4.198. nspr, nss, nss-softokn, and nss-util

Updated nspr and nss related packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. These facilities include threads, thread synchronization, normal file and network I/O, interval timing, calendar time, basic memory management (the malloc() and free() functions), and shared library linking.
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv2, SSLv3, TLS, and other security standards.
The nss component has been upgraded to upstream version 3.12.10, which provides a number of bug fixes and enhancements. (BZ#712958)
The nss-util package has been upgraded to upstream version 3.12.10, which provides a number of bug fixes and enhancements.(BZ#712960)
The nspr component has been upgraded to upstream version 4.8.8, which provides a number of bug fixes and enhancements. (BZ#712963)

Bug Fixes

The CMS message decoder lost the pointer to enveloped data when decoding a message encoded with CMS (Cryptographic Message Syntax) that contained enveloped data. Consequently, the decoder got into an infinite loop and decoding terminated due to a stack overflow. With this update, the underlying code has been modified and the problem no longer occurs.
The CMS routines failed to verify signed data when the SignerInfo object was using a subjectKeyID extension to indicate the signer and returned the following output:
signer 0 status = SigningCertNotFound cmsutil: problem decoding: Unrecognized Object Identifier.
With this update, the subjectKeyID entries have been added to a temporary in-memory map of subjectKeyID values of certificates and the verification of such data now succeeds.
When running debug builds, the pem module occasionally terminated with a segmentation fault when attempting to write to its log file due to insufficient permissions. This happened when the module was initially used by an application with superuser privileges, which created the log file, and subsequently by an application with non-superuser privileges as the application could not access the logging file due to lower privileges.
When using the generateCRMFRequest tool to produce an RSA key larger than 2048, the process failed. This occurred because the crmf library used by generateCRMFRequest had the value for the maximum size for wrapped private keys (the MAX_WRAPPED_KEY_LEN property) hardcoded to 2048 bytes. The size is now adjusted based on the provided key attributes and the problem no longer occurs.
On a 64-bit CPU with native AES instruction support, the intel_aes_decrypt_cbc_256() function did not work correctly when input and output buffers were the same and the function call failed with the message "data mismatch". This update fixes the code and the same buffer can be used for input and output.
The health tests for deterministic random bit generator (DRBG) have been updated to better meet FIPS requirements.
On NSS initialization, the module loader incorrectly initialized the PKCS#11 module even if the module was not adding any persistent certificate or module databases. Consequently, an attempt to synchronize usernames and passwords on an IPA server with data on an Active Directory server failed with the error "{'desc': "Can't contact LDAP server"}". The NSS module loader now checks the relevant flags and the problem no longer occurs.


NSS supports pluggable ECC (Error-Correcting Code) memory.
BZ#724001, BZ#724002, BZ#724003, BZ#724004
The nss-softokn, nss-util, nss, and nspr libraries have been built with partial RELRO support (-Wl,-z,relro).
Users are advised to upgrade to these updated nspr and nss related packages, which fix the bugs and add the enhancements.