Release Date | Errata Release | Bug Number | Description

(Continued from the previous page)
Description: [description continued from the previous page] LDAP search times.

Bug Number: 249229
Description: The default OCSP verification path has changed since Red Hat Certificate System 7.1. These updated packages add support for certificates that use the old AuthorityInfoAccess URL.

Bug Number: 254232, 330261
Description: If an agent automatically approved a certificate signing request (CSR) using AgentCertAuth, the issued certificate contained blank subjectAltName extension fields. A manual enrollment by the same agent produced a certificate with the correct number of subjectAltName fields, with no blank fields. This errata fixed automated enrollments using the AgentCertAuth profile so that the issued certificates do not have any blank fields.

Bug Number: 462143
Description: The initial authentication to a security domain failed during subsystem configuration.

Bug Number: 462145
Description: After its initial configuration, the TPS subsystem failed to restart.

Release Date: July 2, 2008
Errata Release: RHSA-2008:0577
Bug Number: 440356, 442963, 445227, 445231, CVE-2008-1676
Description: A flaw was found in the way Certificate System handled extensions in certificate signing requests (CSRs). All requested extensions were added to the issued certificate even if constraints were defined in the certificate authority (CA) profile. An attacker could submit a CSR for a subordinate CA certificate, even if the CA configuration prohibited subordinate CA certificates. This led to a bypass of the intended security policy, possibly simplifying man-in-the-middle attacks against users that trust Certificate System CAs.

Release Date: January 9, 2008
Errata Release: RHBA-2000:0035
Bug Number: 330261
Description: If an agent automatically approved a certificate signing request (CSR) using AgentCertAuth, the issued certificate contained blank subjectAltName extension fields. A manual enrollment by the same agent produced a certificate with the correct number of subjectAltName fields, with no blank fields. This errata fixed automated enrollments using the AgentCertAuth profile so that the issued certificates do not have any blank fields.

Release Date: October 8, 2008
Errata Release: RHSA-2007:0934
Bug Number: 224904, 243176, 243804, 243807, 304571 (CVE-2007-4994)
Description: When a new certificate revocation list (CRL) was being generated, new revocation requests were processed but not properly added to the CRL. This meant that certificates with higher serial numbers (i.e., more recent certificates) were not listed in the CRL and were not shown as revoked until the next CRL was generated.
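The CVE-2008-1676 row and the bug 330261 row both describe the same underlying mistake: extension data requested in a CSR was trusted as if the CA profile had produced it. The following Python model is an added example written for this page; it is not Red Hat Certificate System code, and the profile name, extension representation and helper names are hypothetical. It contrasts an issuing routine that copies every requested extension (the pre-fix behaviour) with one that treats profile-fixed extensions as authoritative, whitelists what a CSR may supply, and drops blank subjectAltName entries, and it adds an audit function a defender can run over already-issued certificates to find ones that contradict their profile.

```python
"""Added example (not Red Hat Certificate System code): a toy model of how a
CA profile should treat extensions requested in a CSR. Extension values are
simplified Python objects; profile and helper names are hypothetical."""
from dataclasses import dataclass, field


class ProfileViolation(Exception):
    """Raised when a CSR asks for something the profile does not allow."""


@dataclass
class Profile:
    """A CA profile: what it fixes itself and what it lets the CSR supply."""
    name: str
    # Extensions whose values come from the profile, never from the CSR.
    fixed: dict = field(default_factory=dict)
    # Extensions the CSR may request, mapped to a validator for the value.
    requestable: dict = field(default_factory=dict)


def issue_extensions_unconstrained(csr_exts, profile):
    """Pre-fix behaviour: every requested extension is copied into the
    certificate, and a CSR value silently overrides the profile's value."""
    issued = dict(profile.fixed)
    issued.update(csr_exts)
    return issued


def issue_extensions(csr_exts, profile):
    """Constrained behaviour: profile-fixed extensions are authoritative, only
    whitelisted extensions are taken from the CSR, and each of those is
    validated before use. Anything else is a policy violation."""
    issued = {}
    for name, value in csr_exts.items():
        if name in profile.fixed:
            raise ProfileViolation(
                f"{name} is set by profile '{profile.name}', not by the CSR")
        validator = profile.requestable.get(name)
        if validator is None:
            raise ProfileViolation(
                f"{name} is not permitted by profile '{profile.name}'")
        issued[name] = validator(value)
    issued.update(profile.fixed)
    return issued


def clean_san(names):
    """subjectAltName validator: drop blank entries instead of issuing a
    certificate with empty fields (the defect described for bug 330261)."""
    cleaned = [n.strip() for n in names if n and n.strip()]
    if not cleaned:
        raise ProfileViolation("subjectAltName contains no usable names")
    return cleaned


def audit_issued(issued_exts, profile):
    """Defender-side check over already-issued certificates: report every
    extension that contradicts the profile the certificate was issued under."""
    findings = []
    for name, expected in profile.fixed.items():
        if issued_exts.get(name) != expected:
            findings.append(
                f"{name}: expected {expected!r}, found {issued_exts.get(name)!r}")
    for name in issued_exts:
        if name not in profile.fixed and name not in profile.requestable:
            findings.append(f"{name}: not permitted by profile '{profile.name}'")
    return findings


# Hypothetical end-entity server profile: it must never yield a CA certificate.
SERVER_PROFILE = Profile(
    name="caServerCert",
    fixed={
        "basicConstraints": {"ca": False},
        "keyUsage": ["digitalSignature", "keyEncipherment"],
    },
    requestable={"subjectAltName": clean_san},
)

# Constructed CSR that asks for subordinate-CA powers and a SAN with blanks.
SUB_CA_CSR_EXTS = {
    "basicConstraints": {"ca": True},
    "keyUsage": ["keyCertSign", "cRLSign"],
    "subjectAltName": ["www.example.test", "", " "],
}


def demo():
    """Returns (unconstrained result, its audit findings, constrained result
    for a CSR that only requests a subjectAltName)."""
    leaked = issue_extensions_unconstrained(SUB_CA_CSR_EXTS, SERVER_PROFILE)
    findings = audit_issued(leaked, SERVER_PROFILE)
    good = issue_extensions({"subjectAltName": ["www.example.test", ""]},
                            SERVER_PROFILE)
    return leaked, findings, good


if __name__ == "__main__":
    leaked, findings, good = demo()
    print("unconstrained issued:", leaked)
    print("audit findings:", findings)
    print("constrained issued:", good)
```

The constrained routine refuses the sub-CA CSR outright rather than stripping the offending extensions, so an automated approver such as the AgentCertAuth path described above cannot turn a rejected request into a silently downgraded certificate. The audit function is the check to run against a CA's issued-certificate store after applying the errata: any certificate whose basicConstraints or keyUsage disagrees with its profile is a candidate for revocation.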
Release Notes