

# Security update for mozilla-nss

Announcement ID: SUSE-SU-2024:2600-1  
Rating: moderate  
References:

  * bsc#1214980
  * bsc#1222804
  * bsc#1222807
  * bsc#1222811
  * bsc#1222813
  * bsc#1222814
  * bsc#1222821
  * bsc#1222822
  * bsc#1222826
  * bsc#1222828
  * bsc#1222830
  * bsc#1222833
  * bsc#1222834
  * bsc#1224113
  * bsc#1224115
  * bsc#1224116
  * bsc#1224118

  
Cross-References:

  * CVE-2023-5388

  
CVSS scores:

  * CVE-2023-5388 ( SUSE ):  6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

  
Affected Products:

  * SUSE Enterprise Storage 7.1
  * SUSE Linux Enterprise High Performance Computing 15 SP2
  * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
  * SUSE Linux Enterprise High Performance Computing 15 SP3
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
  * SUSE Linux Enterprise Micro 5.1
  * SUSE Linux Enterprise Micro 5.2
  * SUSE Linux Enterprise Micro for Rancher 5.2
  * SUSE Linux Enterprise Server 15 SP2
  * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
  * SUSE Linux Enterprise Server 15 SP3
  * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
  * SUSE Linux Enterprise Server for SAP Applications 15 SP2
  * SUSE Linux Enterprise Server for SAP Applications 15 SP3

  
  
An update that solves one vulnerability and has 16 security fixes can now be
installed.

## Description:

This update for mozilla-nss fixes the following issues:

  * FIPS: Added more safe memset (bsc#1222811).
  * FIPS: Adjusted AES GCM restrictions (bsc#1222830).
  * FIPS: Adjusted approved ciphers (bsc#1222813, bsc#1222814, bsc#1222821,
    bsc#1222822, bsc#1224118, bsc#1222807, bsc#1222828, bsc#1222834,
    bsc#1222804, bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115,
    bsc#1224116).

Update to NSS 3.101.1:

  * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.

update to NSS 3.101:

  * add diagnostic assertions for SFTKObject refcount.
  * freeing the slot in DeleteCertAndKey if authentication failed
  * fix formatting issues.
  * Add Firmaprofesional CA Root-A Web to NSS.
  * remove invalid acvp fuzz test vectors.
  * pad short P-384 and P-521 signatures gtests.
  * remove unused FreeBL ECC code.
  * pad short P-384 and P-521 signatures.
  * be less strict about ECDSA private key length.
  * Integrate HACL* P-521.
  * Integrate HACL* P-384.
  * memory leak in create_objects_from_handles.
  * ensure all input is consumed in a few places in mozilla::pkix
  * SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
  * clean up escape handling
  * Use lib::pkix as default validator instead of the old-one
  * Need to add high level support for PQ signing.
  * Certificate Compression: changing the allocation/freeing of buffer +
    Improving the documentation
  * SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
  * Allow for non-full length ecdsa signature when using softoken
  * Modification of .taskcluster.yml due to mozlint indent defects
  * Implement support for PBMAC1 in PKCS#12
  * disable VLA warnings for fuzz builds.
  * remove redundant AllocItem implementation.
  * add PK11_ReadDistrustAfterAttribute.
  *     * Clang-formatting of SEC_GetMgfTypeByOidTag update
  * Set SEC_ERROR_LIBRARY_FAILURE on self-test failure
  * sftk_getParameters(): Fix fallback to default variable after error with
    configfile.
  * Switch to the mozillareleases/image_builder image

  * switch from ec_field_GFp to ec_field_plain

Update to NSS 3.100:

  * merge pk11_kyberSlotList into pk11_ecSlotList for faster Xyber operations.
  * remove ckcapi.
  * avoid a potential PK11GenericObject memory leak.
  * Remove incomplete ESDH code.
  * Decrypt RSA OAEP encrypted messages.
  * Fix certutil CRLDP URI code.
  * Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys.
  * Add ability to encrypt and decrypt CMS messages using ECDH.
  * Correct Templates for key agreement in smime/cmsasn.c.
  * Moving the decodedCert allocation to NSS.
  * Allow developers to speed up repeated local execution of NSS tests that
    depend on certificates.

