SUSE-RU-2021:3115-2: moderate: Recommended update for mozilla-nspr, mozilla-nss

sle-updates at lists.suse.com sle-updates at lists.suse.com
Tue Sep 21 20:20:33 UTC 2021


   SUSE Recommended Update: Recommended update for mozilla-nspr, mozilla-nss
______________________________________________________________________________

Announcement ID:    SUSE-RU-2021:3115-2
Rating:             moderate
References:         #1029961 #1174697 #1176206 #1176934 #1179382 
                    #1188891 
Affected Products:
                    SUSE MicroOS 5.1
______________________________________________________________________________

   An update that has 6 recommended fixes can now be installed.

Description:

   This update for mozilla-nspr fixes the following issues:

   mozilla-nspr was updated to version 4.32:

   * implement new socket option PR_SockOpt_DontFrag
   * support larger DNS records by increasing the default buffer size for DNS
     queries
   * Lock access to PRCallOnceType members in PR_CallOnce* for thread safety
     bmo#1686138
   * PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get
     information about the operating system build version.


   Mozilla NSS was updated to version 3.68:

   * bmo#1713562 - Fix test leak.
   * bmo#1717452 - NSS 3.68 should depend on NSPR 4.32.
   * bmo#1693206 - Implement PKCS8 export of ECDSA keys.
   * bmo#1712883 - DTLS 1.3 draft-43.
   * bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
   * bmo#1713562 - Validate ECH public names.
   * bmo#1717610 - Add function to get seconds from epoch from pkix::Time.

   update to NSS 3.67

   * bmo#1683710 - Add a means to disable ALPN.
   * bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be
     incremented in 3.66).
   * bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja.
   * bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c.
   * bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more
     than 255-byte.

   update to NSS 3.66

   * bmo#1710716 - Remove Expired Sonera Class2 CA from NSS.
   * bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root
     Certification Authority.
   * bmo#1708307 - Remove Trustis FPS Root CA from NSS.
   * bmo#1707097 - Add Certum Trusted Root CA to NSS.
   * bmo#1707097 - Add Certum EC-384 CA to NSS.
   * bmo#1703942 - Add ANF Secure Server Root CA to NSS.
   * bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS.
   * bmo#1712184 - NSS tools manpages need to be updated to reflect that
     sqlite is the default database.
   * bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler.
   * bmo#1712211 - Strict prototype error when trying to compile nss code
     that includes blapi.h.
   * bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators.
   * bmo#1709291 - Add VerifyCodeSigningCertificateChain.

   update to NSS 3.65

   * bmo#1709654 - Update for NetBSD configuration.
   * bmo#1709750 - Disable HPKE test when fuzzing.
   * bmo#1566124 - Optimize AES-GCM for ppc64le.
   * bmo#1699021 - Add AES-256-GCM to HPKE.
   * bmo#1698419 - ECH -10 updates.
   * bmo#1692930 - Update HPKE to final version.
   * bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by
     default.
   * bmo#1703936 - New coverity/cpp scanner errors.
   * bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3
     standards.
   * bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
   * bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.

   update to NSS 3.64

   * bmo#1705286 - Properly detect mips64.
   * bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and disable_crypto_vsx.
   * bmo#1698320 - replace __builtin_cpu_supports("vsx") with
     ppc_crypto_support() for clang.
   * bmo#1613235 - Add POWER ChaCha20 stream cipher vector acceleration.

   Fixed in 3.63

   * bmo#1697380 - Make a clang-format run on top of helpful contributions.
   * bmo#1683520 - ECCKiila P384, change syntax of nested structs
     initialization to prevent build isses with GCC 4.8.
   * bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual scalar
     multiplication.
   * bmo#1683520 - ECCKiila P521, change syntax of nested structs
     initialization to prevent build isses with GCC 4.8.
   * bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual scalar
     multiplication.
   * bmo#1696800 - HACL* update March 2021 -
     c95ab70fcb2bc21025d8845281bc4bc8987ca683.
   * bmo#1694214 - tstclnt can't enable middlebox compat mode.
   * bmo#1694392 - NSS does not work with PKCS #11 modules not supporting
     profiles.
   * bmo#1685880 - Minor fix to prevent unused variable on early return.
   * bmo#1685880 - Fix for the gcc compiler version 7 to support setenv with
     nss build.
   * bmo#1693217 - Increase nssckbi.h version number for March 2021 batch
   		of root CA changes, CA list version 2.48.
   * bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's
     'Chambers of Commerce' and 'Global Chambersign' roots.
   * bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER.
   * bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS.
   * bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS.
   * bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs
     from NSS.
   * bmo#1687822 - Turn off Websites trust bit for the “Staat der
     Nederlanden Root CA - G3” root cert in NSS.
   * bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce Root
     - 2008' and 'Global Chambersign Root - 2008’.
   * bmo#1694291 - Tracing fixes for ECH.

