757883 – certmonger: Requires client-side changes for server-side fixes (due to CVE-2011-3636) [rhel-5.8]

Bug 757883 - certmonger: Requires client-side changes for server-side fixes (due to CVE-2011-3636) [rhel-5.8]

Summary: certmonger: Requires client-side changes for server-side fixes (due to CVE-20...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	certmonger
Sub Component:
Version:	5.8
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Nalin Dahyabhai
QA Contact:	IDM QE LIST
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	CVE-2011-3636 758797 767573
TreeView+	depends on / blocked

Reported:	2011-11-28 21:34 UTC by Vincent Danen
Modified:	2012-02-21 06:17 UTC (History)
CC List:	10 users (show)
Fixed In Version:	certmonger-0.50-2.el5
Doc Type:	Bug Fix
Doc Text:
Clone Of:	752226
Environment:
Last Closed:	2012-02-21 06:17:27 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2012:0245	0	normal	SHIPPED_LIVE	certmonger bug fix and enhancement update	2012-02-20 15:07:20 UTC

Comment 4 Jenny Severance 2011-12-06 13:32:41 UTC

Nalin:
ipa-admintools not available on RHEL 5.X.  Can browser administration be used to verify this? If so, can you please provide steps?
Thanks

Comment 6 Kaleem 2011-12-15 07:27:23 UTC

Verified.

Verification steps taken from Bug #752226

HTTP Request is successful.

Host: ipa62server.pnq.redhat.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/2.1.3
Referer: https://ipa62server.pnq.redhat.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 476

Version:
[root@ipa58client1 ~]# rpm -q certmonger ipa-client xmlrpc-c curl
certmonger-0.50-3.el5
ipa-client-2.1.3-1.el5
xmlrpc-c-1.16.24-1206.1840.4.el5
curl-7.15.5-15.el5
curl-7.15.5-15.el5
[root@ipa58client1 ~]#

No regressions found.

Comment 7 Nalin Dahyabhai 2011-12-15 15:32:20 UTC

(In reply to comment #6)
> Verified.
> 
> Verification steps taken from Bug #752226
> 
> HTTP Request is successful.
> 
> Host: ipa62server.pnq.redhat.com
> Accept: */*
> Content-Type: text/xml
> User-Agent: ipa-join/2.1.3
> Referer: https://ipa62server.pnq.redhat.com/ipa/xml
> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
> Content-Length: 476

This is the join request sent by ipa-join as part of the domain join, and I wouldn't expect it to be affected by whether or not the patch had been made in certmonger.

The simple test is to verify that the older version can't obtain a certificate from the server (one which has the recent CVE fixed -- I suspect but haven't verified that you should get a fault with error code 911 when this happens) and that the newer version can (even for the same request, if you use the 'resubmit' option).

The more complicated test involves configuring certmonger to submit IPA enrollment requests to a responder URI which doesn't necessarily perform the desired function, but which logs the headers that the client supplies in its request.  We could then examine the log to check if it supplied the header 'User-Agent: certmonger/<VERSION>'.

Comment 9 errata-xmlrpc 2012-02-21 06:17:27 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0245.html

Note You need to log in before you can comment on or make changes to this bug.