-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat Certificate System security and bug fix update Advisory ID: RHSA-2021:0948-01 Product: Red Hat Certificate System Advisory URL: https://access.redhat.com/errata/RHSA-2021:0948 Issue date: 2021-03-22 CVE Names: CVE-2019-10178 CVE-2019-10180 CVE-2020-1696 ==================================================================== 1. Summary: An update for pki-console, pki-core, and redhat-pki-theme is now available for Red Hat Certificate System 9.4 EUS. Red Hat Certificate System 9.4 EUS is a special channel for the delivery of Red Hat Certificate System updates. Downgrading the installed packages is not supported. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Certificate System 9.4 EUS for Red Hat Enterprise Server 7 - noarch, x86_64 3. Description: The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System. Security Fix(es): * pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab (CVE-2019-10178) * pki-core: unsanitized token parameters in TPS resulting in stored XSS (CVE-2019-10180) * pki-core: Stored XSS in TPS profile creation (CVE-2020-1696) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Update Batch Update Information to Version 20 [RHCS 9.4.z] (BZ#1931149) * Not able to launch pkiconsole -- RHEL 7.6.z backport request [RHCS 9.4.z] (BZ#1931718) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1719042 - CVE-2019-10178 pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab 1721137 - CVE-2019-10180 pki-core: unsanitized token parameters in TPS resulting in stored XSS 1780707 - CVE-2020-1696 pki-core: Stored XSS in TPS profile creation 6. Package List: Red Hat Certificate System 9.4 EUS for Red Hat Enterprise Server 7: Source: idm-console-framework-1.1.17-4.el7dsrv.src.rpm pki-console-10.5.9-2.el7pki.src.rpm pki-core-10.5.9-15.el7pki.src.rpm redhat-pki-theme-10.5.9-5.el7pki.src.rpm noarch: idm-console-framework-1.1.17-4.el7dsrv.noarch.rpm pki-console-10.5.9-2.el7pki.noarch.rpm pki-ocsp-10.5.9-15.el7pki.noarch.rpm pki-tks-10.5.9-15.el7pki.noarch.rpm redhat-pki-console-theme-10.5.9-5.el7pki.noarch.rpm redhat-pki-server-theme-10.5.9-5.el7pki.noarch.rpm x86_64: pki-core-debuginfo-10.5.9-15.el7pki.x86_64.rpm pki-tps-10.5.9-15.el7pki.x86_64.rpm Red Hat Certificate System 9.4 EUS for Red Hat Enterprise Server 7: Source: pki-console-10.5.9-2.el7pki.src.rpm pki-core-10.5.9-15.el7pki.src.rpm redhat-pki-theme-10.5.9-5.el7pki.src.rpm noarch: pki-console-10.5.9-2.el7pki.noarch.rpm pki-ocsp-10.5.9-15.el7pki.noarch.rpm pki-tks-10.5.9-15.el7pki.noarch.rpm redhat-pki-console-theme-10.5.9-5.el7pki.noarch.rpm redhat-pki-server-theme-10.5.9-5.el7pki.noarch.rpm x86_64: pki-core-debuginfo-10.5.9-15.el7pki.x86_64.rpm pki-tps-10.5.9-15.el7pki.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-10178 https://access.redhat.com/security/cve/CVE-2019-10180 https://access.redhat.com/security/cve/CVE-2020-1696 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYFhdztzjgjWX9erEAQj6aA//bR+6+2CzjiglKDMwLrRzn4A0zL5hWJdV 5Vp7Di3ryqpxkTfNRiZDxpUoLRRUa1aNy9tqeZiAnP1VrqxfjM+HTtea7qCFDbsX MBdKj4LHSiONZlS/Af4A0oUVfPMqhppIy2ZiQLVEfjZEMFH67Xhlh6f1VzshFSVe uk+tcVG7TTOmTbjAW5i2CwpbzdTGxyOEXGcgWiQ0JiJ+tIJP2adRYiGfcu0A95ZF s5hL5okcWP9VEvOXXDfiQMjOw3fbsrTyn7ilL9wUEpD7zH0hBuvKqmRmirYt/4G9 g39/t7wUKJ2Jue1O0NbFhZ/gn1lpemXHN2z75p+4EUeH8lw9gTapciZD24VP7gDK djLXrErjzKr+R01BKKaw8tg0Mtvwq7HhXJS0+aEW+tytjBIsMAQyVwXWQqndRVJ8 pwq/UnU2tIVCx4/bsU0m6FDNPw3BiQAZZGZjefHKoHLtgrFgyIpLIxM2skIUsRcz TaL3P64NHLUSQAyrbHx2moeoO00hk3IoMKUMPxU9rbTOJ5Nl1WKQGIUmGjfl69g6 S9be1WwlWiwrCdFNbOmdMzm4/Go51Nn7INKwpqmLbLhJuRh8zkQE0bQPBc5mTKBj LOAOg0JsKhM0AId2M1Xy/88O1E2Xbb7b1+uWmcLVi7V7VY7PigDYiRD04W30B6Bo pswGYd8qNHA=xm9O -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce