SUSE Security Update: Security update for mozilla-nss
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:2595-1
Rating:             important
References:         #1192079 #1192080 #1192086 #1192087 #1192228 
                    #1198486 #1200027 
Cross-References:   CVE-2022-31741
CVSS scores:
                    CVE-2022-31741 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Desktop 15-SP4
                    SUSE Linux Enterprise High Performance Computing 15-SP4
                    SUSE Linux Enterprise Module for Basesystem 15-SP4
                    SUSE Linux Enterprise Server 15-SP4
                    SUSE Linux Enterprise Server for SAP Applications 15-SP4
                    SUSE Manager Proxy 4.3
                    SUSE Manager Retail Branch Server 4.3
                    SUSE Manager Server 4.3
                    openSUSE Leap 15.4
______________________________________________________________________________

   An update that solves one vulnerability and has 6 fixes is
   now available.

Description:

   This update for mozilla-nss fixes the following issues:

   Various FIPS 140-3 related fixes were backported from SUSE Linux
   Enterprise 15 SP4:

   - Makes the PBKDF known answer test compliant with NIST SP800-132.
     (bsc#1192079).
   - FIPS: Add on-demand integrity tests through
     sftk_FIPSRepeatIntegrityCheck() (bsc#1198980).
   - FIPS: mark algorithms as approved/non-approved according to security
     policy (bsc#1191546, bsc#1201298).
   - FIPS: remove hard disabling of unapproved algorithms. This requirement
     is now fulfilled by the service level indicator (bsc#1200325).
   - Run test suite at build time, and make it pass (bsc#1198486).
   - FIPS: skip algorithms that are hard disabled in FIPS mode.
   - Prevent expired PayPalEE cert from failing the tests.
   - Allow checksumming to be disabled, but only if we entered FIPS mode due
     to NSS_FIPS being set, not if it came from /proc.
   - FIPS: Make the PBKDF known answer test compliant with NIST SP800-132.
   - Update FIPS validation string to version-release format.
   - FIPS: remove XCBC MAC from list of FIPS approved algorithms.
   - Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID for build.
   - FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080).
   - FIPS: allow testing of unapproved algorithms (bsc#1192228).
   - FIPS: add version indicators. (bmo#1729550, bsc#1192086).
   - FIPS: fix some secret clearing (bmo#1697303, bsc#1192087).

   Version update to NSS 3.79:

   - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
   - Update mercurial in clang-format docker image.
   - Use of uninitialized pointer in lg_init after alloc fail.
   - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
   - Add SECMOD_LockedModuleHasRemovableSlots.
   - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
   - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat
     extension alerts.
   - TLS 1.3 Server: Send protocol_version alert on unsupported
     ClientHello.legacy_version.
   - Correct invalid record inner and outer content type alerts.
   - NSS does not properly import or export pkcs12 files with large passwords
     and pkcs5v2 encoding.
   - improve error handling after nssCKFWInstance_CreateObjectHandle.
   - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
   - NSS 3.79 should depend on NSPR 4.34

   Version update to NSS 3.78.1:

   - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple

   Version update to NSS 3.78:

   - Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length
     record/fragment handling tests.
   - Reworked overlong record size checks and added TLS1.3 specific
     boundaries.
   - Add ECH Grease Support to tstclnt
   - Add a strict variant of moz::pkix::CheckCertHostname.
   - Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
   - Make SEC_PKCS12EnableCipher succeed
   - Update zlib in NSS to 1.2.12.

