Lucene search

K
suseSuseSUSE-SU-2022:2533-1
HistoryJul 22, 2022 - 12:00 a.m.

Security update for mozilla-nss (important)

2022-07-2200:00:00
lists.opensuse.org
44
mozilla-nss
security update
fips 140-3
nss 3.79
nss 3.78.1
nss 3.78
nss 3.77
vulnerability fixes

EPSS

0.008

Percentile

81.4%

An update that solves one vulnerability and has 6 fixes is
now available.

Description:

This update for mozilla-nss fixes the following issues:

Various FIPS 140-3 related fixes were backported from SUSE Linux
Enterprise 15 SP4:

  • Makes the PBKDF known answer test compliant with NIST SP800-132.
    (bsc#1192079).
  • FIPS: Add on-demand integrity tests through
    sftk_FIPSRepeatIntegrityCheck() (bsc#1198980).
  • FIPS: mark algorithms as approved/non-approved according to security
    policy (bsc#1191546, bsc#1201298).
  • FIPS: remove hard disabling of unapproved algorithms. This requirement
    is now fulfilled by the service level indicator (bsc#1200325).
  • Run test suite at build time, and make it pass (bsc#1198486).
  • FIPS: skip algorithms that are hard disabled in FIPS mode.
  • Prevent expired PayPalEE cert from failing the tests.
  • Allow checksumming to be disabled, but only if we entered FIPS mode due
    to NSS_FIPS being set, not if it came from /proc.
  • FIPS: Make the PBKDF known answer test compliant with NIST SP800-132.
  • Update FIPS validation string to version-release format.
  • FIPS: remove XCBC MAC from list of FIPS approved algorithms.
  • Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID for build.
  • FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080).
  • FIPS: allow testing of unapproved algorithms (bsc#1192228).
  • FIPS: add version indicators. (bmo#1729550, bsc#1192086).
  • FIPS: fix some secret clearing (bmo#1697303, bsc#1192087).

Version update to NSS 3.79:

  • Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
  • Update mercurial in clang-format docker image.
  • Use of uninitialized pointer in lg_init after alloc fail.
  • selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
  • Add SECMOD_LockedModuleHasRemovableSlots.
  • Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
  • Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat
    extension alerts.
  • TLS 1.3 Server: Send protocol_version alert on unsupported
    ClientHello.legacy_version.
  • Correct invalid record inner and outer content type alerts.
  • NSS does not properly import or export pkcs12 files with large passwords
    and pkcs5v2 encoding.
  • improve error handling after nssCKFWInstance_CreateObjectHandle.
  • Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
  • NSS 3.79 should depend on NSPR 4.34

Version update to NSS 3.78.1:

  • Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple

Version update to NSS 3.78:

  • Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length
    record/fragment handling tests.
  • Reworked overlong record size checks and added TLS1.3 specific
    boundaries.
  • Add ECH Grease Support to tstclnt
  • Add a strict variant of moz::pkix::CheckCertHostname.
  • Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
  • Make SEC_PKCS12EnableCipher succeed
  • Update zlib in NSS to 1.2.12.

Version update to NSS 3.77:

  • Fix link to TLS page on wireshark wiki
  • Add two D-TRUST 2020 root certificates.
  • Add Telia Root CA v2 root certificate.
  • Remove expired explicitly distrusted certificates from certdata.txt.
  • support specific RSA-PSS parameters in mozilla::pkix
  • Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
  • Remove token member from NSSSlot struct.
  • Provide secure variants of mpp_pprime and mpp_make_prime.
  • Support UTF-8 library path in the module spec string.
  • Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
  • Update googletest to 1.11.0
  • Add SetTls13GreaseEchSize to experimental API.
  • TLS 1.3 Illegal legacy_version handling/alerts.
  • Fix calculation of ECH HRR Transcript.
  • Allow ld path to be set as environment variable.
  • Ensure we don’t read uninitialized memory in ssl gtests.
  • Fix DataBuffer Move Assignment.
  • internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3
  • rework signature verification in mozilla::pkix

Version update to NSS 3.76.1

  • Remove token member from NSSSlot struct.
  • Hold tokensLock through nssToken_GetSlot calls in
    nssTrustDomain_GetActiveSlots.
  • Check return value of PK11Slot_GetNSSToken.
  • Use Wycheproof JSON for RSASSA-PSS
  • Add SHA256 fingerprint comments to old certdata.txt entries.
  • Avoid truncating files in nss-release-helper.py.
  • Throw illegal_parameter alert for illegal extensions in handshake
    message.

