opencryptoki-3.25.0-4.el9_7.2

Errata ID: AXSA:2026-359:02

Release date: 
Monday, March 30, 2026 - 15:24
Subject: 
opencryptoki-3.25.0-4.el9_7.2
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
Moderate
Description: 

The opencryptoki packages contain version 2.11 of the PKCS#11 API, implemented for IBM Cryptocards, such as IBM 4764 and 4765 crypto cards. These packages include support for the IBM 4758 Cryptographic CoProcessor (with the PKCS#11 firmware loaded), the IBM eServer Cryptographic Accelerator (FC 4960 on IBM eServer System p), the IBM Crypto Express2 (FC 0863 or FC 0870 on IBM System z), and the IBM CP Assist for Cryptographic Function (FC 3863 on IBM System z). The opencryptoki packages also bring a software token implementation that can be used without any cryptographic hardware. These packages contain the Slot Daemon (pkcsslotd) and general utilities.

Security Fix(es):

* openCryptoki: Privilege Escalation or Data Exposure via Symlink Following (CVE-2026-23893)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2026-23893
openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. Versions 2.3.2 and above are vulnerable to symlink-following when running in privileged contexts. A token-group user can redirect file operations to arbitrary filesystem targets by planting symlinks in group-writable token directories, resulting in privilege escalation or data exposure. Token and lock directories are 0770 (group-writable for token users), so any token-group member can plant files and symlinks inside them. When run as root, the base code handling token directory file access, as well as several openCryptoki tools used for administrative purposes, may reset ownership or permissions on existing files inside the token directories. An attacker with token-group membership can exploit the system when an administrator runs a PKCS#11 application or administrative tool that performs chown on files inside the token directory during normal maintenance. This issue is fixed in commit 5e6e4b4, but has not been included in a released version at the time of publication.
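
A symlink-safe form of the ownership reset described above, as an added example (not taken from this advisory, from openCryptoki, or from commit 5e6e4b4): open the entry with O_NOFOLLOW, check it on the descriptor, then fchown the descriptor. The helper name reset_owner_nofollow, the file names and the scratch directory are assumptions made for the demonstration, and the ELOOP result is Linux behaviour.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: reset ownership without following a planted symlink. */
int reset_owner_nofollow(int dirfd, const char *name, uid_t uid, gid_t gid)
{
    struct stat st;
    int rc = -1, saved;
    /* O_NOFOLLOW: open fails with ELOOP if the final component is a symlink. */
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0) {
        if (S_ISREG(st.st_mode) && st.st_nlink == 1)
            rc = fchown(fd, uid, gid); /* acts on the verified inode, not a path */
        else
            errno = EPERM;             /* FIFO, device, directory or hard link */
    }
    saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Constructed scenario: a scratch directory stands in for a token directory and holds
 * a regular file plus a planted symlink. Returns 0 if only the symlink is refused. */
int demo(void)
{
    char dir[] = "/tmp/tokdemoXXXXXX";
    int dfd, fd, file_rc, link_rc, link_errno;
    if (!mkdtemp(dir) || (dfd = open(dir, O_RDONLY | O_DIRECTORY)) < 0)
        return -1;
    fd = openat(dfd, "token.dat", O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || close(fd) != 0 || symlinkat("token.dat", dfd, "planted") != 0)
        return -1;
    file_rc = reset_owner_nofollow(dfd, "token.dat", getuid(), (gid_t)-1);
    link_rc = reset_owner_nofollow(dfd, "planted", getuid(), (gid_t)-1);
    link_errno = errno;
    unlinkat(dfd, "planted", 0);
    unlinkat(dfd, "token.dat", 0);
    close(dfd);
    rmdir(dir);
    return (file_rc == 0 && link_rc == -1 && link_errno == ELOOP) ? 0 : 1;
}

int main(void) { return demo(); }
```

A path-based chown() in the same position would resolve the planted link and change ownership of its target, which is the behaviour the CVE text describes.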

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. opencryptoki-3.25.0-4.el9_7.2.src.rpm
    MD5: 0a6e2416f6c4236058b89073ebfc9f4c
    SHA-256: 258efd1176a7d7ada6c7ede9a4c1f101832b4e7605bbc2ff9a3e5519f6000b86
    Size: 2.05 MB

Asianux Server 9 for x86_64
  1. opencryptoki-3.25.0-4.el9_7.2.x86_64.rpm
    MD5: 173f628cc66b757815665133188c7ade
    SHA-256: 4acea1b7b4ac94a7ee0db6fa8e423505a9863145391dd7c70a5636ac68929ae0
    Size: 305.47 kB
  2. opencryptoki-ccatok-3.25.0-4.el9_7.2.x86_64.rpm
    MD5: c1adf7cad37d790658923c744dd80606
    SHA-256: f9738793603b1a58993f398da696fe489d0ccc86864c857650ffec708388b2f1
    Size: 350.27 kB
  3. opencryptoki-devel-3.25.0-4.el9_7.2.i686.rpm
    MD5: e1b4916ff431bc8938955de0638eabf3
    SHA-256: 621bfa17ed1e189ae89308a729445068257dc5be512091116bfa8047d5432161
    Size: 27.00 kB
  4. opencryptoki-devel-3.25.0-4.el9_7.2.x86_64.rpm
    MD5: a6e5da616a17888c69bb9bf3ccef04df
    SHA-256: 776a6ec68e0911cfe7ceed136033e10b9c77cc09a6d6188d858a754420fd66b3
    Size: 26.97 kB
  5. opencryptoki-icsftok-3.25.0-4.el9_7.2.x86_64.rpm
    MD5: 44c7a4990f45bb08b642b71d66717c61
    SHA-256: 67da35706dd5744e80b9c4d5958d0b2f7532ac4d6048a82abf34e2aaf809102e
    Size: 149.86 kB
  6. opencryptoki-libs-3.25.0-4.el9_7.2.i686.rpm
    MD5: 61a0a9a1966f7fe1c5bb1839bff7269c
    SHA-256: 7b9cf37f4879d584730c5caf549badad4a76453f3be4f697b99c94f285bdf455
    Size: 85.15 kB
  7. opencryptoki-libs-3.25.0-4.el9_7.2.x86_64.rpm
    MD5: d1647d8f10d8a40a5b765b6ae7fc2a3c
    SHA-256: 6d3c62369d8252cb829a0bdbfd9ce243d694507fd2491ba4b55d4d852c1ea1a6
    Size: 89.49 kB
  8. opencryptoki-swtok-3.25.0-4.el9_7.2.x86_64.rpm
    MD5: 7680b1e235e62fe5dddceef818bc336e
    SHA-256: 9c559b944ef69b9a8b98dff7c3ecca2fc31e12896a1a728c8fc350deba1c6cdf
    Size: 259.36 kB