- Issued:
- 2011-12-06
- Updated:
- 2011-12-06
RHBA-2011:1572 - opencryptoki bug fix and enhancement update
Synopsis
opencryptoki bug fix and enhancement update
Type/Severity
Bug Fix Advisory (none)
Topic
Updated opencryptoki packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
Description
The openCryptoki package contains version 2.11 of the PKCS#11 API, implemented for IBM Cryptocards. This package includes support for the IBM 4758 Cryptographic CoProcessor (with the PKCS#11 firmware loaded), the IBM eServer Cryptographic Accelerator (FC 4960 on IBM eServer System p), the IBM Crypto Express2 (FC 0863 or FC 0870 on IBM System z), and the IBM CP Assist for Cryptographic Function (FC 3863 on IBM System z).
These updated opencryptoki packages provide fixes for the following bugs:
-
When setting the length of an RSA key for the IBM Cryptographic Accelerator (ICA) token, initialization of the CKA_MODULUS_BITS internal attribute of PKCS#11 was not properly tested and the RSA key length could have been set incorrectly. As a consequence, RSA key verification in the ICA token failed. To ensure that the RSA key is set correctly, two conditions have been added in the respective function in the ICA specific library. The RSA key operations now work properly on the ICA token. (BZ#734489)
-
Prior to this update, the documentation provided with opencryptoki packages stated that users using opencryptoki needed to be members of the "pkcs11" group but did not mention the real privileges granted by adding a user to the group. Consequently, it was not clear that the members of the "pkcs11" group are assumed to be fully trusted. With this update opencryptoki(7) man page now contains a security note. (BZ#730903)
-
Prior to this update, an unnecessary check in the attach_shared_memory() function was made which therefore required explicit group membership regardless of the current effective privileges. Consequently, upon installation of the opencryptoki packages and creation of the "pkcs11" group, the root user was added to the group. However, root user should not need access to the group to be able to access shared memory. With this update the shared memory checks have been corrected and root user no longer requires membership of the "pkcs11" group. (BZ#732756)
In addition, these updated packages provide the following enhancement:
- The openCryptoki package has been upgraded to upstream version 2.4, which provides a number of bug fixes and enhancements over the previous version. (BZ#693779)
Users are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
Solution
Before applying this update, make sure all previously-released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at This content is not included.http://kbase.redhat.com/faq/docs/DOC-11259
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Enterprise Linux for Power, big endian | 6 | ppc64 |
| Red Hat Enterprise Linux for IBM z Systems | 6 | s390x |
| Red Hat Enterprise Linux Workstation | 6 | x86_64 |
| Red Hat Enterprise Linux Workstation | 6 | i386 |
| Red Hat Enterprise Linux Server | 6 | x86_64 |
| Red Hat Enterprise Linux Server | 6 | i386 |
| Red Hat Enterprise Linux Server from RHUI | 6 | x86_64 |
| Red Hat Enterprise Linux Server from RHUI | 6 | i386 |
| Red Hat Enterprise Linux Server - Retired Extended Life Cycle Support | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Desktop | 6 | x86_64 |
| Red Hat Enterprise Linux Desktop | 6 | i386 |
Updated Packages
- opencryptoki-debuginfo-2.4-2.el6.s390x.rpm
- opencryptoki-2.4-2.el6.x86_64.rpm
- opencryptoki-devel-2.4-2.el6.i686.rpm
- opencryptoki-devel-2.4-2.el6.x86_64.rpm
- opencryptoki-2.4-2.el6.i686.rpm
- opencryptoki-debuginfo-2.4-2.el6.ppc.rpm
- opencryptoki-libs-2.4-2.el6.ppc64.rpm
- opencryptoki-2.4-2.el6.s390x.rpm
- opencryptoki-devel-2.4-2.el6.ppc64.rpm
- opencryptoki-debuginfo-2.4-2.el6.ppc64.rpm
- opencryptoki-2.4-2.el6.ppc64.rpm
- opencryptoki-debuginfo-2.4-2.el6.s390.rpm
- opencryptoki-libs-2.4-2.el6.ppc.rpm
- opencryptoki-libs-2.4-2.el6.s390x.rpm
- opencryptoki-debuginfo-2.4-2.el6.i686.rpm
- opencryptoki-libs-2.4-2.el6.x86_64.rpm
- opencryptoki-2.4-2.el6.src.rpm
- opencryptoki-devel-2.4-2.el6.s390.rpm
- opencryptoki-devel-2.4-2.el6.ppc.rpm
- opencryptoki-debuginfo-2.4-2.el6.x86_64.rpm
- opencryptoki-devel-2.4-2.el6.s390x.rpm
- opencryptoki-libs-2.4-2.el6.s390.rpm
- opencryptoki-libs-2.4-2.el6.i686.rpm
Fixes
CVEs
(none)
References
(none)
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.