SUSE: 2022:2536-1 moderate: mozilla-nspr, mozilla-nss | LinuxSecuri...

   SUSE Security Update: Security update for mozilla-nspr, mozilla-nss
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:2536-1
Rating:             moderate
References:         #1191546 #1192079 #1192080 #1192086 #1192087 
                    #1192228 #1193170 #1195040 #1198486 #1198980 
                    #1200325 #1201298 
Cross-References:   CVE-2021-43527
CVSS scores:
                    CVE-2021-43527 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-43527 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP Applications 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud Crowbar 9
______________________________________________________________________________

   An update that solves one vulnerability and has 11 fixes is
   now available.

Description:

   This update for mozilla-nspr, mozilla-nss fixes the following issues:

   mozilla-nss was updated to fix various issues:

   FIPS 140-3 enablement patches were backported from SUSE Linux Enterprise
   15.

   - FIPS: add on-demand integrity tests through
     sftk_FIPSRepeatIntegrityCheck() (bsc#1198980).
   - FIPS: mark algorithms as approved/non-approved according to security
     policy (bsc#1191546, bsc#1201298).
   - FISP: remove hard disabling of unapproved algorithms. This requirement
     is now fulfilled by the service level indicator (bsc#1200325).

   Version update to NSS 3.79

   - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
   - Update mercurial in clang-format docker image.
   - Use of uninitialized pointer in lg_init after alloc fail.
   - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
   - Add SECMOD_LockedModuleHasRemovableSlots.
   - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
   - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat
     extension alerts.
   - TLS 1.3 Server: Send protocol_version alert on unsupported
     ClientHello.legacy_version.
   - Correct invalid record inner and outer content type alerts.
   - NSS does not properly import or export pkcs12 files with large passwords
     and pkcs5v2 encoding.
   - improve error handling after nssCKFWInstance_CreateObjectHandle.
   - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
   - NSS 3.79 should depend on NSPR 4.34

   Update to NSS 3.78.1

   - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple

   update to NSS 3.78

   - Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length
     record/fragment handling tests.
   - Reworked overlong record size checks and added TLS1.3 specific
     boundaries.
   - Add ECH Grease Support to tstclnt
   - Add a strict variant of moz::pkix::CheckCertHostname.
   - Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
   - Make SEC_PKCS12EnableCipher succeed
   - Update zlib in NSS to 1.2.12.

   Update to NSS 3.77:

   - resolve mpitests build failure on Windows.
   - Fix link to TLS page on wireshark wiki
   - Add two D-TRUST 2020 root certificates.
   - Add Telia Root CA v2 root certificate.
   - Remove expired explicitly distrusted certificates from certdata.txt.
   - support specific RSA-PSS parameters in mozilla::pkix
   - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
   - Remove token member from NSSSlot struct.
   - Provide secure variants of mpp_pprime and mpp_make_prime.
   - Support UTF-8 library path in the module spec string.
   - Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
   - Add a CI Target for gcc-11.
   - Change to makefiles for gcc-4.8.
   - Update googletest to 1.11.0
   - Add SetTls13GreaseEchSize to experimental API.
   - TLS 1.3 Illegal legacy_version handling/alerts.
   - Fix calculation of ECH HRR Transcript.
   - Allow ld path to be set as environment variable.
   - Ensure we don't read uninitialized memory in ssl gtests.
   - Fix DataBuffer Move Assignment.
   - internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3
   - rework signature verification in mozilla::pkix

   update to NSS 3.76.1

   - Remove token member from NSSSlot struct.

   NSS 3.76

   - Hold tokensLock through nssToken_GetSlot calls in
     nssTrustDomain_GetActiveSlots.
   - Check return value of PK11Slot_GetNSSToken.
   - Use Wycheproof JSON for RSASSA-PSS
   - Add SHA256 fingerprint comments to old certdata.txt entries.
   - Avoid truncating files in nss-release-helper.py.
   - Throw illegal_parameter alert for illegal extensions in handshake
     message.

   update to NSS 3.75

   - Make DottedOIDToCode.py compatible with python3.
   - Avoid undefined shift in SSL_CERT_IS while fuzzing.
   - Remove redundant key type check.
   - Update ABI expectations to match ECH changes.
   - Enable CKM_CHACHA20.
   - check return on NSS_NoDB_Init and NSS_Shutdown.
   - real move assignment operator.
   - Run ECDSA test vectors from bltest as part of the CI tests.
   - Add ECDSA test vectors to the bltest command line tool.
   - Allow to build using clang's integrated assembler.
   - Allow to override python for the build.
   - test HKDF output rather than input.
   - Use ASSERT macros to end failed tests early.
   - move assignment operator for DataBuffer.
   - Add test cases for ECH compression and unexpected extensions in SH.
   - Update tests for ECH-13.
   - Tidy up error handling.
   - Add tests for ECH HRR Changes.
   - Server only sends GREASE HRR extension if enabled by preference.
   - Update generation of the Associated Data for ECH-13.
   - When ECH is accepted, reject extensions which were only advertised in
     the Outer Client Hello.
   - Allow for compressed, non-contiguous, extensions.
   - Scramble the PSK extension in CHOuter.
   - Split custom extension handling for ECH.
   - Add ECH-13 HRR Handling.
   - Client side ECH padding.
   - Stricter ClientHelloInner Decompression.
   - Remove ECH_inner extension, use new enum format.
   - Update the version number for ECH-13 and adjust the ECHConfig size.

