Date:         Mon, 3 Aug 2015 19:16:26 +0000
Reply-To:     scientific-linux-users@listserv.fnal.gov
Sender:       Security Errata for Scientific Linux
              
From:         Connie Sieh 
Subject:      Security ERRATA Moderate: pki-core on SL6.x i386/x86_64
MIME-Version: 1.0
Message-ID:  <20150803191626.32715.74393@slpackages.fnal.gov>

Synopsis:          Moderate: pki-core security and bug fix update
Advisory ID:       SLSA-2015:1347-1
Issue Date:        2015-07-22
CVE Numbers:       CVE-2012-2662
--

Multiple cross-site scripting flaws were discovered in the Red Hat
Certificate System Agent and End Entity pages. An attacker could use these
flaws to perform a cross-site scripting (XSS) attack against victims using
the Certificate System's web interface. (CVE-2012-2662)

This update also fixes the following bugs:

* Previously, pki-core required the SSL version 3 (SSLv3) protocol ranges
to communicate with the 389-ds-base packages. However, recent changes to
389-ds-base disabled the default use of SSLv3 and enforced using protocol
ranges supported by secure protocols, such as the TLS protocol. As a
consequence, the CA failed to install during an Identity Management (IdM)
server installation. This update adds TLS-related parameters to the
server.xml file of the CA to fix this problem, and running the ipa-server-
install command now installs the CA as expected.

* Previously, the ipa-server-install script failed when attempting to
configure a stand-alone CA on systems with OpenJDK version 1.8.0
installed. The pki-core build and runtime dependencies have been modified
to use OpenJDK version 1.7.0 during the stand-alone CA configuration. As a
result, ipa-server-install no longer fails in this situation.

* Creating a Scientific Linux 7 replica from a Scientific Linux 6 replica
running the CA service sometimes failed in IdM deployments where the
initial Scientific Linux 6 CA master had been removed. This could cause
problems in some situations, such as when migrating from Scientific Linux
6 to Scientific Linux 7. The bug occurred due to a problem in a previous
version of IdM where the subsystem user, created during the initial CA
server installation, was removed together with the initial master. This
update adds the restore-subsystem-user.py script that restores the
subsystem user in the described situation, thus enabling administrators to
create a Scientific Linux 7 replica in this scenario.

* Several Java import statements specify wildcard arguments. However, due
to the use of wildcard arguments in the import statements of the source
code contained in the Scientific Linux 6 maintenance branch, a name space
collision created the potential for an incorrect class to be utilized. As
a consequence, the Token Processing System (TPS) rebuild test failed with
an error message. This update addresses the bug by supplying the fully
named class in all of the affected areas, and the TPS rebuild test no
longer fails.

* Previously, pki-core failed to build with the rebased version of the
CMake build system during the TPS rebuild test. The pki-core build files
have been updated to comply with the rebased version of CMake. As a
result, pki-core builds successfully in the described scenario.
--

SL6
  x86_64
    pki-core-debuginfo-9.0.3-43.el6.x86_64.rpm
    pki-native-tools-9.0.3-43.el6.x86_64.rpm
    pki-symkey-9.0.3-43.el6.x86_64.rpm
  i386
    pki-core-debuginfo-9.0.3-43.el6.i686.rpm
    pki-native-tools-9.0.3-43.el6.i686.rpm
    pki-symkey-9.0.3-43.el6.i686.rpm
  noarch
    pki-ca-9.0.3-43.el6.noarch.rpm
    pki-common-9.0.3-43.el6.noarch.rpm
    pki-common-javadoc-9.0.3-43.el6.noarch.rpm
    pki-java-tools-9.0.3-43.el6.noarch.rpm
    pki-java-tools-javadoc-9.0.3-43.el6.noarch.rpm
    pki-selinux-9.0.3-43.el6.noarch.rpm
    pki-setup-9.0.3-43.el6.noarch.rpm
    pki-silent-9.0.3-43.el6.noarch.rpm
    pki-util-9.0.3-43.el6.noarch.rpm
    pki-util-javadoc-9.0.3-43.el6.noarch.rpm

- Scientific Linux Development Team