Security update for mozilla-nss SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20030-1 Final 1 1 2025-02-03T08:51:41Z current 2025-02-03T08:51:41Z 2025-02-03T08:51:41Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for mozilla-nss This update for mozilla-nss fixes the following issues: - update to NSS 3.101.2 - ChaChaXor to return after the function - update to NSS 3.101.1 - missing sqlite header. - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. - update to NSS 3.101 - add diagnostic assertions for SFTKObject refcount. - freeing the slot in DeleteCertAndKey if authentication failed - fix formatting issues. - Add Firmaprofesional CA Root-A Web to NSS. - remove invalid acvp fuzz test vectors. - pad short P-384 and P-521 signatures gtests. - remove unused FreeBL ECC code. - pad short P-384 and P-521 signatures. - be less strict about ECDSA private key length. - Integrate HACL* P-521. - Integrate HACL* P-384. - memory leak in create_objects_from_handles. - ensure all input is consumed in a few places in mozilla::pkix - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy - clean up escape handling - Use lib::pkix as default validator instead of the old-one - Need to add high level support for PQ signing. - Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy - Allow for non-full length ecdsa signature when using softoken - Modification of .taskcluster.yml due to mozlint indent defects - Implement support for PBMAC1 in PKCS#12 - disable VLA warnings for fuzz builds. - remove redundant AllocItem implementation. - add PK11_ReadDistrustAfterAttribute. - Clang-formatting of SEC_GetMgfTypeByOidTag update - Set SEC_ERROR_LIBRARY_FAILURE on self-test failure - sftk_getParameters(): Fix fallback to default variable after error with configfile. - Switch to the mozillareleases/image_builder image - update to NSS 3.100 - merge pk11_kyberSlotList into pk11_ecSlotList for faster Xyber operations. - remove ckcapi. - avoid a potential PK11GenericObject memory leak. - Remove incomplete ESDH code. - Decrypt RSA OAEP encrypted messages. - Fix certutil CRLDP URI code. - Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys. - Add ability to encrypt and decrypt CMS messages using ECDH. - Correct Templates for key agreement in smime/cmsasn.c. - Moving the decodedCert allocation to NSS. - Allow developers to speed up repeated local execution of NSS tests that depend on certificates. - update to NSS 3.99 - Removing check for message len in ed25519 - add ed25519 to SECU_ecName2params. - add EdDSA wycheproof tests. - nss/lib layer code for EDDSA. - Adding EdDSA implementation. - Exporting Certificate Compression types - Updating ACVP docker to rust 1.74 - Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 - Add NSS_CMSRecipient_IsSupported. - update to NSS 3.98 - CVE-2023-5388: Timing attack against RSA decryption in TLS - Certificate Compression: enabling the check that the compression was advertised - Move Windows workers to nss-1/b-win2022-alpha - Remove Email trust bit from OISTE WISeKey Global Root GC CA - Replace `distutils.spawn.find_executable` with `shutil.which` within `mach` in `nss` - Certificate Compression: Updating nss_bogo_shim to support Certificate compression - TLS Certificate Compression (RFC 8879) Implementation - Add valgrind annotations to freebl kyber operations for constant-time execution tests - Set nssckbi version number to 2.66 - Add Telekom Security roots - Add D-Trust 2022 S/MIME roots - Remove expired Security Communication RootCA1 root - move keys to a slot that supports concatenation in PK11_ConcatSymKeys - remove unmaintained tls-interop tests - bogo: add support for the -ipv6 and -shim-id shim flags - bogo: add support for the -curves shim flag and update Kyber expectations - bogo: adjust expectation for a key usage bit test - mozpkix: add option to ignore invalid subject alternative names - Fix selfserv not stripping `publicname:` from -X value - take ownership of ecckilla shims - add valgrind annotations to freebl/ec.c - PR_INADDR_ANY needs PR_htonl before assignment to inet.ip - Update zlib to 1.3.1 - update to NSS 3.97 - make Xyber768d00 opt-in by policy - add libssl support for xyber768d00 - add PK11_ConcatSymKeys - add Kyber and a PKCS#11 KEM interface to softoken - add a FreeBL API for Kyber - part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff - part 1: add a script for vendoring kyber from pq-crystals repo - Removing the calls to RSA Blind from loader.* - fix worker type for level3 mac tasks - RSA Blind implementation - Remove DSA selftests - read KWP testvectors from JSON - Backed out changeset dcb174139e4f - Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation - Wrap CC shell commands in gyp expansions - update to NSS 3.96.1 - Use pypi dependencies for MacOS worker in ./build_gyp.sh - p7sign: add -a hash and -u certusage (also p7verify cleanups) - add a defensive check for large ssl_DefSend return values - Add dependency to the taskcluster script for Darwin - Upgrade version of the MacOS worker for the CI - update to NSS 3.95 - Bump builtins version number. - Remove Email trust bit from Autoridad de Certificacion Firmaprofesional CIF A62634068 root cert. - Remove 4 DigiCert (Symantec/Verisign) Root Certificates - Remove 3 TrustCor Root Certificates from NSS. - Remove Camerfirma root certificates from NSS. - Remove old Autoridad de Certificacion Firmaprofesional Certificate. - Add four Commscope root certificates to NSS. - Add TrustAsia Global Root CA G3 and G4 root certificates. - Include P-384 and P-521 Scalar Validation from HACL* - Include P-256 Scalar Validation from HACL*. - After the HACL 256 ECC patch, NSS incorrectly encodes 256 ECC without DER wrapping at the softoken level - Add means to provide library parameters to C_Initialize - clang format - add OSXSAVE and XCR0 tests to AVX2 detection. - Typo in ssl3_AppendHandshakeNumber - Introducing input check of ssl3_AppendHandshakeNumber - Fix Invalid casts in instance.c - update to NSS 3.94 - Updated code and commit ID for HACL* - update ACVP fuzzed test vector: refuzzed with current NSS - Softoken C_ calls should use system FIPS setting to select NSC_ or FC_ variants - NSS needs a database tool that can dump the low level representation of the database - declare string literals using char in pkixnames_tests.cpp - avoid implicit conversion for ByteString - update rust version for acvp docker - Moving the init function of the mpi_ints before clean-up in ec.c - P-256 ECDH and ECDSA from HACL* - Add ACVP test vectors to the repository - Stop relying on std::basic_string<uint8_t> - Transpose the PPC_ABI check from Makefile to gyp - Update to NSS 3.93: - Update zlib in NSS to 1.3. - softoken: iterate hashUpdate calls for long inputs. - regenerate NameConstraints test certificates (bsc#1214980). - update to NSS 3.92 - Set nssckbi version number to 2.62 - Add 4 Atos TrustedRoot Root CA certificates to NSS - Add 4 SSL.com Root CA certificates - Add Sectigo E46 and R46 Root CA certificates - Add LAWtrust Root CA2 (4096) - Remove E-Tugra Certification Authority root - Remove Camerfirma Chambers of Commerce Root. - Remove Hongkong Post Root CA 1 - Remove E-Tugra Global Root CA ECC v3 and RSA v3 - Avoid redefining BYTE_ORDER on hppa Linux - update to NSS 3.91 - Implementation of the HW support check for ADX instruction - Removing the support of Curve25519 - Fix comment about the addition of ticketSupportsEarlyData - Adding args to enable-legacy-db build - dbtests.sh failure in "certutil dump keys with explicit default trust flags" - Initialize flags in slot structures - Improve the length check of RSA input to avoid heap overflow - Followup Fixes - avoid processing unexpected inputs by checking for m_exptmod base sign - add a limit check on order_k to avoid infinite loop - Update HACL* to commit 5f6051d2 - add SHA3 to cryptohi and softoken - HACL SHA3 - Disabling ASM C25519 for A but X86_64 - update to NSS 3.90.3 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. - clean up escape handling. - remove redundant AllocItem implementation. - Disable ASM support for Curve25519. - Disable ASM support for Curve25519 for all but X86_64. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.0-59 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520030-1/ Link for SUSE-SU-2025:20030-1 https://lists.suse.com/pipermail/sle-security-updates/2025-June/021346.html E-Mail link for SUSE-SU-2025:20030-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1214980 SUSE Bug 1214980 https://bugzilla.suse.com/1216198 SUSE Bug 1216198 https://bugzilla.suse.com/1222804 SUSE Bug 1222804 https://bugzilla.suse.com/1222807 SUSE Bug 1222807 https://bugzilla.suse.com/1222811 SUSE Bug 1222811 https://bugzilla.suse.com/1222813 SUSE Bug 1222813 https://bugzilla.suse.com/1222814 SUSE Bug 1222814 https://bugzilla.suse.com/1222821 SUSE Bug 1222821 https://bugzilla.suse.com/1222822 SUSE Bug 1222822 https://bugzilla.suse.com/1222826 SUSE Bug 1222826 https://bugzilla.suse.com/1222828 SUSE Bug 1222828 https://bugzilla.suse.com/1222830 SUSE Bug 1222830 https://bugzilla.suse.com/1222833 SUSE Bug 1222833 https://bugzilla.suse.com/1222834 SUSE Bug 1222834 https://bugzilla.suse.com/1223724 SUSE Bug 1223724 https://bugzilla.suse.com/1224113 SUSE Bug 1224113 https://bugzilla.suse.com/1224115 SUSE Bug 1224115 https://bugzilla.suse.com/1224116 SUSE Bug 1224116 https://bugzilla.suse.com/1224118 SUSE Bug 1224118 https://bugzilla.suse.com/1227918 SUSE Bug 1227918 https://bugzilla.suse.com/1325335 SUSE Bug 1325335 https://bugzilla.suse.com/1548723 SUSE Bug 1548723 https://bugzilla.suse.com/1573097 SUSE Bug 1573097 https://bugzilla.suse.com/1615555 SUSE Bug 1615555 https://bugzilla.suse.com/1748105 SUSE Bug 1748105 https://bugzilla.suse.com/1753026 SUSE Bug 1753026 https://bugzilla.suse.com/1757758 SUSE Bug 1757758 https://bugzilla.suse.com/1774659 SUSE Bug 1774659 https://bugzilla.suse.com/1775046 SUSE Bug 1775046 https://bugzilla.suse.com/1780432 SUSE Bug 1780432 https://bugzilla.suse.com/1784253 SUSE Bug 1784253 https://bugzilla.suse.com/1793811 SUSE Bug 1793811 https://bugzilla.suse.com/1813401 SUSE Bug 1813401 https://bugzilla.suse.com/1818766 SUSE Bug 1818766 https://bugzilla.suse.com/1822450 SUSE Bug 1822450 https://bugzilla.suse.com/1822935 SUSE Bug 1822935 https://bugzilla.suse.com/1822936 SUSE Bug 1822936 https://bugzilla.suse.com/1826451 SUSE Bug 1826451 https://bugzilla.suse.com/1826652 SUSE Bug 1826652 https://bugzilla.suse.com/1827224 SUSE Bug 1827224 https://bugzilla.suse.com/1827303 SUSE Bug 1827303 https://bugzilla.suse.com/1827444 SUSE Bug 1827444 https://bugzilla.suse.com/1829112 SUSE Bug 1829112 https://bugzilla.suse.com/1830415 SUSE Bug 1830415 https://bugzilla.suse.com/1830978 SUSE Bug 1830978 https://bugzilla.suse.com/1831552 SUSE Bug 1831552 https://bugzilla.suse.com/1833270 SUSE Bug 1833270 https://bugzilla.suse.com/1834851 SUSE Bug 1834851 https://bugzilla.suse.com/1835357 SUSE Bug 1835357 https://bugzilla.suse.com/1835425 SUSE Bug 1835425 https://bugzilla.suse.com/1835828 SUSE Bug 1835828 https://bugzilla.suse.com/1836781 SUSE Bug 1836781 https://bugzilla.suse.com/1836925 SUSE Bug 1836925 https://bugzilla.suse.com/1837431 SUSE Bug 1837431 https://bugzilla.suse.com/1837617 SUSE Bug 1837617 https://bugzilla.suse.com/1837987 SUSE Bug 1837987 https://bugzilla.suse.com/1839327 SUSE Bug 1839327 https://bugzilla.suse.com/1839795 SUSE Bug 1839795 https://bugzilla.suse.com/1839992 SUSE Bug 1839992 https://bugzilla.suse.com/1840429 SUSE Bug 1840429 https://bugzilla.suse.com/1840437 SUSE Bug 1840437 https://bugzilla.suse.com/1840505 SUSE Bug 1840505 https://bugzilla.suse.com/1840510 SUSE Bug 1840510 https://bugzilla.suse.com/1841029 SUSE Bug 1841029 https://bugzilla.suse.com/1842928 SUSE Bug 1842928 https://bugzilla.suse.com/1842932 SUSE Bug 1842932 https://bugzilla.suse.com/1842935 SUSE Bug 1842935 https://bugzilla.suse.com/1842937 SUSE Bug 1842937 https://bugzilla.suse.com/1847845 SUSE Bug 1847845 https://bugzilla.suse.com/1848183 SUSE Bug 1848183 https://bugzilla.suse.com/1849077 SUSE Bug 1849077 https://bugzilla.suse.com/1849471 SUSE Bug 1849471 https://bugzilla.suse.com/1850598 SUSE Bug 1850598 https://bugzilla.suse.com/1850982 SUSE Bug 1850982 https://bugzilla.suse.com/1851044 SUSE Bug 1851044 https://bugzilla.suse.com/1851049 SUSE Bug 1851049 https://bugzilla.suse.com/1852011 SUSE Bug 1852011 https://bugzilla.suse.com/1852179 SUSE Bug 1852179 https://bugzilla.suse.com/1853737 SUSE Bug 1853737 https://bugzilla.suse.com/1854438 SUSE Bug 1854438 https://bugzilla.suse.com/1854439 SUSE Bug 1854439 https://bugzilla.suse.com/1854795 SUSE Bug 1854795 https://bugzilla.suse.com/1855318 SUSE Bug 1855318 https://bugzilla.suse.com/1858241 SUSE Bug 1858241 https://bugzilla.suse.com/1860670 SUSE Bug 1860670 https://bugzilla.suse.com/1861265 SUSE Bug 1861265 https://bugzilla.suse.com/1861728 SUSE Bug 1861728 https://bugzilla.suse.com/1863605 SUSE Bug 1863605 https://bugzilla.suse.com/1865450 SUSE Bug 1865450 https://bugzilla.suse.com/1867408 SUSE Bug 1867408 https://bugzilla.suse.com/1869378 SUSE Bug 1869378 https://bugzilla.suse.com/1869408 SUSE Bug 1869408 https://bugzilla.suse.com/1869642 SUSE Bug 1869642 https://bugzilla.suse.com/1870673 SUSE Bug 1870673 https://bugzilla.suse.com/1871152 SUSE Bug 1871152 https://bugzilla.suse.com/1871219 SUSE Bug 1871219 https://bugzilla.suse.com/1871630 SUSE Bug 1871630 https://bugzilla.suse.com/1871631 SUSE Bug 1871631 https://bugzilla.suse.com/1873095 SUSE Bug 1873095 https://bugzilla.suse.com/1873296 SUSE Bug 1873296 https://bugzilla.suse.com/1874017 SUSE Bug 1874017 https://bugzilla.suse.com/1874111 SUSE Bug 1874111 https://bugzilla.suse.com/1874458 SUSE Bug 1874458 https://bugzilla.suse.com/1874937 SUSE Bug 1874937 https://bugzilla.suse.com/1875356 SUSE Bug 1875356 https://bugzilla.suse.com/1875506 SUSE Bug 1875506 https://bugzilla.suse.com/1875965 SUSE Bug 1875965 https://bugzilla.suse.com/1876179 SUSE Bug 1876179 https://bugzilla.suse.com/1876390 SUSE Bug 1876390 https://bugzilla.suse.com/1876800 SUSE Bug 1876800 https://bugzilla.suse.com/1877344 SUSE Bug 1877344 https://bugzilla.suse.com/1877730 SUSE Bug 1877730 https://bugzilla.suse.com/1879513 SUSE Bug 1879513 https://bugzilla.suse.com/1879945 SUSE Bug 1879945 https://bugzilla.suse.com/1880857 SUSE Bug 1880857 https://bugzilla.suse.com/1881027 SUSE Bug 1881027 https://bugzilla.suse.com/1884276 SUSE Bug 1884276 https://bugzilla.suse.com/1884444 SUSE Bug 1884444 https://bugzilla.suse.com/1885404 SUSE Bug 1885404 https://bugzilla.suse.com/1887996 SUSE Bug 1887996 https://bugzilla.suse.com/1889671 SUSE Bug 1889671 https://bugzilla.suse.com/1890069 SUSE Bug 1890069 https://bugzilla.suse.com/1893029 SUSE Bug 1893029 https://bugzilla.suse.com/1893162 SUSE Bug 1893162 https://bugzilla.suse.com/1893334 SUSE Bug 1893334 https://bugzilla.suse.com/1893404 SUSE Bug 1893404 https://bugzilla.suse.com/1893752 SUSE Bug 1893752 https://bugzilla.suse.com/1894572 SUSE Bug 1894572 https://bugzilla.suse.com/1895012 SUSE Bug 1895012 https://bugzilla.suse.com/1895032 SUSE Bug 1895032 https://bugzilla.suse.com/1896353 SUSE Bug 1896353 https://bugzilla.suse.com/1897487 SUSE Bug 1897487 https://bugzilla.suse.com/1898074 SUSE Bug 1898074 https://bugzilla.suse.com/1898627 SUSE Bug 1898627 https://bugzilla.suse.com/1898825 SUSE Bug 1898825 https://bugzilla.suse.com/1898830 SUSE Bug 1898830 https://bugzilla.suse.com/1898858 SUSE Bug 1898858 https://bugzilla.suse.com/1899593 SUSE Bug 1899593 https://bugzilla.suse.com/1899759 SUSE Bug 1899759 https://bugzilla.suse.com/1899883 SUSE Bug 1899883 https://bugzilla.suse.com/1900413 SUSE Bug 1900413 https://bugzilla.suse.com/1901080 SUSE Bug 1901080 https://bugzilla.suse.com/1901932 SUSE Bug 1901932 https://bugzilla.suse.com/1905691 SUSE Bug 1905691 https://bugzilla.suse.com/215997 SUSE Bug 215997 https://bugzilla.suse.com/671060 SUSE Bug 671060 https://bugzilla.suse.com/676100 SUSE Bug 676100 https://bugzilla.suse.com/676118 SUSE Bug 676118 https://bugzilla.suse.com/864039 SUSE Bug 864039 https://www.suse.com/security/cve/CVE-2023-5388/ SUSE CVE CVE-2023-5388 page SUSE Linux Micro 6.0 libfreebl3-3.101.2-1.1 libsoftokn3-3.101.2-1.1 mozilla-nss-3.101.2-1.1 mozilla-nss-certs-3.101.2-1.1 mozilla-nss-tools-3.101.2-1.1 libfreebl3-3.101.2-1.1 as a component of SUSE Linux Micro 6.0 libsoftokn3-3.101.2-1.1 as a component of SUSE Linux Micro 6.0 mozilla-nss-3.101.2-1.1 as a component of SUSE Linux Micro 6.0 mozilla-nss-certs-3.101.2-1.1 as a component of SUSE Linux Micro 6.0 mozilla-nss-tools-3.101.2-1.1 as a component of SUSE Linux Micro 6.0 NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. CVE-2023-5388 SUSE Linux Micro 6.0:libfreebl3-3.101.2-1.1 SUSE Linux Micro 6.0:libsoftokn3-3.101.2-1.1 SUSE Linux Micro 6.0:mozilla-nss-3.101.2-1.1 SUSE Linux Micro 6.0:mozilla-nss-certs-3.101.2-1.1 SUSE Linux Micro 6.0:mozilla-nss-tools-3.101.2-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520030-1/ https://www.suse.com/security/cve/CVE-2023-5388.html CVE-2023-5388 https://bugzilla.suse.com/1216198 SUSE Bug 1216198 https://bugzilla.suse.com/1221327 SUSE Bug 1221327