- Issued:
- 2010-03-25
- Updated:
- 2010-03-25
RHBA-2010:0169 - pki-ca, redhat-pki-ca-ui, pki-common, pki-setup, pki-selinux bug fix update
Synopsis
pki-ca, redhat-pki-ca-ui, pki-common, pki-setup, pki-selinux bug fix update
Type/Severity
Bug Fix Advisory
Topic
Updated pki-ca, pki-common, redhat-pki-ca-ui, pki-setup, and pki-selinux packages are now available for Red Hat Certificate System 8.0.
Description
Red Hat Certificate System (RHCS) is an enterprise software system designed to manage enterprise public key infrastructure (PKI) deployments.
The NSS packages released as RHSA-2010:0165 address a session renegotiation flaw in the TLS/SSL protocols (CVE-2009-3555) by implementing the TLS Renegotiation Indication Extension, as defined in RFC 5746. With these updated packages installed, session renegotiations will fail unless both the client and server have been updated to implement the new protocol extension.
This affects the CA subsystem end-entity pages. Server-initiated session renegotiation occurs when a user connects to the end-entity pages (which do not require client authentication) and requests an enrollment profile that requires client authentication. Unless the client (such as a web browser) has been updated to use the new protocol, the session renegotiation will fail, and the enrollment request will fail.
To prevent this failure, the updated Certificate System packages introduce a new port that always requires client authentication and that would be used for end-entity operations. When the user submits data for an enrollment profile that requires client authentication, the enrollment will be directed to this new port, thus eliminating the need for server-initiated TLS session renegotiation. (BZ#545935)
Note: This scenario does not affect communication between Certificate System subsystems, as long as all the Certificate System subsystems are updated with the new NSS packages.
In addition, some profiles which are used internally by the installation wizard to create system certificates were incorrectly set to be visible on the end-entity pages. This has been corrected.
The changes in this errata will be applied to all new Certificate System 8.0 CA instances created. For existing instances, required reconfiguration steps have been detailed in this Red Hat Knowledgebase article:
This content is not included.http://kbase.redhat.com/faq/docs/DOC-28439
Solution
Before applying this update, make sure that all previously-released errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at This content is not included.http://kbase.redhat.com/faq/docs/DOC-11259
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Certificate System | 8 | x86_64 |
| Red Hat Certificate System | 8 | i386 |
Updated Packages
- pki-ca-8.0.6-1.el5pki.noarch.rpm
- redhat-pki-ca-ui-8.0.2-1.el5pki.noarch.rpm
- pki-setup-8.0.4-1.el5pki.noarch.rpm
- pki-selinux-8.0.4-1.el5pki.noarch.rpm
- pki-common-8.0.4-1.el5pki.noarch.rpm
- pki-common-8.0.4-1.el5pki.src.rpm
- pki-selinux-8.0.4-1.el5pki.src.rpm
- pki-setup-8.0.4-1.el5pki.src.rpm
- pki-ca-8.0.6-1.el5pki.src.rpm
- pki-common-javadoc-8.0.4-1.el5pki.noarch.rpm
- redhat-pki-ca-ui-8.0.2-1.el5pki.src.rpm
Fixes
(none)
CVEs
(none)
References
- This content is not included.This content is not included.http://kbase.redhat.com/faq/docs/DOC-28439
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.