   Version update to NSS 3.77:

   - Fix link to TLS page on wireshark wiki
   - Add two D-TRUST 2020 root certificates.
   - Add Telia Root CA v2 root certificate.
   - Remove expired explicitly distrusted certificates from certdata.txt.
   - support specific RSA-PSS parameters in mozilla::pkix
   - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
   - Remove token member from NSSSlot struct.
   - Provide secure variants of mpp_pprime and mpp_make_prime.
   - Support UTF-8 library path in the module spec string.
   - Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
   - Update googletest to 1.11.0
   - Add SetTls13GreaseEchSize to experimental API.
   - TLS 1.3 Illegal legacy_version handling/alerts.
   - Fix calculation of ECH HRR Transcript.
   - Allow ld path to be set as environment variable.
   - Ensure we don't read uninitialized memory in ssl gtests.
   - Fix DataBuffer Move Assignment.
   - internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3
   - rework signature verification in mozilla::pkix

   Version update to NSS 3.76.1

   - Remove token member from NSSSlot struct.
   - Hold tokensLock through nssToken_GetSlot calls in
     nssTrustDomain_GetActiveSlots.
   - Check return value of PK11Slot_GetNSSToken.
   - Use Wycheproof JSON for RSASSA-PSS
   - Add SHA256 fingerprint comments to old certdata.txt entries.
   - Avoid truncating files in nss-release-helper.py.
   - Throw illegal_parameter alert for illegal extensions in handshake
     message.

   Version update to NSS 3.75

   - Make DottedOIDToCode.py compatible with python3.
   - Avoid undefined shift in SSL_CERT_IS while fuzzing.
   - Remove redundant key type check.
   - Update ABI expectations to match ECH changes.
   - Enable CKM_CHACHA20.
   - check return on NSS_NoDB_Init and NSS_Shutdown.
   - Run ECDSA test vectors from bltest as part of the CI tests.
   - Add ECDSA test vectors to the bltest command line tool.
   - Allow to build using clang's integrated assembler.
   - Allow to override python for the build.
   - test HKDF output rather than input.
   - Use ASSERT macros to end failed tests early.
   - move assignment operator for DataBuffer.
   - Add test cases for ECH compression and unexpected extensions in SH.
   - Update tests for ECH-13.
   - Tidy up error handling.
   - Add tests for ECH HRR Changes.
   - Server only sends GREASE HRR extension if enabled by preference.
   - Update generation of the Associated Data for ECH-13.
   - When ECH is accepted, reject extensions which were only advertised in
     the Outer Client Hello.
   - Allow for compressed, non-contiguous, extensions.
   - Scramble the PSK extension in CHOuter.
   - Split custom extension handling for ECH.
   - Add ECH-13 HRR Handling.
   - Client side ECH padding.
   - Stricter ClientHelloInner Decompression.
   - Remove ECH_inner extension, use new enum format.
   - Update the version number for ECH-13 and adjust the ECHConfig size.

   Version update to NSS 3.74

   - mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses
   - Ensure clients offer consistent ciphersuites after HRR
   - NSS does not properly restrict server keys based on policy
   - Set nssckbi version number to 2.54
   - Replace Google Trust Services LLC (GTS) R4 root certificate
   - Replace Google Trust Services LLC (GTS) R3 root certificate
   - Replace Google Trust Services LLC (GTS) R2 root certificate
   - Replace Google Trust Services LLC (GTS) R1 root certificate
   - Replace GlobalSign ECC Root CA R4
   - Remove Expired Root Certificates - DST Root CA X3
   - Remove Expiring Cybertrust Global Root and GlobalSign root certificates
   - Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068
     root certificate
   - Add iTrusChina ECC root certificate
   - Add iTrusChina RSA root certificate
   - Add ISRG Root X2 root certificate
   - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
   - Avoid a clang 13 unused variable warning in opt build
   - Check for missing signedData field
   - Ensure DER encoded signatures are within size limits

   - enable key logging option (boo#1195040)

   Version update to NSS 3.73.1:

   - Add SHA-2 support to mozilla::pkix's OSCP implementation

   Version update to NSS 3.73

   - check for missing signedData field.
   - Ensure DER encoded signatures are within size limits.
   - NSS needs FiPS 140-3 version indicators.
   - pkix_CacheCert_Lookup doesn't return cached certs
   - sunset Coverity from NSS

   Fixed MFSA 2021-51 (bsc#1193170) CVE-2021-43527: Memory corruption via
   DER-encoded DSA and RSA-PSS signatures

