SuSE 11.2 Security Update : Mozilla NSS (SAT Patch Number 8484)
Medium Nessus Plugin ID 70937
Synopsis
The remote SuSE 11 host is missing one or more security updates.
Description
Mozilla NSS has been updated to 3.15.2 (bnc#847708), bringing various features and bugfixes:
The main feature is TLS 1.2 support and its dependent algorithms.
- Support for AES-GCM ciphersuites that use the SHA-256 PRF
- MD2, MD4, and MD5 signatures are no longer accepted for OCSP or CRLs
- Add PK11_CipherFinal macro
- sizeof() used incorrectly
- nssutil_ReadSecmodDB() leaks memory
- Allow SSL_HandshakeNegotiatedExtension to be called before the handshake is finished.
- Deprecate the SSL cipher policy code
- Avoid uninitialized data read in the event of a decryption failure. (CVE-2013-1739)
Changes coming with version 3.15.1:
- TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites (RFC 5246 and RFC 5289) are supported, allowing TLS to be used without MD5 and SHA-1. Note the following limitations: The hash function used in the signature for TLS 1.2 client authentication must be the hash function of the TLS 1.2 PRF, which is always SHA-256 in NSS 3.15.1. AES GCM cipher suites are not yet supported.
- Some bugfixes and improvements
Changes with version 3.15:
- New Functionality
- Support for OCSP Stapling (RFC 6066, Certificate Status Request) has been added for both client and server sockets. TLS client applications may enable this via a call to SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
- Added function SECITEM_ReallocItemV2. It replaces function SECITEM_ReallocItem, which is now declared as obsolete.
- Support for single-operation (i.e., not multi-part) symmetric key encryption and decryption, via PK11_Encrypt and PK11_Decrypt.
- certutil has been updated to support creating name constraints extensions.
Solution
Apply SAT patch number 8484.