- Issued:
- 2021-03-22
- Updated:
- 2021-03-22
RHSA-2021:0948 - Security Advisory
Synopsis
Moderate: Red Hat Certificate System security and bug fix update
Type/Severity
Security Advisory: Moderate
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
An update for pki-console, pki-core, and redhat-pki-theme is now available for Red Hat Certificate System 9.4 EUS.
Red Hat Certificate System 9.4 EUS is a special channel for the delivery of Red Hat Certificate System updates. Downgrading the installed packages is not supported.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System.
Security Fix(es):
- pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab (CVE-2019-10178)
- pki-core: unsanitized token parameters in TPS resulting in stored XSS (CVE-2019-10180)
- pki-core: Stored XSS in TPS profile creation (CVE-2020-1696)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- Update Batch Update Information to Version 20 [RHCS 9.4.z] (BZ#1931149)
- Not able to launch pkiconsole -- RHEL 7.6.z backport request [RHCS 9.4.z] (BZ#1931718)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Affected Products
- Red Hat Certificate System - Extended Update Support 9 for RHEL 7.6 x86_64
Fixes
- BZ - 1719042 - CVE-2019-10178 pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab
- BZ - 1721137 - CVE-2019-10180 pki-core: unsanitized token parameters in TPS resulting in stored XSS
- BZ - 1780707 - CVE-2020-1696 pki-core: Stored XSS in TPS profile creation
Red Hat Certificate System - Extended Update Support 9 for RHEL 7.6
| SRPM | |
|---|---|
| idm-console-framework-1.1.17-4.el7dsrv.src.rpm | SHA-256: 7ea3cea7c8ea2b1c5b1f91f16584c89a773072c144e1978ba8ac2f75ca723e22 |
| pki-console-10.5.9-2.el7pki.src.rpm | SHA-256: 1f7f72f02a0c1893a58c0b48ba4374caee40242c49add43403c9cac89e8ecd60 |
| pki-core-10.5.9-15.el7pki.src.rpm | SHA-256: 3d830dafb037bd62f0221da45dac295c2c5b87f270f0461907a470d712c0a357 |
| redhat-pki-theme-10.5.9-5.el7pki.src.rpm | SHA-256: 665570d78e9962253796dea468a7b615a8947c64f1617caf63ad83569a1ee33d |
| x86_64 | |
| idm-console-framework-1.1.17-4.el7dsrv.noarch.rpm | SHA-256: 8c463f8af2f33194574323fb21c201fbbf262bba44f20f2dfb8bcbbe765c3172 |
| pki-console-10.5.9-2.el7pki.noarch.rpm | SHA-256: b17da2c56f9fa2014aa9e93d46aff954fa159b7028025a02bb90a7ce55771a13 |
| pki-core-debuginfo-10.5.9-15.el7pki.x86_64.rpm | SHA-256: 897a1677321b7bab29cbfb30346612e2bb9aeae89264b7ed1c997eb794082302 |
| pki-ocsp-10.5.9-15.el7pki.noarch.rpm | SHA-256: a615eb64742d0d633bcfec3a05ee51e82e8ab475679644aaada3ca992a04edd7 |
| pki-tks-10.5.9-15.el7pki.noarch.rpm | SHA-256: 964ddb936383de348fee8b89e67164c307790862b2e00b95ea0a93b56b12fde8 |
| pki-tps-10.5.9-15.el7pki.x86_64.rpm | SHA-256: b622d422979cb5cfedb983638dd022316d4e03ad6c49698075b9ebed1b770432 |
| redhat-pki-console-theme-10.5.9-5.el7pki.noarch.rpm | SHA-256: d2bcbe1ab08b176d9e965fd636d45cf74a44149027e841f243d4a97123e23bfe |
| redhat-pki-server-theme-10.5.9-5.el7pki.noarch.rpm | SHA-256: 0d4abf91d996f9b134ba4b3a36d45959fe70f8eac8c42e3c1d93445bc9dcbcbb |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
