Synopsis
Moderate: nss, nss-softokn, nss-util, and nspr security, bug fix, and enhancement update
Type/Severity
Security Advisory: Moderate
Topic
An update for nss, nss-softokn, nss-util, and nspr is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.
Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.
The following packages have been upgraded to a later upstream version: nss (3.44.0), nss-softokn (3.44.0), nss-util (3.44.0), nspr (4.21.0). (BZ#1645231, BZ#1692269, BZ#1692271, BZ#1692274)
Security Fix(es):
- ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries (CVE-2018-0495)
- nss: Cache side-channel variant of the Bleichenbacher attack (CVE-2018-12404)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing this update, applications using nss or nspr (for example, Firefox) must be restarted for this update to take effect.
Affected Products
-
Red Hat Enterprise Linux Server 7 x86_64
-
Red Hat Enterprise Linux Workstation 7 x86_64
-
Red Hat Enterprise Linux Desktop 7 x86_64
-
Red Hat Enterprise Linux for IBM z Systems 7 s390x
-
Red Hat Enterprise Linux for Power, big endian 7 ppc64
-
Red Hat Enterprise Linux for Scientific Computing 7 x86_64
-
Red Hat Enterprise Linux for Power, little endian 7 ppc64le
Fixes
- BZ - 1144186 - Cannot delete orphan private keys with certutil.
- BZ - 1212132 - Support for IKE/IPsec typical PKIX usage so libreswan can use nss without rejecting certs based on EKU
- BZ - 1431241 - Fully implement verification of RSA-PSS keys in certificates in tstclnt and selfserv [rhel-7]
- BZ - 1444136 - move NSS signtool to the unsupported tools in RHEL 7.6
- BZ - 1455288 - TLS 1.3 handshake fails with SSL_REQUIRE_SAFE_NEGOTIATION on
- BZ - 1508571 - Exporting RSA-PSS keys to PKCS#12 drops the rsa-pss identifier from them [rhel-7]
- BZ - 1508595 - Regression in handling unknown signature algorithms extensions
- BZ - 1509045 - selfserv refuses to use rsa-pss keys [rhel-7]
- BZ - 1509396 - RFC 5246 non compliance with CertificateVerify fallback to SHA-1 [rhel-7]
- BZ - 1510156 - RSA PKCS#1 v1.5 signatures made using rsa-pss keys are accepted as valid [rhel-7]
- BZ - 1514041 - certutil -O output isn't precise when the input is an ambiguous nickname used by multiple certificates
- BZ - 1533729 - [RFE] certutil capability: generate CSR from orphan private key
- BZ - 1538081 - Policy does not apply to MGF1 hash in RSA-PSS signatures [rhel-7]
- BZ - 1591163 - CVE-2018-0495 ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries
- BZ - 1639873 - mod_nss - TLS Session ID is still not maintained (ref bz 1461580)
- BZ - 1657164 - `certutil -u I` is not documented
- BZ - 1657913 - CVE-2018-12404 nss: Cache side-channel variant of the Bleichenbacher attack
- BZ - 1670239 - libpkix name constraints check treats CN as DNS name when it should not
- BZ - 1712876 - post handshake authentication with selfserv does not work if SSL_ENABLE_SESSION_TICKETS is set [rhel-7]
CVEs
References
Vulmon