Oracle Linux 6 : pki-core (ELSA-2015-1347)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Synopsis :

The remote Oracle Linux host is missing one or more security updates.

Description :

From Red Hat Security Advisory 2015:1347 :

Updated pki-core packages that fix one security issue and several bugs
are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate
security impact. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available from the
CVE link in the References section.

Red Hat Certificate System is an enterprise software system designed
to manage enterprise public key infrastructure (PKI) deployments. PKI
Core contains fundamental packages required by Red Hat Certificate
System, which comprise the Certificate Authority (CA) subsystem.

Multiple cross-site scripting flaws were discovered in the Red Hat
Certificate System Agent and End Entity pages. An attacker could use
these flaws to perform a cross-site scripting (XSS) attack against
victims using the Certificate System's web interface. (CVE-2012-2662)

This update also fixes the following bugs :

* Previously, pki-core required the SSL version 3 (SSLv3) protocol
ranges to communicate with the 389-ds-base packages. However, recent
changes to 389-ds-base disabled the default use of SSLv3 and enforced
using protocol ranges supported by secure protocols, such as the TLS
protocol. As a consequence, the CA failed to install during an
Identity Management (IdM) server installation. This update adds
TLS-related parameters to the server.xml file of the CA to fix this
problem, and running the ipa-server-install command now installs the
CA as expected. (BZ#1171848)

* Previously, the ipa-server-install script failed when attempting to
configure a stand-alone CA on systems with OpenJDK version 1.8.0
installed. The pki-core build and runtime dependencies have been
modified to use OpenJDK version 1.7.0 during the stand-alone CA
configuration. As a result, ipa-server-install no longer fails in this
situation. (BZ#1212557)

* Creating a Red Hat Enterprise Linux 7 replica from a Red Hat
Enterprise Linux 6 replica running the CA service sometimes failed in
IdM deployments where the initial Red Hat Enterprise Linux 6 CA master
had been removed. This could cause problems in some situations, such
as when migrating from Red Hat Enterprise Linux 6 to Red Hat
Enterprise Linux 7. The bug occurred due to a problem in a previous
version of IdM where the subsystem user, created during the initial CA
server installation, was removed together with the initial master.
This update adds the script that restores
the subsystem user in the described situation, thus enabling
administrators to create a Red Hat Enterprise Linux 7 replica in this
scenario. (BZ#1225589)

* Several Java import statements specify wildcard arguments. However,
due to the use of wildcard arguments in the import statements of the
source code contained in the Red Hat Enterprise Linux 6 maintenance
branch, a name space collision created the potential for an incorrect
class to be utilized. As a consequence, the Token Processing System
(TPS) rebuild test failed with an error message. This update addresses
the bug by supplying the fully named class in all of the affected
areas, and the TPS rebuild test no longer fails. (BZ#1144188)

* Previously, pki-core failed to build with the rebased version of the
CMake build system during the TPS rebuild test. The pki-core build
files have been updated to comply with the rebased version of CMake.
As a result, pki-core builds successfully in the described scenario.

Users of pki-core are advised to upgrade to these updated packages,
which contain backported patches to correct these issues.

See also :

Solution :

Update the affected pki-core packages.

Risk factor :

Medium / CVSS Base Score : 4.3
CVSS Temporal Score : 3.2
Public Exploit Available : false

Family: Oracle Linux Local Security Checks

Nessus Plugin ID: 85101 ()

Bugtraq ID: 54608

CVE ID: CVE-2012-2662

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now