Recommended update for mozilla-nss
Announcement ID: | SUSE-RU-2024:2564-1 |
---|---|
Rating: | moderate |
References: | |
Cross-References: | |
CVSS scores: | |
Affected Products: | |
An update that solves one vulnerability, contains one feature and has 17 fixes can now be installed.
Description:
This update for mozilla-nss fixes the following issues:
- Fixed startup crash of Firefox when using FIPS-mode (bsc#1223724).
- Added "Provides: nss" so other RPMs that require 'nss' can be installed (jira PED-6358).
- FIPS: added safe memsets (bsc#1222811)
- FIPS: restrict AES-GCM (bsc#1222830)
- FIPS: Updated FIPS approved cipher lists (bsc#1222813, bsc#1222814, bsc#1222821, bsc#1222822, bsc#1224118)
- FIPS: Updated FIPS self tests (bsc#1222807, bsc#1222828, bsc#1222834)
- FIPS: Updated FIPS approved cipher lists (bsc#1222804, bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116)
Update to NSS 3.101.1:
- GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
Update to NSS 3.101:
- add diagnostic assertions for SFTKObject refcount.
- freeing the slot in DeleteCertAndKey if authentication failed
- fix formatting issues.
- Add Firmaprofesional CA Root-A Web to NSS.
- remove invalid acvp fuzz test vectors.
- pad short P-384 and P-521 signatures gtests.
- remove unused FreeBL ECC code.
- pad short P-384 and P-521 signatures.
- be less strict about ECDSA private key length.
- Integrate HACL* P-521.
- Integrate HACL* P-384.
- memory leak in create_objects_from_handles.
- ensure all input is consumed in a few places in mozilla::pkix
- SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
- clean up escape handling
- Use lib::pkix as default validator instead of the old-one
- Need to add high level support for PQ signing.
- Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation
- SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
- Allow for non-full length ecdsa signature when using softoken
- Modification of .taskcluster.yml due to mozlint indent defects
- Implement support for PBMAC1 in PKCS#12
- disable VLA warnings for fuzz builds.
- remove redundant AllocItem implementation.
- add PK11_ReadDistrustAfterAttribute.
- Clang-formatting of SEC_GetMgfTypeByOidTag update
- Set SEC_ERROR_LIBRARY_FAILURE on self-test failure
- sftk_getParameters(): Fix fallback to default variable after error with configfile.
- Switch to the mozillareleases/image_builder image
- switch from ec_field_GFp to ec_field_plain
Update to NSS 3.100:
- merge pk11_kyberSlotList into pk11_ecSlotList for faster Xyber operations.
- remove ckcapi.
- avoid a potential PK11GenericObject memory leak.
- Remove incomplete ESDH code.
- Decrypt RSA OAEP encrypted messages.
- Fix certutil CRLDP URI code.
- Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys.
- Add ability to encrypt and decrypt CMS messages using ECDH.
- Correct Templates for key agreement in smime/cmsasn.c.
- Moving the decodedCert allocation to NSS.
- Allow developers to speed up repeated local execution of NSS tests that depend on certificates.
Update to NSS 3.99:
- Removing check for message len in ed25519 (bmo#1325335)
- add ed25519 to SECU_ecName2params. (bmo#1884276)
- add EdDSA wycheproof tests. (bmo#1325335)
- nss/lib layer code for EDDSA. (bmo#1325335)
- Adding EdDSA implementation. (bmo#1325335)
- Exporting Certificate Compression types (bmo#1881027)
- Updating ACVP docker to rust 1.74 (bmo#1880857)
- Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335)
- Add NSS_CMSRecipient_IsSupported. (bmo#1877730)
Update to NSS 3.98:
- (CVE-2023-5388) Timing attack against RSA decryption in TLS
- Certificate Compression: enabling the check that the compression was advertised
- Move Windows workers to nss-1/b-win2022-alpha
- Remove Email trust bit from OISTE WISeKey Global Root GC CA
- Replace distutils.spawn.find_executable with shutil.which within mach in nss
- Certificate Compression: Updating nss_bogo_shim to support Certificate compression
- TLS Certificate Compression (RFC 8879) Implementation
- Add valgrind annotations to freebl kyber operations for constant-time execution tests
- Set nssckbi version number to 2.66
- Add Telekom Security roots
- Add D-Trust 2022 S/MIME roots
- Remove expired Security Communication RootCA1 root
- move keys to a slot that supports concatenation in PK11_ConcatSymKeys
- remove unmaintained tls-interop tests
- bogo: add support for the -ipv6 and -shim-id shim flags
- bogo: add support for the -curves shim flag and update Kyber expectations
- bogo: adjust expectation for a key usage bit test
- mozpkix: add option to ignore invalid subject alternative names
- Fix selfserv not stripping publicname: from -X value
- take ownership of ecckilla shims
- add valgrind annotations to freebl/ec.c
- PR_INADDR_ANY needs PR_htonl before assignment to inet.ip
- Update zlib to 1.3.1
Update to NSS 3.97:
- make Xyber768d00 opt-in by policy
- add libssl support for xyber768d00
- add PK11_ConcatSymKeys
- add Kyber and a PKCS#11 KEM interface to softoken
- add a FreeBL API for Kyber
- part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff
- part 1: add a script for vendoring kyber from pq-crystals repo
- Removing the calls to RSA Blind from loader.*
- fix worker type for level3 mac tasks
- RSA Blind implementation
- Remove DSA selftests
- read KWP testvectors from JSON
- Backed out changeset dcb174139e4f
- Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation
- Wrap CC shell commands in gyp expansions
Update to NSS 3.96.1:
- Use pypi dependencies for MacOS worker in ./build_gyp.sh
- p7sign: add -a hash and -u certusage (also p7verify cleanups)
- add a defensive check for large ssl_DefSend return values
- Add dependency to the taskcluster script for Darwin
- Upgrade version of the MacOS worker for the CI
Update to NSS 3.95:
- Bump builtins version number.
- Remove Email trust bit from Autoridad de Certificacion Firmaprofesional CIF A62634068 root cert.
- Remove 4 DigiCert (Symantec/Verisign) Root Certificates
- Remove 3 TrustCor Root Certificates from NSS.
- Remove Camerfirma root certificates from NSS.
- Remove old Autoridad de Certificacion Firmaprofesional Certificate.
- Add four Commscope root certificates to NSS.
- Add TrustAsia Global Root CA G3 and G4 root certificates.
- Include P-384 and P-521 Scalar Validation from HACL*
- Include P-256 Scalar Validation from HACL*.
- After the HACL 256 ECC patch, NSS incorrectly encodes 256 ECC without DER wrapping at the softoken level
- Add means to provide library parameters to C_Initialize
- add OSXSAVE and XCR0 tests to AVX2 detection.
- Typo in ssl3_AppendHandshakeNumber
- Introducing input check of ssl3_AppendHandshakeNumber
- Fix Invalid casts in instance.c
Update to NSS 3.94:
- Updated code and commit ID for HACL*
- update ACVP fuzzed test vector: refuzzed with current NSS
- Softoken C_ calls should use system FIPS setting to select NSC_ or FC_ variants
- NSS needs a database tool that can dump the low level representation of the database
- declare string literals using char in pkixnames_tests.cpp
- avoid implicit conversion for ByteString
- update rust version for acvp docker
- Moving the init function of the mpi_ints before clean-up in ec.c
- P-256 ECDH and ECDSA from HACL*
- Add ACVP test vectors to the repository
- Stop relying on std::basic_string<uint8_t>
- Transpose the PPC_ABI check from Makefile to gyp
Update to NSS 3.93:
- Update zlib in NSS to 1.3.
- softoken: iterate hashUpdate calls for long inputs.
- regenerate NameConstraints test certificates (bsc#1214980).
Update to NSS 3.92:
- Set nssckbi version number to 2.62
- Add 4 Atos TrustedRoot Root CA certificates to NSS
- Add 4 SSL.com Root CA certificates
- Add Sectigo E46 and R46 Root CA certificates
- Add LAWtrust Root CA2 (4096)
- Remove E-Tugra Certification Authority root
- Remove Camerfirma Chambers of Commerce Root.
- Remove Hongkong Post Root CA 1
- Remove E-Tugra Global Root CA ECC v3 and RSA v3
- Avoid redefining BYTE_ORDER on hppa Linux
Update to NSS 3.91:
- Implementation of the HW support check for ADX instruction
- Removing the support of Curve25519
- Fix comment about the addition of ticketSupportsEarlyData
- Adding args to enable-legacy-db build
- dbtests.sh failure in "certutil dump keys with explicit default trust flags"
- Initialize flags in slot structures
- Improve the length check of RSA input to avoid heap overflow
- Followup Fixes
- avoid processing unexpected inputs by checking for m_exptmod base sign
- add a limit check on order_k to avoid infinite loop
- Update HACL* to commit 5f6051d2
- add SHA3 to cryptohi and softoken
- HACL SHA3
- Disabling ASM C25519 for A but X86_64
Update to NSS 3.90.3:
- GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
- clean up escape handling.
- remove redundant AllocItem implementation.
- Disable ASM support for Curve25519.
- Disable ASM support for Curve25519 for all but X86_64.
Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 12 SP5
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2024-2564=1
- SUSE Linux Enterprise High Performance Computing 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-2564=1
- SUSE Linux Enterprise Server 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-2564=1
- SUSE Linux Enterprise Server for SAP Applications 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-2564=1
Package List:
- SUSE Linux Enterprise Software Development Kit 12 SP5 (aarch64 ppc64le s390x x86_64)
  - mozilla-nss-devel-3.101.1-58.118.1
  - mozilla-nss-debugsource-3.101.1-58.118.1
  - mozilla-nss-debuginfo-3.101.1-58.118.1
- SUSE Linux Enterprise High Performance Computing 12 SP5 (aarch64 x86_64)
  - mozilla-nss-devel-3.101.1-58.118.1
  - mozilla-nss-3.101.1-58.118.1
  - mozilla-nss-sysinit-3.101.1-58.118.1
  - mozilla-nss-tools-3.101.1-58.118.1
  - mozilla-nss-debuginfo-3.101.1-58.118.1
  - mozilla-nss-certs-3.101.1-58.118.1
  - mozilla-nss-sysinit-debuginfo-3.101.1-58.118.1
  - libfreebl3-debuginfo-3.101.1-58.118.1
  - mozilla-nss-debugsource-3.101.1-58.118.1
  - libfreebl3-3.101.1-58.118.1
  - libsoftokn3-3.101.1-58.118.1
  - libsoftokn3-debuginfo-3.101.1-58.118.1
  - mozilla-nss-certs-debuginfo-3.101.1-58.118.1
  - mozilla-nss-tools-debuginfo-3.101.1-58.118.1
- SUSE Linux Enterprise High Performance Computing 12 SP5 (x86_64)
  - libfreebl3-32bit-3.101.1-58.118.1
  - mozilla-nss-debuginfo-32bit-3.101.1-58.118.1
  - libfreebl3-debuginfo-32bit-3.101.1-58.118.1
  - libsoftokn3-32bit-3.101.1-58.118.1
  - mozilla-nss-sysinit-32bit-3.101.1-58.118.1
  - libsoftokn3-debuginfo-32bit-3.101.1-58.118.1
  - mozilla-nss-certs-32bit-3.101.1-58.118.1
  - mozilla-nss-certs-debuginfo-32bit-3.101.1-58.118.1
  - mozilla-nss-sysinit-debuginfo-32bit-3.101.1-58.118.1
  - mozilla-nss-32bit-3.101.1-58.118.1
- SUSE Linux Enterprise Server 12 SP5 (aarch64 ppc64le s390x x86_64)
  - mozilla-nss-devel-3.101.1-58.118.1
  - mozilla-nss-3.101.1-58.118.1
  - mozilla-nss-sysinit-3.101.1-58.118.1
  - mozilla-nss-tools-3.101.1-58.118.1
  - mozilla-nss-debuginfo-3.101.1-58.118.1
  - mozilla-nss-certs-3.101.1-58.118.1
  - mozilla-nss-sysinit-debuginfo-3.101.1-58.118.1
  - libfreebl3-debuginfo-3.101.1-58.118.1
  - mozilla-nss-debugsource-3.101.1-58.118.1
  - libfreebl3-3.101.1-58.118.1
  - libsoftokn3-3.101.1-58.118.1
  - libsoftokn3-debuginfo-3.101.1-58.118.1
  - mozilla-nss-certs-debuginfo-3.101.1-58.118.1
  - mozilla-nss-tools-debuginfo-3.101.1-58.118.1
- SUSE Linux Enterprise Server 12 SP5 (x86_64)
  - libfreebl3-32bit-3.101.1-58.118.1
  - mozilla-nss-debuginfo-32bit-3.101.1-58.118.1
  - libfreebl3-debuginfo-32bit-3.101.1-58.118.1
  - libsoftokn3-32bit-3.101.1-58.118.1
  - mozilla-nss-sysinit-32bit-3.101.1-58.118.1
  - libsoftokn3-debuginfo-32bit-3.101.1-58.118.1
  - mozilla-nss-certs-32bit-3.101.1-58.118.1
  - mozilla-nss-certs-debuginfo-32bit-3.101.1-58.118.1
  - mozilla-nss-sysinit-debuginfo-32bit-3.101.1-58.118.1
  - mozilla-nss-32bit-3.101.1-58.118.1
- SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64)
  - mozilla-nss-devel-3.101.1-58.118.1
  - mozilla-nss-3.101.1-58.118.1
  - mozilla-nss-sysinit-3.101.1-58.118.1
  - mozilla-nss-tools-3.101.1-58.118.1
  - mozilla-nss-debuginfo-3.101.1-58.118.1
  - mozilla-nss-certs-3.101.1-58.118.1
  - mozilla-nss-sysinit-debuginfo-3.101.1-58.118.1
  - libfreebl3-debuginfo-3.101.1-58.118.1
  - mozilla-nss-debugsource-3.101.1-58.118.1
  - libfreebl3-3.101.1-58.118.1
  - libsoftokn3-3.101.1-58.118.1
  - libsoftokn3-debuginfo-3.101.1-58.118.1
  - mozilla-nss-certs-debuginfo-3.101.1-58.118.1
  - mozilla-nss-tools-debuginfo-3.101.1-58.118.1
- SUSE Linux Enterprise Server for SAP Applications 12 SP5 (x86_64)
  - libfreebl3-32bit-3.101.1-58.118.1
  - mozilla-nss-debuginfo-32bit-3.101.1-58.118.1
  - libfreebl3-debuginfo-32bit-3.101.1-58.118.1
  - libsoftokn3-32bit-3.101.1-58.118.1
  - mozilla-nss-sysinit-32bit-3.101.1-58.118.1
  - libsoftokn3-debuginfo-32bit-3.101.1-58.118.1
  - mozilla-nss-certs-32bit-3.101.1-58.118.1
  - mozilla-nss-certs-debuginfo-32bit-3.101.1-58.118.1
  - mozilla-nss-sysinit-debuginfo-32bit-3.101.1-58.118.1
  - mozilla-nss-32bit-3.101.1-58.118.1
References:
- https://www.suse.com/security/cve/CVE-2023-5388.html
- https://bugzilla.suse.com/show_bug.cgi?id=1214980
- https://bugzilla.suse.com/show_bug.cgi?id=1222804
- https://bugzilla.suse.com/show_bug.cgi?id=1222807
- https://bugzilla.suse.com/show_bug.cgi?id=1222811
- https://bugzilla.suse.com/show_bug.cgi?id=1222813
- https://bugzilla.suse.com/show_bug.cgi?id=1222814
- https://bugzilla.suse.com/show_bug.cgi?id=1222821
- https://bugzilla.suse.com/show_bug.cgi?id=1222822
- https://bugzilla.suse.com/show_bug.cgi?id=1222826
- https://bugzilla.suse.com/show_bug.cgi?id=1222828
- https://bugzilla.suse.com/show_bug.cgi?id=1222830
- https://bugzilla.suse.com/show_bug.cgi?id=1222833
- https://bugzilla.suse.com/show_bug.cgi?id=1222834
- https://bugzilla.suse.com/show_bug.cgi?id=1223724
- https://bugzilla.suse.com/show_bug.cgi?id=1224113
- https://bugzilla.suse.com/show_bug.cgi?id=1224115
- https://bugzilla.suse.com/show_bug.cgi?id=1224116
- https://bugzilla.suse.com/show_bug.cgi?id=1224118
- https://jira.suse.com/browse/PED-6358