ELSA-2021-0851
- ULN >
- Oracle Linux Errata repository >
- ELSA-2021-0851
ELSA-2021-0851 - pki-core security and bug fix update
| Type: | SECURITY |
| Severity: | IMPORTANT |
| Release Date: | 2021-03-17 |
Description
[10.5.18-12]
- Change variable 'TPS' to 'tps'
- ##########################################################################
- # RHEL 7.9:
- ##########################################################################
- Bugzilla Bug 1883639 - Add KRA Transport and Storage Certificates
profiles, audit for IPA (edewata)
- ##########################################################################
- # Backported CVEs (ascheel):
- ##########################################################################
- Bugzilla Bug 1724697 - CVE-2019-10180 pki-core: unsanitized token
parameters in TPS resulting in stored XSS [certificate_system_9-default]
(edewata, ascheel)
- Bugzilla Bug 1725128 - CVE-2019-10178 pki-core: stored Cross-site
scripting (XSS) in the pki-tps web Activity tab
[certificate_system_9-default] (edewata, ascheel)
- Bugzilla Bug 1791100 - CVE-2020-1696 pki-core: Stored XSS in TPS profile
creation [certificate_system_9-default] (edewata, ascheel)
- Bugzilla Bug 1724688 - CVE-2019-10146 pki-core: Reflected Cross-Site
Scripting in 'path length' constraint field in CA's Agent page
[rhel-7.9.z] (dmoluguw, ascheel)
- Bugzilla Bug 1789843 - CVE-2019-10221 pki-core: reflected cross site
scripting in getcookies?url= endpoint in CA [rhel-7.9.z]
(dmoluguw, ascheel)
- Bugzilla Bug 1724713 - CVE-2019-10179 pki-core: pki-core/pki-kra:
Reflected XSS in recoveryID search field at KRA's DRM agent page in
authorize recovery tab [rhel-7.9.z] (ascheel)
- Bugzilla Bug 1798011 - CVE-2020-1721 pki-core: KRA vulnerable to
reflected XSS via the getPk12 page [rhel-7.9.z] (ascheel,jmagne)
- ##########################################################################
- Update to jquery v3.4.1 (ascheel)
- Update to jquery-i18n-properties v1.2.7 (ascheel)
- Update to backbone v1.4.0 (ascheel)
- Upgrade to underscore v1.9.2 (ascheel)
- Update to patternfly v3.59.3 (ascheel)
- Update to jQuery v3.5.1 (ascheel)
- Upgrade to bootstrap v3.4.1 (ascheel)
- Link in new Bootstrap CSS file (ascheel)
- ##########################################################################
- # RHCS 9.7:
- ##########################################################################
- # Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
[10.5.18-11]
- ##########################################################################
- # RHEL 7.9:
- ##########################################################################
- Bugzilla Bug 1883639 - Add KRA Transport and Storage Certificates
profiles, audit for IPA (edewata)
- ##########################################################################
- # Backported CVEs (ascheel):
- ##########################################################################
- Bugzilla Bug 1724697 - CVE-2019-10180 pki-core: unsanitized token
parameters in TPS resulting in stored XSS [certificate_system_9-default]
(edewata, ascheel)
- Bugzilla Bug 1725128 - CVE-2019-10178 pki-core: stored Cross-site
scripting (XSS) in the pki-tps web Activity tab
[certificate_system_9-default] (edewata, ascheel)
- Bugzilla Bug 1791100 - CVE-2020-1696 pki-core: Stored XSS in TPS profile
creation [certificate_system_9-default] (edewata, ascheel)
- Bugzilla Bug 1724688 - CVE-2019-10146 pki-core: Reflected Cross-Site
Scripting in 'path length' constraint field in CA's Agent page
[rhel-7.9.z] (dmoluguw, ascheel)
- Bugzilla Bug 1789843 - CVE-2019-10221 pki-core: reflected cross site
scripting in getcookies?url= endpoint in CA [rhel-7.9.z]
(dmoluguw, ascheel)