   Update to NSS 3.74:

   - mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses
   - Ensure clients offer consistent ciphersuites after HRR
   - NSS does not properly restrict server keys based on policy
   - Set nssckbi version number to 2.54
   - Replace Google Trust Services LLC (GTS) R4 root certificate
   - Replace Google Trust Services LLC (GTS) R3 root certificate
   - Replace Google Trust Services LLC (GTS) R2 root certificate
   - Replace Google Trust Services LLC (GTS) R1 root certificate
   - Replace GlobalSign ECC Root CA R4
   - Remove Expired Root Certificates - DST Root CA X3
   - Remove Expiring Cybertrust Global Root and GlobalSign root certificates
   - Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068
     root certificate
   - Add iTrusChina ECC root certificate
   - Add iTrusChina RSA root certificate
   - Add ISRG Root X2 root certificate
   - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
   - Avoid a clang 13 unused variable warning in opt build
   - Check for missing signedData field
   - Ensure DER encoded signatures are within size limits
   - enable key logging option (bsc#1195040)

   Update to NSS 3.73.1:

   - Add SHA-2 support to mozilla::pkix's OSCP implementation

   Update to NSS 3.73

   - check for missing signedData field.
   - Ensure DER encoded signatures are within size limits.
   - NSS needs FiPS 140-3 version indicators.
   - pkix_CacheCert_Lookup doesn't return cached certs
   - sunset Coverity from NSS

   MFSA 2021-51 (bsc#1193170) CVE-2021-43527: Memory corruption via
   DER-encoded DSA and RSA-PSS signatures

   Update to NSS 3.72

   - Fix nsinstall parallel failure.
   - Increase KDF cache size to mitigate perf regression in about:logins

   Update to NSS 3.71

   - Set nssckbi version number to 2.52.
   - Respect server requirements of
     tlsfuzzer/test-tls13-signature-algorithms.py
   - Import of PKCS#12 files with Camellia encryption is not supported
   - Add HARICA Client ECC Root CA 2021.
   - Add HARICA Client RSA Root CA 2021.
   - Add HARICA TLS ECC Root CA 2021.
   - Add HARICA TLS RSA Root CA 2021.
   - Add TunTrust Root CA certificate to NSS.

   update to NSS 3.70

   - Update test case to verify fix.
   - Explicitly disable downgrade check in
     TlsConnectStreamTls13.EchOuterWith12Max
   - Explicitly disable downgrade check in
     TlsConnectTest.DisableFalseStartOnFallback
   - Avoid using a lookup table in nssb64d.
   - Use HW accelerated SHA2 on AArch64 Big Endian.
   - Change default value of enableHelloDowngradeCheck to true.
   - Cache additional PBE entries.
   - Read HPKE vectors from official JSON.

   Update to NSS 3.69.1

   - Disable DTLS 1.0 and 1.1 by default
   - integrity checks in key4.db not happening on private components with
     AES_CBC

   NSS 3.69

   - Disable DTLS 1.0 and 1.1 by default (backed out again)
   - integrity checks in key4.db not happening on private components with
     AES_CBC (backed out again)
   - SSL handling of signature algorithms ignores environmental invalid
     algorithms.
   - sqlite 3.34 changed it's open semantics, causing nss failures.
   - Gtest update changed the gtest reports, losing gtest details in all.sh
     reports.
   - NSS incorrectly accepting 1536 bit DH primes in FIPS mode
   - SQLite calls could timeout in starvation situations.
   - Coverity/cpp scanner errors found in nss 3.67
   - Import the NSS documentation from MDN in nss/doc.
   - NSS using a tempdir to measure sql performance not active

   - FIPS: scan LD_LIBRARY_PATH for external libraries to be checksummed.
   - Run test suite at build time, and make it pass (bsc#1198486).
   - Enable FIPS during test certificate creation and disables the library
     checksum validation during same.
   - FIPS: allow checksumming to be disabled, but only if we entered FIPS
     mode due to NSS_FIPS being set, not if it came from /proc.
   - FIPS: This makes the PBKDF known answer test compliant with NIST
     SP800-132.
   - FIPS: update validation string to version-release format. (bsc#1192079).
   - FIPS: remove XCBC MAC from list of FIPS approved algorithms.
   - Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID for build.
   - FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080).
   - FIPS: allow testing of unapproved algorithms (bsc#1192228).
   - FIPS: adds FIPS version indicators. (bmo#1729550, bsc#1192086).
   - FIPS: Add CSP clearing (bmo#1697303, bsc#1192087).

   mozilla-nspr was updated to version 4.34:

   * add an API that returns a preferred loopback IP on hosts that have two
     IP stacks available.

   update to 4.33:
   * fixes to build system and export of private symbols


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2022-2536=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2022-2536=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2022-2536=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:

      zypper in -t patch SUSE-SLE-SAP-12-SP4-2022-2536=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-2536=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2022-2536=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2022-2536=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2022-2536=1



Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      libfreebl3-3.79-58.75.1
      libfreebl3-32bit-3.79-58.75.1
      libfreebl3-debuginfo-3.79-58.75.1
      libfreebl3-debuginfo-32bit-3.79-58.75.1
      libfreebl3-hmac-3.79-58.75.1
      libfreebl3-hmac-32bit-3.79-58.75.1
      libsoftokn3-3.79-58.75.1
      libsoftokn3-32bit-3.79-58.75.1
      libsoftokn3-debuginfo-3.79-58.75.1
      libsoftokn3-debuginfo-32bit-3.79-58.75.1
      libsoftokn3-hmac-3.79-58.75.1
      libsoftokn3-hmac-32bit-3.79-58.75.1
      mozilla-nspr-32bit-4.34-19.21.1
      mozilla-nspr-4.34-19.21.1
      mozilla-nspr-debuginfo-32bit-4.34-19.21.1
      mozilla-nspr-debuginfo-4.34-19.21.1
      mozilla-nspr-debugsource-4.34-19.21.1
      mozilla-nspr-devel-4.34-19.21.1
      mozilla-nss-3.79-58.75.1
      mozilla-nss-32bit-3.79-58.75.1
      mozilla-nss-certs-3.79-58.75.1
      mozilla-nss-certs-32bit-3.79-58.75.1
      mozilla-nss-certs-debuginfo-3.79-58.75.1
      mozilla-nss-certs-debuginfo-32bit-3.79-58.75.1
      mozilla-nss-debuginfo-3.79-58.75.1
      mozilla-nss-debuginfo-32bit-3.79-58.75.1
      mozilla-nss-debugsource-3.79-58.75.1
      mozilla-nss-devel-3.79-58.75.1
      mozilla-nss-sysinit-3.79-58.75.1
      mozilla-nss-sysinit-32bit-3.79-58.75.1
      mozilla-nss-sysinit-debuginfo-3.79-58.75.1
      mozilla-nss-sysinit-debuginfo-32bit-3.79-58.75.1
      mozilla-nss-tools-3.79-58.75.1
      mozilla-nss-tools-debuginfo-3.79-58.75.1

   - SUSE OpenStack Cloud 9 (x86_64):

      libfreebl3-3.79-58.75.1
      libfreebl3-32bit-3.79-58.75.1
      libfreebl3-debuginfo-3.79-58.75.1
      libfreebl3-debuginfo-32bit-3.79-58.75.1
      libfreebl3-hmac-3.79-58.75.1
      libfreebl3-hmac-32bit-3.79-58.75.1
      libsoftokn3-3.79-58.75.1
      libsoftokn3-32bit-3.79-58.75.1
      libsoftokn3-debuginfo-3.79-58.75.1
      libsoftokn3-debuginfo-32bit-3.79-58.75.1
      libsoftokn3-hmac-3.79-58.75.1
      libsoftokn3-hmac-32bit-3.79-58.75.1
      mozilla-nspr-32bit-4.34-19.21.1
      mozilla-nspr-4.34-19.21.1
      mozilla-nspr-debuginfo-32bit-4.34-19.21.1
      mozilla-nspr-debuginfo-4.34-19.21.1
      mozilla-nspr-debugsource-4.34-19.21.1
      mozilla-nspr-devel-4.34-19.21.1
      mozilla-nss-3.79-58.75.1
      mozilla-nss-32bit-3.79-58.75.1
      mozilla-nss-certs-3.79-58.75.1
      mozilla-nss-certs-32bit-3.79-58.75.1
      mozilla-nss-certs-debuginfo-3.79-58.75.1
      mozilla-nss-certs-debuginfo-32bit-3.79-58.75.1
      mozilla-nss-debuginfo-3.79-58.75.1
      mozilla-nss-debuginfo-32bit-3.79-58.75.1
      mozilla-nss-debugsource-3.79-58.75.1
      mozilla-nss-devel-3.79-58.75.1
      mozilla-nss-sysinit-3.79-58.75.1
      mozilla-nss-sysinit-32bit-3.79-58.75.1
      mozilla-nss-sysinit-debuginfo-3.79-58.75.1
      mozilla-nss-sysinit-debuginfo-32bit-3.79-58.75.1
      mozilla-nss-tools-3.79-58.75.1
      mozilla-nss-tools-debuginfo-3.79-58.75.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      mozilla-nspr-debuginfo-4.34-19.21.1
      mozilla-nspr-debugsource-4.34-19.21.1
      mozilla-nspr-devel-4.34-19.21.1
      mozilla-nss-debuginfo-3.79-58.75.1
      mozilla-nss-debugsource-3.79-58.75.1
      mozilla-nss-devel-3.79-58.75.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

      libfreebl3-3.79-58.75.1
      libfreebl3-debuginfo-3.79-58.75.1
      libfreebl3-hmac-3.79-58.75.1
      libsoftokn3-3.79-58.75.1
      libsoftokn3-debuginfo-3.79-58.75.1
      libsoftokn3-hmac-3.79-58.75.1
      mozilla-nspr-4.34-19.21.1
      mozilla-nspr-debuginfo-4.34-19.21.1
      mozilla-nspr-debugsource-4.34-19.21.1
      mozilla-nspr-devel-4.34-19.21.1
      mozilla-nss-3.79-58.75.1
      mozilla-nss-certs-3.79-58.75.1
      mozilla-nss-certs-debuginfo-3.79-58.75.1
      mozilla-nss-debuginfo-3.79-58.75.1
      mozilla-nss-debugsource-3.79-58.75.1
      mozilla-nss-devel-3.79-58.75.1
      mozilla-nss-sysinit-3.79-58.75.1
      mozilla-nss-sysinit-debuginfo-3.79-58.75.1
      mozilla-nss-tools-3.79-58.75.1
      mozilla-nss-tools-debuginfo-3.79-58.75.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):

      libfreebl3-32bit-3.79-58.75.1
      libfreebl3-debuginfo-32bit-3.79-58.75.1
      libfreebl3-hmac-32bit-3.79-58.75.1
      libsoftokn3-32bit-3.79-58.75.1
      libsoftokn3-debuginfo-32bit-3.79-58.75.1
      libsoftokn3-hmac-32bit-3.79-58.75.1
      mozilla-nspr-32bit-4.34-19.21.1
      mozilla-nspr-debuginfo-32bit-4.34-19.21.1
      mozilla-nss-32bit-3.79-58.75.1
      mozilla-nss-certs-32bit-3.79-58.75.1
      mozilla-nss-certs-debuginfo-32bit-3.79-58.75.1
      mozilla-nss-debuginfo-32bit-3.79-58.75.1
      mozilla-nss-sysinit-32bit-3.79-58.75.1
      mozilla-nss-sysinit-debuginfo-32bit-3.79-58.75.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      libfreebl3-3.79-58.75.1
      libfreebl3-debuginfo-3.79-58.75.1
      libfreebl3-hmac-3.79-58.75.1
      libsoftokn3-3.79-58.75.1
      libsoftokn3-debuginfo-3.79-58.75.1
      libsoftokn3-hmac-3.79-58.75.1
      mozilla-nspr-4.34-19.21.1
      mozilla-nspr-debuginfo-4.34-19.21.1
      mozilla-nspr-debugsource-4.34-19.21.1
      mozilla-nspr-devel-4.34-19.21.1
      mozilla-nss-3.79-58.75.1
      mozilla-nss-certs-3.79-58.75.1
      mozilla-nss-certs-debuginfo-3.79-58.75.1
      mozilla-nss-debuginfo-3.79-58.75.1
      mozilla-nss-debugsource-3.79-58.75.1
      mozilla-nss-devel-3.79-58.75.1
      mozilla-nss-sysinit-3.79-58.75.1
      mozilla-nss-sysinit-debuginfo-3.79-58.75.1
      mozilla-nss-tools-3.79-58.75.1
      mozilla-nss-tools-debuginfo-3.79-58.75.1

