{"affected":[{"ecosystem_specific":{"binaries":[{"mozilla-nss-devel":"3.101.1-58.118.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Software Development Kit 12 SP5","name":"mozilla-nss","purl":"pkg:rpm/suse/mozilla-nss&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"3.101.1-58.118.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"libfreebl3":"3.101.1-58.118.1","libfreebl3-32bit":"3.101.1-58.118.1","libsoftokn3":"3.101.1-58.118.1","libsoftokn3-32bit":"3.101.1-58.118.1","mozilla-nss":"3.101.1-58.118.1","mozilla-nss-32bit":"3.101.1-58.118.1","mozilla-nss-certs":"3.101.1-58.118.1","mozilla-nss-certs-32bit":"3.101.1-58.118.1","mozilla-nss-devel":"3.101.1-58.118.1","mozilla-nss-sysinit":"3.101.1-58.118.1","mozilla-nss-sysinit-32bit":"3.101.1-58.118.1","mozilla-nss-tools":"3.101.1-58.118.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 12 SP5","name":"mozilla-nss","purl":"pkg:rpm/suse/mozilla-nss&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"3.101.1-58.118.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"libfreebl3":"3.101.1-58.118.1","libfreebl3-32bit":"3.101.1-58.118.1","libsoftokn3":"3.101.1-58.118.1","libsoftokn3-32bit":"3.101.1-58.118.1","mozilla-nss":"3.101.1-58.118.1","mozilla-nss-32bit":"3.101.1-58.118.1","mozilla-nss-certs":"3.101.1-58.118.1","mozilla-nss-certs-32bit":"3.101.1-58.118.1","mozilla-nss-devel":"3.101.1-58.118.1","mozilla-nss-sysinit":"3.101.1-58.118.1","mozilla-nss-sysinit-32bit":"3.101.1-58.118.1","mozilla-nss-tools":"3.101.1-58.118.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server for SAP Applications 12 SP5","name":"mozilla-nss","purl":"pkg:rpm/suse/mozilla-nss&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"3.101.1-58.118.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for mozilla-nss fixes the following issues:\n\n- Fixed startup crash of Firefox when using FIPS-mode (bsc#1223724).\n- Added 'Provides: nss' so other RPMs that require 'nss' can\n  be installed (jira PED-6358).\n\n- FIPS: added safe memsets (bsc#1222811)\n- FIPS: restrict AES-GCM (bsc#1222830)\n- FIPS: Updated FIPS approved cipher lists (bsc#1222813, bsc#1222814, bsc#1222821, bsc#1222822, bsc#1224118)\n- FIPS: Updated FIPS self tests (bsc#1222807, bsc#1222828, bsc#1222834)\n- FIPS: Updated FIPS approved cipher lists (bsc#1222804, bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116)\n\nupdate to NSS 3.101.1:\n\n* GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.\n\nupdate to NSS 3.101:\n\n* add diagnostic assertions for SFTKObject refcount.\n* freeing the slot in DeleteCertAndKey if authentication failed\n* fix formatting issues.\n* Add Firmaprofesional CA Root-A Web to NSS.\n* remove invalid acvp fuzz test vectors.\n* pad short P-384 and P-521 signatures gtests.\n* remove unused FreeBL ECC code.\n* pad short P-384 and P-521 signatures.\n* be less strict about ECDSA private key length.\n* Integrate HACL* P-521.\n* Integrate HACL* P-384.\n* memory leak in create_objects_from_handles.\n* ensure all input is consumed in a few places in mozilla::pkix\n* SMIME/CMS and PKCS #12 do not integrate with modern NSS policy\n* clean up escape handling\n* Use lib::pkix as default validator instead of the old-one\n* Need to add high level support for PQ signing.\n* Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation\n* SMIME/CMS and PKCS #12 do not integrate with modern NSS policy\n* Allow for non-full length ecdsa signature when using softoken\n* Modification of .taskcluster.yml due to mozlint indent defects\n* Implement support for PBMAC1 in PKCS#12\n* disable VLA warnings for fuzz builds.\n* remove redundant AllocItem implementation.\n* add PK11_ReadDistrustAfterAttribute.\n* - Clang-formatting of SEC_GetMgfTypeByOidTag update\n* Set SEC_ERROR_LIBRARY_FAILURE on self-test failure\n* sftk_getParameters(): Fix fallback to default variable after error with configfile.\n* Switch to the mozillareleases/image_builder image\n\n- switch from ec_field_GFp to ec_field_plain\n\nUpdate to NSS 3.100:\n\n* merge pk11_kyberSlotList into pk11_ecSlotList for faster Xyber operations.