Chapter 33. Security
CardOS 5.3 smart cards with ECDSA support work correctly in OpenSC
Previously, OpenSC did not correctly parse the ECDSA algorithm in the TokenInfo information provided by CardOS 5.3 smart cards. As a consequence, OpenSC did not detect these cards. The TokenInfo parser has been updated and now complies with the PKCS #15 specification. As a result, CardOS 5.3 smart cards with ECDSA support work correctly in OpenSC. (BZ#1562277)
Non-CCID-compliant smart card readers work in OpenSC
Certain smart card readers implement PIN pad functionality that does not follow the chip card interface device (CCID) specification. Previously, OpenSC detected the PIN pad of such smart card readers, but the reader could not be used with OpenSC. With this update, the PIN pad detection has been disabled in OpenSC by default. As a result, non-CCID-compliant smart card readers can be used, but without the PIN pad feature. (BZ#1547117)
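For readers whose PIN pad is known to work with OpenSC, the detection that this update turns off can be switched back on in opensc.conf. The fragment below is an added illustration, not text from the release note; it assumes the enable_pinpad option in the pcsc reader driver block, which is where OpenSC of this era kept it, so its placement should be checked against the opensc.conf shipped with the installed version.

```conf
# Added example: re-enable PIN pad detection in /etc/opensc.conf.
# Assumes the enable_pinpad option of the pcsc reader driver block; verify
# the option's section in the opensc.conf shipped with your OpenSC version.
app default {
    reader_driver pcsc {
        # OpenSC now defaults this to false so that readers with
        # non-CCID-compliant PIN pads remain usable (without the PIN pad).
        # Set it to true only for readers whose PIN pad works with OpenSC.
        enable_pinpad = true;
    }
}
```

With the option left at its new default, PIN entry for such readers happens on the host keyboard rather than on the reader's pad.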
The pkcs11-tool utility now supports mechanism IDs and handles ECDSA keys correctly
Previously, the pkcs11-tool utility incorrectly handled EC_POINT values and support for certain vendor-specific mechanisms was missing. As a consequence, these mechanisms and certain ECDSA keys in hardware security modules (HSM) and smart cards were not supported by pkcs11-tool. With this update, pkcs11-tool handles EC_POINT values and vendor-specific mechanisms correctly. As a result, the utility now supports mechanism IDs and handles ECDSA keys correctly. (BZ#1562572)
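The EC_POINT handling mentioned above is a common interoperability trap: PKCS #11 defines CKA_EC_POINT as the DER encoding of an ANSI X9.62 ECPoint, that is an OCTET STRING wrapping the uncompressed point 0x04 || X || Y, but some tokens return the bare point instead, and both forms begin with the byte 0x04. The following decoder is an added example written for this chapter, not code from OpenSC or pkcs11-tool; it disambiguates the two forms by length rather than by the first byte and, for P-256, checks that the decoded point actually lies on the curve. The function names and the P-256 constants (taken from FIPS 186-4) are this example's own.

```python
"""Decode a PKCS#11 CKA_EC_POINT value into (x, y) coordinates.

Added example, not OpenSC code.  CKA_EC_POINT should be an OCTET STRING
wrapping the uncompressed point 0x04 || X || Y, but some tokens return the
bare point.  The DER OCTET STRING tag and the uncompressed-point marker are
both 0x04, so the decoder distinguishes the forms by total length, which the
caller knows from the key's curve (coord_len = field size in bytes).
"""

# P-256 domain parameters (FIPS 186-4), used only to validate decoded points.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def _der_length(buf, pos):
    """Parse a DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    length = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
    if length < 0x80:
        raise ValueError("non-minimal DER length")  # DER forbids this
    return length, pos + 1 + n


def decode_ec_point(blob, coord_len):
    """Return (x, y, wrapped) for a CKA_EC_POINT value of a curve with
    coord_len-byte coordinates.  wrapped tells whether the OCTET STRING
    wrapper required by PKCS#11 was present."""
    blob = bytes(blob)
    raw_len = 1 + 2 * coord_len  # 0x04 || X || Y
    wrapped = len(blob) != raw_len
    if wrapped:
        if not blob or blob[0] != 0x04:
            raise ValueError("not a DER OCTET STRING")
        length, start = _der_length(blob, 1)
        if start + length != len(blob):
            raise ValueError("OCTET STRING length does not match value")
        blob = blob[start:]
        if len(blob) != raw_len:
            raise ValueError("unexpected point length for this curve")
    if blob[0] != 0x04:
        raise ValueError("only uncompressed points are supported")
    x = int.from_bytes(blob[1:1 + coord_len], "big")
    y = int.from_bytes(blob[1 + coord_len:], "big")
    return x, y, wrapped


def encode_ec_point(x, y, coord_len, wrapped=True):
    """Inverse of decode_ec_point; produces either form for testing."""
    point = b"\x04" + x.to_bytes(coord_len, "big") + y.to_bytes(coord_len, "big")
    if not wrapped:
        return point
    n = len(point)
    if n < 0x80:
        header = bytes([0x04, n])
    else:  # long-form length, needed e.g. for P-521 (133-byte point)
        nbytes = (n.bit_length() + 7) // 8
        header = bytes([0x04, 0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return header + point


def on_curve_p256(x, y):
    """True if (x, y) satisfies y^2 = x^3 - 3x + b over the P-256 field."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def is_valid_p256_ec_point(blob):
    """Structural decode plus on-curve check; False instead of raising."""
    try:
        x, y, _ = decode_ec_point(blob, 32)
    except (ValueError, IndexError):
        return False
    return on_curve_p256(x, y)


if __name__ == "__main__":
    # Constructed sample: the P-256 generator in both encodings.
    for wrapped in (True, False):
        blob = encode_ec_point(P256_GX, P256_GY, 32, wrapped)
        print(wrapped, len(blob), is_valid_p256_ec_point(blob))
```

Feeding the on-curve check with the decoded value catches the failure mode that a length-only decoder misses: a bare point misread as a wrapped one (or the reverse) yields coordinates that parse but do not satisfy the curve equation.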
OpenSCAP RPM verification rules no longer work incorrectly with VM and container file systems
Previously, the rpminfo, rpmverify, and rpmverifyfile probes did not fully support offline mode. As a consequence, OpenSCAP RPM verification rules did not work correctly when scanning virtual machine (VM) and container file systems in offline mode. With this update, support for offline mode has been fixed, and results of scanning VM and container file systems in offline mode no longer contain false negatives. (BZ#1556988)
sudo no longer blocks poll() for /dev/ptmx
Previously, when running a command through sudo with I/O logging enabled, a parent process of the command was occasionally blocked in the poll() function, waiting for an event on the /dev/ptmx file descriptor. Consequently, a deadlock occurred and sudo might leave the process of the command in an unresponsive state. This update adds pseudoterminal cleanup logic, and sudo no longer causes a deadlock in the described scenario. (BZ#1560657)