Environment
NetIQ eDirectory 8.8.6.5
NetIQ eDirectory 8.8.7
RedHat 6.2
RedHat 5.8
Situation
Unable to patch eDir 8.8.6 on RedHat 6.2 after applying latest RedHat updates.
install.sh aborts with the following:
error: ./Linux64/novell-kerberos-base.x86_64.rpm: rpmReadSignature failed: sigh load: BAD
error: ./Linux64/novell-kerberos-base.x86_64.rpm: not an rpm package (or package manifest)
| ./Linux64/novell-kerberos-base.x86_64.rpm ============================================ ERROR ===========================================
Internal Error: isPackageInList() was not passed two parameters.
rpm package is version: rpm.x86_64 0:4.8.0-19.el6_2.1
Using --nosignature or --force does not install the novell-kerberos rpms either.
NOTE: This problem also occurs on RedHat 5.8 fully patched.
The message is a little different.
Installing novell-kerberos-base... %%% Unable to install /software/edir887/eDirectory/setup/novell-kerberos-base-1.5-49.x86_64.rpm , Exiting...
RedHat 5.8 updated packages are:
rpm-4.4.2.3-28.el5_8
rpm-libs-4.4.2.3-28.el5_8
Resolution
This issue has been resolved by repackaging the kerberos rpms. They are available at https://dl.netiq.com by using patch finder to access patches to eDirectory 8.8.6 or 8.8.7.
Workaround:
Use the rpm libs from the rpm-libs-4.8.0-19.el6 package that applies to the particular RedHat platform being used.
Steps:
1. Create a temporary directory.
EX: mkdir /tmp/rpmlibs
2. Copy the 4.8.0-19.el6 version of rpm-libs to the temporary directory.
EX: cp rpm-libs-4.8.0-19.el6.x86_64.rpm /tmp/rpmlibs
NOTE: For RedHat 5.8 use: rpm-libs-4.4.2.3-27.el5
3. Change directories to the temporary directory.
EX: cd /tmp/rpmlibs
4. Extract the files in the rpm to the temporary directory.
EX: rpm2cpio rpm-libs-4.8.0-19.el6.x86_64.rpm | cpio -idmv
5. Set the LD_LIBRARY_PATH to include the temporary directory as the first directory in the path
EX: export LD_LIBRARY_PATH=/tmp/rpmlibs/usr/lib64:$LD_LIBRARY_PATH
6. Stop ndsd
EX: /etc/init.d/ndsd stop
7. From the same terminal window used in step 5 (so that the modified LD_LIBRARY_PATH is being used), change directories to where the eDirectory 8.8.6.5 patch is extracted and run the install.sh from the eDirectory 8.8.6.5 patch with the --force switch.
EX: cd /software/edir8865
./install.sh --force
Possible messages
In the verify section:
warning: ./Linux64/novell-kerberos-base.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 7e2e3b05: NOKEY
| ./Linux64/novell-kerberos-base.x86_64.rpm | 1.5.0.49 [ OK* ]
warning: ./Linux64/novell-kerberos-ldap-extensions.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 7e2e3b05: NOKEY
| ./Linux64/novell-kerberos-ldap-extensions.x86_64.rpm | 1.5.0.49 [ OK* ]
In Verifying versions installed section:
warning: ./Linux64/novell-kerberos-base.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 7e2e3b05: NOKEY
warning: ./Linux64/novell-kerberos-base.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 7e2e3b05: NOKEY
| novell-kerberos-base | 1.5.0.41 [EQUAL VERSION]
warning: ./Linux64/novell-kerberos-ldap-extensions.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 7e2e3b05: NOKEY
warning: ./Linux64/novell-kerberos-ldap-extensions.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 7e2e3b05: NOKEY
| novell-kerberos-ldap-extensions | 1.5.0.41 [EQUAL VERSION]
In the Removing installed packages section:
warning: ./Linux64/novell-kerberos-base.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 7e2e3b05: NOKEY
warning: ./Linux64/novell-kerberos-base.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 7e2e3b05: NOKEY
| novell-kerberos-base | 1.5.0.41 [ SKIPPED ]
warning: ./Linux64/novell-kerberos-ldap-extensions.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 7e2e3b05: NOKEY
warning: ./Linux64/novell-kerberos-ldap-extensions.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 7e2e3b05: NOKEY
| novell-kerberos-ldap-extensions | 1.5.0.41 [ SKIPPED ]
In order to have the novell-kerberos packages updated to the 1.5.0.49 version, use install.sh with the --force option. This will force the removal of the novell-kerberos packages and the install of the current version.
EX: ./install.sh --force
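A variant of steps 1 to 7, as an added example (not NetIQ's script; the function names are hypothetical). The rpm-libs build used in the workaround predates the header validation fixes listed under Cause, so this version extracts it into an owner-only directory from mktemp rather than a fixed name under /tmp, and sets LD_LIBRARY_PATH for the install.sh command alone instead of exporting it for the whole root session.

```shell
#!/bin/sh
# Added example, not NetIQ's script. Function names are hypothetical.
set -u

# True only if $1 is a real directory owned by the caller and not writable by
# group or others. install.sh runs as root and loads whatever libraries come
# first on LD_LIBRARY_PATH, so that directory must not be shared.
libdir_is_private() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] && [ -O "$dir" ] || return 1
    case "$(ls -ld "$dir" | cut -c1-10)" in
        ?????w*|????????w*) return 1 ;;    # group- or world-writable
    esac
    return 0
}

# Steps 1-4: extract rpm-libs into a fresh owner-only directory.
# $1 must be an absolute path to the rpm-libs package. Prints the directory.
extract_rpmlibs() {
    rpmfile=$1
    root=$(mktemp -d) || return 1
    ( umask 022; cd "$root" && rpm2cpio "$rpmfile" | cpio -idm ) || return 1
    printf '%s\n' "$root"
}

# Steps 5 and 7: run one command with the extracted libraries first on the
# path. The variable is set for that command only, not for the shell.
with_old_rpmlibs() {
    root=$1; shift
    lib="$root/usr/lib64"
    for p in "$root" "$root/usr" "$lib"; do
        libdir_is_private "$p" || { echo "refusing: $p is not private" >&2; return 2; }
    done
    LD_LIBRARY_PATH="$lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" "$@"
}

# Usage, as root, with the paths from the steps above:
#   root=$(extract_rpmlibs /path/to/rpm-libs-4.8.0-19.el6.x86_64.rpm)
#   /etc/init.d/ndsd stop
#   cd /software/edir8865 && with_old_rpmlibs "$root" ./install.sh --force
#   rm -rf "$root"
```

Removing the extraction directory afterwards leaves the system's patched rpm libraries as the only copy in use.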
Note: For additional installation requirements to ensure a smooth installation of eDirectory 8.8 SP7 on Red Hat servers please refer to:
https://www.netiq.com/documentation/imanager/imanager_install/?page=/documentation/imanager/imanager_install/data/hk42s9ot.html
Cause
These security changes went into rpm-4.8.0-19_2.1:
* Mon Feb 27 2012 Panu Matilainen <pmatilai@redhat.com> - 4.8.0-19.1
- Proper region tag validation on package/header read (CVE-2012-0060)
- Double-check region size against header size (CVE-2012-0061)
- Validate negated offsets too in headerVerifyInfo() (CVE-2012-0815)
It appears that a change in one of these fixes now causes the novell-kerberos rpms to be treated as BAD instead of NOKEY.