\n* remove ckcapi.\n* avoid a potential PK11GenericObject memory leak.\n* Remove incomplete ESDH code.\n* Decrypt RSA OAEP encrypted messages.\n* Fix certutil CRLDP URI code.\n* Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys.\n* Add ability to encrypt and decrypt CMS messages using ECDH.\n* Correct Templates for key agreement in smime/cmsasn.c.\n* Moving the decodedCert allocation to NSS.\n* Allow developers to speed up repeated local execution of NSS tests that depend on certificates.\n\nUpdate to NSS 3.99:\n\n* Removing check for message len in ed25519 (bmo#1325335)\n* add ed25519 to SECU_ecName2params. (bmo#1884276)\n* add EdDSA wycheproof tests. (bmo#1325335)\n* nss/lib layer code for EDDSA. (bmo#1325335)\n* Adding EdDSA implementation. (bmo#1325335)\n* Exporting Certificate Compression types (bmo#1881027)\n* Updating ACVP docker to rust 1.74 (bmo#1880857)\n* Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335)\n* Add NSS_CMSRecipient_IsSupported. (bmo#1877730)\n\nUpdate to NSS 3.98:\n\n* (CVE-2023-5388) Timing attack against RSA decryption in TLS\n* Certificate Compression: enabling the check that the compression was advertised\n* Move Windows workers to nss-1/b-win2022-alpha\n* Remove Email trust bit from OISTE WISeKey Global Root GC CA\n* Replace `distutils.spawn.find_executable` with `shutil.which` within `mach` in `nss`\n* Certificate Compression: Updating nss_bogo_shim to support Certificate compression\n* TLS Certificate Compression (RFC 8879) Implementation\n* Add valgrind annotations to freebl kyber operations for constant-time execution tests\n* Set nssckbi version number to 2.66\n* Add Telekom Security roots\n* Add D-Trust 2022 S/MIME roots\n* Remove expired Security Communication RootCA1 root\n* move keys to a slot that supports concatenation in PK11_ConcatSymKeys\n* remove unmaintained tls-interop tests\n* bogo: add support for the -ipv6 and -shim-id shim flags\n* bogo: add support for the -curves shim flag and update Kyber expectations\n* bogo: adjust expectation for a key usage bit test\n* mozpkix: add option to ignore invalid subject alternative names\n* Fix selfserv not stripping `publicname:` from -X value\n* take ownership of ecckilla shims\n* add valgrind annotations to freebl/ec.c\n* PR_INADDR_ANY needs PR_htonl before assignment to inet.ip\n* Update zlib to 1.3.1\n\nUpdate to NSS 3.97:\n\n* make Xyber768d00 opt-in by policy\n* add libssl support for xyber768d00\n* add PK11_ConcatSymKeys\n* add Kyber and a PKCS#11 KEM interface to softoken\n* add a FreeBL API for Kyber\n* part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff\n* part 1: add a script for vendoring kyber from pq-crystals repo\n* Removing the calls to RSA Blind from loader.*\n* fix worker type for level3 mac tasks\n* RSA Blind implementation\n* Remove DSA selftests\n* read KWP testvectors from JSON\n* Backed out changeset dcb174139e4f\n* Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation\n* Wrap CC shell commands in gyp expansions\n\nUpdate to NSS 3.96.1:\n\n* Use pypi dependencies for MacOS worker in ./build_gyp.sh\n* p7sign: add -a hash and -u certusage (also p7verify cleanups)\n* add a defensive check for large ssl_DefSend return values\n* Add dependency to the taskcluster script for Darwin\n* Upgrade version of the MacOS worker for the CI\n\nUpdate to NSS 3.95:\n\n* Bump builtins version number.\n* Remove Email trust bit from Autoridad de Certificacion Firmaprofesional CIF A62634068 root cert.\n* Remove 4 DigiCert (Symantec/Verisign) Root Certificates\n* Remove 3 TrustCor Root Certificates from NSS.\n* Remove Camerfirma root certificates from NSS.\n* Remove old Autoridad de Certificacion Firmaprofesional Certificate.\n* Add four Commscope root certificates to NSS.\n* Add TrustAsia Global Root CA G3 and G4 root certificates.\n* Include P-384 and P-521 Scalar Validation from HACL*\n* Include P-256 Scalar Validation from HACL*.\n* After the HACL 256 ECC patch, NSS incorrectly encodes 256 ECC without DER wrapping at the softoken level\n* Add means to provide library parameters to C_Initialize\n* add OSXSAVE and XCR0 tests to AVX2 detection.\n* Typo in ssl3_AppendHandshakeNumber\n* Introducing input check of ssl3_AppendHandshakeNumber\n* Fix Invalid casts in instance.c\n\nUpdate to NSS 3.94:\n\n* Updated code and commit ID for HACL*\n* update ACVP fuzzed test vector: refuzzed with current NSS\n* Softoken C_ calls should use system FIPS setting to select NSC_ or FC_ variants\n* NSS needs a database tool that can dump the low level representation of the database\n* declare string literals using char in pkixnames_tests.cpp\n* avoid implicit conversion for ByteString\n* update rust version for acvp docker\n* Moving the init function of the mpi_ints before clean-up in ec.c\n* P-256 ECDH and ECDSA from HACL*\n* Add ACVP test vectors to the repository\n* Stop relying on std::basic_string<uint8_t>\n* Transpose the PPC_ABI check from Makefile to gyp\n\nUpdate to NSS 3.93:\n\n* Update zlib in NSS to 1.3.\n* softoken: iterate hashUpdate calls for long inputs.\n* regenerate NameConstraints test certificates (bsc#1214980).\n\nUpdate to NSS 3.92:\n\n* Set nssckbi version number to 2.62\n* Add 4 Atos TrustedRoot Root CA certificates to NSS\n* Add 4 SSL.com Root CA certificates\n* Add Sectigo E46 and R46 Root CA certificates\n* Add LAWtrust Root CA2 (4096)\n* Remove E-Tugra Certification Authority root\n* Remove Camerfirma Chambers of Commerce Root.\n* Remove Hongkong Post Root CA 1\n* Remove E-Tugra Global Root CA ECC v3 and RSA v3\n* Avoid redefining BYTE_ORDER on hppa Linux\n\nUpdate to NSS 3.91:\n\n* Implementation of the HW support check for ADX instruction\n* Removing the support of Curve25519\n* Fix comment about the addition of ticketSupportsEarlyData\n* Adding args to enable-legacy-db build\n* dbtests.sh failure in 'certutil dump keys with explicit default trust flags'\n* Initialize flags in slot structures\n* Improve the length check of RSA input to avoid heap overflow\n* Followup Fixes\n* avoid processing unexpected inputs by checking for m_exptmod base sign\n* add a limit check on order_k to avoid infinite loop\n* Update HACL* to commit 5f6051d2\n* add SHA3 to cryptohi and softoken\n* HACL SHA3\n* Disabling ASM C25519 for A but X86_64\n\nUpdate to NSS 3.90.3:\n\n* GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.\n* clean up escape handling.\n* remove redundant AllocItem implementation.\n* Disable ASM support for Curve25519.\n* Disable ASM support for Curve25519 for all but X86_64. \n","id":"SUSE-RU-2024:2564-1","modified":"2024-07-19T11:16:01Z","published":"2024-07-19T11:16:01Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/-2024-2564/suse-ru-20242564-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1214980"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222804"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222807"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222811"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222813"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222814"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222821"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222822"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222826"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222828"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222830"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222833"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222834"},{"type":"REPORT","url":"https://bugzilla.suse.com/1223724"},{"type":"REPORT","url":"https://bugzilla.suse.com/1224113"},{"type":"REPORT","url":"https://bugzilla.suse.com/1224115"},{"type":"REPORT","url":"https://bugzilla.suse.com/1224116"},{"type":"REPORT","url":"https://bugzilla.suse.com/1224118"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-5388"}],"related":["CVE-2023-5388"],"summary":"Recommended update for mozilla-nss","upstream":["CVE-2023-5388"]}