Security Alert: rhpki-common - the Red Hat PKI Common Framework
Red Hat has issued an urgent security update for the rhpki-common package -- the Red Hat PKI Common Framework. This update has been rated as having important security impact by the Red Hat Security Response Team.
Red Hat Certificate System (RHCS) is an enterprise software system designed to manage enterprise Public Key Infrastructure (PKI) deployments. rhpki-common -- the Red Hat PKI Common Framework -- is required by the following four RHCS subsystems: the Red Hat Certificate Authority; the Red Hat Data Recovery Manager; the Red Hat Online Certificate Status Protocol Manager; and the Red Hat Token Key Service.
A flaw was found in the way Red Hat Certificate System handled extensions in certificate signing requests (CSRs). All requested extensions were added to the issued certificate even if constraints were defined in the Certificate Authority (CA) profile. An attacker could submit a CSR for a subordinate CA certificate even if the CA configuration prohibited subordinate CA certificates. This led to a bypass of the intended security policy, possibly simplifying man-in-the-middle attacks against users that trust Certificate Authorities managed by Red Hat Certificate System.
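The advisory does not describe how the fix is implemented, so the following is an added example (not Red Hat Certificate System code) that models the principle behind it: a CA must vet every CSR-supplied extension against the issuance profile, and must set basicConstraints itself rather than copy whatever the requester asked for. The profile and CSR structures, the "serverCert" profile name and the sample request are all constructed for illustration; only the extension OIDs are real (RFC 5280). The `vulnerable_issue` function reproduces the pre-fix behaviour the advisory describes, and `is_ca_certificate` is the kind of audit check an RHCS operator could run over already-issued certificates to find any that were minted as subordinate CAs before the update was applied.

```python
"""Profile-constrained extension handling for a toy CA issuance path.

Added example, not RHCS code: models the policy check the advisory says was
missing. The Profile/Decision types and the sample profile and CSR below are
constructed for illustration; the OIDs are the real RFC 5280 values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_KEY_USAGE = "2.5.29.15"
OID_SUBJECT_ALT_NAME = "2.5.29.17"


@dataclass(frozen=True)
class BasicConstraints:
    ca: bool
    path_len: Optional[int] = None


@dataclass(frozen=True)
class Profile:
    """Hypothetical CA issuance profile (constructed for this example)."""
    name: str
    allow_ca: bool                              # may this profile issue CA certificates?
    max_path_len: Optional[int] = None          # cap on pathLenConstraint when allow_ca
    allowed_key_usages: frozenset = frozenset()
    copy_from_csr: frozenset = frozenset()      # OIDs the profile accepts from a request


@dataclass
class Decision:
    issued: Dict[str, object]              # extensions that end up in the certificate
    rejected: List[Tuple[str, str]]        # (oid, reason) for everything refused


def vulnerable_issue(csr_exts: Dict[str, object], profile: Profile) -> Decision:
    """Pre-fix behaviour per the advisory: every requested extension is copied
    into the certificate and the profile's constraints are never consulted."""
    return Decision(issued=dict(csr_exts), rejected=[])


def constrained_issue(csr_exts: Dict[str, object], profile: Profile) -> Decision:
    """Profile-enforcing issuance: each requested extension is checked, and an
    end-entity profile pins basicConstraints itself instead of trusting the CSR."""
    issued: Dict[str, object] = {}
    rejected: List[Tuple[str, str]] = []
    for oid, value in csr_exts.items():
        if oid not in profile.copy_from_csr:
            rejected.append((oid, "extension not permitted by profile %s" % profile.name))
            continue
        if oid == OID_BASIC_CONSTRAINTS:
            if value.ca and not profile.allow_ca:
                rejected.append((oid, "profile prohibits CA certificates"))
                continue
            if value.ca and profile.max_path_len is not None and (
                value.path_len is None or value.path_len > profile.max_path_len
            ):
                rejected.append((oid, "pathLenConstraint exceeds profile maximum"))
                continue
        elif oid == OID_KEY_USAGE:
            extra = frozenset(value) - profile.allowed_key_usages
            if extra:
                rejected.append((oid, "key usages not allowed: %s" % sorted(extra)))
                continue
        issued[oid] = value
    # A non-CA profile always writes CA:FALSE, so the result cannot become a CA
    # even when the request omitted or mis-stated the extension.
    if not profile.allow_ca:
        issued[OID_BASIC_CONSTRAINTS] = BasicConstraints(ca=False)
    return Decision(issued, rejected)


def is_ca_certificate(exts: Dict[str, object]) -> bool:
    """Audit helper: does this extension set make the certificate a CA?"""
    bc = exts.get(OID_BASIC_CONSTRAINTS)
    return isinstance(bc, BasicConstraints) and bc.ca


# Constructed sample: a server-certificate profile and a CSR that asks for CA:TRUE.
SERVER_PROFILE = Profile(
    name="serverCert",
    allow_ca=False,
    allowed_key_usages=frozenset({"digitalSignature", "keyEncipherment"}),
    copy_from_csr=frozenset({OID_SUBJECT_ALT_NAME, OID_KEY_USAGE, OID_BASIC_CONSTRAINTS}),
)
ROGUE_CSR_EXTS = {
    OID_SUBJECT_ALT_NAME: ("dns", "www.example.test"),
    OID_KEY_USAGE: ("digitalSignature", "keyEncipherment", "keyCertSign"),
    OID_BASIC_CONSTRAINTS: BasicConstraints(ca=True, path_len=0),
}

if __name__ == "__main__":
    before = vulnerable_issue(ROGUE_CSR_EXTS, SERVER_PROFILE)
    after = constrained_issue(ROGUE_CSR_EXTS, SERVER_PROFILE)
    print("vulnerable path issued a CA certificate:", is_ca_certificate(before.issued))
    print("constrained path issued a CA certificate:", is_ca_certificate(after.issued))
    for oid, reason in after.rejected:
        print("rejected", oid, "-", reason)
```

The design point is that the profile, not the requester, is the source of truth for security-relevant extensions: basicConstraints and keyUsage are either derived from the profile or validated against it, and anything the profile does not list is dropped rather than passed through. The same `is_ca_certificate` check applied to a CA's issuance records is a cheap way to confirm no subordinate CA certificate slipped through before the update.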
How do I update my system?
Simply type the following command:
# yum update
Sample output:
Loading "rhnplugin" plugin
Loading "security" plugin
rhel-x86_64-server-vt-5   100% |=========================| 1.2 kB    00:00
rhel-x86_64-server-5      100% |=========================| 1.2 kB    00:00
Skipping security plugin, no data
Setting up Update Process
Resolving Dependencies
Skipping security plugin, no data
--> Running transaction check
---> Package yelp.x86_64 0:2.16.0-19.el5 set to be updated
---> Package nspr.i386 0:4.7.1-1.el5 set to be updated
---> Package nspr.x86_64 0:4.7.1-1.el5 set to be updated
---> Package nss.i386 0:3.12.0.3-1.el5 set to be updated
---> Package nss-tools.x86_64 0:3.12.0.3-1.el5 set to be updated
---> Package nss.x86_64 0:3.12.0.3-1.el5 set to be updated
---> Package xulrunner.x86_64 0:1.9-1.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================
 Package                 Arch       Version          Repository            Size
=============================================================================
Updating:
 nspr                    i386       4.7.1-1.el5      rhel-x86_64-server-5  119 k
 nspr                    x86_64     4.7.1-1.el5      rhel-x86_64-server-5  117 k
 nss                     i386       3.12.0.3-1.el5   rhel-x86_64-server-5  1.1 M
 nss                     x86_64     3.12.0.3-1.el5   rhel-x86_64-server-5  1.1 M
 nss-tools               x86_64     3.12.0.3-1.el5   rhel-x86_64-server-5  2.2 M
 xulrunner               x86_64     1.9-1.el5        rhel-x86_64-server-5   10 M
 yelp                    x86_64     2.16.0-19.el5    rhel-x86_64-server-5  583 k

Transaction Summary
=============================================================================
Install      0 Package(s)
Update       7 Package(s)
Remove       0 Package(s)

Total download size: 16 M
Is this ok [y/N]: y
Downloading Packages:
(1/7): xulrunner-1.9-1.el 100% |=========================|  10 MB    00:09
(2/7): nss-3.12.0.3-1.el5 100% |=========================| 1.1 MB    00:00
(3/7): nss-tools-3.12.0.3 100% |=========================| 2.2 MB    00:02
(4/7): nss-3.12.0.3-1.el5 100% |=========================| 1.1 MB    00:00
(5/7): nspr-4.7.1-1.el5.x 100% |=========================| 117 kB    00:00
(6/7): nspr-4.7.1-1.el5.i 100% |=========================| 119 kB    00:00
(7/7): yelp-2.16.0-19.el5 100% |=========================| 583 kB    00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating  : nspr                         ####################### [ 1/14]
  Updating  : nss                          ####################### [ 2/14]
  Updating  : xulrunner                    ####################### [ 3/14]
  Updating  : nspr                         ####################### [ 4/14]
  Updating  : yelp                         ####################### [ 5/14]
  Updating  : nss-tools                    ####################### [ 6/14]
  Updating  : nss                          ####################### [ 7/14]
warning: /etc/pki/nssdb/cert8.db created as /etc/pki/nssdb/cert8.db.rpmnew
warning: /etc/pki/nssdb/key3.db created as /etc/pki/nssdb/key3.db.rpmnew
  Cleanup   : yelp                         ####################### [ 8/14]
  Cleanup   : nspr                         ####################### [ 9/14]
  Cleanup   : nspr                         ####################### [10/14]
  Cleanup   : nss                          ####################### [11/14]
  Cleanup   : nss-tools                    ####################### [12/14]
  Cleanup   : nss                          ####################### [13/14]
  Cleanup   : xulrunner                    ####################### [14/14]

Updated: nspr.i386 0:4.7.1-1.el5 nspr.x86_64 0:4.7.1-1.el5 nss.i386 0:3.12.0.3-1.el5 nss.x86_64 0:3.12.0.3-1.el5 nss-tools.x86_64 0:3.12.0.3-1.el5 xulrunner.x86_64 0:1.9-1.el5 yelp.x86_64 0:2.16.0-19.el5
Complete!
Tags: attacker, ca certificate, ca certificates, certificate authorities, certificate authority, certificate status, CVE-2008-1676, enterprise software system, important security, infrastructure pki, key service, protocol manager, public key infrastructure, red hat security, security response team, urgent security, yum