- Bugzilla Bug 1724713 - CVE-2019-10179 pki-core: pki-core/pki-kra:
Reflected XSS in recoveryID search field at KRA's DRM agent page in
authorize recovery tab [rhel-7.9.z] (ascheel)
- Bugzilla Bug 1798011 - CVE-2020-1721 pki-core: KRA vulnerable to
reflected XSS via the getPk12 page [rhel-7.9.z] (ascheel,jmagne)
- ##########################################################################
- Update to jquery v3.4.1 (ascheel)
- Update to jquery-i18n-properties v1.2.7 (ascheel)
- Update to backbone v1.4.0 (ascheel)
- Upgrade to underscore v1.9.2 (ascheel)
- Update to patternfly v3.59.3 (ascheel)
- Update to jQuery v3.5.1 (ascheel)
- Upgrade to bootstrap v3.4.1 (ascheel)
- Link in new Bootstrap CSS file (ascheel)
- ##########################################################################
- # RHCS 9.7:
- ##########################################################################
- # Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
[10.5.18-10]
- Bugzilla Bug #1883639 - additional fix to upgrade script (edewata)
[10.5.18-9]
- Bugzilla Bug #1883639 - additional support on upgrade for audit
cert profile and auditProfileUpgrade + auditProfileUpgrade part 2 (cfu)
[10.5.18-8]
- ##########################################################################
- # RHEL 7.9:
- ##########################################################################
- Bugzilla Bug #1883639 - add profile caAuditSigningCert (cfu)
- ##########################################################################
- # RHCS 9.7:
- ##########################################################################
- # Bugzilla Bug #1710978 - TPS - Add logging to tdbAddCertificatesForCUID if
- # Bugzilla Bug #1858860 - TPS - Update Error Codes returned to client
- # Bugzilla Bug #1858861 - TPS - Server side key generation is not working
- # Bugzilla Bug #1858867 - TPS does not check token cuid on the user
Related CVEs
| CVE-2019-10146 |
| CVE-2019-10179 |
| CVE-2019-10221 |
| CVE-2020-1721 |
| CVE-2020-25715 |
| CVE-2021-20179 |
Updated Packages
| Release/Architecture | Filename | MD5sum | Superseded By Advisory |
| Oracle Linux 7 (aarch64) | pki-core-10.5.18-12.el7_9.src.rpm | d9ccc8ecfc4e6e5849e9ade5be97dc96 | - |
| pki-base-10.5.18-12.el7_9.noarch.rpm | 8088fd5d37a7eb7ba0a5bb157a15f98f | - | |
| pki-base-java-10.5.18-12.el7_9.noarch.rpm | f7e0c171ca7d92e67b9b1c7e9ca1479d | - | |
| pki-ca-10.5.18-12.el7_9.noarch.rpm | 26ec1bb0208b773021ff9f194b8be3d6 | - | |
| pki-javadoc-10.5.18-12.el7_9.noarch.rpm | 2a2017f1d64d8a81187d15743e9b38e4 | - | |
| pki-kra-10.5.18-12.el7_9.noarch.rpm | d891569f67d1f865591a4ece12c9e099 | - | |
| pki-server-10.5.18-12.el7_9.noarch.rpm | 8af7fae4ee923837515e28a7f7dd3317 | - | |
| pki-symkey-10.5.18-12.el7_9.aarch64.rpm | 7a0097247c012dcffd8b7361482f323b | - | |
| pki-tools-10.5.18-12.el7_9.aarch64.rpm | 01087ea36c62d2ab37cfe8b37c0f95cf | - | |
| Oracle Linux 7 (x86_64) | pki-core-10.5.18-12.el7_9.src.rpm | d9ccc8ecfc4e6e5849e9ade5be97dc96 | - |
| pki-base-10.5.18-12.el7_9.noarch.rpm | 8088fd5d37a7eb7ba0a5bb157a15f98f | - | |
| pki-base-java-10.5.18-12.el7_9.noarch.rpm | f7e0c171ca7d92e67b9b1c7e9ca1479d | - | |
| pki-ca-10.5.18-12.el7_9.noarch.rpm | 26ec1bb0208b773021ff9f194b8be3d6 | - | |
| pki-javadoc-10.5.18-12.el7_9.noarch.rpm | 2a2017f1d64d8a81187d15743e9b38e4 | - | |
| pki-kra-10.5.18-12.el7_9.noarch.rpm | d891569f67d1f865591a4ece12c9e099 | - | |
| pki-server-10.5.18-12.el7_9.noarch.rpm | 8af7fae4ee923837515e28a7f7dd3317 | - | |
| pki-symkey-10.5.18-12.el7_9.x86_64.rpm | a147ed3f3fe59b6f28ee7f7031a030db | - | |
| pki-tools-10.5.18-12.el7_9.x86_64.rpm | 65569212c53bb8246be78a21ca362595 | - | |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team