Update to NSS 3.99:

  * Removing check for message len in ed25519 (bmo#1325335)
  * add ed25519 to SECU_ecName2params. (bmo#1884276)
  * add EdDSA wycheproof tests. (bmo#1325335)
  * nss/lib layer code for EDDSA. (bmo#1325335)
  * Adding EdDSA implementation. (bmo#1325335)
  * Exporting Certificate Compression types (bmo#1881027)
  * Updating ACVP docker to rust 1.74 (bmo#1880857)
  * Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335)
  * Add NSS_CMSRecipient_IsSupported. (bmo#1877730)

Update to NSS 3.98:

  * (CVE-2023-5388) Timing attack against RSA decryption in TLS
  * Certificate Compression: enabling the check that the compression was
    advertised
  * Move Windows workers to nss-1/b-win2022-alpha
  * Remove Email trust bit from OISTE WISeKey Global Root GC CA
  * Replace `distutils.spawn.find_executable` with `shutil.which` within `mach`
    in `nss`
  * Certificate Compression: Updating nss_bogo_shim to support Certificate
    compression
  * TLS Certificate Compression (RFC 8879) Implementation
  * Add valgrind annotations to freebl kyber operations for constant-time
    execution tests
  * Set nssckbi version number to 2.66
  * Add Telekom Security roots
  * Add D-Trust 2022 S/MIME roots
  * Remove expired Security Communication RootCA1 root
  * move keys to a slot that supports concatenation in PK11_ConcatSymKeys
  * remove unmaintained tls-interop tests
  * bogo: add support for the -ipv6 and -shim-id shim flags
  * bogo: add support for the -curves shim flag and update Kyber expectations
  * bogo: adjust expectation for a key usage bit test
  * mozpkix: add option to ignore invalid subject alternative names
  * Fix selfserv not stripping `publicname:` from -X value
  * take ownership of ecckilla shims
  * add valgrind annotations to freebl/ec.c
  * PR_INADDR_ANY needs PR_htonl before assignment to inet.ip
  * Update zlib to 1.3.1

Update to NSS 3.97:

  * make Xyber768d00 opt-in by policy
  * add libssl support for xyber768d00
  * add PK11_ConcatSymKeys
  * add Kyber and a PKCS#11 KEM interface to softoken
  * add a FreeBL API for Kyber
  * part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff
  * part 1: add a script for vendoring kyber from pq-crystals repo
  * Removing the calls to RSA Blind from loader.*
  * fix worker type for level3 mac tasks
  * RSA Blind implementation
  * Remove DSA selftests
  * read KWP testvectors from JSON
  * Backed out changeset dcb174139e4f
  * Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation
  * Wrap CC shell commands in gyp expansions

Update to NSS 3.96.1:

  * Use pypi dependencies for MacOS worker in ./build_gyp.sh
  * p7sign: add -a hash and -u certusage (also p7verify cleanups)
  * add a defensive check for large ssl_DefSend return values
  * Add dependency to the taskcluster script for Darwin
  * Upgrade version of the MacOS worker for the CI

Update to NSS 3.95:

  * Bump builtins version number.
  * Remove Email trust bit from Autoridad de Certificacion Firmaprofesional CIF
    A62634068 root cert.
  * Remove 4 DigiCert (Symantec/Verisign) Root Certificates
  * Remove 3 TrustCor Root Certificates from NSS.
  * Remove Camerfirma root certificates from NSS.
  * Remove old Autoridad de Certificacion Firmaprofesional Certificate.
  * Add four Commscope root certificates to NSS.
  * Add TrustAsia Global Root CA G3 and G4 root certificates.
  * Include P-384 and P-521 Scalar Validation from HACL*
  * Include P-256 Scalar Validation from HACL*.
  * After the HACL 256 ECC patch, NSS incorrectly encodes 256 ECC without DER
    wrapping at the softoken level
  * Add means to provide library parameters to C_Initialize
  * add OSXSAVE and XCR0 tests to AVX2 detection.
  * Typo in ssl3_AppendHandshakeNumber
  * Introducing input check of ssl3_AppendHandshakeNumber
  * Fix Invalid casts in instance.c

Update to NSS 3.94:

