SUSE-RU-2024:2564-1: moderate: Recommended update for mozilla-nss

SLE-UPDATES null at suse.de
Fri Jul 19 12:30:21 UTC 2024



# Recommended update for mozilla-nss

Announcement ID: SUSE-RU-2024:2564-1  
Rating: moderate  
References:

  * bsc#1214980
  * bsc#1222804
  * bsc#1222807
  * bsc#1222811
  * bsc#1222813
  * bsc#1222814
  * bsc#1222821
  * bsc#1222822
  * bsc#1222826
  * bsc#1222828
  * bsc#1222830
  * bsc#1222833
  * bsc#1222834
  * bsc#1223724
  * bsc#1224113
  * bsc#1224115
  * bsc#1224116
  * bsc#1224118
  * jsc#PED-6358

  
Cross-References:

  * CVE-2023-5388

  
CVSS scores:

  * CVE-2023-5388 ( SUSE ):  6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

  
Affected Products:

  * SUSE Linux Enterprise High Performance Computing 12 SP5
  * SUSE Linux Enterprise Server 12 SP5
  * SUSE Linux Enterprise Server for SAP Applications 12 SP5
  * SUSE Linux Enterprise Software Development Kit 12 SP5

  
  
An update that solves one vulnerability, contains one feature and has 17 fixes
can now be installed.

## Description:

This update for mozilla-nss fixes the following issues:

  * Fixed startup crash of Firefox when using FIPS-mode (bsc#1223724).
  * Added "Provides: nss" so other RPMs that require 'nss' can be installed
    (jira PED-6358).

  * FIPS: added safe memsets (bsc#1222811)

  * FIPS: restrict AES-GCM (bsc#1222830)
  * FIPS: Updated FIPS approved cipher lists (bsc#1222813, bsc#1222814,
    bsc#1222821, bsc#1222822, bsc#1224118)
  * FIPS: Updated FIPS self tests (bsc#1222807, bsc#1222828, bsc#1222834)
  * FIPS: Updated FIPS approved cipher lists (bsc#1222804, bsc#1222826,
    bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116)

Update to NSS 3.101.1:

  * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.

Update to NSS 3.101:

  * add diagnostic assertions for SFTKObject refcount.
  * freeing the slot in DeleteCertAndKey if authentication failed
  * fix formatting issues.
  * Add Firmaprofesional CA Root-A Web to NSS.
  * remove invalid acvp fuzz test vectors.
  * pad short P-384 and P-521 signatures gtests.
  * remove unused FreeBL ECC code.
  * pad short P-384 and P-521 signatures.
  * be less strict about ECDSA private key length.
  * Integrate HACL* P-521.
  * Integrate HACL* P-384.
  * memory leak in create_objects_from_handles.
  * ensure all input is consumed in a few places in mozilla::pkix
  * SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
  * clean up escape handling
  * Use lib::pkix as default validator instead of the old-one
  * Need to add high level support for PQ signing.
  * Certificate Compression: changing the allocation/freeing of buffer +
    Improving the documentation
  * SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
  * Allow for non-full length ecdsa signature when using softoken
  * Modification of .taskcluster.yml due to mozlint indent defects
  * Implement support for PBMAC1 in PKCS#12
  * disable VLA warnings for fuzz builds.
  * remove redundant AllocItem implementation.
  * add PK11_ReadDistrustAfterAttribute.
  * Clang-formatting of SEC_GetMgfTypeByOidTag update
  * Set SEC_ERROR_LIBRARY_FAILURE on self-test failure
  * sftk_getParameters(): Fix fallback to default variable after error with
    configfile.
  * Switch to the mozillareleases/image_builder image

  * switch from ec_field_GFp to ec_field_plain

Update to NSS 3.100:

  * merge pk11_kyberSlotList into pk11_ecSlotList for faster Xyber operations.
  * remove ckcapi.
  * avoid a potential PK11GenericObject memory leak.
  * Remove incomplete ESDH code.
  * Decrypt RSA OAEP encrypted messages.
  * Fix certutil CRLDP URI code.
  * Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys.
  * Add ability to encrypt and decrypt CMS messages using ECDH.
  * Correct Templates for key agreement in smime/cmsasn.c.
  * Moving the decodedCert allocation to NSS.
  * Allow developers to speed up repeated local execution of NSS tests that
    depend on certificates.

