Bug 1012655 - (this bug is unnecessary if rebase bug 1012656 gets approved) - RHEL 7 initial release should reject MD5 based signatures in OCSP responses
Keywords:
Status: CLOSED DUPLICATE of bug 1012656
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Elio Maldonado Batiz
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-09-26 19:59 UTC by Kai Engert (:kaie) (inactive account)
Modified: 2013-11-13 10:03 UTC (History)

Fixed In Version:
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-21 16:27:38 UTC
Target Upstream Version:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1012656 | 0 | medium | CLOSED | pick up NSS 3.15.2 to (a) fix CVE-2013-1739 (moderate) and (b) to disable MD5 in OCSP/CRL | 2021-02-22 00:41:40 UTC

Internal Links: 1012656

Description Kai Engert (:kaie) (inactive account) 2013-09-26 19:59:10 UTC
Upstream NSS 3.15.2 includes a fix that will reject MD5 signatures in OCSP responses.

We should include that fix in the initial release of RHEL7, to avoid that customers might potentially later complain about a change of behaviour.

Two options:
- either pick up NSS 3.15.2 for RHEL 7 initial release
- or add the patch from https://bugzilla.mozilla.org/show_bug.cgi?id=663313

The fix is inside the main NSS package (not softokn, not util)

Comment 2 Kai Engert (:kaie) (inactive account) 2013-09-26 20:51:31 UTC
We would rather try to rebase RHEL 7 to NSS 3.15.2.

Should rebase bug 1012656 get approved, this bug is unnecessary.

Comment 3 Elio Maldonado Batiz 2013-10-21 16:20:36 UTC
Kai is right. We could make that other one a blocker of this one or close this one. In any event, it's been in my plans to work on the rebase this week.

Comment 4 Kai Engert (:kaie) (inactive account) 2013-10-21 16:27:38 UTC
(In reply to Elio Maldonado Batiz from comment #3)
> Kai is right. We could make that other one a blocker of this one or close
> this one. In any event, it's been in my plans to work on the rebase this
> week.

If you work on bug 1012656 (and its two blocker bugs for nss-util and nss-softokn), then I'd set this bug to status "closed / duplicate of 1012656".

Comment 5 Kai Engert (:kaie) (inactive account) 2013-10-21 16:28:09 UTC

*** This bug has been marked as a duplicate of bug 1012656 ***

Comment 6 Douglas Silas 2013-11-11 18:55:12 UTC
If this feature or issue should be documented in the Release or Technical Notes for RHEL 7.0 Beta, please select the correct Doc Type from the drop-down menu and enter a description in Doc Text.

For info about the differences between known issues, driver updates, deprecated functionality, release notes and Technology Previews, see:

https://engineering.redhat.com/docs/en-US/Policy/70.ecs/html-single/Describing_Errata_Release_and_Technical_Notes_for_Engineers/index.html#bh-known_issue

If you have questions, please email rhel-notes.

Comment 7 Elio Maldonado Batiz 2013-11-11 19:05:29 UTC
Needed documentation will be supplied in the doc text for Bug 1012656.