  * Updated code and commit ID for HACL*
  * update ACVP fuzzed test vector: refuzzed with current NSS
  * Softoken C_ calls should use system FIPS setting to select NSC_ or FC_
    variants
  * NSS needs a database tool that can dump the low level representation of the
    database
  * declare string literals using char in pkixnames_tests.cpp
  * avoid implicit conversion for ByteString
  * update rust version for acvp docker
  * Moving the init function of the mpi_ints before clean-up in ec.c
  * P-256 ECDH and ECDSA from HACL*
  * Add ACVP test vectors to the repository
  * Stop relying on std::basic_string
  * Transpose the PPC_ABI check from Makefile to gyp

Update to NSS 3.93:

  * Update zlib in NSS to 1.3.
  * softoken: iterate hashUpdate calls for long inputs.
  * regenerate NameConstraints test certificates (bsc#1214980).

Update to NSS 3.92:

  * Set nssckbi version number to 2.62
  * Add 4 Atos TrustedRoot Root CA certificates to NSS
  * Add 4 SSL.com Root CA certificates
  * Add Sectigo E46 and R46 Root CA certificates
  * Add LAWtrust Root CA2 (4096)
  * Remove E-Tugra Certification Authority root
  * Remove Camerfirma Chambers of Commerce Root.
  * Remove Hongkong Post Root CA 1
  * Remove E-Tugra Global Root CA ECC v3 and RSA v3
  * Avoid redefining BYTE_ORDER on hppa Linux

Update to NSS 3.91:

  * Implementation of the HW support check for ADX instruction
  * Removing the support of Curve25519
  * Fix comment about the addition of ticketSupportsEarlyData
  * Adding args to enable-legacy-db build
  * dbtests.sh failure in "certutil dump keys with explicit default trust flags"
  * Initialize flags in slot structures
  * Improve the length check of RSA input to avoid heap overflow
  * Followup Fixes
  * avoid processing unexpected inputs by checking for m_exptmod base sign
  * add a limit check on order_k to avoid infinite loop
  * Update HACL* to commit 5f6051d2
  * add SHA3 to cryptohi and softoken
  * HACL SHA3
  * Disabling ASM C25519 for A but X86_64

Update to NSS 3.90.3:

  * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
  * clean up escape handling.
  * remove redundant AllocItem implementation.
  * Disable ASM support for Curve25519.
  * Disable ASM support for Curve25519 for all but X86_64.

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-2600=1

  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-2600=1

  * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2  
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-2600=1

  * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3  
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-2600=1

  * SUSE Linux Enterprise Server for SAP Applications 15 SP2  
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2024-2600=1

  * SUSE Linux Enterprise Server for SAP Applications 15 SP3  
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2024-2600=1

  * SUSE Enterprise Storage 7.1  
    zypper in -t patch SUSE-Storage-7.1-2024-2600=1

  * SUSE Linux Enterprise Micro 5.1  
    zypper in -t patch SUSE-SUSE-MicroOS-5.1-2024-2600=1

  * SUSE Linux Enterprise Micro 5.2  
    zypper in -t patch SUSE-SUSE-MicroOS-5.2-2024-2600=1

  * SUSE Linux Enterprise Micro for Rancher 5.2  
    zypper in -t patch SUSE-SUSE-MicroOS-5.2-2024-2600=1

