This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.
The remote Red Hat host is missing one or more security updates.
Updated pki-core packages that fix multiple security issues, two bugs,
and add various enhancements are now available for Red Hat Enterprise
The Red Hat Security Response Team has rated this update as having
moderate security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from
the CVE link in the References section.
Red Hat Certificate System is an enterprise software system designed
to manage enterprise public key infrastructure (PKI) deployments. PKI
Core contains fundamental packages required by Red Hat Certificate
System, which comprise the Certificate Authority (CA) subsystem.
Note: The Certificate Authority component provided by this advisory
cannot be used as a standalone server. It is installed and operates as
a part of Identity Management (the IPA component) in Red Hat
Multiple cross-site scripting flaws were discovered in Certificate
System. An attacker could use these flaws to perform a cross-site
scripting (XSS) attack against victims using Certificate System's web
This update also fixes the following bugs :
* Previously, due to incorrect conversion of large integers while
generating a new serial number, some of the most significant bits in
the serial number were truncated. Consequently, the serial number
generated for certificates was sometimes smaller than expected and
this incorrect conversion in turn led to a collision if a certificate
with the smaller number already existed in the database. This update
removes the incorrect integer conversion so that no serial numbers are
truncated. As a result, the installation wizard proceeds as expected.
* The certificate authority used a different profile for issuing the
audit certificate than it used for renewing it. The issuing profile
was for two years, and the renewal was for six months. They should
both be for two years. This update sets the default and constraint
parameters in the caSignedLogCert.cfg audit certificate renewal
profile to two years. (BZ#844459)
This update also adds the following enhancements :
* IPA (Identity, Policy and Audit) now provides an improved way to
determine that PKI is up and ready to service requests. Checking the
service status was not sufficient. This update creates a mechanism for
clients to determine that the PKI subsystem is up using the
getStatus() function to query the cs.startup_state in CS.cfg.
* This update increases the default root CA validity period from eight
years to twenty years. (BZ#891985)
All users of pki-core are advised to upgrade to these updated
packages, which fix these issues and add these enhancements.
See also :
Update the affected packages.
Risk factor :
Medium / CVSS Base Score : 4.3
CVSS Temporal Score : 3.6
Public Exploit Available : true