Security Alert: rhpki-common – the Red Hat PKI Common Framework

by on June 3, 2008 · LAST UPDATED July 3, 2008


Red Hat has issued an urgent security update for the rhpki-common package, the Red Hat PKI Common Framework. This update has been rated as having important security impact by the Red Hat Security Response Team.

Red Hat Certificate System (RHCS) is an enterprise software system designed to manage enterprise Public Key Infrastructure (PKI) deployments. rhpki-common, the Red Hat PKI Common Framework, is required by the following four RHCS subsystems: the Red Hat Certificate Authority; the Red Hat Data Recovery Manager; the Red Hat Online Certificate Status Protocol Manager; and the Red Hat Token Key Service.

A flaw was found in the way Red Hat Certificate System handled extensions in certificate signing requests (CSRs). All requested extensions were added to the issued certificate even if constraints were defined in the Certificate Authority (CA) profile. An attacker could therefore submit a CSR for a subordinate CA certificate (a Basic Constraints extension with the CA flag set) and receive one even if the CA configuration prohibited subordinate CA certificates. This led to a bypass of the intended security policy: a subordinate CA certificate chained to a trusted root lets its holder issue certificates for arbitrary names that relying parties will accept, possibly simplifying man-in-the-middle attacks against users who trust Certificate Authorities managed by Red Hat Certificate System.
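The following is an added example, not code from this page, from Red Hat or from rhpki-common. It models the extension-handling bug described above in plain Python: a CA profile defines the extensions an issued certificate carries, and the requester supplies extensions in the CSR. The vulnerable path copies every requested extension into the certificate, so a CSR carrying Basic Constraints CA:TRUE yields a subordinate CA certificate from an end-entity profile; the fixed path lets the profile win and rejects the conflicting request. The dict-based profile and CSR representation, the profile name and the extension values are simplified assumptions for illustration, not the rhpki-common data model.

```python
"""Added example (not RHCS/rhpki-common code): profile constraints vs. CSR extensions."""
from dataclasses import dataclass

# Standard X.509 extension OIDs (RFC 5280).
BASIC_CONSTRAINTS = "2.5.29.19"
KEY_USAGE = "2.5.29.15"
SUBJECT_ALT_NAME = "2.5.29.17"


class PolicyViolation(Exception):
    """Raised when a CSR asks for an extension value the profile does not permit."""


@dataclass(frozen=True)
class Profile:
    name: str
    fixed: dict                  # extensions the profile itself defines; authoritative
    allowed_from_csr: frozenset  # OIDs the requester may supply (e.g. SAN)


# Constructed sample: an end-entity TLS server profile (hypothetical name).
# It pins Basic Constraints to CA:FALSE and does not let the CSR change it.
SERVER_PROFILE = Profile(
    name="caServerCert",
    fixed={
        BASIC_CONSTRAINTS: {"ca": False},
        KEY_USAGE: {"digitalSignature", "keyEncipherment"},
    },
    allowed_from_csr=frozenset({SUBJECT_ALT_NAME}),
)

# Constructed sample CSR extension sets (only the parts that matter, not DER).
BENIGN_CSR = {SUBJECT_ALT_NAME: ["www.example.com"]}
ATTACKER_CSR = {
    SUBJECT_ALT_NAME: ["www.example.com"],
    # The requester asks for a subordinate CA certificate.
    BASIC_CONSTRAINTS: {"ca": True, "pathlen": 0},
    KEY_USAGE: {"keyCertSign", "cRLSign"},
}


def issue_vulnerable(profile, csr_exts):
    """Behaviour described in the advisory: every requested extension is
    copied into the certificate, overriding whatever the profile defined."""
    issued = dict(profile.fixed)
    issued.update(csr_exts)
    return issued


def issue_fixed(profile, csr_exts):
    """Profile constraints take precedence over the CSR.

    - An extension the profile defines cannot be overridden; a CSR asking for
      a different value is rejected outright so the attempt is visible to the
      CA operator instead of being silently ignored.
    - Extensions outside the profile's allow-list are dropped.
    """
    issued = dict(profile.fixed)
    for oid, value in csr_exts.items():
        if oid in profile.fixed:
            if value != profile.fixed[oid]:
                raise PolicyViolation(
                    f"profile {profile.name} pins extension {oid}; "
                    f"CSR requested {value!r}")
            continue
        if oid in profile.allowed_from_csr:
            issued[oid] = value
        # Any other requested extension is not carried into the certificate.
    return issued


def is_ca_certificate(exts):
    """True if the extension set marks the certificate as a CA."""
    return bool(exts.get(BASIC_CONSTRAINTS, {}).get("ca", False))


def demo():
    """Run both behaviours against the attacker's CSR and report the outcome."""
    vulnerable = issue_vulnerable(SERVER_PROFILE, ATTACKER_CSR)
    try:
        issue_fixed(SERVER_PROFILE, ATTACKER_CSR)
        fixed_rejected = False
    except PolicyViolation:
        fixed_rejected = True
    return {
        "vulnerable_issued_ca": is_ca_certificate(vulnerable),
        "fixed_rejected_attacker_csr": fixed_rejected,
        "fixed_benign_is_ca": is_ca_certificate(
            issue_fixed(SERVER_PROFILE, BENIGN_CSR)),
    }


if __name__ == "__main__":
    print(demo())
```

Rejecting the conflicting CSR rather than silently substituting the profile value is a design choice: both close the hole, but a hard rejection leaves an audit trail of who asked for a CA certificate from an end-entity profile.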

How do I update my system?

Run yum as root to install all pending updates (or yum update rhpki-common to update only this package):
# yum update
Sample output from a RHEL 5 server follows. Note that it shows other packages being updated (nspr, nss, xulrunner, yelp), not rhpki-common. On a Certificate System host, confirm afterwards that the package actually changed with rpm -q rhpki-common, and restart the affected RHCS subsystems so that the updated framework is loaded:

Loading "rhnplugin" plugin
Loading "security" plugin
rhel-x86_64-server-vt-5   100% |=========================| 1.2 kB    00:00
rhel-x86_64-server-5      100% |=========================| 1.2 kB    00:00
Skipping security plugin, no data
Setting up Update Process
Resolving Dependencies
Skipping security plugin, no data
--> Running transaction check
---> Package yelp.x86_64 0:2.16.0-19.el5 set to be updated
---> Package nspr.i386 0:4.7.1-1.el5 set to be updated
---> Package nspr.x86_64 0:4.7.1-1.el5 set to be updated
---> Package nss.i386 0:3.12.0.3-1.el5 set to be updated
---> Package nss-tools.x86_64 0:3.12.0.3-1.el5 set to be updated
---> Package nss.x86_64 0:3.12.0.3-1.el5 set to be updated
---> Package xulrunner.x86_64 0:1.9-1.el5 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Updating:
 nspr                    i386       4.7.1-1.el5      rhel-x86_64-server-5  119 k
 nspr                    x86_64     4.7.1-1.el5      rhel-x86_64-server-5  117 k
 nss                     i386       3.12.0.3-1.el5   rhel-x86_64-server-5  1.1 M
 nss                     x86_64     3.12.0.3-1.el5   rhel-x86_64-server-5  1.1 M
 nss-tools               x86_64     3.12.0.3-1.el5   rhel-x86_64-server-5  2.2 M
 xulrunner               x86_64     1.9-1.el5        rhel-x86_64-server-5   10 M
 yelp                    x86_64     2.16.0-19.el5    rhel-x86_64-server-5  583 k
Transaction Summary
=============================================================================
Install      0 Package(s)
Update       7 Package(s)
Remove       0 Package(s)
Total download size: 16 M
Is this ok [y/N]: y
Downloading Packages:
(1/7): xulrunner-1.9-1.el 100% |=========================|  10 MB    00:09
(2/7): nss-3.12.0.3-1.el5 100% |=========================| 1.1 MB    00:00
(3/7): nss-tools-3.12.0.3 100% |=========================| 2.2 MB    00:02
(4/7): nss-3.12.0.3-1.el5 100% |=========================| 1.1 MB    00:00
(5/7): nspr-4.7.1-1.el5.x 100% |=========================| 117 kB    00:00
(6/7): nspr-4.7.1-1.el5.i 100% |=========================| 119 kB    00:00
(7/7): yelp-2.16.0-19.el5 100% |=========================| 583 kB    00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating  : nspr                         ####################### [ 1/14]
  Updating  : nss                          ####################### [ 2/14]
  Updating  : xulrunner                    ####################### [ 3/14]
  Updating  : nspr                         ####################### [ 4/14]
  Updating  : yelp                         ####################### [ 5/14]
  Updating  : nss-tools                    ####################### [ 6/14]
  Updating  : nss                          ####################### [ 7/14]
warning: /etc/pki/nssdb/cert8.db created as /etc/pki/nssdb/cert8.db.rpmnew
warning: /etc/pki/nssdb/key3.db created as /etc/pki/nssdb/key3.db.rpmnew
  Cleanup   : yelp                         ####################### [ 8/14]
  Cleanup   : nspr                         ####################### [ 9/14]
  Cleanup   : nspr                         ####################### [10/14]
  Cleanup   : nss                          ####################### [11/14]
  Cleanup   : nss-tools                    ####################### [12/14]
  Cleanup   : nss                          ####################### [13/14]
  Cleanup   : xulrunner                    ####################### [14/14]
Updated: nspr.i386 0:4.7.1-1.el5 nspr.x86_64 0:4.7.1-1.el5 nss.i386 0:3.12.0.3-1.el5 nss.x86_64 0:3.12.0.3-1.el5 nss-tools.x86_64 0:3.12.0.3-1.el5 xulrunner.x86_64 0:1.9-1.el5 yelp.x86_64 0:2.16.0-19.el5
Complete!