Bug 757883
Summary: | certmonger: Requires client-side changes for server-side fixes (due to CVE-2011-3636) [rhel-5.8] | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Vincent Danen <vdanen> |
Component: | certmonger | Assignee: | Nalin Dahyabhai <nalin> |
Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | | |
Version: | 5.8 | CC: | bressers, ckannan, cww, dpal, jgalipea, ksiddiqu, nsoman, rcritten, security-response-team, vdanen |
Target Milestone: | rc | Keywords: | ZStream |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | certmonger-0.50-2.el5 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | 752226 | Environment: | |
Last Closed: | 2012-02-21 06:17:27 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 747710, 758797, 767573 | | |
Comment 4
Jenny Severance
2011-12-06 13:32:41 UTC
Verified.

Verification steps taken from Bug #752226

HTTP Request is successful.

Host: ipa62server.pnq.redhat.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/2.1.3
Referer: https://ipa62server.pnq.redhat.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 476

Version:

[root@ipa58client1 ~]# rpm -q certmonger ipa-client xmlrpc-c curl
certmonger-0.50-3.el5
ipa-client-2.1.3-1.el5
xmlrpc-c-1.16.24-1206.1840.4.el5
curl-7.15.5-15.el5
curl-7.15.5-15.el5
[root@ipa58client1 ~]#

No regressions found.

(In reply to comment #6)
> Verified.
>
> Verification steps taken from Bug #752226
>
> HTTP Request is successful.
>
> Host: ipa62server.pnq.redhat.com
> Accept: */*
> Content-Type: text/xml
> User-Agent: ipa-join/2.1.3
> Referer: https://ipa62server.pnq.redhat.com/ipa/xml
> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
> Content-Length: 476

This is the join request sent by ipa-join as part of the domain join, and I wouldn't expect it to be affected by whether or not the patch had been made in certmonger.

The simple test is to verify that the older version can't obtain a certificate from the server (one which has the recent CVE fixed -- I suspect but haven't verified that you should get a fault with error code 911 when this happens) and that the newer version can (even for the same request, if you use the 'resubmit' option).

The more complicated test involves configuring certmonger to submit IPA enrollment requests to a responder URI which doesn't necessarily perform the desired function, but which logs the headers that the client supplies in its request. We could then examine the log to check if it supplied the header 'User-Agent: certmonger/<VERSION>'.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0245.html
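
The header-logging responder described in the reply above ("the more complicated test"), sketched as an added example that is not part of the original bug report or of certmonger. Assumptions: a plain-HTTP listener on localhost, hypothetical class and function names, a constructed fault code, and an assumed shape for the version string after `certmonger/`.

```python
import http.client
import re
import threading
import xmlrpc.client
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header the reply expects from a fixed client: 'User-Agent: certmonger/<VERSION>'.
# The version pattern (digit, then word characters, dots, dashes) is an assumption.
CERTMONGER_UA = re.compile(r"^certmonger/\d[\w.\-]*$")

class HeaderLoggingResponder(BaseHTTPRequestHandler):
    """Logs the headers of every POST and answers with an XML-RPC fault."""
    seen = []  # one dict of request headers per request received

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self.rfile.read(length)  # drain the body; it is never processed
        type(self).seen.append(dict(self.headers.items()))
        # Constructed fault: this responder never issues a certificate.
        fault = xmlrpc.client.Fault(1, "logging responder only")
        body = xmlrpc.client.dumps(fault, methodresponse=True).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/xml")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # headers are kept in `seen`; silence the default access log

def start_responder(port=0):
    """Starts the responder on localhost; port 0 picks a free port."""
    server = HTTPServer(("127.0.0.1", port), HeaderLoggingResponder)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def identifies_as_certmonger(headers):
    """True if the logged request carried 'User-Agent: certmonger/<VERSION>'."""
    ua = next((v for k, v in headers.items() if k.lower() == "user-agent"), "")
    return bool(CERTMONGER_UA.match(ua))

def post_with_agent(server, user_agent):
    """Constructed stand-in for a client request, used to exercise the responder."""
    conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1])
    conn.request("POST", "/ipa/xml", body=b"<methodCall/>",
                 headers={"User-Agent": user_agent, "Content-Type": "text/xml"})
    conn.getresponse().read()
    conn.close()
    return HeaderLoggingResponder.seen[-1]
```

In a real run the client under test would be pointed at the responder's URI in place of `post_with_agent`, and each entry in `HeaderLoggingResponder.seen` checked with `identifies_as_certmonger`.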