   Version update to NSS 3.72

   - Fix nsinstall parallel failure.
   - Increase KDF cache size to mitigate perf regression in about:logins

   Version update to NSS 3.71

   - Set nssckbi version number to 2.52.
   - Respect server requirements of
     tlsfuzzer/test-tls13-signature-algorithms.py
   - Import of PKCS#12 files with Camellia encryption is not supported
   - Add HARICA Client ECC Root CA 2021.
   - Add HARICA Client RSA Root CA 2021.
   - Add HARICA TLS ECC Root CA 2021.
   - Add HARICA TLS RSA Root CA 2021.
   - Add TunTrust Root CA certificate to NSS.

   Version update to NSS 3.70

   - Update test case to verify fix.
   - Explicitly disable downgrade check in
     TlsConnectStreamTls13.EchOuterWith12Max
   - Explicitly disable downgrade check in
     TlsConnectTest.DisableFalseStartOnFallback
   - Avoid using a lookup table in nssb64d.
   - Use HW accelerated SHA2 on AArch64 Big Endian.
   - Change default value of enableHelloDowngradeCheck to true.
   - Cache additional PBE entries.
   - Read HPKE vectors from official JSON.

   Version update to NSS 3.69.1:

   - Disable DTLS 1.0 and 1.1 by default
   - integrity checks in key4.db not happening on private components with
     AES_CBC

   NSS 3.69:

   - Disable DTLS 1.0 and 1.1 by default (backed out again)
   - integrity checks in key4.db not happening on private components with
     AES_CBC (backed out again)
   - SSL handling of signature algorithms ignores environmental invalid
     algorithms.
   - sqlite 3.34 changed it's open semantics, causing nss failures.
   - Gtest update changed the gtest reports, losing gtest details in all.sh
     reports.
   - NSS incorrectly accepting 1536 bit DH primes in FIPS mode
   - SQLite calls could timeout in starvation situations.
   - Coverity/cpp scanner errors found in nss 3.67
   - Import the NSS documentation from MDN in nss/doc.
   - NSS using a tempdir to measure sql performance not active

   Version Update to 3.68.4 (bsc#1200027)

   - CVE-2022-31741: Initialize pointers passed to
     NSS_CMSDigestContext_FinishMultiple.  (bmo#1767590)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.4:

      zypper in -t patch openSUSE-SLE-15.4-2022-2595=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP4:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2022-2595=1



Package List:

   - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):

      libfreebl3-3.79-150400.3.7.1
      libfreebl3-debuginfo-3.79-150400.3.7.1
      libfreebl3-hmac-3.79-150400.3.7.1
      libsoftokn3-3.79-150400.3.7.1
      libsoftokn3-debuginfo-3.79-150400.3.7.1
      libsoftokn3-hmac-3.79-150400.3.7.1
      mozilla-nss-3.79-150400.3.7.1
      mozilla-nss-certs-3.79-150400.3.7.1
      mozilla-nss-certs-debuginfo-3.79-150400.3.7.1
      mozilla-nss-debuginfo-3.79-150400.3.7.1
      mozilla-nss-debugsource-3.79-150400.3.7.1
      mozilla-nss-devel-3.79-150400.3.7.1
      mozilla-nss-sysinit-3.79-150400.3.7.1
      mozilla-nss-sysinit-debuginfo-3.79-150400.3.7.1
      mozilla-nss-tools-3.79-150400.3.7.1
      mozilla-nss-tools-debuginfo-3.79-150400.3.7.1