Update to NSS 3.99:

  * Removing check for message len in ed25519 (bmo#1325335)
  * add ed25519 to SECU_ecName2params. (bmo#1884276)
  * add EdDSA wycheproof tests. (bmo#1325335)
  * nss/lib layer code for EDDSA. (bmo#1325335)
  * Adding EdDSA implementation. (bmo#1325335)
  * Exporting Certificate Compression types (bmo#1881027)
  * Updating ACVP docker to rust 1.74 (bmo#1880857)
  * Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335)
  * Add NSS_CMSRecipient_IsSupported. (bmo#1877730)

Update to NSS 3.98:

  * (CVE-2023-5388) Timing attack against RSA decryption in TLS
  * Certificate Compression: enabling the check that the compression was
    advertised
  * Move Windows workers to nss-1/b-win2022-alpha
  * Remove Email trust bit from OISTE WISeKey Global Root GC CA
  * Replace `distutils.spawn.find_executable` with `shutil.which` within `mach`
    in `nss`
  * Certificate Compression: Updating nss_bogo_shim to support Certificate
    compression
  * TLS Certificate Compression (RFC 8879) Implementation
  * Add valgrind annotations to freebl kyber operations for constant-time
    execution tests
  * Set nssckbi version number to 2.66
  * Add Telekom Security roots
  * Add D-Trust 2022 S/MIME roots
  * Remove expired Security Communication RootCA1 root
  * move keys to a slot that supports concatenation in PK11_ConcatSymKeys
  * remove unmaintained tls-interop tests
  * bogo: add support for the -ipv6 and -shim-id shim flags
  * bogo: add support for the -curves shim flag and update Kyber expectations
  * bogo: adjust expectation for a key usage bit test
  * mozpkix: add option to ignore invalid subject alternative names
  * Fix selfserv not stripping `publicname:` from -X value
  * take ownership of ecckilla shims
  * add valgrind annotations to freebl/ec.c
  * PR_INADDR_ANY needs PR_htonl before assignment to inet.ip
  * Update zlib to 1.3.1

Update to NSS 3.97:

  * make Xyber768d00 opt-in by policy
  * add libssl support for xyber768d00
  * add PK11_ConcatSymKeys
  * add Kyber and a PKCS#11 KEM interface to softoken
  * add a FreeBL API for Kyber
  * part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff
  * part 1: add a script for vendoring kyber from pq-crystals repo
  * Removing the calls to RSA Blind from loader.*
  * fix worker type for level3 mac tasks
  * RSA Blind implementation
  * Remove DSA selftests
  * read KWP testvectors from JSON
  * Backed out changeset dcb174139e4f
  * Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation
  * Wrap CC shell commands in gyp expansions

Update to NSS 3.96.1:

  * Use pypi dependencies for MacOS worker in ./build_gyp.sh
  * p7sign: add -a hash and -u certusage (also p7verify cleanups)
  * add a defensive check for large ssl_DefSend return values
  * Add dependency to the taskcluster script for Darwin
  * Upgrade version of the MacOS worker for the CI

Update to NSS 3.95:

  * Bump builtins version number.
  * Remove Email trust bit from Autoridad de Certificacion Firmaprofesional CIF
    A62634068 root cert.
  * Remove 4 DigiCert (Symantec/Verisign) Root Certificates
  * Remove 3 TrustCor Root Certificates from NSS.
  * Remove Camerfirma root certificates from NSS.
  * Remove old Autoridad de Certificacion Firmaprofesional Certificate.
  * Add four Commscope root certificates to NSS.
  * Add TrustAsia Global Root CA G3 and G4 root certificates.
  * Include P-384 and P-521 Scalar Validation from HACL*
  * Include P-256 Scalar Validation from HACL*.
  * After the HACL 256 ECC patch, NSS incorrectly encodes 256 ECC without DER
    wrapping at the softoken level
  * Add means to provide library parameters to C_Initialize
  * add OSXSAVE and XCR0 tests to AVX2 detection.
  * Typo in ssl3_AppendHandshakeNumber
  * Introducing input check of ssl3_AppendHandshakeNumber
  * Fix Invalid casts in instance.c

Update to NSS 3.94:

  * Updated code and commit ID for HACL*
  * update ACVP fuzzed test vector: refuzzed with current NSS
  * Softoken C_ calls should use system FIPS setting to select NSC_ or FC_
    variants
  * NSS needs a database tool that can dump the low level representation of the
    database
  * declare string literals using char in pkixnames_tests.cpp
  * avoid implicit conversion for ByteString
  * update rust version for acvp docker
  * Moving the init function of the mpi_ints before clean-up in ec.c
  * P-256 ECDH and ECDSA from HACL*
  * Add ACVP test vectors to the repository
  * Stop relying on std::basic_string<uint8_t>
  * Transpose the PPC_ABI check from Makefile to gyp

Update to NSS 3.93:

  * Update zlib in NSS to 1.3.
  * softoken: iterate hashUpdate calls for long inputs.
  * regenerate NameConstraints test certificates (bsc#1214980).

