SUSE-RU-2018:0264-1: moderate: Recommended update for mozilla-nss
sle-updates at lists.suse.com
Mon Jan 29 13:07:05 MST 2018
SUSE Recommended Update: Recommended update for mozilla-nss
______________________________________________________________________________
Announcement ID: SUSE-RU-2018:0264-1
Rating: moderate
References: #1043853 #1049673 #1055271 #1074009
Affected Products:
SUSE Linux Enterprise Software Development Kit 12-SP3
SUSE Linux Enterprise Software Development Kit 12-SP2
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
SUSE Linux Enterprise Server 12-SP3
SUSE Linux Enterprise Server 12-SP2
SUSE Linux Enterprise Desktop 12-SP3
SUSE Linux Enterprise Desktop 12-SP2
SUSE CaaS Platform ALL
______________________________________________________________________________
An update that has four recommended fixes can now be
installed.
Description:
This update for mozilla-nss provides the following fixes:
- Change DRBG to use the getrandom() kernel interface instead of
/dev/urandom (bsc#1043853).
- Add patches for strengthening and FIPS compliance (bsc#1055271,
bsc#1049673):
* Use getrandom() instead of /dev/random and /dev/urandom where
available.
* Remove continuous DRBG test. This is no longer required for FIPS
compliance.
* Add DSA known answer POST.
* Add ECDSA known answer POST.
* Use FIPS compliant hash length in pairwise consistency check.
* Make RSA key generation parameters more strict in order to meet FIPS
criteria.
* Add DH and ECDH known answer POSTs.
* Add KDF135 CAVS test.
* Add keywrapping CAVS test.
* Add KAS FFC CAVS test.
* Add KAS ECC CAVS test.
* Restrict number of bytes generated per GCM IV for FIPS compliance.
* Add helpers required by new CAVS tests.
* Add fixes to make DSA CAVS tests pass.
* Add fixes to make RSA CAVS tests pass.
* Add constructor POSTs.
* Disable weak ciphers in FIPS mode.
* Prevent wraparounds in CTR mode.
* Clear various sensitive parameters from memory when no longer in use.
* Allow TLS 1.0 PRF to work in FIPS mode, even though it relies on MD5,
which is otherwise banned.
* Use strong random pool (/dev/random or getrandom() with GRND_RANDOM
instead of their more dilute counterparts) in FIPS mode.
- We allow AESNI by default now. This can be disabled at runtime by
defining NSS_DISABLE_HW_AES in the environment.
- Export NSS_FORCE_FIPS=1 for build, since this is needed now to prevent
NSS from passing -DNSS_NO_INIT_SUPPORT, which disables on-load FIPS POSTs.
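The getrandom() items in the list above, sketched as an added example that is not taken from the NSS patches or from this announcement. It reads from getrandom(), selects GRND_RANDOM for the strong pool, and falls back to /dev/random or /dev/urandom when the syscall is unavailable. The names fill_random and fill_from_device are hypothetical, and glibc 2.25 or later is assumed for <sys/random.h>.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/random.h>
#include <unistd.h>

/* Fallback for kernels without the getrandom() syscall (ENOSYS). */
static int fill_from_device(const char *path, unsigned char *p, size_t len)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n < 0 && errno == EINTR)
            continue;            /* interrupted by a signal: retry */
        if (n <= 0) {            /* hard error or unexpected EOF */
            close(fd);
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    close(fd);
    return 0;
}

/* Added example; fill_random() is a hypothetical helper, not NSS code.
 * strong_pool != 0 selects GRND_RANDOM (or /dev/random on fallback), the
 * FIPS-mode choice listed above. Returns 0 on success, -1 on failure. */
int fill_random(void *buf, size_t len, int strong_pool)
{
    unsigned char *p = buf;
    unsigned int flags = strong_pool ? GRND_RANDOM : 0;
    while (len > 0) {
        ssize_t n = getrandom(p, len, flags);
        if (n < 0 && errno == EINTR)
            continue;            /* interrupted by a signal: retry */
        if (n < 0 && errno == ENOSYS)
            return fill_from_device(strong_pool ? "/dev/random"
                                                : "/dev/urandom", p, len);
        if (n < 0)
            return -1;
        p += n;                  /* getrandom() may return fewer bytes */
        len -= (size_t)n;
    }
    return 0;
}
```

Unlike opening a device node, getrandom() needs no file descriptor and works inside a chroot or container without /dev populated, which is why the short-read and EINTR loop is the only handling the primary path requires.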
Patch Instructions:
To install this SUSE Recommended Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 12-SP3:
zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-184=1
- SUSE Linux Enterprise Software Development Kit 12-SP2:
zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-184=1
- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:
zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-184=1
- SUSE Linux Enterprise Server 12-SP3:
zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-184=1
- SUSE Linux Enterprise Server 12-SP2:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-184=1
- SUSE Linux Enterprise Desktop 12-SP3:
zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-184=1
- SUSE Linux Enterprise Desktop 12-SP2:
zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-184=1
- SUSE CaaS Platform ALL:
zypper in -t patch SUSE-CAASP-ALL-2018-184=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64):
mozilla-nss-debuginfo-3.29.5-58.9.1
mozilla-nss-debugsource-3.29.5-58.9.1
mozilla-nss-devel-3.29.5-58.9.1
- SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):
mozilla-nss-debuginfo-3.29.5-58.9.1
mozilla-nss-debugsource-3.29.5-58.9.1
mozilla-nss-devel-3.29.5-58.9.1
- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):
libfreebl3-3.29.5-58.9.1
libfreebl3-debuginfo-3.29.5-58.9.1
libfreebl3-hmac-3.29.5-58.9.1
libsoftokn3-3.29.5-58.9.1
libsoftokn3-debuginfo-3.29.5-58.9.1
libsoftokn3-hmac-3.29.5-58.9.1
mozilla-nss-3.29.5-58.9.1
mozilla-nss-certs-3.29.5-58.9.1
mozilla-nss-certs-debuginfo-3.29.5-58.9.1
mozilla-nss-debuginfo-3.29.5-58.9.1
mozilla-nss-debugsource-3.29.5-58.9.1
mozilla-nss-sysinit-3.29.5-58.9.1
mozilla-nss-sysinit-debuginfo-3.29.5-58.9.1
mozilla-nss-tools-3.29.5-58.9.1
mozilla-nss-tools-debuginfo-3.29.5-58.9.1
- SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64):
libfreebl3-3.29.5-58.9.1
libfreebl3-debuginfo-3.29.5-58.9.1
libfreebl3-hmac-3.29.5-58.9.1
libsoftokn3-3.29.5-58.9.1
libsoftokn3-debuginfo-3.29.5-58.9.1
libsoftokn3-hmac-3.29.5-58.9.1
mozilla-nss-3.29.5-58.9.1
mozilla-nss-certs-3.29.5-58.9.1
mozilla-nss-certs-debuginfo-3.29.5-58.9.1
mozilla-nss-debuginfo-3.29.5-58.9.1
mozilla-nss-debugsource-3.29.5-58.9.1
mozilla-nss-sysinit-3.29.5-58.9.1
mozilla-nss-sysinit-debuginfo-3.29.5-58.9.1
mozilla-nss-tools-3.29.5-58.9.1
mozilla-nss-tools-debuginfo-3.29.5-58.9.1
- SUSE Linux Enterprise Server 12-SP3 (s390x x86_64):
libfreebl3-32bit-3.29.5-58.9.1
libfreebl3-debuginfo-32bit-3.29.5-58.9.1
libfreebl3-hmac-32bit-3.29.5-58.9.1
libsoftokn3-32bit-3.29.5-58.9.1
libsoftokn3-debuginfo-32bit-3.29.5-58.9.1
libsoftokn3-hmac-32bit-3.29.5-58.9.1
mozilla-nss-32bit-3.29.5-58.9.1
mozilla-nss-certs-32bit-3.29.5-58.9.1
mozilla-nss-certs-debuginfo-32bit-3.29.5-58.9.1
mozilla-nss-debuginfo-32bit-3.29.5-58.9.1
mozilla-nss-sysinit-32bit-3.29.5-58.9.1
mozilla-nss-sysinit-debuginfo-32bit-3.29.5-58.9.1
- SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64):
libfreebl3-3.29.5-58.9.1
libfreebl3-debuginfo-3.29.5-58.9.1
libfreebl3-hmac-3.29.5-58.9.1
libsoftokn3-3.29.5-58.9.1
libsoftokn3-debuginfo-3.29.5-58.9.1
libsoftokn3-hmac-3.29.5-58.9.1
mozilla-nss-3.29.5-58.9.1
mozilla-nss-certs-3.29.5-58.9.1
mozilla-nss-certs-debuginfo-3.29.5-58.9.1
mozilla-nss-debuginfo-3.29.5-58.9.1
mozilla-nss-debugsource-3.29.5-58.9.1
mozilla-nss-sysinit-3.29.5-58.9.1
mozilla-nss-sysinit-debuginfo-3.29.5-58.9.1
mozilla-nss-tools-3.29.5-58.9.1
mozilla-nss-tools-debuginfo-3.29.5-58.9.1
- SUSE Linux Enterprise Server 12-SP2 (s390x x86_64):
libfreebl3-32bit-3.29.5-58.9.1
libfreebl3-debuginfo-32bit-3.29.5-58.9.1
libfreebl3-hmac-32bit-3.29.5-58.9.1
libsoftokn3-32bit-3.29.5-58.9.1
libsoftokn3-debuginfo-32bit-3.29.5-58.9.1
libsoftokn3-hmac-32bit-3.29.5-58.9.1
mozilla-nss-32bit-3.29.5-58.9.1
mozilla-nss-certs-32bit-3.29.5-58.9.1
mozilla-nss-certs-debuginfo-32bit-3.29.5-58.9.1
mozilla-nss-debuginfo-32bit-3.29.5-58.9.1
mozilla-nss-sysinit-32bit-3.29.5-58.9.1
mozilla-nss-sysinit-debuginfo-32bit-3.29.5-58.9.1
- SUSE Linux Enterprise Desktop 12-SP3 (x86_64):
libfreebl3-3.29.5-58.9.1
libfreebl3-32bit-3.29.5-58.9.1
libfreebl3-debuginfo-3.29.5-58.9.1
libfreebl3-debuginfo-32bit-3.29.5-58.9.1
libsoftokn3-3.29.5-58.9.1
libsoftokn3-32bit-3.29.5-58.9.1
libsoftokn3-debuginfo-3.29.5-58.9.1
libsoftokn3-debuginfo-32bit-3.29.5-58.9.1
mozilla-nss-3.29.5-58.9.1
mozilla-nss-32bit-3.29.5-58.9.1
mozilla-nss-certs-3.29.5-58.9.1
mozilla-nss-certs-32bit-3.29.5-58.9.1
mozilla-nss-certs-debuginfo-3.29.5-58.9.1
mozilla-nss-certs-debuginfo-32bit-3.29.5-58.9.1
mozilla-nss-debuginfo-3.29.5-58.9.1
mozilla-nss-debuginfo-32bit-3.29.5-58.9.1
mozilla-nss-debugsource-3.29.5-58.9.1
mozilla-nss-sysinit-3.29.5-58.9.1
mozilla-nss-sysinit-32bit-3.29.5-58.9.1
mozilla-nss-sysinit-debuginfo-3.29.5-58.9.1
mozilla-nss-sysinit-debuginfo-32bit-3.29.5-58.9.1
mozilla-nss-tools-3.29.5-58.9.1
mozilla-nss-tools-debuginfo-3.29.5-58.9.1
- SUSE Linux Enterprise Desktop 12-SP2 (x86_64):
libfreebl3-3.29.5-58.9.1
libfreebl3-32bit-3.29.5-58.9.1
libfreebl3-debuginfo-3.29.5-58.9.1
libfreebl3-debuginfo-32bit-3.29.5-58.9.1
libsoftokn3-3.29.5-58.9.1
libsoftokn3-32bit-3.29.5-58.9.1
libsoftokn3-debuginfo-3.29.5-58.9.1
libsoftokn3-debuginfo-32bit-3.29.5-58.9.1
mozilla-nss-3.29.5-58.9.1
mozilla-nss-32bit-3.29.5-58.9.1
mozilla-nss-certs-3.29.5-58.9.1
mozilla-nss-certs-32bit-3.29.5-58.9.1
mozilla-nss-certs-debuginfo-3.29.5-58.9.1
mozilla-nss-certs-debuginfo-32bit-3.29.5-58.9.1
mozilla-nss-debuginfo-3.29.5-58.9.1
mozilla-nss-debuginfo-32bit-3.29.5-58.9.1
mozilla-nss-debugsource-3.29.5-58.9.1
mozilla-nss-sysinit-3.29.5-58.9.1
mozilla-nss-sysinit-32bit-3.29.5-58.9.1
mozilla-nss-sysinit-debuginfo-3.29.5-58.9.1
mozilla-nss-sysinit-debuginfo-32bit-3.29.5-58.9.1
mozilla-nss-tools-3.29.5-58.9.1
mozilla-nss-tools-debuginfo-3.29.5-58.9.1
- SUSE CaaS Platform ALL (x86_64):
libfreebl3-3.29.5-58.9.1
libfreebl3-debuginfo-3.29.5-58.9.1
libsoftokn3-3.29.5-58.9.1
libsoftokn3-debuginfo-3.29.5-58.9.1
mozilla-nss-3.29.5-58.9.1
mozilla-nss-certs-3.29.5-58.9.1
mozilla-nss-certs-debuginfo-3.29.5-58.9.1
mozilla-nss-debuginfo-3.29.5-58.9.1
mozilla-nss-debugsource-3.29.5-58.9.1
References:
https://bugzilla.suse.com/1043853
https://bugzilla.suse.com/1049673
https://bugzilla.suse.com/1055271
https://bugzilla.suse.com/1074009