   - openSUSE Leap 15.4 (x86_64):

      libfreebl3-32bit-3.79-150400.3.7.1
      libfreebl3-32bit-debuginfo-3.79-150400.3.7.1
      libfreebl3-hmac-32bit-3.79-150400.3.7.1
      libsoftokn3-32bit-3.79-150400.3.7.1
      libsoftokn3-32bit-debuginfo-3.79-150400.3.7.1
      libsoftokn3-hmac-32bit-3.79-150400.3.7.1
      mozilla-nss-32bit-3.79-150400.3.7.1
      mozilla-nss-32bit-debuginfo-3.79-150400.3.7.1
      mozilla-nss-certs-32bit-3.79-150400.3.7.1
      mozilla-nss-certs-32bit-debuginfo-3.79-150400.3.7.1
      mozilla-nss-sysinit-32bit-3.79-150400.3.7.1
      mozilla-nss-sysinit-32bit-debuginfo-3.79-150400.3.7.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP4 (aarch64 ppc64le s390x x86_64):

      libfreebl3-3.79-150400.3.7.1
      libfreebl3-debuginfo-3.79-150400.3.7.1
      libfreebl3-hmac-3.79-150400.3.7.1
      libsoftokn3-3.79-150400.3.7.1
      libsoftokn3-debuginfo-3.79-150400.3.7.1
      libsoftokn3-hmac-3.79-150400.3.7.1
      mozilla-nss-3.79-150400.3.7.1
      mozilla-nss-certs-3.79-150400.3.7.1
      mozilla-nss-certs-debuginfo-3.79-150400.3.7.1
      mozilla-nss-debuginfo-3.79-150400.3.7.1
      mozilla-nss-debugsource-3.79-150400.3.7.1
      mozilla-nss-devel-3.79-150400.3.7.1
      mozilla-nss-sysinit-3.79-150400.3.7.1
      mozilla-nss-sysinit-debuginfo-3.79-150400.3.7.1
      mozilla-nss-tools-3.79-150400.3.7.1
      mozilla-nss-tools-debuginfo-3.79-150400.3.7.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP4 (x86_64):

      libfreebl3-32bit-3.79-150400.3.7.1
      libfreebl3-32bit-debuginfo-3.79-150400.3.7.1
      libfreebl3-hmac-32bit-3.79-150400.3.7.1
      libsoftokn3-32bit-3.79-150400.3.7.1
      libsoftokn3-32bit-debuginfo-3.79-150400.3.7.1
      libsoftokn3-hmac-32bit-3.79-150400.3.7.1
      mozilla-nss-32bit-3.79-150400.3.7.1
      mozilla-nss-32bit-debuginfo-3.79-150400.3.7.1
      mozilla-nss-certs-32bit-3.79-150400.3.7.1
      mozilla-nss-certs-32bit-debuginfo-3.79-150400.3.7.1


References:

   https://www.suse.com/security/cve/CVE-2022-31741.html
   https://bugzilla.suse.com/1192079
   https://bugzilla.suse.com/1192080
   https://bugzilla.suse.com/1192086
   https://bugzilla.suse.com/1192087
   https://bugzilla.suse.com/1192228
   https://bugzilla.suse.com/1198486
   https://bugzilla.suse.com/1200027

SUSE: 2022:2595-1 important: mozilla-nss

July 29, 2022
An update that solves one vulnerability and has 6 fixes is now available

