Security Advisory Moderate: pki security update

Advisory: RHSA-2012:1550-1
Type: Security Advisory
Severity: Moderate
Issued on: 2012-12-06
Last updated on: 2012-12-06
Affected Products: Red Hat Certificate System v8
CVEs (cve.mitre.org): CVE-2012-4543, CVE-2012-4555, CVE-2012-4556

Details

Updated pki-common and pki-tps packages that fix multiple security issues
are now available for Red Hat Certificate System 8.1.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Red Hat Certificate System (RHCS) is an enterprise software system designed
to manage enterprise Public Key Infrastructure (PKI) deployments.

Multiple cross-site scripting flaws were discovered in the Red Hat
Certificate System. An attacker could use these flaws to perform a
cross-site scripting (XSS) attack against victims using Certificate
System's web interface. (CVE-2012-4543)

Multiple denial of service flaws were found in the Red Hat Certificate
System token processing. A Certificate System user could use these flaws
to crash the Apache httpd web server child process, possibly interrupting
the processing of other users' requests. (CVE-2012-4555, CVE-2012-4556)

Red Hat would like to thank Patrick Raspante and Ryan Millay of GDC4S for
reporting the CVE-2012-4555 and CVE-2012-4556 issues.

All users of Red Hat Certificate System are advised to upgrade to these
updated packages, which correct these issues. After installing this update,
all Red Hat Certificate System subsystems must be restarted
("/etc/init.d/[instance-name] restart") for the update to take effect.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

Red Hat Certificate System v8

SRPMS:
pki-common-8.1.3-2.el5pki.src.rpm
    File outdated by: RHEA-2013:1871
    MD5: c880ebeb18be786970df25972456df16
    SHA-256: 8154f203c136b502946f704dca160358d469adedc754407a25e887ad3e9ee876
pki-tps-8.1.3-2.el5pki.src.rpm
    File outdated by: RHEA-2013:1871
    MD5: 248d305440ff2cc726cac770c63a21b0
    SHA-256: fa125cfa18dfb3ee96eb4c0c0e0f6e2cc717d8eef02c64622a36edfbcef273aa

IA-32:
pki-common-8.1.3-2.el5pki.noarch.rpm
    File outdated by: RHEA-2013:1871
    MD5: 71c3fbb28d0ce2fb49496af50099e72a
    SHA-256: e8e8451b86addf4ff109eb582b8cbe8f935713603c623d90f9d6b7fa78567b28
pki-common-javadoc-8.1.3-2.el5pki.noarch.rpm
    File outdated by: RHEA-2013:1871
    MD5: c404317319e3050d2843f24d83750303
    SHA-256: f4158ca669780847bd8ef4c26e2ccc22a7e189c947157b6dc1c0cce29bcc93f3
pki-tps-8.1.3-2.el5pki.i386.rpm
    File outdated by: RHEA-2013:1871
    MD5: 6d12971a621aa91894d31c5322691606
    SHA-256: d246b51b9b684ea635d363cd1828e8b4265595a21741bf08e1b768969aeb41ed

x86_64:
pki-common-8.1.3-2.el5pki.noarch.rpm
    File outdated by: RHEA-2013:1871
    MD5: 71c3fbb28d0ce2fb49496af50099e72a
    SHA-256: e8e8451b86addf4ff109eb582b8cbe8f935713603c623d90f9d6b7fa78567b28
pki-common-javadoc-8.1.3-2.el5pki.noarch.rpm
    File outdated by: RHEA-2013:1871
    MD5: c404317319e3050d2843f24d83750303
    SHA-256: f4158ca669780847bd8ef4c26e2ccc22a7e189c947157b6dc1c0cce29bcc93f3
pki-tps-8.1.3-2.el5pki.x86_64.rpm
    File outdated by: RHEA-2013:1871
    MD5: 2a125ea580acea961ddcf5e5716594d6
    SHA-256: 2f9ccbbc153fc9f2cea92c91ee22328bb7a76eb8354cf57e3919c663754a1466

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

864397 - CVE-2012-4543 Certificate System: Multiple cross-site scripting flaws by displaying CRL or processing profile
869570 - CVE-2012-4555 pki-tps: Temporary denial of service on interrupted token format operations
869579 - CVE-2012-4556 pki-tps: Connection reset when performing empty certificate search in TPS

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/