SUSE-RU-2023:2814-1: moderate: Recommended update for mozilla-nss
    sle-updates at lists.suse.com 
    Thu Jul 13 12:41:50 UTC 2023
    
    
  
# Recommended update for mozilla-nss
Announcement ID: SUSE-RU-2023:2814-1  
Rating: moderate  
References:
  * #1185116
  * #1202118
  
Affected Products:
  * Basesystem Module 15-SP4
  * Basesystem Module 15-SP5
  * openSUSE Leap 15.4
  * openSUSE Leap 15.5
  * openSUSE Leap Micro 5.3
  * SUSE Linux Enterprise Desktop 15 SP4
  * SUSE Linux Enterprise Desktop 15 SP5
  * SUSE Linux Enterprise High Performance Computing 15 SP4
  * SUSE Linux Enterprise High Performance Computing 15 SP5
  * SUSE Linux Enterprise Micro 5.3
  * SUSE Linux Enterprise Micro 5.4
  * SUSE Linux Enterprise Micro for Rancher 5.3
  * SUSE Linux Enterprise Micro for Rancher 5.4
  * SUSE Linux Enterprise Real Time 15 SP4
  * SUSE Linux Enterprise Real Time 15 SP5
  * SUSE Linux Enterprise Server 15 SP4
  * SUSE Linux Enterprise Server 15 SP5
  * SUSE Linux Enterprise Server for SAP Applications 15 SP4
  * SUSE Linux Enterprise Server for SAP Applications 15 SP5
  * SUSE Manager Proxy 4.3
  * SUSE Manager Retail Branch Server 4.3
  * SUSE Manager Server 4.3
  
  
An update that has two recommended fixes can now be installed.
## Description:
This update for mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.90:
  * Add a constant time select function
  * Updating an old dbm with lots of certs with keys to sql results in a
    database that is slow to access.
  * output early build errors by default
  * Update the technical constraints for KamuSM
  * Add BJCA Global Root CA1 and CA2 root certificates
  * Enable default UBSan Checks
  * Add explicit handling of zero length records
  * Tidy up DTLS ACK Error Handling Path
  * Refactor zero length record tests
  * Fix compiler warning via correct assert
  * run linux tests on nss-t/t-linux-xlarge-gcp
  * In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the
    output size of the hash function used, or provide an indicator
  * Fix reading raw negative numbers
  * Repairing unreachable code in clang built with gyp
  * Integrate Vale Curve25519
  * Removing unused flags for Hacl*
  * Adding a better error message
  * Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6
  * Fall back to the softokn when writing certificate trust
  * FIPS-104-3 requires we restart post programmatically
  * cmd/ecperf: fix dangling pointer warning on gcc 13
  * Update ACVP dockerfile for compatibility with debian package changes
  * Add a CI task for tracking ECCKiila code status, update whitespace in
    ECCKiila files
  * Removed deprecated sprintf function and replaced with snprintf
  * fix rst warnings in nss doc
  * Fix incorrect pygment style
  * Change GYP directive to apply across platforms
  * Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag
  * Merge the libfreebl3-hmac and libsoftokn3-hmac packages into the respective
    libraries. (bsc#1185116)
update to NSS 3.89.1
  * Update the technical constraints for KamuSM.
  * Add BJCA Global Root CA1 and CA2 root certificates.
