Security update for apache2-mod_nss

Announcement ID:	SUSE-SU-2016:2396-1
Rating:	moderate
References:	bsc#972968 bsc#975394 bsc#979688
Cross-References:	CVE-2013-4566 CVE-2014-3566 CVE-2015-5244 CVE-2016-3099
CVSS scores:	CVE-2014-3566 ( NVD ): 3.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N CVE-2016-3099 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products:	SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 LTSS 12 SUSE Linux Enterprise Server for SAP Applications 12

An update that solves four vulnerabilities can now be installed.

Description:

This update provides apache2-mod_nss 1.0.14, which brings several fixes and enhancements:

• Fix OpenSSL ciphers stopped parsing at +. (CVE-2016-3099)
• Created valgrind suppression files to ease debugging.
• Implement SSL_PPTYPE_FILTER to call executables to get the key password pins.
• Improvements to migrate.pl.
• Update default ciphers to something more modern and secure.
• Check for host and netstat commands in gencert before trying to use them.
• Add server support for DHE ciphers.
• Extract SAN from server/client certificates into env
• Fix memory leaks and other coding issues caught by clang analyzer.
• Add support for Server Name Indication (SNI).
• Add support for SNI for reverse proxy connections.
• Add RenegBufferSize? option.
• Add support for TLS Session Tickets (RFC 5077).
• Fix logical AND support in OpenSSL cipher compatibility.
• Correctly handle disabled ciphers. (CVE-2015-5244)
• Implement a slew more OpenSSL cipher macros.
• Fix a number of illegal memory accesses and memory leaks.
• Support for SHA384 ciphers if they are available in NSS.
• Add compatibility for mod_ssl-style cipher definitions.
• Add TLSv1.2-specific ciphers.
• Completely remove support for SSLv2.
• Add support for sqlite NSS databases.
• Compare subject CN and VS hostname during server start up.
• Add support for enabling TLS v1.2.
• Don't enable SSL 3 by default. (CVE-2014-3566)
• Fix CVE-2013-4566.
• Move nss_pcache to /usr/libexec.
• Support httpd 2.4+.
• SHA256 cipher names change spelling from _sha256 to _sha_256.
• Use apache2-systemd-ask-pass to prompt for a certificate passphrase. (bsc#972968, bsc#975394)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server for SAP Applications 12
  zypper in -t patch SUSE-SLE-SAP-12-2016-1391=1
• SUSE Linux Enterprise Server 12 LTSS 12
  zypper in -t patch SUSE-SLE-SERVER-12-2016-1391=1

Package List:

• SUSE Linux Enterprise Server for SAP Applications 12 (x86_64)
  • apache2-mod_nss-debugsource-1.0.14-10.14.3
  • apache2-mod_nss-1.0.14-10.14.3
  • apache2-mod_nss-debuginfo-1.0.14-10.14.3
• SUSE Linux Enterprise Server 12 LTSS 12 (ppc64le s390x x86_64)
  • apache2-mod_nss-debugsource-1.0.14-10.14.3
  • apache2-mod_nss-1.0.14-10.14.3
  • apache2-mod_nss-debuginfo-1.0.14-10.14.3

References:

• https://www.suse.com/security/cve/CVE-2013-4566.html
• https://www.suse.com/security/cve/CVE-2014-3566.html
• https://www.suse.com/security/cve/CVE-2015-5244.html
• https://www.suse.com/security/cve/CVE-2016-3099.html
• https://bugzilla.suse.com/show_bug.cgi?id=972968
• https://bugzilla.suse.com/show_bug.cgi?id=975394
• https://bugzilla.suse.com/show_bug.cgi?id=979688