ELBA-2015-1379

ELBA-2015-1379 - certmonger bug fix and enhancement update

Type: BUG
Impact: NA
Release Date: 2015-07-28

Description


[0.77.5-1]
- pass to enrollment helpers if the signing request
includes IP address subjectAltName values
- correctly verify signatures on SCEP server replies when the signer is neither
the top-level CA nor the RA (feedback in #1161768)
- correctly verify signatures on SCEP server replies when there is more than
one certificate in the chain between the RA and the top-level CA (feedback in

[0.77.4-1]
- don't display PINs in 'getcert list' output (ticket #42, #1222595)
- clean up launching of a private instance in 'getcert'
- expand on the don't-delete-private-key fix from 0.77.3 by letting NSS's
own safety checks have an effect
- backport record-keeping of key generation dates and counts of how many
times we've gotten certificates using a given key pair

[0.77.3-1]
- fix a data loss bug when saving renewed certificates to NSS databases - the
private key could be removed in error since 0.77
- fixes for bugs found by static analysis
- fix self-tests when built with OpenSSL 1.0.2

[0.77.2-1]
- expose the certificate's not-valid-before and not-valid-after dates as a
property over D-Bus (ticket #41)
- give the local signer its own configuration option to set the lifetime
of its signing certificate, falling back to the lifetime configured for
the self-signer as a default to match the previous behavior
- fix a potential read segfault parsing the output of an enrollment helper,
introduced in 0.77 (thanks to Steve Neuharth)
- read the ns-certtype extension value in certificates
- request an enrollment certtype extension to CSRs if we have a profile name
that we want to use (ticket #17, possibly part of IPA ticket #57)

[0.77.1-1]
- update to 0.77
- add initial, still rough, SCEP support (#1140241,#1161768)
- add an scep-submit helper to handle part of it
- getcert: add add-ca/add-scep-ca/modify-ca/remove-ca commands
- getcert: add -l, -L flags to request/resubmit/start-tracking commands
to provide a way to set a ChallengePassword in signing requests
- lay some groundwork for rekeying support
- bundled dogtag enrollment helpers now output debugging info to stderr (#)
- ipa-getcert: fix a crash when using DNS discovery to locate servers (#39)
- getcert: fix displaying of pre-request pre-/post-save commands (#1178190,
- use Zanata for translations
- getcert list: list the certificate's profile name, if it contains one

[0.76.8-1]
- dogtag-submit: accept additional options to pass to the server when
approving requests using agent creds (#1165155, patch by Jan Cholasta)
- getcert: print help output when 'status' isn't given any args (#1163541)

[0.76.7-1]
- correctly read CA not-valid-after dates on 32-bit machines (also reported by
Natxo Asenjo), so that we don't spin on polling them (#1163023)

[0.76.6-1]
- don't discard the priority value in DNS SRV records

[0.76.5-1]
- avoid premature exit on CA data analysis failures (should fix an issue
reported by Natxo Asenjo)

[0.76.4-1]
- fix a failure in self-tests

[0.76.3-1]
- fixes for bugs found by static analysis
- handle IDN correctly when doing service location using SRV records
- documentation updates

* Wed Nov 05 2014 Nalin Dahyabhai
- rework the state machine so that we save an issued certificate's associated
CA certificates, then re-read the certificate, then run the post hook and
issue notifications, in that order, instead of saving CA certificates after
running the post hook, which was always a surprising order (#1131700)
- add a generic dogtag-submit helper that doesn't include any IPA defaults,
to make it easier to know the difference between parameters it requires
and parameters which are optional (#12)

[0.76.2-1]
- ipa-submit: when we fail to locate/contact LDAP or XML-RPC servers,
use discovery to find them (#1136900)

[0.76.1-1]
- allow for 'certmonger -P abstract:...' to work, too

[0.76-1]
- require a single certificate to be specified to 'getcert status' (#1148001,
- shorten the default help message which getcert prints when it's not given
a specific command (#1131704)
- add private listener (-l, -L, -P) mode to certmonger, to allow it to listen
for connections directly from clients running under the same UID
- add a command mode (-c) to certmonger, in which once it's started, it
launches a specified command, and after that command exits, the daemon exits
- when getcert is invoked with no bus running, if it's running as root, run
certmonger in private listener mode with the same invocation of getcert as
the command to start and wait for (#1134497)

[0.75.14-1]
- make pathname canonicalization slightly smarter, to handle '..' in
locations (#1131758)
- updates to self-tests (#1144082)

[0.75.13-2]
- Rebuild for rpm bug 1131960




Updated Packages


| Release/Architecture | Filename | sha256 | Superseded By Advisory | Channel Label |
|---|---|---|---|---|
| Oracle Linux 6 (i386) | certmonger-0.77.5-1.el6.src.rpm | 27d3e827480bcf4d97d6a4e68ab32245c73f8268f42693d1e1f84b4ba2a893dc | ELBA-2017-0663 | ol6_i386_latest_archive |
| | certmonger-0.77.5-1.el6.src.rpm | 27d3e827480bcf4d97d6a4e68ab32245c73f8268f42693d1e1f84b4ba2a893dc | ELBA-2017-0663 | ol6_u7_i386_base |
| | certmonger-0.77.5-1.el6.i686.rpm | ebef5b519c725fa37bba0354fe23d3d69366c68a7f35b03be86077c93ffc2afa | ELBA-2017-0663 | ol6_i386_latest_archive |
| | certmonger-0.77.5-1.el6.i686.rpm | ebef5b519c725fa37bba0354fe23d3d69366c68a7f35b03be86077c93ffc2afa | ELBA-2017-0663 | ol6_u7_i386_base |
| Oracle Linux 6 (x86_64) | certmonger-0.77.5-1.el6.src.rpm | 27d3e827480bcf4d97d6a4e68ab32245c73f8268f42693d1e1f84b4ba2a893dc | ELBA-2017-0663 | ol6_u7_x86_64_base |
| | certmonger-0.77.5-1.el6.src.rpm | 27d3e827480bcf4d97d6a4e68ab32245c73f8268f42693d1e1f84b4ba2a893dc | ELBA-2017-0663 | ol6_x86_64_latest_archive |
| | certmonger-0.77.5-1.el6.x86_64.rpm | e726fcc35fa93a73709b3098a9862ba104c22c64839922eb07c328aeab38d821 | ELBA-2017-0663 | ol6_u7_x86_64_base |
| | certmonger-0.77.5-1.el6.x86_64.rpm | e726fcc35fa93a73709b3098a9862ba104c22c64839922eb07c328aeab38d821 | ELBA-2017-0663 | ol6_x86_64_latest_archive |



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team