Issued: 2015-03-05
Updated: 2015-03-05

RHBA-2015:0364 - nss, nss-softokn, nss-util, and nspr bug fix and enhancement update


Synopsis

nss, nss-softokn, nss-util, and nspr bug fix and enhancement update

Type/Severity

Bug Fix Advisory

Topic

Updated nss, nss-softokn, nss-util, and nspr packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 7.

Description

Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

The nss, nss-softokn, and nss-util packages have been upgraded to upstream versions 3.16.2.3, and the nspr packages have been upgraded to upstream version 4.10.6. The upgraded versions provide a number of bug fixes and enhancements over the previous versions, including:

  • Updating to Firefox 31.3 is possible.
  • The softokn database code now checks the "NSS_SDB_USE_CACHE" environment variable. As a result, using libcurl and curl for HTTPS requests no longer results in unnecessary access system calls to non-existent paths, directories, and files. (BZ#1103250, BZ#1103251, BZ#1103252, BZ#1103925, BZ#1158161, BZ#1117959)

This update also fixes the following bugs:

  • NSS changed the permissions of the /etc/pki/nssdb/pkcs11.txt file to the strict default value of 0600, even if the file had other permissions prior to this change. Consequently, users could not add security modules to their configuration under certain circumstances. NSS now only applies the strict default to new files and preserves existing permissions when replacing an existing pkcs11.txt. Users can make the necessary modifications to the NSS security module database. (BZ#1087926)

  • The internal NSS stan_GetCERTCertificate() call did not properly ensure that objects were not removed until the operation was finished. Consequently, stan_GetCERTCertificate() could terminate unexpectedly in the 389 Directory Server (DS) under the replication replay failure condition. The source code has been modified to properly manage object references, and the crashes reported by 389 DS no longer occur. (BZ#1094468)

  • The PKCS#12 decoder did not properly check the destination buffer length when decoding. Running the pk12util tool with the "-l" option to list the contents of certain PKCS#12-encoded files resulted in a segmentation fault. The decoder has been updated to perform the check, and pk12util now lists the encoded files as expected. (BZ#1174527)

  • A build-time check for platforms without NSS initialization support was missing. The NSS security tools terminated unexpectedly with a core dump when running on the 64-bit PowerPC architecture. The build files now check for the "NSS_NO_INIT_SUPPORT" build-time environment variable, and if it is set, the platforms continue to function as expected. (BZ#1154232)

  • The Softoken module did not correctly check the mechanism for user tokens. When both the client and the server worked in FIPS mode, the yum utility could not connect to OpenSSL-based servers, and the server returned the "decryption failed or bad record mac" error message. Softoken has been updated to allow user slots to have the full list of mechanisms just like the main slot, and yum is now able to connect to OpenSSL-based servers. (BZ#1131079)

  • Certain changes to the nss-softokn.spec file were implemented using the dracut utility configuration syntax for Red Hat Enterprise Linux 6 instead of the Red Hat Enterprise Linux 7 syntax. Consequently, the user could not use the curl utility to download an HTTPS URL in the dracut environment. The spec file has been modified to use the correct syntax, and dracut users can now use curl in this situation as expected. (BZ#1169957)
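The pkcs11.txt permission fix above (BZ#1087926) comes down to one rule when a file is rewritten: keep the mode of an existing file and apply the strict 0600 default only to a file being created. The following is an added illustration of that rule in Python, not NSS source code; the function names and sample content are hypothetical.

```python
import os
import stat
import tempfile

STRICT_DEFAULT_MODE = 0o600  # strict default the advisory describes for new files


def replace_preserving_mode(path, data):
    """Atomically replace `path` with `data` (bytes); return the mode applied.

    An existing file keeps its permission bits; a file that did not exist
    before gets STRICT_DEFAULT_MODE.
    """
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)  # keep what the admin set
    except FileNotFoundError:
        mode = STRICT_DEFAULT_MODE                  # new file: strict default

    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the temporary file with mode 0600, so the content is
    # never readable more widely than intended while it is being written.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".replace-")
    try:
        with os.fdopen(fd, "wb") as fh:
            os.fchmod(fh.fileno(), mode)            # exact mode, umask not applied
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)                       # atomic within one directory
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return mode


def demo():
    """Exercise both cases in a scratch directory; content is constructed."""
    with tempfile.TemporaryDirectory() as d:
        existing = os.path.join(d, "pkcs11.txt")
        with open(existing, "wb") as fh:
            fh.write(b"library=\nname=old\n")
        os.chmod(existing, 0o644)                   # permissions set by an admin
        replace_preserving_mode(existing, b"library=\nname=new\n")
        fresh = os.path.join(d, "fresh.txt")
        replace_preserving_mode(fresh, b"library=\n")
        return (stat.S_IMODE(os.stat(existing).st_mode),
                stat.S_IMODE(os.stat(fresh).st_mode))
```

The sketch does not carry over file ownership or SELinux context, which a system-wide file such as /etc/pki/nssdb/pkcs11.txt may also need.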

In addition, this update adds the following enhancements:

  • With this update, the nss-softokn module conforms to the FIPS-140 standard. (BZ#1004102, BZ#1004107)

  • This update adds a mechanism for deriving a new symmetric key by encrypting some data with the original symmetric key. (BZ#1155340)

Users of nss, nss-softokn, nss-util, and nspr are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

| Product | Version | Arch |
|---|---|---|
| Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions | 7.7 | x86_64 |
| Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions | 7.6 | x86_64 |
| Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions | 7.4 | x86_64 |
| Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions | 7.3 | x86_64 |
| Red Hat Enterprise Linux for x86_64 - Extended Update Support | 7.7 | x86_64 |
| Red Hat Enterprise Linux for x86_64 - Extended Update Support | 7.6 | x86_64 |
| Red Hat Enterprise Linux for x86_64 - Extended Update Support | 7.5 | x86_64 |
| Red Hat Enterprise Linux for x86_64 - Extended Update Support | 7.4 | x86_64 |
| Red Hat Enterprise Linux for x86_64 - Extended Update Support | 7.3 | x86_64 |
| Red Hat Enterprise Linux for Scientific Computing | 7 | x86_64 |
| Red Hat Enterprise Linux for Power, big endian | 7 | ppc64 |
| Red Hat Enterprise Linux for Power, big endian - Extended Update Support | 7.7 | ppc64 |
| Red Hat Enterprise Linux for Power, big endian - Extended Update Support | 7.6 | ppc64 |
| Red Hat Enterprise Linux for Power, big endian - Extended Update Support | 7.5 | ppc64 |
| Red Hat Enterprise Linux for Power, big endian - Extended Update Support | 7.4 | ppc64 |
| Red Hat Enterprise Linux for Power, big endian - Extended Update Support | 7.3 | ppc64 |
| Red Hat Enterprise Linux for IBM z Systems | 7 | s390x |
| Red Hat Enterprise Linux for IBM z Systems - Extended Update Support | 7.7 | s390x |
| Red Hat Enterprise Linux for IBM z Systems - Extended Update Support | 7.6 | s390x |
| Red Hat Enterprise Linux for IBM z Systems - Extended Update Support | 7.5 | s390x |
| Red Hat Enterprise Linux for IBM z Systems - Extended Update Support | 7.4 | s390x |
| Red Hat Enterprise Linux for IBM z Systems - Extended Update Support | 7.3 | s390x |
| Red Hat Enterprise Linux Workstation | 7 | x86_64 |
| Red Hat Enterprise Linux Server | 7 | x86_64 |
| Red Hat Enterprise Linux Server from RHUI | 7 | x86_64 |
| Red Hat Enterprise Linux Server - TUS | 7.7 | x86_64 |
| Red Hat Enterprise Linux Server - TUS | 7.6 | x86_64 |
| Red Hat Enterprise Linux Server - TUS | 7.3 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 7 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian | 7 | ppc64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) | 7 | s390x |
| Red Hat Enterprise Linux Server - AUS | 7.7 | x86_64 |
| Red Hat Enterprise Linux Server - AUS | 7.6 | x86_64 |
| Red Hat Enterprise Linux Server - AUS | 7.4 | x86_64 |
| Red Hat Enterprise Linux Server - AUS | 7.3 | x86_64 |
| Red Hat Enterprise Linux EUS Compute Node | 7.7 | x86_64 |
| Red Hat Enterprise Linux EUS Compute Node | 7.6 | x86_64 |
| Red Hat Enterprise Linux EUS Compute Node | 7.5 | x86_64 |
| Red Hat Enterprise Linux EUS Compute Node | 7.4 | x86_64 |
| Red Hat Enterprise Linux EUS Compute Node | 7.3 | x86_64 |
| Red Hat Enterprise Linux Desktop | 7 | x86_64 |

Updated Packages

  • nss-softokn-3.16.2.3-9.el7.i686.rpm
  • nss-tools-3.16.2.3-5.el7.x86_64.rpm
  • nss-3.16.2.3-5.el7.ppc64.rpm
  • nspr-4.10.6-3.el7.x86_64.rpm
  • nspr-debuginfo-4.10.6-3.el7.ppc.rpm
  • nspr-4.10.6-3.el7.ppc64.rpm
  • nss-softokn-devel-3.16.2.3-9.el7.ppc.rpm
  • nspr-4.10.6-3.el7.ppc.rpm
  • nss-util-debuginfo-3.16.2.3-2.el7.x86_64.rpm
  • nss-debuginfo-3.16.2.3-5.el7.x86_64.rpm
  • nss-softokn-freebl-devel-3.16.2.3-9.el7.i686.rpm
  • nss-softokn-debuginfo-3.16.2.3-9.el7.i686.rpm
  • nspr-4.10.6-3.el7.i686.rpm
  • nss-debuginfo-3.16.2.3-5.el7.ppc.rpm
  • nss-util-3.16.2.3-2.el7.i686.rpm
  • nss-softokn-debuginfo-3.16.2.3-9.el7.s390.rpm
  • nss-debuginfo-3.16.2.3-5.el7.s390x.rpm
  • nss-debuginfo-3.16.2.3-5.el7.s390.rpm
  • nss-tools-3.16.2.3-5.el7.s390x.rpm
  • nss-sysinit-3.16.2.3-5.el7.s390x.rpm
  • nss-util-3.16.2.3-2.el7.s390.rpm
  • nspr-4.10.6-3.el7.s390.rpm
  • nss-util-devel-3.16.2.3-2.el7.s390x.rpm
  • nss-3.16.2.3-5.el7.src.rpm
  • nss-util-devel-3.16.2.3-2.el7.i686.rpm
  • nspr-devel-4.10.6-3.el7.x86_64.rpm
  • nss-util-3.16.2.3-2.el7.s390x.rpm
  • nss-softokn-debuginfo-3.16.2.3-9.el7.ppc.rpm
  • nss-softokn-3.16.2.3-9.el7.s390.rpm
  • nss-softokn-devel-3.16.2.3-9.el7.s390.rpm
  • nss-devel-3.16.2.3-5.el7.s390.rpm
  • nss-softokn-freebl-3.16.2.3-9.el7.s390.rpm
  • nss-pkcs11-devel-3.16.2.3-5.el7.x86_64.rpm
  • nss-debuginfo-3.16.2.3-5.el7.i686.rpm
  • nss-util-devel-3.16.2.3-2.el7.x86_64.rpm
  • nss-util-debuginfo-3.16.2.3-2.el7.s390.rpm
  • nspr-4.10.6-3.el7.src.rpm
  • nss-softokn-devel-3.16.2.3-9.el7.ppc64.rpm
  • nss-util-devel-3.16.2.3-2.el7.ppc.rpm
  • nss-util-3.16.2.3-2.el7.src.rpm
  • nspr-debuginfo-4.10.6-3.el7.ppc64.rpm
  • nss-sysinit-3.16.2.3-5.el7.ppc64.rpm
  • nspr-debuginfo-4.10.6-3.el7.s390x.rpm
  • nss-softokn-devel-3.16.2.3-9.el7.x86_64.rpm
  • nss-softokn-devel-3.16.2.3-9.el7.i686.rpm
  • nss-debuginfo-3.16.2.3-5.el7.ppc64.rpm
  • nss-softokn-freebl-3.16.2.3-9.el7.i686.rpm
  • nss-pkcs11-devel-3.16.2.3-5.el7.s390.rpm
  • nspr-4.10.6-3.el7.s390x.rpm
  • nss-softokn-freebl-devel-3.16.2.3-9.el7.s390.rpm
  • nss-tools-3.16.2.3-5.el7.ppc64.rpm
  • nss-softokn-debuginfo-3.16.2.3-9.el7.s390x.rpm
  • nss-softokn-3.16.2.3-9.el7.ppc64.rpm
  • nss-softokn-freebl-devel-3.16.2.3-9.el7.x86_64.rpm
  • nss-pkcs11-devel-3.16.2.3-5.el7.i686.rpm
  • nss-devel-3.16.2.3-5.el7.ppc64.rpm
  • nspr-debuginfo-4.10.6-3.el7.x86_64.rpm
  • nss-util-debuginfo-3.16.2.3-2.el7.s390x.rpm
  • nspr-debuginfo-4.10.6-3.el7.i686.rpm
  • nspr-devel-4.10.6-3.el7.i686.rpm
  • nss-util-3.16.2.3-2.el7.ppc.rpm
  • nss-softokn-freebl-devel-3.16.2.3-9.el7.ppc64.rpm
  • nss-softokn-freebl-devel-3.16.2.3-9.el7.ppc.rpm
  • nss-util-3.16.2.3-2.el7.ppc64.rpm
  • nss-softokn-freebl-devel-3.16.2.3-9.el7.s390x.rpm
  • nss-util-devel-3.16.2.3-2.el7.s390.rpm
  • nss-devel-3.16.2.3-5.el7.x86_64.rpm
  • nss-devel-3.16.2.3-5.el7.s390x.rpm
  • nss-util-debuginfo-3.16.2.3-2.el7.ppc64.rpm
  • nss-3.16.2.3-5.el7.s390x.rpm
  • nss-3.16.2.3-5.el7.i686.rpm
  • nss-softokn-freebl-3.16.2.3-9.el7.s390x.rpm
  • nss-devel-3.16.2.3-5.el7.i686.rpm
  • nspr-debuginfo-4.10.6-3.el7.s390.rpm
  • nss-softokn-freebl-3.16.2.3-9.el7.ppc64.rpm
  • nss-softokn-3.16.2.3-9.el7.src.rpm
  • nss-softokn-debuginfo-3.16.2.3-9.el7.ppc64.rpm
  • nspr-devel-4.10.6-3.el7.s390.rpm
  • nss-util-debuginfo-3.16.2.3-2.el7.ppc.rpm
  • nss-pkcs11-devel-3.16.2.3-5.el7.s390x.rpm
  • nss-3.16.2.3-5.el7.s390.rpm
  • nss-3.16.2.3-5.el7.x86_64.rpm
  • nspr-devel-4.10.6-3.el7.s390x.rpm
  • nss-softokn-3.16.2.3-9.el7.x86_64.rpm
  • nss-devel-3.16.2.3-5.el7.ppc.rpm
  • nss-util-devel-3.16.2.3-2.el7.ppc64.rpm
  • nspr-devel-4.10.6-3.el7.ppc64.rpm
  • nspr-devel-4.10.6-3.el7.ppc.rpm
  • nss-softokn-devel-3.16.2.3-9.el7.s390x.rpm
  • nss-softokn-freebl-3.16.2.3-9.el7.ppc.rpm
  • nss-util-debuginfo-3.16.2.3-2.el7.i686.rpm
  • nss-softokn-3.16.2.3-9.el7.s390x.rpm
  • nss-sysinit-3.16.2.3-5.el7.x86_64.rpm
  • nss-pkcs11-devel-3.16.2.3-5.el7.ppc64.rpm
  • nss-softokn-debuginfo-3.16.2.3-9.el7.x86_64.rpm
  • nss-pkcs11-devel-3.16.2.3-5.el7.ppc.rpm
  • nss-softokn-3.16.2.3-9.el7.ppc.rpm
  • nss-util-3.16.2.3-2.el7.x86_64.rpm
  • nss-softokn-freebl-3.16.2.3-9.el7.x86_64.rpm
  • nss-3.16.2.3-5.el7.ppc.rpm
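To confirm that a host has the builds listed above, the installed versions can be compared against the advisory's version-release strings. This is an added example, not a Red Hat tool: the function names, the simplified version comparison and the sample `rpm` output are assumptions made for illustration, and only a subset of the listed package names is included.

```python
import re

# Fixed builds copied from the "Updated Packages" list of this advisory.
FIXED = {
    "nss": "3.16.2.3-5.el7", "nss-tools": "3.16.2.3-5.el7",
    "nss-sysinit": "3.16.2.3-5.el7",
    "nss-softokn": "3.16.2.3-9.el7", "nss-softokn-freebl": "3.16.2.3-9.el7",
    "nss-util": "3.16.2.3-2.el7",
    "nspr": "4.10.6-3.el7",
}


def vercmp(a, b):
    """Order two version or release strings by rpm's segment rules.

    Simplification (assumption): no epoch, '~' or '^' handling, which the
    builds in this advisory do not use.
    """
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1     # numeric beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # more segments is newer


def outdated(rpm_output):
    """Map package name -> installed VERSION-RELEASE for builds older than FIXED."""
    stale = {}
    for line in rpm_output.splitlines():
        fields = line.split()
        if len(fields) != 2 or fields[0] not in FIXED or "-" not in fields[1]:
            continue
        name, installed = fields
        (iv, ir), (fv, fr) = installed.rsplit("-", 1), FIXED[name].rsplit("-", 1)
        if (vercmp(iv, fv) or vercmp(ir, fr)) < 0:
            stale[name] = installed
    return stale


# Constructed sample in the shape of:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE = """\
nss 3.16.2.3-5.el7
nss-softokn 3.16.2-1.el7
nss-util 3.16.2.3-2.el7_1
nspr 4.10.2-4.el7
bash 4.2.46-12.el7
"""
```

An empty result from `outdated()` means every listed package that is installed is at or above the build in this advisory.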

Fixes

CVEs

References

(none)

