RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

On 64-bit systems, the shared-system-certs feature, which is implemented by the p11-kit-trust.so module, is never active for 32-bit applications,
because the p11-kit-trust package is available only as a 64-bit package.

For example, on x86_64, the p11-kit-trust.x86_64.rpm package is available,
but the p11-kit-trust.i686.rpm package isn't.

As a result, 32-bit applications using NSS will always use the statically built NSS version of the root CA list.

Expected: 32-bit applications using NSS on a 64-bit system should use the dynamically provided CA list.

In order to fix this bug, the p11-kit-trust package must be made available as a 32-bit version on multiarch systems

I'm adding devel ack, since seems that there is a scenario which is currently blocked. Rel-eng needs to add a multilib whitelist for this specific package + remaining p11-kit-trust.

Is PM okay witch such change (it will result into shipping i686 rpms, which we haven't previously shipped).

Also closing https://projects.engineering.redhat.com/browse/RCM-13414 in favour of this bug.

Lubos

Right thing would be to deliver this update via advisory. Do we have any update, or will we re-push last advisory for p11-kit-trust?

Fixed in https://code.engineering.redhat.com/gerrit/142223

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3014