RHBA-2015:1480 - Bug Fix Advisory

Topic

Updated Red Hat Directory Server packages that fix several bugs and add various
enhancements are now available for Red Hat Directory Server 9.

Description

Red Hat Directory Server is an LDAPv3-compliant directory server. The suite of
packages includes the Lightweight Directory Access Protocol (LDAP) server and
command-line utilities for server administration, the Administration Server HTTP
agent package, and the GUI console packages.

The following packages have been upgraded to version RHDS9.1.1.: 389-ds-console,
389-admin-console, 389-admin, 389-adminutil, 389-console, redhat-ds-console,
redhat-admin-console, redhat-ds-admin, idm-console-framework, redhat-ds,
redhat-ds-base, and redhat-idm-console. The most notable bug fixes and
enhancements include:

• Importing a certificate authority (CA) certificate using the Console when a CA

certificate with the same name already exists in the certificate database no
longer causes the security common gateway interface (CGI) to terminate
unexpectedly.

• Clicking the "Manage Certificates" button in the Console after installing a

certificate no longer causes the Admin Server to terminate unexpectedly.

• The Directory Server can now be restarted as expected from the Console after

adding and removing certificates for SSL.

• Reconfiguring the Admin Server no longer overwrites the security files, thus

no longer breaking SSL. It is recommended to back up the security files when
reconfiguring and restore them at the end of reconfiguration.

• When editing Application Centric Infrastructures (ACIs) from the Console, the

edited ACIs are no longer deleted if one of them is invalid.

• The Console now supports passwords containing 8-bit characters.
• Attempting to change the Network Security Services (NSS) security database

password from the Console no longer displays an incorrect error message.

• Using the "nsslapd-allow-anonymous-access: rootdse" attribute no longer causes

the first administrator login to fail when anonymous bind access is restricted.

• The register-ds-admin.pl utility now supports registration to remote Directory

Servers.

• The Certificate Revocation List (CRL) / Compromised Key List (CKL) import

dialog now specifies the required file format, which is Privacy Enhanced Mail
(PEM), and informs that the file must exist in the server security directory.

• The RSA key size values are now 2048, 3072, and 4096. The default value,

previously 1024, is now 2048. The new signing algorithm values are SHA-1
(default), SHA-256, SHA-384, and SHA-512.

(BZ#1195503, BZ#1195505, BZ#1195508, BZ#1195511, BZ#1195512, BZ#1195513,
BZ#1195514, BZ#1195515, BZ#1195517, BZ#1195518, BZ#1195519, BZ#1195520)

This update fixes the following bugs:

• A bug in accessing the hardware security module (HSM) in the Admin Server

security CGI has been fixed, and it is now possible to configure nCipher HSMs
using the redhat-idm-console command. (BZ#622957)

• The configuration tab was not functional when the FIPS mode was enabled.

Information about the FIPS mode has been added to the Admin Server security CGI
to fix this bug, and FIPS mode is now supported. (BZ#951708)

• The remove-ds-admin.pl(8) man page did not include the description for the

"-a" option. Also, the description for "-a" displayed by the "remove-ds-admin.pl

• -help" command was not sufficient. This update adds the description for "-a" to

the man page and extends the "-a" description displayed by "remove-ds-admin.pl

• -help". (BZ#981573)
• Previously, the Directory Server used the SSL protocol version 3 (SSLv3).

SSLv3 is no longer considered secure, and the TLS protocol 1.1 (TLSv1.1) or
later should be used. With this update, the SSLv3 protocol is disabled by
default, and support for TLSv1.1 or later has been added to the Admin Server,
AdminUtil, and the Directory Server Console. (BZ#1172312)

Users of Red Hat Directory Server are advised to upgrade to these updated
packages, which fix these bugs and add these enhancements.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Affected Products

• Red Hat Directory Server 9 x86_64
• Red Hat Directory Server 9 i386

Fixes

• BZ - 1195503 - Rebase 389-ds-console to version RHDS9.1.1
• BZ - 1195505 - Rebase 389-admin-console to version RHDS9.1.1
• BZ - 1195508 - Rebase 389-admin to version RHDS9.1.1
• BZ - 1195511 - Rebase 389-adminutil to version RHDS9.1.1
• BZ - 1195512 - Rebase 389-console to version RHDS9.1.1
• BZ - 1195513 - Rebase redhat-ds-console to version RHDS9.1.1
• BZ - 1195514 - Rebase redhat-admin-console to version RHDS9.1.1
• BZ - 1195515 - Rebase redhat-ds-admin to version RHDS9.1.1
• BZ - 1195517 - Rebase idm-console-framework to version RHDS9.1.1
• BZ - 1195518 - Rebase redhat-ds to version RHDS9.1.1
• BZ - 1195519 - Rebase redhat-ds-base to version RHDS9.1.1
• BZ - 1195520 - Rebase redhat-idm-console to version RHDS9.1.1

CVEs

(none)

References

(none)