   update to NSS 3.62

   * bmo#1688374 - Fix parallel build NSS-3.61 with make
   * bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add() can
     corrupt "cachedCertTable"
   * bmo#1690583 - Fix CH padding extension size calculation
   * bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail
   * bmo#1690421 - Install packaged libabigail in docker-builds image
   * bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing
   * bmo#1674819 - Fixup a51fae403328, enum type may be signed
   * bmo#1681585 - Add ECH support to selfserv
   * bmo#1681585 - Update ECH to Draft-09
   * bmo#1678398 - Add Export/Import functions for HPKE context
   * bmo#1678398 - Update HPKE to draft-07

   update to NSS 3.61

   * bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key
     values under certain conditions.
   * bmo#1684300 - Fix default PBE iteration count when NSS is compiled with
     NSS_DISABLE_DBM.
   * bmo#1651411 - Improve constant-timeness in RSA operations.
   * bmo#1677207 - Upgrade Google Test version to latest release.
   * bmo#1654332 - Add aarch64-make target to nss-try.

   Update to NSS 3.60.1:

   Notable changes in NSS 3.60:
   * TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support has been
     added, replacing the previous ESNI (draft-ietf-tls-esni-01)
     implementation. See bmo#1654332 for more information.
   * December 2020 batch of Root CA changes, builtins library updated to
     version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769 for more
     information.

   Update to NSS 3.59.1:

   * bmo#1679290 - Fix potential deadlock with certain third-party PKCS11
     modules

   Update to NSS 3.59:

   Notable changes:

   * Exported two existing functions from libnss:
     CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData

   Bugfixes

   * bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
   * bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
   * bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
   * bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
   * bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed root
     certs when SHA1 signatures are disabled.
   * bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to solve
     some test intermittents
   * bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in
   		our CVE-2020-25648 fix that broke purple-discord (boo#1179382)
   * bmo#1666891 - Support key wrap/unwrap with RSA-OAEP
   * bmo#1667989 - Fix gyp linking on Solaris
   * bmo#1668123 - Export CERT_AddCertToListHeadWithData and
     CERT_AddCertToListTailWithData from libnss
   * bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
   * bmo#1663091 - Remove unnecessary assertions in the streaming ASN.1
     decoder that affected decoding certain PKCS8 private keys when using NSS
     debug builds
   *  bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.

   update to NSS 3.58

   Bugs fixed:

   * bmo#1641480 (CVE-2020-25648) Tighten CCS handling for middlebox
     compatibility mode.
   * bmo#1631890 - Add support for Hybrid Public Key Encryption
     (draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello
     (draft-ietf-tls-esni).
   * bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto extensions.
   * bmo#1668328 - Handle spaces in the Python path name when using gyp on
     Windows.
   * bmo#1667153 - Add PK11_ImportDataKey for data object import.
   * bmo#1665715 - Pass the embedded SCT list extension (if present) to
     TrustDomain::CheckRevocation instead of the notBefore value.

   update to NSS 3.57

   * The following CA certificates were Added: bmo#1663049 - CN=Trustwave
     Global Certification Authority SHA-256 Fingerprint:
     97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
     bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority
     SHA-256 Fingerprint:
     945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
     bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority
     SHA-256 Fingerprint:
     55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
   * The following CA certificates were Removed: bmo#1651211 - CN=EE
     Certification Centre Root CA SHA-256 Fingerprint:
     3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
     bmo#1656077 - O=Government Root Certification Authority; C=TW SHA-256
     Fingerprint:
     7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
   * Trust settings for the following CA certificates were Modified:
     bmo#1653092 - CN=OISTE WISeKey Global Root GA CA Websites (server
     authentication) trust bit removed.
   *
   https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_rele
     ase_notes

   update to NSS 3.56

   Notable changes

   * bmo#1650702 - Support SHA-1 HW acceleration on ARMv8
   * bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
   * bmo#1654142 - Add CPU feature detection for Intel SHA extension.
   * bmo#1648822 - Add stricter validation of DH keys in FIPS mode.
   * bmo#1656986 - Properly detect arm64 during GYP build architecture
     detection.
   * bmo#1652729 - Add build flag to disable RC2 and relocate to
     lib/freebl/deprecated.
   * bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay.
   * bmo#1588941 - Send empty certificate message when scheme selection fails.
   * bmo#1652032 - Fix failure to build in Windows arm64 makefile
     cross-compilation.
   * bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent.
   * bmo#1653975 - Fix 3.53 regression by setting "all" as the default
     makefile target.
   * bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert.
   * bmo#1659814 - Fix interop.sh failures with newer tls-interop commit and
     dependencies.
   * bmo#1656519 - NSPR dependency updated to 4.28

   update to NSS 3.55

   Notable changes
   * P384 and P521 elliptic curve implementations are replaced with
     verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
   * PK11_FindCertInSlot is added. With this function, a given slot can be
     queried with a DER-Encoded certificate, providing performance and
     usability improvements over other mechanisms. (bmo#1649633)
   * DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)

