opencryptoki bug fix and enhancement update
| Advisory: | RHBA-2011:1572-2 |
|---|---|
| Type: | Bug Fix Advisory |
| Severity: | N/A |
| Issued on: | 2011-12-06 |
| Last updated on: | 2011-12-06 |
| Affected Products: | Red Hat Enterprise Linux Desktop (v. 6), Red Hat Enterprise Linux Server (v. 6), Red Hat Enterprise Linux Workstation (v. 6) |
Details
Updated opencryptoki packages that fix several bugs and add various enhancements
are now available for Red Hat Enterprise Linux 6.
The openCryptoki package contains version 2.11 of the PKCS#11 API, implemented
for IBM Cryptocards. This package includes support for the IBM 4758
Cryptographic CoProcessor (with the PKCS#11 firmware loaded), the IBM eServer
Cryptographic Accelerator (FC 4960 on IBM eServer System p), the IBM Crypto
Express2 (FC 0863 or FC 0870 on IBM System z), and the IBM CP Assist for
Cryptographic Function (FC 3863 on IBM System z).
These updated opencryptoki packages provide fixes for the following bugs:
* When setting the length of an RSA key for the IBM Cryptographic Accelerator
(ICA) token, initialization of the CKA_MODULUS_BITS internal attribute of
PKCS#11 was not properly tested, and the RSA key length could have been set
incorrectly. As a consequence, RSA key verification in the ICA token failed. To
ensure that the RSA key is set correctly, two conditions have been added in the
respective function in the ICA-specific library. The RSA key operations now work
properly on the ICA token. (BZ#734489)
* Prior to this update, the documentation provided with the opencryptoki packages
stated that users of opencryptoki needed to be members of the "pkcs11" group,
but did not mention the real privileges granted by adding a user to the group.
Consequently, it was not clear that members of the "pkcs11" group are
assumed to be fully trusted. With this update, the opencryptoki(7) man page
contains a security note. (BZ#730903)
* Prior to this update, the attach_shared_memory() function performed an
unnecessary check that required explicit group membership regardless of the
current effective privileges. Consequently, upon installation of the
opencryptoki packages and creation of the "pkcs11" group, the root user was
added to the group. However, the root user should not need to be a member of
the group to access shared memory. With this update, the shared memory checks
have been corrected and the root user no longer requires membership of the
"pkcs11" group. (BZ#732756)
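A model of the access decision described in BZ#732756, added here as an illustration and not taken from openCryptoki's source: the `caller` struct, the `may_attach_before`/`may_attach_after` names, and gid 499 for "pkcs11" are assumptions. It shows the old check rejecting effective root without group membership and the corrected check accepting it, while unprivileged non-members stay rejected.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

#define PKCS11_GID ((gid_t)499)   /* constructed gid for the "pkcs11" group */

/* Caller identity as the check sees it (illustrative model, not openCryptoki's types). */
struct caller {
    const char *name;
    uid_t euid;            /* effective user id */
    gid_t egid;            /* effective group id */
    const gid_t *supp;     /* supplementary group ids */
    size_t nsupp;
};

/* True if the caller holds gid as its effective or a supplementary group. */
static bool in_group(const struct caller *c, gid_t gid)
{
    if (c->egid == gid) return true;
    for (size_t i = 0; i < c->nsupp; i++)
        if (c->supp[i] == gid) return true;
    return false;
}

/* Old behaviour as described: membership demanded of everyone, euid 0 included. */
bool may_attach_before(const struct caller *c) { return in_group(c, PKCS11_GID); }

/* Fixed behaviour as described: effective root passes, others still need the group. */
bool may_attach_after(const struct caller *c)
{
    return c->euid == 0 || in_group(c, PKCS11_GID);
}

/* Constructed sample callers. */
static const gid_t member_groups[] = { 100, 499 };
static const gid_t other_groups[]  = { 100 };
static const struct caller samples[] = {
    { "root, not in pkcs11",  0,    0,   NULL,          0 },
    { "user in pkcs11",       1000, 100, member_groups, 2 },
    { "user outside pkcs11",  1001, 100, other_groups,  1 },
};

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s before=%d after=%d\n", samples[i].name,
               may_attach_before(&samples[i]), may_attach_after(&samples[i]));
    return 0;
}
```

The third sample is the invariant to preserve when reviewing such a change: the correction widens access only for effective root, never for unprivileged users outside the group.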
In addition, these updated packages provide the following enhancement:
* The openCryptoki package has been upgraded to upstream version 2.4, which
provides a number of bug fixes and enhancements over the previous version.
(BZ#693779)
Users are advised to upgrade to these updated packages, which fix these bugs and
add these enhancements.
Solution
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
Updated packages
Bugs fixed (see bugzilla for more information)
730903 - opencryptoki: document implications of the pkcs11 group membership
732756 - opencryptoki: don't add root to pkcs11 group
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package
The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/