--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2018-5a53fd17e3
2018-08-11 18:38:12.394485
--------------------------------------------------------------------------------
Name : pki-core
Product : Fedora 27
Version : 10.5.11
Release : 1.fc27
URL : http://pki.fedoraproject.org/
Summary : Certificate System - PKI Core Components
Description :
==================================
|| ABOUT "CERTIFICATE SYSTEM" ||
==================================
Certificate System (CS) is an enterprise software system designed
to manage enterprise Public Key Infrastructure (PKI) deployments.
PKI Core contains ALL top-level Java-based Tomcat PKI components:
* pki-symkey
* pki-base
* pki-base-python2 (alias for pki-base)
* pki-base-python3
* pki-base-java
* pki-tools
* pki-server
* pki-ca
* pki-kra
* pki-ocsp
* pki-tks
* pki-tps
* pki-javadoc
which comprise the following corresponding PKI subsystems:
* Certificate Authority (CA)
* Key Recovery Authority (KRA)
* Online Certificate Status Protocol (OCSP) Manager
* Token Key Service (TKS)
* Token Processing Service (TPS)
Python clients need only install the pki-base package. This
package contains the Python REST client packages and the client
upgrade framework.
Java clients should install the pki-base-java package. This package
contains the legacy and REST Java client packages. These clients
should also consider installing the pki-tools package, which contains
native and Java-based PKI tools and utilities.
Certificate Server instances require the fundamental classes and
modules in pki-base and pki-base-java, as well as the utilities in
pki-tools. The main server classes are in pki-server, with subsystem
specific Java classes and resources in pki-ca, pki-kra, pki-ocsp etc.
Finally, if Certificate System is being deployed as an individual or
set of standalone rather than embedded server(s)/service(s), it is
strongly recommended (though not explicitly required) to include at
least one PKI Theme package:
* dogtag-pki-theme (Dogtag Certificate System deployments)
  * dogtag-pki-server-theme
* redhat-pki-server-theme (Red Hat Certificate System deployments)
  * redhat-pki-server-theme
* customized pki theme (Customized Certificate System deployments)
  * <customized>-pki-server-theme
NOTE: As a convenience for standalone deployments, top-level meta
packages may be provided which bind a particular theme to
these certificate server packages.
--------------------------------------------------------------------------------
Update Information:
Resolves: dogtagpki Pagure Issues #2915
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jul 31 2018 Dogtag Team <pki-devel(a)redhat.com> 10.5.11-1
- dogtagpki Pagure Issue #2915 - keyGen fails when only Identity
certificate exists (jmagne)
* Mon Jul 2 2018 Dogtag Team <pki-devel(a)redhat.com> 10.5.10-1
- Updated "jss" build and runtime requirements (mharmsen)
- Updated "tomcatjss" build and runtime requirements (mharmsen)
- dogtagpki Pagure Issue #2865 X500Name.directoryStringEncodingOrder
overridden by CSR encoding (cfu)
- dogtagpki Pagure Issue #2920 Part2 of SharedToken Audit (cfu)
- dogtagpki Pagure Issue #2922 IPAddressName: fix construction from
String (ftweedal)
- dogtagpki Pagure Issue #2959 Address pkispawn ECC profile overrides (cfu)
- dogtagpki Pagure Issue #2992 CMC Simple request profiles and CMCResponse
to support simple response (cfu)
- dogtagpki Pagure Issue #3003 AuditVerify failure due to line breaks (cfu)
- dogtagpki Pagure Issue #3037 CMC SharedToken SubjectDN default (cfu)
* Fri Jun 8 2018 Dogtag Team <pki-devel(a)redhat.com> 10.5.9-1
- dogtagpki Pagure Issue #2922 - Name Constraints: Using a Netmask
produces an odd entry in a certificate (ftweedal)
- dogtagpki Pagure Issue #2941 - ExternalCA: Installation failed during
csr generation with ecc (rrelyea, gkapoor)
- dogtagpki Pagure Issue #2999 - Cert validation for installation with
external CA cert (edewata)
- dogtagpki Pagure Issue #3028 - CMC CRMF request results in
