ELSA-2021-0851

ELSA-2021-0851 - pki-core security and bug fix update

Type: SECURITY
Severity: IMPORTANT
Release Date: 2021-03-17

Description


[10.5.18-12]
- Change variable 'TPS' to 'tps'
- ##########################################################################
- # RHEL 7.9:
- ##########################################################################
- Bugzilla Bug 1883639 - Add KRA Transport and Storage Certificates profiles, audit for IPA (edewata)
- ##########################################################################
- # Backported CVEs (ascheel):
- ##########################################################################
- Bugzilla Bug 1724697 - CVE-2019-10180 pki-core: unsanitized token parameters in TPS resulting in stored XSS [certificate_system_9-default] (edewata, ascheel)
- Bugzilla Bug 1725128 - CVE-2019-10178 pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab [certificate_system_9-default] (edewata, ascheel)
- Bugzilla Bug 1791100 - CVE-2020-1696 pki-core: Stored XSS in TPS profile creation [certificate_system_9-default] (edewata, ascheel)
- Bugzilla Bug 1724688 - CVE-2019-10146 pki-core: Reflected Cross-Site Scripting in 'path length' constraint field in CA's Agent page [rhel-7.9.z] (dmoluguw, ascheel)
- Bugzilla Bug 1789843 - CVE-2019-10221 pki-core: reflected cross site scripting in getcookies?url= endpoint in CA [rhel-7.9.z] (dmoluguw, ascheel)
- Bugzilla Bug 1724713 - CVE-2019-10179 pki-core: pki-core/pki-kra: Reflected XSS in recoveryID search field at KRA's DRM agent page in authorize recovery tab [rhel-7.9.z] (ascheel)
- Bugzilla Bug 1798011 - CVE-2020-1721 pki-core: KRA vulnerable to reflected XSS via the getPk12 page [rhel-7.9.z] (ascheel, jmagne)
- ##########################################################################
- Update to jquery v3.4.1 (ascheel)
- Update to jquery-i18n-properties v1.2.7 (ascheel)
- Update to backbone v1.4.0 (ascheel)
- Upgrade to underscore v1.9.2 (ascheel)
- Update to patternfly v3.59.3 (ascheel)
- Update to jQuery v3.5.1 (ascheel)
- Upgrade to bootstrap v3.4.1 (ascheel)
- Link in new Bootstrap CSS file (ascheel)
- ##########################################################################
- # RHCS 9.7:
- ##########################################################################
- # Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme, pki-core, and

[10.5.18-11]
- ##########################################################################
- # RHEL 7.9:
- ##########################################################################
- Bugzilla Bug 1883639 - Add KRA Transport and Storage Certificates profiles, audit for IPA (edewata)
- ##########################################################################
- # Backported CVEs (ascheel):
- ##########################################################################
- Bugzilla Bug 1724697 - CVE-2019-10180 pki-core: unsanitized token parameters in TPS resulting in stored XSS [certificate_system_9-default] (edewata, ascheel)
- Bugzilla Bug 1725128 - CVE-2019-10178 pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab [certificate_system_9-default] (edewata, ascheel)
- Bugzilla Bug 1791100 - CVE-2020-1696 pki-core: Stored XSS in TPS profile creation [certificate_system_9-default] (edewata, ascheel)
- Bugzilla Bug 1724688 - CVE-2019-10146 pki-core: Reflected Cross-Site Scripting in 'path length' constraint field in CA's Agent page [rhel-7.9.z] (dmoluguw, ascheel)
- Bugzilla Bug 1789843 - CVE-2019-10221 pki-core: reflected cross site scripting in getcookies?url= endpoint in CA [rhel-7.9.z] (dmoluguw, ascheel)
- Bugzilla Bug 1724713 - CVE-2019-10179 pki-core: pki-core/pki-kra: Reflected XSS in recoveryID search field at KRA's DRM agent page in authorize recovery tab [rhel-7.9.z] (ascheel)
- Bugzilla Bug 1798011 - CVE-2020-1721 pki-core: KRA vulnerable to reflected XSS via the getPk12 page [rhel-7.9.z] (ascheel, jmagne)
- ##########################################################################
- Update to jquery v3.4.1 (ascheel)
- Update to jquery-i18n-properties v1.2.7 (ascheel)
- Update to backbone v1.4.0 (ascheel)
- Upgrade to underscore v1.9.2 (ascheel)
- Update to patternfly v3.59.3 (ascheel)
- Update to jQuery v3.5.1 (ascheel)
- Upgrade to bootstrap v3.4.1 (ascheel)
- Link in new Bootstrap CSS file (ascheel)
- ##########################################################################
- # RHCS 9.7:
- ##########################################################################
- # Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme, pki-core, and

