SUSE: 2022:1709-1 suse/389-ds Security Update | LinuxSecurity.com

Advisories

SUSE Container Update Advisory: suse/389-ds
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:1709-1
Container Tags        : suse/389-ds:2.0 , suse/389-ds:2.0-14.31 , suse/389-ds:latest
Container Release     : 14.31
Severity              : important
Type                  : security
References            : 1192079 1192080 1192086 1192087 1192228 1198486 1200027 CVE-2022-31741
-----------------------------------------------------------------

The container suse/389-ds was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2595-1
Released:    Fri Jul 29 16:00:42 2022
Summary:     Security update for mozilla-nss
Type:        security
Severity:    important
References:  1192079,1192080,1192086,1192087,1192228,1198486,1200027,CVE-2022-31741
This update for mozilla-nss fixes the following issues:

Various FIPS 140-3 related fixes were backported from SUSE Linux Enterprise 15 SP4:

- Makes the PBKDF known answer test compliant with NIST SP800-132. (bsc#1192079). 
- FIPS: Add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck()
  (bsc#1198980).
- FIPS: mark algorithms as approved/non-approved according to security policy
  (bsc#1191546, bsc#1201298).
- FIPS: remove hard disabling of unapproved algorithms. This requirement is now
  fulfilled by the service level indicator (bsc#1200325).
- Run test suite at build time, and make it pass (bsc#1198486).
- FIPS: skip algorithms that are hard disabled in FIPS mode.
- Prevent expired PayPalEE cert from failing the tests.
- Allow checksumming to be disabled, but only if we entered FIPS mode
  due to NSS_FIPS being set, not if it came from /proc.
- FIPS: Make the PBKDF known answer test compliant with NIST SP800-132.
- Update FIPS validation string to version-release format.
- FIPS: remove XCBC MAC from list of FIPS approved algorithms.
- Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID
  for build.
- FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080).
- FIPS: allow testing of unapproved algorithms (bsc#1192228).
- FIPS: add version indicators. (bmo#1729550, bsc#1192086).
- FIPS: fix some secret clearing (bmo#1697303, bsc#1192087).

Version update to NSS 3.79:

- Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
- Update mercurial in clang-format docker image.
- Use of uninitialized pointer in lg_init after alloc fail.
- selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
- Add SECMOD_LockedModuleHasRemovableSlots.
- Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
- Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
- TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
- Correct invalid record inner and outer content type alerts.
- NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
- improve error handling after nssCKFWInstance_CreateObjectHandle.
- Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
- NSS 3.79 should depend on NSPR 4.34   

Version update to NSS 3.78.1:

- Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple

Version update to NSS 3.78:

- Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.
- Reworked overlong record size checks and added TLS1.3 specific boundaries.
- Add ECH Grease Support to tstclnt
- Add a strict variant of moz::pkix::CheckCertHostname.
- Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
- Make SEC_PKCS12EnableCipher succeed
- Update zlib in NSS to 1.2.12.

Version update to NSS 3.77:

- Fix link to TLS page on wireshark wiki
- Add two D-TRUST 2020 root certificates.
- Add Telia Root CA v2 root certificate.
- Remove expired explicitly distrusted certificates from certdata.txt.
- support specific RSA-PSS parameters in mozilla::pkix
- Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
- Remove token member from NSSSlot struct.
- Provide secure variants of mpp_pprime and mpp_make_prime.
- Support UTF-8 library path in the module spec string.
- Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
- Update googletest to 1.11.0
- Add SetTls13GreaseEchSize to experimental API.
- TLS 1.3 Illegal legacy_version handling/alerts.
- Fix calculation of ECH HRR Transcript.
- Allow ld path to be set as environment variable.
- Ensure we don't read uninitialized memory in ssl gtests.
- Fix DataBuffer Move Assignment.
- internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3
- rework signature verification in mozilla::pkix

Version update to NSS 3.76.1

- Remove token member from NSSSlot struct.
- Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots.
- Check return value of PK11Slot_GetNSSToken.
- Use Wycheproof JSON for RSASSA-PSS
- Add SHA256 fingerprint comments to old certdata.txt entries.
- Avoid truncating files in nss-release-helper.py.
- Throw illegal_parameter alert for illegal extensions in handshake message.

