RHSA-2016:2779

94346

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8635

GLSA-201701-46

Mozilla Firefox was updated to the Firefox ESR release 45.9. Mozilla NSS was updated to support TLS 1.3 (close to release draft) and various new ciphers, PRFs, Diffie Hellman key agreement and support for more hashes. Security issues fixed in Firefox (bsc#1035082)

  - MFSA 2017-11/CVE-2017-5469: Potential Buffer overflow in     flex-generated code

  - MFSA 2017-11/CVE-2017-5429: Memory safety bugs fixed in     Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1

  - MFSA 2017-11/CVE-2017-5439: Use-after-free in nsTArray     Length() during XSLT processing

  - MFSA 2017-11/CVE-2017-5438: Use-after-free in nsAutoPtr     during XSLT processing

  - MFSA 2017-11/CVE-2017-5437: Vulnerabilities in Libevent     library

  - MFSA 2017-11/CVE-2017-5436: Out-of-bounds write with     malicious font in Graphite 2

  - MFSA 2017-11/CVE-2017-5435: Use-after-free during     transaction processing in the editor

  - MFSA 2017-11/CVE-2017-5434: Use-after-free during focus     handling

  - MFSA 2017-11/CVE-2017-5433: Use-after-free in SMIL     animation functions

  - MFSA 2017-11/CVE-2017-5432: Use-after-free in text input     selection

  - MFSA 2017-11/CVE-2017-5464: Memory corruption with     accessibility and DOM manipulation

  - MFSA 2017-11/CVE-2017-5465: Out-of-bounds read in     ConvolvePixel

  - MFSA 2017-11/CVE-2017-5460: Use-after-free in frame     selection

  - MFSA 2017-11/CVE-2017-5448: Out-of-bounds write in     ClearKeyDecryptor

  - MFSA 2017-11/CVE-2017-5446: Out-of-bounds read when     HTTP/2 DATA frames are sent with incorrect data

  - MFSA 2017-11/CVE-2017-5447: Out-of-bounds read during     glyph processing

  - MFSA 2017-11/CVE-2017-5444: Buffer overflow while     parsing application/http-index-format content

  - MFSA 2017-11/CVE-2017-5445: Uninitialized values used     while parsing application/http-index-format content

  - MFSA 2017-11/CVE-2017-5442: Use-after-free during style     changes

  - MFSA 2017-11/CVE-2017-5443: Out-of-bounds write during     BinHex decoding

  - MFSA 2017-11/CVE-2017-5440: Use-after-free in     txExecutionState destructor during XSLT processing

  - MFSA 2017-11/CVE-2017-5441: Use-after-free with     selection during scroll events

  - MFSA 2017-11/CVE-2017-5459: Buffer overflow in WebGL     Mozilla NSS was updated to 3.29.5, bringing new features     and fixing bugs :

  - Update to NSS 3.29.5 :

  - MFSA 2017-11/CVE-2017-5461: Rare crashes in the base 64     decoder and encoder were fixed.

  - MFSA 2017-11/CVE-2017-5462: A carry over bug in the RNG     was fixed.

  - CVE-2016-9574: Remote DoS during session handshake when     using SessionTicket extention and ECDHE-ECDSA     (bsc#1015499).

  - requires NSPR >= 4.13.1

  - Update to NSS 3.29.3

  - enables TLS 1.3 by default

  - Fixed a bug in hash computation (and build with GCC 7     which complains about shifts of boolean values).
    (bsc#1030071, bmo#1348767)

  - Update to NSS 3.28.3 This is a patch release to fix     binary compatibility issues.

  - Update to NSS 3.28.1 This is a patch release to update     the list of root CA certificates.

  - The following CA certificates were Removed CN = Buypass     Class 2 CA 1 CN = Root CA Generalitat Valenciana OU =     RSA Security 2048 V3

  - The following CA certificates were Added OU = AC RAIZ     FNMT-RCM CN = Amazon Root CA 1 CN = Amazon Root CA 2 CN     = Amazon Root CA 3 CN = Amazon Root CA 4 CN = LuxTrust     Global Root 2 CN = Symantec Class 1 Public Primary     Certification Authority - G4 CN = Symantec Class 1     Public Primary Certification Authority - G6 CN =     Symantec Class 2 Public Primary Certification Authority
    - G4 CN = Symantec Class 2 Public Primary Certification     Authority - G6

  - The version number of the updated root CA list has been     set to 2.11

  - Update to NSS 3.28 New functionality :

  - NSS includes support for TLS 1.3 draft -18. This     includes a number of improvements to TLS 1.3 :

  - The signed certificate timestamp, used in certificate     transparency, is supported in TLS 1.3.