## Package List:

  * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (aarch64
    x86_64)
    * libfreebl3-3.101.1-150000.3.117.1
    * libsoftokn3-3.101.1-150000.3.117.1
    * mozilla-nss-certs-3.101.1-150000.3.117.1
    * mozilla-nss-debugsource-3.101.1-150000.3.117.1
    * mozilla-nss-devel-3.101.1-150000.3.117.1
    * mozilla-nss-tools-3.101.1-150000.3.117.1
    * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-3.101.1-150000.3.117.1
    * libsoftokn3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (x86_64)
    * mozilla-nss-certs-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-3.101.1-150000.3.117.1
    * libfreebl3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-certs-32bit-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64
    x86_64)
    * libfreebl3-3.101.1-150000.3.117.1
    * libsoftokn3-3.101.1-150000.3.117.1
    * mozilla-nss-certs-3.101.1-150000.3.117.1
    * mozilla-nss-debugsource-3.101.1-150000.3.117.1
    * mozilla-nss-devel-3.101.1-150000.3.117.1
    * mozilla-nss-tools-3.101.1-150000.3.117.1
    * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-3.101.1-150000.3.117.1
    * libsoftokn3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (x86_64)
    * mozilla-nss-sysinit-32bit-3.101.1-150000.3.117.1
    * mozilla-nss-certs-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-3.101.1-150000.3.117.1
    * libfreebl3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-certs-32bit-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (aarch64 ppc64le s390x
    x86_64)
    * libfreebl3-3.101.1-150000.3.117.1
    * libsoftokn3-3.101.1-150000.3.117.1
    * mozilla-nss-certs-3.101.1-150000.3.117.1
    * mozilla-nss-debugsource-3.101.1-150000.3.117.1
    * mozilla-nss-devel-3.101.1-150000.3.117.1
    * mozilla-nss-tools-3.101.1-150000.3.117.1
    * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-3.101.1-150000.3.117.1
    * libsoftokn3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (x86_64)
    * mozilla-nss-certs-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-3.101.1-150000.3.117.1
    * libfreebl3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-certs-32bit-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 ppc64le s390x
    x86_64)
    * libfreebl3-3.101.1-150000.3.117.1
    * libsoftokn3-3.101.1-150000.3.117.1
    * mozilla-nss-certs-3.101.1-150000.3.117.1
    * mozilla-nss-debugsource-3.101.1-150000.3.117.1
    * mozilla-nss-devel-3.101.1-150000.3.117.1
    * mozilla-nss-tools-3.101.1-150000.3.117.1
    * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-3.101.1-150000.3.117.1
    * libsoftokn3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (x86_64)
    * mozilla-nss-sysinit-32bit-3.101.1-150000.3.117.1
    * mozilla-nss-certs-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-3.101.1-150000.3.117.1
    * libfreebl3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-certs-32bit-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP2 (ppc64le x86_64)
    * libfreebl3-3.101.1-150000.3.117.1
    * libsoftokn3-3.101.1-150000.3.117.1
    * mozilla-nss-certs-3.101.1-150000.3.117.1
    * mozilla-nss-debugsource-3.101.1-150000.3.117.1
    * mozilla-nss-devel-3.101.1-150000.3.117.1
    * mozilla-nss-tools-3.101.1-150000.3.117.1
    * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-3.101.1-150000.3.117.1
    * libsoftokn3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP2 (x86_64)
    * mozilla-nss-certs-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-3.101.1-150000.3.117.1
    * libfreebl3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-certs-32bit-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64)
    * libfreebl3-3.101.1-150000.3.117.1
    * libsoftokn3-3.101.1-150000.3.117.1
    * mozilla-nss-certs-3.101.1-150000.3.117.1
    * mozilla-nss-debugsource-3.101.1-150000.3.117.1
    * mozilla-nss-devel-3.101.1-150000.3.117.1
    * mozilla-nss-tools-3.101.1-150000.3.117.1
    * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-3.101.1-150000.3.117.1
    * libsoftokn3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (x86_64)
    * mozilla-nss-sysinit-32bit-3.101.1-150000.3.117.1
    * mozilla-nss-certs-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-3.101.1-150000.3.117.1
    * libfreebl3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-certs-32bit-debuginfo-3.101.1-150000.3.117.1
  * SUSE Enterprise Storage 7.1 (aarch64 x86_64)
    * libfreebl3-3.101.1-150000.3.117.1
    * libsoftokn3-3.101.1-150000.3.117.1
    * mozilla-nss-certs-3.101.1-150000.3.117.1
    * mozilla-nss-debugsource-3.101.1-150000.3.117.1
    * mozilla-nss-devel-3.101.1-150000.3.117.1
    * mozilla-nss-tools-3.101.1-150000.3.117.1
    * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-3.101.1-150000.3.117.1
    * libsoftokn3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-debuginfo-3.101.1-150000.3.117.1
  * SUSE Enterprise Storage 7.1 (x86_64)
    * mozilla-nss-sysinit-32bit-3.101.1-150000.3.117.1
    * mozilla-nss-certs-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-3.101.1-150000.3.117.1
    * libfreebl3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-certs-32bit-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64)
    * libfreebl3-3.101.1-150000.3.117.1
    * libsoftokn3-3.101.1-150000.3.117.1
    * mozilla-nss-certs-3.101.1-150000.3.117.1
    * mozilla-nss-debugsource-3.101.1-150000.3.117.1
    * mozilla-nss-tools-3.101.1-150000.3.117.1
    * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-3.101.1-150000.3.117.1
    * libsoftokn3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64)
    * libfreebl3-3.101.1-150000.3.117.1
    * libsoftokn3-3.101.1-150000.3.117.1
    * mozilla-nss-certs-3.101.1-150000.3.117.1
    * mozilla-nss-debugsource-3.101.1-150000.3.117.1
    * mozilla-nss-tools-3.101.1-150000.3.117.1
    * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-3.101.1-150000.3.117.1
    * libsoftokn3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 s390x x86_64)
    * libfreebl3-3.101.1-150000.3.117.1
    * libsoftokn3-3.101.1-150000.3.117.1
    * mozilla-nss-certs-3.101.1-150000.3.117.1
    * mozilla-nss-debugsource-3.101.1-150000.3.117.1
    * mozilla-nss-tools-3.101.1-150000.3.117.1
    * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-3.101.1-150000.3.117.1
    * libsoftokn3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-debuginfo-3.101.1-150000.3.117.1

## References:

  * https://www.suse.com/security/cve/CVE-2023-5388.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1214980
  * https://bugzilla.suse.com/show_bug.cgi?id=1222804
  * https://bugzilla.suse.com/show_bug.cgi?id=1222807
  * https://bugzilla.suse.com/show_bug.cgi?id=1222811
  * https://bugzilla.suse.com/show_bug.cgi?id=1222813
  * https://bugzilla.suse.com/show_bug.cgi?id=1222814
  * https://bugzilla.suse.com/show_bug.cgi?id=1222821
  * https://bugzilla.suse.com/show_bug.cgi?id=1222822
  * https://bugzilla.suse.com/show_bug.cgi?id=1222826
  * https://bugzilla.suse.com/show_bug.cgi?id=1222828
  * https://bugzilla.suse.com/show_bug.cgi?id=1222830
  * https://bugzilla.suse.com/show_bug.cgi?id=1222833
  * https://bugzilla.suse.com/show_bug.cgi?id=1222834
  * https://bugzilla.suse.com/show_bug.cgi?id=1224113
  * https://bugzilla.suse.com/show_bug.cgi?id=1224115
  * https://bugzilla.suse.com/show_bug.cgi?id=1224116
  * https://bugzilla.suse.com/show_bug.cgi?id=1224118

