- Issued:
- 2014-10-13
- Updated:
- 2014-10-13
RHBA-2014:1549 - pki-core bug fix and enhancement update
Synopsis
pki-core bug fix and enhancement update
Type/Severity
Bug Fix Advisory
Topic
Updated pki-core packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
Description
Red Hat Certificate System is an enterprise software system designed to manage enterprise Public Key Infrastructure (PKI) deployments. PKI Core contains fundamental packages required by Red Hat Certificate System, which comprise the Certificate Authority (CA) subsystem.
Note: The Certificate Authority component provided by this advisory cannot be used as a standalone server. It is installed and operates as a part of Identity Management (the IPA component) in Red Hat Enterprise Linux.
This update fixes the following bugs:
-
Previously, the IPA CA certificate was created with SHA1 signing algorithm, instead of SHA256. A patch has been provided to fix this bug, and the certification is now correct. (BZ#1024462)
-
Prior to this update, IPA Replica installation failed when using an external CA certificate. The interoperability problems have been fixed, and IPA again works with external CA certificates. (BZ#1051382)
-
Previously, the pki utility generated copious debug log, filling up the /var/log file system with log messages. This update implements the log rotation functionality, thus fixing the bug. (BZ#1055080)
-
When the LANG variable for specifying a locale was set to "tr_TR.UTF8", the installation of IPA became unresponsive. This update prevents Lightweight Directory Access Protocol (LDAP) attributes from being affected by LANG, and IPA no longer hangs. (BZ#1083170)
-
Previously, the setup of the IPA replica failed during external CA Certificate setup with "unable to parse xml" error message. The underlying source code has been patched, and the setup of the replica system now works flawlessly. (BZ#1096142)
-
Due to Access Vector Cache (AVC) denial messages in the audit.log file, the certmonger daemon could not start tracking Public Key Infrastructure (PKI) certificates. Consequently, errors during FreeIPA installation occurred. This update provides a patch for AVC, and certmonger now starts tracking PKI certificates as intended. (BZ#1109181)
-
While installing the IPA Server, numerous Access Vector Cache (AVC) denial messages were stored in audit.log. However, AVC messages were not a blocker and installation proceeded successfully. The problematic source code has been patched, and IPA Public Key Infrastructure (PKI) clone certificate renewal no longer produces AVC denial messages. (BZ#1123811)
In addition, this update adds the following enhancement:
- With this update, the "CS.cfg" file is automatically backed up to "CS.cfg.bak" following a successful restart of any configured PKI instance. (BZ#1061442)
Users of pki-core are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Enterprise Linux for Scientific Computing | 6 | x86_64 |
| Red Hat Enterprise Linux Workstation | 6 | x86_64 |
| Red Hat Enterprise Linux Workstation | 6 | i386 |
| Red Hat Enterprise Linux Server | 6 | x86_64 |
| Red Hat Enterprise Linux Server | 6 | i386 |
| Red Hat Enterprise Linux Server from RHUI | 6 | x86_64 |
| Red Hat Enterprise Linux Server from RHUI | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | i386 |
| Red Hat Enterprise Linux Desktop | 6 | x86_64 |
| Red Hat Enterprise Linux Desktop | 6 | i386 |
Updated Packages
- pki-silent-9.0.3-37.el6.noarch.rpm
- pki-util-9.0.3-37.el6.noarch.rpm
- pki-common-9.0.3-37.el6.noarch.rpm
- pki-core-debuginfo-9.0.3-37.el6.x86_64.rpm
- pki-util-javadoc-9.0.3-37.el6.noarch.rpm
- pki-java-tools-9.0.3-37.el6.noarch.rpm
- pki-symkey-9.0.3-37.el6.x86_64.rpm
- pki-ca-9.0.3-37.el6.noarch.rpm
- pki-native-tools-9.0.3-37.el6.i686.rpm
- pki-java-tools-javadoc-9.0.3-37.el6.noarch.rpm
- pki-selinux-9.0.3-37.el6.noarch.rpm
- pki-native-tools-9.0.3-37.el6.x86_64.rpm
- pki-symkey-9.0.3-37.el6.i686.rpm
- pki-core-9.0.3-37.el6.src.rpm
- pki-setup-9.0.3-37.el6.noarch.rpm
- pki-core-debuginfo-9.0.3-37.el6.i686.rpm
- pki-common-javadoc-9.0.3-37.el6.noarch.rpm
Fixes
CVEs
(none)
References
(none)
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.