Synopsis

Moderate: pki security and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

Updated pki-common, pki-tps and pki-util packages that fix multiple
security issues and add one enhancement are now available for Red Hat
Certificate System 8.1.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Description

Red Hat Certificate System is an enterprise software system designed to
manage enterprise Public Key Infrastructure (PKI) deployments.

Multiple cross-site scripting flaws were discovered in the Red Hat
Certificate System Agent and End Entity pages. An attacker could use these
flaws to perform a cross-site scripting (XSS) attack against victims using
Certificate System's web interface. (CVE-2012-2662)

It was discovered that Red Hat Certificate System's Certificate Manager
did not properly check certificate revocation requests performed via its
web interface. An agent permitted to perform revocations of end entity
certificates could use this flaw to revoke the Certificate Authority (CA)
certificate. (CVE-2012-3367)

This update also adds the following enhancement:

• Red Hat Certificate System 8.1 did not previously allow using Red Hat
  Directory Server 9.0 as its internal database. This update adds support
  for Directory Server 9.0. (BZ#547527, BZ#819508)
  

All users of Red Hat Certificate System 8.1 are advised to upgrade to these
updated packages, which correct these issues and add this enhancement.
After installing this update, all Red Hat Certificate System subsystems
must be restarted for the update to take effect.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

• Red Hat Certificate System 8 x86_64
• Red Hat Certificate System 8 i386

Fixes

• BZ - 547527 - dogtag does not work with latest 389 DS
• BZ - 826646 - CVE-2012-2662 Certificate System: multiple XSS flaws
• BZ - 836268 - CVE-2012-3367 Certificate System: CA certificate can be revoked

CVEs

• CVE-2012-2662
• CVE-2012-3367

References

• https://access.redhat.com/security/updates/classification/#moderate

Red Hat Certificate System 8

SRPM
pki-common-8.1.1-1.el5pki.src.rpm	SHA-256: 9ad54b29a3847906cfaacb163779cf6e5f424d15c7d7a42340fe30db568fe62c
pki-tps-8.1.1-1.el5pki.src.rpm	SHA-256: 565c0be3cc9e2d0ac89cd6990e7bce83e8e01a4322ac21f0367a5ef3d4c34a20
pki-util-8.1.1-1.el5pki.src.rpm	SHA-256: 7baf175e081292f685a3d182d2ea1b3a9299b1bc1c5c1f9e48e9ba49db529e3b
x86_64
pki-common-8.1.1-1.el5pki.noarch.rpm	SHA-256: 9bf2199c4cb67faaeb6f895b44e097747225812844cbb4b03a6cfd56444fa15d
pki-common-javadoc-8.1.1-1.el5pki.noarch.rpm	SHA-256: 8ff59b0de364f63bbcc2c7ec60b6a9448dc1c8702797551c40f02259215a80e9
pki-tps-8.1.1-1.el5pki.x86_64.rpm	SHA-256: 383130a92d72f683a5b26b2d653a08ea13d0fd4e2d9fa2e3dfff60df7fce9b49
pki-util-8.1.1-1.el5pki.noarch.rpm	SHA-256: 5511d8f6959efe33313172da0154d25ce47c58119b921df385f1d750745cbd46
pki-util-javadoc-8.1.1-1.el5pki.noarch.rpm	SHA-256: 19688423964c7f6e6df1e834c9e23042111d4aaa04c53acb29c472be7966f79f
i386
pki-common-8.1.1-1.el5pki.noarch.rpm	SHA-256: 9bf2199c4cb67faaeb6f895b44e097747225812844cbb4b03a6cfd56444fa15d
pki-common-javadoc-8.1.1-1.el5pki.noarch.rpm	SHA-256: 8ff59b0de364f63bbcc2c7ec60b6a9448dc1c8702797551c40f02259215a80e9
pki-tps-8.1.1-1.el5pki.i386.rpm	SHA-256: e9d1663c67be86c1a4625ee3dbf61d3c8aa79629b62af5b995ff0e1f925ba436
pki-util-8.1.1-1.el5pki.noarch.rpm	SHA-256: 5511d8f6959efe33313172da0154d25ce47c58119b921df385f1d750745cbd46
pki-util-javadoc-8.1.1-1.el5pki.noarch.rpm	SHA-256: 19688423964c7f6e6df1e834c9e23042111d4aaa04c53acb29c472be7966f79f