   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):

      libfreebl3-32bit-3.79-58.75.1
      libfreebl3-debuginfo-32bit-3.79-58.75.1
      libfreebl3-hmac-32bit-3.79-58.75.1
      libsoftokn3-32bit-3.79-58.75.1
      libsoftokn3-debuginfo-32bit-3.79-58.75.1
      libsoftokn3-hmac-32bit-3.79-58.75.1
      mozilla-nspr-32bit-4.34-19.21.1
      mozilla-nspr-debuginfo-32bit-4.34-19.21.1
      mozilla-nss-32bit-3.79-58.75.1
      mozilla-nss-certs-32bit-3.79-58.75.1
      mozilla-nss-certs-debuginfo-32bit-3.79-58.75.1
      mozilla-nss-debuginfo-32bit-3.79-58.75.1
      mozilla-nss-sysinit-32bit-3.79-58.75.1
      mozilla-nss-sysinit-debuginfo-32bit-3.79-58.75.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      libfreebl3-3.79-58.75.1
      libfreebl3-debuginfo-3.79-58.75.1
      libfreebl3-hmac-3.79-58.75.1
      libsoftokn3-3.79-58.75.1
      libsoftokn3-debuginfo-3.79-58.75.1
      libsoftokn3-hmac-3.79-58.75.1
      mozilla-nspr-4.34-19.21.1
      mozilla-nspr-debuginfo-4.34-19.21.1
      mozilla-nspr-debugsource-4.34-19.21.1
      mozilla-nspr-devel-4.34-19.21.1
      mozilla-nss-3.79-58.75.1
      mozilla-nss-certs-3.79-58.75.1
      mozilla-nss-certs-debuginfo-3.79-58.75.1
      mozilla-nss-debuginfo-3.79-58.75.1
      mozilla-nss-debugsource-3.79-58.75.1
      mozilla-nss-devel-3.79-58.75.1
      mozilla-nss-sysinit-3.79-58.75.1
      mozilla-nss-sysinit-debuginfo-3.79-58.75.1
      mozilla-nss-tools-3.79-58.75.1
      mozilla-nss-tools-debuginfo-3.79-58.75.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64):

      libfreebl3-32bit-3.79-58.75.1
      libfreebl3-debuginfo-32bit-3.79-58.75.1
      libfreebl3-hmac-32bit-3.79-58.75.1
      libsoftokn3-32bit-3.79-58.75.1
      libsoftokn3-debuginfo-32bit-3.79-58.75.1
      libsoftokn3-hmac-32bit-3.79-58.75.1
      mozilla-nspr-32bit-4.34-19.21.1
      mozilla-nspr-debuginfo-32bit-4.34-19.21.1
      mozilla-nss-32bit-3.79-58.75.1
      mozilla-nss-certs-32bit-3.79-58.75.1
      mozilla-nss-certs-debuginfo-32bit-3.79-58.75.1
      mozilla-nss-debuginfo-32bit-3.79-58.75.1
      mozilla-nss-sysinit-32bit-3.79-58.75.1
      mozilla-nss-sysinit-debuginfo-32bit-3.79-58.75.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      libfreebl3-3.79-58.75.1
      libfreebl3-32bit-3.79-58.75.1
      libfreebl3-debuginfo-3.79-58.75.1
      libfreebl3-debuginfo-32bit-3.79-58.75.1
      libfreebl3-hmac-3.79-58.75.1
      libfreebl3-hmac-32bit-3.79-58.75.1
      libsoftokn3-3.79-58.75.1
      libsoftokn3-32bit-3.79-58.75.1
      libsoftokn3-debuginfo-3.79-58.75.1
      libsoftokn3-debuginfo-32bit-3.79-58.75.1
      libsoftokn3-hmac-3.79-58.75.1
      libsoftokn3-hmac-32bit-3.79-58.75.1
      mozilla-nspr-32bit-4.34-19.21.1
      mozilla-nspr-4.34-19.21.1
      mozilla-nspr-debuginfo-32bit-4.34-19.21.1
      mozilla-nspr-debuginfo-4.34-19.21.1
      mozilla-nspr-debugsource-4.34-19.21.1
      mozilla-nss-3.79-58.75.1
      mozilla-nss-32bit-3.79-58.75.1
      mozilla-nss-certs-3.79-58.75.1
      mozilla-nss-certs-32bit-3.79-58.75.1
      mozilla-nss-certs-debuginfo-3.79-58.75.1
      mozilla-nss-certs-debuginfo-32bit-3.79-58.75.1
      mozilla-nss-debuginfo-3.79-58.75.1
      mozilla-nss-debuginfo-32bit-3.79-58.75.1
      mozilla-nss-debugsource-3.79-58.75.1
      mozilla-nss-sysinit-3.79-58.75.1
      mozilla-nss-sysinit-32bit-3.79-58.75.1
      mozilla-nss-sysinit-debuginfo-3.79-58.75.1
      mozilla-nss-sysinit-debuginfo-32bit-3.79-58.75.1
      mozilla-nss-tools-3.79-58.75.1
      mozilla-nss-tools-debuginfo-3.79-58.75.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      libfreebl3-3.79-58.75.1
      libfreebl3-32bit-3.79-58.75.1
      libfreebl3-debuginfo-3.79-58.75.1
      libfreebl3-debuginfo-32bit-3.79-58.75.1
      libfreebl3-hmac-3.79-58.75.1
      libfreebl3-hmac-32bit-3.79-58.75.1
      libsoftokn3-3.79-58.75.1
      libsoftokn3-32bit-3.79-58.75.1
      libsoftokn3-debuginfo-3.79-58.75.1
      libsoftokn3-debuginfo-32bit-3.79-58.75.1
      libsoftokn3-hmac-3.79-58.75.1
      libsoftokn3-hmac-32bit-3.79-58.75.1
      mozilla-nspr-32bit-4.34-19.21.1
      mozilla-nspr-4.34-19.21.1
      mozilla-nspr-debuginfo-32bit-4.34-19.21.1
      mozilla-nspr-debuginfo-4.34-19.21.1
      mozilla-nspr-debugsource-4.34-19.21.1
      mozilla-nss-3.79-58.75.1
      mozilla-nss-32bit-3.79-58.75.1
      mozilla-nss-certs-3.79-58.75.1
      mozilla-nss-certs-32bit-3.79-58.75.1
      mozilla-nss-certs-debuginfo-3.79-58.75.1
      mozilla-nss-certs-debuginfo-32bit-3.79-58.75.1
      mozilla-nss-debuginfo-3.79-58.75.1
      mozilla-nss-debuginfo-32bit-3.79-58.75.1
      mozilla-nss-debugsource-3.79-58.75.1
      mozilla-nss-sysinit-3.79-58.75.1
      mozilla-nss-sysinit-32bit-3.79-58.75.1
      mozilla-nss-sysinit-debuginfo-3.79-58.75.1
      mozilla-nss-sysinit-debuginfo-32bit-3.79-58.75.1
      mozilla-nss-tools-3.79-58.75.1
      mozilla-nss-tools-debuginfo-3.79-58.75.1


