--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-10721
2011-08-12 10:34:46
--------------------------------------------------------------------------------
Name : certmonger
Product : Fedora 15
Version : 0.45
Release : 1.fc15
URL : http://certmonger.fedorahosted.org
Summary : Certificate status monitor and PKI enrollment client
Description :
Certmonger is a service which is primarily concerned with getting your
system enrolled with a certificate authority (CA) and keeping it enrolled.
--------------------------------------------------------------------------------
Update Information:
This update rolls up a large number of bug fixes, but the main user-visible changes are:
* the "getcert" command now suppresses the technical details of certain error
messages unless it is invoked with the "-v" flag
* if key generation fails because the daemon can't access an NSS database due to an
incorrect or missing PIN, the daemon will now recover if the correct PIN is supplied via
the "getcert resubmit" command
--------------------------------------------------------------------------------
ChangeLog:
* Thu Aug 11 2011 Nalin Dahyabhai <nalin(a)redhat.com> 0.45-1
- modify the systemd .service file to be a proper 'dbus' service (more
of #718172)
* Thu Aug 11 2011 Nalin Dahyabhai <nalin(a)redhat.com> 0.44-1
- check specifically for cases where a specified token that we need to
use just isn't present for whatever reason (#697058)
* Wed Aug 10 2011 Nalin Dahyabhai <nalin(a)redhat.com> 0.43-1
- add a -K option to ipa-submit, to use the current ccache, which makes
it easier to test
* Fri Aug 5 2011 Nalin Dahyabhai <nalin(a)redhat.com>
- if xmlrpc-c's struct xmlrpc_curl_xportparms has a gss_delegate field, set
it to TRUE when we're doing Negotiate auth (#727864, #727863, #727866)
* Wed Jul 13 2011 Nalin Dahyabhai <nalin(a)redhat.com>
- treat the ability to access keys in an NSS database without using a PIN,
when we've been told we need one, as an error (#692766)
- when handling "getcert resubmit" requests, if we don't have a key yet,
make sure we go all the way back to generating one (#694184)
- getcert: try to clean up tests for NSS and PEM file locations (#699059)
- don't try to set reconnect-on-exit policy unless we managed to connect
to the bus (#712500)
- handle cases where we specify a token but the storage token isn't
known (#699552)
- getcert: recognize -i and storage options to narrow down which requests
the user wants to know about (#698772)
- output hints when the daemon has startup problems, too (#712075)
- add flags to specify whether we're bus-activated or not, so that we can
exit if we have nothing to do after handling a request received over
the bus if some specified amount of time has passed
- explicitly disallow non-root access in the D-Bus configuration (#712072)
- migrate to systemd on releases newer than Fedora 15 or RHEL 6 (#718172)
- fix a couple of incorrect calls to talloc_asprintf() (#721392)
* Wed Apr 13 2011 Nalin Dahyabhai <nalin(a)redhat.com> 0.42-1
- getcert: fix a buffer overrun preparing a request for the daemon when
there are more parameters to encode than space in the array (#696185)
- updated translations: de, es, id, pl, ru, uk
* Mon Apr 11 2011 Nalin Dahyabhai <nalin(a)redhat.com> 0.41-1
- read information about the keys we've just generated before proceeding
to generating a CSR (part of #694184, part of #695675)
- when processing a "resubmit" request from getcert, go back to key
generation if we don't have keys yet, else go back to CSR generation as
before (#694184, #695675)
- configure with --with-tmpdir=/var/run/certmonger and own /var/run/certmonger
(#687899), and add a systemd tmpfiles.d control file for creating
/var/run/certmonger on Fedora 15 and later
- let session instances exit when they get disconnected from the bus
- use a lock file to make sure there's only one session instance messing
around with the user's files at a time
- fix errors saving certificates to NSS databases when there's already a
certificate there with the same nickname (#695672)
- make key and certificate location output from 'getcert list' more properly
translatable (#7)
* Mon Mar 28 2011 Nalin Dahyabhai <nalin(a)redhat.com> 0.40-1
- update to 0.40
- fix validation check on EKU OIDs in getcert (#691351)
- get session bus mode sorted
- add a list of recognized EKU values to the getcert-request man page
* Fri Mar 25 2011 Nalin Dahyabhai <nalin(a)redhat.com> 0.39-1
- update to 0.39
- fix use of an uninitialized variable in the xmlrpc-based submission
helpers (#690886)
* Thu Mar 24 2011 Nalin Dahyabhai <nalin(a)redhat.com> 0.38-1
- update to 0.38
- catch cases where we can't read a PIN file, but we never have to log
in to the token to access the private key (more of #688229)
* Tue Mar 22 2011 Nalin Dahyabhai <nalin(a)redhat.com> 0.37-1
- update to 0.37
- be more careful about checking if we can read a PIN file successfully
before we even call an API that might need us to try (#688229)
- fix strict aliasing warnings
* Tue Mar 22 2011 Nalin Dahyabhai <nalin(a)redhat.com> 0.36-1
- update to 0.36
- fix some use-after-free bugs in the daemon (#689776)
- fix a copy/paste error in certmonger-ipa-submit(8)
- getcert now suppresses error details when not given its new -v option
(#683926, more of #681641/#652047)
- updated translations
  - de, es, pl, ru, uk
  - Indonesian translation is now for "id" rather than "in"
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update certmonger' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------