El-errata: ELSA-2021-0851 Important: Oracle Linux 7 pki-core security and bug fix update (aarch64)
Oracle Linux Security Advisory ELSA-2021-0851
http://linux.oracle.com/errata/ELSA-2021-0851.html
The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:
aarch64:
pki-base-10.5.18-12.el7_9.noarch.rpm
pki-base-java-10.5.18-12.el7_9.noarch.rpm
pki-ca-10.5.18-12.el7_9.noarch.rpm
pki-kra-10.5.18-12.el7_9.noarch.rpm
pki-server-10.5.18-12.el7_9.noarch.rpm
pki-symkey-10.5.18-12.el7_9.aarch64.rpm
pki-tools-10.5.18-12.el7_9.aarch64.rpm
pki-javadoc-10.5.18-12.el7_9.noarch.rpm
SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/pki-core-10.5.18-12.el7_9.src.rpm
Description of changes:
[10.5.18-12]
- Change variable 'TPS' to 'tps'
- ##########################################################################
- # RHEL 7.9:
- ##########################################################################
- Bugzilla Bug 1883639 - Add KRA Transport and Storage Certificates
profiles, audit for IPA (edewata)
- ##########################################################################
- # Backported CVEs (ascheel):
- ##########################################################################
- Bugzilla Bug 1724697 - CVE-2019-10180 pki-core: unsanitized token
parameters in TPS resulting in stored XSS [certificate_system_9-default]
(edewata, ascheel)
- Bugzilla Bug 1725128 - CVE-2019-10178 pki-core: stored Cross-site
scripting (XSS) in the pki-tps web Activity tab
[certificate_system_9-default] (edewata, ascheel)
- Bugzilla Bug 1791100 - CVE-2020-1696 pki-core: Stored XSS in TPS profile
creation [certificate_system_9-default] (edewata, ascheel)
- Bugzilla Bug 1724688 - CVE-2019-10146 pki-core: Reflected Cross-Site
Scripting in 'path length' constraint field in CA's Agent page
[rhel-7.9.z] (dmoluguw, ascheel)
- Bugzilla Bug 1789843 - CVE-2019-10221 pki-core: reflected cross site
scripting in getcookies?url= endpoint in CA [rhel-7.9.z]
(dmoluguw, ascheel)
- Bugzilla Bug 1724713 - CVE-2019-10179 pki-core: pki-core/pki-kra:
Reflected XSS in recoveryID search field at KRA's DRM agent page in
authorize recovery tab [rhel-7.9.z] (ascheel)
- Bugzilla Bug 1798011 - CVE-2020-1721 pki-core: KRA vulnerable to
reflected XSS via the getPk12 page [rhel-7.9.z] (ascheel,jmagne)
- ##########################################################################
- Update to jquery v3.4.1 (ascheel)
- Update to jquery-i18n-properties v1.2.7 (ascheel)
- Update to backbone v1.4.0 (ascheel)
- Upgrade to underscore v1.9.2 (ascheel)
- Update to patternfly v3.59.3 (ascheel)
- Update to jQuery v3.5.1 (ascheel)
- Upgrade to bootstrap v3.4.1 (ascheel)
- Link in new Bootstrap CSS file (ascheel)
- ##########################################################################
- # RHCS 9.7:
- ##########################################################################
- # Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme,
pki-core, and
[10.5.18-11]
- ##########################################################################
- # RHEL 7.9:
- ##########################################################################
- Bugzilla Bug 1883639 - Add KRA Transport and Storage Certificates
profiles, audit for IPA (edewata)
- ##########################################################################
- # Backported CVEs (ascheel):
- ##########################################################################
- Bugzilla Bug 1724697 - CVE-2019-10180 pki-core: unsanitized token
parameters in TPS resulting in stored XSS [certificate_system_9-default]
(edewata, ascheel)
- Bugzilla Bug 1725128 - CVE-2019-10178 pki-core: stored Cross-site
scripting (XSS) in the pki-tps web Activity tab
[certificate_system_9-default] (edewata, ascheel)
- Bugzilla Bug 1791100 - CVE-2020-1696 pki-core: Stored XSS in TPS profile
creation [certificate_system_9-default] (edewata, ascheel)
- Bugzilla Bug 1724688 - CVE-2019-10146 pki-core: Reflected Cross-Site
Scripting in 'path length' constraint field in CA's Agent page
[rhel-7.9.z] (dmoluguw, ascheel)
- Bugzilla Bug 1789843 - CVE-2019-10221 pki-core: reflected cross site
scripting in getcookies?url= endpoint in CA [rhel-7.9.z]
(dmoluguw, ascheel)
- Bugzilla Bug 1724713 - CVE-2019-10179 pki-core: pki-core/pki-kra:
Reflected XSS in recoveryID search field at KRA's DRM agent page in
authorize recovery tab [rhel-7.9.z] (ascheel)
- Bugzilla Bug 1798011 - CVE-2020-1721 pki-core: KRA vulnerable to
reflected XSS via the getPk12 page [rhel-7.9.z] (ascheel,jmagne)
- ##########################################################################
- Update to jquery v3.4.1 (ascheel)
- Update to jquery-i18n-properties v1.2.7 (ascheel)
- Update to backbone v1.4.0 (ascheel)
- Upgrade to underscore v1.9.2 (ascheel)
- Update to patternfly v3.59.3 (ascheel)
- Update to jQuery v3.5.1 (ascheel)
- Upgrade to bootstrap v3.4.1 (ascheel)
- Link in new Bootstrap CSS file (ascheel)
- ##########################################################################
- # RHCS 9.7:
- ##########################################################################
- # Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme,
pki-core, and
[10.5.18-10]
- Bugzilla Bug #1883639 - additional fix to upgrade script (edewata)
[10.5.18-9]
- Bugzilla Bug #1883639 - additional support on upgrade for audit
cert profile and auditProfileUpgrade + auditProfileUpgrade part 2 (cfu)
[10.5.18-8]
- ##########################################################################
- # RHEL 7.9:
- ##########################################################################
- Bugzilla Bug #1883639 - add profile caAuditSigningCert (cfu)
- ##########################################################################
- # RHCS 9.7:
- ##########################################################################
- # Bugzilla Bug #1710978 - TPS - Add logging to
tdbAddCertificatesForCUID if
- # Bugzilla Bug #1858860 - TPS - Update Error Codes returned to client
- # Bugzilla Bug #1858861 - TPS - Server side key generation is not working
- # Bugzilla Bug #1858867 - TPS does not check token cuid on the user
A pki-core security and bug fix update (aarch64) has been released for Oracle Linux 7.