Moderate: rhpki security and bug fix update

Updated rhpki-common packages that fix security issues are now available
for Red Hat Certificate System 7.3.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Red Hat Certificate System (RHCS) is an enterprise software system designed
to manage enterprise Public Key Infrastructure (PKI) deployments.

It was discovered that Red Hat Certificate System used insecure default
file permissions on certain configuration files (for example,
password.conf) that may contain authentication credentials. These
credentials should only be accessible to administrative and service users.
A local user could use this flaw to read Red Hat Certificate System
configuration files containing sensitive information. (CVE-2008-2367)

It was discovered that Red Hat Certificate System stored plain text
passwords in multiple debug log files with insufficient access restrictions
(for example, the UserDirEnrollment log and the RA wizard installer log). A
local user could use this flaw to extract plain text passwords from the Red
Hat Certificate System debug log files. (CVE-2008-2368)

It was discovered that the Token Processing System (TPS) component of the
Red Hat Certificate System did not properly verify the challenge response
received during the enrollment of a new security token. An attacker with
access to a blank token known to the TPS component and with privileges to
perform new token enrollments could use this flaw to complete the
enrollment procedure with a software-generated key instead of the key
stored in the hardware token. (CVE-2008-5082)

These updated packages fix the following bugs:

* The end-entities enrollment pages have been updated to support the
certenroll.dll library used on Microsoft Vista, so Internet Explorer can
be used on to enroll certificates on Vista.

* The password used by the LDAP publisher was improperly stored in the CA
configuration. This essentially required that the LDAP publishing password
had to be the same as the internal database (LDAP directory) password, or
LDAP publishing would break. A new parameter was added to the CA CS.cfg
file to define an LDAP publishing password parameter in the CA's
password.conf file.

* The secure ports used by subsystem interfaces — the administrative
console, agent pages, and end-entities pages — are, by default, the same.
It is possible with this errata to run those services on separate port,
which provides additional protection by prohibiting agents and users from
accessing the same TCP port and web services directory.

* The certificate policies extension was not processed by CMSServlet.

* Any IP Address defined in a certificate's SubjectAltName parameter was
improperly coded as an 8-byte number, with the last 4 bytes trailing zeros
(00 00 00 00).

* The subject name uniqueness plug-in in the CA profiles, which enforces
unique names for all active certificates, would reject a certificate
request which reused a subject name even if the previous certificate had
been revoked or expired.

* The TPS dependences have been changed from MozLDAP5 to MozLDAP6.

All users of Red Hat Certificate System 7.3 should upgrade to these updated
packages, which resolves these issues.

Users running Red Hat Certificate System on Red Hat Enterprise Linux:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Users running Red Hat Certificate System on Sun Solaris:

Updated Solaris packages, in .pkg format, are available in the Red Hat
Certificate System Solaris channels on the Red Hat Network. This packages
should be installed or upgraded using Solaris-native package management
tools.

For detailed installation instructions, see Chapter 2, "Installation and
Configuration", of the Red Hat Certificate System 7.3 Administration Guide:
http://redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Installation_and_Configuration.html

451998 - CVE-2008-2367 Certificate System: insecure config file permissions
452000 - CVE-2008-2368 Certificate System: plain text passwords stored in debug log
459049 - rhcs71 - IP Address in Subject Alt Name is Incorrectly Coded with padding
475998 - CVE-2008-5082 Certificate System: missing public key challenge proof verification in the TPS component

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2367
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2368
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5082
http://www.redhat.com/security/updates/classification/#moderate