZ - 846448 - admin-serv logs filling with "admserv_host_ip_check: ap_get_remote_host could not resolve <ip address>"
• BZ - 1201586 - Directory Server Admin Console: plaintext password logged in debug mode
• BZ - 1203411 - Add "+all" and "-TLS_RSA_WITH_AES_128_GCM_SHA256" to Console Cipher Preference for TLS
• BZ - 1208694 - [Console only] drop support for legacy replication
• BZ - 1217015 - remove-ds-admin.pl removes files in the rpm
• BZ - 1219220 - idm-console-framework: remove versioned jars from %{_javadir}
• BZ - 1222019 - Missing text in context menu items
• BZ - 1223845 - register-ds-admin.pl script prints clear text password in the terminal
• BZ - 1225042 - Adding an OU from console is throwing missing attribute aliasedObjectName error
• BZ - 1225800 - Link is incorrect for Documentation Home in Help

CVEs

(none)

References

• http://www.redhat.com/security/updates/classification/#normal