Bug 304571 (CVE-2007-4994) - CVE-2007-4994 rhcs CRL can get corrupted
Summary: CVE-2007-4994 rhcs CRL can get corrupted
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-4994
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 243176 304581 304591
Blocks:
Reported: 2007-09-25 08:12 UTC by Mark J. Cox
Modified: 2019-09-29 12:21 UTC
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-01-14 16:19:19 UTC
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0934 0 normal SHIPPED_LIVE Moderate: rhpki-util, rhpki-common, rhpki-ca security update 2007-10-08 07:44:34 UTC
Red Hat Product Errata RHSA-2008:0566 0 normal SHIPPED_LIVE Moderate: rhpki-util, rhpki-common, and rhpki-ca security and bug fix update 2008-07-21 19:16:51 UTC

Description Mark J. Cox 2007-09-25 08:12:30 UTC
New revocations performed while a CRL is being generated
could potentially cause revoked certificates at the upper
end of the serial number range to not appear on the CRL.

In subsequent CRLs, those missing certificates could again
appear on the CRL.
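
The failure mode described above, modelled as an added example (not rhpki code, and the index-based walk is an assumed mechanism chosen to reproduce the symptom, not a description of the actual implementation): a generator that fixes the record count up front and then reads revoked serials by position loses the highest serial when a revocation is inserted below the cursor mid-run, and that serial comes back in the next CRL once the count is recomputed. The snapshot variant copies the revoked set under the lock once, so a concurrent revocation simply lands in the following CRL. `RevocationStore`, `build_crl_racy`, `build_crl_snapshot` and `missing_from_crl` are hypothetical names; the serials are constructed sample data.

```python
"""Model of a CRL-generation race (constructed for illustration, not rhpki code)."""
import bisect
import threading
from typing import Callable, List, Optional

Hook = Optional[Callable[[int], None]]


class RevocationStore:
    """Revoked certificate serials, kept sorted ascending in memory (constructed store)."""

    def __init__(self, serials: List[int]) -> None:
        self._lock = threading.Lock()
        self._serials: List[int] = sorted(serials)

    def revoke(self, serial: int) -> None:
        with self._lock:
            bisect.insort(self._serials, serial)

    def count(self) -> int:
        with self._lock:
            return len(self._serials)

    def at(self, index: int) -> int:
        with self._lock:
            return self._serials[index]

    def snapshot(self) -> List[int]:
        # One consistent copy taken under the lock; this is the fix.
        with self._lock:
            return list(self._serials)


def build_crl_racy(store: RevocationStore, interleave: Hook = None) -> List[int]:
    """Racy walk: count first, then read by index one record at a time.

    A revocation inserted below the cursor shifts every later record up by one,
    so the record at the upper end of the range moves to index `count` and is
    never read: it silently drops off this CRL.
    """
    crl: List[int] = []
    count = store.count()
    for i in range(count):
        crl.append(store.at(i))
        if interleave is not None:
            interleave(i)  # models a revocation request landing mid-generation
    return crl


def build_crl_snapshot(store: RevocationStore, interleave: Hook = None) -> List[int]:
    """Fixed walk: iterate a snapshot, so concurrent revocations go to the next CRL."""
    crl: List[int] = []
    for i, serial in enumerate(store.snapshot()):
        crl.append(serial)
        if interleave is not None:
            interleave(i)
    return crl


def missing_from_crl(known_revoked: List[int], crl: List[int]) -> List[int]:
    """Defender-side check: serials revoked before generation that the CRL omits."""
    return sorted(set(known_revoked) - set(crl))


def demo() -> None:
    # Constructed scenario: serials 10, 20, 30 are revoked; 15 is revoked mid-run.
    store = RevocationStore([10, 20, 30])
    known_before = store.snapshot()

    def revoke_mid_run(i: int) -> None:
        if i == 0:
            store.revoke(15)

    racy = build_crl_racy(store, revoke_mid_run)
    print("racy CRL:", racy, "missing:", missing_from_crl(known_before, racy))

    store = RevocationStore([10, 20, 30])
    fixed = build_crl_snapshot(store, revoke_mid_run)
    print("snapshot CRL:", fixed, "missing:", missing_from_crl(known_before, fixed))
    print("next CRL:", build_crl_snapshot(store))


if __name__ == "__main__":
    demo()
```

`missing_from_crl` is the kind of post-generation consistency check a CA operator can run: compare the revocation records that existed when generation started against the CRL that was published, and alarm on any gap before the CRL is distributed.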

Comment 2 Mark J. Cox 2007-09-25 08:15:51 UTC
CVSS base score 3.6:

AccessVector: Network
AccessComplexity: High (you have no way of making a particular certificate
become unrevoked, just chance)
Authentication: Single (you need an otherwise valid but revoked certificate)
ConfImpact: Partial
AvailImpact: None
IntegImpact: Partial

Comment 5 Mark J. Cox 2007-10-08 07:31:55 UTC
removing embargo.

Comment 6 Red Hat Product Security 2008-01-14 16:19:19 UTC
This issue was addressed in:

Red Hat Certificate System:
  http://rhn.redhat.com/errata/RHSA-2007-0934.html