Bug 1012656 - pick up NSS 3.15.2 to (a) fix CVE-2013-1739 (moderate) and (b) to disable MD5 in OCSP/CRL
Summary: pick up NSS 3.15.2 to (a) fix CVE-2013-1739 (moderate) and (b) to disable MD5...
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Elio Maldonado Batiz
QA Contact: Hubert Kario
: 1012655 (view as bug list)
Depends On: 1012678 1012679
TreeView+ depends on / blocked
Reported: 2013-09-26 19:59 UTC by Kai Engert (:kaie) (inactive account)
Modified: 2015-04-17 13:57 UTC (History)
8 users (show)

Fixed In Version: nss-3.15.2-1.el7
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
Rebase package(s) to version: nss-3.15.2 Highlights, important fixes, or notable enhancements: A security-relevant bug has been resolved in NSS 3.15.2. (CVE-2013-1739) Avoid uninitialized data read in the event of a decryption failure. Upstream URL: https://bugzilla.mozilla.org/show_bug.cgi?id=894370 MD2, MD4, and MD5 signatures are no longer accepted for OCSP or CRLs, consistent with their handling for general certificate signatures. AES-GCM Ciphersuites: AES-GCM cipher suite (RFC 5288 and RFC 5289) support has been added when TLS 1.2 is negotiated. Specifically, the following cipher suites are now supported: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256
Clone Of:
Last Closed: 2015-04-17 13:57:23 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1012655 0 unspecified CLOSED (this bug is unnecessary if rebase bug 1012656 gets approved) - RHEL 7 initial release should reject MD5 based signature... 2021-02-22 00:41:40 UTC

Internal Links: 1012655

Description Kai Engert (:kaie) (inactive account) 2013-09-26 19:59:13 UTC
This proposes to pick up the NSS fix CVE-2013-1739 released by upstream in NSS 3.15.2 from https://bugzilla.mozilla.org/show_bug.cgi?id=894370

The bug is not yet publicly visible.

The patch is small and changes the SSL library contained in the NSS main package (not softokn, not util).

Two options:
- either pick up NSS 3.15.2 for RHEL 7 initial release
- or add the patch from https://bugzilla.mozilla.org/show_bug.cgi?id=894370

Comment 2 Kai Engert (:kaie) (inactive account) 2013-09-26 20:49:59 UTC
After discussing on IRC:
We'd prefer to rebase RHEL 7 to NSS 3.15.2

This will require also to update the nss-util and nss-softokn packages, which should be trivial?

Comment 9 Kai Engert (:kaie) (inactive account) 2013-10-21 16:28:09 UTC
*** Bug 1012655 has been marked as a duplicate of this bug. ***

Comment 13 Douglas Silas 2013-11-11 18:56:03 UTC
If this feature or issue should be documented in the Release or Technical Notes for RHEL 7.0 Beta, please select the correct Doc Type from the drop-down menu and enter a description in Doc Text.

For info about the differences between known issues, driver updates, deprecated functionality, release notes and Technology Previews, see:


If you have questions, please email rhel-notes@redhat.com.

Note You need to log in before you can comment on or make changes to this bug.