
4.113. nss

Updated nss and nspr packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security enabled client and server applications.
Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

Note

The nss-util package has been upgraded to upstream version 3.13, which provides a number of enhancements over the previous version. (BZ#788670)
The nss packages have been upgraded to upstream version 3.13, which provides a number of bug fixes and enhancements over the previous version. (BZ#788673, BZ#788964, BZ#788672)
The nspr package has been upgraded to upstream version 4.8.9, which provides a number of enhancements over the previous version. (BZ#788674)

Bug Fixes

BZ#789043
A robustness flaw caused crashes in the administration server for Red Hat Directory Server because the mod_nss module made nss calls before initializing nss as required by the documented API. With this update, nss protects itself against being called before it has been properly initialized by the caller.
BZ#786436
Previously, due to a bug in the FreeBL library, Openswan could generate a Key Exchange payload that was one byte shorter than what was required by the Diffie-Hellman (DH) protocol. As a consequence, Openswan dropped connections when such payloads occurred. With this update, the size of the payload is set to zero by default, and the Softoken module is queried for the size. Connections are no longer dropped by Openswan in the described scenario.
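The encoding mistake behind BZ#786436, as an added illustration that is not code from the errata, Openswan or FreeBL: a DH public value must be serialised at the fixed width of the group modulus, and taking the width from the value instead drops a leading zero byte roughly one time in 256. The modulus and public values below are constructed for the example.

```python
# Added example (not Red Hat, Openswan or NSS code): fixed-width versus
# minimal encoding of a Diffie-Hellman public value in a Key Exchange payload.

# Constructed toy modulus (2**127 - 1, 16 bytes). Real groups are far larger;
# this one only keeps the byte arithmetic easy to follow.
P = 2**127 - 1

def modulus_len(p: int) -> int:
    """Byte length of the modulus: the required Key Exchange payload size."""
    return (p.bit_length() + 7) // 8

def encode_ke_minimal(y: int) -> bytes:
    """Bug pattern: width derived from the value, so a public value whose
    top byte happens to be zero comes out one byte short."""
    return y.to_bytes(max(1, (y.bit_length() + 7) // 8), "big")

def encode_ke_padded(y: int, p: int) -> bytes:
    """Fix: width derived from the modulus, leading zero bytes preserved."""
    return y.to_bytes(modulus_len(p), "big")

def check_ke_payload(payload: bytes, p: int) -> bool:
    """Receiver-side length check: a payload of the wrong width is rejected,
    which is what surfaced as dropped connections."""
    return len(payload) == modulus_len(p)

def decode_ke_payload(payload: bytes, p: int) -> int:
    """Parse a payload that passed the width check back into an integer."""
    if not check_ke_payload(payload, p):
        raise ValueError("Key Exchange payload is %d bytes, expected %d"
                         % (len(payload), modulus_len(p)))
    return int.from_bytes(payload, "big")

# Constructed public values: Y_OK has a non-zero top byte, Y_SHORT does not.
Y_OK = 2**126 + 7          # 127 bits -> fills all 16 bytes either way
Y_SHORT = 2**119 + 12345   # 120 bits -> minimal encoding is only 15 bytes

if __name__ == "__main__":
    for y in (Y_OK, Y_SHORT):
        for name, enc in (("minimal", encode_ke_minimal(y)),
                          ("padded", encode_ke_padded(y, P))):
            print(name, len(enc), "bytes, accepted:", check_ke_payload(enc, P))
```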
All users of nss and nspr are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

Updated nss packages that fix a bug are now available for Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6.
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security enabled client and server applications.

Bug Fix

BZ#798461, BZ#798462
Crashes were reported in the messaging daemon (qpidd) included in Red Hat Enterprise MRG after a recent update to nss. This occurred as qpidd made nss calls before initializing nss. These updated packages prevent qpidd, and other affected processes that call nss without initializing as mandated by the API, from crashing.
All users of nss are advised to upgrade to these updated packages, which fix these bugs.

Updated nss and nspr packages that fix two bugs and add one enhancement are now available for Red Hat Enterprise Linux 5.
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

Bug Fixes

BZ#633519
Due to errors in the Netscape Portable Runtime (NSPR) code responsible for thread synchronization, memory corruption sometimes occurred. Consequently, the web server daemon (httpd) sometimes terminated unexpectedly with a segmentation fault after making more than 1023 calls to the NSPR library. With this update, an improvement to the way NSPR frees previously allocated memory has been made and httpd no longer crashes in the scenario described.
BZ#797939
Some Network Security Services (NSS) clients call NSS without initializing first as mandated by the API and NSS did not protect itself against such improper usage. Consequently, this caused unexpected terminations on shutdown as some variables had not been properly initialized. Such crashes were reported in the messaging daemon (qpidd), included in Red Hat Enterprise MRG, after a recent update to the nss package. This occurred as qpidd made NSS calls before initializing NSS. With this update, NSS now protects itself against potential improper use by client code. As a result, NSS prevents qpidd, and other processes that may call NSS without initializing as mandated by the API, from crashing.

Enhancement

BZ#820684
The certutil tool was enhanced to support creation of Elliptic Curve (EC) key pairs on Hardware Security Modules.
All nss and nspr users should upgrade to these updated packages, which fix these bugs and add this enhancement. After installing the update, applications using NSS and NSPR must be restarted for the changes to take effect.

Updated nss and nspr packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

Security Fix

CVE-2012-0441
A flaw was found in the way the ASN.1 (Abstract Syntax Notation One) decoder in NSS handled zero length items. This flaw could cause the decoder to incorrectly skip or replace certain items with a default value, or could cause an application to crash if, for example, it received a specially-crafted OCSP (Online Certificate Status Protocol) response.
It was found that a Certificate Authority (CA) issued a subordinate CA certificate to its customer that could be used to issue certificates for any name. This update renders the subordinate CA certificate as untrusted. (BZ#798533)
Note: The BZ#798533 fix only applies to applications using the NSS Builtin Object Token. It does not render the certificates untrusted for applications that use the NSS library, but do not use the NSS Builtin Object Token.

Note

The nspr package has been upgraded to upstream version 4.9.1, and the nss package has been upgraded to upstream version 3.13.5. These updates provide a number of bug fixes and enhancements over the previous versions. (BZ#834220, BZ#834219)
All NSS and NSPR users should upgrade to these updated packages, which correct these issues and add these enhancements. After installing the update, applications using NSS and NSPR must be restarted for the changes to take effect.