Issued: 2009-07-20
Updated: 2009-07-20

RHBA-2009:1161 - nspr and nss bug fix and enhancement update


Synopsis

nspr and nss bug fix and enhancement update

Type/Severity

Bug Fix Advisory

Topic

Updated nspr and nss packages that fix several bugs and add an enhancement are now available.

Description

Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. These facilities include threads, thread synchronization, normal file and network I/O, interval timing, calendar time, basic memory management (malloc and free), and shared library linking.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv2, SSLv3, TLS, and other security standards.

These updated packages upgrade nss from the previous version, 3.12.2, to a prerelease of version 3.12.4. The version of nspr has also been upgraded, from 4.7.3 to 4.7.4. These version upgrades provide fixes for the following bugs:

  • SSL client authentication failed against an Apache server when it was using the mod_nss module and configured for NSSOCSP.

On the client side, the user agent received an error message that referenced "Error Code: -12271" and stated that establishing an encrypted connection had failed because the certificate had been rejected by the host.

On the server side, the nss_error_log under /var/log/httpd/ contained the following message: "[error] Re-negotiation handshake failed: Not accepted by client!?"

Also, /var/log/httpd/error_log contained this error message: "SSL Library Error: -8071 The OCSP server experienced an internal error."

With these updated packages, the dependency problem which caused this failure has been resolved so that SSL client authentication with an Apache web server using mod_nss which is configured for NSSOCSP succeeds as expected. Note that if the presented client certificate is expired, then access is denied, the user agent is presented with an error message about the invalid certificate, and the OCSP queries are seen in the OCSP responder. Also, similar OCSP status verification happens for SSL server certificates used in Apache upon instance start or restart. (BZ#499052)

  • Attempting client authorization with a certificate authority when using ECC (Elliptic Curve Cryptography) on a machine with a hardware security module (HSM) failed with an error message stating that the browser (the test agent in this case) was unable to authenticate to the agent URL. This has been fixed in these updated packages so that agents are once again able to authenticate with certificate authorities when using the ECC algorithm on machines with an HSM. (BZ#223279)

  • In addition, these updated packages provide an enhancement to update cryptography services required by the Openswan package. (BZ#502201)

All users of nspr and nss are advised to upgrade to these updated packages, which resolve these issues and provide these enhancements.
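To check whether a host shows the server-side symptom described for BZ#499052, the following added example (not part of the original advisory) searches the two Apache logs for the messages quoted above. The function names and the sample log lines are constructed for illustration; only the two signature strings come from the advisory.

```shell
#!/bin/sh
# Added example: look for the mod_nss/OCSP failure signatures quoted in this
# advisory (BZ#499052). Function names are hypothetical, not from Red Hat.

# Signature strings copied from the advisory text.
SIG_RENEG='Re-negotiation handshake failed: Not accepted by client!?'
SIG_OCSP='SSL Library Error: -8071 The OCSP server experienced an internal error'

# count_sig FILE STRING: print the number of lines in FILE containing STRING
# (fixed-string match, so '[', '!' and '?' are taken literally).
count_sig() {
    if [ -r "$1" ]; then
        grep -cF -- "$2" "$1" || true   # grep exits 1 on zero matches
    else
        echo 0
    fi
}

# check_ocsp_symptom NSS_LOG ERROR_LOG
# Prints "reneg=<n> ocsp=<m>"; returns 0 only when both signatures are present,
# which is the combination the advisory describes, and 1 otherwise.
check_ocsp_symptom() {
    reneg=$(count_sig "$1" "$SIG_RENEG")
    ocsp=$(count_sig "$2" "$SIG_OCSP")
    echo "reneg=$reneg ocsp=$ocsp"
    [ "$reneg" -gt 0 ] && [ "$ocsp" -gt 0 ]
}

# write_sample_logs DIR: constructed log lines (timestamps invented) for a dry run.
write_sample_logs() {
    cat > "$1/nss_error_log" <<'EOF'
[Mon Jul 13 10:02:11 2009] [error] Re-negotiation handshake failed: Not accepted by client!?
[Mon Jul 13 10:05:40 2009] [notice] constructed unrelated line
EOF
    cat > "$1/error_log" <<'EOF'
[Mon Jul 13 10:02:11 2009] [error] SSL Library Error: -8071 The OCSP server experienced an internal error.
EOF
}

# Dry run on the constructed sample; on a real host pass
# /var/log/httpd/nss_error_log and /var/log/httpd/error_log instead.
tmp=$(mktemp -d)
write_sample_logs "$tmp"
check_ocsp_symptom "$tmp/nss_error_log" "$tmp/error_log" && echo "matches BZ#499052 symptom"
rm -rf "$tmp"
```

A match on an updated host means the OCSP failure has a different cause than the one this erratum fixes; compare the output of `rpm -q nss nspr` with the builds listed under Updated Packages.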

Solution

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-1125.

Affected Products

Product | Version | Arch
Red Hat Enterprise Linux for x86_64 - Extended Update Support | 5.3 | x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support | 5.3 | ia64
Red Hat Enterprise Linux for x86_64 - Extended Update Support | 5.3 | i386
Red Hat Enterprise Linux for Power, big endian | 5 | ppc
Red Hat Enterprise Linux for Power, big endian - Extended Update Support | 5.3 | ppc
Red Hat Enterprise Linux for IBM z Systems | 5 | s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support | 5.3 | s390x
Red Hat Enterprise Linux Workstation | 5 | x86_64
Red Hat Enterprise Linux Workstation | 5 | i386
Red Hat Enterprise Linux Server | 5 | x86_64
Red Hat Enterprise Linux Server | 5 | ia64
Red Hat Enterprise Linux Server | 5 | i386
Red Hat Enterprise Linux Server from RHUI | 5 | x86_64
Red Hat Enterprise Linux Server from RHUI | 5 | i386
Red Hat Enterprise Linux Server - AUS | 5.3 | x86_64
Red Hat Enterprise Linux Server - AUS | 5.3 | ia64
Red Hat Enterprise Linux Server - AUS | 5.3 | i386
Red Hat Enterprise Linux Desktop | 5 | x86_64
Red Hat Enterprise Linux Desktop | 5 | i386

Updated Packages

  • nss-devel-3.12.3.99.3-1.el5_3.2.ppc.rpm
  • nss-devel-3.12.3.99.3-1.el5_3.2.s390x.rpm
  • nss-devel-3.12.3.99.3-1.el5_3.2.x86_64.rpm
  • nspr-4.7.4-1.el5_3.1.ia64.rpm
  • nss-3.12.3.99.3-1.el5_3.2.src.rpm
  • nss-tools-3.12.3.99.3-1.el5_3.2.i386.rpm
  • nss-pkcs11-devel-3.12.3.99.3-1.el5_3.2.ppc.rpm
  • nss-3.12.3.99.3-1.el5_3.2.ppc64.rpm
  • nss-pkcs11-devel-3.12.3.99.3-1.el5_3.2.s390x.rpm
  • nss-tools-3.12.3.99.3-1.el5_3.2.ia64.rpm
  • nss-devel-3.12.3.99.3-1.el5_3.2.ppc64.rpm
  • nspr-devel-4.7.4-1.el5_3.1.s390x.rpm
  • nspr-4.7.4-1.el5_3.1.s390x.rpm
  • nspr-4.7.4-1.el5_3.1.src.rpm
  • nspr-4.7.4-1.el5_3.1.i386.rpm
  • nss-pkcs11-devel-3.12.3.99.3-1.el5_3.2.s390.rpm
  • nss-tools-3.12.3.99.3-1.el5_3.2.ppc.rpm
  • nss-tools-3.12.3.99.3-1.el5_3.2.s390x.rpm
  • nss-devel-3.12.3.99.3-1.el5_3.2.s390.rpm
  • nspr-4.7.4-1.el5_3.1.x86_64.rpm
  • nss-3.12.3.99.3-1.el5_3.2.ppc.rpm
  • nss-tools-3.12.3.99.3-1.el5_3.2.x86_64.rpm
  • nspr-4.7.4-1.el5_3.1.ppc64.rpm
  • nspr-4.7.4-1.el5_3.1.s390.rpm
  • nspr-devel-4.7.4-1.el5_3.1.s390.rpm
  • nspr-devel-4.7.4-1.el5_3.1.x86_64.rpm
  • nss-pkcs11-devel-3.12.3.99.3-1.el5_3.2.x86_64.rpm
  • nss-3.12.3.99.3-1.el5_3.2.s390x.rpm
  • nss-devel-3.12.3.99.3-1.el5_3.2.ia64.rpm
  • nss-devel-3.12.3.99.3-1.el5_3.2.i386.rpm
  • nss-pkcs11-devel-3.12.3.99.3-1.el5_3.2.i386.rpm
  • nspr-devel-4.7.4-1.el5_3.1.ia64.rpm
  • nspr-devel-4.7.4-1.el5_3.1.ppc64.rpm
  • nss-3.12.3.99.3-1.el5_3.2.s390.rpm
  • nspr-devel-4.7.4-1.el5_3.1.i386.rpm
  • nss-pkcs11-devel-3.12.3.99.3-1.el5_3.2.ia64.rpm
  • nss-3.12.3.99.3-1.el5_3.2.ia64.rpm
  • nss-3.12.3.99.3-1.el5_3.2.x86_64.rpm
  • nspr-devel-4.7.4-1.el5_3.1.ppc.rpm
  • nspr-4.7.4-1.el5_3.1.ppc.rpm
  • nss-pkcs11-devel-3.12.3.99.3-1.el5_3.2.ppc64.rpm
  • nss-3.12.3.99.3-1.el5_3.2.i386.rpm

Fixes

CVEs

(none)

References

(none)

