Issued:
2011-12-06
Updated:
2011-12-06

RHBA-2011:1656 - Bug Fix Advisory

Synopsis

mod_nss bug fix update

Type/Severity

Bug Fix Advisory

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An updated mod_nss package that fixes several bugs is now available for Red Hat
Enterprise Linux 6.

Description

The mod_nss module provides strong cryptography for the Apache HTTP Server via
the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols,
using the Network Security Services (NSS) security library.

This update fixes the following bugs:

  • When the NSS library was not initialized and mod_nss tried to clear its SSL

cache on start-up, mod_nss terminated unexpectedly when the NSS library was
built with debugging enabled. With this update, mod_nss does not try to clear
the SSL cache in the described scenario, thus preventing this bug. (BZ#691502)

  • Previously, a static array containing the arguments for launching the

nss_pcache command was overflowing the size by one. This could lead to a variety
of issues including unexpected termination. This bug has been fixed, and mod_nss
now uses properly sized static array when launching nss_pcache. (BZ#714154)

  • Prior to this update, client certificates were only retrieved during the

initial SSL handshake if the NSSVerifyClient option was set to "require" or
"optional". Also, the FakeBasicAuth option only retrieved Common Name rather
than the entire certificate subject. Consequently, it was possible to spoof an
identity using that option. This bug has been fixed, the FakeBasicAuth option is
now prefixed with "/" and is thus compatible with OpenSSL, and certificates are
now retrieved on all subsequent requests beyond the first one. (BZ#702437)

Users of mod_nss are advised to upgrade to this updated package, which fixes
these bugs.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

  • Red Hat Enterprise Linux Server 6 x86_64
  • Red Hat Enterprise Linux Server 6 i386
  • Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
  • Red Hat Enterprise Linux Workstation 6 x86_64
  • Red Hat Enterprise Linux Workstation 6 i386
  • Red Hat Enterprise Linux Desktop 6 x86_64
  • Red Hat Enterprise Linux Desktop 6 i386
  • Red Hat Enterprise Linux for IBM z Systems 6 s390x
  • Red Hat Enterprise Linux for Power, big endian 6 ppc64
  • Red Hat Enterprise Linux for Scientific Computing 6 x86_64
  • Red Hat Enterprise Linux Server from RHUI 6 x86_64
  • Red Hat Enterprise Linux Server from RHUI 6 i386
  • Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
  • Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x

Fixes

  • BZ - 702437 - may be possible to spoof mod_nss FakeBasicAuth
  • BZ - 714154 - overrunning array when executing nss_pcache

References

(none)

Red Hat Enterprise Linux Server 6

SRPM
mod_nss-1.0.8-13.el6.src.rpm SHA-256: dc3658f6ea40a6cd109f82d97fa5a6a5db80eaf017e145bc1b117f7d0407b1ae
x86_64
mod_nss-1.0.8-13.el6.x86_64.rpm SHA-256: 01c0947adbdb85818956f66cc1d7f132a5b6adcfdfc7f7dada46263be1c97ed3
mod_nss-debuginfo-1.0.8-13.el6.x86_64.rpm SHA-256: 19d020e82af0f803a56d3939e586c53351adf8cfe2bd5783ee5aedfde9719cf1
i386
mod_nss-1.0.8-13.el6.i686.rpm SHA-256: bf03c6b40feffcc178256d1bf976595763c29f0dc9f657440789f53e1f25e15a
mod_nss-debuginfo-1.0.8-13.el6.i686.rpm SHA-256: 0899ed0624da5b1a52cff5cce76c7a07b62a3dd20d8ae7cb5b90cdffa70858dc

Red Hat Enterprise Linux Server from RHUI 6

SRPM
mod_nss-1.0.8-13.el6.src.rpm SHA-256: dc3658f6ea40a6cd109f82d97fa5a6a5db80eaf017e145bc1b117f7d0407b1ae
x86_64
mod_nss-1.0.8-13.el6.x86_64.rpm SHA-256: 01c0947adbdb85818956f66cc1d7f132a5b6adcfdfc7f7dada46263be1c97ed3
mod_nss-debuginfo-1.0.8-13.el6.x86_64.rpm SHA-256: 19d020e82af0f803a56d3939e586c53351adf8cfe2bd5783ee5aedfde9719cf1
i386
mod_nss-1.0.8-13.el6.i686.rpm SHA-256: bf03c6b40feffcc178256d1bf976595763c29f0dc9f657440789f53e1f25e15a
mod_nss-debuginfo-1.0.8-13.el6.i686.rpm SHA-256: 0899ed0624da5b1a52cff5cce76c7a07b62a3dd20d8ae7cb5b90cdffa70858dc

Red Hat Enterprise Linux Server - Extended Life Cycle Support 6

SRPM
mod_nss-1.0.8-13.el6.src.rpm SHA-256: dc3658f6ea40a6cd109f82d97fa5a6a5db80eaf017e145bc1b117f7d0407b1ae
x86_64
mod_nss-1.0.8-13.el6.x86_64.rpm SHA-256: 01c0947adbdb85818956f66cc1d7f132a5b6adcfdfc7f7dada46263be1c97ed3
mod_nss-debuginfo-1.0.8-13.el6.x86_64.rpm SHA-256: 19d020e82af0f803a56d3939e586c53351adf8cfe2bd5783ee5aedfde9719cf1
i386
mod_nss-1.0.8-13.el6.i686.rpm SHA-256: bf03c6b40feffcc178256d1bf976595763c29f0dc9f657440789f53e1f25e15a
mod_nss-debuginfo-1.0.8-13.el6.i686.rpm SHA-256: 0899ed0624da5b1a52cff5cce76c7a07b62a3dd20d8ae7cb5b90cdffa70858dc