Update to NSS 3.92:

  * Set nssckbi version number to 2.62
  * Add 4 Atos TrustedRoot Root CA certificates to NSS
  * Add 4 SSL.com Root CA certificates
  * Add Sectigo E46 and R46 Root CA certificates
  * Add LAWtrust Root CA2 (4096)
  * Remove E-Tugra Certification Authority root
  * Remove Camerfirma Chambers of Commerce Root.
  * Remove Hongkong Post Root CA 1
  * Remove E-Tugra Global Root CA ECC v3 and RSA v3
  * Avoid redefining BYTE_ORDER on hppa Linux

Update to NSS 3.91:

  * Implementation of the HW support check for ADX instruction
  * Removing the support of Curve25519
  * Fix comment about the addition of ticketSupportsEarlyData
  * Adding args to enable-legacy-db build
  * dbtests.sh failure in "certutil dump keys with explicit default trust flags"
  * Initialize flags in slot structures
  * Improve the length check of RSA input to avoid heap overflow
  * Followup Fixes
  * avoid processing unexpected inputs by checking for m_exptmod base sign
  * add a limit check on order_k to avoid infinite loop
  * Update HACL* to commit 5f6051d2
  * add SHA3 to cryptohi and softoken
  * HACL SHA3
  * Disabling ASM C25519 for all but X86_64

Update to NSS 3.90.3:

  * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
  * clean up escape handling.
  * remove redundant AllocItem implementation.
  * Disable ASM support for Curve25519.
  * Disable ASM support for Curve25519 for all but X86_64.

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Enterprise Software Development Kit 12 SP5  
    zypper in -t patch SUSE-SLE-SDK-12-SP5-2024-2564=1

  * SUSE Linux Enterprise High Performance Computing 12 SP5  
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-2564=1

  * SUSE Linux Enterprise Server 12 SP5  
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-2564=1

  * SUSE Linux Enterprise Server for SAP Applications 12 SP5  
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-2564=1