update to NSS 3.89
  * revert freebl/softoken RSA_MIN_MODULUS_BITS increase
  * PR_STATIC_ASSERT is cursed
  * Need to add policy control to keys lengths for signatures
  * Fix unreachable code warning in fuzz builds
  * Fix various compiler warnings in NSS
  * Enable various compiler warnings for clang builds
  * set PORT error after sftk_HMACCmp failure
  * Need to add policy control to keys lengths for signatures
  * remove data length assertion in sec_PKCS7Decrypt
  * Make high tag number assertion failure an error
  * CKM_SHA384_KEY_DERIVATION correction maximum key length from 284 to 384
  * Tolerate certificate_authorities xtn in ClientHello
  * Fix build failure on Windows
  * migrate Win 2012 tasks to Azure
  * fix title length in doc
  * Add interop tests for HRR and PSK to GREASE suite
  * Add presence/absence tests for TLS GREASE
  * Correct addition of GREASE value to ALPN xtn
  * CH extension permutation
  * TLS GREASE (RFC8701)
  * improve handling of unknown PKCS#12 safe bag types
  * use a different treeherder symbol for each docker image build task
  * remove nested table in rst doc
  * Export NSS_CMSSignerInfo_GetDigestAlgTag
  * build failure while implicitly casting SECStatus to PRUInt32
update to NSS 3.88.1
  * improve handling of unknown PKCS#12 safe bag types
update to NSS 3.88
  * remove nested table in rst doc
  * Export NSS_CMSSignerInfo_GetDigestAlgTag.
  * build failure while implicitly casting SECStatus to PRUInt32
  * Add check for ClientHello SID max length
  * Added EarlyData ALPN test support to BoGo shim
  * ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH
    configs are setup
  * On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm
  * ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed
    misleading Gtest, enabled corresponding BoGo test
  * Added Bogo ECH rejection test support
  * Added ECH 0Rtt support to BoGo shim
  * RSA OAEP Wycheproof JSON
  * RSA decrypt Wycheproof JSON
  * ECDSA Wycheproof JSON
  * ECDH Wycheproof JSON
  * PKCS#1v1.5 wycheproof json
  * Use X25519 wycheproof json
  * Move scripts to python3
  * Properly link FuzzingEngine for oss-fuzz.
  * Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384)
  * NSS needs to move off of DSA for integrity checks
  * Add initial testing with ACVP vector sets using acvp-rust
  * Don't clone libFuzzer, rely on clang instead
update to NSS 3.87
  * NULL password encoding incorrect
  * Fix rng stub signature for fuzzing builds
  * Updating the compiler parsing for build
  * Modification of supported compilers
  * tstclnt crashes when accessing gnutls server without a user cert in the
    database.
  * Add configuration option to enable source-based coverage sanitizer
  * Update ECCKiila generated files.
  * Add support for the LoongArch 64-bit architecture
  * add checks for zero-length RSA modulus to avoid memory errors and failed
    assertions later
  * Additional zero-length RSA modulus checks
update to NSS 3.86
  * conscious language removal in NSS
  * Set nssckbi version number to 2.60
  * Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3
    TrustCor Root Certificates
  * Remove Staat der Nederlanden EV Root CA from NSS
  * Remove EC-ACC root cert from NSS
  * Remove SwissSign Platinum CA - G2 from NSS
  * Remove Network Solutions Certificate Authority
  * compress docker image artifact with zstd
  * Migrate nss from AWS to GCP
  * Enable static builds in the CI
  * Removing SAW docker from the NSS build system
  * Initialising variables in the rsa blinding code
  * Implementation of the double-signing of the message for ECDSA
  * Adding exponent blinding for RSA.
update to NSS 3.85
  * Modification of the primes.c and dhe-params.c in order to have better
    looking tables
  * Update zlib in NSS to 1.2.13
  * Skip building modutil and shlibsign when building in Firefox
  * Use `__STDC_VERSION__` rather than `__STDC__` as a guard
  * Remove redundant variable definitions in lowhashtest
  * Add note about python executable to build instructions.
update to NSS 3.84
  * Bump minimum NSPR version to 4.35
  * Add a flag to disable building libnssckbi.
