Bug 1012656 - pick up NSS 3.15.2 to (a) fix CVE-2013-1739 (moderate) and (b) to disable MD5 in OCSP/CRL
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Elio Maldonado Batiz
QA Contact: Hubert Kario
Keywords: Rebase
Duplicates: 1012655
Depends On: 1012678 1012679
Blocks:
Reported: 2013-09-26 15:59 EDT by Kai Engert (:kaie)
Modified: 2015-04-17 09:57 EDT (History)
CC List: 8 users

See Also:
Fixed In Version: nss-3.15.2-1.el7
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
Rebase package(s) to version: nss-3.15.2

Highlights, important fixes, or notable enhancements:

- A security-relevant bug has been resolved in NSS 3.15.2 (CVE-2013-1739): avoid an uninitialized data read in the event of a decryption failure. Upstream URL: https://bugzilla.mozilla.org/show_bug.cgi?id=894370
- MD2, MD4, and MD5 signatures are no longer accepted for OCSP or CRLs, consistent with their handling for general certificate signatures.
- AES-GCM cipher suites: AES-GCM cipher suite (RFC 5288 and RFC 5289) support has been added when TLS 1.2 is negotiated. Specifically, the following cipher suites are now supported:
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_RSA_WITH_AES_128_GCM_SHA256
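The Doc Text states that NSS 3.15.2 stops accepting MD2, MD4 and MD5 signatures on CRLs (and OCSP responses). As an added example, not code from this bug or from NSS, the following stand-alone Python reads the outer signatureAlgorithm of a DER-encoded CertificateList and applies that rule; it assumes the RSA-based weak-digest OIDs (md2/md4/md5WithRSAEncryption), and the two sample CRLs are constructed, schematic blobs rather than real CRLs.

```python
# Added example, not code from the bug or from NSS: a minimal DER walk that reads the
# outer signatureAlgorithm of an X.509 CRL (CertificateList) and applies the NSS 3.15.2
# rule that MD2/MD4/MD5 signatures are rejected. Sample CRLs below are constructed.
WEAK_SIG_OIDS = {                       # RSA signature OIDs built on weak digests
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}

def _tlv(data, pos):                    # one DER TLV at pos -> (tag, value, next_pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(raw):                   # OBJECT IDENTIFIER content bytes -> dotted form
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                # last byte of a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def crl_signature_oid(crl_der):
    """Dotted OID of CertificateList.signatureAlgorithm (the field the policy checks)."""
    tag, body, _ = _tlv(crl_der, 0)
    if tag != 0x30:
        raise ValueError("CertificateList must be a SEQUENCE")
    _, _, pos = _tlv(body, 0)           # skip tbsCertList
    _, alg_id, _ = _tlv(body, pos)      # AlgorithmIdentifier SEQUENCE
    tag, oid_raw, _ = _tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(oid_raw)

def crl_signature_allowed(crl_der):     # NSS 3.15.2 policy: refuse MD2/MD4/MD5 on CRLs
    return crl_signature_oid(crl_der) not in WEAK_SIG_OIDS

def _der(tag, content):                 # short-form DER TLV, enough for the samples
    return bytes([tag, len(content)]) + content

def _sample_crl(oid_raw):               # constructed CertificateList with a dummy tbsCertList
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, oid_raw) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\xab\xab\xab\xab"))

MD5_CRL = _sample_crl(bytes.fromhex("2a864886f70d010104"))     # md5WithRSAEncryption
SHA256_CRL = _sample_crl(bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
```

The same AlgorithmIdentifier check applies to an OCSP BasicOCSPResponse, whose signatureAlgorithm sits after tbsResponseData rather than tbsCertList.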
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-04-17 09:57:23 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Kai Engert (:kaie) 2013-09-26 15:59:13 EDT
This proposes to pick up the NSS fix for CVE-2013-1739 released by upstream in NSS 3.15.2 from https://bugzilla.mozilla.org/show_bug.cgi?id=894370

The bug is not yet publicly visible.

The patch is small and changes the SSL library contained in the NSS main package (not softokn, not util).

Two options:
- either pick up NSS 3.15.2 for RHEL 7 initial release
- or add the patch from https://bugzilla.mozilla.org/show_bug.cgi?id=894370
Comment 2 Kai Engert (:kaie) 2013-09-26 16:49:59 EDT
After discussing on IRC:
We'd prefer to rebase RHEL 7 to NSS 3.15.2

This will also require updating the nss-util and nss-softokn packages, which should be trivial?
Comment 9 Kai Engert (:kaie) 2013-10-21 12:28:09 EDT
*** Bug 1012655 has been marked as a duplicate of this bug. ***
Comment 13 Douglas Silas 2013-11-11 13:56:03 EST
If this feature or issue should be documented in the Release or Technical Notes for RHEL 7.0 Beta, please select the correct Doc Type from the drop-down menu and enter a description in Doc Text.

For info about the differences between known issues, driver updates, deprecated functionality, release notes and Technology Previews, see:

https://engineering.redhat.com/docs/en-US/Policy/70.ecs/html-single/Describing_Errata_Release_and_Technical_Notes_for_Engineers/index.html#bh-known_issue

If you have questions, please email rhel-notes@redhat.com.