## Package List:

  * SUSE Linux Enterprise Software Development Kit 12 SP5 (aarch64 ppc64le s390x
    x86_64)
    * mozilla-nss-devel-3.101.1-58.118.1
    * mozilla-nss-debugsource-3.101.1-58.118.1
    * mozilla-nss-debuginfo-3.101.1-58.118.1
  * SUSE Linux Enterprise High Performance Computing 12 SP5 (aarch64 x86_64)
    * mozilla-nss-devel-3.101.1-58.118.1
    * mozilla-nss-3.101.1-58.118.1
    * mozilla-nss-sysinit-3.101.1-58.118.1
    * mozilla-nss-tools-3.101.1-58.118.1
    * mozilla-nss-debuginfo-3.101.1-58.118.1
    * mozilla-nss-certs-3.101.1-58.118.1
    * mozilla-nss-sysinit-debuginfo-3.101.1-58.118.1
    * libfreebl3-debuginfo-3.101.1-58.118.1
    * mozilla-nss-debugsource-3.101.1-58.118.1
    * libfreebl3-3.101.1-58.118.1
    * libsoftokn3-3.101.1-58.118.1
    * libsoftokn3-debuginfo-3.101.1-58.118.1
    * mozilla-nss-certs-debuginfo-3.101.1-58.118.1
    * mozilla-nss-tools-debuginfo-3.101.1-58.118.1
  * SUSE Linux Enterprise High Performance Computing 12 SP5 (x86_64)
    * libfreebl3-32bit-3.101.1-58.118.1
    * mozilla-nss-debuginfo-32bit-3.101.1-58.118.1
    * libfreebl3-debuginfo-32bit-3.101.1-58.118.1
    * libsoftokn3-32bit-3.101.1-58.118.1
    * mozilla-nss-sysinit-32bit-3.101.1-58.118.1
    * libsoftokn3-debuginfo-32bit-3.101.1-58.118.1
    * mozilla-nss-certs-32bit-3.101.1-58.118.1
    * mozilla-nss-certs-debuginfo-32bit-3.101.1-58.118.1
    * mozilla-nss-sysinit-debuginfo-32bit-3.101.1-58.118.1
    * mozilla-nss-32bit-3.101.1-58.118.1
  * SUSE Linux Enterprise Server 12 SP5 (aarch64 ppc64le s390x x86_64)
    * mozilla-nss-devel-3.101.1-58.118.1
    * mozilla-nss-3.101.1-58.118.1
    * mozilla-nss-sysinit-3.101.1-58.118.1
    * mozilla-nss-tools-3.101.1-58.118.1
    * mozilla-nss-debuginfo-3.101.1-58.118.1
    * mozilla-nss-certs-3.101.1-58.118.1
    * mozilla-nss-sysinit-debuginfo-3.101.1-58.118.1
    * libfreebl3-debuginfo-3.101.1-58.118.1
    * mozilla-nss-debugsource-3.101.1-58.118.1
    * libfreebl3-3.101.1-58.118.1
    * libsoftokn3-3.101.1-58.118.1
    * libsoftokn3-debuginfo-3.101.1-58.118.1
    * mozilla-nss-certs-debuginfo-3.101.1-58.118.1
    * mozilla-nss-tools-debuginfo-3.101.1-58.118.1
  * SUSE Linux Enterprise Server 12 SP5 (x86_64)
    * libfreebl3-32bit-3.101.1-58.118.1
    * mozilla-nss-debuginfo-32bit-3.101.1-58.118.1
    * libfreebl3-debuginfo-32bit-3.101.1-58.118.1
    * libsoftokn3-32bit-3.101.1-58.118.1
    * mozilla-nss-sysinit-32bit-3.101.1-58.118.1
    * libsoftokn3-debuginfo-32bit-3.101.1-58.118.1
    * mozilla-nss-certs-32bit-3.101.1-58.118.1
    * mozilla-nss-certs-debuginfo-32bit-3.101.1-58.118.1
    * mozilla-nss-sysinit-debuginfo-32bit-3.101.1-58.118.1
    * mozilla-nss-32bit-3.101.1-58.118.1
  * SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64)
    * mozilla-nss-devel-3.101.1-58.118.1
    * mozilla-nss-3.101.1-58.118.1
    * mozilla-nss-sysinit-3.101.1-58.118.1
    * mozilla-nss-tools-3.101.1-58.118.1
    * mozilla-nss-debuginfo-3.101.1-58.118.1
    * mozilla-nss-certs-3.101.1-58.118.1
    * mozilla-nss-sysinit-debuginfo-3.101.1-58.118.1
    * libfreebl3-debuginfo-3.101.1-58.118.1
    * mozilla-nss-debugsource-3.101.1-58.118.1
    * libfreebl3-3.101.1-58.118.1
    * libsoftokn3-3.101.1-58.118.1
    * libsoftokn3-debuginfo-3.101.1-58.118.1
    * mozilla-nss-certs-debuginfo-3.101.1-58.118.1
    * mozilla-nss-tools-debuginfo-3.101.1-58.118.1
  * SUSE Linux Enterprise Server for SAP Applications 12 SP5 (x86_64)
    * libfreebl3-32bit-3.101.1-58.118.1
    * mozilla-nss-debuginfo-32bit-3.101.1-58.118.1
    * libfreebl3-debuginfo-32bit-3.101.1-58.118.1
    * libsoftokn3-32bit-3.101.1-58.118.1
    * mozilla-nss-sysinit-32bit-3.101.1-58.118.1
    * libsoftokn3-debuginfo-32bit-3.101.1-58.118.1
    * mozilla-nss-certs-32bit-3.101.1-58.118.1
    * mozilla-nss-certs-debuginfo-32bit-3.101.1-58.118.1
    * mozilla-nss-sysinit-debuginfo-32bit-3.101.1-58.118.1
    * mozilla-nss-32bit-3.101.1-58.118.1

## References:

  * https://www.suse.com/security/cve/CVE-2023-5388.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1214980
  * https://bugzilla.suse.com/show_bug.cgi?id=1222804
  * https://bugzilla.suse.com/show_bug.cgi?id=1222807
  * https://bugzilla.suse.com/show_bug.cgi?id=1222811
  * https://bugzilla.suse.com/show_bug.cgi?id=1222813
  * https://bugzilla.suse.com/show_bug.cgi?id=1222814
  * https://bugzilla.suse.com/show_bug.cgi?id=1222821
  * https://bugzilla.suse.com/show_bug.cgi?id=1222822
  * https://bugzilla.suse.com/show_bug.cgi?id=1222826
  * https://bugzilla.suse.com/show_bug.cgi?id=1222828
  * https://bugzilla.suse.com/show_bug.cgi?id=1222830
  * https://bugzilla.suse.com/show_bug.cgi?id=1222833
  * https://bugzilla.suse.com/show_bug.cgi?id=1222834
  * https://bugzilla.suse.com/show_bug.cgi?id=1223724
  * https://bugzilla.suse.com/show_bug.cgi?id=1224113
  * https://bugzilla.suse.com/show_bug.cgi?id=1224115
  * https://bugzilla.suse.com/show_bug.cgi?id=1224116
  * https://bugzilla.suse.com/show_bug.cgi?id=1224118
  * https://jira.suse.com/browse/PED-6358