Version update to NSS 3.75

- Make DottedOIDToCode.py compatible with python3.
- Avoid undefined shift in SSL_CERT_IS while fuzzing.
- Remove redundant key type check.
- Update ABI expectations to match ECH changes.
- Enable CKM_CHACHA20.
- check return on NSS_NoDB_Init and NSS_Shutdown.
- Run ECDSA test vectors from bltest as part of the CI tests.
- Add ECDSA test vectors to the bltest command line tool.
- Allow to build using clang's integrated assembler.
- Allow to override python for the build.
- test HKDF output rather than input.
- Use ASSERT macros to end failed tests early.
- move assignment operator for DataBuffer.
- Add test cases for ECH compression and unexpected extensions in SH.
- Update tests for ECH-13.
- Tidy up error handling.
- Add tests for ECH HRR Changes.
- Server only sends GREASE HRR extension if enabled by preference.
- Update generation of the Associated Data for ECH-13.
- When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello.
- Allow for compressed, non-contiguous, extensions.
- Scramble the PSK extension in CHOuter.
- Split custom extension handling for ECH.
- Add ECH-13 HRR Handling.
- Client side ECH padding.
- Stricter ClientHelloInner Decompression.
- Remove ECH_inner extension, use new enum format.
- Update the version number for ECH-13 and adjust the ECHConfig size.

Version update to NSS 3.74

- mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses
- Ensure clients offer consistent ciphersuites after HRR
- NSS does not properly restrict server keys based on policy
- Set nssckbi version number to 2.54
- Replace Google Trust Services LLC (GTS) R4 root certificate
- Replace Google Trust Services LLC (GTS) R3 root certificate
- Replace Google Trust Services LLC (GTS) R2 root certificate
- Replace Google Trust Services LLC (GTS) R1 root certificate
- Replace GlobalSign ECC Root CA R4
- Remove Expired Root Certificates - DST Root CA X3
- Remove Expiring Cybertrust Global Root and GlobalSign root certificates
- Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate
- Add iTrusChina ECC root certificate
- Add iTrusChina RSA root certificate
- Add ISRG Root X2 root certificate
- Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
- Avoid a clang 13 unused variable warning in opt build
- Check for missing signedData field
- Ensure DER encoded signatures are within size limits

- enable key logging option (boo#1195040)

Version update to NSS 3.73.1:

- Add SHA-2 support to mozilla::pkix's OSCP implementation

Version update to NSS 3.73

- check for missing signedData field.
- Ensure DER encoded signatures are within size limits.
- NSS needs FiPS 140-3 version indicators.
- pkix_CacheCert_Lookup doesn't return cached certs
- sunset Coverity from NSS

Fixed MFSA 2021-51 (bsc#1193170) CVE-2021-43527: Memory corruption via DER-encoded DSA and RSA-PSS signatures

Version update to NSS 3.72

- Fix nsinstall parallel failure.
- Increase KDF cache size to mitigate perf regression in about:logins

Version update to NSS 3.71

- Set nssckbi version number to 2.52.
- Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
- Import of PKCS#12 files with Camellia encryption is not supported
- Add HARICA Client ECC Root CA 2021.
- Add HARICA Client RSA Root CA 2021.
- Add HARICA TLS ECC Root CA 2021.
- Add HARICA TLS RSA Root CA 2021.
- Add TunTrust Root CA certificate to NSS.

Version update to NSS 3.70

- Update test case to verify fix.
- Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
- Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
- Avoid using a lookup table in nssb64d.
- Use HW accelerated SHA2 on AArch64 Big Endian.
- Change default value of enableHelloDowngradeCheck to true.
- Cache additional PBE entries.
- Read HPKE vectors from official JSON.

Version update to NSS 3.69.1:

- Disable DTLS 1.0 and 1.1 by default
- integrity checks in key4.db not happening on private components with AES_CBC

NSS 3.69:

- Disable DTLS 1.0 and 1.1 by default (backed out again)
- integrity checks in key4.db not happening on private components with AES_CBC (backed out again)
- SSL handling of signature algorithms ignores environmental invalid algorithms.
- sqlite 3.34 changed it's open semantics, causing nss failures.
- Gtest update changed the gtest reports, losing gtest details in all.sh reports.
- NSS incorrectly accepting 1536 bit DH primes in FIPS mode
- SQLite calls could timeout in starvation situations.
- Coverity/cpp scanner errors found in nss 3.67
- Import the NSS documentation from MDN in nss/doc.
- NSS using a tempdir to measure sql performance not active

Version Update to 3.68.4 (bsc#1200027)

- CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.  (bmo#1767590)




The following package changes have been done:

- libfreebl3-3.79-150400.3.7.1 updated
- libfreebl3-hmac-3.79-150400.3.7.1 updated
- mozilla-nss-certs-3.79-150400.3.7.1 updated
- libsoftokn3-3.79-150400.3.7.1 updated
- mozilla-nss-3.79-150400.3.7.1 updated
- mozilla-nss-tools-3.79-150400.3.7.1 updated
- libsoftokn3-hmac-3.79-150400.3.7.1 updated
- container:sles15-image-15.0.0-27.11.7 updated

SUSE: 2022:1709-1 suse/389-ds Security Update

July 30, 2022
The container suse/389-ds was updated

Summary

Advisory ID: SUSE-SU-2022:2595-1 Released: Fri Jul 29 16:00:42 2022 Summary: Security update for mozilla-nss Type: security Severity: important

References

References : 1192079 1192080 1192086 1192087 1192228 1198486 1200027 CVE-2022-31741

1192079,1192080,1192086,1192087,1192228,1198486,1200027,CVE-2022-31741

This update for mozilla-nss fixes the following issues:

Various FIPS 140-3 related fixes were backported from SUSE Linux Enterprise 15 SP4:

- Makes the PBKDF known answer test compliant with NIST SP800-132. (bsc#1192079).

