8.126. nss and nspr

Updated nss and nspr packages that fix a number of bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

Note

The nss family of packages, consisting of nss, nss-softokn, and nss-util, has been upgraded to the higher upstream versions, which provide a number of bug fixes and enhancements over the previous versions:
  • The nss package has been upgraded to the upstream version 3.15.1. (BZ#918950, BZ#1002645)
  • The nss-softokn package has been upgraded to the upstream version 3.14.3 (BZ#919172)
  • The nss-util package has been upgraded to the upstream version 3.15.1 (BZ#919174, BZ#1002644)
The nspr package has been upgraded to upstream version 4.10, which provides a number of bug fixes and enhancements over the previous version. (BZ#919180, BZ#1002643)

Bug Fixes

BZ#702083
The PEM module imposed restrictions on client applications to use unique base file names upon which certificates were derived. Consequently, client applications certifications and keys with the same base name but different file paths failed to load because they were incorrectly deemed to be duplicates. The comparison algorithm has been modified and the PEM module now correctly determines uniqueness regardless of how users name their files.
BZ#882408
Due to differences in the upstream version of the nss package, an attempt to enable the unsupported SSL PKCS#11 bypass feature failed with a fatal error message. This behavior could break the semantics of certain calls, thus breaking the Application Binary Interface (ABI) compatibility. With this update, the nss package has been modified to preserve the upstream behavior. As a result, an attempt to enable SSL PKCS#11 bypass no longer fails.
BZ#903017
Previously, there was a race condition in the certification code related to smart cards. Consequently, when Common Access Card (CAC) or Personal Identity Verification (PIV) smart cards certificates were viewed in the Firefox certificate manager, the Firefox web browser became unresponsive. The underlying source code has been modified to fix the race condition and Firefox no longer hangs in the described scenario.
BZ#905013
Due to errors in the Netscape Portable Runtime (NSPR) code responsible for thread synchronization, memory corruption sometimes occurred. Consequently, the web server daemon (httpd) sometimes terminated unexpectedly with a segmentation fault after making more than 1023 calls to the NSPR library. With this update, an improvement to the way NSPR frees previously allocated memory has been made and httpd no longer crashes in the described scenario.
BZ#918136
With the 3.14 upstream version of the nss package, support for certificate signatures using the MD5 hash algorithm in digital signatures has been disabled by default. However, certain websites still use MD5-based signatures and therefore an attempt to access such a website failed with an error. With this update, MD5 hash algorithm in digital signatures is supported again so that users can connect to the websites using this algorithm as expected.
BZ#976572
With this update, fixes to the implementation of Galois/Counter Mode (GCM) have been backported to the nss package since the upstream version 3.14.1. As a result, users can use GCM without any problems already documented and fixed in the upstream version.
BZ#977341
Previously, the output of the certutil -H command, which is a list of options and arguments used by the certutil utility, did not describe the -F option. This information has been added and the option is now properly described in the output of certutil -H.
BZ#988083
Previously, the pkcs11n.h header was missing certain constants to support the Transport Layer Security (TLS) 1.2 protocol. The constants have been added to the nss-util package and NSS now supports TLS 1.2 as expected.
BZ#990631
Previously, Network Security Service (NSS) reverted the permission rights for the pkcs11.txt file so that only the owner of the file could read it and write to it. This behavior overwrote other permissions specified by the user. Consequently, users were prevented from adding security modules to their own configuration using the system-wide security databases. This update provides a patch to fix this bug. As a result, NSS preserves the existing permissions for pkcs11.txt and users are now able to modify the NSS security module database.
BZ#1008534
Due to a bug in Network Security Services (NSS), the installation of the IPA (Identity, Policy, Audit) server terminated unexpectedly and an error was returned. This bug has been fixed with this update and installation of the IPA server now proceeds as expected.
BZ#1010224
The NSS softoken cryptographic module did not ensure whether the freebl library had been properly initialized before running its self test. Consequently, certain clients, such as the Lightweight Directory Access Protocol (LDAP) client, could initialize and finalize NSS. In such a case, freebl was cleaned up and unloaded. When the library was loaded again, an attempt to run the test terminated unexpectedly causing client failures such as Transport Layer Security (TLS) connection errors. This bug has been fixed and softoken now correctly initializes freebl before running self tests. As a result, the failures no longer occur in the described scenario.

Enhancements

BZ#960193, BZ#960208
Network Security Services's (NSS) own internal cryptographic module in Red Hat Enterprise Linux 6.5 now supports the NIST Suite B set of recommended algorithms for Elliptic curve cryptography (ECC).
Users of nss and nsrp are advised to upgrade to these updated packages, which fix these bugs and add these enhancements. After installing this update, applications using NSS or NSPR must be restarted for this update to take effect.