OVMSA-2017-0065 - nss nss-util security update
Type: SECURITY
Impact: CRITICAL
Release Date: 2017-04-20
Description
nss
[3.28.4-1.0.1]
- Added nss-vendor.patch to change vendor
- Temporarily disable some tests until expired PayPalEE.cert is renewed
[3.28.4-1]
- Rebase to 3.28.4
[3.28.3-3]
- Fix crash with tstclnt -W
- Adjust gtests to run with our old softoken and downstream patches
[3.28.3-2]
- Avoid cipher suite ordering change, spotted by Hubert Kario
[3.28.3-1]
- Rebase to 3.28.3
- Remove upstreamed moz-1282627-rh-1294606.patch,
moz-1312141-rh-1387811.patch, moz-1315936.patch, and
moz-1318561.patch
- Remove no longer necessary nss-duplicate-ciphers.patch
- Disable X25519 and exclude tests using it
- Catch failed ASN1 decoding of RSA keys, by Kamil Dudka (#1427481)
[3.27.1-13]
- Update expired PayPalEE.cert
[3.27.1-12]
- Disable unsupported test cases in ssl_gtests
[3.27.1-11]
- Adjust the sslstress.txt filename so that it matches with the
disableSSL2tests patch ported from RHEL 7
- Exclude SHA384 and CHACHA20_POLY1305 ciphersuites from stress tests
- Don't add gtests and ssl_gtests to nss_tests, unless gtests are enabled
[3.27.1-10]
- Add patch to fix SSL CA name leaks, taken from NSS 3.27.2 release
- Add patch to fix bash syntax error in tests/ssl.sh
- Add patch to remove duplicate ciphersuites entries in sslinfo.c
- Add patch to abort selfserv/strsclnt/tstclnt on non-parsable version range
- Build with support for SSLKEYLOGFILE
[3.27.1-9]
- Update fix_multiple_open patch to fix regression in openldap client
- Remove pk11_genobj_leak patch, which caused crash with Firefox
- Add comment in the policy file to preserve the last empty line
- Disable SHA384 ciphersuites when CKM_TLS12_KEY_AND_MAC_DERIVE is not
provided by softoken; this supersedes check_hash_impl patch
[3.27.1-8]
- Fix problem in check_hash_impl patch
[3.27.1-7]
- Add patch to check if hash algorithms are backed by a token
- Add patch to disable TLS_ECDHE_{RSA,ECDSA}_WITH_AES_128_CBC_SHA256,
which have never been enabled in the past
[3.27.1-6]
- Add upstream patch to fix a crash. Mozilla #1315936
[3.27.1-5]
- Disable the use of RSA-PSS with SSL/TLS. #1390161
[3.27.1-4]
- Use updated upstream patch for RH bug 1387811
[3.27.1-3]
- Added upstream patches to fix RH bugs 1057388, 1294606, 1387811
[3.27.1-2]
- Enable gtests when requested
[3.27.1-1]
- Rebase to NSS 3.27.1
- Remove nss-646045.patch, which is not necessary
- Remove p-disable-md5-590364-reversed.patch,
which is no-op here, because the patched code is removed later in
%setup
- Remove disable_hw_gcm.patch, which is no-op here, because the
patched code is removed later in %setup. Also remove
NSS_DISABLE_HW_GCM setting, which was only required for RHEL 5
- Add Bug-1001841-disable-sslv2-libssl.patch and
Bug-1001841-disable-sslv2-tests.patch, which completely disable
EXPORT ciphersuites. Ported from RHEL 7
- Remove disable-export-suites-tests.patch, which is covered by
Bug-1001841-disable-sslv2-tests.patch
- Remove nss-ca-2.6-enable-legacy.patch, as we decided to not allow
1024 legacy CA certificates
- Remove ssl-server-min-key-sizes.patch, as we decided to support DH
key size greater than 1023 bits
- Remove nss-init-ss-sec-certs-null.patch, which appears to be no-op,
as it clears memory area allocated with PORT_ZAlloc()
- Remove nss-disable-sslv2-libssl.patch,
nss-disable-sslv2-tests.patch, sslauth-no-v2.patch, and
nss-sslstress-txt-ssl3-lower-value-in-range.patch as SSLv2 is
already disabled in upstream
- Remove fix-nss-test-filtering.patch, which is fixed in upstream
- Add nss-check-policy-file.patch from Fedora
nss-util
[3.28.4-1]
- Rebase to NSS 3.28.4 to accommodate base64 encoding fix
[3.28.3-1]
- Rebase to NSS 3.28.3
- Package new header eccutil.h
[3.27.1-3]
- Tolerate policy file without last empty line
[3.27.1-2]
- Add missing source files
[3.27.1-1]
- Rebase to NSS 3.26.0
- Remove upstreamed patch for CVE-2016-1950
- Remove p-disable-md5-590364-reversed.patch for bug 1335915
Related CVEs
Updated Packages
Release/Architecture | Filename | sha256 | Superseded By Advisory | Channel Label |
Oracle VM 3.3 (x86_64) | nss-3.28.4-1.0.1.el6_9.src.rpm | 78511228b0da98056ab46db7e0afe7696b6613c8e4614a14390a41696d097b4a | OVMSA-2023-0014 | ovm3_x86_64_3.3_patch |
| nss-util-3.28.4-1.el6_9.src.rpm | 43ac7c8b813f3905a8b79456cd332816472ade6e7da4312c1fee8d1ab03e42d9 | OVMBA-2019-0058 | ovm3_x86_64_3.3_patch |
| nss-3.28.4-1.0.1.el6_9.x86_64.rpm | 915e277a2b8063cd95fa0b1bed8e8f26e57284314eef9f5edc8478a3c02750b6 | OVMSA-2023-0014 | ovm3_x86_64_3.3_patch |
| nss-sysinit-3.28.4-1.0.1.el6_9.x86_64.rpm | 09489b7dcc3aa1d92164ab06e29b33b0562b7bad0ee4af1cb74cb446994092cb | OVMSA-2023-0014 | ovm3_x86_64_3.3_patch |
| nss-tools-3.28.4-1.0.1.el6_9.x86_64.rpm | 60ae2f79d59bc93e3917912fd82109377ba4baa068125cbbf05adf61137789c8 | OVMSA-2023-0014 | ovm3_x86_64_3.3_patch |
| nss-util-3.28.4-1.el6_9.x86_64.rpm | d2c52b58558fb3468b8ef795efef18bd36914d604fc2929ef9274e8c2fd9c063 | OVMBA-2019-0058 | ovm3_x86_64_3.3_patch |
Oracle VM 3.4 (x86_64) | nss-3.28.4-1.0.1.el6_9.src.rpm | 78511228b0da98056ab46db7e0afe7696b6613c8e4614a14390a41696d097b4a | OVMSA-2023-0014 | ovm34_x86_64_latest |
| nss-util-3.28.4-1.el6_9.src.rpm | 43ac7c8b813f3905a8b79456cd332816472ade6e7da4312c1fee8d1ab03e42d9 | OVMBA-2019-0058 | ovm34_x86_64_latest |
| nss-3.28.4-1.0.1.el6_9.x86_64.rpm | 915e277a2b8063cd95fa0b1bed8e8f26e57284314eef9f5edc8478a3c02750b6 | OVMSA-2023-0014 | ovm34_x86_64_latest |
| nss-sysinit-3.28.4-1.0.1.el6_9.x86_64.rpm | 09489b7dcc3aa1d92164ab06e29b33b0562b7bad0ee4af1cb74cb446994092cb | OVMSA-2023-0014 | ovm34_x86_64_latest |
| nss-tools-3.28.4-1.0.1.el6_9.x86_64.rpm | 60ae2f79d59bc93e3917912fd82109377ba4baa068125cbbf05adf61137789c8 | OVMSA-2023-0014 | ovm34_x86_64_latest |
| nss-util-3.28.4-1.el6_9.x86_64.rpm | d2c52b58558fb3468b8ef795efef18bd36914d604fc2929ef9274e8c2fd9c063 | OVMBA-2019-0058 | ovm34_x86_64_latest |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections, please contact the Oracle Linux ULN team.