Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.3847 jss security update 16 October 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: jss Publisher: Red Hat Operating System: Red Hat Enterprise Linux Server 7 Red Hat Enterprise Linux WS/Desktop 7 UNIX variants (UNIX, Linux, OSX) Windows Impact/Access: Provide Misleading Information -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2019-14823 Original Bulletin: https://access.redhat.com/errata/RHSA-2019:3067 Comment: This advisory references vulnerabilities in products which run on platforms other than Red Hat. It is recommended that administrators running Java Security Services check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: jss security update Advisory ID: RHSA-2019:3067-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2019:3067 Issue date: 2019-10-15 CVE Names: CVE-2019-14823 ===================================================================== 1. Summary: An update for jss is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. Description: Java Security Services (JSS) provides an interface between Java Virtual Machine and Network Security Services (NSS). It supports most of the security standards and encryption technologies supported by NSS including communication through SSL/TLS network protocols. JSS is primarily utilized by the Certificate Server as a part of the Identity Management System. Security Fix(es): * JSS: OCSP policy "Leaf and Chain" implicitly trusts the root certificate (CVE-2019-14823) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1747435 - CVE-2019-14823 JSS: OCSP policy "Leaf and Chain" implicitly trusts the root certificate 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: jss-4.4.6-3.el7_7.src.rpm x86_64: jss-4.4.6-3.el7_7.x86_64.rpm jss-debuginfo-4.4.6-3.el7_7.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): x86_64: jss-debuginfo-4.4.6-3.el7_7.x86_64.rpm jss-javadoc-4.4.6-3.el7_7.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: jss-4.4.6-3.el7_7.src.rpm x86_64: jss-4.4.6-3.el7_7.x86_64.rpm jss-debuginfo-4.4.6-3.el7_7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): x86_64: jss-debuginfo-4.4.6-3.el7_7.x86_64.rpm jss-javadoc-4.4.6-3.el7_7.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: jss-4.4.6-3.el7_7.src.rpm ppc64: jss-4.4.6-3.el7_7.ppc64.rpm jss-debuginfo-4.4.6-3.el7_7.ppc64.rpm ppc64le: jss-4.4.6-3.el7_7.ppc64le.rpm jss-debuginfo-4.4.6-3.el7_7.ppc64le.rpm s390x: jss-4.4.6-3.el7_7.s390x.rpm jss-debuginfo-4.4.6-3.el7_7.s390x.rpm x86_64: jss-4.4.6-3.el7_7.x86_64.rpm jss-debuginfo-4.4.6-3.el7_7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): ppc64: jss-debuginfo-4.4.6-3.el7_7.ppc64.rpm jss-javadoc-4.4.6-3.el7_7.ppc64.rpm ppc64le: jss-debuginfo-4.4.6-3.el7_7.ppc64le.rpm jss-javadoc-4.4.6-3.el7_7.ppc64le.rpm s390x: jss-debuginfo-4.4.6-3.el7_7.s390x.rpm jss-javadoc-4.4.6-3.el7_7.s390x.rpm x86_64: jss-debuginfo-4.4.6-3.el7_7.x86_64.rpm jss-javadoc-4.4.6-3.el7_7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: jss-4.4.6-3.el7_7.src.rpm x86_64: jss-4.4.6-3.el7_7.x86_64.rpm jss-debuginfo-4.4.6-3.el7_7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: jss-debuginfo-4.4.6-3.el7_7.x86_64.rpm jss-javadoc-4.4.6-3.el7_7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-14823 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXaYG2dzjgjWX9erEAQgl4g//ewrQoDnHj/0NSspcLsuSGJXO8QdmejJz StEKgBRw7oEKYKY3nVabUv0VKewaNtiaL8ZyxzQAq7Kp1+CnG2dA3mp08qA8Qua3 3KvjKN7d+/Y1BqfzIhom3uPqDWxTigkePbx9Ln2WnT+Yhv04zqbxsT9Dcuv6YbET AxxHQvwiSDDiCiHNAQi0DAXncBWfW1hjWIGAIofYuI5HHzlOo6BOyWkMNtnLFgcZ ljSHMcvLVbgFbSjpSIM2wM/bSUZXJhxxiCdA3T8Shi8EL04UB7uEsCpCEUKJ9wed 1kLWvhKG1hLnaAl9L0taKUlMStMWVmzIgBr2vsoDpdJOpaQn3In8VmTBnQIQj/A+ CgAp7NzZg+pRbKtGaQg0fTTktXTef2NlahSye41v1GVaxgJeyeGcxlVzVPFibBQt T3OFe0hXKMjPmO99Rz+cr/cDJpD2m1uXrOnAGfkTAewXVyBNPOrpG50hodMda7gP q2mtO5FCmExX7dQm1LyxitKNKg6dJbXwCi+QYTcqyPT1mY3pf7cXfrFVZ8ZXO+xY 7PPB3+L/09vBt1vSvSfndzBXx+aMt3zQq1D+l4Y3MfXXkm0nTTUj3ZKKymyNS1ey AFeBpxt181bvq42pH1xqNTQXH8EZZmNTIeaXe9sK7N7/4HYZ/MVSf2DcZ1JopFP+ ypW9kz0D1CM= =AWDo - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXaZwfWaOgq3Tt24GAQgANhAAzKIcwyH2uj+NNm/rAJT08gRKsNwxuBqz BRlm/2qi6tVpUI+NetrKdiVsY9waZEqgfHSumOVnivu4nFCpI3jHVs7ucpb9njxl BqaBb6i9s5PjxEb47z5dN9bvwT0eaLhjW+WD6M1apUlXDrEuAXKxTPGT4M/q+ful Ra+YWPJX69TjSA7X1VjRH6fjw3u39MUfR51pqhcRHMdKoLUfJkze71b2KyyQEiwf ET2se68ejHMlVA1uiYYdmaXAxIfeE7ugjp2kdzNer3CXM72V6OlqoIXjscFFKyOC zmu9GJVMCtN9jQ3kaSMjIBnNBMtpQbx6eAM5kPqU2wopjC+TtAEJBH4VioHzna/q JS5X+e/TFElFUHIZ74B0jpJhWse5n+Womx7iL4+EIvunyXO03LsakHHKR9NdBp9R FKHfJXgljEOwE0j9GWzCe7EoxHbIEt6ICU61E22p47zLvhx9aH4QjTzWnQ97rki2 i3wMmRe46I/LE0cgHOlgk151C28YquqLvWn0DQM9pOAdpsAWB4MaIzCLocnPGWfs DF1tG7RfgRIeKTW4pv9JEpk6gf6u1iip51MdAfe0IzhisYItPSyHX/2wJuZ81Wvg PuvMX9Tmv2Ss/QJKPbm2qLh+0FMcLotlGLxypzxVvhdeaboM3JaaNnSJquiMngcz kJ2OC7WtUN4= =XHWJ -----END PGP SIGNATURE-----