Fedora 25 : ca-certificates (2016-d1408c3ba3)

2016-11-15T00:00:00
ID FEDORA_2016-D1408C3BA3.NASL
Type nessus
Reporter Tenable
Modified 2016-11-15T00:00:00

Description

This is an update to the Mozilla CA certificates list version 2.9, which has been published as part of Mozilla NSS 3.26.

This update reverts the CA list to the unmodified upstream CA list. The legacy CA modifications, which had previously been shipped with Fedora, have been reverted to an empty list. Because the certificate verification libraries shipped in Fedora have already been updated to find alternative chains of trust, trusting the legacy CAs with 1024-bit RSA keys should no longer be necessary.

The ca-legacy tool is kept, and existing configuration on systems will be preserved. However, the ca-legacy system configuration will have no effect after this update, as long as the legacy CA list is empty. The tool and the configuration are kept because they might be useful again if other CAs must be treated as legacy CAs in the future.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

                                        
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory FEDORA-2016-d1408c3ba3.
#

include("compat.inc");

if (description)
{
  # Plugin identity and revision metadata.
  script_id(94864);
  script_version("$Revision: 2.1 $");
  script_cvs_date("$Date: 2016/11/15 14:40:20 $");

  # Cross-reference to the Fedora advisory this plugin was generated from.
  script_xref(name:"FEDORA", value:"2016-d1408c3ba3");

  script_name(english:"Fedora 25 : ca-certificates (2016-d1408c3ba3)");
  script_summary(english:"Checks rpm output for the updated package.");

  # Report text: synopsis, advisory description, reference link and remediation.
  script_set_attribute(attribute:"synopsis", value:"The remote Fedora host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"This is an update to the Mozilla CA certificates list version 2.9,
which has been published as part of Mozilla NSS 3.26.

This update reverts the CA list to the unmodified upstream CA list.
The legacy CA modifications, which had previously been shipped with
Fedora, have been reverted to an empty list. Because the certificate
verification libraries shipped in Fedora have already been updated to
find alternative chains of trust, trusting the legacy CAs with
1024-bit RSA keys should no longer be necessary.

The ca-legacy tool is kept, and existing configuration on systems will
be preserved. However, the ca-legacy system configuration will have no
effect after this update, as long as the legacy CA list is empty. The
tool and the configuration are kept, because potentially it might be
useful again, if other CAs must be treated as legacy CAs in the
future.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.");
  script_set_attribute(attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-d1408c3ba3");
  script_set_attribute(attribute:"solution", value:"Update the affected ca-certificates package.");
  script_set_attribute(attribute:"risk_factor", value:"High");

  # Classification: a local (credentialed) check scoped to the package CPE and the OS CPE.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:ca-certificates");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");

  # Dates: when the fix was published upstream vs. when this plugin shipped.
  script_set_attribute(attribute:"patch_publication_date", value:"2016/09/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/15");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  # The check needs the SSH-gathered host facts and the rpm inventory in the KB.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


# Preconditions: every audit() call below terminates the plugin, so each
# check is a guard clause and the order is significant.

# A local (credentialed) check is meaningless without local checks enabled.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Fedora stores its release string under the RedHat KB key; require it to
# name Fedora and carry a numeric release we can pin to 25.
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");

rel_match = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(rel_match)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = rel_match[1];
if (! ereg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver);

# The package inventory is what rpm_check compares against.
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86 (32- and 64-bit) targets are handled by this plugin.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

# Version comparison of the installed ca-certificates rpm against the fixed
# build from the advisory; this is a package-version test, not an inspection
# of the trust store itself.
found = 0;
if (rpm_check(release:"FC25", reference:"ca-certificates-2016.2.9-1.1.fc25")) found++;

if (!found)
{
  # Distinguish "installed but already fixed" from "not installed at all".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  audit(AUDIT_PACKAGE_NOT_INSTALLED, "ca-certificates");
}

# Vulnerable: report with the rpm comparison details as evidence.
security_report_v4(
  port     : 0,
  severity : SECURITY_HOLE,
  extra    : rpm_report_get()
);
exit(0);