update to NSS 3.83
  * Remove set-but-unused variables from SEC_PKCS12DecoderValidateBags
  * Set nssckbi version number to 2.58
  * Add two SECOM root certificates to NSS
  * Add two DigitalSign root certificates to NSS
  * Remove Camerfirma Global Chambersign Root from NSS
  * Added bug reference and description to disabled UnsolicitedServerNameAck
    bogo ECH test
  * Removed skipping of ECH on equality of private and public server name
  * Added comment and bug reference to ECHRandomHRRExtension bogo test
  * Added Bogo shim client HRR test support. Fixed overwriting of CHInner.random
    on HRR
  * Added check for server only sending ECH extension with retry configs in
    EncryptedExtensions and if not accepting ECH. Changed config setting
    behavior to skip configs with unsupported mandatory extensions instead of
    failing
  * Added ECH client support to BoGo shim. Changed CHInner creation to skip TLS
    1.2 only extensions to comply with BoGo
  * Added ECH server support to BoGo shim. Fixed NSS ECH server
    accept_confirmation bugs
  * Update BoGo tests to recent BoringSSL version
  * Bump minimum NSPR version to 4.34.1
update to NSS 3.82
  * check for null template in sec_asn1{d,e}_push_state
  * QuickDER: Forbid NULL tags with non-zero length
  * Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite
  * Cast the result of GetProcAddress
  * pk11wrap: Tighten certificate lookup based on PKCS #11 URI.
update to NSS 3.81
  * Enable aarch64 hardware crypto support on OpenBSD
  * make NSS_SecureMemcmp 0/1 valued
  * Add no_application_protocol alert handler and test client error code is set
  * Gracefully handle null nickname in CERT_GetCertNicknameWithValidity
  * required for Firefox 104
  * raised NSPR requirement to 4.34.1
  * changing some Requires from (pre) to generic as (pre) is not sufficient
    (bsc#1202118)
update to NSS 3.80
  * Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h.
  * Add support for asynchronous client auth hooks.
  * nss-policy-check: make unknown keyword check optional.
  * GatherBuffer: Reduced plaintext buffer allocations by allocating it on
    initialization. Replaced redundant code with assert. Debug builds: Added
    buffer freeing/allocation for each record.
  * Mark 3.79 as an ESR release.
  * Bump nssckbi version number for June.
  * Remove Hellenic Academic 2011 Root.
  * Add E-Tugra Roots.
  * Add Certainly Roots.
  * Add DigiCert Roots.
  * Protect SFTKSlot needLogin with slotLock.
  * Compare signature and signatureAlgorithm fields in legacy certificate
    verifier.
  * Uninitialized value in cert_VerifyCertChainOld.
  * Unchecked return code in sec_DecodeSigAlg.
  * Uninitialized value in cert_ComputeCertType.
  * Avoid data race on primary password change.
  * Replace ppc64 dcbzl intrinsic.
  * Allow LDFLAGS override in makefile builds.
## Patch Instructions:
To install this SUSE Moderate update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:
  * openSUSE Leap Micro 5.3  
    zypper in -t patch openSUSE-Leap-Micro-5.3-2023-2814=1
  * openSUSE Leap 15.4  
    zypper in -t patch openSUSE-SLE-15.4-2023-2814=1
  * openSUSE Leap 15.5  
    zypper in -t patch openSUSE-SLE-15.5-2023-2814=1
  * SUSE Linux Enterprise Micro for Rancher 5.3  
    zypper in -t patch SUSE-SLE-Micro-5.3-2023-2814=1
  * SUSE Linux Enterprise Micro 5.3  
    zypper in -t patch SUSE-SLE-Micro-5.3-2023-2814=1
  * SUSE Linux Enterprise Micro for Rancher 5.4  
    zypper in -t patch SUSE-SLE-Micro-5.4-2023-2814=1
  * SUSE Linux Enterprise Micro 5.4  
    zypper in -t patch SUSE-SLE-Micro-5.4-2023-2814=1
  * Basesystem Module 15-SP4  
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2023-2814=1
  * Basesystem Module 15-SP5  
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2023-2814=1
## Package List:
  * openSUSE Leap Micro 5.3 (aarch64 x86_64)
    * mozilla-nss-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-tools-3.90-150400.3.32.1
