Chapter 61. Security
NSS accepts malformed RSA PKCS#1 v1.5 signatures made with an RSA-PSS key
The Network Security Services (NSS) libraries do not check the type of an RSA public key used by a server when validating signatures made using the corresponding private key. Consequently, NSS accepts malformed RSA PKCS#1 v1.5 signatures if they are made with an RSA-PSS key. (BZ#1510156)
Authentication using an ssh-agent not from OpenSSH fails
OpenSSH since version 7.4 negotiates the SHA-2 signature extension by default. Consequently, if a signature is provided by an ssh-agent program that is not from the current OpenSSH suite and that does not know the SHA-2 extension, authentication fails. To work around this problem, use the OpenSSH ssh-agent to provide signatures. (BZ#1497680)
Parsing of OpenSSH public keys is more strict
The parsing of OpenSSH public keys has been changed to be more strict. As a consequence, additional spaces between the key type string and the key blob string are no longer ignored, and login attempts with such keys now fail. To work around this problem, ensure that there is only one space character between the key type and the key blob. (BZ#1493406)
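A small checker for the failure mode above, added here as an example and not part of the release notes: it flags public key lines that have more than one space between the key type and the key blob, returns the normalized line, and also confirms that the type string embedded in the blob matches the declared type. Lines with leading authorized_keys options are assumed out of scope, and the key bytes in the sample file are constructed dummies.

```python
import base64
import re
import struct

# Key type strings as they appear in OpenSSH public key and authorized_keys lines.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def ssh_string(data):
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length plus body."""
    return struct.pack(">I", len(data)) + data

def constructed_blob(ktype, key_bytes):
    """Build a base64 key blob for sample input only (constructed, dummy key bytes)."""
    return base64.b64encode(ssh_string(ktype.encode()) + ssh_string(key_bytes)).decode()

def blob_key_type(blob_b64):
    """Return the key type string embedded at the start of a base64 blob, or None."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    n = struct.unpack(">I", raw[:4])[0] if len(raw) >= 4 else None
    if n is None or len(raw) < 4 + n:
        return None
    return raw[4:4 + n].decode("ascii", "replace")

def check_pubkey_line(line):
    """Classify one line as ('ok' | 'extra-space' | 'bad-blob' | 'skip', normalized line)."""
    line = line.rstrip("\n")
    m = re.match(r"^(\S+)( +)(\S+)(.*)$", line)
    if not m or m.group(1) not in KEY_TYPES:
        return ("skip", line)  # comments, blank lines, lines with leading options (out of scope)
    ktype, sep, blob, rest = m.groups()
    if blob_key_type(blob) != ktype:
        return ("bad-blob", line)  # blob does not decode or declares a different key type
    fixed = f"{ktype} {blob}{rest}"  # exactly one space, as the strict parser requires
    return ("extra-space" if sep != " " else "ok", fixed)

# Constructed sample file: the 32 zero bytes stand in for a real Ed25519 public key.
ED_BLOB = constructed_blob("ssh-ed25519", bytes(32))
SAMPLE = [
    "ssh-ed25519 " + ED_BLOB + " alice@example",  # one space: still accepted
    "ssh-ed25519   " + ED_BLOB + " bob@example",  # three spaces: login now fails
    "ssh-rsa " + ED_BLOB,                         # declared type does not match the blob
    "# comment line",
]

if __name__ == "__main__":
    print(*(check_pubkey_line(l) for l in SAMPLE), sep="\n")
```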
SCAP Workbench fails to generate results-based remediations from tailored profiles
The following error occurs when trying to generate results-based remediation roles from a customized profile using the SCAP Workbench tool:
Error generating remediation role '.../remediation.sh': Exit code of 'oscap' was 1: [output truncated]
Clevis can log spurious Device is not initialized error messages
If the Clevis pluggable framework is in the initramfs image, an encrypted volume is configured to unlock during boot time, and the Clevis binding for that volume has not been configured, the boot log shows spurious Device is not initialized error messages. To work around this problem, perform the Clevis binding step, and the error messages for the volume disappear. (BZ#1538759)
Libreswan does not work properly with seccomp=enabled on all configurations
The set of allowed syscalls in the Libreswan SECCOMP support implementation is currently not complete. Consequently, when SECCOMP is enabled in the ipsec.conf file, the syscall filtering rejects even syscalls needed for proper functioning of the pluto daemon; the daemon is killed, and the ipsec service is restarted.
To work around this problem, set the seccomp= option back to the disabled state. SECCOMP support must remain disabled to run ipsec properly. (BZ#1544463)
OpenSCAP RPM verification rules do not work correctly with VM and container file systems
The rpminfo, rpmverify, and rpmverifyfile probes do not fully support offline mode. Consequently, OpenSCAP RPM verification rules do not work correctly when scanning virtual machine (VM) and container file systems in offline mode.
To work around this problem, disable the RPM verification rules or perform a manual check using the guidance in the SCAP Security Guide. Results of scanning VM and container file systems in offline mode might contain false negatives. (BZ#1556988)
Firefox and other applications using NSS become unresponsive when a smart card is inserted
The Network Security Services (NSS) libraries incorrectly handle smart card insertion events and the states of such events. Consequently, the Firefox browser and other applications using NSS in the GNOME Display Manager (GDM) do not reliably detect the card insertion state and become unresponsive while waiting for slot events.
To work around this problem, do not update the nss packages to version 3.34 and wait for the upstream version 3.36. Smart cards work correctly with the previous NSS version. (BZ#1557015)