1012656 – pick up NSS 3.15.2 to (a) fix CVE-2013-1739 (moderate) and (b) to disable MD5 in OCSP/CRL

Bug 1012656 - pick up NSS 3.15.2 to (a) fix CVE-2013-1739 (moderate) and (b) to disable MD5 in OCSP/CRL

Summary: pick up NSS 3.15.2 to (a) fix CVE-2013-1739 (moderate) and (b) to disable MD5...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	nss
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Elio Maldonado Batiz
QA Contact:	Hubert Kario
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1012655 (view as bug list)
Depends On:	1012678 1012679
Blocks:
TreeView+	depends on / blocked

Reported:	2013-09-26 19:59 UTC by Kai Engert (:kaie) (inactive account)
Modified:	2015-04-17 13:57 UTC (History)
CC List:	8 users (show)
Fixed In Version:	nss-3.15.2-1.el7
Doc Type:	Rebase: Bug Fixes and Enhancements
Doc Text:	Rebase package(s) to version: nss-3.15.2 Highlights, important fixes, or notable enhancements: A security-relevant bug has been resolved in NSS 3.15.2. (CVE-2013-1739) Avoid uninitialized data read in the event of a decryption failure. Upstream URL: https://bugzilla.mozilla.org/show_bug.cgi?id=894370 MD2, MD4, and MD5 signatures are no longer accepted for OCSP or CRLs, consistent with their handling for general certificate signatures. AES-GCM Ciphersuites: AES-GCM cipher suite (RFC 5288 and RFC 5289) support has been added when TLS 1.2 is negotiated. Specifically, the following cipher suites are now supported: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256
Clone Of:
Environment:
Last Closed:	2015-04-17 13:57:23 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1012655	0	unspecified	CLOSED	(this bug is unnecessary if rebase bug 1012656 gets approved) - RHEL 7 initial release should reject MD5 based signature...	2021-02-22 00:41:40 UTC

Internal Links: 1012655

Description Kai Engert (:kaie) (inactive account) 2013-09-26 19:59:13 UTC

This proposes to pick up the NSS fix CVE-2013-1739 released by upstream in NSS 3.15.2 from https://bugzilla.mozilla.org/show_bug.cgi?id=894370

The bug is not yet publicly visible.

The patch is small and changes the SSL library contained in the NSS main package (not softokn, not util).

Two options:
- either pick up NSS 3.15.2 for RHEL 7 initial release
- or add the patch from https://bugzilla.mozilla.org/show_bug.cgi?id=894370

Comment 2 Kai Engert (:kaie) (inactive account) 2013-09-26 20:49:59 UTC

After discussing on IRC:
We'd prefer to rebase RHEL 7 to NSS 3.15.2

This will require also to update the nss-util and nss-softokn packages, which should be trivial?

Comment 9 Kai Engert (:kaie) (inactive account) 2013-10-21 16:28:09 UTC

*** Bug 1012655 has been marked as a duplicate of this bug. ***

Comment 13 Douglas Silas 2013-11-11 18:56:03 UTC

If this feature or issue should be documented in the Release or Technical Notes for RHEL 7.0 Beta, please select the correct Doc Type from the drop-down menu and enter a description in Doc Text.

For info about the differences between known issues, driver updates, deprecated functionality, release notes and Technology Previews, see:

https://engineering.redhat.com/docs/en-US/Policy/70.ecs/html-single/Describing_Errata_Release_and_Technical_Notes_for_Engineers/index.html#bh-known_issue

If you have questions, please email rhel-notes.

Note You need to log in before you can comment on or make changes to this bug.