    * libfreebl3-3.90-150400.3.32.1
    * libsoftokn3-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-3.90-150400.3.32.1
    * mozilla-nss-tools-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-debugsource-3.90-150400.3.32.1
    * libsoftokn3-3.90-150400.3.32.1
    * libfreebl3-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-certs-3.90-150400.3.32.1
    * mozilla-nss-certs-debuginfo-3.90-150400.3.32.1
  * openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
    * mozilla-nss-sysinit-3.90-150400.3.32.1
    * mozilla-nss-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-tools-3.90-150400.3.32.1
    * libfreebl3-3.90-150400.3.32.1
    * libsoftokn3-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-3.90-150400.3.32.1
    * mozilla-nss-sysinit-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-tools-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-debugsource-3.90-150400.3.32.1
    * libsoftokn3-3.90-150400.3.32.1
    * libfreebl3-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-devel-3.90-150400.3.32.1
    * mozilla-nss-certs-3.90-150400.3.32.1
    * mozilla-nss-certs-debuginfo-3.90-150400.3.32.1
  * openSUSE Leap 15.4 (x86_64)
    * mozilla-nss-sysinit-32bit-debuginfo-3.90-150400.3.32.1
    * libsoftokn3-32bit-3.90-150400.3.32.1
    * mozilla-nss-32bit-3.90-150400.3.32.1
    * libsoftokn3-32bit-debuginfo-3.90-150400.3.32.1
    * libfreebl3-32bit-3.90-150400.3.32.1
    * mozilla-nss-certs-32bit-3.90-150400.3.32.1
    * mozilla-nss-certs-32bit-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-32bit-debuginfo-3.90-150400.3.32.1
    * libfreebl3-32bit-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-sysinit-32bit-3.90-150400.3.32.1
  * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
    * mozilla-nss-sysinit-3.90-150400.3.32.1
    * mozilla-nss-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-tools-3.90-150400.3.32.1
    * libfreebl3-3.90-150400.3.32.1
    * libsoftokn3-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-3.90-150400.3.32.1
    * mozilla-nss-sysinit-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-tools-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-debugsource-3.90-150400.3.32.1
    * libsoftokn3-3.90-150400.3.32.1
    * libfreebl3-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-devel-3.90-150400.3.32.1
    * mozilla-nss-certs-3.90-150400.3.32.1
    * mozilla-nss-certs-debuginfo-3.90-150400.3.32.1
  * openSUSE Leap 15.5 (x86_64)
    * mozilla-nss-sysinit-32bit-debuginfo-3.90-150400.3.32.1
    * libsoftokn3-32bit-3.90-150400.3.32.1
    * mozilla-nss-32bit-3.90-150400.3.32.1
    * libsoftokn3-32bit-debuginfo-3.90-150400.3.32.1
    * libfreebl3-32bit-3.90-150400.3.32.1
    * mozilla-nss-certs-32bit-3.90-150400.3.32.1
    * mozilla-nss-certs-32bit-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-32bit-debuginfo-3.90-150400.3.32.1
    * libfreebl3-32bit-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-sysinit-32bit-3.90-150400.3.32.1
  * SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64)
    * mozilla-nss-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-tools-3.90-150400.3.32.1
    * libfreebl3-3.90-150400.3.32.1
    * libsoftokn3-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-3.90-150400.3.32.1
    * mozilla-nss-tools-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-debugsource-3.90-150400.3.32.1
    * libsoftokn3-3.90-150400.3.32.1
    * libfreebl3-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-certs-3.90-150400.3.32.1
    * mozilla-nss-certs-debuginfo-3.90-150400.3.32.1
  * SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64)
    * mozilla-nss-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-tools-3.90-150400.3.32.1
    * libfreebl3-3.90-150400.3.32.1
    * libsoftokn3-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-3.90-150400.3.32.1
