1.98.1. RHBA-2011:0411: mod_nss bug fix update
An updated mod_nss package that fixes NSS database permissions when upgrading is now available for Red Hat Enterprise Linux 5.
The mod_nss module provides strong cryptography for the Apache HTTP Server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, using the Network Security Services (NSS) security library.
This update addresses the following bug:
* The NSS database initializing sequence changed in mod_nss 1.0.8. As of this version, the database is initialized in each Apache child rather than in the main process. This change adheres to the PKCS #11 specification which does not allow forking after a token is initialized. As a result the NSS database needs to be readable by the user that Apache runs as. When mod_nss 1.0.8 is newly installed, it generates a new database and ensures file ownership is correct (ie is root:apache, mode 0640).
Previously, however, a bug in the %postinstall script meant the necessary read permissions were not added correctly when upgrading from mod_nss 1.0.3 to 1.0.8. As a consequence, after upgrading from mod_nss 1.0.3 to mod_nss 1.0.8, the Apache server failed to start. This update corrects the error in the %postinstall script and upgrading from mod_install 1.0.3 to 1.0.8 now adds the necessary read permissions (and Apache starts as expected after upgrading).
Note: as described above, this bug only presented when upgrading from mod_install 1.0.3 to 1.0.8. New installs of 1.0.8 were not affected by this bug. (BZ#679748
All mod_nss users are advised to upgrade to this updated package, which resolves this issue.