RHBA-2011:0735 - Bug Fix Advisory

Topic

An updated mod_nss package that fixes various bugs is now available for Red Hat
Enterprise Linux 6.

Description

The mod_nss module provides strong cryptography for the Apache HTTP Server via
the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols,
using the Network Security Services (NSS) security library.

This update fixes the following bugs:

• During the Apache HTTP Server startup, a race condition could prevent one or

more child processes from receiving the token PIN, rendering such processes
unable to use SSL. With this update, the race condition no longer occurs, and
all child processes of the Apache HTTP Server can enable SSL as expected.
(BZ#677700)

• Due to an incorrect use of the memcpy() function in the mod_nss module,

running the Apache HTTP Server with this module enabled could cause some
requests to fail with the following message written to the error_log file:

request failed: error reading the headers

This update applies a patch to ensure that the memcpy() function is now used in
accordance with the current specification, and using the mod_nss module no
longer causes HTTP requests to fail. (BZ#682326)

• Under certain circumstances, a large "POST" request could cause the mod_nss

module to enter an infinite loop. With this update, the underlying source code
has been adapted to address this issue, and mod_nss now works as expected.
(BZ#634687)

• The mod_nss module is shipped with the gencert utility that generates the

default NSS database. Prior to this update, this utility was installed without
any documentation on its usage. This error has been fixed, and a manual page for
gencert is now included as expected. (BZ#605376)

All users of mod_nss are advised to upgrade to this updated package, which fixes
these bugs.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) 6 s390x

Fixes

• BZ - 605376 - mod_nss lacks a man page for gencert
• BZ - 634687 - Large POST may cause loop in mod_nss
• BZ - 677700 - Lack of interlock between nss processes to pcache causes httpd failure
• BZ - 682326 - https://server.testrelm/ipa/xml: Bad Request intermittent errors

CVEs

(none)

References

(none)