Red Hat CERTIFICATE SYSTEM 7.2 - RELEASE NOTES Release Note page 18

Release Notes
| Release Date | Errata Release | Bug Number | Description |
|---|---|---|---|
| | | | LDAP search times. |
| | | 249229 | The default OCSP verification path has changed since Red Hat Certificate System 7.1. These updated packages add support for certificates that use the old AuthorityInfoAccess URL. |
| | | 254232, 330261 | If an agent automatically approved a certificate signing request (CSR) using AgentCertAuth, the issued certificate contained blank subjectAltName extension fields. A manual enrollment by the same agent produced a certificate with the correct number of subjectAltName fields, with no blank fields. This errata fixed automated enrollments using the AgentCertAuth profile so that the issued certificates do not have any blank fields. |
| | | 462143 | The initial authentication to a security domain failed during subsystem configuration. |
| | | 462145 | After its initial configuration, the TPS subsystem failed to restart. |
| July 2, 2008 | RHSA 2008:0577 | 440356, 442963, 445227, 445231, CVE-2008-1676 | A flaw was found in the way Certificate System handled extensions in the certificate signing requests (CSR). All requested extensions were added to the issued certificate even if constraints were defined in the certificate authority (CA) profile. An attacker could submit a CSR for a subordinate CA certificate, even if the CA configuration prohibited subordinate CA certificates. This led to a bypass of the intended security policy, possibly simplifying man-in-the-middle attacks against users that trust Certificate System CAs. |
| January 9, 2008 | RHBA 2000:0035 | 330261 | If an agent automatically approved a certificate signing request (CSR) using AgentCertAuth, the issued certificate contained blank subjectAltName extension fields. A manual enrollment by the same agent produced a certificate with the correct number of subjectAltName fields, with no blank fields. This errata fixed automated enrollments using the AgentCertAuth profile so that the issued certificates do not have any blank fields. |
| October 8, 2007 | RHSA 2007:0934 | 224904, 243176, 243804, 243807, 304571 (CVE 2007:4994) | When a new certificate revocation list (CRL) was being generated, new revocation requests were processed but not properly added to the CRL. This meant that certificates with higher serial numbers (i.e., more recent certificates) were not listed in the CRL and were not shown as revoked until the next CRL was generated. |
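
The CVE-2008-1676 entry above describes requested extensions being copied into the issued certificate regardless of profile constraints. As an added illustration (not Certificate System code), this Python example checks the DER-encoded extensions of a CSR against a hypothetical profile policy before issuance; the function names, the `allowed_oids` and `allow_ca` parameters, and the sample bytes are assumptions constructed for this example.

```python
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19
OID_SUBJECT_ALT_NAME = bytes.fromhex("551d11")   # 2.5.29.17

def tlv(tag, body):  # short-form DER encoder, used only to build the samples
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Decode the DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split constructed content into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def profile_violations(ext_der, allowed_oids, allow_ca):
    """Reasons a CSR's DER Extensions break a (hypothetical) profile policy."""
    tag, body, end = read_tlv(ext_der, 0)
    if tag != 0x30 or end != len(ext_der):
        raise ValueError("expected one Extensions SEQUENCE")
    problems = []
    for _, ext in children(body):
        parts = children(ext)  # extnID, optional critical flag, extnValue
        if len(parts) < 2 or parts[0][0] != 0x06 or parts[-1][0] != 0x04:
            raise ValueError("malformed Extension")
        oid, value = parts[0][1], parts[-1][1]
        if oid not in allowed_oids:
            problems.append("extension not in profile: " + oid.hex())
        if oid == OID_BASIC_CONSTRAINTS and not allow_ca:
            fields = children(read_tlv(value, 0)[1])
            if any(t == 0x01 and v != b"\x00" for t, v in fields):
                problems.append("CSR requests cA=TRUE")
    return problems

# Constructed samples: a server request, and one that also asks for cA=TRUE.
SAN = tlv(0x30, tlv(0x06, OID_SUBJECT_ALT_NAME) + tlv(0x04, tlv(0x30, tlv(0x82, b"a.example"))))
BC_CA = tlv(0x30, tlv(0x06, OID_BASIC_CONSTRAINTS) + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x30, tlv(0x01, b"\xff"))))
SERVER_EXTS, SUBCA_EXTS = tlv(0x30, SAN), tlv(0x30, SAN + BC_CA)
```

A request is safe to pass to issuance only when `profile_violations` returns an empty list; anything else should be rejected or routed to manual agent review.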