References:

   https://www.suse.com/security/cve/CVE-2021-43527.html
   https://bugzilla.suse.com/1191546
   https://bugzilla.suse.com/1192079
   https://bugzilla.suse.com/1192080
   https://bugzilla.suse.com/1192086
   https://bugzilla.suse.com/1192087
   https://bugzilla.suse.com/1192228
   https://bugzilla.suse.com/1193170
   https://bugzilla.suse.com/1195040
   https://bugzilla.suse.com/1198486
   https://bugzilla.suse.com/1198980
   https://bugzilla.suse.com/1200325
   https://bugzilla.suse.com/1201298

SUSE: 2022:2536-1 moderate: mozilla-nspr, mozilla-nss

July 22, 2022
An update that solves one vulnerability and has 11 fixes is now available

Summary

This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to fix various issues: FIPS 140-3 enablement patches were backported from SUSE Linux Enterprise 15. - FIPS: add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck() (bsc#1198980). - FIPS: mark algorithms as approved/non-approved according to security policy (bsc#1191546, bsc#1201298). - FISP: remove hard disabling of unapproved algorithms. This requirement is now fulfilled by the service level indicator (bsc#1200325). Version update to NSS 3.79 - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls. - Update mercurial in clang-format docker image. - Use of uninitialized pointer in lg_init after alloc fail. - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo. - Add SECMOD_LockedModuleHasRemovableSlots. - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP. - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts. - TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version. - Correct invalid record inner and outer content type alerts. - NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding. - improve error handling after nssCKFWInstance_CreateObjectHandle. - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. - NSS 3.79 should depend on NSPR 4.34 Update to NSS 3.78.1 - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple update to NSS 3.78 - Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests. - Reworked overlong record size checks and added TLS1.3 specific boundaries. - Add ECH Grease Support to tstclnt - Add a strict variant of moz::pkix::CheckCertHostname. - Change SSL_REUSE_SERVER_ECDHE_KEY default to false. - Make SEC_PKCS12EnableCipher succeed - Update zlib in NSS to 1.2.12. Update to NSS 3.77: - resolve mpitests build failure on Windows. - Fix link to TLS page on wireshark wiki - Add two D-TRUST 2020 root certificates. - Add Telia Root CA v2 root certificate. - Remove expired explicitly distrusted certificates from certdata.txt. - support specific RSA-PSS parameters in mozilla::pkix - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate. - Remove token member from NSSSlot struct. - Provide secure variants of mpp_pprime and mpp_make_prime. - Support UTF-8 library path in the module spec string. - Update nssUTF8_Length to RFC 3629 and fix buffer overrun. - Add a CI Target for gcc-11. - Change to makefiles for gcc-4.8. - Update googletest to 1.11.0 - Add SetTls13GreaseEchSize to experimental API. - TLS 1.3 Illegal legacy_version handling/alerts. - Fix calculation of ECH HRR Transcript. - Allow ld path to be set as environment variable. - Ensure we don't read uninitialized memory in ssl gtests. - Fix DataBuffer Move Assignment. - internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3 - rework signature verification in mozilla::pkix update to NSS 3.76.1 - Remove token member from NSSSlot struct. NSS 3.76 - Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots. - Check return value of PK11Slot_GetNSSToken. - Use Wycheproof JSON for RSASSA-PSS - Add SHA256 fingerprint comments to old certdata.txt entries. - Avoid truncating files in nss-release-helper.py. - Throw illegal_parameter alert for illegal extensions in handshake message. update to NSS 3.75 - Make DottedOIDToCode.py compatible with python3. - Avoid undefined shift in SSL_CERT_IS while fuzzing. - Remove redundant key type check. - Update ABI expectations to match ECH changes. - Enable CKM_CHACHA20. - check return on NSS_NoDB_Init and NSS_Shutdown. - real move assignment operator. - Run ECDSA test vectors from bltest as part of the CI tests. - Add ECDSA test vectors to the bltest command line tool. - Allow to build using clang's integrated assembler. - Allow to override python for the build. - test HKDF output rather than input. - Use ASSERT macros to end failed tests early. - move assignment operator for DataBuffer. - Add test cases for ECH compression and unexpected extensions in SH. - Update tests for ECH-13. - Tidy up error handling. - Add tests for ECH HRR Changes. - Server only sends GREASE HRR extension if enabled by preference. - Update generation of the Associated Data for ECH-13. - When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello. - Allow for compressed, non-contiguous, extensions. - Scramble the PSK extension in CHOuter. - Split custom extension handling for ECH. - Add ECH-13 HRR Handling. - Client side ECH padding. - Stricter ClientHelloInner Decompression. - Remove ECH_inner extension, use new enum format. - Update the version number for ECH-13 and adjust the ECHConfig size. Update to NSS 3.74: - mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses - Ensure clients offer consistent ciphersuites after HRR - NSS does not properly restrict server keys based on policy - Set nssckbi version number to 2.54 - Replace Google Trust Services LLC (GTS) R4 root certificate - Replace Google Trust Services LLC (GTS) R3 root certificate - Replace Google Trust Services LLC (GTS) R2 root certificate - Replace Google Trust Services LLC (GTS) R1 root certificate - Replace GlobalSign ECC Root CA R4 - Remove Expired Root Certificates - DST Root CA X3 - Remove Expiring Cybertrust Global Root and GlobalSign root certificates - Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate - Add iTrusChina ECC root certificate - Add iTrusChina RSA root certificate - Add ISRG Root X2 root certificate - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate - Avoid a clang 13 unused variable warning in opt build - Check for missing signedData field - Ensure DER encoded signatures are within size limits - enable key logging option (bsc#1195040) Update to NSS 3.73.1: - Add SHA-2 support to mozilla::pkix's OSCP implementation Update to NSS 3.73 - check for missing signedData field. - Ensure DER encoded signatures are within size limits. - NSS needs FiPS 140-3 version indicators. - pkix_CacheCert_Lookup doesn't return cached certs - sunset Coverity from NSS MFSA 2021-51 (bsc#1193170) CVE-2021-43527: Memory corruption via DER-encoded DSA and RSA-PSS signatures Update to NSS 3.72 - Fix nsinstall parallel failure. - Increase KDF cache size to mitigate perf regression in about:logins Update to NSS 3.71 - Set nssckbi version number to 2.52. - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py - Import of PKCS#12 files with Camellia encryption is not supported - Add HARICA Client ECC Root CA 2021. - Add HARICA Client RSA Root CA 2021. - Add HARICA TLS ECC Root CA 2021. - Add HARICA TLS RSA Root CA 2021. - Add TunTrust Root CA certificate to NSS. update to NSS 3.70 - Update test case to verify fix. - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback - Avoid using a lookup table in nssb64d. - Use HW accelerated SHA2 on AArch64 Big Endian. - Change default value of enableHelloDowngradeCheck to true. - Cache additional PBE entries. - Read HPKE vectors from official JSON. Update to NSS 3.69.1 - Disable DTLS 1.0 and 1.1 by default - integrity checks in key4.db not happening on private components with AES_CBC NSS 3.69 - Disable DTLS 1.0 and 1.1 by default (backed out again) - integrity checks in key4.db not happening on private components with AES_CBC (backed out again) - SSL handling of signature algorithms ignores environmental invalid algorithms. - sqlite 3.34 changed it's open semantics, causing nss failures. - Gtest update changed the gtest reports, losing gtest details in all.sh reports. - NSS incorrectly accepting 1536 bit DH primes in FIPS mode - SQLite calls could timeout in starvation situations. - Coverity/cpp scanner errors found in nss 3.67 - Import the NSS documentation from MDN in nss/doc. - NSS using a tempdir to measure sql performance not active - FIPS: scan LD_LIBRARY_PATH for external libraries to be checksummed. - Run test suite at build time, and make it pass (bsc#1198486). - Enable FIPS during test certificate creation and disables the library checksum validation during same. - FIPS: allow checksumming to be disabled, but only if we entered FIPS mode due to NSS_FIPS being set, not if it came from /proc. - FIPS: This makes the PBKDF known answer test compliant with NIST SP800-132. - FIPS: update validation string to version-release format. (bsc#1192079). - FIPS: remove XCBC MAC from list of FIPS approved algorithms. - Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID for build. - FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080). - FIPS: allow testing of unapproved algorithms (bsc#1192228). - FIPS: adds FIPS version indicators. (bmo#1729550, bsc#1192086). - FIPS: Add CSP clearing (bmo#1697303, bsc#1192087). mozilla-nspr was updated to version 4.34: * add an API that returns a preferred loopback IP on hosts that have two IP stacks available. update to 4.33: * fixes to build system and export of private symbols Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2022-2536=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2022-2536=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2022-2536=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2022-2536=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-2536=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2022-2536=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2022-2536=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2022-2536=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): libfreebl3-3.79-58.75.1 libfreebl3-32bit-3.79-58.75.1 libfreebl3-debuginfo-3.79-58.75.1 libfreebl3-debuginfo-32bit-3.79-58.75.1 libfreebl3-hmac-3.79-58.75.1 libfreebl3-hmac-32bit-3.79-58.75.1 libsoftokn3-3.79-58.75.1 libsoftokn3-32bit-3.79-58.75.1 libsoftokn3-debuginfo-3.79-58.75.1 libsoftokn3-debuginfo-32bit-3.79-58.75.1 libsoftokn3-hmac-3.79-58.75.1 libsoftokn3-hmac-32bit-3.79-58.75.1 mozilla-nspr-32bit-4.34-19.21.1 mozilla-nspr-4.34-19.21.1 mozilla-nspr-debuginfo-32bit-4.34-19.21.1 mozilla-nspr-debuginfo-4.34-19.21.1 mozilla-nspr-debugsource-4.34-19.21.1 mozilla-nspr-devel-4.34-19.21.1 mozilla-nss-3.79-58.75.1 mozilla-nss-32bit-3.79-58.75.1 mozilla-nss-certs-3.79-58.75.1 mozilla-nss-certs-32bit-3.79-58.75.1 mozilla-nss-certs-debuginfo-3.79-58.75.1 mozilla-nss-certs-debuginfo-32bit-3.79-58.75.1 mozilla-nss-debuginfo-3.79-58.75.1 mozilla-nss-debuginfo-32bit-3.79-58.75.1 mozilla-nss-debugsource-3.79-58.75.1 mozilla-nss-devel-3.79-58.75.1 mozilla-nss-sysinit-3.79-58.75.1 mozilla-nss-sysinit-32bit-3.79-58.75.1 mozilla-nss-sysinit-debuginfo-3.79-58.75.1 mozilla-nss-sysinit-debuginfo-32bit-3.79-58.75.1 mozilla-nss-tools-3.79-58.75.1 mozilla-nss-tools-debuginfo-3.79-58.75.1 - SUSE OpenStack Cloud 9 (x86_64): libfreebl3-3.79-58.75.1 libfreebl3-32bit-3.79-58.75.1 libfreebl3-debuginfo-3.79-58.75.1 libfreebl3-debuginfo-32bit-3.79-58.75.1 libfreebl3-hmac-3.79-58.75.1 libfreebl3-hmac-32bit-3.79-58.75.1 libsoftokn3-3.79-58.75.1 libsoftokn3-32bit-3.79-58.75.1 libsoftokn3-debuginfo-3.79-58.75.1 libsoftokn3-debuginfo-32bit-3.79-58.75.1 libsoftokn3-hmac-3.79-58.75.1 libsoftokn3-hmac-32bit-3.79-58.75.1 mozilla-nspr-32bit-4.34-19.21.1 mozilla-nspr-4.34-19.21.1 mozilla-nspr-debuginfo-32bit-4.34-19.21.1 mozilla-nspr-debuginfo-4.34-19.21.1 mozilla-nspr-debugsource-4.34-19.21.1 mozilla-nspr-devel-4.34-19.21.1 mozilla-nss-3.79-58.75.1 mozilla-nss-32bit-3.79-58.75.1 mozilla-nss-certs-3.79-58.75.1 mozilla-nss-certs-32bit-3.79-58.75.1 mozilla-nss-certs-debuginfo-3.79-58.75.1 mozilla-nss-certs-debuginfo-32bit-3.79-58.75.1 mozilla-nss-debuginfo-3.79-58.75.1 mozilla-nss-debuginfo-32bit-3.79-58.75.1 mozilla-nss-debugsource-3.79-58.75.1 mozilla-nss-devel-3.79-58.75.1 mozilla-nss-sysinit-3.79-58.75.1 mozilla-nss-sysinit-32bit-3.79-58.75.1 mozilla-nss-sysinit-debuginfo-3.79-58.75.1 mozilla-nss-sysinit-debuginfo-32bit-3.79-58.75.1 mozilla-nss-tools-3.79-58.75.1 mozilla-nss-tools-debuginfo-3.79-58.75.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): mozilla-nspr-debuginfo-4.34-19.21.1 mozilla-nspr-debugsource-4.34-19.21.1 mozilla-nspr-devel-4.34-19.21.1 mozilla-nss-debuginfo-3.79-58.75.1 mozilla-nss-debugsource-3.79-58.75.1 mozilla-nss-devel-3.79-58.75.