- FIPS: Add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck()

(bsc#1198980).

- FIPS: mark algorithms as approved/non-approved according to security policy

(bsc#1191546, bsc#1201298).

- FIPS: remove hard disabling of unapproved algorithms. This requirement is now

fulfilled by the service level indicator (bsc#1200325).

- Run test suite at build time, and make it pass (bsc#1198486).

- FIPS: skip algorithms that are hard disabled in FIPS mode.

- Prevent expired PayPalEE cert from failing the tests.

- Allow checksumming to be disabled, but only if we entered FIPS mode

due to NSS_FIPS being set, not if it came from /proc.

- FIPS: Make the PBKDF known answer test compliant with NIST SP800-132.

- Update FIPS validation string to version-release format.

- FIPS: remove XCBC MAC from list of FIPS approved algorithms.

- Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID

for build.

- FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080).

- FIPS: allow testing of unapproved algorithms (bsc#1192228).

- FIPS: add version indicators. (bmo#1729550, bsc#1192086).

- FIPS: fix some secret clearing (bmo#1697303, bsc#1192087).

Version update to NSS 3.79:

- Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.

- Update mercurial in clang-format docker image.

- Use of uninitialized pointer in lg_init after alloc fail.

- selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.

- Add SECMOD_LockedModuleHasRemovableSlots.

- Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.

- Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.

- TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.

- Correct invalid record inner and outer content type alerts.

- NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.

- improve error handling after nssCKFWInstance_CreateObjectHandle.

- Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.

- NSS 3.79 should depend on NSPR 4.34

Version update to NSS 3.78.1:

- Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple

Version update to NSS 3.78:

- Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.

- Reworked overlong record size checks and added TLS1.3 specific boundaries.

- Add ECH Grease Support to tstclnt

- Add a strict variant of moz::pkix::CheckCertHostname.

- Change SSL_REUSE_SERVER_ECDHE_KEY default to false.

- Make SEC_PKCS12EnableCipher succeed

- Update zlib in NSS to 1.2.12.

Version update to NSS 3.77:

- Fix link to TLS page on wireshark wiki

- Add two D-TRUST 2020 root certificates.

- Add Telia Root CA v2 root certificate.

- Remove expired explicitly distrusted certificates from certdata.txt.

- support specific RSA-PSS parameters in mozilla::pkix

- Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.

- Remove token member from NSSSlot struct.

- Provide secure variants of mpp_pprime and mpp_make_prime.

- Support UTF-8 library path in the module spec string.

- Update nssUTF8_Length to RFC 3629 and fix buffer overrun.

- Update googletest to 1.11.0

- Add SetTls13GreaseEchSize to experimental API.

- TLS 1.3 Illegal legacy_version handling/alerts.

- Fix calculation of ECH HRR Transcript.

- Allow ld path to be set as environment variable.

- Ensure we don't read uninitialized memory in ssl gtests.

- Fix DataBuffer Move Assignment.

- internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3

- rework signature verification in mozilla::pkix

Version update to NSS 3.76.1

- Remove token member from NSSSlot struct.

- Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots.

- Check return value of PK11Slot_GetNSSToken.

- Use Wycheproof JSON for RSASSA-PSS

- Add SHA256 fingerprint comments to old certdata.txt entries.

- Avoid truncating files in nss-release-helper.py.

- Throw illegal_parameter alert for illegal extensions in handshake message.

Version update to NSS 3.75

- Make DottedOIDToCode.py compatible with python3.

- Avoid undefined shift in SSL_CERT_IS while fuzzing.

- Remove redundant key type check.

- Update ABI expectations to match ECH changes.

- Enable CKM_CHACHA20.

- check return on NSS_NoDB_Init and NSS_Shutdown.

- Run ECDSA test vectors from bltest as part of the CI tests.

- Add ECDSA test vectors to the bltest command line tool.

- Allow to build using clang's integrated assembler.

- Allow to override python for the build.

- test HKDF output rather than input.

- Use ASSERT macros to end failed tests early.

- move assignment operator for DataBuffer.

