Bug 799161 - Firefox not working with S4U2Proxy
Firefox not working with S4U2Proxy
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: krb5 (Show other bugs)
6.3
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Nalin Dahyabhai
Jenny Galipeau
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-03-01 17:49 EST by Rob Crittenden
Modified: 2012-10-12 04:43 EDT (History)
8 users (show)

See Also:
Fixed In Version: krb5-1.9-29.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-20 10:27:31 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
upstream Kerberos patch (6.26 KB, patch)
2012-03-01 17:51 EST, Rob Crittenden
no flags Details | Diff

  None (edit)
Description Rob Crittenden 2012-03-01 17:49:37 EST
This bug is created as a clone of upstream ipa ticket:
https://fedorahosted.org/freeipa/ticket/2472

Firefox is not working with IPA and S4U2Proxy. This is because it passes in an empty mech. This results in no credentials acquired because it doesn't know which one to pick.

What we see in mod_auth_kerb is GSS_C_DELEG_FLAG is not in the return flags and no delegated credential.

There is an upstream patch which addresses this.
Comment 1 Rob Crittenden 2012-03-01 17:51:29 EST
Created attachment 566961 [details]
upstream Kerberos patch

More sensical mech selection for gss_acquire_cred/accept_sec_context

If a caller passes an empty mech set to gss_acquire_cred, get a cred for all mechs instead of just the krb5 mech, as we don't know what mechanism the cred is going to be used with (particularly in the acceptor case).  As a related fix, if a caller passes a credential to gss_accept_sec_context and it does not contain a mech-specific cred for the token's mech, error out instead of using the default cred with the token's mechanism.
Comment 3 Nalin Dahyabhai 2012-03-12 12:42:29 EDT
On which versions is this known to work without backporting?  Is it expected to work if the client's ticket isn't forwardable (i.e., obtained using a TGT which was obtained by running 'kinit -F', or with [libdefaults] not set up to default to requesting forwardable tickets)?
Comment 4 Jenny Galipeau 2012-03-12 13:02:51 EDT
Is it sufficient to just remove the defined delegation uri configuration in about:config ... and make sure you can access the IPA Administration Web UI to verify this bug?
Comment 5 Rob Crittenden 2012-03-12 13:46:17 EDT
Nalin: versions of what, Firefox or krb5-server? S4U2Proxy needs a forwardable ticket to work (it just doesn't require the full TGT). From a client perspective we just set the flags GSS_C_MUTUAL_FLAG and GSS_C_SEQUENCE_FLAG, not GSS_C_DELEG_FLAG.

Jenny: It depends. If you start out with a fresh install and have never authenticated then yes. Or you can run ipactl restart to be sure that we haven't cached a TGT from a previous request. You can also look in /var/log/krb5kdc.log and look for CONSTRAINED DELEGATION lines. These mean that your user was properly authenticated without sending a TGT.
Comment 6 Nalin Dahyabhai 2012-03-12 18:21:22 EDT
(In reply to comment #5)
> Nalin: versions of what, Firefox or krb5-server? S4U2Proxy needs a forwardable
> ticket to work (it just doesn't require the full TGT). From a client
> perspective we just set the flags GSS_C_MUTUAL_FLAG and GSS_C_SEQUENCE_FLAG,
> not GSS_C_DELEG_FLAG.

Firefox and mod_auth_kerb, mainly, as we're not patching the KDC as part of fixing this bug.  If mod_auth_kerb doesn't get a suitable ticket from the client, shouldn't it be attempting to get one by using S4U2Self?
Comment 7 Rob Crittenden 2012-03-13 09:31:35 EDT
I don't understand. It looks like this patch is applied in krb5-1.9-29 which should address this bug. AFAIK no additional changes to mod_auth_kerb or Firefox are required (though a version of mod_auth_kerb that supports and is configured for S4U2Proxy, is required).
Comment 8 Simo Sorce 2012-03-13 09:48:03 EDT
(In reply to comment #6)
> (In reply to comment #5)
> > Nalin: versions of what, Firefox or krb5-server? S4U2Proxy needs a forwardable
> > ticket to work (it just doesn't require the full TGT). From a client
> > perspective we just set the flags GSS_C_MUTUAL_FLAG and GSS_C_SEQUENCE_FLAG,
> > not GSS_C_DELEG_FLAG.
> 
> Firefox and mod_auth_kerb, mainly, as we're not patching the KDC as part of
> fixing this bug.  If mod_auth_kerb doesn't get a suitable ticket from the
> client, shouldn't it be attempting to get one by using S4U2Self?