InvalidKeyFormatException when signing algorithm is ECC (cfu)
- dogtagpki Pagure Issue #3033 - CRMFPopClient tool - should allow
option to do no key archival (cfu)
* Wed May 23 2018 Dogtag Team <pki-devel(a)redhat.com> 10.5.8-1
- Updated "jss" build and runtime requirements (mharmsen)
- dogtagpki Pagure Issue #1576 - subsystem -> subsystem SSL handshake
issue with TLS_ECDHE_RSA_* on Thales HSM (cfu)
- dogtagpki Pagure Issue #1741 - ECDSA Certificates Generated by
Certificate System fail NIST validation test with parameter field. (cfu)
- dogtagpki Pagure Issue #2940 - [MAN] Missing Man pages for tools
CMCRequest, CMCResponse, CMCSharedToken (cfu)
- dogtagpki Pagure Issue #2992 - servlet profileSubmitCMCSimple throws
NPE (cfu)
- dogtagpki Pagure Issue #2995 - SAN in internal SSL server certificate in
pkispawn configuration step (cfu)
- dogtagpki Pagure Issue #2996 - ECC installation for non CA subsystems
needs improvement (jmagne)
- dogtagpki Pagure Issue #2997 - Token name normalization problem in
pki-server subsystem-cert-validate (edewata)
- dogtagpki Pagure Issue #3018 - CMC profiles: Some CMC profiles have
wrong input class_id (cfu)
* Tue Apr 10 2018 Dogtag Team <pki-devel(a)redhat.com> 10.5.7-2
- dogtagpki Pagure Issue #2940 - [MAN] Missing Man pages for tools
CMCRequest, CMCResponse, CMCSharedToken (cfu)
- dogtagpki Pagure Issue #2946 - libtps does not directly depend on libz
(build failure with nss-3.35) (ftweedal, cfu)
- dogtagpki Pagure Issue #2950 - Need ECC-specific Enrollment Profiles
for standard conformance (cfu)
* Fri Mar 23 2018 Dogtag Team <pki-devel(a)redhat.com> 10.5.7-1
- dogtagpki Pagure Issue #2918 - Make sslget aware of TLSv1_2 ciphers
(cheimes, mharmsen)
- dogtagpki Pagure Issue #2922 - Name Constraints: Using a Netmask
produces an odd entry in a certificate (ftweedal)
- dogtagpki Pagure Issue #2938 - [MAN] Add --skip-configuration
and --skip-installation into pkispawn man page. (edewata)
- dogtagpki Pagure Issue #2940 - [MAN] Missing Man pages for tools
CMCRequest, CMCResponse, CMCSharedToken (cfu)
- dogtagpki Pagure Issue #2949 - CMCAuth throws
org.mozilla.jss.crypto.TokenException: Unable to insert certificate
into temporary database (cfu)
- dogtagpki Pagure Issue #2950 - Need ECC-specific Enrollment Profiles
for standard conformance (cfu)
- dogtagpki Pagure Issue #2952 - Permit additional FIPS ciphers to be
enabled by default for RSA . . . (mharmsen, cfu)
- dogtagpki Pagure Issue #2957 - Console: Adding ACL from pki-console
gives StringIndexOutOfBoundsException (ftweedal)
- dogtagpki Pagure Issue #2975 - Not able to generate certificate
request with ECC using pki client-cert-request (akahat)
* Wed Feb 21 2018 Dogtag Team <pki-devel(a)redhat.com> 10.5.6-2
- dogtagpki Pagure Issue #2946 - libtps does not directly depend on libz
(build failure with nss-3.35)
* Mon Feb 19 2018 Dogtag Team <pki-devel(a)redhat.com> 10.5.6-1
- dogtagpki Pagure Issue #2656 - Updating list of default audit events
(edewata)
- dogtagpki Pagure Issue #2884 - Inconsistent key ID encoding
(edewata)
- dogtagpki Pagure Issue #2929 - Regression in lightweight CA
key replication (ftweedal)
- dogtagpki Pagure Issue #2944 - External OCSP Installation failure
with HSM and FIPS (edewata)
* Mon Feb 5 2018 Dogtag Team <pki-devel(a)redhat.com> 10.5.5-1
- dogtagpki Pagure Issue #2656 - Updating list of default audit events
(edewata)
- dogtagpki Pagure Issue #2838 - Inconsistent CERT_REQUEST_PROCESSED
outcomes. (edewata)
- dogtagpki Pagure Issue #2844 - TPS CS.cfg should be reflected with the
changes after an in-place upgrade (jmagne)
- dogtagpki Pagure Issue #2855 - restrict default cipher suite to those
ciphers permitted in fips mode (mharmsen)
- dogtagpki Pagure Issue #2878 - Missing failure resumption detection and
audit event logging at startup (jmagne)
- dogtagpki Pagure Issue #2880 - Need to record CMC requests and responses
(cfu)
- dogtagpki Pagure Issue #2889 - Unable to have non "pkiuser" owned CA
instance (alee)
- dogtagpki Pagure Issue #2901 - Installing subsystems with external CMC