Version update to NSS 3.75

  • Make DottedOIDToCode.py compatible with python3.
  • Avoid undefined shift in SSL_CERT_IS while fuzzing.
  • Remove redundant key type check.
  • Update ABI expectations to match ECH changes.
  • Enable CKM_CHACHA20.
  • check return on NSS_NoDB_Init and NSS_Shutdown.
  • Run ECDSA test vectors from bltest as part of the CI tests.
  • Add ECDSA test vectors to the bltest command line tool.
  • Allow to build using clang’s integrated assembler.
  • Allow to override python for the build.
  • test HKDF output rather than input.
  • Use ASSERT macros to end failed tests early.
  • move assignment operator for DataBuffer.
  • Add test cases for ECH compression and unexpected extensions in SH.
  • Update tests for ECH-13.
  • Tidy up error handling.
  • Add tests for ECH HRR Changes.
  • Server only sends GREASE HRR extension if enabled by preference.
  • Update generation of the Associated Data for ECH-13.
  • When ECH is accepted, reject extensions which were only advertised in
    the Outer Client Hello.
  • Allow for compressed, non-contiguous, extensions.
  • Scramble the PSK extension in CHOuter.
  • Split custom extension handling for ECH.
  • Add ECH-13 HRR Handling.
  • Client side ECH padding.
  • Stricter ClientHelloInner Decompression.
  • Remove ECH_inner extension, use new enum format.
  • Update the version number for ECH-13 and adjust the ECHConfig size.

Version update to NSS 3.74

  • mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses

  • Ensure clients offer consistent ciphersuites after HRR

  • NSS does not properly restrict server keys based on policy

  • Set nssckbi version number to 2.54

  • Replace Google Trust Services LLC (GTS) R4 root certificate

  • Replace Google Trust Services LLC (GTS) R3 root certificate

  • Replace Google Trust Services LLC (GTS) R2 root certificate

  • Replace Google Trust Services LLC (GTS) R1 root certificate

  • Replace GlobalSign ECC Root CA R4

  • Remove Expired Root Certificates - DST Root CA X3

  • Remove Expiring Cybertrust Global Root and GlobalSign root certificates

  • Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068
    root certificate

  • Add iTrusChina ECC root certificate

  • Add iTrusChina RSA root certificate

  • Add ISRG Root X2 root certificate

  • Add Chunghwa Telecom’s HiPKI Root CA - G1 root certificate

  • Avoid a clang 13 unused variable warning in opt build

  • Check for missing signedData field

  • Ensure DER encoded signatures are within size limits

  • enable key logging option (boo#1195040)

Version update to NSS 3.73.1:

  • Add SHA-2 support to mozilla::pkix’s OSCP implementation

Version update to NSS 3.73

  • check for missing signedData field.
  • Ensure DER encoded signatures are within size limits.
  • NSS needs FiPS 140-3 version indicators.
  • pkix_CacheCert_Lookup doesn’t return cached certs
  • sunset Coverity from NSS

Fixed MFSA 2021-51 (bsc#1193170) CVE-2021-43527: Memory corruption via
DER-encoded DSA and RSA-PSS signatures

Version update to NSS 3.72

  • Fix nsinstall parallel failure.
  • Increase KDF cache size to mitigate perf regression in about:logins

Version update to NSS 3.71

  • Set nssckbi version number to 2.52.
  • Respect server requirements of
    tlsfuzzer/test-tls13-signature-algorithms.py
  • Import of PKCS#12 files with Camellia encryption is not supported
  • Add HARICA Client ECC Root CA 2021.
  • Add HARICA Client RSA Root CA 2021.
  • Add HARICA TLS ECC Root CA 2021.
  • Add HARICA TLS RSA Root CA 2021.
  • Add TunTrust Root CA certificate to NSS.

Version update to NSS 3.70

  • Update test case to verify fix.
  • Explicitly disable downgrade check in
    TlsConnectStreamTls13.EchOuterWith12Max
  • Explicitly disable downgrade check in
    TlsConnectTest.DisableFalseStartOnFallback
  • Avoid using a lookup table in nssb64d.
  • Use HW accelerated SHA2 on AArch64 Big Endian.
  • Change default value of enableHelloDowngradeCheck to true.
  • Cache additional PBE entries.
  • Read HPKE vectors from official JSON.

Version update to NSS 3.69.1:

  • Disable DTLS 1.0 and 1.1 by default
  • integrity checks in key4.db not happening on private components with
    AES_CBC

NSS 3.69:

  • Disable DTLS 1.0 and 1.1 by default (backed out again)
  • integrity checks in key4.db not happening on private components with
    AES_CBC (backed out again)
  • SSL handling of signature algorithms ignores environmental invalid
    algorithms.
  • sqlite 3.34 changed it’s open semantics, causing nss failures.
  • Gtest update changed the gtest reports, losing gtest details in all.sh
    reports.
  • NSS incorrectly accepting 1536 bit DH primes in FIPS mode
  • SQLite calls could timeout in starvation situations.
  • Coverity/cpp scanner errors found in nss 3.67
  • Import the NSS documentation from MDN in nss/doc.
  • NSS using a tempdir to measure sql performance not active

Version Update to 3.68.4 (bsc#1200027)

  • CVE-2022-31741: Initialize pointers passed to
    NSS_CMSDigestContext_FinishMultiple. (bmo#1767590)

Mozilla NSPR was updated to version 4.34:

  • add an API that returns a preferred loopback IP on hosts that have two
    IP stacks available.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.4:

    zypper in -t patch openSUSE-SLE-15.4-2022-2533=1

  • openSUSE Leap 15.3:

    zypper in -t patch openSUSE-SLE-15.3-2022-2533=1

  • SUSE Manager Server 4.1:

    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-2533=1

  • SUSE Manager Retail Branch Server 4.1:

    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-2533=1

  • SUSE Manager Proxy 4.1:

    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-2533=1

  • SUSE Linux Enterprise Server for SAP 15-SP2:

    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-2533=1

  • SUSE Linux Enterprise Server for SAP 15-SP1:

    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2022-2533=1

  • SUSE Linux Enterprise Server for SAP 15:

    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2022-2533=1

  • SUSE Linux Enterprise Server 15-SP2-LTSS:

    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-2533=1

  • SUSE Linux Enterprise Server 15-SP2-BCL:

    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-2533=1

  • SUSE Linux Enterprise Server 15-SP1-LTSS:

    zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2022-2533=1

  • SUSE Linux Enterprise Server 15-SP1-BCL:

    zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2022-2533=1

  • SUSE Linux Enterprise Server 15-LTSS:

    zypper in -t patch SUSE-SLE-Product-SLES-15-2022-2533=1

  • SUSE Linux Enterprise Module for Server Applications 15-SP3:

    zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2022-2533=1

  • SUSE Linux Enterprise Module for Basesystem 15-SP4:

    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2022-2533=1

  • SUSE Linux Enterprise Module for Basesystem 15-SP3:

    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-2533=1

  • SUSE Linux Enterprise Micro 5.2:

    zypper in -t patch SUSE-SUSE-MicroOS-5.2-2022-2533=1

  • SUSE Linux Enterprise Micro 5.1:

    zypper in -t patch SUSE-SUSE-MicroOS-5.1-2022-2533=1

  • SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS:

    zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-2533=1

  • SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS:

    zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-2533=1

  • SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:

    zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2022-2533=1

  • SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:

    zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2022-2533=1

  • SUSE Linux Enterprise High Performance Computing 15-LTSS:

    zypper in -t patch SUSE-SLE-Product-HPC-15-2022-2533=1

  • SUSE Linux Enterprise High Performance Computing 15-ESPOS:

    zypper in -t patch SUSE-SLE-Product-HPC-15-2022-2533=1

  • SUSE Enterprise Storage 7:

    zypper in -t patch SUSE-Storage-7-2022-2533=1

  • SUSE Enterprise Storage 6:

    zypper in -t patch SUSE-Storage-6-2022-2533=1

  • SUSE CaaS Platform 4.0:

    To install this update, use the SUSE CaaS Platform ‘skuba’ tool. It
    will inform you if it detects new updates and let you then trigger
    updating of the complete cluster in a controlled way.

OSVersionArchitecturePackageVersionFilename
openSUSE Leap15.4aarch64< - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):.aarch64.rpm
openSUSE Leap15.4ppc64le< - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):.ppc64le.rpm
openSUSE Leap15.4s390x< - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):.s390x.rpm
openSUSE Leap15.4x86_64< - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):.x86_64.rpm
openSUSE Leap15.4x86_64< - openSUSE Leap 15.4 (x86_64):- openSUSE Leap 15.4 (x86_64):.x86_64.rpm
openSUSE Leap15.3aarch64< - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):.aarch64.rpm
openSUSE Leap15.3ppc64le< - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):.ppc64le.rpm
openSUSE Leap15.3s390x< - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):.s390x.rpm
openSUSE Leap15.3x86_64< - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):.x86_64.rpm
openSUSE Leap15.3x86_64< - openSUSE Leap 15.3 (x86_64):- openSUSE Leap 15.3 (x86_64):.x86_64.rpm
Rows per page:
1-10 of 841