RHEA-2017:1432 - Product Enhancement Advisory

Topic

An updated ca-certificates package that adds one enhancement is now available for Red Hat Enterprise Linux 6.

Description

The ca-certificates package contains a set of Certification Authority (CA) certificates chosen by the Mozilla Foundation for use with the Internet Public Key Infrastructure (PKI).

The ca-certificates package has been upgraded to upstream version 2.14, which provides one enhancement over the previous version. Notably, the package now contains the following modification:

• The Certificate Authority (CA) list has been updated to meet the recommendations as published with the latest Mozilla Firefox Extended Support Release (ESR) as part of the Network Security Services (NSS) version 3.28.5. The updated CA list improves compatibility with the certificates that are used in the Internet Public Key Infrastructure (PKI).

For compatibility reasons, several root CA certificates with an RSA key size of 1024 bits have been kept as trusted by default to ensure compatibility with existing PKI deployments and with software based on OpenSSL or GnuTLS. To avoid certificate validation refusals, Red Hat recommends installing the updated CA list on June 12, 2017.

The ca-certificates package also includes the "ca-legacy" command, which can be used to disable the mentioned compatibility modifications. See the ca-legacy(8) manual page for more information on how to use the command.

Users who intend to disable the legacy modifications are also advised to refer to the following Knowledge Base article, which provides details about these modifications and the potential consequences of disabling them:

https://access.redhat.com/articles/1413643

Note that using the unified CA store is required to be able to use the "ca-legacy" command. See the update-ca-trust(8) manual page to learn how to enable the unified CA store.

(BZ#1425543)

Users of ca-certificates are advised to upgrade to this updated package, which adds this enhancement.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x

Fixes

• BZ - 1425543 - Rebase CA-CERTIFICATES in RHEL 6.x to the version required by Firefox 52

CVEs

(none)

References

• https://access.redhat.com/articles/1413643