System information
Release Date: January 14, 2009
Errata Release: RHSA-2009:0006

Bug Numbers: 249923, 451998 (CVE-2008-2367), 452071
Description: Red Hat Certificate System used insecure default file permissions on certain configuration files, such as password.conf, that may contain administrative passwords or other credentials. A local user could use that information to gain access to sensitive information stored in Certificate System subsystems.

Bug Numbers: 224732, 451200 (CVE-2008-2368)
Description: Red Hat Certificate System stored plain text passwords in multiple log files, such as some certificate profile logs and installation logs, which had insufficient access restrictions to prevent unauthorized users from viewing them. A local user could read the plain text password and use it to gain access to Certificate System information.

Bug Number: 224904
Description: Due to a regression, signing a certificate revocation list (CRL) with approximately 150,000 records could take up to five minutes. With these updated packages, signing such a CRL takes approximately twenty seconds.

Bug Numbers: 238514, 306091
Description: An OCSP client submitting an OCSP request via the GET method could cause a NullPointerException. This erratum adds support for processing OCSP requests submitted through the GET method.

Bug Numbers: 239876, 308161
Description: Because Certificate System subsystems could not handle Online Certificate Status Protocol (OCSP) requests sent with the GET method, OCSP GET requests resulted in a 404 error. This was also related to a problem which caused the subsystem to use 100% CPU when processing OCSP requests.

Bug Number: 243939
Description: OCSP requests are now logged to the debug log file.

Bug Numbers: 243804, 451726
Description: When a new certificate revocation list (CRL) was being generated, new revocation requests were processed but not properly added to the CRL. This meant that certificates with higher serial numbers (i.e., more recently issued certificates) were not listed in the CRL and were not shown as revoked until the next CRL was generated. A user who held a revoked but otherwise valid certificate could take advantage of this issue to bypass the revocation list.

Bug Number: 243807
Description: Inefficient LDAP search methods caused LDAP searches for 100,000 or more revoked certificates to take twenty minutes or longer during CRL generation. The LDAP search method has been modified to greatly improve
Updates and Errata Releases for Red Hat Certificate System 7.2
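The two CVE entries in the table above (CVE-2008-2367 and CVE-2008-2368) describe one class of weakness: secrets at rest in password.conf, or written into logs, that users other than the service owner can read. The following Python script is an added example, not code from Red Hat Certificate System or from this document. It audits a directory tree for credential files whose mode grants group or other read access and scans a log for lines that carry a password in clear, masking the secret in its own report. The instance layout, the file name pwfile.txt, the log line format and the password patterns are assumptions, and the sample instance it creates is constructed so that the script runs offline.

```python
"""Added example (not Red Hat Certificate System code): audit an instance tree
for credential files readable by group or other, and for log lines that carry
a password in clear. Layout, file names beyond password.conf, log format and
password patterns are assumptions; the sample instance is constructed."""

import os
import re
import stat
import tempfile

# password.conf is named in the advisory text; pwfile.txt is an assumed extra.
CREDENTIAL_FILES = {"password.conf", "pwfile.txt"}

# Constructed patterns for a password written into a log line.
PASSWORD_PATTERNS = [
    re.compile(r"\bpassword\s*[=:]\s*(\S+)", re.IGNORECASE),
    re.compile(r"\bpwd\s*[=:]\s*(\S+)", re.IGNORECASE),
]


def is_overly_permissive(mode: int) -> bool:
    """True when group or other may read the file (0644, 0640, ...); 0600 passes."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def find_permissive_credential_files(root: str) -> list:
    """Return (path, octal mode) for credential files readable beyond their owner."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if name in CREDENTIAL_FILES:
                path = os.path.join(dirpath, name)
                mode = stat.S_IMODE(os.lstat(path).st_mode)
                if is_overly_permissive(mode):
                    findings.append((path, oct(mode)))
    return findings


def find_plaintext_passwords(lines) -> list:
    """Return (line number, masked line) for each line carrying a password in clear.

    The secret itself is masked so the audit report does not leak it again."""
    hits = []
    for number, line in enumerate(lines, 1):
        for pattern in PASSWORD_PATTERNS:
            match = pattern.search(line)
            if match:
                masked = line[:match.start(1)] + "****" + line[match.end(1):]
                hits.append((number, masked.rstrip()))
                break
    return hits


def demo() -> dict:
    """Build a constructed instance directory and run both checks against it."""
    with tempfile.TemporaryDirectory(prefix="rhcs-audit-") as root:
        conf, logs = os.path.join(root, "conf"), os.path.join(root, "logs")
        os.makedirs(conf)
        os.makedirs(logs)
        weak = os.path.join(conf, "password.conf")      # the insecure default: 0644
        with open(weak, "w") as f:
            f.write("internal=NotARealPassword\n")
        os.chmod(weak, 0o644)
        hardened = os.path.join(conf, "pwfile.txt")     # owner-only: 0600
        with open(hardened, "w") as f:
            f.write("internaldb=AlsoNotReal\n")
        os.chmod(hardened, 0o600)
        log_lines = [                                   # constructed log content
            "[14/Jan/2009:10:00:01] [profile] enrollment request received",
            "[14/Jan/2009:10:00:02] [install] bindDN=cn=Directory Manager password=Secret123",
            "[14/Jan/2009:10:00:03] [profile] certificate issued serial=0x1a",
        ]
        debug_log = os.path.join(logs, "debug")
        with open(debug_log, "w") as f:
            f.write("\n".join(log_lines) + "\n")
        with open(debug_log) as f:
            leaks = find_plaintext_passwords(f)
        return {"permissive": find_permissive_credential_files(root), "leaks": leaks}


if __name__ == "__main__":
    result = demo()
    for path, mode in result["permissive"]:
        print(f"credential file readable by group/other ({mode}): {path}")
    for number, line in result["leaks"]:
        print(f"plain text password in log line {number}: {line}")
```

To run this against a real instance, point find_permissive_credential_files at the instance's configuration directory and find_plaintext_passwords at its profile, installation and debug logs. The hardened counterpart shown for the second file (owner-only mode 0600) is the state the first entry calls for; for the second entry, restricting the log permissions is only half of the remedy, since the password should not be written to the log at all.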
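The two OCSP entries in the table above (bugs 238514/306091 and 239876/308161) concern the GET transport defined in RFC 2560 Appendix A.1.1: the DER-encoded OCSPRequest is base64-encoded, then URL-encoded, and appended to the responder URL as a path segment, so a responder must decode that path segment before it can parse the request, and one that does not expect the GET form either fails to route the request or fails while handling it, the two symptoms the entries describe. The following Python code is an added example, not Certificate System code. It builds a minimal unsigned OCSPRequest by hand, encodes it for GET, and decodes and parses it as a responder would, returning an explicit malformedRequest error for an empty or undecodable path instead of raising. The issuer name hash, issuer key hash and serial number are constructed.

```python
"""Added example (not Red Hat Certificate System code): build an OCSP request,
encode it for the GET transport of RFC 2560 Appendix A.1.1, and decode and
parse it on the responder side. Issuer hashes and serial are constructed."""

import base64
import hashlib
import urllib.parse

SHA1_ALG_ID = bytes.fromhex("300706052b0e03021a0500")  # AlgorithmIdentifier {id-sha1, NULL}


def der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(value: int) -> bytes:
    """Non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_ocsp_request(issuer_name_hash: bytes, issuer_key_hash: bytes, serial: int) -> bytes:
    """Unsigned OCSPRequest for a single certificate (RFC 2560 section 4.1.1)."""
    cert_id = der_tlv(0x30, SHA1_ALG_ID + der_tlv(0x04, issuer_name_hash)
                      + der_tlv(0x04, issuer_key_hash) + der_integer(serial))
    request_list = der_tlv(0x30, der_tlv(0x30, cert_id))   # SEQUENCE OF Request{reqCert}
    tbs_request = der_tlv(0x30, request_list)               # version v1 is DEFAULT, omitted
    return der_tlv(0x30, tbs_request)                       # OCSPRequest, no signature


def ocsp_get_path(der_request: bytes) -> str:
    """Client side: url-encoding of base-64 encoding of the DER, used as a path segment."""
    return urllib.parse.quote(base64.b64encode(der_request).decode("ascii"), safe="")


def decode_ocsp_get_path(segment: str):
    """Responder side: returns (der_bytes, None) or (None, error) without raising."""
    if not segment:
        return None, "malformedRequest: empty GET path"
    try:
        raw = base64.b64decode(urllib.parse.unquote(segment), validate=True)
    except ValueError as exc:
        return None, f"malformedRequest: {exc}"
    return (raw, None) if raw else (None, "malformedRequest: empty request")


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_serial_numbers(der_request: bytes) -> list:
    """OCSPRequest -> TBSRequest -> requestList -> Request -> CertID.serialNumber."""
    _, ocsp_body, _ = _read_tlv(der_request, 0)
    _, tbs, _ = _read_tlv(ocsp_body, 0)
    tag, content, nxt = _read_tlv(tbs, 0)
    while tag in (0xA0, 0xA1):           # skip optional [0] version, [1] requestorName
        tag, content, nxt = _read_tlv(tbs, nxt)
    serials, pos = [], 0
    while pos < len(content):            # content is the SEQUENCE OF Request
        _, request, pos = _read_tlv(content, pos)
        _, cert_id, _ = _read_tlv(request, 0)
        p = 0
        for _ in range(3):               # hashAlgorithm, issuerNameHash, issuerKeyHash
            _, _, p = _read_tlv(cert_id, p)
        _, serial_bytes, _ = _read_tlv(cert_id, p)
        serials.append(int.from_bytes(serial_bytes, "big", signed=True))
    return serials


def demo() -> dict:
    """Round trip one request; the hashes stand in for SHA-1 of the issuer Name and key."""
    name_hash = hashlib.sha1(b"constructed issuer name").digest()
    key_hash = hashlib.sha1(b"constructed issuer public key").digest()
    path = ocsp_get_path(build_ocsp_request(name_hash, key_hash, 0x1A2B))
    raw, err = decode_ocsp_get_path(path)
    return {"path": path, "error": err, "serials": parse_serial_numbers(raw) if raw else []}


if __name__ == "__main__":
    result = demo()
    print("GET /ocsp/" + result["path"])
    print("serials:", [hex(s) for s in result["serials"]], "error:", result["error"])
    print(decode_ocsp_get_path("")[1])
```

Against a real responder, the request would carry the SHA-1 of the issuer's DER-encoded Name and of its subjectPublicKey bit string rather than the constructed digests used here; the transport encoding and the responder-side decode path are the same. Note that quote() is called with safe="" so that "/" and "+" in the base64 output are percent-encoded and cannot be mistaken for path separators by the responder's URL routing.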