  - Key exporters for TLS 1.3 are supported. This includes     the early key exporter, which can be used if 0-RTT is     enabled. Note that there is a difference between TLS 1.3     and key exporters in older versions of TLS. TLS 1.3 does     not distinguish between an empty context and no context.

  - The TLS 1.3 (draft) protocol can be enabled, by defining     NSS_ENABLE_TLS_1_3=1 when building NSS.

  - NSS includes support for the X25519 key exchange     algorithm, which is supported and enabled by default in     all versions of TLS. Notable Changes :

  - NSS can no longer be compiled with support for     additional elliptic curves. This was previously possible     by replacing certain NSS source files.

  - NSS will now detect the presence of tokens that support     additional elliptic curves and enable those curves for     use in TLS. Note that this detection has a one-off     performance cost, which can be avoided by using the     SSL_NamedGroupConfig function to limit supported groups     to those that NSS provides.

  - PKCS#11 bypass for TLS is no longer supported and has     been removed.

  - Support for 'export' grade SSL/TLS cipher suites has     been removed.

  - NSS now uses the signature schemes definition in TLS     1.3. This also affects TLS 1.2. NSS will now only     generate signatures with the combinations of hash and     signature scheme that are defined in TLS 1.3, even when     negotiating TLS 1.2.

  - This means that SHA-256 will only be used with P-256     ECDSA certificates, SHA-384 with P-384 certificates, and     SHA-512 with P-521 certificates. SHA-1 is permitted (in     TLS 1.2 only) with any certificate for backward     compatibility reasons.

  - NSS will now no longer assume that default signature     schemes are supported by a peer if there was no commonly     supported signature scheme.

  - NSS will now check if RSA-PSS signing is supported by     the token that holds the private key prior to using it     for TLS.

  - The certificate validation code contains checks to no     longer trust certificates that are issued by old WoSign     and StartCom CAs after October 21, 2016. This is     equivalent to the behavior that Mozilla will release     with Firefox 51.

  - Update to NSS 3.27.2

  - Fixed SSL_SetTrustAnchors leaks (bmo#1318561)

  - raised the minimum softokn/freebl version to 3.28 as     reported in (boo#1021636)

  - Update to NSS 3.26.2 New Functionality :

  - the selfserv test utility has been enhanced to support     ALPN (HTTP/1.1) and 0-RTT

  - added support for the System-wide crypto policy     available on Fedora Linux see     http://fedoraproject.org/wiki/Changes/CryptoPolicy

  - introduced build flag NSS_DISABLE_LIBPKIX that allows     compilation of NSS without the libpkix library Notable     Changes :

  - The following CA certificate was Added CN = ISRG Root X1

  - NPN is disabled and ALPN is enabled by default

  - the NSS test suite now completes with the experimental     TLS 1.3 code enabled

  - several test improvements and additions, including a     NIST known answer test Changes in 3.26.2

  - MD5 signature algorithms sent by the server in     CertificateRequest messages are now properly ignored.
    Previously, with rare server configurations, an MD5     signature algorithm might have been selected for client     authentication and caused the client to abort the     connection soon after.

  - Update to NSS 3.25 New functionality :

  - Implemented DHE key agreement for TLS 1.3

  - Added support for ChaCha with TLS 1.3

  - Added support for TLS 1.2 ciphersuites that use SHA384     as the PRF

  - In previous versions, when using client authentication     with TLS 1.2, NSS only supported certificate_verify     messages that used the same signature hash algorithm as     used by the PRF. This limitation has been removed.
    Notable changes :

  - An SSL socket can no longer be configured to allow both     TLS 1.3 and SSLv3

  - Regression fix: NSS no longer reports a failure if an     application attempts to disable the SSLv2 protocol.

  - The list of trusted CA certificates has been updated to     version 2.8

  - The following CA certificate was Removed Sonera Class1     CA

  - The following CA certificates were Added Hellenic     Academic and Research Institutions RootCA 2015 Hellenic     Academic and Research Institutions ECC RootCA 2015     Certplus Root CA G1 Certplus Root CA G2 OpenTrust Root     CA G1 OpenTrust Root CA G2 OpenTrust Root CA G3

  - Update to NSS 3.24 New functionality :

  - NSS softoken has been updated with the latest National     Institute of Standards and Technology (NIST) guidance     (as of 2015) :

  - Software integrity checks and POST functions are     executed on shared library load. These checks have been     disabled by default, as they can cause a performance     regression. To enable these checks, you must define     symbol NSS_FORCE_FIPS when building NSS.

  - Counter mode and Galois/Counter Mode (GCM) have checks     to prevent counter overflow.

  - Additional CSPs are zeroed in the code.

  - NSS softoken uses new guidance for how many Rabin-Miller     tests are needed to verify a prime based on prime size.

  - NSS softoken has also been updated to allow NSS to run     in FIPS Level 1 (no password). This mode is triggered by     setting the database password to the empty string. In     FIPS mode, you may move from Level 1 to Level 2 (by     setting an appropriate password), but not the reverse.

  - A SSL_ConfigServerCert function has been added for     configuring SSL/TLS server sockets with a certificate     and private key. Use this new function in place of     SSL_ConfigSecureServer,     SSL_ConfigSecureServerWithCertChain,     SSL_SetStapledOCSPResponses, and     SSL_SetSignedCertTimestamps. SSL_ConfigServerCert     automatically determines the certificate type from the     certificate and private key. The caller is no longer     required to use SSLKEAType explicitly to select a 'slot'     into which the certificate is configured (which     incorrectly identifies a key agreement type rather than     a certificate). Separate functions for configuring     Online Certificate Status Protocol (OCSP) responses or     Signed Certificate Timestamps are not needed, since     these can be added to the optional     SSLExtraServerCertData struct provided to     SSL_ConfigServerCert. Also, partial support for RSA     Probabilistic Signature Scheme (RSA-PSS) certificates     has been added. Although these certificates can be     configured, they will not be used by NSS in this     version.

  - Deprecate the member attribute authAlgorithm of type     SSLCipherSuiteInfo. Instead, applications should use the     newly added attribute authType.

  - Add a shared library (libfreeblpriv3) on Linux platforms     that define FREEBL_LOWHASH.

  - Remove most code related to SSL v2, including the     ability to actively send a SSLv2-compatible client     hello. However, the server-side implementation of the     SSL/TLS protocol still supports processing of received     v2-compatible client hello messages.

  - Disable (by default) NSS support in optimized builds for     logging SSL/TLS key material to a logfile if the     SSLKEYLOGFILE environment variable is set. To enable the     functionality in optimized builds, you must define the     symbol NSS_ALLOW_SSLKEYLOGFILE when building NSS.

  - Update NSS to protect it against the Cachebleed attack.

  - Disable support for DTLS compression.

  - Improve support for TLS 1.3. This includes support for     DTLS 1.3. Note that TLS 1.3 support is experimental and     not suitable for production use.

  - Update to NSS 3.23 New functionality :

  - ChaCha20/Poly1305 cipher and TLS cipher suites now     supported

  - Experimental-only support TLS 1.3 1-RTT mode (draft-11).
    This code is not ready for production use. Notable     changes :

  - The list of TLS extensions sent in the TLS handshake has     been reordered to increase compatibility of the Extended     Master Secret with with servers

  - The build time environment variable NSS_ENABLE_ZLIB has     been renamed to NSS_SSL_ENABLE_ZLIB

  - The build time environment variable     NSS_DISABLE_CHACHAPOLY was added, which can be used to     prevent compilation of the ChaCha20/Poly1305 code.

  - The following CA certificates were Removed

  - Staat der Nederlanden Root CA

  - NetLock Minositett Kozjegyzoi (Class QA)     Tanusitvanykiado

  - NetLock Kozjegyzoi (Class A) Tanusitvanykiado

  - NetLock Uzleti (Class B) Tanusitvanykiado

  - NetLock Expressz (Class C) Tanusitvanykiado

  - VeriSign Class 1 Public PCA - G2

  - VeriSign Class 3 Public PCA

  - VeriSign Class 3 Public PCA - G2

  - CA Disig

  - The following CA certificates were Added

  + SZAFIR ROOT CA2

  + Certum Trusted Network CA 2

  - The following CA certificate had the Email trust bit     turned on

  + Actalis Authentication Root CA Security fixes :

  - CVE-2016-2834: Memory safety bugs (boo#983639)     MFSA-2016-61 bmo#1206283 bmo#1221620 bmo#1241034     bmo#1241037

  - Update to NSS 3.22.3

  - Increase compatibility of TLS extended master secret,     don't send an empty TLS extension last in the handshake     (bmo#1243641)

  - Fixed a heap-based buffer overflow related to the     parsing of certain ASN.1 structures. An attacker could     create a specially crafted certificate which, when     parsed by NSS, would cause a crash or execution of     arbitrary code with the permissions of the user.
    (CVE-2016-1950, bmo#1245528)

  - Update to NSS 3.22.2 New functionality :

  - RSA-PSS signatures are now supported (bmo#1215295)

  - Pseudorandom functions based on hashes other than SHA-1     are now supported

  - Enforce an External Policy on NSS from a config file     (bmo#1009429)

  - CVE-2016-8635: Fix for DH small subgroup confinement     attack (bsc#1015547) Mozilla NSPR was updated to version     4.13.1: The previously released version 4.13 had changed     pipes to be nonblocking by default, and as a     consequence, PollEvent was changed to not block on     clear. The NSPR development team received reports that     these changes caused regressions in some applications     that use NSPR, and it has been decided to revert the     changes made in NSPR 4.13. NSPR 4.13.1 restores the     traditional behavior of pipes and PollEvent. Mozilla     NSPR update to version 4.13 had these changes :

  - PL_strcmp (and others) were fixed to return consistent     results when one of the arguments is NULL.

  - PollEvent was fixed to not block on clear.

  - Pipes are always nonblocking.

  - PR_GetNameForIdentity: added thread safety lock and     bound checks.

  - Removed the PLArena freelist.

  - Avoid some integer overflows.

  - fixed several comments. This update also contains     java-1_8_0-openjdk that needed to be rebuilt against the     new mozilla-nss version.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Mozilla Firefox was updated to the Firefox ESR release 45.9. Mozilla NSS was updated to support TLS 1.3 (close to release draft) and various new ciphers, PRFs, Diffie Hellman key agreement and support for more hashes. Security issues fixed in Firefox (bsc#1035082)

  - MFSA 2017-11/CVE-2017-5469: Potential Buffer overflow in     flex-generated code

  - MFSA 2017-11/CVE-2017-5429: Memory safety bugs fixed in     Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1

  - MFSA 2017-11/CVE-2017-5439: Use-after-free in nsTArray     Length() during XSLT processing

  - MFSA 2017-11/CVE-2017-5438: Use-after-free in nsAutoPtr     during XSLT processing

  - MFSA 2017-11/CVE-2017-5437: Vulnerabilities in Libevent     library

  - MFSA 2017-11/CVE-2017-5436: Out-of-bounds write with     malicious font in Graphite 2

  - MFSA 2017-11/CVE-2017-5435: Use-after-free during     transaction processing in the editor

  - MFSA 2017-11/CVE-2017-5434: Use-after-free during focus     handling

  - MFSA 2017-11/CVE-2017-5433: Use-after-free in SMIL     animation functions

  - MFSA 2017-11/CVE-2017-5432: Use-after-free in text input     selection

  - MFSA 2017-11/CVE-2017-5464: Memory corruption with     accessibility and DOM manipulation

  - MFSA 2017-11/CVE-2017-5465: Out-of-bounds read in     ConvolvePixel

  - MFSA 2017-11/CVE-2017-5460: Use-after-free in frame     selection

  - MFSA 2017-11/CVE-2017-5448: Out-of-bounds write in     ClearKeyDecryptor

  - MFSA 2017-11/CVE-2017-5446: Out-of-bounds read when     HTTP/2 DATA frames are sent with incorrect data

  - MFSA 2017-11/CVE-2017-5447: Out-of-bounds read during     glyph processing

  - MFSA 2017-11/CVE-2017-5444: Buffer overflow while     parsing application/http-index-format content

  - MFSA 2017-11/CVE-2017-5445: Uninitialized values used     while parsing application/http-index-format content

  - MFSA 2017-11/CVE-2017-5442: Use-after-free during style     changes

  - MFSA 2017-11/CVE-2017-5443: Out-of-bounds write during     BinHex decoding

  - MFSA 2017-11/CVE-2017-5440: Use-after-free in     txExecutionState destructor during XSLT processing

  - MFSA 2017-11/CVE-2017-5441: Use-after-free with     selection during scroll events

  - MFSA 2017-11/CVE-2017-5459: Buffer overflow in WebGL     Mozilla NSS was updated to 3.29.5, bringing new features     and fixing bugs :

  - Update to NSS 3.29.5 :

  - MFSA 2017-11/CVE-2017-5461: Rare crashes in the base 64     decoder and encoder were fixed.

  - MFSA 2017-11/CVE-2017-5462: A carry over bug in the RNG     was fixed.

  - CVE-2016-9574: Remote DoS during session handshake when     using SessionTicket extention and ECDHE-ECDSA     (bsc#1015499).

  - requires NSPR >= 4.13.1

  - Update to NSS 3.29.3

  - enables TLS 1.3 by default

  - Fixed a bug in hash computation (and build with GCC 7     which complains about shifts of boolean values).
    (bsc#1030071, bmo#1348767)

  - Update to NSS 3.28.3 This is a patch release to fix     binary compatibility issues.

  - Update to NSS 3.28.1 This is a patch release to update     the list of root CA certificates.

  - The following CA certificates were Removed CN = Buypass     Class 2 CA 1 CN = Root CA Generalitat Valenciana OU =     RSA Security 2048 V3

  - The following CA certificates were Added OU = AC RAIZ     FNMT-RCM CN = Amazon Root CA 1 CN = Amazon Root CA 2 CN     = Amazon Root CA 3 CN = Amazon Root CA 4 CN = LuxTrust     Global Root 2 CN = Symantec Class 1 Public Primary     Certification Authority - G4 CN = Symantec Class 1     Public Primary Certification Authority - G6 CN =     Symantec Class 2 Public Primary Certification Authority
    - G4 CN = Symantec Class 2 Public Primary Certification     Authority - G6

  - The version number of the updated root CA list has been     set to 2.11

  - Update to NSS 3.28 New functionality :

  - NSS includes support for TLS 1.3 draft -18. This     includes a number of improvements to TLS 1.3 :

  - The signed certificate timestamp, used in certificate     transparency, is supported in TLS 1.3.

  - Key exporters for TLS 1.3 are supported. This includes     the early key exporter, which can be used if 0-RTT is     enabled. Note that there is a difference between TLS 1.3     and key exporters in older versions of TLS. TLS 1.3 does     not distinguish between an empty context and no context.

  - The TLS 1.3 (draft) protocol can be enabled, by defining     NSS_ENABLE_TLS_1_3=1 when building NSS.

  - NSS includes support for the X25519 key exchange     algorithm, which is supported and enabled by default in     all versions of TLS. Notable Changes :

  - NSS can no longer be compiled with support for     additional elliptic curves. This was previously possible     by replacing certain NSS source files.

  - NSS will now detect the presence of tokens that support     additional elliptic curves and enable those curves for     use in TLS. Note that this detection has a one-off     performance cost, which can be avoided by using the     SSL_NamedGroupConfig function to limit supported groups     to those that NSS provides.

  - PKCS#11 bypass for TLS is no longer supported and has     been removed.

  - Support for 'export' grade SSL/TLS cipher suites has     been removed.

  - NSS now uses the signature schemes definition in TLS     1.3. This also affects TLS 1.2. NSS will now only     generate signatures with the combinations of hash and     signature scheme that are defined in TLS 1.3, even when     negotiating TLS 1.2.

  - This means that SHA-256 will only be used with P-256     ECDSA certificates, SHA-384 with P-384 certificates, and     SHA-512 with P-521 certificates. SHA-1 is permitted (in     TLS 1.2 only) with any certificate for backward     compatibility reasons.

  - NSS will now no longer assume that default signature     schemes are supported by a peer if there was no commonly     supported signature scheme.

  - NSS will now check if RSA-PSS signing is supported by     the token that holds the private key prior to using it     for TLS.

  - The certificate validation code contains checks to no     longer trust certificates that are issued by old WoSign     and StartCom CAs after October 21, 2016. This is     equivalent to the behavior that Mozilla will release     with Firefox 51.

  - Update to NSS 3.27.2

  - Fixed SSL_SetTrustAnchors leaks (bmo#1318561)

  - raised the minimum softokn/freebl version to 3.28 as     reported in (boo#1021636)

  - Update to NSS 3.26.2 New Functionality :

  - the selfserv test utility has been enhanced to support     ALPN (HTTP/1.1) and 0-RTT

  - added support for the System-wide crypto policy     available on Fedora Linux see     http://fedoraproject.org/wiki/Changes/CryptoPolicy

  - introduced build flag NSS_DISABLE_LIBPKIX that allows     compilation of NSS without the libpkix library Notable     Changes :

  - The following CA certificate was Added CN = ISRG Root X1

  - NPN is disabled and ALPN is enabled by default

  - the NSS test suite now completes with the experimental     TLS 1.3 code enabled

  - several test improvements and additions, including a     NIST known answer test Changes in 3.26.2

  - MD5 signature algorithms sent by the server in     CertificateRequest messages are now properly ignored.
    Previously, with rare server configurations, an MD5     signature algorithm might have been selected for client     authentication and caused the client to abort the     connection soon after.

  - Update to NSS 3.25 New functionality :

  - Implemented DHE key agreement for TLS 1.3

  - Added support for ChaCha with TLS 1.3

  - Added support for TLS 1.2 ciphersuites that use SHA384     as the PRF

  - In previous versions, when using client authentication     with TLS 1.2, NSS only supported certificate_verify     messages that used the same signature hash algorithm as     used by the PRF. This limitation has been removed.
    Notable changes :

  - An SSL socket can no longer be configured to allow both     TLS 1.3 and SSLv3

  - Regression fix: NSS no longer reports a failure if an     application attempts to disable the SSLv2 protocol.

  - The list of trusted CA certificates has been updated to     version 2.8

  - The following CA certificate was Removed Sonera Class1     CA

  - The following CA certificates were Added Hellenic     Academic and Research Institutions RootCA 2015 Hellenic     Academic and Research Institutions ECC RootCA 2015     Certplus Root CA G1 Certplus Root CA G2 OpenTrust Root     CA G1 OpenTrust Root CA G2 OpenTrust Root CA G3

  - Update to NSS 3.24 New functionality :

  - NSS softoken has been updated with the latest National     Institute of Standards and Technology (NIST) guidance     (as of 2015) :

  - Software integrity checks and POST functions are     executed on shared library load. These checks have been     disabled by default, as they can cause a performance     regression. To enable these checks, you must define     symbol NSS_FORCE_FIPS when building NSS.

  - Counter mode and Galois/Counter Mode (GCM) have checks     to prevent counter overflow.

  - Additional CSPs are zeroed in the code.

  - NSS softoken uses new guidance for how many Rabin-Miller     tests are needed to verify a prime based on prime size.

  - NSS softoken has also been updated to allow NSS to run     in FIPS Level 1 (no password). This mode is triggered by     setting the database password to the empty string. In     FIPS mode, you may move from Level 1 to Level 2 (by     setting an appropriate password), but not the reverse.

  - A SSL_ConfigServerCert function has been added for     configuring SSL/TLS server sockets with a certificate     and private key. Use this new function in place of     SSL_ConfigSecureServer,     SSL_ConfigSecureServerWithCertChain,     SSL_SetStapledOCSPResponses, and     SSL_SetSignedCertTimestamps. SSL_ConfigServerCert     automatically determines the certificate type from the     certificate and private key. The caller is no longer     required to use SSLKEAType explicitly to select a 'slot'     into which the certificate is configured (which     incorrectly identifies a key agreement type rather than     a certificate). Separate functions for configuring     Online Certificate Status Protocol (OCSP) responses or     Signed Certificate Timestamps are not needed, since     these can be added to the optional     SSLExtraServerCertData struct provided to     SSL_ConfigServerCert. Also, partial support for RSA     Probabilistic Signature Scheme (RSA-PSS) certificates     has been added. Although these certificates can be     configured, they will not be used by NSS in this     version.

  - Deprecate the member attribute authAlgorithm of type     SSLCipherSuiteInfo. Instead, applications should use the     newly added attribute authType.

  - Add a shared library (libfreeblpriv3) on Linux platforms     that define FREEBL_LOWHASH.

  - Remove most code related to SSL v2, including the     ability to actively send a SSLv2-compatible client     hello. However, the server-side implementation of the     SSL/TLS protocol still supports processing of received     v2-compatible client hello messages.

  - Disable (by default) NSS support in optimized builds for     logging SSL/TLS key material to a logfile if the     SSLKEYLOGFILE environment variable is set. To enable the     functionality in optimized builds, you must define the     symbol NSS_ALLOW_SSLKEYLOGFILE when building NSS.

  - Update NSS to protect it against the Cachebleed attack.

  - Disable support for DTLS compression.

  - Improve support for TLS 1.3. This includes support for     DTLS 1.3. Note that TLS 1.3 support is experimental and     not suitable for production use.

  - Update to NSS 3.23 New functionality :

  - ChaCha20/Poly1305 cipher and TLS cipher suites now     supported

  - Experimental-only support TLS 1.3 1-RTT mode (draft-11).
    This code is not ready for production use. Notable     changes :

  - The list of TLS extensions sent in the TLS handshake has     been reordered to increase compatibility of the Extended     Master Secret with with servers

  - The build time environment variable NSS_ENABLE_ZLIB has     been renamed to NSS_SSL_ENABLE_ZLIB

  - The build time environment variable     NSS_DISABLE_CHACHAPOLY was added, which can be used to     prevent compilation of the ChaCha20/Poly1305 code.

  - The following CA certificates were Removed

  - Staat der Nederlanden Root CA

  - NetLock Minositett Kozjegyzoi (Class QA)     Tanusitvanykiado

  - NetLock Kozjegyzoi (Class A) Tanusitvanykiado

  - NetLock Uzleti (Class B) Tanusitvanykiado

  - NetLock Expressz (Class C) Tanusitvanykiado

  - VeriSign Class 1 Public PCA - G2

  - VeriSign Class 3 Public PCA

  - VeriSign Class 3 Public PCA - G2

  - CA Disig

  - The following CA certificates were Added

  + SZAFIR ROOT CA2

  + Certum Trusted Network CA 2

  - The following CA certificate had the Email trust bit     turned on

  + Actalis Authentication Root CA Security fixes :

  - CVE-2016-2834: Memory safety bugs (boo#983639)     MFSA-2016-61 bmo#1206283 bmo#1221620 bmo#1241034     bmo#1241037

  - Update to NSS 3.22.3

  - Increase compatibility of TLS extended master secret,     don't send an empty TLS extension last in the handshake     (bmo#1243641)

  - Fixed a heap-based buffer overflow related to the     parsing of certain ASN.1 structures. An attacker could     create a specially crafted certificate which, when     parsed by NSS, would cause a crash or execution of     arbitrary code with the permissions of the user.
    (CVE-2016-1950, bmo#1245528)

  - Update to NSS 3.22.2 New functionality :

  - RSA-PSS signatures are now supported (bmo#1215295)

  - Pseudorandom functions based on hashes other than SHA-1     are now supported

  - Enforce an External Policy on NSS from a config file     (bmo#1009429)

  - CVE-2016-8635: Fix for DH small subgroup confinement     attack (bsc#1015547) Mozilla NSPR was updated to version     4.13.1: The previously released version 4.13 had changed     pipes to be nonblocking by default, and as a     consequence, PollEvent was changed to not block on     clear. The NSPR development team received reports that     these changes caused regressions in some applications     that use NSPR, and it has been decided to revert the     changes made in NSPR 4.13. NSPR 4.13.1 restores the     traditional behavior of pipes and PollEvent. Mozilla     NSPR update to version 4.13 had these changes :

  - PL_strcmp (and others) were fixed to return consistent     results when one of the arguments is NULL.

  - PollEvent was fixed to not block on clear.

  - Pipes are always nonblocking.

  - PR_GetNameForIdentity: added thread safety lock and     bound checks.

  - Removed the PLArena freelist.

  - Avoid some integer overflows.

  - fixed several comments.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the nss nss-util packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Multiple buffer handling flaws were found in the way     NSS handled cryptographic data from the network. A     remote attacker could use these flaws to crash an     application using NSS or, possibly, execute arbitrary     code with the permission of the user running the     application. (CVE-2016-2834)

  - A NULL pointer dereference flaw was found in the way     NSS handled invalid Diffie-Hellman keys. A remote     client could use this flaw to crash a TLS/SSL server     using NSS. (CVE-2016-5285)

  - It was found that Diffie Hellman Client key exchange     handling in NSS was vulnerable to small subgroup     confinement attack. An attacker could use this flaw to     recover private keys by confining the client DH key to     small subgroup of the desired group. (CVE-2016-8635)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201701-46 (Mozilla Network Security Service (NSS): Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in NSS. Please review the       CVE identifiers and technical papers referenced below for details.
  Impact :

    Remote attackers could conduct man-in-the-middle attacks, obtain access       to private key information, or cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

It was discovered that NSS incorrectly handled certain invalid Diffie-Hellman keys. A remote attacker could possibly use this flaw to cause NSS to crash, resulting in a denial of service. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
(CVE-2016-5285)

Hubert Kario discovered that NSS incorrectly handled Diffie Hellman client key exchanges. A remote attacker could possibly use this flaw to perform a small subgroup confinement attack and recover private keys. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-8635)

Franziskus Kiefer discovered that NSS incorrectly mitigated certain timing side-channel attacks. A remote attacker could possibly use this flaw to recover private keys. (CVE-2016-9074)

This update refreshes the NSS package to version 3.26.2 which includes the latest CA certificate bundle.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

CVE-2016-2834 nss: Multiple security flaws (MFSA 2016-61)

Multiple buffer handling flaws were found in the way NSS handled cryptographic data from the network. A remote attacker could use these flaws to crash an application using NSS or, possibly, execute arbitrary code with the permission of the user running the application.

CVE-2016-8635 nss: small-subgroups attack flaw

It was found that Diffie Hellman Client key exchange handling in NSS was vulnerable to small subgroup confinement attack. An attacker could use this flaw to recover private keys by confining the client DH key to small subgroup of the desired group.

CVE-2016-5285 nss: Missing NULL check in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime causes server crash

A NULL pointer dereference flaw was found in the way NSS handled invalid Diffie-Hellman keys. A remote client could use this flaw to crash a TLS/SSL server using NSS.

The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries.

The following packages have been upgraded to a newer upstream version:
nss (3.12.3), nss-util (3.12.3).

Security Fix(es) :

  - Multiple buffer handling flaws were found in the way NSS     handled cryptographic data from the network. A remote     attacker could use these flaws to crash an application     using NSS or, possibly, execute arbitrary code with the     permission of the user running the application.
    (CVE-2016-2834)

  - A NULL pointer dereference flaw was found in the way NSS     handled invalid Diffie-Hellman keys. A remote client     could use this flaw to crash a TLS/SSL server using NSS.
    (CVE-2016-5285)

  - It was found that Diffie Hellman Client key exchange     handling in NSS was vulnerable to small subgroup     confinement attack. An attacker could use this flaw to     recover private keys by confining the client DH key to     small subgroup of the desired group. (CVE-2016-8635)

An update for nss and nss-util is now available for Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.

The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries.

The following packages have been upgraded to a newer upstream version:
nss (3.21.3), nss-util (3.21.3).

Security Fix(es) :

* Multiple buffer handling flaws were found in the way NSS handled cryptographic data from the network. A remote attacker could use these flaws to crash an application using NSS or, possibly, execute arbitrary code with the permission of the user running the application. (CVE-2016-2834)

* A NULL pointer dereference flaw was found in the way NSS handled invalid Diffie-Hellman keys. A remote client could use this flaw to crash a TLS/SSL server using NSS. (CVE-2016-5285)

* It was found that Diffie Hellman Client key exchange handling in NSS was vulnerable to small subgroup confinement attack. An attacker could use this flaw to recover private keys by confining the client DH key to small subgroup of the desired group. (CVE-2016-8635)

Red Hat would like to thank the Mozilla project for reporting CVE-2016-2834. The CVE-2016-8635 issue was discovered by Hubert Kario (Red Hat). Upstream acknowledges Tyson Smith and Jed Davis as the original reporter of CVE-2016-2834.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Mozilla #1314604 / Red Hat (CVE-2016-8635)

  - Rebase to NSS 3.21.3

  - Resolves: Bug 1347908

The remote OracleVM system is missing necessary patches to address critical security updates :

nss

  - Added nss-vendor.patch to change vendor

  - Mozilla #1314604 / Red Hat (CVE-2016-8635)

  - remove disable_hw_gcm.patch which hasn't been used since     3.16.1

  - Rebase to NSS 3.21.3

  - Resolves: #1383885

nss-util

  - Rebase to nss-3.21.3

  - Remove patch for CVE-2016-1950, which is included in the     release

  - Related: Bug 1347908

  - Added upstream patch for (CVE-2016-1950)

  - Rebase to nss-util from nss 3.21

  - Resolves: Bug 1297890 - Rebase RHEL 6.8 to NSS-util 3.21     in preparation for Firefox 45

From Red Hat Security Advisory 2016:2779 :

An update for nss and nss-util is now available for Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.

The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries.

The following packages have been upgraded to a newer upstream version:
nss (3.21.3), nss-util (3.21.3).

Security Fix(es) :

* Multiple buffer handling flaws were found in the way NSS handled cryptographic data from the network. A remote attacker could use these flaws to crash an application using NSS or, possibly, execute arbitrary code with the permission of the user running the application. (CVE-2016-2834)

* A NULL pointer dereference flaw was found in the way NSS handled invalid Diffie-Hellman keys. A remote client could use this flaw to crash a TLS/SSL server using NSS. (CVE-2016-5285)

* It was found that Diffie Hellman Client key exchange handling in NSS was vulnerable to small subgroup confinement attack. An attacker could use this flaw to recover private keys by confining the client DH key to small subgroup of the desired group. (CVE-2016-8635)

Red Hat would like to thank the Mozilla project for reporting CVE-2016-2834. The CVE-2016-8635 issue was discovered by Hubert Kario (Red Hat). Upstream acknowledges Tyson Smith and Jed Davis as the original reporter of CVE-2016-2834.

ID	Name	Product	Family	Severity
100151	SUSE SLED12 / SLES12 Security Update : MozillaFirefox, mozilla-nss, mozilla-nspr, java-1_8_0-openjdk (SUSE-SU-2017:1248-1)	Nessus	SuSE Local Security Checks	high
99992	SUSE SLES11 Security Update : MozillaFirefox, mozilla-nss, mozilla-nspr (SUSE-SU-2017:1175-1)	Nessus	SuSE Local Security Checks	high
99843	EulerOS 2.0 SP1 : nss nss-util (EulerOS-SA-2016-1084)	Nessus	Huawei Local Security Checks	high
96643	GLSA-201701-46 : Mozilla Network Security Service (NSS): Multiple vulnerabilities (Logjam) (SLOTH)	Nessus	Gentoo Local Security Checks	medium
96304	Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : nss vulnerabilities (USN-3163-1)	Nessus	Ubuntu Local Security Checks	medium
95894	Amazon Linux AMI : nss-util / nss,nss-softokn (ALAS-2016-774)	Nessus	Amazon Linux Local Security Checks	high
95052	Scientific Linux Security Update : nss and nss-util on SL5.x, SL6.x, SL7.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
94981	CentOS 5 / 6 / 7 : nss / nss-util (CESA-2016:2779)	Nessus	CentOS Local Security Checks	high
94931	OracleVM 3.2 : nss (OVMSA-2016-0160)	Nessus	OracleVM Local Security Checks	medium
94930	OracleVM 3.3 / 3.4 : nssnss-util (OVMSA-2016-0159)	Nessus	OracleVM Local Security Checks	medium
94927	Oracle Linux 5 / 6 / 7 : nss / nss-util (ELSA-2016-2779)	Nessus	Oracle Linux Local Security Checks	high
94912	RHEL 5 / 6 / 7 : nss and nss-util (RHSA-2016:2779)	Nessus	Red Hat Local Security Checks	high

CVE-2016-8635

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins