Fedora 20 Update: certmonger-0.76.8-1.fc20

updates at fedoraproject.org
Wed Dec 3 01:02:42 UTC 2014


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2014-14948
2014-11-13 17:01:47
--------------------------------------------------------------------------------

Name        : certmonger
Product     : Fedora 20
Version     : 0.76.8
Release     : 1.fc20
URL         : http://certmonger.fedorahosted.org
Summary     : Certificate status monitor and PKI enrollment client
Description :
Certmonger is a service which is primarily concerned with getting your
system enrolled with a certificate authority (CA) and keeping it enrolled.

--------------------------------------------------------------------------------
Update Information:

This update teaches the certmonger daemon to optionally set up a dedicated listening socket, allowing it to accept requests directly from clients when the message bus service is not running.  It corrects ordering so that post-save hooks for a certificate are run after the certificate's CA certificates are saved, in cases where the daemon is told to save them.  When submitting requests to IPA servers, the client will now consult the IPA directory server for a list of CAs if the default CA server cannot be reached, and will use DNS-based service location to find a directory server if the default directory server cannot be reached.  A new helper (dogtag-submit) is available for communicating with generic Dogtag servers.  Both Dogtag enrollment helpers can now take additional options which are applied when they use agent credentials to approve signing requests.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Nov 18 2014 Nalin Dahyabhai <nalin at redhat.com> 0.76.8-1
- dogtag-submit: accept additional options to pass to the server when
  approving requests using agent creds (#1165155, patch by Jan Cholasta)
- getcert: print help output when 'status' isn't given any args (#1163541)
* Tue Nov 11 2014 Nalin Dahyabhai <nalin at redhat.com> 0.76.7-1
- correctly read CA not-valid-after dates on 32-bit machines (also reported by
  Natxo Asenjo), so that we don't spin on polling them
* Mon Nov 10 2014 Nalin Dahyabhai <nalin at redhat.com> 0.76.6-1
- don't discard the priority value in DNS SRV records
* Mon Nov 10 2014 Nalin Dahyabhai <nalin at redhat.com> 0.76.5-1
- avoid premature exit on CA data analysis failures (should fix an issue
  reported by Natxo Asenjo)
* Mon Nov 10 2014 Nalin Dahyabhai <nalin at redhat.com> 0.76.4-1
- fix a failure in self-tests
* Mon Nov 10 2014 Nalin Dahyabhai <nalin at redhat.com> 0.76.3-1
- fixes for bugs found by static analysis
- handle IDN correctly when doing service location using SRV records
- documentation updates
* Wed Nov  5 2014 Nalin Dahyabhai <nalin at redhat.com>
- rework the state machine so that we save an issued certificate's associated
  CA certificates, then re-read the certificate, then run the post hook and
  issue notifications, in that order, instead of saving CA certificates after
  running the post hook, which was always a surprising order (#1131700)
- add a generic dogtag-submit helper that doesn't include any IPA defaults,
  to make it easier to know the difference between parameters it requires
  and parameters which are optional
* Tue Nov  4 2014 Nalin Dahyabhai <nalin at redhat.com> 0.76.2-1
- ipa-submit: when we fail to locate/contact LDAP or XML-RPC servers,
  use discovery to find them (#1136900)
* Fri Oct 31 2014 Nalin Dahyabhai <nalin at redhat.com> 0.76.1-1
- allow for 'certmonger -P abstract:...' to work, too
* Fri Oct 31 2014 Nalin Dahyabhai <nalin at redhat.com> 0.76-1
- require a single certificate to be specified to 'getcert status' (#1148001)
- shorten the default help message which getcert prints when it's not given
  a specific command (#1131704)
- add private listener (-l, -L, -P) mode to certmonger, to allow it to listen
  for connections directly from clients running under the same UID
- add a command mode (-c) to certmonger, in which once it's started, it
  launches a specified command, and after that command exits, the daemon exits
- when getcert is invoked with no bus running, if it's running as root, run
  certmonger in private listener mode with the same invocation of getcert as
  the command to start and wait for (#1134497)
* Thu Aug 28 2014 Nalin Dahyabhai <nalin at redhat.com> 0.75.14-1
- make pathname canonicalization slightly smarter, to handle ".." in
  locations (#1131758)
- updates to self-tests (#1144082)
* Thu Aug 21 2014 Kevin Fenzi <kevin at scrye.com> - 0.75.13-2
- Rebuild for rpm bug 1131960
* Mon Aug 18 2014 Nalin Dahyabhai <nalin at redhat.com> 0.75.13-1
- add a missing test case file (whoops)
* Mon Aug 18 2014 Nalin Dahyabhai <nalin at redhat.com> 0.75.12-1
- correct encoding/decoding of variant-typed data which we receive and send
  as part of the org.freedesktop.DBus.Properties interface over the bus, and
  add some tests for them (based on patch from David Kupka, ticket #36)
* Fri Aug 15 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.75.10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Fri Aug 15 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.75.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Tue Aug 12 2014 Nalin Dahyabhai <nalin at redhat.com> 0.75.11-1
- when getcert is passed a -a flag, to indicate that CA root certificates
  should be stored in the specified database, don't ignore locations which
  don't include a storage scheme (#1129537)
- when called to 'start-tracking' with the -a or -F flags, if we have
  applicable certificates on-hand for a CA that we're either told to use
  or which we decide is the correct one, save the certificates (#1129696)
* Tue Aug  5 2014 Nalin Dahyabhai <nalin at redhat.com> 0.75.10-1
- when attempting to contact an IPA LDAP server, if no "ldap_uri" is set in
  default.conf, and no "host" is set either, try to construct the server URI
  using the "server" setting (#1126985)
* Thu Jul 31 2014 Nalin Dahyabhai <nalin at redhat.com> 0.75.9-1
- avoid potential use-after-free after a CA is removed dynamically (thanks to
  Keenan Brock) (#1125342)
- add a "external-helper" property to CA objects
* Mon Jul 21 2014 Nalin Dahyabhai <nalin at redhat.com> 0.75.8-1
- add a 'refresh' option to the getcert command
- add a '-a' flag to the getcert command's 'refresh-ca' option
* Thu Jul 17 2014 Nalin Dahyabhai <nalin at redhat.com> 0.75.7-2
- reintroduce package Requires: on systemd-sysv on F19 and EL6 and older,
  conditionalized it so that it's ignored on newer releases, and make
  whether or not we call systemd-sysv-convert in triggers depend on that,
  too (#1104138)
* Thu Jul 17 2014 Nalin Dahyabhai <nalin at redhat.com> 0.75.7-1
- fix an inconsistency in how we parse cookie values returned by CA helpers,
  in that single-line values would lose the end-of-line after a daemon
  restart, but not before
- handle timeout values and exit status values when calling CA helpers
  in non-SUBMIT, non-POLL modes (#1118468)
- rework how we save CA certificates so that we save CA certificates associated
  with end-entity certificates when we save that end-entity certificate, which
  requires running all of the involved pre- and post-save commands
- drop package Requires: on systemd-sysv (#1104138)
* Thu Jun 26 2014 Nalin Dahyabhai <nalin at redhat.com> 0.75.6-1
- avoid potential use-after-free and read overrun after a CA is added
  dynamically (thanks to Jan Cholasta)
* Fri Jun 20 2014 Nalin Dahyabhai <nalin at redhat.com> 0.75.5-1
- documentation updates
* Fri Jun 20 2014 Nalin Dahyabhai <nalin at redhat.com> 0.75.4-2
- add a %trigger to remove knowledge of the "dogtag-ipa-renew-agent" CA
  when we detect certmonger versions prior to 0.58 being installed, to
  avoid cases where some older versions choke on CAs with nicknames that
  contain characters that can't legally be part of a D-Bus name (#948993)
* Thu Jun 19 2014 Nalin Dahyabhai <nalin at redhat.com> 0.75.4-1
- fix creation and packaging of the "local" CA's data directory
* Wed Jun 18 2014 Nalin Dahyabhai <nalin at redhat.com> 0.75.3-1
- read and cache whether or not we saw a noOCSPcheck extension in certificates
- documentation updates
* Mon Jun 16 2014 Nalin Dahyabhai <nalin at redhat.com> 0.75.2-1
- when generating keys using OpenSSL, if key generation fails, try
  again with the default key size, in case we're in FIPS mode
- documentation updates
* Sat Jun 14 2014 Nalin Dahyabhai <nalin at redhat.com> 0.75.1-1
- log the state in 'getcert status' verbose mode
* Fri Jun 13 2014 Nalin Dahyabhai <nalin at redhat.com> 0.75-1
- add a -w (wait) flag to the getcert's request/resubmit/start-tracking
  commands, and add a non-waiting status command
* Wed Jun 11 2014 Nalin Dahyabhai <nalin at redhat.com> 0.74.96-1
- make the trust settings we apply to CA-supplied certificates while
  saving them to NSS databases run-time configurable
- fix compiling against EL5-era OpenSSL
- when saving CA certificates we pull from an IPA server, nickname
  it using the realm name with " IPA CA" appended rather than just
  naming it "IPA CA"
- fix the local signer so that when it issues itself a new certificate,
  it uses the same subject name
- add a -w flag to getcert's request, resubmit, and start-tracking
  commands, telling it to wait until either the certificate is issued,
  we get to a state where we know that we won't be able to get one, or
  we are waiting for a CA
* Mon Jun  9 2014 Nalin Dahyabhai <nalin at redhat.com> 0.74.95-1
- add the "local" signer, a local toy CA that signs anything you'll
  ask it to sign
* Sat Jun  7 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.74-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Fri Jun  6 2014 Nalin Dahyabhai <nalin at redhat.com> 0.74.94-1
- fix self-test errors that we trigger with new OpenSSL
- fix a build error that would sometimes happen when we're told to
  build PIE binaries
- quiet a compile warning
* Thu Jun  5 2014 Nalin Dahyabhai <nalin at redhat.com> 0.74.93-1
- add some self-tests
- simplify the internal submit-to-CA logic
- fixes for more problems found through static analysis
* Tue Jun  3 2014 Nalin Dahyabhai <nalin at redhat.com> 0.74.92-1
- retrieve CA information from CAs, if the helpers can do so, and
  add a command to explicitly refresh that data: "getcert refresh-ca"
- offer to save CA certificates to files and databases, when specified with
  new -a and -F flags to getcert request/resubmit/start-tracking (#1098208,
  trac #31)
- add IP address subject alternate names when getcert request/resubmit
  is passed the -A option (trac #35)
- read and cache the freshestCRL extension in certificates
- properly interpret KDC-unreachable errors encountered in the IPA
  submission error as a server-unreachable error that we will retry,
  rather than a misconfiguration error which we won't
- don't let tests get tripped up by new formatting used in dos2unix status
  messages (#1099080)
- updated translations
- be explicit that we are going to use bashisms in test scripts by calling
  the shell interpreter as 'bash' rather than 'sh' (trac #27)
* Thu Apr  3 2014 Nalin Dahyabhai <nalin at redhat.com> 0.74-1
- also save state when we exit due to SIGHUP
- don't get tripped up when enrollment helpers hand us certificates which
  include CRLF line terminators (ticket #25)
- be tolerant of certificate issuer names, subject names, DNS, email, and
  Kerberos principal name subjectAltNames, and crl distribution point URLs
  that contain newlines
- read and cache the certificate template extension in certificates
- enforce different minimum key sizes depending on the type of key we're
  trying to generate
- store DER versions of subject, issuer and template subject, if we have
  them (Jan Cholasta, ticket #26)
- when generating signing requests with subject names that don't quite parse
  as subject names, encode what we're given as PrintableString rather than
  as a UTF8String
- always chdir() to a known location at startup, even if we're not becoming
  a daemon
- fix a couple of memory leaks (static analysis)
- add missing buildrequires: on which
* Thu Feb 20 2014 Nalin Dahyabhai <nalin at redhat.com> 0.73-1
- updates to 0.73
  - getcert no longer claims to be stuck when a CA is unreachable,
    because the daemon isn't actually stuck
* Mon Feb 17 2014 Nalin Dahyabhai <nalin at redhat.com>
- updates to 0.73
  - also pass the key type to enrollment helpers in the environment as
    the value of "CERTMONGER_KEY_TYPE"
* Mon Feb 10 2014 Nalin Dahyabhai <nalin at redhat.com>
- move the tmpfiles.d file from /etc/tmpfiles.d to %{_tmpfilesdir},
  where it belongs
* Mon Feb 10 2014 Nalin Dahyabhai <nalin at redhat.com>
- updates for 0.73
  - set the flag to encode EC public key parameters using named curves
    instead of the default of all-the-details when using OpenSSL
  - don't break when NSS supports secp521r1 but OpenSSL doesn't
  - also pass the CA nickname to enrollment helpers in the environment as
    a text value in "CERTMONGER_CA_NICKNAME", so they can use that value
    when reading configuration settings
  - also pass the SPKAC value to enrollment helpers in the environment as
    a base64 value in "CERTMONGER_SPKAC"
  - also pass the request's SubjectPublicKeyInfo value to enrollment helpers
    in the environment as a base64 value in "CERTMONGER_SPKI"
  - when generating signing requests using NSS, be more accommodating of
    requested subject names that don't parse properly
* Mon Feb  3 2014 Nalin Dahyabhai <nalin at redhat.com> 0.72-1
- update to 0.72
  - support generating DSA parameters and keys on sufficiently-new OpenSSL
    and NSS
  - support generating EC keys when OpenSSL and NSS support it, using key
    size to select the curve to use from among secp256r1, secp384r1,
    secp521r1 (which are the ones that are usually available, though
    secp521r1 isn't always, even if the other two are)
  - stop trying to cache public key parameters at all and instead cache public
    key info properly
  - encode the friendlyName attribute in signing requests as a BMPString,
    not as a PrintableString
  - catch more filesystem permissions problems earlier (more of #996581)
* Mon Jan 27 2014 Nalin Dahyabhai <nalin at redhat.com> 0.71-1
- check for cases where we fail to allocate memory while reading a request
  or CA entry from disk (John Haxby)
- only handle one watch at a time, which should avoid abort() during
  attempts to reconnect to the message bus after losing our connection
  to it (#1055521)
* Fri Jan 24 2014 Daniel Mach <dmach at redhat.com> - 0.70-2
- Mass rebuild 2014-01-24
* Thu Jan  2 2014 Nalin Dahyabhai <nalin at redhat.com> 0.70-1
- add a --with-homedir option to configure, and use it, since subprocesses
  which we run and which use NSS may attempt to write to $HOME/.pki, and
  0.69's strategy of setting that to "/" was rightly hitting SELinux policy
  denials (#1047798)
* Fri Dec 27 2013 Daniel Mach <dmach at redhat.com> - 0.69-2
- Mass rebuild 2013-12-27
* Mon Dec  9 2013 Nalin Dahyabhai <nalin at redhat.com> 0.69-1
- tweak how we decide whether we're on the master or a minion when we're
  told to use certmaster as a CA
- clean up one of the tests so that it doesn't have to work around internal
  logging producing duplicate messages
- when logging errors while setting up to contact xmlrpc servers, explicitly
  note that the error is client-side
- don't abort() due to incorrect locking when an attempt to save an issued
  certificate to the designated location fails (part of #1032760/#1033333,
  ticket #22)
- when reading an issued certificate from an enrollment helper, ignore
  noise before or after the certificate itself (more of #1032760/1033333,
  ticket #22)
- run subprocesses in a cleaned-up environment (more of #1032760/1033333,
  ticket #22)
- clear the ca-error that we saved when we had an error talking to the CA if we
  subsequently succeed in talking to the CA
- various other static-analysis fixes
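Several ChangeLog entries above concern DNS-based service location: keeping the priority value of SRV records (0.76.6) and handling IDN targets correctly (0.76.3). The following is an added Python illustration of how an SRV lookup result should be ordered before a client walks the candidate servers; it is not certmonger's own code, and the records, realm and host names are constructed sample data.

```python
import random
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class SrvRecord:
    """One answer to an SRV query such as _ldap._tcp.<realm> (constructed)."""
    priority: int
    weight: int
    port: int
    target: str  # hostname as published in DNS; may be an IDN U-label

def ascii_target(target: str) -> str:
    """Return the hostname in ASCII (A-label) form via the stdlib idna codec,
    which is the form that must actually go on the wire."""
    return target.rstrip(".").encode("idna").decode("ascii")

def order_srv(records: List[SrvRecord],
              rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Order records per RFC 2782: lowest priority first; within one priority
    level pick targets at random, proportionally to their weight. Discarding
    the priority field would wrongly interleave backup servers with primaries."""
    rng = rng or random.Random()
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            if total == 0:               # all weights zero: any order is fine
                pick = group[0]
            else:
                n = rng.randint(1, total)  # weighted draw
                acc = 0
                for r in group:
                    acc += r.weight
                    if acc >= n:
                        pick = r
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered

def ldap_candidates(records: List[SrvRecord],
                    rng: Optional[random.Random] = None) -> List[str]:
    """host:port strings in the order a client should try them."""
    return [f"{ascii_target(r.target)}:{r.port}" for r in order_srv(records, rng)]

# Constructed sample answer for _ldap._tcp.example.test (hypothetical realm).
SAMPLE = [
    SrvRecord(10, 50, 389, "ldap1.example.test."),
    SrvRecord(20, 0, 389, "backup.example.test."),
    SrvRecord(0, 0, 389, "bücher.example.test."),   # IDN target, highest priority
    SrvRecord(10, 50, 389, "ldap2.example.test."),
]
```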
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1163541 - [abrt] certmonger: _dbus_abort(): getcert killed by SIGABRT
        https://bugzilla.redhat.com/show_bug.cgi?id=1163541
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update certmonger' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------