Bug 757883

Summary: certmonger: Requires client-side changes for server-side fixes (due to CVE-2011-3636) [rhel-5.8]
Product: Red Hat Enterprise Linux 5
Component: certmonger
Version: 5.8
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Reporter: Vincent Danen <vdanen>
Assignee: Nalin Dahyabhai <nalin>
QA Contact: IDM QE LIST <seceng-idm-qe-list>
CC: bressers, ckannan, cww, dpal, jgalipea, ksiddiqu, nsoman, rcritten, security-response-team, vdanen
Target Milestone: rc
Target Release: ---
Keywords: ZStream
Fixed In Version: certmonger-0.50-2.el5
Doc Type: Bug Fix
Clone Of: 752226
Bug Blocks: 747710, 758797, 767573
Last Closed: 2012-02-21 06:17:27 UTC

Comment 4 Jenny Severance 2011-12-06 13:32:41 UTC
Nalin:
ipa-admintools is not available on RHEL 5.x. Can browser administration be used to verify this? If so, can you please provide steps?
Thanks

Comment 6 Kaleem 2011-12-15 07:27:23 UTC
Verified.

Verification steps taken from Bug #752226

HTTP Request is successful.

Host: ipa62server.pnq.redhat.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/2.1.3
Referer: https://ipa62server.pnq.redhat.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 476

Version:
[root@ipa58client1 ~]# rpm -q certmonger ipa-client xmlrpc-c curl
certmonger-0.50-3.el5
ipa-client-2.1.3-1.el5
xmlrpc-c-1.16.24-1206.1840.4.el5
curl-7.15.5-15.el5
curl-7.15.5-15.el5
[root@ipa58client1 ~]#

No regressions found.

Comment 7 Nalin Dahyabhai 2011-12-15 15:32:20 UTC
(In reply to comment #6)
> Verified.
> 
> Verification steps taken from Bug #752226
> 
> HTTP Request is successful.
> 
> Host: ipa62server.pnq.redhat.com
> Accept: */*
> Content-Type: text/xml
> User-Agent: ipa-join/2.1.3
> Referer: https://ipa62server.pnq.redhat.com/ipa/xml
> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
> Content-Length: 476

This is the join request sent by ipa-join as part of the domain join, and I wouldn't expect it to be affected by whether or not the patch had been made in certmonger.

The simple test is to verify that the older version can't obtain a certificate from the server (one which has the recent CVE fixed -- I suspect but haven't verified that you should get a fault with error code 911 when this happens) and that the newer version can (even for the same request, if you use the 'resubmit' option).

The more complicated test involves configuring certmonger to submit IPA enrollment requests to a responder URI which doesn't necessarily perform the desired function, but which logs the headers that the client supplies in its request.  We could then examine the log to check if it supplied the header 'User-Agent: certmonger/<VERSION>'.
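
The header-logging responder that comment 7 describes, written out as an added example; it is not certmonger's or IPA's own code. It serves both tests from that comment: it logs every header a client sends (so you can look for `User-Agent: certmonger/<VERSION>`), and it answers the way the patched IPA server is expected to, with an XML-RPC fault whose code is 911 when the request carries no usable Referer header. The Referer policy encoded here (the header must be present and start with `https://<ipa host>/ipa`) is an assumption about the server-side CVE-2011-3636 check, not something this bug states. The sample header sets are constructed: the ipa-join set copies the request quoted in comment 6, and the two certmonger sets are assumed pre-fix and post-fix shapes.

```python
#!/usr/bin/env python3
"""Header-logging XML-RPC responder for exercising certmonger's IPA submission.

Added example, not certmonger or IPA code. Point a client at this URI and read
the log to see which headers it sent; clients without a Referer header get the
fault code 911 that comment 7 expects from a patched IPA server.
"""
import http.server
import logging
import xmlrpc.client

REFERER_FAULT_CODE = 911  # fault code comment 7 expects for a rejected request

# Constructed header sets for offline testing. IPAJOIN_HEADERS copies the
# request quoted in comment 6; the certmonger sets are assumed shapes.
IPA_HOST = "ipa62server.pnq.redhat.com"
IPAJOIN_HEADERS = {
    "Host": IPA_HOST, "Accept": "*/*", "Content-Type": "text/xml",
    "User-Agent": "ipa-join/2.1.3",
    "Referer": "https://%s/ipa/xml" % IPA_HOST,
    "X-Original-User-Agent": "Xmlrpc-c/1.16.24 Curl/1.1.1",
}
OLD_CERTMONGER_HEADERS = {  # assumed pre-fix shape: no Referer, library UA
    "Host": IPA_HOST, "Content-Type": "text/xml",
    "User-Agent": "Xmlrpc-c/1.16.24 Curl/1.1.1",
}
NEW_CERTMONGER_HEADERS = {  # assumed post-fix shape
    "Host": IPA_HOST, "Content-Type": "text/xml",
    "User-Agent": "certmonger/0.50",
    "Referer": "https://%s/ipa/xml" % IPA_HOST,
}


def classify_request(headers, ipa_host=IPA_HOST):
    """Decide how a patched server would treat one request's headers.

    Returns a dict: fault_code is None when the request would be accepted,
    otherwise REFERER_FAULT_CODE. Header names are matched case-insensitively.
    The Referer rule (present and starting with https://<ipa_host>/ipa) is an
    assumption about the server-side check.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    user_agent = lowered.get("user-agent", "")
    referer = lowered.get("referer")
    verdict = {
        "user_agent": user_agent,
        "sends_certmonger_ua": user_agent.startswith("certmonger/"),
        "fault_code": None,
        "reason": "accepted",
    }
    if referer is None:
        verdict.update(fault_code=REFERER_FAULT_CODE,
                       reason="Referer header missing")
    elif not referer.startswith("https://%s/ipa" % ipa_host):
        verdict.update(fault_code=REFERER_FAULT_CODE,
                       reason="Referer %r is not for this server" % referer)
    return verdict


def build_response(verdict):
    """Serialise a verdict as an XML-RPC methodResponse (fault or value)."""
    if verdict["fault_code"] is not None:
        fault = xmlrpc.client.Fault(verdict["fault_code"], verdict["reason"])
        return xmlrpc.client.dumps(fault).encode()
    value = {"accepted": True, "user_agent": verdict["user_agent"]}
    return xmlrpc.client.dumps((value,), methodresponse=True).encode()


class HeaderLoggingHandler(http.server.BaseHTTPRequestHandler):
    """Log the request headers and XML-RPC method name, then answer."""

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        try:
            _params, method = xmlrpc.client.loads(body)
        except Exception:  # not a well-formed XML-RPC call; log it anyway
            method = "<unparseable>"
        logging.info("%s %s method=%s", self.client_address[0], self.path, method)
        for name, value in self.headers.items():
            logging.info("  %s: %s", name, value)
        verdict = classify_request(self.headers, self.server.ipa_host)
        logging.info("  verdict: %s", verdict["reason"])
        payload = build_response(verdict)
        self.send_response(200)
        self.send_header("Content-Type", "text/xml")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, fmt, *args):  # the header log above is enough
        pass


def serve(bind="127.0.0.1", port=8080, ipa_host=IPA_HOST):
    """Run the responder on plain HTTP (no TLS, no Kerberos)."""
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    server = http.server.HTTPServer((bind, port), HeaderLoggingHandler)
    server.ipa_host = ipa_host
    server.serve_forever()


if __name__ == "__main__":
    serve()
```

Run it on a throwaway client and direct certmonger's IPA submission at `http://127.0.0.1:8080/ipa/xml` (for instance by changing `xmlrpc_uri` in `/etc/ipa/default.conf`, assuming your certmonger build takes the server from there); the responder speaks plain HTTP and does no Kerberos, so it only exercises what the client puts in its headers, which is all the second test needs. For the first test in comment 7 the responder is not needed: resubmit an existing request with `getcert resubmit -i <request-id>` against a patched IPA server and compare what the old and new certmonger packages report.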

Comment 9 errata-xmlrpc 2012-02-21 06:17:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0245.html