Issued:
2011-12-06
Updated:
2011-12-06

RHBA-2011:1584 - nspr, nss, nss-softokn and nss-util bug fix and enhancement update

Synopsis

nspr, nss, nss-softokn and nss-util bug fix and enhancement update

Type/Severity

Bug Fix Advisory (none)

Topic

Updated nspr and nss related packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

Description

Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. These facilities include threads, thread synchronization, normal file and network I/O, interval timing, calendar time, basic memory management (the malloc() and free() functions), and shared library linking.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv2, SSLv3, TLS, and other security standards.

The nss component has been upgraded to upstream version 3.12.10, which provides a number of bug fixes and enhancements. (BZ#712958)

The nss-util package has been upgraded to upstream version 3.12.10, which provides a number of bug fixes and enhancements.(BZ#712960)

The nspr component has been upgraded to upstream version 4.8.8, which provides a number of bug fixes and enhancements. (BZ#712963)

This update fixes these bugs:

  • The CMS message decoder lost the pointer to enveloped data when decoding a message encoded with CMS (Cryptographic Message Syntax) that contained enveloped data. Consequently, the decoder got into an infinite loop and decoding terminated due to a stack overflow. With this update, the underlying code has been modified and the problem no longer occurs. (BZ#668882)

  • The CMS routines failed to verify signed data when the SignerInfo object was using a subjectKeyID extension to indicate the signer and returned the following output:

    signer 0 status = SigningCertNotFound cmsutil: problem decoding: Unrecognized Object Identifier.

With this update, the subjectKeyID entries have been added to a temporary in-memory map of subjectKeyID values of certificates and the verification of such data now succeeds. (BZ#671266)

  • When running debug builds, the pem module occasionally terminated with a segmentation fault when attempting to write to its log file due to insufficient permissions. This happened when the module was initially used by an application with superuser privileges, which created the log file, and subsequently by an application with non-superuser privileges as the application could not access the logging file due to lower privileges. (BZ#695018)

  • When using the generateCRMFRequest tool to produce an RSA key larger than 2048, the process failed. This occurred because the crmf library used by generateCRMFRequest had the value for the maximum size for wrapped private keys (the MAX_WRAPPED_KEY_LEN property) hardcoded to 2048 bytes. The size is now adjusted based on the provided key attributes and the problem no longer occurs. (BZ#703658)

  • On a 64-bit CPU with native AES instruction support, the intel_aes_decrypt_cbc_256() function did not work correctly when input and output buffers were the same and the function call failed with the message "data mismatch". This update fixes the code and the same buffer can be used for input and output. (BZ#710298)

  • The health tests for deterministic random bit generator (DRBG) have been updated to better meet FIPS requirements. (BZ#747053)

  • On NSS initialization, the module loader incorrectly initialized the PKCS#11 module even if the module was not adding any persistent certificate or module databases. Consequently, an attempt to synchronize usernames and passwords on an IPA server with data on an Active Directory server failed with the error "{'desc': "Can't contact LDAP server"}". The NSS module loader now checks the relevant flags and the problem no longer occurs. (BZ#747387)

This update adds these enhancements:

  • NSS supports pluggable ECC (Error-Correcting Code) memory. (BZ#688423)

  • The nss-softokn, nss-util, nss, and nspr libraries have been built with partial RELRO support (-Wl,-z,relro). (BZ#724001, BZ#724002, BZ#724003, BZ#724004).

Users are advised to upgrade to these updated nspr and nss related packages, which fix the bugs and add the enhancements.

Solution

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at This content is not included.https://access.redhat.com/kb/docs/DOC-11259

Affected Products

ProductVersionArch
Red Hat Enterprise Linux for Scientific Computing6x86_64
Red Hat Enterprise Linux for Power, big endian6ppc64
Red Hat Enterprise Linux for IBM z Systems6s390x
Red Hat Enterprise Linux Workstation6x86_64
Red Hat Enterprise Linux Workstation6i386
Red Hat Enterprise Linux Server6x86_64
Red Hat Enterprise Linux Server6i386
Red Hat Enterprise Linux Server from RHUI6x86_64
Red Hat Enterprise Linux Server from RHUI6i386
Red Hat Enterprise Linux Server - Retired Extended Life Cycle Support6x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support6x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support6i386
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension6x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension6i386
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems)6s390x
Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems)6s390x
Red Hat Enterprise Linux Desktop6x86_64
Red Hat Enterprise Linux Desktop6i386

Updated Packages

  • nss-softokn-debuginfo-3.12.9-11.el6.x86_64.rpm
  • nss-pkcs11-devel-3.12.10-16.el6.i686.rpm
  • nss-util-debuginfo-3.12.10-2.el6.ppc64.rpm
  • nss-sysinit-3.12.10-16.el6.ppc64.rpm
  • nss-pkcs11-devel-3.12.10-16.el6.s390.rpm
  • nss-debuginfo-3.12.10-16.el6.x86_64.rpm
  • nspr-4.8.8-3.el6.s390.rpm
  • nspr-devel-4.8.8-3.el6.i686.rpm
  • nss-softokn-3.12.9-11.el6.ppc.rpm
  • nss-util-3.12.10-2.el6.x86_64.rpm
  • nspr-debuginfo-4.8.8-3.el6.x86_64.rpm
  • nss-util-devel-3.12.10-2.el6.x86_64.rpm
  • nspr-4.8.8-3.el6.x86_64.rpm
  • nss-util-3.12.10-2.el6.ppc.rpm
  • nss-softokn-debuginfo-3.12.9-11.el6.s390.rpm
  • nss-3.12.10-16.el6.ppc64.rpm
  • nss-util-3.12.10-2.el6.s390x.rpm
  • nss-sysinit-3.12.10-16.el6.i686.rpm
  • nss-debuginfo-3.12.10-16.el6.s390x.rpm
  • nss-util-debuginfo-3.12.10-2.el6.i686.rpm
  • nspr-4.8.8-3.el6.src.rpm
  • nss-util-3.12.10-2.el6.src.rpm
  • nss-softokn-devel-3.12.9-11.el6.ppc.rpm
  • nss-pkcs11-devel-3.12.10-16.el6.x86_64.rpm
  • nss-pkcs11-devel-3.12.10-16.el6.s390x.rpm
  • nss-tools-3.12.10-16.el6.s390x.rpm
  • nspr-debuginfo-4.8.8-3.el6.s390.rpm
  • nss-softokn-debuginfo-3.12.9-11.el6.s390x.rpm
  • nss-tools-3.12.10-16.el6.i686.rpm
  • nss-softokn-debuginfo-3.12.9-11.el6.ppc64.rpm
  • nspr-devel-4.8.8-3.el6.ppc64.rpm
  • nss-3.12.10-16.el6.ppc.rpm
  • nspr-devel-4.8.8-3.el6.ppc.rpm
  • nss-softokn-freebl-devel-3.12.9-11.el6.ppc.rpm
  • nss-debuginfo-3.12.10-16.el6.ppc.rpm
  • nss-sysinit-3.12.10-16.el6.s390x.rpm
  • nss-softokn-3.12.9-11.el6.i686.rpm
  • nss-softokn-3.12.9-11.el6.src.rpm
  • nss-sysinit-3.12.10-16.el6.x86_64.rpm
  • nss-softokn-devel-3.12.9-11.el6.x86_64.rpm
  • nss-softokn-freebl-devel-3.12.9-11.el6.s390.rpm
  • nss-util-3.12.10-2.el6.s390.rpm
  • nss-softokn-freebl-devel-3.12.9-11.el6.i686.rpm
  • nss-util-devel-3.12.10-2.el6.i686.rpm
  • nss-3.12.10-16.el6.i686.rpm
  • nss-util-3.12.10-2.el6.i686.rpm
  • nss-softokn-freebl-devel-3.12.9-11.el6.x86_64.rpm
  • nss-util-debuginfo-3.12.10-2.el6.x86_64.rpm
  • nss-softokn-3.12.9-11.el6.ppc64.rpm
  • nss-util-devel-3.12.10-2.el6.ppc64.rpm
  • nss-util-3.12.10-2.el6.ppc64.rpm
  • nss-softokn-debuginfo-3.12.9-11.el6.i686.rpm
  • nss-tools-3.12.10-16.el6.x86_64.rpm
  • nss-3.12.10-16.el6.s390.rpm
  • nspr-debuginfo-4.8.8-3.el6.i686.rpm
  • nss-devel-3.12.10-16.el6.s390.rpm
  • nspr-debuginfo-4.8.8-3.el6.ppc64.rpm
  • nss-softokn-3.12.9-11.el6.s390x.rpm
  • nss-softokn-freebl-3.12.9-11.el6.ppc.rpm
  • nss-softokn-freebl-3.12.9-11.el6.ppc64.rpm
  • nss-tools-3.12.10-16.el6.ppc64.rpm
  • nspr-devel-4.8.8-3.el6.s390x.rpm
  • nss-3.12.10-16.el6.x86_64.rpm
  • nss-softokn-devel-3.12.9-11.el6.s390.rpm
  • nss-util-devel-3.12.10-2.el6.s390x.rpm
  • nss-devel-3.12.10-16.el6.x86_64.rpm
  • nspr-4.8.8-3.el6.ppc64.rpm
  • nss-util-debuginfo-3.12.10-2.el6.s390.rpm
  • nss-util-devel-3.12.10-2.el6.s390.rpm
  • nss-softokn-freebl-devel-3.12.9-11.el6.ppc64.rpm
  • nss-softokn-devel-3.12.9-11.el6.i686.rpm
  • nss-softokn-freebl-3.12.9-11.el6.i686.rpm
  • nss-pkcs11-devel-3.12.10-16.el6.ppc64.rpm
  • nss-debuginfo-3.12.10-16.el6.i686.rpm
  • nspr-4.8.8-3.el6.i686.rpm
  • nss-softokn-freebl-3.12.9-11.el6.s390.rpm
  • nss-debuginfo-3.12.10-16.el6.ppc64.rpm
  • nss-pkcs11-devel-3.12.10-16.el6.ppc.rpm
  • nss-softokn-freebl-devel-3.12.9-11.el6.s390x.rpm
  • nss-3.12.10-16.el6.src.rpm
  • nspr-4.8.8-3.el6.ppc.rpm
  • nss-util-devel-3.12.10-2.el6.ppc.rpm
  • nss-softokn-freebl-3.12.9-11.el6.s390x.rpm
  • nspr-4.8.8-3.el6.s390x.rpm
  • nspr-devel-4.8.8-3.el6.x86_64.rpm
  • nss-softokn-devel-3.12.9-11.el6.s390x.rpm
  • nss-softokn-devel-3.12.9-11.el6.ppc64.rpm
  • nss-3.12.10-16.el6.s390x.rpm
  • nss-softokn-3.12.9-11.el6.x86_64.rpm
  • nspr-devel-4.8.8-3.el6.s390.rpm
  • nss-util-debuginfo-3.12.10-2.el6.ppc.rpm
  • nss-softokn-3.12.9-11.el6.s390.rpm
  • nss-devel-3.12.10-16.el6.s390x.rpm
  • nss-devel-3.12.10-16.el6.ppc.rpm
  • nss-devel-3.12.10-16.el6.ppc64.rpm
  • nss-util-debuginfo-3.12.10-2.el6.s390x.rpm
  • nss-softokn-debuginfo-3.12.9-11.el6.ppc.rpm
  • nss-debuginfo-3.12.10-16.el6.s390.rpm
  • nss-devel-3.12.10-16.el6.i686.rpm
  • nss-softokn-freebl-3.12.9-11.el6.x86_64.rpm
  • nspr-debuginfo-4.8.8-3.el6.ppc.rpm
  • nspr-debuginfo-4.8.8-3.el6.s390x.rpm

Fixes

CVEs

(none)

References

(none)

Additional information