RHBA-2015:1379 - Bug Fix Advisory

Topic

Updated certmonger packages that fix two bugs and add various enhancements are
now available for Red Hat Enterprise Linux 6.

Description

The certmonger service monitors certificates, warns of their impending
expiration, and optionally attempts to renew certificates by enrolling the
system with a certificate authority (CA).

This update fixes the following bugs:

• Prior to this update, after the user upgraded from Red Hat Enterprise Linux

6.5 to Red Hat Enterprise Linux 6.6 and rebooted the system, certmonger in some
cases erroneously exited shortly after starting or performed a series of
unnecessary checks for new certificates. A patch has been applied to fix this
bug, and these problems no longer occur in the described situation. (BZ#1163023)

• Previously, the "getcert list" command did not display the "pre-save command"

and "post-save command" values. As a consequence, running "getcert list" could
return incomplete results. With this update, the problem has been fixed, and
running "getcert list" displays the "pre-save command" and "post-save command"
values as expected. (BZ#1178190)

In addition, this update adds the following enhancements:

• The certmonger service now supports the Simple Certificate Enrollment Protocol

(SCEP). For obtaining certificates from servers, the user can now offer
enrollment over SCEP. (BZ#1161768)

• Requesting a certificate using the getcert utility during an IdM client

kickstart enrollment no longer requires certmonger to be running. Previously, an
attempt to do this failed because certmonger was not running. With this update,
getcert can successfully request a certificate in the described situation, on
the condition that the D-Bus daemon is not running. Note that certmonger
requires a system reboot to start monitoring the certificate obtained in this
way. (BZ#1169806)

• Previously, after the user ran the "getcert list" command, the output included

the PIN value if it was set for the certificate. Consequently, the user could
unintentionally expose the PIN, for example by publicly sharing the output of
the command. With this update, the "getcert list" output only contains a note
that a PIN is set for the certificate. As a result, the PIN value itself is no
longer displayed in the "getcert list" output. (BZ#1222595)

Users of certmonger are advised to upgrade to these updated packages, which fix
these bugs and add these enhancements.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x

Fixes

• BZ - 1144082 - rebuild tests of tps-srpmtest test failing
• BZ - 1161768 - [RFE] certmonger: add support for scep for certificates auto enrollment
• BZ - 1163023 - certmonger 32 bits crashes after upgrading from 6.5 to 6.6
• BZ - 1178190 - pre and post commands do not display in getcert list
• BZ - 1219643 - certmonger 0.77.1/0.77.2 can lose private keys
• BZ - 1222595 - Suppress PIN values in 'getcert list' output

CVEs

(none)

References

(none)