Bug 757883 - certmonger: Requires client-side changes for server-side fixes (due to CVE-2011-3636) [rhel-5.8]
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: certmonger (Show other bugs)
Version: 5.8
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assigned To: Nalin Dahyabhai
QA Contact: IDM QE LIST
Keywords: ZStream
Depends On:
Blocks: CVE-2011-3636 758797 767573
Reported: 2011-11-28 16:34 EST by Vincent Danen
Modified: 2012-02-21 01:17 EST (History)

See Also:
Fixed In Version: certmonger-0.50-2.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 752226
Environment:
Last Closed: 2012-02-21 01:17:27 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0245 normal SHIPPED_LIVE certmonger bug fix and enhancement update 2012-02-20 10:07:20 EST

Comment 4 Jenny Galipeau 2011-12-06 08:32:41 EST
Nalin:
ipa-admintools not available on RHEL 5.X.  Can browser administration be used to verify this? If so, can you please provide steps?
Thanks
Comment 6 Kaleem 2011-12-15 02:27:23 EST
Verified.

Verification steps taken from Bug #752226

HTTP Request is successful.

Host: ipa62server.pnq.redhat.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/2.1.3
Referer: https://ipa62server.pnq.redhat.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 476

Version:
[root@ipa58client1 ~]# rpm -q certmonger ipa-client xmlrpc-c curl
certmonger-0.50-3.el5
ipa-client-2.1.3-1.el5
xmlrpc-c-1.16.24-1206.1840.4.el5
curl-7.15.5-15.el5
curl-7.15.5-15.el5
[root@ipa58client1 ~]#

No regressions found.
Comment 7 Nalin Dahyabhai 2011-12-15 10:32:20 EST
(In reply to comment #6)
> Verified.
> 
> Verification steps taken from Bug #752226
> 
> HTTP Request is successful.
> 
> Host: ipa62server.pnq.redhat.com
> Accept: */*
> Content-Type: text/xml
> User-Agent: ipa-join/2.1.3
> Referer: https://ipa62server.pnq.redhat.com/ipa/xml
> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
> Content-Length: 476

This is the join request sent by ipa-join as part of the domain join, and I wouldn't expect it to be affected by whether or not the patch had been made in certmonger.

The simple test is to verify that the older version can't obtain a certificate from the server (one which has the recent CVE fixed -- I suspect but haven't verified that you should get a fault with error code 911 when this happens) and that the newer version can (even for the same request, if you use the 'resubmit' option).

The more complicated test involves configuring certmonger to submit IPA enrollment requests to a responder URI which doesn't necessarily perform the desired function, but which logs the headers that the client supplies in its request.  We could then examine the log to check if it supplied the header 'User-Agent: certmonger/<VERSION>'.
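A small stand-in responder for the header-logging test described in the comment above, added here as an example; it is not part of certmonger, IPA or this bug's verification. It assumes the patched client identifies itself as 'User-Agent: certmonger/<VERSION>' as comment 7 states; the two sample header blocks are constructed (the first from the ipa-join headers quoted in comment 6, the second with a made-up certmonger version).

```python
"""Log the headers an enrollment client sends and check for a certmonger User-Agent."""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed header format, taken from comment 7: "User-Agent: certmonger/<VERSION>"
CERTMONGER_UA = re.compile(r"^certmonger/(\S+)$")


def parse_headers(raw):
    """Parse captured 'Name: value' lines into a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue  # skip blank lines and a leading request line
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def certmonger_version(headers):
    """Return the version from a certmonger User-Agent header, or None if absent."""
    match = CERTMONGER_UA.match(headers.get("user-agent", ""))
    return match.group(1) if match else None


class HeaderLogger(BaseHTTPRequestHandler):
    """Stand-in responder: logs request headers, answers 200, performs no enrollment."""

    def do_POST(self):
        headers = {k.lower(): v for k, v in self.headers.items()}
        self.rfile.read(int(headers.get("content-length", 0)))  # drain the body
        version = certmonger_version(headers)
        print("client headers:", headers)
        print("certmonger version:", version or "<no certmonger User-Agent>")
        self.send_response(200)
        self.end_headers()

    do_GET = do_POST


# Constructed samples: the ipa-join headers from comment 6, and what a patched
# certmonger would be expected to send (assumed format, made-up version).
JOIN_REQUEST = ("Host: ipa62server.pnq.redhat.com\nAccept: */*\nContent-Type: text/xml\n"
                "User-Agent: ipa-join/2.1.3\nContent-Length: 476\n")
CERTMONGER_REQUEST = ("Host: ipa62server.pnq.redhat.com\nContent-Type: text/xml\n"
                      "User-Agent: certmonger/0.50\nContent-Length: 476\n")

if __name__ == "__main__":
    print(certmonger_version(parse_headers(JOIN_REQUEST)))        # None
    print(certmonger_version(parse_headers(CERTMONGER_REQUEST)))  # 0.50
    HTTPServer(("127.0.0.1", 8080), HeaderLogger).serve_forever()  # responder URI for certmonger
```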
Comment 9 errata-xmlrpc 2012-02-21 01:17:27 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0245.html