[10.5.18-10]
- Bugzilla Bug #1883639 - additional fix to upgrade script (edewata)

[10.5.18-9]
- Bugzilla Bug #1883639 - additional support on upgrade for audit cert profile and auditProfileUpgrade + auditProfileUpgrade part 2 (cfu)

[10.5.18-8]
- ##########################################################################
- # RHEL 7.9:
- ##########################################################################
- Bugzilla Bug #1883639 - add profile caAuditSigningCert (cfu)
- ##########################################################################
- # RHCS 9.7:
- ##########################################################################
- # Bugzilla Bug #1710978 - TPS - Add logging to tdbAddCertificatesForCUID if
- # Bugzilla Bug #1858860 - TPS - Update Error Codes returned to client
- # Bugzilla Bug #1858861 - TPS - Server side key generation is not working
- # Bugzilla Bug #1858867 - TPS does not check token cuid on the user


Related CVEs


CVE-2019-10146
CVE-2019-10179
CVE-2019-10221
CVE-2020-1721
CVE-2020-25715
CVE-2021-20179

Updated Packages


Release/Architecture      Filename                                  MD5sum                            Superseded By Advisory
Oracle Linux 7 (aarch64)  pki-core-10.5.18-12.el7_9.src.rpm         d9ccc8ecfc4e6e5849e9ade5be97dc96  -
                          pki-base-10.5.18-12.el7_9.noarch.rpm      8088fd5d37a7eb7ba0a5bb157a15f98f  -
                          pki-base-java-10.5.18-12.el7_9.noarch.rpm f7e0c171ca7d92e67b9b1c7e9ca1479d  -
                          pki-ca-10.5.18-12.el7_9.noarch.rpm        26ec1bb0208b773021ff9f194b8be3d6  -
                          pki-javadoc-10.5.18-12.el7_9.noarch.rpm   2a2017f1d64d8a81187d15743e9b38e4  -
                          pki-kra-10.5.18-12.el7_9.noarch.rpm       d891569f67d1f865591a4ece12c9e099  -
                          pki-server-10.5.18-12.el7_9.noarch.rpm    8af7fae4ee923837515e28a7f7dd3317  -
                          pki-symkey-10.5.18-12.el7_9.aarch64.rpm   7a0097247c012dcffd8b7361482f323b  -
                          pki-tools-10.5.18-12.el7_9.aarch64.rpm    01087ea36c62d2ab37cfe8b37c0f95cf  -
Oracle Linux 7 (x86_64)   pki-core-10.5.18-12.el7_9.src.rpm         d9ccc8ecfc4e6e5849e9ade5be97dc96  -
                          pki-base-10.5.18-12.el7_9.noarch.rpm      8088fd5d37a7eb7ba0a5bb157a15f98f  -
                          pki-base-java-10.5.18-12.el7_9.noarch.rpm f7e0c171ca7d92e67b9b1c7e9ca1479d  -
                          pki-ca-10.5.18-12.el7_9.noarch.rpm        26ec1bb0208b773021ff9f194b8be3d6  -
                          pki-javadoc-10.5.18-12.el7_9.noarch.rpm   2a2017f1d64d8a81187d15743e9b38e4  -
                          pki-kra-10.5.18-12.el7_9.noarch.rpm       d891569f67d1f865591a4ece12c9e099  -
                          pki-server-10.5.18-12.el7_9.noarch.rpm    8af7fae4ee923837515e28a7f7dd3317  -
                          pki-symkey-10.5.18-12.el7_9.x86_64.rpm    a147ed3f3fe59b6f28ee7f7031a030db  -
                          pki-tools-10.5.18-12.el7_9.x86_64.rpm     65569212c53bb8246be78a21ca362595  -



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team