SUSE-RU-2018:0264-1: moderate: Recommended update for mozilla-nss

sle-updates at lists.suse.com sle-updates at lists.suse.com
Mon Jan 29 13:07:05 MST 2018


   SUSE Recommended Update: Recommended update for mozilla-nss
______________________________________________________________________________

Announcement ID:    SUSE-RU-2018:0264-1
Rating:             moderate
References:         #1043853 #1049673 #1055271 #1074009 
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP3
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP3
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP3
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE CaaS Platform ALL
______________________________________________________________________________

   An update that has four recommended fixes can now be
   installed.

Description:

   This update for mozilla-nss provides the following fixes:

   - Change DRBG to use the getrandom() kernel interface instead of
     /dev/urandom (bsc#1043853).
   - Add patches for strengthening and FIPS compliance (bsc#1055271,
     bsc#1049673):
     * Use getrandom() instead of /dev/random and /dev/urandom where
       available.
     * Remove continuous DRBG test. This is no longer required for FIPS
       compliance.
     * Add DSA known answer POST.
     * Add ECDSA known answer POST.
     * Use FIPS compliant hash length in pairwise consistency check.
     * Make RSA key generation parameters more strict in order to meet FIPS
       criteria.
     * Add DH and ECDH known answer POSTs.
     * Add KDF135 CAVS test.
     * Add keywrapping CAVS test.
     * Add KAS FFC CAVS test.
     * Add KAS ECC CAVS test.
     * Restrict number of bytes generated per GCM IV for FIPS compliance.
     * Add helpers required by new CAVS tests.
     * Add fixes to make DSA CAVS tests pass.
     * Add fixes to make RSA CAVS tests pass.
     * Add constructor POSTs.
     * Disable weak ciphers in FIPS mode.
     * Prevent wraparounds in CTR mode.
     * Clear various sensitive parameters from memory when no longer in use.
     * Allow TLS 1.0 PRF to work in FIPS mode, even though it relies on MD5,
       which is
       otherwise banned.
     * Use strong random pool (/dev/random or getrandom() with GRND_RANDOM
       instead of their more dilute counterparts) in FIPS mode.
   - We allow AESNI by default now. This can be disabled at runtime by
     defining NSS_DISABLE_HW_AES in the environment.
   - Export NSS_FORCE_FIPS=1 for build, since this is needed now to prevent
     NSS from passing
     -DNSS_NO_INIT_SUPPORT, which disables on-load FIPS POSTs.


Patch Instructions:

   To install this SUSE Recommended Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP3:

      zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-184=1

   - SUSE Linux Enterprise Software Development Kit 12-SP2:

      zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-184=1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-184=1

   - SUSE Linux Enterprise Server 12-SP3:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-184=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-184=1

   - SUSE Linux Enterprise Desktop 12-SP3:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-184=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-184=1

   - SUSE CaaS Platform ALL:

      zypper in -t patch SUSE-CAASP-ALL-2018-184=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64):

      mozilla-nss-debuginfo-3.29.5-58.9.1
      mozilla-nss-debugsource-3.29.5-58.9.1
      mozilla-nss-devel-3.29.5-58.9.1

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

      mozilla-nss-debuginfo-3.29.5-58.9.1
      mozilla-nss-debugsource-3.29.5-58.9.1
      mozilla-nss-devel-3.29.5-58.9.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

      libfreebl3-3.29.5-58.9.1
      libfreebl3-debuginfo-3.29.5-58.9.1
      libfreebl3-hmac-3.29.5-58.9.1
      libsoftokn3-3.29.5-58.9.1
      libsoftokn3-debuginfo-3.29.5-58.9.1
      libsoftokn3-hmac-3.29.5-58.9.1
      mozilla-nss-3.29.5-58.9.1
      mozilla-nss-certs-3.29.5-58.9.1
      mozilla-nss-certs-debuginfo-3.29.5-58.9.1
      mozilla-nss-debuginfo-3.29.5-58.9.1
      mozilla-nss-debugsource-3.29.5-58.9.1
      mozilla-nss-sysinit-3.29.5-58.9.1
      mozilla-nss-sysinit-debuginfo-3.29.5-58.9.1
      mozilla-nss-tools-3.29.5-58.9.1
      mozilla-nss-tools-debuginfo-3.29.5-58.9.1

   - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64):

      libfreebl3-3.29.5-58.9.1
      libfreebl3-debuginfo-3.29.5-58.9.1
      libfreebl3-hmac-3.29.5-58.9.1
      libsoftokn3-3.29.5-58.9.1
      libsoftokn3-debuginfo-3.29.5-58.9.1
      libsoftokn3-hmac-3.29.5-58.9.1
      mozilla-nss-3.29.5-58.9.1
      mozilla-nss-certs-3.29.5-58.9.1
      mozilla-nss-certs-debuginfo-3.29.5-58.9.1
      mozilla-nss-debuginfo-3.29.5-58.9.1
      mozilla-nss-debugsource-3.29.5-58.9.1
      mozilla-nss-sysinit-3.29.5-58.9.1
      mozilla-nss-sysinit-debuginfo-3.29.5-58.9.1
      mozilla-nss-tools-3.29.5-58.9.1
      mozilla-nss-tools-debuginfo-3.29.5-58.9.1

   - SUSE Linux Enterprise Server 12-SP3 (s390x x86_64):

      libfreebl3-32bit-3.29.5-58.9.1
      libfreebl3-debuginfo-32bit-3.29.5-58.9.1
      libfreebl3-hmac-32bit-3.29.5-58.9.1
      libsoftokn3-32bit-3.29.5-58.9.1
      libsoftokn3-debuginfo-32bit-3.29.5-58.9.1
      libsoftokn3-hmac-32bit-3.29.5-58.9.1
      mozilla-nss-32bit-3.29.5-58.9.1
      mozilla-nss-certs-32bit-3.29.5-58.9.1
      mozilla-nss-certs-debuginfo-32bit-3.29.5-58.9.1
      mozilla-nss-debuginfo-32bit-3.29.5-58.9.1
      mozilla-nss-sysinit-32bit-3.29.5-58.9.1
      mozilla-nss-sysinit-debuginfo-32bit-3.29.5-58.9.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64):

      libfreebl3-3.29.5-58.9.1
      libfreebl3-debuginfo-3.29.5-58.9.1
      libfreebl3-hmac-3.29.5-58.9.1
      libsoftokn3-3.29.5-58.9.1
      libsoftokn3-debuginfo-3.29.5-58.9.1
      libsoftokn3-hmac-3.29.5-58.9.1
      mozilla-nss-3.29.5-58.9.1
      mozilla-nss-certs-3.29.5-58.9.1
      mozilla-nss-certs-debuginfo-3.29.5-58.9.1
      mozilla-nss-debuginfo-3.29.5-58.9.1
      mozilla-nss-debugsource-3.29.5-58.9.1
      mozilla-nss-sysinit-3.29.5-58.9.1
      mozilla-nss-sysinit-debuginfo-3.29.5-58.9.1
      mozilla-nss-tools-3.29.5-58.9.1
      mozilla-nss-tools-debuginfo-3.29.5-58.9.1

   - SUSE Linux Enterprise Server 12-SP2 (s390x x86_64):

      libfreebl3-32bit-3.29.5-58.9.1
      libfreebl3-debuginfo-32bit-3.29.5-58.9.1
      libfreebl3-hmac-32bit-3.29.5-58.9.1
      libsoftokn3-32bit-3.29.5-58.9.1
      libsoftokn3-debuginfo-32bit-3.29.5-58.9.1
      libsoftokn3-hmac-32bit-3.29.5-58.9.1
      mozilla-nss-32bit-3.29.5-58.9.1
      mozilla-nss-certs-32bit-3.29.5-58.9.1
      mozilla-nss-certs-debuginfo-32bit-3.29.5-58.9.1
      mozilla-nss-debuginfo-32bit-3.29.5-58.9.1
      mozilla-nss-sysinit-32bit-3.29.5-58.9.1
      mozilla-nss-sysinit-debuginfo-32bit-3.29.5-58.9.1

   - SUSE Linux Enterprise Desktop 12-SP3 (x86_64):

      libfreebl3-3.29.5-58.9.1
      libfreebl3-32bit-3.29.5-58.9.1
      libfreebl3-debuginfo-3.29.5-58.9.1
      libfreebl3-debuginfo-32bit-3.29.5-58.9.1
      libsoftokn3-3.29.5-58.9.1
      libsoftokn3-32bit-3.29.5-58.9.1
      libsoftokn3-debuginfo-3.29.5-58.9.1
      libsoftokn3-debuginfo-32bit-3.29.5-58.9.1
      mozilla-nss-3.29.5-58.9.1
      mozilla-nss-32bit-3.29.5-58.9.1
      mozilla-nss-certs-3.29.5-58.9.1
      mozilla-nss-certs-32bit-3.29.5-58.9.1
      mozilla-nss-certs-debuginfo-3.29.5-58.9.1
      mozilla-nss-certs-debuginfo-32bit-3.29.5-58.9.1
      mozilla-nss-debuginfo-3.29.5-58.9.1
      mozilla-nss-debuginfo-32bit-3.29.5-58.9.1
      mozilla-nss-debugsource-3.29.5-58.9.1
      mozilla-nss-sysinit-3.29.5-58.9.1
      mozilla-nss-sysinit-32bit-3.29.5-58.9.1
      mozilla-nss-sysinit-debuginfo-3.29.5-58.9.1
      mozilla-nss-sysinit-debuginfo-32bit-3.29.5-58.9.1
      mozilla-nss-tools-3.29.5-58.9.1
      mozilla-nss-tools-debuginfo-3.29.5-58.9.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

      libfreebl3-3.29.5-58.9.1
      libfreebl3-32bit-3.29.5-58.9.1
      libfreebl3-debuginfo-3.29.5-58.9.1
      libfreebl3-debuginfo-32bit-3.29.5-58.9.1
      libsoftokn3-3.29.5-58.9.1
      libsoftokn3-32bit-3.29.5-58.9.1
      libsoftokn3-debuginfo-3.29.5-58.9.1
      libsoftokn3-debuginfo-32bit-3.29.5-58.9.1
      mozilla-nss-3.29.5-58.9.1
      mozilla-nss-32bit-3.29.5-58.9.1
      mozilla-nss-certs-3.29.5-58.9.1
      mozilla-nss-certs-32bit-3.29.5-58.9.1
      mozilla-nss-certs-debuginfo-3.29.5-58.9.1
      mozilla-nss-certs-debuginfo-32bit-3.29.5-58.9.1
      mozilla-nss-debuginfo-3.29.5-58.9.1
      mozilla-nss-debuginfo-32bit-3.29.5-58.9.1
      mozilla-nss-debugsource-3.29.5-58.9.1
      mozilla-nss-sysinit-3.29.5-58.9.1
      mozilla-nss-sysinit-32bit-3.29.5-58.9.1
      mozilla-nss-sysinit-debuginfo-3.29.5-58.9.1
      mozilla-nss-sysinit-debuginfo-32bit-3.29.5-58.9.1
      mozilla-nss-tools-3.29.5-58.9.1
      mozilla-nss-tools-debuginfo-3.29.5-58.9.1

   - SUSE CaaS Platform ALL (x86_64):

      libfreebl3-3.29.5-58.9.1
      libfreebl3-debuginfo-3.29.5-58.9.1
      libsoftokn3-3.29.5-58.9.1
      libsoftokn3-debuginfo-3.29.5-58.9.1
      mozilla-nss-3.29.5-58.9.1
      mozilla-nss-certs-3.29.5-58.9.1
      mozilla-nss-certs-debuginfo-3.29.5-58.9.1
      mozilla-nss-debuginfo-3.29.5-58.9.1
      mozilla-nss-debugsource-3.29.5-58.9.1


References:

   https://bugzilla.suse.com/1043853
   https://bugzilla.suse.com/1049673
   https://bugzilla.suse.com/1055271
   https://bugzilla.suse.com/1074009



More information about the sle-updates mailing list