Security update for apache2-mod_nss
| Announcement ID: | SUSE-SU-2016:2329-1 |
|---|---|
| Rating: | moderate |
| References: | |
| Cross-References: | |
| CVSS scores: |
|
| Affected Products: |
|
An update that solves two vulnerabilities can now be installed.
Description:
This update provides apache2-mod_nss 1.0.14, which brings several fixes and enhancements:
- SHA256 cipher names change spelling from _sha256 to _sha_256.
- Drop mod_nss_migrate.pl and use upstream migrate script instead.
- Check for Apache user owner/group read permissions of NSS database at startup.
- Update default ciphers to something more modern and secure.
- Check for host and netstat commands in gencert before trying to use them.
- Don't ignore NSSProtocol when NSSFIPS is enabled.
- Use proper shell syntax to avoid creating /0 in gencert.
- Add server support for DHE ciphers.
- Extract SAN from server/client certificates into env.
- Fix memory leaks and other coding issues caught by clang analyzer.
- Add support for Server Name Indication (SNI)
- Add support for SNI for reverse proxy connections.
- Add RenegBufferSize? option.
- Add support for TLS Session Tickets (RFC 5077).
- Implement a slew more OpenSSL cipher macros.
- Fix a number of illegal memory accesses and memory leaks.
- Support for SHA384 ciphers if they are available in the version of NSS mod_nss is built against.
- Add the SECURE_RENEG environment variable.
- Add some hints when NSS database cannot be initialized.
- Code cleanup including trailing whitespace and compiler warnings.
- Modernize autotools configuration slightly, add config.h.
- Add small test suite for SNI.
- Add compatibility for mod_ssl-style cipher definitions.
- Add Camelia ciphers.
- Remove Fortezza ciphers.
- Add TLSv1.2-specific ciphers.
- Initialize cipher list when re-negotiating handshake.
- Completely remove support for SSLv2.
- Add support for sqlite NSS databases.
- Compare subject CN and VS hostname during server start up.
- Add support for enabling TLS v1.2.
- Don't enable SSL 3 by default. (CVE-2014-3566)
- Improve protocol testing.
- Add nss_pcache man page.
- Fix argument handling in nss_pcache.
- Support httpd 2.4+.
- Allow users to configure a helper to ask for certificate passphrases via NSSPassPhraseDialog. (bsc#975394)
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
SUSE Linux Enterprise Point of Service 11 SP3
zypper in -t patch sleposp3-apache2-mod_nss-12751=1 -
SUSE Linux Enterprise Server 11 SP2 LTSS 11-SP2
zypper in -t patch slessp2-apache2-mod_nss-12751=1 -
SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3
zypper in -t patch slessp3-apache2-mod_nss-12751=1 -
SUSE Linux Enterprise Server 11 SP4
zypper in -t patch slessp4-apache2-mod_nss-12751=1 -
SLES for SAP Applications 11-SP4
zypper in -t patch slessp4-apache2-mod_nss-12751=1 -
SUSE Cloud 5
zypper in -t patch sleclo50sp3-apache2-mod_nss-12751=1 -
SUSE Manager Server 2.1
zypper in -t patch sleman21-apache2-mod_nss-12751=1 -
SUSE Manager Proxy 2.1
zypper in -t patch slemap21-apache2-mod_nss-12751=1
Package List:
-
SUSE Linux Enterprise Point of Service 11 SP3 (i586)
- apache2-mod_nss-1.0.14-0.4.25.1
-
SUSE Linux Enterprise Server 11 SP2 LTSS 11-SP2 (s390x x86_64 i586)
- apache2-mod_nss-1.0.14-0.4.25.1
-
SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (s390x x86_64 i586)
- apache2-mod_nss-1.0.14-0.4.25.1
-
SUSE Linux Enterprise Server 11 SP4 (s390x x86_64 i586 ppc64 ia64)
- apache2-mod_nss-1.0.14-0.4.25.1
-
SLES for SAP Applications 11-SP4 (ppc64 x86_64)
- apache2-mod_nss-1.0.14-0.4.25.1
-
SUSE Cloud 5 (x86_64)
- apache2-mod_nss-1.0.14-0.4.25.1
-
SUSE Manager Server 2.1 (s390x x86_64)
- apache2-mod_nss-1.0.14-0.4.25.1
-
SUSE Manager Proxy 2.1 (x86_64)
- apache2-mod_nss-1.0.14-0.4.25.1