   Relevant Bugfixes

   * bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and P521 with
     new, verifiable implementations from Fiat-Crypto and ECCKiila.
   * bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
   * bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
   * bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part ChaCha20
     (which was not functioning correctly) and more strictly enforce tag
     length.
   * bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
   * bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
   * bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
   * bmo#1653202 - Fix initialization bug in blapitest when compiled with
     NSS_DISABLE_DEPRECATED_SEED.
   * bmo#1646594 - Fix AVX2 detection in makefile builds.
   * bmo#1649633 - Add PK11_FindCertInSlot to search a given slot for a
     DER-encoded certificate.
   * bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
   * bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
   * bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle
     in CI.
   * bmo#1649226 - Add Wycheproof ECDSA tests.
   * bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
   * bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in
     RSA_CheckSignRecover.
   * bmo#1646324 - Advertise PKCS#1 schemes for certificates in the
     signature_algorithms extension.

   update to NSS 3.54

   Notable changes

   * Support for TLS 1.3 external pre-shared keys (bmo#1603042).
   * Use ARM Cryptography Extension for SHA256, when available (bmo#1528113)
   * The following CA certificates were Added: bmo#1645186 - certSIGN Root CA
     G2. bmo#1645174 - e-Szigno Root CA 2017. bmo#1641716 - Microsoft ECC
     Root Certificate Authority 2017. bmo#1641716 - Microsoft RSA Root
     Certificate Authority 2017.
   * The following CA certificates were Removed: bmo#1645199 - AddTrust Class
     1 CA Root. bmo#1645199 - AddTrust External CA Root. bmo#1641718 -
     LuxTrust Global Root 2. bmo#1639987 - Staat der Nederlanden Root CA -
     G2. bmo#1618402 - Symantec Class 2 Public Primary Certification
     Authority - G4. bmo#1618402 - Symantec Class 1 Public Primary
     Certification Authority - G4. bmo#1618402 - VeriSign Class 3 Public
     Primary Certification Authority - G3.

   * A number of certificates had their Email trust bit disabled. See
     bmo#1618402 for a complete list.

   Bugs fixed

   * bmo#1528113 - Use ARM Cryptography Extension for SHA256.
   * bmo#1603042 - Add TLS 1.3 external PSK support.
   * bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
   * bmo#1645186 - Add "certSIGN Root CA G2" root certificate.
   * bmo#1645174 - Add Microsec's "e-Szigno Root CA 2017" root certificate.
   * bmo#1641716 - Add Microsoft's non-EV root certificates.
   * bmo1621151 - Disable email trust bit for "O=Government Root
     Certification Authority; C=TW" root.
   * bmo#1645199 - Remove AddTrust root certificates.
   * bmo#1641718 - Remove "LuxTrust Global Root 2" root certificate.
   * bmo#1639987 - Remove "Staat der Nederlanden Root CA - G2" root
     certificate.
   * bmo#1618402 - Remove Symantec root certificates and disable email trust
     bit.
   * bmo#1640516 - NSS 3.54 should depend on NSPR 4.26.
   * bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c.
   * bmo#1642153 - Fix infinite recursion building NSS.
   * bmo#1642638 - Fix fuzzing assertion crash.
   * bmo#1642871 - Enable SSL_SendSessionTicket after resumption.
   * bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs.
   * bmo#1643557 - Fix numerous compile warnings in NSS.
   * bmo#1644774 - SSL gtests to use ClearServerCache when resetting
     self-encrypt keys.
   * bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c.
   * bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding.


Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE MicroOS 5.1:

      zypper in -t patch SUSE-SUSE-MicroOS-5.1-2021-3115=1



Package List:

   - SUSE MicroOS 5.1 (aarch64 s390x x86_64):

      libfreebl3-3.68-3.56.1
      libfreebl3-debuginfo-3.68-3.56.1
      libfreebl3-hmac-3.68-3.56.1
      libsoftokn3-3.68-3.56.1
      libsoftokn3-debuginfo-3.68-3.56.1
      libsoftokn3-hmac-3.68-3.56.1
      mozilla-nspr-4.32-3.20.1
      mozilla-nspr-debuginfo-4.32-3.20.1
      mozilla-nspr-debugsource-4.32-3.20.1
      mozilla-nss-3.68-3.56.1
      mozilla-nss-certs-3.68-3.56.1
      mozilla-nss-certs-debuginfo-3.68-3.56.1
      mozilla-nss-debuginfo-3.68-3.56.1
      mozilla-nss-debugsource-3.68-3.56.1
      mozilla-nss-tools-3.68-3.56.1
      mozilla-nss-tools-debuginfo-3.68-3.56.1


References:

   https://bugzilla.suse.com/1029961
   https://bugzilla.suse.com/1174697
   https://bugzilla.suse.com/1176206
   https://bugzilla.suse.com/1176934
   https://bugzilla.suse.com/1179382
   https://bugzilla.suse.com/1188891



More information about the sle-updates mailing list