    * mozilla-nss-tools-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-debugsource-3.90-150400.3.32.1
    * libsoftokn3-3.90-150400.3.32.1
    * libfreebl3-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-certs-3.90-150400.3.32.1
    * mozilla-nss-certs-debuginfo-3.90-150400.3.32.1
  * SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 s390x x86_64)
    * mozilla-nss-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-tools-3.90-150400.3.32.1
    * libfreebl3-3.90-150400.3.32.1
    * libsoftokn3-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-3.90-150400.3.32.1
    * mozilla-nss-tools-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-debugsource-3.90-150400.3.32.1
    * libsoftokn3-3.90-150400.3.32.1
    * libfreebl3-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-certs-3.90-150400.3.32.1
    * mozilla-nss-certs-debuginfo-3.90-150400.3.32.1
  * SUSE Linux Enterprise Micro 5.4 (aarch64 s390x x86_64)
    * mozilla-nss-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-tools-3.90-150400.3.32.1
    * libfreebl3-3.90-150400.3.32.1
    * libsoftokn3-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-3.90-150400.3.32.1
    * mozilla-nss-tools-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-debugsource-3.90-150400.3.32.1
    * libsoftokn3-3.90-150400.3.32.1
    * libfreebl3-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-certs-3.90-150400.3.32.1
    * mozilla-nss-certs-debuginfo-3.90-150400.3.32.1
  * Basesystem Module 15-SP4 (aarch64 ppc64le s390x x86_64)
    * mozilla-nss-sysinit-3.90-150400.3.32.1
    * mozilla-nss-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-tools-3.90-150400.3.32.1
    * libfreebl3-3.90-150400.3.32.1
    * libsoftokn3-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-3.90-150400.3.32.1
    * mozilla-nss-sysinit-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-tools-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-debugsource-3.90-150400.3.32.1
    * libsoftokn3-3.90-150400.3.32.1
    * libfreebl3-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-devel-3.90-150400.3.32.1
    * mozilla-nss-certs-3.90-150400.3.32.1
    * mozilla-nss-certs-debuginfo-3.90-150400.3.32.1
  * Basesystem Module 15-SP4 (x86_64)
    * libsoftokn3-32bit-3.90-150400.3.32.1
    * mozilla-nss-32bit-3.90-150400.3.32.1
    * libsoftokn3-32bit-debuginfo-3.90-150400.3.32.1
    * libfreebl3-32bit-3.90-150400.3.32.1
    * mozilla-nss-certs-32bit-3.90-150400.3.32.1
    * mozilla-nss-certs-32bit-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-32bit-debuginfo-3.90-150400.3.32.1
    * libfreebl3-32bit-debuginfo-3.90-150400.3.32.1
  * Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64)
    * mozilla-nss-sysinit-3.90-150400.3.32.1
    * mozilla-nss-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-tools-3.90-150400.3.32.1
    * libfreebl3-3.90-150400.3.32.1
    * libsoftokn3-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-3.90-150400.3.32.1
    * mozilla-nss-sysinit-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-tools-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-debugsource-3.90-150400.3.32.1
    * libsoftokn3-3.90-150400.3.32.1
    * libfreebl3-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-devel-3.90-150400.3.32.1
    * mozilla-nss-certs-3.90-150400.3.32.1
    * mozilla-nss-certs-debuginfo-3.90-150400.3.32.1
  * Basesystem Module 15-SP5 (x86_64)
    * libsoftokn3-32bit-3.90-150400.3.32.1
    * mozilla-nss-32bit-3.90-150400.3.32.1
    * libsoftokn3-32bit-debuginfo-3.90-150400.3.32.1
    * libfreebl3-32bit-3.90-150400.3.32.1
    * mozilla-nss-certs-32bit-3.90-150400.3.32.1
    * mozilla-nss-certs-32bit-debuginfo-3.90-150400.3.32.1
    * mozilla-nss-32bit-debuginfo-3.90-150400.3.32.1
    * libfreebl3-32bit-debuginfo-3.90-150400.3.32.1
## References:
  * https://bugzilla.suse.com/show_bug.cgi?id=1185116
  * https://bugzilla.suse.com/show_bug.cgi?id=1202118