Summary

This update for mozilla-nss fixes the following issues: Various FIPS 140-3 related fixes were backported from SUSE Linux Enterprise 15 SP4: - Makes the PBKDF known answer test compliant with NIST SP800-132. (bsc#1192079). - FIPS: Add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck() (bsc#1198980). - FIPS: mark algorithms as approved/non-approved according to security policy (bsc#1191546, bsc#1201298). - FIPS: remove hard disabling of unapproved algorithms. This requirement is now fulfilled by the service level indicator (bsc#1200325). - Run test suite at build time, and make it pass (bsc#1198486). - FIPS: skip algorithms that are hard disabled in FIPS mode. - Prevent expired PayPalEE cert from failing the tests. - Allow checksumming to be disabled, but only if we entered FIPS mode due to NSS_FIPS being set, not if it came from /proc. - FIPS: Make the PBKDF known answer test compliant with NIST SP800-132. - Update FIPS validation string to version-release format. - FIPS: remove XCBC MAC from list of FIPS approved algorithms. - Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID for build. - FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080). - FIPS: allow testing of unapproved algorithms (bsc#1192228). - FIPS: add version indicators. (bmo#1729550, bsc#1192086). - FIPS: fix some secret clearing (bmo#1697303, bsc#1192087). Version update to NSS 3.79: - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls. - Update mercurial in clang-format docker image. - Use of uninitialized pointer in lg_init after alloc fail. - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo. - Add SECMOD_LockedModuleHasRemovableSlots. - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP. - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts. - TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version. - Correct invalid record inner and outer content type alerts. - NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding. - improve error handling after nssCKFWInstance_CreateObjectHandle. - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. - NSS 3.79 should depend on NSPR 4.34 Version update to NSS 3.78.1: - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple Version update to NSS 3.78: - Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests. - Reworked overlong record size checks and added TLS1.3 specific boundaries. - Add ECH Grease Support to tstclnt - Add a strict variant of moz::pkix::CheckCertHostname. - Change SSL_REUSE_SERVER_ECDHE_KEY default to false. - Make SEC_PKCS12EnableCipher succeed - Update zlib in NSS to 1.2.12. Version update to NSS 3.77: - Fix link to TLS page on wireshark wiki - Add two D-TRUST 2020 root certificates. - Add Telia Root CA v2 root certificate. - Remove expired explicitly distrusted certificates from certdata.txt. - support specific RSA-PSS parameters in mozilla::pkix - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate. - Remove token member from NSSSlot struct. - Provide secure variants of mpp_pprime and mpp_make_prime. - Support UTF-8 library path in the module spec string. - Update nssUTF8_Length to RFC 3629 and fix buffer overrun. - Update googletest to 1.11.0 - Add SetTls13GreaseEchSize to experimental API. - TLS 1.3 Illegal legacy_version handling/alerts. - Fix calculation of ECH HRR Transcript. - Allow ld path to be set as environment variable. - Ensure we don't read uninitialized memory in ssl gtests. - Fix DataBuffer Move Assignment. - internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3 - rework signature verification in mozilla::pkix Version update to NSS 3.76.1 - Remove token member from NSSSlot struct. - Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots. - Check return value of PK11Slot_GetNSSToken. - Use Wycheproof JSON for RSASSA-PSS - Add SHA256 fingerprint comments to old certdata.txt entries. - Avoid truncating files in nss-release-helper.py. - Throw illegal_parameter alert for illegal extensions in handshake message. Version update to NSS 3.75 - Make DottedOIDToCode.py compatible with python3. - Avoid undefined shift in SSL_CERT_IS while fuzzing. - Remove redundant key type check. - Update ABI expectations to match ECH changes. - Enable CKM_CHACHA20. - check return on NSS_NoDB_Init and NSS_Shutdown. - Run ECDSA test vectors from bltest as part of the CI tests. - Add ECDSA test vectors to the bltest command line tool. - Allow to build using clang's integrated assembler. - Allow to override python for the build. - test HKDF output rather than input. - Use ASSERT macros to end failed tests early. - move assignment operator for DataBuffer. - Add test cases for ECH compression and unexpected extensions in SH. - Update tests for ECH-13. - Tidy up error handling. - Add tests for ECH HRR Changes. - Server only sends GREASE HRR extension if enabled by preference. - Update generation of the Associated Data for ECH-13. - When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello. - Allow for compressed, non-contiguous, extensions. - Scramble the PSK extension in CHOuter. - Split custom extension handling for ECH. - Add ECH-13 HRR Handling. - Client side ECH padding. - Stricter ClientHelloInner Decompression. - Remove ECH_inner extension, use new enum format. - Update the version number for ECH-13 and adjust the ECHConfig size. Version update to NSS 3.74 - mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses - Ensure clients offer consistent ciphersuites after HRR - NSS does not properly restrict server keys based on policy - Set nssckbi version number to 2.54 - Replace Google Trust Services LLC (GTS) R4 root certificate - Replace Google Trust Services LLC (GTS) R3 root certificate - Replace Google Trust Services LLC (GTS) R2 root certificate - Replace Google Trust Services LLC (GTS) R1 root certificate - Replace GlobalSign ECC Root CA R4 - Remove Expired Root Certificates - DST Root CA X3 - Remove Expiring Cybertrust Global Root and GlobalSign root certificates - Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate - Add iTrusChina ECC root certificate - Add iTrusChina RSA root certificate - Add ISRG Root X2 root certificate - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate - Avoid a clang 13 unused variable warning in opt build - Check for missing signedData field - Ensure DER encoded signatures are within size limits - enable key logging option (boo#1195040) Version update to NSS 3.73.1: - Add SHA-2 support to mozilla::pkix's OSCP implementation Version update to NSS 3.73 - check for missing signedData field. - Ensure DER encoded signatures are within size limits. - NSS needs FiPS 140-3 version indicators. - pkix_CacheCert_Lookup doesn't return cached certs - sunset Coverity from NSS Fixed MFSA 2021-51 (bsc#1193170) CVE-2021-43527: Memory corruption via DER-encoded DSA and RSA-PSS signatures Version update to NSS 3.72 - Fix nsinstall parallel failure. - Increase KDF cache size to mitigate perf regression in about:logins Version update to NSS 3.71 - Set nssckbi version number to 2.52. - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py - Import of PKCS#12 files with Camellia encryption is not supported - Add HARICA Client ECC Root CA 2021. - Add HARICA Client RSA Root CA 2021. - Add HARICA TLS ECC Root CA 2021. - Add HARICA TLS RSA Root CA 2021. - Add TunTrust Root CA certificate to NSS. Version update to NSS 3.70 - Update test case to verify fix. - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback - Avoid using a lookup table in nssb64d. - Use HW accelerated SHA2 on AArch64 Big Endian. - Change default value of enableHelloDowngradeCheck to true. - Cache additional PBE entries. - Read HPKE vectors from official JSON. Version update to NSS 3.69.1: - Disable DTLS 1.0 and 1.1 by default - integrity checks in key4.db not happening on private components with AES_CBC NSS 3.69: - Disable DTLS 1.0 and 1.1 by default (backed out again) - integrity checks in key4.db not happening on private components with AES_CBC (backed out again) - SSL handling of signature algorithms ignores environmental invalid algorithms. - sqlite 3.34 changed it's open semantics, causing nss