- Issued: 2013-11-20
- Updated: 2013-11-20
RHEA-2013:1626 - new packages: p11-kit
Synopsis
new packages: p11-kit
Type/Severity
Product Enhancement Advisory (none)
Topic
New p11-kit packages are now available for Red Hat Enterprise Linux 6.
Description
The p11-kit package provides a mechanism to manage PKCS#11 modules. The p11-kit-trust subpackage includes a PKCS#11 trust module that provides certificate anchors and black lists based on configuration files.
This enhancement update adds the p11-kit packages to Red Hat Enterprise Linux 6. (BZ#915798)
- Red Hat Enterprise Linux 6.5 provides the p11-kit package to implement the Shared System Certificates feature. If enabled by the administrator, it ensures a system-wide trust store of static data that is used by crypto toolkits as input for certificate trust decisions. (BZ#977886)
These new packages had several bugs fixed during testing:
- Support for using the freebl3 library for the SHA1 and MD5 cryptographic hash functions has been added even though the hashing is done in a strictly non-cryptographic context. (BZ#983384)
- All file handles opened by p11-kit are created with the O_CLOEXEC flag, so that they are automatically closed on the execve() function and do not leak to subprocesses. (BZ#984986)
- When expanding the "$HOME" variable or the "~/" path for SUID and SGID programs, the expand_home() function returns NULL. This change helps avoid vulnerabilities that could occur if SUID or SGID programs accidentally trusted this environment. Also, documentation concerning the fact that user directories are not read for SUID/SGID programs has been added. (BZ#985014)
- Users need to use the standard $TMPDIR environment variable for locating the temp directory. (BZ#985017)
- If a critical module fails to initialize, module initialization stops and the user is informed about the failure. (BZ#985023)
- The p11_kit_space_strlen() function returns a "0" value for empty strings. (BZ#985416)
- Arguments of the size_t type are correctly passed to the "p11_hash_xxx" functions. (BZ#985421)
- Changes in the code ensure that the memdup() function is not called with a zero length or NULL pointers. (BZ#985433)
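The O_CLOEXEC and SUID/SGID home-expansion behaviour described in BZ#984986 and BZ#985014 can be illustrated with the following added example, which is not p11-kit source code. The helper names (open_cloexec, fd_is_cloexec, running_privileged, expand_home_checked) and the file name example.conf are hypothetical, and the privileged state is passed in as a parameter so the refusal path can be exercised without a SUID binary.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Open read-only with close-on-exec set atomically at open() time. */
int open_cloexec(const char *path) {
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* 1 if the descriptor is closed on execve(), 0 if it would leak, -1 on error. */
int fd_is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : (flags & FD_CLOEXEC) != 0;
}

/* Real and effective IDs differ in a SUID/SGID process. */
int running_privileged(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Hypothetical helper: expand a leading "~/" or "$HOME/".
 * Returns NULL when privileged; the caller frees the result. */
char *expand_home_checked(const char *path, int privileged) {
    const char *rest = NULL;
    if (strncmp(path, "~/", 2) == 0) rest = path + 1;
    else if (strncmp(path, "$HOME/", 6) == 0) rest = path + 5;
    if (rest == NULL) return strdup(path);   /* nothing user-controlled to expand */
    if (privileged) return NULL;             /* never trust $HOME under SUID/SGID */
    const char *home = getenv("HOME");
    if (home == NULL || home[0] != '/') return NULL;
    size_t n = strlen(home) + strlen(rest) + 1;
    char *out = malloc(n);
    if (out != NULL) snprintf(out, n, "%s%s", home, rest);
    return out;
}

int main(void) {
    int fd = open_cloexec("/dev/null");
    char *p = expand_home_checked("~/example.conf", running_privileged());
    printf("cloexec=%d path=%s\n", fd_is_cloexec(fd), p ? p : "(refused)");
    free(p);
    if (fd >= 0) close(fd);
    return 0;
}
```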
All users who require the Shared System Certificates feature are advised to install these new packages.
Solution
Before applying this update, make sure all previously-released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Enterprise Linux for Scientific Computing | 6 | x86_64 |
| Red Hat Enterprise Linux for Power, big endian | 6 | ppc64 |
| Red Hat Enterprise Linux for IBM z Systems | 6 | s390x |
| Red Hat Enterprise Linux Workstation | 6 | x86_64 |
| Red Hat Enterprise Linux Workstation | 6 | i386 |
| Red Hat Enterprise Linux Server | 6 | x86_64 |
| Red Hat Enterprise Linux Server | 6 | i386 |
| Red Hat Enterprise Linux Server from RHUI | 6 | x86_64 |
| Red Hat Enterprise Linux Server from RHUI | 6 | i386 |
| Red Hat Enterprise Linux Server - Retired Extended Life Cycle Support | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Desktop | 6 | x86_64 |
| Red Hat Enterprise Linux Desktop | 6 | i386 |
Updated Packages
- p11-kit-devel-0.18.5-2.el6.x86_64.rpm
- p11-kit-debuginfo-0.18.5-2.el6.i686.rpm
- p11-kit-0.18.5-2.el6.ppc64.rpm
- p11-kit-devel-0.18.5-2.el6.s390.rpm
- p11-kit-0.18.5-2.el6.src.rpm
- p11-kit-0.18.5-2.el6.s390x.rpm
- p11-kit-trust-0.18.5-2.el6.s390x.rpm
- p11-kit-debuginfo-0.18.5-2.el6.s390.rpm
- p11-kit-0.18.5-2.el6.x86_64.rpm
- p11-kit-debuginfo-0.18.5-2.el6.ppc.rpm
- p11-kit-devel-0.18.5-2.el6.ppc.rpm
- p11-kit-0.18.5-2.el6.i686.rpm
- p11-kit-debuginfo-0.18.5-2.el6.x86_64.rpm
- p11-kit-debuginfo-0.18.5-2.el6.ppc64.rpm
- p11-kit-devel-0.18.5-2.el6.ppc64.rpm
- p11-kit-trust-0.18.5-2.el6.ppc64.rpm
- p11-kit-trust-0.18.5-2.el6.x86_64.rpm
- p11-kit-debuginfo-0.18.5-2.el6.s390x.rpm
- p11-kit-devel-0.18.5-2.el6.i686.rpm
- p11-kit-trust-0.18.5-2.el6.i686.rpm
- p11-kit-devel-0.18.5-2.el6.s390x.rpm
- p11-kit-0.18.5-2.el6.s390.rpm
- p11-kit-0.18.5-2.el6.ppc.rpm
Fixes
- BZ - 985017
- BZ - 985023
- BZ - 985416
- BZ - 985421
- BZ - 985433
CVEs
(none)
References
(none)
Additional information
- The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data is available for integration with other systems. See Offline Security Data API to get started.