Red Hat CERTIFICATE SYSTEM 7.2 - RELEASE NOTES Release Note page 17

Updates and Errata Releases for Red Hat Certificate System 7.2

Release Date: January 14, 2009
Errata Release: RHSA-2009:0006

Bug Numbers: 249923, 451998 (CVE-2008-2367), 452071
Description: Red Hat Certificate System used insecure default file permissions on certain configuration files, such as password.conf, that may contain administrative passwords or other credentials. A local user could use that information to gain access to sensitive information stored in Certificate System subsystems.

Bug Numbers: 224732, 451200 (CVE-2008-2368)
Description: Red Hat Certificate System stored plain text passwords in multiple log files, such as some certificate profile logs and installation logs, which had insufficient access restrictions to prevent unauthorized users from viewing them. A local user could access the plain text password to gain access to Certificate System information.

Bug Number: 224904
Description: Due to a regression, signing a certificate revocation list (CRL) with approximately 150,000 records may have taken up to five minutes. In these updated packages, signing such CRLs takes approximately twenty seconds.

Bug Numbers: 238514, 306091
Description: An OCSP client submitting an OCSP request via the GET method may have caused a NullPointerException. This errata adds support for processing OCSP requests submitted through a GET method.

Bug Numbers: 239876, 308161
Description: Because Certificate System subsystems could not handle Online Certificate Status Protocol (OCSP) requests in the GET method, OCSP GET requests resulted in a 404 error. This was also related to a problem which caused the subsystem to use 100% CPU when processing OCSP requests.

Bug Number: 243939
Description: OCSP requests are now logged to the debug log file.

Bug Numbers: 243804, 451726
Description: When a new certificate revocation list (CRL) was being generated, new revocation requests were processed but not properly added to the CRL. This meant that certificates with higher serial numbers (i.e., more recent certificates) were not listed in the CRL and were not shown as revoked until the next CRL was generated. A user who had a revoked but otherwise valid certificate could take advantage of this issue to bypass the revocation list.

Bug Number: 243807
Description: Inefficient LDAP search methods caused LDAP searches for 100,000 or more revoked certificates to take twenty minutes or longer during CRL generation. The LDAP search method has been modified to greatly improve
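The first two entries above (CVE-2008-2367 and CVE-2008-2368) both come down to files holding credentials being readable by users other than the owner. The following added example, which is not part of these release notes or of Red Hat's own tooling, shows the kind of post-update check an administrator can run: it audits a list of sensitive files for any group or other permission bits and tightens them to owner-only. The directory layout and file names it creates are constructed for the demonstration and are not the product's real instance paths.

```python
import os
import stat
import tempfile


def insecure_mode(mode: int) -> bool:
    """True if the mode grants any read/write/execute bit to group or other.

    This is the condition behind the password.conf finding: a credential
    file must be reachable only by its owner (typically the service account).
    """
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def audit_permissions(paths):
    """Return {path: octal-mode-string} for every file with group/other access."""
    findings = {}
    for path in paths:
        st = os.stat(path)
        if insecure_mode(st.st_mode):
            findings[path] = oct(stat.S_IMODE(st.st_mode))
    return findings


def harden(path):
    """Restrict a credential file to owner read/write and return the new mode."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # 0o600
    return oct(stat.S_IMODE(os.stat(path).st_mode))


def demo():
    """Build a constructed instance directory, audit it, fix it, re-audit.

    Returns (findings_before, findings_after). The file names mirror the
    kind of files the errata describes; the contents are placeholder values.
    """
    with tempfile.TemporaryDirectory() as inst:
        pwconf = os.path.join(inst, "password.conf")   # constructed sample
        cscfg = os.path.join(inst, "CS.cfg")           # constructed sample
        for path in (pwconf, cscfg):
            with open(path, "w") as fh:
                fh.write("internal=CONSTRUCTED-PLACEHOLDER\n")
        os.chmod(pwconf, 0o644)  # the insecure default the errata fixed
        os.chmod(cscfg, 0o600)   # already owner-only

        before = audit_permissions([pwconf, cscfg])
        for path in before:
            harden(path)
        after = audit_permissions([pwconf, cscfg])

        strip = lambda d: {os.path.basename(k): v for k, v in d.items()}
        return strip(before), strip(after)


if __name__ == "__main__":
    before, after = demo()
    print("insecure before:", before)
    print("insecure after: ", after)
```

Run the same `audit_permissions` over the log directories named in the second entry to catch the companion problem: a log that records plain text passwords is only as protected as its mode bits, so the check is identical even though the file type differs.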