Bug 1012655

Summary: (this bug is unnecessary if rebase bug 1012656 gets approved) - RHEL 7 initial release should reject MD5 based signatures in OCSP responses
Product: Red Hat Enterprise Linux 7
Reporter: Kai Engert (:kaie) (inactive account) <kengert>
Component: nss
Assignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.0
CC: emaldona, eparis, hkario, huzaifas, ksrot, rrelyea, sforsber
Target Milestone: rc
Keywords: Rebase
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-10-21 16:27:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Kai Engert (:kaie) (inactive account) 2013-09-26 19:59:10 UTC
Upstream NSS 3.15.2 includes a fix that will reject MD5 signatures in OCSP responses.

We should include that fix in the initial release of RHEL7, to avoid customers potentially complaining later about a change of behaviour.

Two options:
- either pick up NSS 3.15.2 for RHEL 7 initial release
- or add the patch from https://bugzilla.mozilla.org/show_bug.cgi?id=663313

The fix is inside the main NSS package (not softokn, not util).

Comment 2 Kai Engert (:kaie) (inactive account) 2013-09-26 20:51:31 UTC
We would rather try to rebase RHEL 7 to NSS 3.15.2.

Should rebase bug 1012656 get approved, this bug is unnecessary.

Comment 3 Elio Maldonado Batiz 2013-10-21 16:20:36 UTC
Kai is right. We could make that other one a blocker of this one or close this one. In any event, it's been in my plans to work on the rebase this week.

Comment 4 Kai Engert (:kaie) (inactive account) 2013-10-21 16:27:38 UTC
(In reply to Elio Maldonado Batiz from comment #3)
> Kai is right. We could make that other one a blocker of this one or close
> this one. In any event, it's been in my plans to work on the rebase this
> week.

If you work on bug 1012656 (and its two blocker bugs for nss-util and nss-softokn), then I'd set this bug to status "closed / duplicate of 1012656".

Comment 5 Kai Engert (:kaie) (inactive account) 2013-10-21 16:28:09 UTC

*** This bug has been marked as a duplicate of bug 1012656 ***

Comment 6 Douglas Silas 2013-11-11 18:55:12 UTC
If this feature or issue should be documented in the Release or Technical Notes for RHEL 7.0 Beta, please select the correct Doc Type from the drop-down menu and enter a description in Doc Text.

For info about the differences between known issues, driver updates, deprecated functionality, release notes and Technology Previews, see:

https://engineering.redhat.com/docs/en-US/Policy/70.ecs/html-single/Describing_Errata_Release_and_Technical_Notes_for_Engineers/index.html#bh-known_issue

If you have questions, please email rhel-notes.

Comment 7 Elio Maldonado Batiz 2013-11-11 19:05:29 UTC
Needed documentation will be supplied in the doc text for Bug 1012656.