Mar 22, 2021 - 7:54 a.m.

(RHSA-2021:0947) Moderate: pki-core and redhat-pki-theme security and bug fix update

access.redhat.com

EPSS: 0.001 (Low), percentile 35.2%

The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System.

Security Fix(es):

  • pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab (CVE-2019-10178)

  • pki-core: unsanitized token parameters in TPS resulting in stored XSS (CVE-2019-10180)

  • pki-core: Stored XSS in TPS profile creation (CVE-2020-1696)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • TPS - Add logging to tdbAddCertificatesForCUID if adding or searching for cert record fails (BZ#1710978)

  • TPS - Update Error Codes returned to client (CIW/ESC) to Match CS8 (BZ#1858860)

  • TPS - Server side key generation is not working for Identity only tokens - Missing some commits (BZ#1858861)

  • TPS does not check token cuid on the user registration record during PIN reset (BZ#1858867)

  • Update RHCS version of CA, KRA, OCSP, and TKS so that it can be identified using a browser [RHCS 9.7.z BU 2] (BZ#1895104)

  • Update RHCS version of CA, KRA, OCSP, and TKS so that it can be identified using a browser [RHCS 9.7.z BU 4] (BZ#1914474)