Alerts This Week
Warning Icon 1 727
Alerts This Week
Warning Icon 1 727

Red Hat Enterprise Linux 8: RHSA-2019-1951-01 Moderate Security Fixes

red hat
Calendar Grey July 30, 2019
Dist Redhat Esm H88
Red Hat Security Advisory concerning moderate updates for nss and nspr, aimed at resolving various security vulnerabilities and improvements.
An update for nss and nspr is now available for Red Hat Enterprise Linux 8

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, applications using NSS or NSPR (for example, Firefox) must be restarted for this update to take effect.

Summary

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.
Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.
The following packages have been upgraded to a later upstream version: nss (3.44.0), nspr (4.21.0). (BZ#1713187, BZ#1713188)
Security Fix(es):
* nss: NULL pointer dereference in several CMS functions resulting in a denial of service (CVE-2018-18508)
* nss: Out-of-bounds read when importing curve25519 private key (CVE-2019-11719)
* nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (CVE-2019-11729)
* nss: PKCS#1 v1.5 signatures can be used for TLS 1.3 (CVE-2019-11727)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* PQG verify fails when create DSA PQG parameters because the counts aren't returned correctly. (BZ#1685325)
* zeroization of AES context missing (BZ#1719629)
* RSA Pairwise consistency test (BZ#1719630)
* FIPS updated for nss-softoken POST (BZ#1722373)
* DH/ECDH key tests missing for the PG parameters (BZ#1722374)
* NSS should implement continuous random test on it's seed data or use the kernel AF_ALG interface for random (BZ#1725059)
* support setting supported signature algorithms in strsclnt utility (BZ#1725110)
* certutil -F with no parameters is killed with segmentation fault message (BZ#1725115)
* NSS: Support for IKE/IPsec typical PKIX usage so libreswan can use nss without rejecting certs based on EKU (BZ#1725116)
* NSS should use getentropy() for seeding its RNG, not /dev/urandom. Needs update to NSS 3.37 (BZ#1725117)
* Disable TLS 1.3 in FIPS mode (BZ#1725773)
* Wrong alert sent when client uses PKCS#1 signatures in TLS 1.3 (BZ#1728259)
* x25519 allowed in FIPS mode (BZ#1728260)
* post handshake authentication with selfserv does not work if SSL_ENABLE_SESSION_TICKETS is set (BZ#1728261)
Enhancement(s):
* Move IKEv1 and IKEv2 KDF's from libreswan to nss-softkn (BZ#1719628)

Topics%20covered

Topics Covered

security advisory moderate security issue bug fix Red Hat Enterprise Linux nspr nss

References

https://access.redhat.com/security/cve/CVE-2018-18508 https://access.redhat.com/security/cve/CVE-2019-11719 https://access.redhat.com/security/cve/CVE-2019-11727 https://access.redhat.com/security/cve/CVE-2019-11729 https://access.redhat.com/security/updates/classification/#moderate

Package List

Red Hat Enterprise Linux AppStream (v. 8):
Source: nspr-4.21.0-2.el8_0.src.rpm nss-3.44.0-7.el8_0.src.rpm
aarch64: nspr-4.21.0-2.el8_0.aarch64.rpm nspr-debuginfo-4.21.0-2.el8_0.aarch64.rpm nspr-debugsource-4.21.0-2.el8_0.aarch64.rpm nspr-devel-4.21.0-2.el8_0.aarch64.rpm nss-3.44.0-7.el8_0.aarch64.rpm nss-debuginfo-3.44.0-7.el8_0.aarch64.rpm nss-debugsource-3.44.0-7.el8_0.aarch64.rpm nss-devel-3.44.0-7.el8_0.aarch64.rpm nss-softokn-3.44.0-7.el8_0.aarch64.rpm nss-softokn-debuginfo-3.44.0-7.el8_0.aarch64.rpm nss-softokn-devel-3.44.0-7.el8_0.aarch64.rpm nss-softokn-freebl-3.44.0-7.el8_0.aarch64.rpm nss-softokn-freebl-debuginfo-3.44.0-7.el8_0.aarch64.rpm nss-softokn-freebl-devel-3.44.0-7.el8_0.aarch64.rpm nss-sysinit-3.44.0-7.el8_0.aarch64.rpm nss-sysinit-debuginfo-3.44.0-7.el8_0.aarch64.rpm nss-tools-3.44.0-7.el8_0.aarch64.rpm nss-tools-debuginfo-3.44.0-7.el8_0.aarch64.rpm nss-util-3.44.0-7.el8_0.aarch64.rpm nss-util-debuginfo-3.44.0-7.el8_0.aarch64.rpm nss-util-devel-3.44.0-7.el8_0.aarch64.rpm
ppc64le: nspr-4.21.0-2.el8_0.ppc64le.rpm nspr-debuginfo-4.21.0-2.el8_0.ppc64le.rpm nspr-debugsource-4.21.0-2.el8_0.ppc64le.rpm nspr-devel-4.21.0-2.el8_0.ppc64le.rpm nss-3.44.0-7.el8_0.ppc64le.rpm nss-debuginfo-3.44.0-7.el8_0.ppc64le.rpm nss-debugsource-3.44.0-7.el8_0.ppc64le.rpm

Read the Full Advisory


Advisory ID: RHSA-2019:1951-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2019:1951
Issue date: 2019-07-30

Topic

An update for nss and nspr is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory moderate security issue bug fix Red Hat Enterprise Linux nspr nss

Relevant Releases Architectures

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

Bugs Fixed

1671310 - CVE-2018-18508 nss: NULL pointer dereference in several CMS functions resulting in a denial of service

1685325 - PQG verify fails when create DSA PQG parameters because the counts aren't returned correctly.

1719629 - zeroization of AES context missing [rhel-8.0.0.z]

1719630 - RSA Pairwise consistency test [rhel-8.0.0.z]

1722373 - FIPS updated for nss-softoken POST [rhel-8.0.0.z]

1722374 - DH/ECDH key tests missing for the PG parameters [rhel-8.0.0.z]

1725059 - NSS should implement continuous random test on it's seed data or use the kernel AF_ALG interface for random [rhel-8.0.0.z]

1725110 - support setting supported signature algorithms in strsclnt utility [rhel-8.0.0.z]

1725115 - certutil -F with no parameters is killed with segmentation fault message [rhel-8.0.0.z]

1725116 - NSS: Support for IKE/IPsec typical PKIX usage so libreswan can use nss without rejecting certs based on EKU [rhel-8.0.0.z]

1728259 - Wrong alert sent when client uses PKCS#1 signatures in TLS 1.3 [rhel-8.0.0.z]

1728260 - x25519 allowed in FIPS mode [rhel-8.0.0.z]

1728261 - post handshake authentication with selfserv does not work if SSL_ENABLE_SESSION_TICKETS is set [rhel-8.0.0.z]

1728436 - CVE-2019-11719 nss: Out-of-bounds read when importing curve25519 private key

1728437 - CVE-2019-11729 nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault

1730988 - CVE-2019-11727 nss: PKCS#1 v1.5 signatures can be used for TLS 1.3

Read the Full Advisory

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here