- Add test cases for ECH compression and unexpected extensions in SH.

- Update tests for ECH-13.

- Tidy up error handling.

- Add tests for ECH HRR Changes.

- Server only sends GREASE HRR extension if enabled by preference.

- Update generation of the Associated Data for ECH-13.

- When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello.

- Allow for compressed, non-contiguous, extensions.

- Scramble the PSK extension in CHOuter.

- Split custom extension handling for ECH.

- Add ECH-13 HRR Handling.

- Client side ECH padding.

- Stricter ClientHelloInner Decompression.

- Remove ECH_inner extension, use new enum format.

- Update the version number for ECH-13 and adjust the ECHConfig size.

Version update to NSS 3.74

- mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses

- Ensure clients offer consistent ciphersuites after HRR

- NSS does not properly restrict server keys based on policy

- Set nssckbi version number to 2.54

- Replace Google Trust Services LLC (GTS) R4 root certificate

- Replace Google Trust Services LLC (GTS) R3 root certificate

- Replace Google Trust Services LLC (GTS) R2 root certificate

- Replace Google Trust Services LLC (GTS) R1 root certificate

- Replace GlobalSign ECC Root CA R4

- Remove Expired Root Certificates - DST Root CA X3

- Remove Expiring Cybertrust Global Root and GlobalSign root certificates

- Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate

- Add iTrusChina ECC root certificate

- Add iTrusChina RSA root certificate

- Add ISRG Root X2 root certificate

- Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate

- Avoid a clang 13 unused variable warning in opt build

- Check for missing signedData field

- Ensure DER encoded signatures are within size limits

- enable key logging option (boo#1195040)

Version update to NSS 3.73.1:

- Add SHA-2 support to mozilla::pkix's OSCP implementation

Version update to NSS 3.73

- check for missing signedData field.

- Ensure DER encoded signatures are within size limits.

- NSS needs FiPS 140-3 version indicators.

- pkix_CacheCert_Lookup doesn't return cached certs

- sunset Coverity from NSS

Fixed MFSA 2021-51 (bsc#1193170) CVE-2021-43527: Memory corruption via DER-encoded DSA and RSA-PSS signatures

Version update to NSS 3.72

- Fix nsinstall parallel failure.

- Increase KDF cache size to mitigate perf regression in about:logins

Version update to NSS 3.71

- Set nssckbi version number to 2.52.

- Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py

- Import of PKCS#12 files with Camellia encryption is not supported

- Add HARICA Client ECC Root CA 2021.

- Add HARICA Client RSA Root CA 2021.

- Add HARICA TLS ECC Root CA 2021.

- Add HARICA TLS RSA Root CA 2021.

- Add TunTrust Root CA certificate to NSS.

Version update to NSS 3.70

- Update test case to verify fix.

- Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max

- Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback

- Avoid using a lookup table in nssb64d.

- Use HW accelerated SHA2 on AArch64 Big Endian.

- Change default value of enableHelloDowngradeCheck to true.

- Cache additional PBE entries.

- Read HPKE vectors from official JSON.

Version update to NSS 3.69.1:

- Disable DTLS 1.0 and 1.1 by default

- integrity checks in key4.db not happening on private components with AES_CBC

NSS 3.69:

- Disable DTLS 1.0 and 1.1 by default (backed out again)

- integrity checks in key4.db not happening on private components with AES_CBC (backed out again)

- SSL handling of signature algorithms ignores environmental invalid algorithms.

- sqlite 3.34 changed it's open semantics, causing nss failures.

- Gtest update changed the gtest reports, losing gtest details in all.sh reports.

- NSS incorrectly accepting 1536 bit DH primes in FIPS mode

- SQLite calls could timeout in starvation situations.

- Coverity/cpp scanner errors found in nss 3.67

- Import the NSS documentation from MDN in nss/doc.

- NSS using a tempdir to measure sql performance not active

Version Update to 3.68.4 (bsc#1200027)

- CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. (bmo#1767590)

The following package changes have been done:

- libfreebl3-3.79-150400.3.7.1 updated

- libfreebl3-hmac-3.79-150400.3.7.1 updated

- mozilla-nss-certs-3.79-150400.3.7.1 updated

- libsoftokn3-3.79-150400.3.7.1 updated

- mozilla-nss-3.79-150400.3.7.1 updated

- mozilla-nss-tools-3.79-150400.3.7.1 updated

- libsoftokn3-hmac-3.79-150400.3.7.1 updated

- container:sles15-image-15.0.0-27.11.7 updated

Severity
Container Advisory ID : SUSE-CU-2022:1709-1
Container Tags : suse/389-ds:2.0 , suse/389-ds:2.0-14.31 , suse/389-ds:latest
Container Release : 14.31
Severity : important
Type : security

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.