SUSE-SU-2016:2396-1: moderate: Security update for apache2-mod_nss

sle-updates at sle-updates at
Tue Sep 27 11:15:07 MDT 2016

   SUSE Security Update: Security update for apache2-mod_nss

Announcement ID:    SUSE-SU-2016:2396-1
Rating:             moderate
References:         #972968 #975394 #979688 
Cross-References:   CVE-2013-4566 CVE-2014-3566 CVE-2015-5244
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12
                    SUSE Linux Enterprise Server 12-LTSS

   An update that fixes four vulnerabilities is now available.


   This update provides apache2-mod_nss 1.0.14, which brings several fixes
   and enhancements:

   - Fix OpenSSL ciphers stopped parsing at +. (CVE-2016-3099)
   - Created valgrind suppression files to ease debugging.
   - Implement SSL_PPTYPE_FILTER to call executables to get the key password
   - Improvements to
   - Update default ciphers to something more modern and secure.
   - Check for host and netstat commands in gencert before trying to use them.
   - Add server support for DHE ciphers.
   - Extract SAN from server/client certificates into env
   - Fix memory leaks and other coding issues caught by clang analyzer.
   - Add support for Server Name Indication (SNI).
   - Add support for SNI for reverse proxy connections.
   - Add RenegBufferSize? option.
   - Add support for TLS Session Tickets (RFC 5077).
   - Fix logical AND support in OpenSSL cipher compatibility.
   - Correctly handle disabled ciphers. (CVE-2015-5244)
   - Implement a slew more OpenSSL cipher macros.
   - Fix a number of illegal memory accesses and memory leaks.
   - Support for SHA384 ciphers if they are available in NSS.
   - Add compatibility for mod_ssl-style cipher definitions.
   - Add TLSv1.2-specific ciphers.
   - Completely remove support for SSLv2.
   - Add support for sqlite NSS databases.
   - Compare subject CN and VS hostname during server start up.
   - Add support for enabling TLS v1.2.
   - Don't enable SSL 3 by default. (CVE-2014-3566)
   - Fix CVE-2013-4566.
   - Move nss_pcache to /usr/libexec.
   - Support httpd 2.4+.
   - SHA256 cipher names change spelling from *_sha256 to *_sha_256.
   - Use apache2-systemd-ask-pass to prompt for a certificate passphrase.
     (bsc#972968, bsc#975394)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12:

      zypper in -t patch SUSE-SLE-SAP-12-2016-1391=1

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-1391=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server for SAP 12 (x86_64):


   - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):



More information about the sle-updates mailing list