certificates in HSM environment shows import error (edewata)
- dogtagpki Pagure Issue #2909 - ProfileService: config values with
backslashes have backslashes removed (ftweedal)
- dogtagpki Pagure Issue #2916 - ExternalCA: Failures when installed with
hsm (edewata)
- dogtagpki Pagure Issue #2920 - CMC: Audit Events needed for failures in
SharedToken scenarios (cfu)
- dogtagpki Pagure Issue #2921 - CMC: Revocation works with an unknown
revRequest.issuer (cfu)
* Tue Jan 23 2018 Dogtag Team <pki-devel(a)redhat.com> 10.5.4-1
- dogtagpki Pagure Issue #2557 - CA Cloning: Failed to update number range
in few cases (ftweedal)
- dogtagpki Pagure Issue #2604 - RFE: shared token storage and retrieval
mechanism (cfu)
- dogtagpki Pagure Issue #2661 - HAProxy rejects OCSP responses due to
missing nextupdate field (ftweedal)
- dogtagpki Pagure Issue #2835 - pkidestroy does not work with nuxwdog
(vakwetu)
- dogtagpki Pagure Issue #2870 - Adjust requirement for openssl to latest
version to include latest openssl fixes for FIPS SSL (mharmsen)
- dogtagpki Pagure Issue #2872 - PR_FILE_NOT_FOUND_ERROR during
pkispawn (vakwetu)
- dogtagpki Pagure Issue #2873 - p12 admin certificate is missing when
certificate is signed Externally (edewata)
- dogtagpki Pagure Issue #2887 - Not able to setup CA with ECC (mharmsen)
- dogtagpki Pagure Issue #2889 - Unable to have non "pkiuser" owned CA
instance (vakwetu)
- dogtagpki Pagure Issue #2904 - Adjust dependencies to require the latest
nuxwdog (mharmsen)
- dogtagpki Pagure Issue #2910 - pkispawn fails to mask specified parameter
values under the [DEFAULT] section (vakwetu)
- dogtagpki Pagure Issue #2911 - Adjust dependencies to require the latest
JSS (mharmsen)
* Mon Dec 11 2017 Dogtag Team <pki-devel(a)redhat.com> 10.5.3-1
- Re-base Dogtag to 10.5.3
- dogtagpki Pagure Issue #2735 - Secure removal of secret data storage
(jmagne)
- dogtagpki Pagure Issue #2856 - Pylint flags seobject failures
(cheimes, mharmsen)
- dogtagpki Pagure Issue #2861 - ExternalCA: Failures in ExternalCA when
tried to setup with CMC signed certificates (cfu)
- dogtagpki Pagure Issue #2862 - Create a mechanism to select the
default NSS DB type (jmagne, mharmsen)
- dogtagpki Pagure Issue #2874 - nuxwdog won't start on Fedora
(alee, mharmsen)
* Mon Nov 27 2017 Dogtag Team <pki-devel(a)redhat.com> 10.5.2-1
- Re-base Dogtag to 10.5.2
* Tue Nov 14 2017 Troy Dawson <tdawson(a)redhat.com> - 10.5.1-3
- dogtagpki Pagure Issue #2853 - Cleanup spec file conditionals
* Wed Nov 8 2017 Dogtag Team <pki-devel(a)redhat.com> 10.5.1-2
- Patch applying check-ins since 10.5.1-1
* Thu Nov 2 2017 Dogtag Team <pki-devel(a)redhat.com> 10.5.1-1
- Re-base Dogtag to 10.5.1
* Thu Oct 19 2017 Dogtag Team <pki-devel(a)redhat.com> 10.5.0-1
- Re-base Dogtag to 10.5.0
* Mon Sep 18 2017 Dogtag Team <pki-devel(a)redhat.com> 10.4.8-7
- dogtagpki Pagure Issue #2809 - PKCS #12 files incompatible with
NSS >= 3.31 (ftweedal)
* Tue Sep 12 2017 Dogtag Team <pki-devel(a)redhat.com> 10.4.8-6
- Require "jss >= 4.4.2-5" as a build and runtime requirement
- dogtagpki Pagure Issue #2796 - lightweight CA replication fails with a
NullPointerException (ftweedal)
- dogtagpki Pagure Issue #2788 - Missing CN in user signing cert would cause
error in cmc user-signed (cfu)
- dogtagpki Pagure Issue #2789 - FixDeploymentDescriptor upgrade scriptlet can
fail (ftweedal)
- dogtagpki Pagure Issue #2664 - PKCS12: upgrade to at least AES and SHA2
(FIPS) (ftweedal)
- dogtagpki Pagure Issue #2764 - py3: pki.key.archive_encrypted_data:
TypeError: ... is not JSON serializable (ftweedal)
- dogtagpki Pagure Issue #2772 - TPS incorrectly assigns "tokenOrigin" and
"tokenType" certificate attribute for recovered certificates. (cfu)
- dogtagpki Pagure Issue #2793 - TPS UI: need to display tokenType and
tokenOrigin for token certificates on TPS UI (edewata)
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2018-5a53fd17e3' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------