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): libfreebl3-3.79-58.75.1 libfreebl3-debuginfo-3.79-58.75.1 libfreebl3-hmac-3.79-58.75.1 libsoftokn3-3.79-58.75.1 libsoftokn3-debuginfo-3.79-58.75.1 libsoftokn3-hmac-3.79-58.75.1 mozilla-nspr-4.34-19.21.1 mozilla-nspr-debuginfo-4.34-19.21.1 mozilla-nspr-debugsource-4.34-19.21.1 mozilla-nspr-devel-4.34-19.21.1 mozilla-nss-3.79-58.75.1 mozilla-nss-certs-3.79-58.75.1 mozilla-nss-certs-debuginfo-3.79-58.75.1 mozilla-nss-debuginfo-3.79-58.75.1 mozilla-nss-debugsource-3.79-58.75.1 mozilla-nss-devel-3.79-58.75.1 mozilla-nss-sysinit-3.79-58.75.1 mozilla-nss-sysinit-debuginfo-3.79-58.75.1 mozilla-nss-tools-3.79-58.75.1 mozilla-nss-tools-debuginfo-3.79-58.75.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64): libfreebl3-32bit-3.79-58.75.1 libfreebl3-debuginfo-32bit-3.79-58.75.1 libfreebl3-hmac-32bit-3.79-58.75.1 libsoftokn3-32bit-3.79-58.75.1 libsoftokn3-debuginfo-32bit-3.79-58.75.1 libsoftokn3-hmac-32bit-3.79-58.75.1 mozilla-nspr-32bit-4.34-19.21.1 mozilla-nspr-debuginfo-32bit-4.34-19.21.1 mozilla-nss-32bit-3.79-58.75.1 mozilla-nss-certs-32bit-3.79-58.75.1 mozilla-nss-certs-debuginfo-32bit-3.79-58.75.1 mozilla-nss-debuginfo-32bit-3.79-58.75.1 mozilla-nss-sysinit-32bit-3.79-58.75.1 mozilla-nss-sysinit-debuginfo-32bit-3.79-58.75.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libfreebl3-3.79-58.75.1 libfreebl3-debuginfo-3.79-58.75.1 libfreebl3-hmac-3.79-58.75.1 libsoftokn3-3.79-58.75.1 libsoftokn3-debuginfo-3.79-58.75.1 libsoftokn3-hmac-3.79-58.75.1 mozilla-nspr-4.34-19.21.1 mozilla-nspr-debuginfo-4.34-19.21.1 mozilla-nspr-debugsource-4.34-19.21.1 mozilla-nspr-devel-4.34-19.21.1 mozilla-nss-3.79-58.75.1 mozilla-nss-certs-3.79-58.75.1 mozilla-nss-certs-debuginfo-3.79-58.75.1 mozilla-nss-debuginfo-3.79-58.75.1 mozilla-nss-debugsource-3.79-58.75.1 mozilla-nss-devel-3.79-58.75.1 mozilla-nss-sysinit-3.79-58.75.1 mozilla-nss-sysinit-debuginfo-3.79-58.75.1 mozilla-nss-tools-3.79-58.75.1 mozilla-nss-tools-debuginfo-3.79-58.75.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libfreebl3-32bit-3.79-58.75.1 libfreebl3-debuginfo-32bit-3.79-58.75.1 libfreebl3-hmac-32bit-3.79-58.75.1 libsoftokn3-32bit-3.79-58.75.1 libsoftokn3-debuginfo-32bit-3.79-58.75.1 libsoftokn3-hmac-32bit-3.79-58.75.1 mozilla-nspr-32bit-4.34-19.21.1 mozilla-nspr-debuginfo-32bit-4.34-19.21.1 mozilla-nss-32bit-3.79-58.75.1 mozilla-nss-certs-32bit-3.79-58.75.1 mozilla-nss-certs-debuginfo-32bit-3.79-58.75.1 mozilla-nss-debuginfo-32bit-3.79-58.75.1 mozilla-nss-sysinit-32bit-3.79-58.75.1 mozilla-nss-sysinit-debuginfo-32bit-3.79-58.75.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): libfreebl3-3.79-58.75.1 libfreebl3-debuginfo-3.79-58.75.1 libfreebl3-hmac-3.79-58.75.1 libsoftokn3-3.79-58.75.1 libsoftokn3-debuginfo-3.79-58.75.1 libsoftokn3-hmac-3.79-58.75.1 mozilla-nspr-4.34-19.21.1 mozilla-nspr-debuginfo-4.34-19.21.1 mozilla-nspr-debugsource-4.34-19.21.1 mozilla-nspr-devel-4.34-19.21.1 mozilla-nss-3.79-58.75.1 mozilla-nss-certs-3.79-58.75.1 mozilla-nss-certs-debuginfo-3.79-58.75.1 mozilla-nss-debuginfo-3.79-58.75.1 mozilla-nss-debugsource-3.79-58.75.1 mozilla-nss-devel-3.79-58.75.1 mozilla-nss-sysinit-3.79-58.75.1 mozilla-nss-sysinit-debuginfo-3.79-58.75.1 mozilla-nss-tools-3.79-58.75.1 mozilla-nss-tools-debuginfo-3.79-58.75.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64): libfreebl3-32bit-3.79-58.75.1 libfreebl3-debuginfo-32bit-3.79-58.75.1 libfreebl3-hmac-32bit-3.79-58.75.1 libsoftokn3-32bit-3.79-58.75.1 libsoftokn3-debuginfo-32bit-3.79-58.75.1 libsoftokn3-hmac-32bit-3.79-58.75.1 mozilla-nspr-32bit-4.34-19.21.1 mozilla-nspr-debuginfo-32bit-4.34-19.21.1 mozilla-nss-32bit-3.79-58.75.1 mozilla-nss-certs-32bit-3.79-58.75.1 mozilla-nss-certs-debuginfo-32bit-3.79-58.75.1 mozilla-nss-debuginfo-32bit-3.79-58.75.1 mozilla-nss-sysinit-32bit-3.79-58.75.1 mozilla-nss-sysinit-debuginfo-32bit-3.79-58.75.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): libfreebl3-3.79-58.75.1 libfreebl3-32bit-3.79-58.75.1 libfreebl3-debuginfo-3.79-58.75.1 libfreebl3-debuginfo-32bit-3.79-58.75.1 libfreebl3-hmac-3.79-58.75.1 libfreebl3-hmac-32bit-3.79-58.75.1 libsoftokn3-3.79-58.75.1 libsoftokn3-32bit-3.79-58.75.1 libsoftokn3-debuginfo-3.79-58.75.1 libsoftokn3-debuginfo-32bit-3.79-58.75.1 libsoftokn3-hmac-3.79-58.75.1 libsoftokn3-hmac-32bit-3.79-58.75.1 mozilla-nspr-32bit-4.34-19.21.1 mozilla-nspr-4.34-19.21.1 mozilla-nspr-debuginfo-32bit-4.34-19.21.1 mozilla-nspr-debuginfo-4.34-19.21.1 mozilla-nspr-debugsource-4.34-19.21.1 mozilla-nss-3.79-58.75.1 mozilla-nss-32bit-3.79-58.75.1 mozilla-nss-certs-3.79-58.75.1 mozilla-nss-certs-32bit-3.79-58.75.1 mozilla-nss-certs-debuginfo-3.79-58.75.1 mozilla-nss-certs-debuginfo-32bit-3.79-58.75.1 mozilla-nss-debuginfo-3.79-58.75.1 mozilla-nss-debuginfo-32bit-3.79-58.75.1 mozilla-nss-debugsource-3.79-58.75.1 mozilla-nss-sysinit-3.79-58.75.1 mozilla-nss-sysinit-32bit-3.79-58.75.1 mozilla-nss-sysinit-debuginfo-3.79-58.75.1 mozilla-nss-sysinit-debuginfo-32bit-3.79-58.75.1 mozilla-nss-tools-3.79-58.75.1 mozilla-nss-tools-debuginfo-3.79-58.75.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libfreebl3-3.79-58.75.1 libfreebl3-32bit-3.79-58.75.1 libfreebl3-debuginfo-3.79-58.75.1 libfreebl3-debuginfo-32bit-3.79-58.75.1 libfreebl3-hmac-3.79-58.75.1 libfreebl3-hmac-32bit-3.79-58.75.1 libsoftokn3-3.79-58.75.1 libsoftokn3-32bit-3.79-58.75.1 libsoftokn3-debuginfo-3.79-58.75.1 libsoftokn3-debuginfo-32bit-3.79-58.75.1 libsoftokn3-hmac-3.79-58.75.1 libsoftokn3-hmac-32bit-3.79-58.75.1 mozilla-nspr-32bit-4.34-19.21.1 mozilla-nspr-4.34-19.21.1 mozilla-nspr-debuginfo-32bit-4.34-19.21.1 mozilla-nspr-debuginfo-4.34-19.21.1 mozilla-nspr-debugsource-4.34-19.21.1 mozilla-nss-3.79-58.75.1 mozilla-nss-32bit-3.79-58.75.1 mozilla-nss-certs-3.79-58.75.1 mozilla-nss-certs-32bit-3.79-58.75.1 mozilla-nss-certs-debuginfo-3.79-58.75.1 mozilla-nss-certs-debuginfo-32bit-3.79-58.75.1 mozilla-nss-debuginfo-3.79-58.75.1 mozilla-nss-debuginfo-32bit-3.79-58.75.1 mozilla-nss-debugsource-3.79-58.75.1 mozilla-nss-sysinit-3.79-58.75.1 mozilla-nss-sysinit-32bit-3.79-58.75.1 mozilla-nss-sysinit-debuginfo-3.79-58.75.1 mozilla-nss-sysinit-debuginfo-32bit-3.79-58.75.1 mozilla-nss-tools-3.79-58.75.1 mozilla-nss-tools-debuginfo-3.79-58.75.1

References

#1191546 #1192079 #1192080 #1192086 #1192087

#1192228 #1193170 #1195040 #1198486 #1198980

#1200325 #1201298

Cross- CVE-2021-43527

CVSS scores:

CVE-2021-43527 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2021-43527 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:

SUSE Linux Enterprise Server 12-SP2-BCL

SUSE Linux Enterprise Server 12-SP3-BCL

SUSE Linux Enterprise Server 12-SP4-LTSS

SUSE Linux Enterprise Server 12-SP5

SUSE Linux Enterprise Server for SAP 12-SP4

SUSE Linux Enterprise Server for SAP Applications 12-SP5

SUSE Linux Enterprise Software Development Kit 12-SP5

SUSE OpenStack Cloud 9

SUSE OpenStack Cloud Crowbar 9

https://www.suse.com/security/cve/CVE-2021-43527.html

https://bugzilla.suse.com/1191546

https://bugzilla.suse.com/1192079

https://bugzilla.suse.com/1192080

https://bugzilla.suse.com/1192086

https://bugzilla.suse.com/1192087

https://bugzilla.suse.com/1192228

https://bugzilla.suse.com/1193170

https://bugzilla.suse.com/1195040

https://bugzilla.suse.com/1198486

https://bugzilla.suse.com/1198980

https://bugzilla.suse.com/1200325

https://bugzilla.suse.com/1201298

Severity
Announcement ID: SUSE-SU-2022:2536-1
Rating: moderate

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.