Red Hat Enterprise Linux Workstation 6

SRPM
mod_nss-1.0.8-13.el6.src.rpm SHA-256: dc3658f6ea40a6cd109f82d97fa5a6a5db80eaf017e145bc1b117f7d0407b1ae
x86_64
mod_nss-1.0.8-13.el6.x86_64.rpm SHA-256: 01c0947adbdb85818956f66cc1d7f132a5b6adcfdfc7f7dada46263be1c97ed3
mod_nss-debuginfo-1.0.8-13.el6.x86_64.rpm SHA-256: 19d020e82af0f803a56d3939e586c53351adf8cfe2bd5783ee5aedfde9719cf1
i386
mod_nss-1.0.8-13.el6.i686.rpm SHA-256: bf03c6b40feffcc178256d1bf976595763c29f0dc9f657440789f53e1f25e15a
mod_nss-debuginfo-1.0.8-13.el6.i686.rpm SHA-256: 0899ed0624da5b1a52cff5cce76c7a07b62a3dd20d8ae7cb5b90cdffa70858dc

Red Hat Enterprise Linux Desktop 6

SRPM
mod_nss-1.0.8-13.el6.src.rpm SHA-256: dc3658f6ea40a6cd109f82d97fa5a6a5db80eaf017e145bc1b117f7d0407b1ae
x86_64
mod_nss-1.0.8-13.el6.x86_64.rpm SHA-256: 01c0947adbdb85818956f66cc1d7f132a5b6adcfdfc7f7dada46263be1c97ed3
mod_nss-debuginfo-1.0.8-13.el6.x86_64.rpm SHA-256: 19d020e82af0f803a56d3939e586c53351adf8cfe2bd5783ee5aedfde9719cf1
i386
mod_nss-1.0.8-13.el6.i686.rpm SHA-256: bf03c6b40feffcc178256d1bf976595763c29f0dc9f657440789f53e1f25e15a
mod_nss-debuginfo-1.0.8-13.el6.i686.rpm SHA-256: 0899ed0624da5b1a52cff5cce76c7a07b62a3dd20d8ae7cb5b90cdffa70858dc

Red Hat Enterprise Linux for IBM z Systems 6

SRPM
mod_nss-1.0.8-13.el6.src.rpm SHA-256: dc3658f6ea40a6cd109f82d97fa5a6a5db80eaf017e145bc1b117f7d0407b1ae
s390x
mod_nss-1.0.8-13.el6.s390x.rpm SHA-256: 588a1404e9050c63af5fda060c2767ff0a77f26ddb5022ffab4dbc2d1cc61c79
mod_nss-debuginfo-1.0.8-13.el6.s390x.rpm SHA-256: 6014f949f2bae00b4977b26178be8ce9ea5939bdfa2627f4679ce6d7fbbc5ede

Red Hat Enterprise Linux for Power, big endian 6

SRPM
mod_nss-1.0.8-13.el6.src.rpm SHA-256: dc3658f6ea40a6cd109f82d97fa5a6a5db80eaf017e145bc1b117f7d0407b1ae
ppc64
mod_nss-1.0.8-13.el6.ppc64.rpm SHA-256: beaacac86f2f21b345759e634fb881402fc03f563708ea3edc7cc90b01bc13f7
mod_nss-debuginfo-1.0.8-13.el6.ppc64.rpm SHA-256: 79fbec105a654b65bab0503aaa4052626907504a28c732425b3365b21f602299

Red Hat Enterprise Linux for Scientific Computing 6

SRPM
mod_nss-1.0.8-13.el6.src.rpm SHA-256: dc3658f6ea40a6cd109f82d97fa5a6a5db80eaf017e145bc1b117f7d0407b1ae
x86_64
mod_nss-1.0.8-13.el6.x86_64.rpm SHA-256: 01c0947adbdb85818956f66cc1d7f132a5b6adcfdfc7f7dada46263be1c97ed3
mod_nss-debuginfo-1.0.8-13.el6.x86_64.rpm SHA-256: 19d020e82af0f803a56d3939e586c53351adf8cfe2bd5783ee5aedfde9719cf1

Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6

SRPM
mod_nss-1.0.8-13.el6.src.rpm SHA-256: dc3658f6ea40a6cd109f82d97fa5a6a5db80eaf017e145bc1b117f7d0407b1ae
s390x
mod_nss-1.0.8-13.el6.s390x.rpm SHA-256: 588a1404e9050c63af5fda060c2767ff0a77f26ddb5022ffab4dbc2d1cc61c79
mod_nss-debuginfo-1.0.8-13.el6.s390x.rpm SHA-256: 6014f949f2bae00b4977b26178be8ce9ea5939bdfa2627f4679ce6d7fbbc5ede

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.