Bug 1012656

Summary: pick up NSS 3.15.2 to (a) fix CVE-2013-1739 (moderate) and (b) to disable MD5 in OCSP/CRL
Product: Red Hat Enterprise Linux 7 Reporter: Kai Engert (:kaie) (inactive account) <kengert>
Component: nss    Assignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED CURRENTRELEASE QA Contact: Hubert Kario <hkario>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.0    CC: emaldona, eparis, hkario, huzaifas, ksrot, lmiksik, rrelyea, sforsber
Target Milestone: rc    Keywords: Rebase
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: nss-3.15.2-1.el7 Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
Rebase package(s) to version: nss-3.15.2

Highlights, important fixes, or notable enhancements:

A security-relevant bug has been resolved in NSS 3.15.2 (CVE-2013-1739): avoid an uninitialized data read in the event of a decryption failure. Upstream URL: https://bugzilla.mozilla.org/show_bug.cgi?id=894370

MD2, MD4, and MD5 signatures are no longer accepted for OCSP or CRLs, consistent with their handling for general certificate signatures.

AES-GCM cipher suites: AES-GCM cipher suite (RFC 5288 and RFC 5289) support has been added when TLS 1.2 is negotiated. Specifically, the following cipher suites are now supported:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-04-17 13:57:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1012678, 1012679    
Bug Blocks:    
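
As an added illustration of the OCSP/CRL digest change described in the Doc Text above (this is example code, not code from this bug report or from NSS): a small Python checker that walks the DER of a CRL, reads the outer signatureAlgorithm OID and flags the MD2/MD4/MD5 PKCS#1 OIDs that NSS 3.15.2 stops accepting. The sample CRLs it builds are constructed skeletons for demonstration, not real CRLs; the OID constants are the standard PKCS#1 values.

```python
# Added example: flag CRLs whose signatureAlgorithm is MD2/MD4/MD5, the
# digests NSS 3.15.2 stopped accepting for OCSP responses and CRLs.
REJECTED_SIGNATURE_OIDS = {          # md2/md4/md5WithRSAEncryption (PKCS#1)
    "1.2.840.113549.1.1.2", "1.2.840.113549.1.1.3", "1.2.840.113549.1.1.4"}

def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """DER OID content bytes -> dotted-decimal string (base-128 arcs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def crl_signature_oid(der):
    """Dotted OID from a DER CertificateList's outer signatureAlgorithm field."""
    tag, body, _ = _read_tlv(der, 0)          # CertificateList ::= SEQUENCE
    _, _, pos = _read_tlv(body, 0)            # skip tbsCertList
    alg_tag, alg, _ = _read_tlv(body, pos)    # AlgorithmIdentifier ::= SEQUENCE
    oid_tag, oid_bytes, _ = _read_tlv(alg, 0)
    if tag != 0x30 or alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER CertificateList with an AlgorithmIdentifier")
    return _decode_oid(oid_bytes)

def crl_uses_rejected_digest(der):
    """True if NSS 3.15.2+ would refuse this CRL's signature algorithm."""
    return crl_signature_oid(der) in REJECTED_SIGNATURE_OIDS

def _tlv(tag, content):
    """Short-form DER TLV, used only to build the constructed samples below."""
    return bytes([tag, len(content)]) + content

def sample_crl(alg_oid_bytes):
    """Constructed skeletal CertificateList (not a real CRL): tbs, alg id, dummy sig."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                  # tbsCertList: version only
    alg = _tlv(0x30, _tlv(0x06, alg_oid_bytes) + _tlv(0x05, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00\xaa\xaa"))  # placeholder BIT STRING

MD5_RSA_OID = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
```

Run `crl_uses_rejected_digest(open("some.crl", "rb").read())` on a DER CRL to see whether a rebased NSS would refuse it; PEM input must be base64-decoded first.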

Description Kai Engert (:kaie) (inactive account) 2013-09-26 19:59:13 UTC
This proposes to pick up the NSS fix for CVE-2013-1739, released by upstream in NSS 3.15.2, from https://bugzilla.mozilla.org/show_bug.cgi?id=894370

The bug is not yet publicly visible.

The patch is small and changes the SSL library contained in the NSS main package (not softokn, not util).

Two options:
- either pick up NSS 3.15.2 for RHEL 7 initial release
- or add the patch from https://bugzilla.mozilla.org/show_bug.cgi?id=894370

Comment 2 Kai Engert (:kaie) (inactive account) 2013-09-26 20:49:59 UTC
After discussing on IRC:
We'd prefer to rebase RHEL 7 to NSS 3.15.2

This will also require updating the nss-util and nss-softokn packages, which should be trivial?

Comment 9 Kai Engert (:kaie) (inactive account) 2013-10-21 16:28:09 UTC
*** Bug 1012655 has been marked as a duplicate of this bug. ***

Comment 13 Douglas Silas 2013-11-11 18:56:03 UTC
If this feature or issue should be documented in the Release or Technical Notes for RHEL 7.0 Beta, please select the correct Doc Type from the drop-down menu and enter a description in Doc Text.

For info about the differences between known issues, driver updates, deprecated functionality, release notes and Technology Previews, see:

https://engineering.redhat.com/docs/en-US/Policy/70.ecs/html-single/Describing_Errata_Release_and_Technical_Notes_for_Engineers/index.html#bh-known_issue

If you have questions, please email rhel-notes.