A pki-core:10.6 security update has been released for Rocky Linux 8.
RLSA-2021:2235 Important: pki-core:10.6 security update
Name:
RLSA-2021:2235
Synopsis:
Important: pki-core:10.6 security update
Severity:
Important
Topic:
An update for the pki-core:10.6 module is now available for Rocky Linux 8.
Rocky Linux Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description:
The Public Key Infrastructure (PKI) Core contains fundamental packages required by Rocky Linux Certificate System.
The PKI installer "pkispawn" logs admin credentials into a
world-readable log file. It also looks like the installer is passing the
password as an insecure command line argument. The credentials are the
389-DS LDAP server's Directory Manager credentials. The Directory
Manager is 389-DS' equivalent of unrestricted root account. The user
bypasses permission checks and grants full access to data. In an IdM /
FreeIPA installation the DM user is able to read and manipulate Kerberos
KDC master password, Kerberos keytabs, hashed user passwords, and more.
Any and all IdM and FreeIPA installations with PKI 10.10 should be
considered compromised.
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected products:Publish date:
- Rocky Linux 8
2021-07-22
RPMS:
- jss-4.8.1-2.module+el8.4.0+418+b7ae1d4a.aarch64.rpm
- jss-4.8.1-2.module+el8.4.0+418+b7ae1d4a.src.rpm
- jss-4.8.1-2.module+el8.4.0+418+b7ae1d4a.x86_64.rpm
- jss-debuginfo-4.8.1-2.module+el8.4.0+418+b7ae1d4a.aarch64.rpm
- jss-debuginfo-4.8.1-2.module+el8.4.0+418+b7ae1d4a.x86_64.rpm
- jss-debugsource-4.8.1-2.module+el8.4.0+418+b7ae1d4a.aarch64.rpm
- jss-debugsource-4.8.1-2.module+el8.4.0+418+b7ae1d4a.x86_64.rpm
- jss-javadoc-4.8.1-2.module+el8.4.0+418+b7ae1d4a.aarch64.rpm
- jss-javadoc-4.8.1-2.module+el8.4.0+418+b7ae1d4a.x86_64.rpm
- ldapjdk-4.22.0-1.module+el8.4.0+418+b7ae1d4a.noarch.rpm
- ldapjdk-4.22.0-1.module+el8.4.0+418+b7ae1d4a.src.rpm
- ldapjdk-javadoc-4.22.0-1.module+el8.4.0+418+b7ae1d4a.noarch.rpm
- pki-acme-10.10.5-3.module+el8.4.0+554+92b527a1.noarch.rpm
- pki-base-10.10.5-3.module+el8.4.0+554+92b527a1.noarch.rpm
- pki-base-java-10.10.5-3.module+el8.4.0+554+92b527a1.noarch.rpm
- pki-ca-10.10.5-3.module+el8.4.0+554+92b527a1.noarch.rpm
- pki-core-10.10.5-3.module+el8.4.0+554+92b527a1.src.rpm
- pki-core-debuginfo-10.10.5-3.module+el8.4.0+554+92b527a1.aarch64.rpm
- pki-core-debuginfo-10.10.5-3.module+el8.4.0+554+92b527a1.x86_64.rpm
- pki-core-debugsource-10.10.5-3.module+el8.4.0+554+92b527a1.aarch64.rpm
- pki-core-debugsource-10.10.5-3.module+el8.4.0+554+92b527a1.x86_64.rpm
- pki-kra-10.10.5-3.module+el8.4.0+554+92b527a1.noarch.rpm
- pki-server-10.10.5-3.module+el8.4.0+554+92b527a1.noarch.rpm
- pki-symkey-10.10.5-3.module+el8.4.0+554+92b527a1.aarch64.rpm
- pki-symkey-10.10.5-3.module+el8.4.0+554+92b527a1.x86_64.rpm
- pki-symkey-debuginfo-10.10.5-3.module+el8.4.0+554+92b527a1.aarch64.rpm
- pki-symkey-debuginfo-10.10.5-3.module+el8.4.0+554+92b527a1.x86_64.rpm
- pki-tools-10.10.5-3.module+el8.4.0+554+92b527a1.aarch64.rpm
- pki-tools-10.10.5-3.module+el8.4.0+554+92b527a1.x86_64.rpm
- pki-tools-debuginfo-10.10.5-3.module+el8.4.0+554+92b527a1.aarch64.rpm
- pki-tools-debuginfo-10.10.5-3.module+el8.4.0+554+92b527a1.x86_64.rpm
- python3-pki-10.10.5-3.module+el8.4.0+554+92b527a1.noarch.rpm
- tomcatjss-7.6.1-1.module+el8.4.0+418+b7ae1d4a.noarch.rpm
- tomcatjss-7.6.1-1.module+el8.4.0+418+b7ae1d4a.src.rpm
