SUSE-SU-2016:2329-1: moderate: Security update for apache2-mod_nss
sle-security-updates at lists.suse.com
Fri Sep 16 13:12:41 MDT 2016
SUSE Security Update: Security update for apache2-mod_nss
______________________________________________________________________________
Announcement ID: SUSE-SU-2016:2329-1
Rating: moderate
References: #975394 #979688
Cross-References: CVE-2013-4566 CVE-2014-3566
Affected Products:
SUSE OpenStack Cloud 5
SUSE Manager Proxy 2.1
SUSE Manager 2.1
SUSE Linux Enterprise Server 11-SP4
SUSE Linux Enterprise Server 11-SP3-LTSS
SUSE Linux Enterprise Server 11-SP2-LTSS
SUSE Linux Enterprise Point of Sale 11-SP3
SUSE Linux Enterprise Debuginfo 11-SP4
SUSE Linux Enterprise Debuginfo 11-SP3
SUSE Linux Enterprise Debuginfo 11-SP2
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update provides apache2-mod_nss 1.0.14, which brings several fixes
and enhancements:
- SHA256 cipher names change spelling from *_sha256 to *_sha_256.
- Drop mod_nss_migrate.pl and use upstream migrate script instead.
- Check for Apache user owner/group read permissions of NSS database at
startup.
- Update default ciphers to something more modern and secure.
- Check for host and netstat commands in gencert before trying to use them.
- Don't ignore NSSProtocol when NSSFIPS is enabled.
- Use proper shell syntax to avoid creating /0 in gencert.
- Add server support for DHE ciphers.
- Extract SAN from server/client certificates into env.
- Fix memory leaks and other coding issues caught by clang analyzer.
- Add support for Server Name Indication (SNI).
- Add support for SNI for reverse proxy connections.
- Add RenegBufferSize option.
- Add support for TLS Session Tickets (RFC 5077).
- Implement a slew more OpenSSL cipher macros.
- Fix a number of illegal memory accesses and memory leaks.
- Support for SHA384 ciphers if they are available in the version of NSS
mod_nss is built against.
- Add the SECURE_RENEG environment variable.
- Add some hints when NSS database cannot be initialized.
- Code cleanup including trailing whitespace and compiler warnings.
- Modernize autotools configuration slightly, add config.h.
- Add small test suite for SNI.
- Add compatibility for mod_ssl-style cipher definitions.
- Add Camellia ciphers.
- Remove Fortezza ciphers.
- Add TLSv1.2-specific ciphers.
- Initialize cipher list when re-negotiating handshake.
- Completely remove support for SSLv2.
- Add support for sqlite NSS databases.
- Compare subject CN and VS hostname during server start up.
- Add support for enabling TLS v1.2.
- Don't enable SSL 3 by default. (CVE-2014-3566)
- Improve protocol testing.
- Add nss_pcache man page.
- Fix argument handling in nss_pcache.
- Support httpd 2.4+.
- Allow users to configure a helper to ask for certificate passphrases via
NSSPassPhraseDialog. (bsc#975394)
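An added example, not part of the SUSE advisory: a shell check for the items above that can affect an existing configuration once the update is installed, namely the *_sha256 to *_sha_256 cipher rename, the SSLv2 removal and SSL 3 no longer being enabled by default. The function names and the sample configuration are constructed for illustration; NSSProtocol and NSSCipherSuite are mod_nss directives.

```shell
#!/bin/sh
# Added example (not from the advisory). audit_mod_nss_conf and sample_conf
# are hypothetical helper names; the sample configuration is constructed.

# Print one finding per line for the mod_nss config file given as $1.
audit_mod_nss_conf() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        tolower($1) == "nssprotocol" {
            v = tolower($0)
            if (v ~ /sslv2/) print NR ": SSLv2 listed, support was removed: " $0
            if (v ~ /sslv3/) print NR ": SSL 3 enabled explicitly (CVE-2014-3566): " $0
        }
        tolower($1) == "nssciphersuite" {
            # Cipher names are comma separated, each prefixed with + or -.
            for (i = 2; i <= NF; i++) {
                n = split($i, names, ",")
                for (j = 1; j <= n; j++) {
                    old = names[j]; sub(/^[+-]/, "", old)
                    if (old ~ /_sha256$/) {
                        fixed = old; sub(/_sha256$/, "_sha_256", fixed)
                        print NR ": old cipher spelling: " old " -> " fixed
                    }
                }
            }
        }
    ' "$1"
}

# Constructed sample configuration used for the demonstration run below.
sample_conf() {
    cat <<'EOF'
# constructed sample, not taken from the advisory
NSSEngine on
NSSProtocol SSLv3,TLSv1.0,TLSv1.1
NSSCipherSuite +rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha_256
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
audit_mod_nss_conf "$tmp"
rm -f "$tmp"
```

Run it against the file that holds your NSSProtocol and NSSCipherSuite lines; no output means none of the three conditions was found.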
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE OpenStack Cloud 5:
zypper in -t patch sleclo50sp3-apache2-mod_nss-12751=1
- SUSE Manager Proxy 2.1:
zypper in -t patch slemap21-apache2-mod_nss-12751=1
- SUSE Manager 2.1:
zypper in -t patch sleman21-apache2-mod_nss-12751=1
- SUSE Linux Enterprise Server 11-SP4:
zypper in -t patch slessp4-apache2-mod_nss-12751=1
- SUSE Linux Enterprise Server 11-SP3-LTSS:
zypper in -t patch slessp3-apache2-mod_nss-12751=1
- SUSE Linux Enterprise Server 11-SP2-LTSS:
zypper in -t patch slessp2-apache2-mod_nss-12751=1
- SUSE Linux Enterprise Point of Sale 11-SP3:
zypper in -t patch sleposp3-apache2-mod_nss-12751=1
- SUSE Linux Enterprise Debuginfo 11-SP4:
zypper in -t patch dbgsp4-apache2-mod_nss-12751=1
- SUSE Linux Enterprise Debuginfo 11-SP3:
zypper in -t patch dbgsp3-apache2-mod_nss-12751=1
- SUSE Linux Enterprise Debuginfo 11-SP2:
zypper in -t patch dbgsp2-apache2-mod_nss-12751=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE OpenStack Cloud 5 (x86_64):
apache2-mod_nss-1.0.14-0.4.25.1
- SUSE Manager Proxy 2.1 (x86_64):
apache2-mod_nss-1.0.14-0.4.25.1
- SUSE Manager 2.1 (s390x x86_64):
apache2-mod_nss-1.0.14-0.4.25.1
- SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):
apache2-mod_nss-1.0.14-0.4.25.1
- SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64):
apache2-mod_nss-1.0.14-0.4.25.1
- SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):
apache2-mod_nss-1.0.14-0.4.25.1
- SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
apache2-mod_nss-1.0.14-0.4.25.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
apache2-mod_nss-debuginfo-1.0.14-0.4.25.1
apache2-mod_nss-debugsource-1.0.14-0.4.25.1
- SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
apache2-mod_nss-debuginfo-1.0.14-0.4.25.1
apache2-mod_nss-debugsource-1.0.14-0.4.25.1
- SUSE Linux Enterprise Debuginfo 11-SP2 (i586 s390x x86_64):
apache2-mod_nss-debuginfo-1.0.14-0.4.25.1
apache2-mod_nss-debugsource-1.0.14-0.4.25.1
References:
https://www.suse.com/security/cve/CVE-2013-4566.html
https://www.suse.com/security/cve/CVE-2014-3566.html
https://bugzilla.suse.com/975394
https://bugzilla.suse.com/979688