SciLinux: SLSA-2017-2335-1 Moderate Issue in pki-core Certificate Auth

It was found that a mock CMC authentication plugin with a hardcoded secret was accidentally enabled by default in the pki-core package. An attacker could potentially use this flaw to bypass the regular authentication process and trick the CA server into issuing certificates. (CVE-2017-7537) SL7 x86_64 pki-core-debuginfo-10.4.1-11.el7.x86_64.rpm pki-symkey-10.4.1-11.el7.x86_64.rpm [More...]

Synopsis:          Moderate: pki-core security update
Advisory ID:       SLSA-2017:2335-1
Issue Date:        2017-08-01
CVE Numbers:       CVE-2017-7537
--

Security Fix(es):

* It was found that a mock CMC authentication plugin with a hardcoded
secret was accidentally enabled by default in the pki-core package. An
attacker could potentially use this flaw to bypass the regular
authentication process and trick the CA server into issuing certificates.
(CVE-2017-7537)
--

SL7
  x86_64
    pki-core-debuginfo-10.4.1-11.el7.x86_64.rpm
    pki-symkey-10.4.1-11.el7.x86_64.rpm
    pki-tools-10.4.1-11.el7.x86_64.rpm
  noarch
    pki-base-10.4.1-11.el7.noarch.rpm
    pki-base-java-10.4.1-11.el7.noarch.rpm
    pki-ca-10.4.1-11.el7.noarch.rpm
    pki-javadoc-10.4.1-11.el7.noarch.rpm
    pki-kra-10.4.1-11.el7.noarch.rpm
    pki-server-10.4.1-11.el7.noarch.rpm

- Scientific Linux Development Team