
ELSA-2021-0851

Published: 17 Mar 2021
Source: oracle-oval
Platform: Oracle Linux 7

Description

ELSA-2021-0851: pki-core security and bug fix update (IMPORTANT)

[10.5.18-12]

  • Change variable 'TPS' to 'tps'

  RHEL 7.9:
  • Bugzilla Bug 1883639 - Add KRA Transport and Storage Certificates profiles, audit for IPA (edewata)

  Backported CVEs (ascheel):
  • Bugzilla Bug 1724697 - CVE-2019-10180 pki-core: unsanitized token parameters in TPS resulting in stored XSS [certificate_system_9-default] (edewata, ascheel)
  • Bugzilla Bug 1725128 - CVE-2019-10178 pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab [certificate_system_9-default] (edewata, ascheel)
  • Bugzilla Bug 1791100 - CVE-2020-1696 pki-core: Stored XSS in TPS profile creation [certificate_system_9-default] (edewata, ascheel)
  • Bugzilla Bug 1724688 - CVE-2019-10146 pki-core: Reflected Cross-Site Scripting in 'path length' constraint field in CA's Agent page [rhel-7.9.z] (dmoluguw, ascheel)
  • Bugzilla Bug 1789843 - CVE-2019-10221 pki-core: reflected cross site scripting in getcookies?url= endpoint in CA [rhel-7.9.z] (dmoluguw, ascheel)
  • Bugzilla Bug 1724713 - CVE-2019-10179 pki-core: pki-core/pki-kra: Reflected XSS in recoveryID search field at KRA's DRM agent page in authorize recovery tab [rhel-7.9.z] (ascheel)
  • Bugzilla Bug 1798011 - CVE-2020-1721 pki-core: KRA vulnerable to reflected XSS via the getPk12 page [rhel-7.9.z] (ascheel, jmagne)

  • Update to jquery v3.4.1 (ascheel)
  • Update to jquery-i18n-properties v1.2.7 (ascheel)
  • Update to backbone v1.4.0 (ascheel)
  • Upgrade to underscore v1.9.2 (ascheel)
  • Update to patternfly v3.59.3 (ascheel)
  • Update to jQuery v3.5.1 (ascheel)
  • Upgrade to bootstrap v3.4.1 (ascheel)
  • Link in new Bootstrap CSS file (ascheel)

  RHCS 9.7:
  • Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme, pki-core, and

[10.5.18-11]

  RHEL 7.9:
  • Bugzilla Bug 1883639 - Add KRA Transport and Storage Certificates profiles, audit for IPA (edewata)

  Backported CVEs (ascheel):
  • Bugzilla Bug 1724697 - CVE-2019-10180 pki-core: unsanitized token parameters in TPS resulting in stored XSS [certificate_system_9-default] (edewata, ascheel)
  • Bugzilla Bug 1725128 - CVE-2019-10178 pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab [certificate_system_9-default] (edewata, ascheel)
  • Bugzilla Bug 1791100 - CVE-2020-1696 pki-core: Stored XSS in TPS profile creation [certificate_system_9-default] (edewata, ascheel)
  • Bugzilla Bug 1724688 - CVE-2019-10146 pki-core: Reflected Cross-Site Scripting in 'path length' constraint field in CA's Agent page [rhel-7.9.z] (dmoluguw, ascheel)
  • Bugzilla Bug 1789843 - CVE-2019-10221 pki-core: reflected cross site scripting in getcookies?url= endpoint in CA [rhel-7.9.z] (dmoluguw, ascheel)
  • Bugzilla Bug 1724713 - CVE-2019-10179 pki-core: pki-core/pki-kra: Reflected XSS in recoveryID search field at KRA's DRM agent page in authorize recovery tab [rhel-7.9.z] (ascheel)
  • Bugzilla Bug 1798011 - CVE-2020-1721 pki-core: KRA vulnerable to reflected XSS via the getPk12 page [rhel-7.9.z] (ascheel, jmagne)

  • Update to jquery v3.4.1 (ascheel)
  • Update to jquery-i18n-properties v1.2.7 (ascheel)
  • Update to backbone v1.4.0 (ascheel)
  • Upgrade to underscore v1.9.2 (ascheel)
  • Update to patternfly v3.59.3 (ascheel)
  • Update to jQuery v3.5.1 (ascheel)
  • Upgrade to bootstrap v3.4.1 (ascheel)
  • Link in new Bootstrap CSS file (ascheel)

  RHCS 9.7:
  • Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme, pki-core, and

[10.5.18-10]

  • Bugzilla Bug #1883639 - additional fix to upgrade script (edewata)

[10.5.18-9]

  • Bugzilla Bug #1883639 - additional support on upgrade for audit cert profile and auditProfileUpgrade + auditProfileUpgrade part 2 (cfu)

[10.5.18-8]

  RHEL 7.9:
  • Bugzilla Bug #1883639 - add profile caAuditSigningCert (cfu)

  RHCS 9.7:
  • Bugzilla Bug #1710978 - TPS - Add logging to tdbAddCertificatesForCUID if
  • Bugzilla Bug #1858860 - TPS - Update Error Codes returned to client
  • Bugzilla Bug #1858861 - TPS - Server side key generation is not working
  • Bugzilla Bug #1858867 - TPS does not check token cuid on the user

Updated packages

Oracle Linux 7

Oracle Linux aarch64
  pki-base        10.5.18-12.el7_9
  pki-base-java   10.5.18-12.el7_9
  pki-ca          10.5.18-12.el7_9
  pki-javadoc     10.5.18-12.el7_9
  pki-kra         10.5.18-12.el7_9
  pki-server      10.5.18-12.el7_9
  pki-symkey      10.5.18-12.el7_9
  pki-tools       10.5.18-12.el7_9

Oracle Linux x86_64
  pki-base        10.5.18-12.el7_9
  pki-base-java   10.5.18-12.el7_9
  pki-ca          10.5.18-12.el7_9
  pki-javadoc     10.5.18-12.el7_9
  pki-kra         10.5.18-12.el7_9
  pki-server      10.5.18-12.el7_9
  pki-symkey      10.5.18-12.el7_9
  pki-tools       10.5.18-12.el7_9
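Added example, not code from the advisory, from Oracle or from the pki-core project: a Python check that reads `rpm -qa` (or falls back to a constructed sample when rpm is not present) and flags any of the packages listed above that are still below 10.5.18-12.el7_9. It reimplements rpm's version/release label comparison so it runs without the rpm Python bindings; the package names and fixed build come from this advisory, the sample output is constructed.

```python
"""Flag pki-core packages still below the ELSA-2021-0851 build (10.5.18-12.el7_9).

Added example; not code from the advisory, Oracle or the pki-core project.
It reimplements rpm's label comparison (rpmvercmp, without the '^' caret rule)
so that it runs without the rpm Python bindings. The `rpm -qa` sample below
is constructed for illustration.
"""
import re
import subprocess

FIXED_VERSION = "10.5.18"
FIXED_RELEASE = "12.el7_9"
# Package names from the advisory's "Updated packages" section.
AFFECTED = {"pki-base", "pki-base-java", "pki-ca", "pki-javadoc",
            "pki-kra", "pki-server", "pki-symkey", "pki-tools"}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")   # rpm skips all other separators
_NVRA = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing a and b the way rpm compares labels."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    while sa or sb:
        if not sa or not sb:
            # '~' sorts before everything, even the end of the string (pre-releases)
            if sa and sa[0] == "~":
                return -1
            if sb and sb[0] == "~":
                return 1
            return 1 if sa else -1            # the label with segments left is newer
        x, y = sa.pop(0), sb.pop(0)
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        if x.isdigit():
            xi, yi = int(x), int(y)           # int() drops leading zeros like rpm
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1         # plain strcmp on alpha segments
    return 0


def parse_nvra(line: str):
    """Split 'name-version-release.arch' as printed by `rpm -qa`; None if not NVRA."""
    m = _NVRA.match(line.strip())
    return m.groupdict() if m else None


def is_fixed(version: str, release: str) -> bool:
    """True when version-release is at or above the advisory's fixed build."""
    c = rpmvercmp(version, FIXED_VERSION)
    if c != 0:
        return c > 0
    return rpmvercmp(release, FIXED_RELEASE) >= 0


def find_vulnerable(rpm_qa_lines):
    """Return the affected NVRA strings that are older than the fixed build."""
    vulnerable = []
    for line in rpm_qa_lines:
        p = parse_nvra(line)
        if p and p["name"] in AFFECTED and not is_fixed(p["version"], p["release"]):
            vulnerable.append(line.strip())
    return vulnerable


# Constructed sample of `rpm -qa` output: two packages still at the -11 build.
SAMPLE_RPM_QA = """\
pki-base-10.5.18-12.el7_9.noarch
pki-base-java-10.5.18-12.el7_9.noarch
pki-ca-10.5.18-11.el7_9.noarch
pki-server-10.5.18-11.el7_9.noarch
pki-tools-10.5.18-12.el7_9.x86_64
tomcat-7.0.76-16.el7_9.noarch
"""


def main() -> int:
    try:
        out = subprocess.run(["rpm", "-qa"], capture_output=True,
                             text=True, check=True).stdout
        lines = out.splitlines()
    except (OSError, subprocess.CalledProcessError):
        lines = SAMPLE_RPM_QA.splitlines()   # no rpm here: demonstrate on the sample
    hits = find_vulnerable(lines)
    for nvra in hits:
        print("VULNERABLE:", nvra, "-> needs", f"{FIXED_VERSION}-{FIXED_RELEASE}")
    return 1 if hits else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

`rpm -qa` needs no privilege, so the script can run from any account; it exits non-zero when any affected package is below the fixed build, which makes it usable from a fleet-wide check. Note that it reads the rpm database only: a host that has the fixed packages installed but has not restarted the pki-tomcatd instances is still running the old code until the services are restarted.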

Related vulnerabilities

rocky, more than 4 years ago
  Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update

oracle-oval, more than 4 years ago
  ELSA-2020-4847: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (MODERATE)

ubuntu (about 5 years ago), redhat (more than 5 years ago), nvd (about 5 years ago), CVSS3: 4.3
  A Reflected Cross Site Scripting vulnerability was found in all pki-core 10.x.x versions, in the pki-ca module of the pki-core server. The flaw is caused by missing sanitization of GET URL parameters. An attacker could abuse it to trick an authenticated user into clicking a specially crafted link that executes arbitrary script in the user's browser.
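The description above names the flaw class behind the CA and KRA entries in this advisory: a GET parameter reflected into HTML without sanitization. Added example, not pki-core's own Java/JSP code (which the page does not show): a constructed Python handler in the shape of a page that takes `?url=`, first as the vulnerable echo and then hardened with an allow-list on the value plus attribute-context escaping. `render_vulnerable`, `render_hardened`, `safe_local_path` and the payload are all hypothetical.

```python
"""Reflected XSS via an unsanitized GET parameter, vulnerable and hardened.

Added example; not pki-core's own (Java/JSP) code, which the advisory does not
show. It illustrates the flaw class the related CVE descriptions name: a `url`
query parameter echoed into HTML without sanitisation, as in a page taking
`?url=`. The functions and the payload below are constructed for illustration.
"""
import html
from urllib.parse import parse_qs, urlsplit


def url_param(query_string: str) -> str:
    """Percent-decode the query string and pull the `url` parameter ('' if absent)."""
    return parse_qs(query_string).get("url", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Echoes the parameter straight into markup: the attacker controls the HTML."""
    return f'<a href="{url_param(query_string)}">Continue</a>'


def safe_local_path(url: str) -> str:
    """Keep only same-origin absolute paths; anything else falls back to '/'.

    Rejects scheme URLs (javascript:, http://evil), protocol-relative '//host'
    and relative paths, so the value can only point back into this application.
    """
    parts = urlsplit(url)
    if parts.scheme or parts.netloc or not url.startswith("/") or url.startswith("//"):
        return "/"
    return url


def render_hardened(query_string: str) -> str:
    """Validate the value, then HTML-escape it (quotes included) for the attribute."""
    target = safe_local_path(url_param(query_string))
    return f'<a href="{html.escape(target, quote=True)}">Continue</a>'


# Constructed attacker link:  ...?url="><script>alert(1)</script>
PAYLOAD = "url=%22%3E%3Cscript%3Ealert(1)%3C/script%3E"

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD))
    print("hardened:  ", render_hardened(PAYLOAD))
```

Escaping alone would stop the tag injection in the payload but would still let a `javascript:` value through as a clickable `href`, which is why the hardened version validates the value before escaping it; the two controls address different failure modes and both are needed in an attribute context.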
