Bug 757883 - certmonger: Requires client-side changes for server-side fixes (due to CVE-2011-3636) [rhel-5.8]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: certmonger
Version: 5.8
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Nalin Dahyabhai
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks: CVE-2011-3636 758797 767573
Reported: 2011-11-28 21:34 UTC by Vincent Danen
Modified: 2012-02-21 06:17 UTC
CC List: 10 users

Fixed In Version: certmonger-0.50-2.el5
Doc Type: Bug Fix
Doc Text:
Clone Of: 752226
Environment:
Last Closed: 2012-02-21 06:17:27 UTC
Target Upstream Version:
Embargoed:

Links
System: Red Hat Product Errata
ID: RHBA-2012:0245
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: certmonger bug fix and enhancement update
Last Updated: 2012-02-20 15:07:20 UTC

Comment 4 Jenny Severance 2011-12-06 13:32:41 UTC
Nalin:
ipa-admintools is not available on RHEL 5.X. Can browser administration be used to verify this? If so, can you please provide steps?
Thanks

Comment 6 Kaleem 2011-12-15 07:27:23 UTC
Verified.

Verification steps taken from Bug #752226

HTTP Request is successful.

Host: ipa62server.pnq.redhat.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/2.1.3
Referer: https://ipa62server.pnq.redhat.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 476

Version:
[root@ipa58client1 ~]# rpm -q certmonger ipa-client xmlrpc-c curl
certmonger-0.50-3.el5
ipa-client-2.1.3-1.el5
xmlrpc-c-1.16.24-1206.1840.4.el5
curl-7.15.5-15.el5
curl-7.15.5-15.el5
[root@ipa58client1 ~]#

No regressions found.

Comment 7 Nalin Dahyabhai 2011-12-15 15:32:20 UTC
(In reply to comment #6)
> Verified.
> 
> Verification steps taken from Bug #752226
> 
> HTTP Request is successful.
> 
> Host: ipa62server.pnq.redhat.com
> Accept: */*
> Content-Type: text/xml
> User-Agent: ipa-join/2.1.3
> Referer: https://ipa62server.pnq.redhat.com/ipa/xml
> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
> Content-Length: 476

This is the join request sent by ipa-join as part of the domain join, and I wouldn't expect it to be affected by whether or not the patch had been made in certmonger.

The simple test is to verify that the older version can't obtain a certificate from the server (one which has the recent CVE fixed -- I suspect but haven't verified that you should get a fault with error code 911 when this happens) and that the newer version can (even for the same request, if you use the 'resubmit' option).

The more complicated test involves configuring certmonger to submit IPA enrollment requests to a responder URI which doesn't necessarily perform the desired function, but which logs the headers that the client supplies in its request.  We could then examine the log to check if it supplied the header 'User-Agent: certmonger/<VERSION>'.

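The header-logging responder that comment 7 outlines for the "more complicated test", as an added example; this is not code from the bug report or from certmonger. It assumes that certmonger's IPA submission can be pointed at an arbitrary responder URL (the comment describes that setup without naming the configuration knob) and that the patched client identifies itself with `User-Agent: certmonger/<VERSION>`, e.g. `certmonger/0.50`; the exact version string is an assumption. The responder performs no enrollment: it records each request's headers and answers with a canned XML-RPC fault. The sample header blocks are constructed from the request quoted in comment 6 plus one hypothetical patched-client request.

```python
"""Header-logging responder for checking the client's User-Agent header.

Added example, not from the bug report or from certmonger. Assumptions:
certmonger can be pointed at this responder's URL for IPA submissions, and
the patched client sends 'User-Agent: certmonger/<VERSION>'.
"""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header value the patched client is assumed to send, e.g. "certmonger/0.50".
_CERTMONGER_UA = re.compile(r"^certmonger/(\d+(?:\.\d+)*)$")

# Canned XML-RPC fault returned for every request, so no enrollment happens.
# Fault code 911 is the value comment 7 suspects a fixed server returns; here
# it is only a placeholder payload.
FAULT_BODY = (
    b'<?xml version="1.0"?><methodResponse><fault><value><struct>'
    b"<member><name>faultCode</name><value><int>911</int></value></member>"
    b"<member><name>faultString</name><value><string>"
    b"logging responder: request recorded</string></value></member>"
    b"</struct></value></fault></methodResponse>"
)

# Constructed sample: the ipa-join request quoted in comment 6, followed by
# what a patched certmonger submission is assumed to look like.
SAMPLE_LOG = [
    "Host: ipa62server.pnq.redhat.com\nAccept: */*\nContent-Type: text/xml\n"
    "User-Agent: ipa-join/2.1.3\n"
    "Referer: https://ipa62server.pnq.redhat.com/ipa/xml\n"
    "X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1\nContent-Length: 476\n",
    "Host: ipa62server.pnq.redhat.com\nAccept: */*\nContent-Type: text/xml\n"
    "User-Agent: certmonger/0.50\n"
    "Referer: https://ipa62server.pnq.redhat.com/ipa/xml\nContent-Length: 512\n",
]


def classify_user_agent(value):
    """Classify one User-Agent value.

    Returns ("certmonger", version) for the patched client's header,
    ("missing", None) when the header is absent, ("other", value) otherwise.
    """
    if value is None:
        return ("missing", None)
    m = _CERTMONGER_UA.match(value.strip())
    if m:
        return ("certmonger", m.group(1))
    return ("other", value.strip())


def parse_request_headers(raw):
    """Parse a logged header block into a dict with lower-cased names.

    Lines without a colon (blank lines, a request line) are skipped; the
    value is split at the first colon so URLs in Referer survive intact.
    """
    headers = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return headers


def audit(records):
    """Classify the User-Agent of every logged request, in order."""
    return [classify_user_agent(h.get("user-agent")) for h in records]


class _Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        # Drain the body so the client gets a clean response, then log headers.
        self.rfile.read(int(self.headers.get("Content-Length", "0")))
        self.server.records.append({k.lower(): v for k, v in self.headers.items()})
        self.send_response(200)
        self.send_header("Content-Type", "text/xml")
        self.send_header("Content-Length", str(len(FAULT_BODY)))
        self.end_headers()
        self.wfile.write(FAULT_BODY)

    def log_message(self, fmt, *args):
        pass  # keep stdout quiet; self.server.records holds the data


class LoggingResponder(HTTPServer):
    """HTTP server that records request headers instead of enrolling."""

    def __init__(self, address):
        super().__init__(address, _Handler)
        self.records = []


if __name__ == "__main__":
    # Point certmonger's IPA submission at http://127.0.0.1:8080/ipa/xml
    # (assumed configurable), let it submit, then Ctrl-C to see the audit.
    server = LoggingResponder(("127.0.0.1", 8080))
    try:
        server.serve_forever()
    except KeyboardInterrupt:
        pass
    for entry in audit(server.records):
        print(entry)
```

Run it, direct the client's submissions at the listening URL, and read `audit(server.records)`: an un-patched client shows up as `("other", ...)` or `("missing", None)`, a patched one as `("certmonger", "<VERSION>")`. The same `audit` runs over header blocks captured elsewhere (a reverse-proxy log, tcpdump output) via `parse_request_headers`, which is how the constructed `SAMPLE_LOG` is checked.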
Comment 9 errata-xmlrpc 2012-02-21 06:17:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0245.html