failures. - Gtest update changed the gtest reports, losing gtest details in all.sh reports. - NSS incorrectly accepting 1536 bit DH primes in FIPS mode - SQLite calls could timeout in starvation situations. - Coverity/cpp scanner errors found in nss 3.67 - Import the NSS documentation from MDN in nss/doc. - NSS using a tempdir to measure sql performance not active Version Update to 3.68.4 (bsc#1200027) - CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. (bmo#1767590) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.4: zypper in -t patch openSUSE-SLE-15.4-2022-2595=1 - SUSE Linux Enterprise Module for Basesystem 15-SP4: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2022-2595=1 Package List: - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64): libfreebl3-3.79-150400.3.7.1 libfreebl3-debuginfo-3.79-150400.3.7.1 libfreebl3-hmac-3.79-150400.3.7.1 libsoftokn3-3.79-150400.3.7.1 libsoftokn3-debuginfo-3.79-150400.3.7.1 libsoftokn3-hmac-3.79-150400.3.7.1 mozilla-nss-3.79-150400.3.7.1 mozilla-nss-certs-3.79-150400.3.7.1 mozilla-nss-certs-debuginfo-3.79-150400.3.7.1 mozilla-nss-debuginfo-3.79-150400.3.7.1 mozilla-nss-debugsource-3.79-150400.3.7.1 mozilla-nss-devel-3.79-150400.3.7.1 mozilla-nss-sysinit-3.79-150400.3.7.1 mozilla-nss-sysinit-debuginfo-3.79-150400.3.7.1 mozilla-nss-tools-3.79-150400.3.7.1 mozilla-nss-tools-debuginfo-3.79-150400.3.7.1 - openSUSE Leap 15.4 (x86_64): libfreebl3-32bit-3.79-150400.3.7.1 libfreebl3-32bit-debuginfo-3.79-150400.3.7.1 libfreebl3-hmac-32bit-3.79-150400.3.7.1 libsoftokn3-32bit-3.79-150400.3.7.1 libsoftokn3-32bit-debuginfo-3.79-150400.3.7.1 libsoftokn3-hmac-32bit-3.79-150400.3.7.1 mozilla-nss-32bit-3.79-150400.3.7.1 mozilla-nss-32bit-debuginfo-3.79-150400.3.7.1 mozilla-nss-certs-32bit-3.79-150400.3.7.1 mozilla-nss-certs-32bit-debuginfo-3.79-150400.3.7.1 mozilla-nss-sysinit-32bit-3.79-150400.3.7.1 mozilla-nss-sysinit-32bit-debuginfo-3.79-150400.3.7.1 - SUSE Linux Enterprise Module for Basesystem 15-SP4 (aarch64 ppc64le s390x x86_64): libfreebl3-3.79-150400.3.7.1 libfreebl3-debuginfo-3.79-150400.3.7.1 libfreebl3-hmac-3.79-150400.3.7.1 libsoftokn3-3.79-150400.3.7.1 libsoftokn3-debuginfo-3.79-150400.3.7.1 libsoftokn3-hmac-3.79-150400.3.7.1 mozilla-nss-3.79-150400.3.7.1 mozilla-nss-certs-3.79-150400.3.7.1 mozilla-nss-certs-debuginfo-3.79-150400.3.7.1 mozilla-nss-debuginfo-3.79-150400.3.7.1 mozilla-nss-debugsource-3.79-150400.3.7.1 mozilla-nss-devel-3.79-150400.3.7.1 mozilla-nss-sysinit-3.79-150400.3.7.1 mozilla-nss-sysinit-debuginfo-3.79-150400.3.7.1 mozilla-nss-tools-3.79-150400.3.7.1 mozilla-nss-tools-debuginfo-3.79-150400.3.7.1 - SUSE Linux Enterprise Module for Basesystem 15-SP4 (x86_64): libfreebl3-32bit-3.79-150400.3.7.1 libfreebl3-32bit-debuginfo-3.79-150400.3.7.1 libfreebl3-hmac-32bit-3.79-150400.3.7.1 libsoftokn3-32bit-3.79-150400.3.7.1 libsoftokn3-32bit-debuginfo-3.79-150400.3.7.1 libsoftokn3-hmac-32bit-3.79-150400.3.7.1 mozilla-nss-32bit-3.79-150400.3.7.1 mozilla-nss-32bit-debuginfo-3.79-150400.3.7.1 mozilla-nss-certs-32bit-3.79-150400.3.7.1 mozilla-nss-certs-32bit-debuginfo-3.79-150400.3.7.1

References

#1192079 #1192080 #1192086 #1192087 #1192228

#1198486 #1200027

Cross- CVE-2022-31741

CVSS scores:

CVE-2022-31741 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products:

SUSE Linux Enterprise Desktop 15-SP4

SUSE Linux Enterprise High Performance Computing 15-SP4

SUSE Linux Enterprise Module for Basesystem 15-SP4

SUSE Linux Enterprise Server 15-SP4

SUSE Linux Enterprise Server for SAP Applications 15-SP4

SUSE Manager Proxy 4.3

SUSE Manager Retail Branch Server 4.3

SUSE Manager Server 4.3

openSUSE Leap 15.4

https://www.suse.com/security/cve/CVE-2022-31741.html

https://bugzilla.suse.com/1192079

https://bugzilla.suse.com/1192080

https://bugzilla.suse.com/1192086

https://bugzilla.suse.com/1192087

https://bugzilla.suse.com/1192228

https://bugzilla.suse.com/1198486

https://bugzilla.suse.com/1200027

Severity
Announcement ID: SUSE-SU-2022:2595-1
Rating: important

Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved