[Oraclevm-errata] OVMSA-2014-0023 Important: Oracle VM 3.3 nss security update

Errata Announcements for Oracle VM oraclevm-errata at oss.oracle.com
Tue Sep 30 15:08:24 PDT 2014


Oracle VM Security Advisory OVMSA-2014-0023

The following updated rpms for Oracle VM 3.3 have been uploaded to the 
Unbreakable Linux Network:

x86_64:
nss-3.16.1-7.0.1.el6_5.x86_64.rpm
nss-softokn-3.14.3-12.el6_5.x86_64.rpm
nss-softokn-freebl-3.14.3-12.el6_5.i686.rpm
nss-softokn-freebl-3.14.3-12.el6_5.x86_64.rpm
nss-sysinit-3.16.1-7.0.1.el6_5.x86_64.rpm
nss-tools-3.16.1-7.0.1.el6_5.x86_64.rpm
nss-util-3.16.1-2.el6_5.x86_64.rpm


SRPMS:
http://oss.oracle.com/oraclevm/server/3.3/SRPMS-updates/nss-3.16.1-7.0.1.el6_5.src.rpm
http://oss.oracle.com/oraclevm/server/3.3/SRPMS-updates/nss-softokn-3.14.3-12.el6_5.src.rpm
http://oss.oracle.com/oraclevm/server/3.3/SRPMS-updates/nss-util-3.16.1-2.el6_5.src.rpm



Description of changes:

nss
[3.16.1-7.0.1.el6_5]
- Added nss-vendor.patch to change vendor

[3.16.1-7]
- Replace expired PayPal test certificate that breaks the build
- Resolves: Bug 1145431 - CVE-2014-1568

[3.16.1-6]
- Resolves: Bug 1145431 - CVE-2014-1568

[3.16.1-5]
- Removed listed but unused patches detected by the rpmdiff test
- Resolves: Bug 1099619

[3.16.1-4]
- Update some patches on account of the rebase
- Resolves: Bug 1099619

[3.16.1-3]
- Backport nss-3.12.6 upstream fix required by Firefox 31
- Resolves: Bug 1099619

[3.16.1-2]
- Remove two unused patches and apply a needed one that was missed
- Resolves: Bug 1112136 - Rebase nss in RHEL 6.5.Z to NSS 3.16.1

[3.16.1-1]
- Update to nss-3.16.1
- Resolves: Bug 1112136 - Rebase nss in RHEL 6.5.Z to NSS 3.16.1

[3.15.3-6]
- Make pem's derEncodingsMatch function work with encrypted keys
- Resolves: Bug 1048713 - [PEM] active FTPS with encrypted client key 
ends up with SSL_ERROR_TOKEN_INSERTION_REMOVAL

[3.15.3-5]
- Remove unused patches
- Resolves: Bug 1048713

[3.15.3-4]
- Resolves: Bug 1048713 - [PEM] active FTPS with encrypted client key 
ends up with SSL_ERROR_TOKEN_INSERTION_REMOVAL

[3.15.3-3]
- Revoke trust in one mis-issued anssi certificate
- Resolves: Bug 1042685 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 
2013-117) [rhel-6.6]

[3.15.3-2]
- Enable patch with fix for deadlock in trust domain lock and object lock
- Resolves: Bug 1036477 - deadlock in trust domain lock and object lock
- Disable hw gcm on rhel-5 based build environments where OS lacks support
- Rollback changes to build nss without softokn until Bug 689919 is approved
- Cipher suite was run as part of the nss-softokn build

[3.15.3-1]
- Update to NSS_3_15_3_RTM
- Resolves: Bug 1032470 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741

[3.15.1-15]
- Using export NSS_DISABLE_HW_GCM=1 to deal with some problematic build 
systems
- Resolves: rhbz#1016044 - nss.s390: primary link for libnssckbi.so must 
be /usr/lib64/libnssckbi.so

[3.15.1-14]
- Add s390x and ia64 to the %define multilib_arches list used for 
defining alt_ckbi
- Resolves: rhbz#1016044 - nss.s390: primary link for libnssckbi.so must 
be /usr/lib64/libnssckbi.so

[3.15.1-13]
- Add zero default value to DISABLETEST check and fix the TEST_FAILURES 
check and reporting
- Resolves: rhbz#990631 - file permissions of pkcs11.txt/secmod.db must 
be kept when modified by NSS
- Related: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for FF 24.x)

[3.15.1-12]
- Add a zero default value to the DISABLETEST and TEST_FAILURES checks
- Resolves: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for FF 24.x)

[3.15.1-11]
- Fix the test for zero failures in the %check section
- Resolves: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for FF 24.x)

[3.15.1-10]
- Restore a mistakenly removed patch
- Resolves: rhbz#961659 - SQL backend does not reload certificates

[3.15.1-9]
- Rebuild for the pem module to link with freebl from 
nss-softokn-3.14.3-6.el6
- Related: rhbz#993441 - NSS needs to conform to new FIPS standard. 
[rhel-6.5.0]
- Related: rhbz#1010224 - NSS 3.15 breaks SSL in OpenLDAP clients

[3.15.1-8]
- Don't require nss-softokn-fips
- Resolves: rhbz#993441 - NSS needs to conform to new FIPS standard. 
[rhel-6.5.0]

[3.15.1-7]
- Additional syntax fixes in nss-versus-softoken-test.patch
- Resolves: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for FF 24.x)

[3.15.1-6]
- Fix all.sh test for which application was last built by updating 
nss-versus-softoken-test.patch
- Resolves: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for FF 24.x)

[3.15.1-5]
- Disable the cipher suite already run as part of the nss-softokn build
- Resolves: rhbz#993441 - NSS needs to conform to new FIPS standard. 
[rhel-6.5.0]

[3.15.1-4]
- Require nss-softokn-fips
- Resolves: rhbz#993441 - NSS needs to conform to new FIPS standard. 
[rhel-6.5.0]

[3.15.1-3]
- Require nspr-4.10.0
- Related: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for FF 24.x)

[3.15.1-2]
- Fix relative path in %check section to prevent undetected test failures
- Resolves: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for FF 24.x)

[3.15.1-1]
- Rebase to NSS_3.15.1_RTM
- Resolves: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for FF 24.x)
- Update patches on account of the shallow tree with the rebase to 3.15.1
- Update the pem module sources nss-pem-20130405.tar.bz2 with latest 
patches applied
- Remove patches rendered obsolete by the nss rebase and the updated 
nss-pem sources
- Enable the iquote.patch to access newly introduced types

[3.14.3-37]
- Do not hold issuer certificate handles in the crl cache
- Resolves: rhbz#961659 - SQL backend does not reload certificates

[3.14.3-36]
- Resolves: rhbz#977341 - nss-tools certutil -H does not list all options

[3.14.3-35]
- Resolves: rhbz#702083 - don't require unique file basenames

[3.14.3-34]
- Fix race condition in cert code related to smart cards
- Resolves: rhbz#903017 - Firefox hang when CAC/PIV smart card 
certificates are viewed in the certificate manager

[3.14.3-33]
- Configure libnssckbi.so to use the alternatives system
in order to prepare for a drop in replacement.
Please ensure that older packages that don't use the alternatives
system for libnssckbi.so have a smaller n-v-r.

[3.14.3-5]
- Sync up with upstream changes for aes gcm and ecc suiteb
- Enable ecc support for suite b
- Apply several upstream AES GCM fixes
- Use the pristine nss upstream sources with ecc included
- Export NSS_ENABLE_ECC=1 in both the build and the check sections
- Make failed requests for unsupported ssl pkcs 11 bypass non-fatal
- Resolves: rhbz#882408 - NSS_NO_PKCS11_BYPASS must preserve ABI
- Related: rhbz#918950 - rebase nss to 3.14.3

nss-softokn
[3.14.3-12]
- Adjust patch to be compatible with legacy softokn API.
- Resolves: Bug 1145431 - CVE-2014-1568

[3.14.3-11]
- Resolves: Bug 1145431 - CVE-2014-1568

[3.14.3-10]
- Skip calls to CHECK_FORK in {C & NSC}_GetFunctionList
- Resolves: Bug 1082900 - Admin server segfault when configuration DS 
configured on SSL port
- Add workaround to %check section for RHEL-5 based build machines where 
kernel lacks support for hardware GCM

[3.14.3-9]
- back out -fips package changes

[3.14.3-8]
- Enable new packaging but don't apply nss-fips-post.patch
- Related: rhbz#1008513 - Unable to login in fips mode

[3.14.3-7]
- Fix the PR_Access stub to actually access the correct permissions
- Resolves: rhbz#1008513 - Unable to login in fips mode
- Run the lowhash tests
- Require nspr-4.0.0 and nss-util-3.15.1

[3.14.3-6]
- create -fips packages
- patch submitted by Bob Relyea
- fix the script that splits softoken off from nss
- patch nss/cmd/lib/basicutil.c to build against nss-util-3.15.1
- Resolves: rhbz#993441 - NSS needs to conform to new FIPS standard. 
[rhel-6.5.0]

[3.14.3-5]
- Resolves: rhbz#976572 - Pick up various upstream GCM code fixes 
applied since nss-3.14.3 was released
- Display cpuinfo as part of the tests and make NSS_DISABLE_HW_GCM the 
environment variable to test for
- When applying the patches use a backup file suffix that better 
describes the patch purpose

[3.14.3-4]
- Enable ECC support for suite b and add upstream fixes for aes gcm
- Use the unstripped upstream sources with ecc support
- Limit the ECC support to suite b
- Apply several upstream aes gcm fixes
- Rename macros EC_MIN_KEY_BITS and EC_MAX_KEY_BITS per upstream
- Resolves: rhbz#960208 - Enable ECC in nss-softoken
- Related: rhbz#919172

nss-util
[3.16.1-2]
- Resolves: bug 1145431 - CVE-2014-1568

[3.15.6-1]
- Update to nss-3.16.1
- Resolves: rhbz#1112136

[3.15.3-1]
- Update to NSS_3_15_3_RTM
- Resolves: rhbz#1032470 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741

[3.15.1-3]
- Preserve existing permissions when replacing existing pkcs11.txt file, 
but keep strict default permissions for new files
- Resolves: rhbz#990631 - file permissions of pkcs11.txt/secmod.db must 
be kept when modified by NSS