Firefox needs no fixes at all.

mod_auth_kerb needs to be the right version that supports s4u2proxy, s4u2self is not allowed.

libkrb5 needs to be patched. If patches are not backported from 1.10 it will never work as firfox force spnego as a mechanism and libgssapi_krb5 has bugs dealing with delegate credentials when spnego is used.
Comment 9 Nalin Dahyabhai 2012-03-13 11:09:27 EDT
(In reply to comment #8)
> (In reply to comment #6)
> > (In reply to comment #5)
> > > Nalin: versions of what, Firefox or krb5-server? S4U2Proxy needs a forwardable
> > > ticket to work (it just doesn't require the full TGT). From a client
> > > perspective we just set the flags GSS_C_MUTUAL_FLAG and GSS_C_SEQUENCE_FLAG,
> > > not GSS_C_DELEG_FLAG.
> > 
> > Firefox and mod_auth_kerb, mainly, as we're not patching the KDC as part of
> > fixing this bug.  If mod_auth_kerb doesn't get a suitable ticket from the
> > client, shouldn't it be attempting to get one by using S4U2Self?
> 
> Firefox needs no fixes at all.

That's good to hear.  Which version are you using when you're testing this?

> mod_auth_kerb needs to be the right version that supports s4u2proxy, s4u2self
> is not allowed.

Which version is that?

Why is s4u2self not allowed, if things still don't work without it when the user-supplied ticket doesn't have the forwardable flag set in it?
 
> libkrb5 needs to be patched. If patches are not backported from 1.10 it will
> never work as firfox force spnego as a mechanism and libgssapi_krb5 has bugs
> dealing with delegate credentials when spnego is used.

Yes, that's why this bug is here.  I'm trying to establish a baseline against which I can compare the results of applying the patch from this bug.  As the krb5 component is being patched here, the name-version-release information for the other parts which are involved would be useful.
Comment 10 Simo Sorce 2012-03-13 11:44:57 EDT
(In reply to comment #9)
> (In reply to comment #8)
> > (In reply to comment #6)
> > > (In reply to comment #5)
> > > > Nalin: versions of what, Firefox or krb5-server? S4U2Proxy needs a forwardable
> > > > ticket to work (it just doesn't require the full TGT). From a client
> > > > perspective we just set the flags GSS_C_MUTUAL_FLAG and GSS_C_SEQUENCE_FLAG,
> > > > not GSS_C_DELEG_FLAG.
> > > 
> > > Firefox and mod_auth_kerb, mainly, as we're not patching the KDC as part of
> > > fixing this bug.  If mod_auth_kerb doesn't get a suitable ticket from the
> > > client, shouldn't it be attempting to get one by using S4U2Self?
> > 
> > Firefox needs no fixes at all.
> 
> That's good to hear.  Which version are you using when you're testing this?

Any version is the same, that code hasn't changed in ages in Firefox.
We used FF10

> > mod_auth_kerb needs to be the right version that supports s4u2proxy, s4u2self
> > is not allowed.
> 
> Which version is that?

I think mod_auth_kerb-5.4-9.fc16 has all needed code, I am not sure which RHEL version it corresponds to.

> Why is s4u2self not allowed, if things still don't work without it when the
> user-supplied ticket doesn't have the forwardable flag set in it?

s4u2self would give the proxy the ability to arbitrarily impersonate any user, we do not want that, the proxy need an actual evidence ticket from a user to be able to use s4u2proxy.

The user-supplied ticket must have the forwardable flag set.
Comment 11 Nalin Dahyabhai 2012-03-13 13:33:57 EDT
(In reply to comment #10)
> (In reply to comment #9)
> > Why is s4u2self not allowed, if things still don't work without it when the
> > user-supplied ticket doesn't have the forwardable flag set in it?
> 
> s4u2self would give the proxy the ability to arbitrarily impersonate any user,
> we do not want that, the proxy need an actual evidence ticket from a user to be
> able to use s4u2proxy.

s4u2self, by itself, does not grant that ability.  The KDC won't issue a forwardable ticket to the service via s4u2self if the ok-to-auth-as-delegate flag is not set for the service -- it will instead issue a non-forwardable ticket.  A forwardable evidence ticket is required for making an s4u2proxy request, so a non-forwardable s4u2self ticket could not be used for s4u2proxy.

> The user-supplied ticket must have the forwardable flag set.

For IPA, for now.  This doesn't automatically apply to all users of mod_auth_kerb.
Comment 12 Simo Sorce 2012-03-13 13:49:36 EDT
(In reply to comment #11)
> (In reply to comment #10)
> > (In reply to comment #9)
> > > Why is s4u2self not allowed, if things still don't work without it when the
> > > user-supplied ticket doesn't have the forwardable flag set in it?
> > 
> > s4u2self would give the proxy the ability to arbitrarily impersonate any user,
> > we do not want that, the proxy need an actual evidence ticket from a user to be
> > able to use s4u2proxy.
> 
> s4u2self, by itself, does not grant that ability.  The KDC won't issue a
> forwardable ticket to the service via s4u2self if the ok-to-auth-as-delegate
> flag is not set for the service -- it will instead issue a non-forwardable
> ticket.  A forwardable evidence ticket is required for making an s4u2proxy
> request, so a non-forwardable s4u2self ticket could not be used for s4u2proxy.

Sure, but in that case the s4u2self obtained ticket would be useless to us.
So it is not an interesting case to allow.

> > The user-supplied ticket must have the forwardable flag set.
> 
> For IPA, for now.  This doesn't automatically apply to all users of
> mod_auth_kerb.

In what case s4u2self is interesting for mod_auth_kerb ?
Comment 13 Nalin Dahyabhai 2012-03-13 14:58:07 EDT
(In reply to comment #12)
> In what case s4u2self is interesting for mod_auth_kerb ?

I don't have an exhaustive list of the situations and applications where mod_auth_kerb is used, so I don't rule it out.
Comment 15 Jenny Galipeau 2012-05-15 10:22:07 EDT
I do believe that forms based authentication would not work with out s4u2proxy ... and testing of this should be sufficient for verification.  Do you agree Nalin?

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: TEST PROTOCOL
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Test run ID   : 5557773
:: [   LOG    ] :: Package       : ipa-server
:: [   LOG    ] :: Installed:    : ipa-server-2.2.0-11.el6.i686
:: [   LOG    ] :: Test started  : 2012-04-30 12:18:59 EDT
:: [   LOG    ] :: Test finished : 2012-04-30 12:23:20 EDT
:: [   LOG    ] :: Test name     : /CoreOS/ipa-server/acceptance/forms-cli
:: [   LOG    ] :: Distro:       : Red Hat Enterprise Linux Server release 6.3 Beta (Santiago)
:: [   LOG    ] :: Hostname      : dell-pe1750-1.testrelm.com
:: [   LOG    ] :: Architecture  : i686

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test description
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

PURPOSE of /CoreOS/ipa-server/acceptance/forms-cli
Description: Tests creation and usage of kerberos forms
Author: Michael Gregg <mgregg@redhat.com>


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: forms-cli startup: Check for ipa-server package
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Checking for the presence of ipa-server rpm
:: [   PASS   ] :: Creating tmp directory
:: [   PASS   ] :: Running 'pushd /tmp/tmp.1jl5RnNjga'
:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Kinit as admin user
:: [   LOG    ] :: Duration: 4s
:: [   LOG    ] :: Assertions: 4 good, 0 bad
:: [   PASS   ] :: RESULT: forms-cli startup: Check for ipa-server package

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: forms-cli-01: Destroy credentials
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Destroy kinit.
:: [   PASS   ] :: destroy any credentials that may already exist
:: [   LOG    ] :: Duration: 0s
:: [   LOG    ] :: Assertions: 1 good, 0 bad
:: [   PASS   ] :: RESULT: forms-cli-01: Destroy credentials

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: forms-cli-02: Ensure that json script does not work without a valid session ID
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Make sure that the output of the curl request seems to have failed
:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Kinit as admin user
:: [   PASS   ] :: Make sure that admin is unable to find the new user 
:: [   PASS   ] :: destroy any credentials that may already exist
:: [   LOG    ] :: Duration: 11s
:: [   LOG    ] :: Assertions: 4 good, 0 bad
:: [   PASS   ] :: RESULT: forms-cli-02: Ensure that json script does not work without a valid session ID

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: forms-cli-03: ensure that you cannot get a valid session id with bad credentials.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Make sure that the response header does not appear to have a session id in it
:: [   LOG    ] :: Duration: 1s
:: [   LOG    ] :: Assertions: 1 good, 0 bad
:: [   PASS   ] :: RESULT: forms-cli-03: ensure that you cannot get a valid session id with bad credentials.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: forms-cli-04: attempt to create a new group with bad credentials.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Kinit as admin user
:: [   PASS   ] :: Make sure that admin is not able to find the new group lookgt
:: [   LOG    ] :: Duration: 11s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: forms-cli-04: attempt to create a new group with bad credentials.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: forms-cli-05: Get a valid session id with good credentials.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Make sure that the response header contains a session id in it
:: [   LOG    ] :: new admin session ID is 1641a217e4aabed19ccfd98cf12dc1c0
:: [   LOG    ] :: Duration: 7s
:: [   LOG    ] :: Assertions: 1 good, 0 bad
:: [   PASS   ] :: RESULT: forms-cli-05: Get a valid session id with good credentials.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: forms-cli-06: Create a new user with the aquired session id. ie, retry forms-cli-02 with valid credentials.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Kinit as admin user
:: [   PASS   ] :: Make sure that admin is able to find the new user 
:: [   PASS   ] :: Delete the test user 
:: [   LOG    ] :: Duration: 25s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: forms-cli-06: Create a new user with the aquired session id. ie, retry forms-cli-02 with valid credentials.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: forms-cli-07: Create a new group with the aquired session id. ie, retry forms-cli-03 with valid credentials.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Kinit as admin user
:: [   PASS   ] :: Make sure that admin is able to find the new group lookgt
:: [   LOG    ] :: Duration: 17s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: forms-cli-07: Create a new group with the aquired session id. ie, retry forms-cli-03 with valid credentials.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: forms-cli-08: Delete the group created in the last step using valid credentials in a form.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Kinit as admin user
:: [   PASS   ] :: Make sure that admin is not able to find the new group lookgt
:: [   LOG    ] :: Duration: 17s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: forms-cli-08: Delete the group created in the last step using valid credentials in a form.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: forms-cli-09: Add a good A record with forms based authentication.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Kinit as admin user
:: [   PASS   ] :: Make sure that the new ipa address seems to be in the server
:: [   LOG    ] :: Duration: 34s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: forms-cli-09: Add a good A record with forms based authentication.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: forms-cli-10: Add a second good A record with forms based authentication.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Kinit as admin user
:: [   PASS   ] :: Make sure that the original ip address seems to be in the server
:: [   PASS   ] :: Make sure that the new ip address seems to be in the server
:: [   LOG    ] :: Duration: 32s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: forms-cli-10: Add a second good A record with forms based authentication.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: forms-cli-11: Try to add a bad ip a record with forma based auth.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Kinit as admin user
:: [   PASS   ] :: Make sure that the first original ip address seems to be in the server
:: [   PASS   ] :: Make sure that the second original ip address seems to be in the server
:: [   PASS   ] :: Make sure that the bad ip address isn't on the server
:: [   LOG    ] :: Duration: 32s
:: [   LOG    ] :: Assertions: 4 good, 0 bad
:: [   PASS   ] :: RESULT: forms-cli-11: Try to add a bad ip a record with forma based auth.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: forms-cli-12: Delete A record with forms based authentication.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Kinit as admin user
:: [   PASS   ] :: Make sure that the original ip address has been removed the server
:: [   PASS   ] :: Make sure that the new ip address seems to be in the server
:: [   PASS   ] :: Make sure that the bad ip address isn't on the server
:: [   PASS   ] :: cleanup the second added a record.
:: [   LOG    ] :: Duration: 50s
:: [   LOG    ] :: Assertions: 5 good, 0 bad
:: [   PASS   ] :: RESULT: forms-cli-12: Delete A record with forms based authentication.
No crash detected.
report saved as: /tmp/rhts.report.30839.txt
================ final pass/fail report =================
   Test Date: Mon Apr 30 12:23:23 EDT 2012 
   Total : [13] 
   Passed: [13] 
   Failed: [0] 
   Abort : [0]
   Crash : [0]
---------------------------------------------------------
   [   PASS   ]      forms-cli startup  Check for ipa-server package
   [   PASS   ]      forms-cli-01  Destroy credentials
   [   PASS   ]      forms-cli-02  Ensure that json script does not work without a valid session ID
   [   PASS   ]      forms-cli-03  ensure that you cannot get a valid session id with bad credentials.
   [   PASS   ]      forms-cli-04  attempt to create a new group with bad credentials.
   [   PASS   ]      forms-cli-05  Get a valid session id with good credentials.
   [   PASS   ]      forms-cli-06  Create a new user with the aquired session id. ie, retry forms-cli-02 with valid credentials.
   [   PASS   ]      forms-cli-07  Create a new group with the aquired session id. ie, retry forms-cli-03 with valid credentials.
   [   PASS   ]      forms-cli-08  Delete the group created in the last step using valid credentials in a form.
   [   PASS   ]      forms-cli-09  Add a good A record with forms based authentication.
   [   PASS   ]      forms-cli-10  Add a second good A record with forms based authentication.
   [   PASS   ]      forms-cli-11  Try to add a bad ip a record with forma based auth.
   [   PASS   ]      forms-cli-12  Delete A record with forms based authentication.
Comment 16 Simo Sorce 2012-05-15 10:36:05 EDT
(In reply to comment #15)
> I do believe that forms based authentication would not work with out s4u2proxy
> ... and testing of this should be sufficient for verification.  Do you agree
>

Forms based authentication is completely independent from s4u2proxy, however normal SSO auth from Firefox setting degalte-uris to no value will use s4u2proxy.
Comment 17 Nalin Dahyabhai 2012-05-15 11:02:42 EDT
(In reply to comment #15)
> I do believe that forms based authentication would not work with out s4u2proxy
> ... and testing of this should be sufficient for verification.  Do you agree
> Nalin?

The erratum includes information about testing general S4U2Proxy functionality in a non-IPA environment, and those tests should suffice for the general cases.

If I'm reading the patch right, whether or not this was triggered depended in part on how the client and server used the GSSAPI library to talk to each other, and the combination of Firefox and mod_auth_kerb would trigger the bug at the server.  So long as the form fails if mod_auth_kerb can't supply S4U2Proxy credentials for it, I think the test should cover it.
Comment 19 Jenny Galipeau 2012-05-18 07:37:40 EDT
per comments .. marking bug verified. Thanks
Comment 20 errata-xmlrpc 2012-06-20 10:27:31 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0921.html

Note You need to log in before you can comment on or make changes to this bug.