SUSE: 2024:2600-1 moderate: mozilla-nss Security Advisory Updates

July 23, 2024

* bsc#1214980 * bsc#1222804 * bsc#1222807 * bsc#1222811 * bsc#1222813

Summary

## This update for mozilla-nss fixes the following issues: * FIPS: Added more safe memset (bsc#1222811). * FIPS: Adjusted AES GCM restrictions (bsc#1222830). * FIPS: Adjusted approved ciphers (bsc#1222813, bsc#1222814, bsc#1222821, bsc#1222822, bsc#1224118, bsc#1222807, bsc#1222828, bsc#1222834, bsc#1222804, bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116). Update to NSS 3.101.1: * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. update to NSS 3.101: * add diagnostic assertions for SFTKObject refcount. * freeing the slot in DeleteCertAndKey if authentication failed * fix formatting issues. * Add Firmaprofesional CA Root-A Web to NSS. * remove invalid acvp fuzz test vectors. * pad short P-384 and P-521 signatures gtests. * remove unused FreeBL ECC code. * pad short P-384 and P-521 signatures. * be less strict about ECDSA private key length. * Integrate HACL* P-521. * Integrate HACL* P-384. * memory leak in create_objects_from_handles. * ensure all input is consumed in a few places in mozilla::pkix * SMIME/CMS and PKCS #12 do not integrate with modern NSS policy * clean up escape handling * Use lib::pkix as default validator instead of the old-one * Need to add high level support for PQ signing. * Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation * SMIME/CMS and PKCS #12 do not integrate with modern NSS policy * Allow for non-full length ecdsa signature when using softoken * Modification of .taskcluster.yml due to mozlint indent defects * Implement support for PBMAC1 in PKCS#12 * disable VLA warnings for fuzz builds. * remove redundant AllocItem implementation. * add PK11_ReadDistrustAfterAttribute. * * Clang-formatting of SEC_GetMgfTypeByOidTag update * Set SEC_ERROR_LIBRARY_FAILURE on self-test failure * sftk_getParameters(): Fix fallback to default variable after error with configfile. * Switch to the mozillareleases/image_builder image * switch from ec_field_GFp to ec_field_plain Update to NSS 3.100: * merge pk11_kyberSlotList into pk11_ecSlotList for faster Xyber operations. * remove ckcapi. * avoid a potential PK11GenericObject memory leak. * Remove incomplete ESDH code. * Decrypt RSA OAEP encrypted messages. * Fix certutil CRLDP URI code. * Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys. * Add ability to encrypt and decrypt CMS messages using ECDH. * Correct Templates for key agreement in smime/cmsasn.c. * Moving the decodedCert allocation to NSS. * Allow developers to speed up repeated local execution of NSS tests that depend on certificates. Update to NSS 3.99: * Removing check for message len in ed25519 (bmo#1325335) * add ed25519 to SECU_ecName2params. (bmo#1884276) * add EdDSA wycheproof tests. (bmo#1325335) * nss/lib layer code for EDDSA. (bmo#1325335) * Adding EdDSA implementation. (bmo#1325335) * Exporting Certificate Compression types (bmo#1881027) * Updating ACVP docker to rust 1.74 (bmo#1880857) * Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335) * Add NSS_CMSRecipient_IsSupported. (bmo#1877730) Update to NSS 3.98: * (CVE-2023-5388) Timing attack against RSA decryption in TLS * Certificate Compression: enabling the check that the compression was advertised * Move Windows workers to nss-1/b-win2022-alpha * Remove Email trust bit from OISTE WISeKey Global Root GC CA * Replace `distutils.spawn.find_executable` with `shutil.which` within `mach` in `nss` * Certificate Compression: Updating nss_bogo_shim to support Certificate compression * TLS Certificate Compression (RFC 8879) Implementation * Add valgrind annotations to freebl kyber operations for constant-time execution tests * Set nssckbi version number to 2.66 * Add Telekom Security roots * Add D-Trust 2022 S/MIME roots * Remove expired Security Communication RootCA1 root * move keys to a slot that supports concatenation in PK11_ConcatSymKeys * remove unmaintained tls-interop tests * bogo: add support for the -ipv6 and -shim-id shim flags * bogo: add support for the -curves shim flag and update Kyber expectations * bogo: adjust expectation for a key usage bit test * mozpkix: add option to ignore invalid subject alternative names * Fix selfserv not stripping `publicname:` from -X value * take ownership of ecckilla shims * add valgrind annotations to freebl/ec.c * PR_INADDR_ANY needs PR_htonl before assignment to inet.ip * Update zlib to 1.3.1 Update to NSS 3.97: * make Xyber768d00 opt-in by policy * add libssl support for xyber768d00 * add PK11_ConcatSymKeys * add Kyber and a PKCS#11 KEM interface to softoken * add a FreeBL API for Kyber * part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff * part 1: add a script for vendoring kyber from pq-crystals repo * Removing the calls to RSA Blind from loader.* * fix worker type for level3 mac tasks * RSA Blind implementation * Remove DSA selftests * read KWP testvectors from JSON * Backed out changeset dcb174139e4f * Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation * Wrap CC shell commands in gyp expansions Update to NSS 3.96.1: * Use pypi dependencies for MacOS worker in ./build_gyp.sh * p7sign: add -a hash and -u certusage (also p7verify cleanups) * add a defensive check for large ssl_DefSend return values * Add dependency to the taskcluster script for Darwin * Upgrade version of the MacOS worker for the CI Update to NSS 3.95: * Bump builtins version number. * Remove Email trust bit from Autoridad de Certificacion Firmaprofesional CIF A62634068 root cert. * Remove 4 DigiCert (Symantec/Verisign) Root Certificates * Remove 3 TrustCor Root Certificates from NSS. * Remove Camerfirma root certificates from NSS. * Remove old Autoridad de Certificacion Firmaprofesional Certificate. * Add four Commscope root certificates to NSS. * Add TrustAsia Global Root CA G3 and G4 root certificates. * Include P-384 and P-521 Scalar Validation from HACL* * Include P-256 Scalar Validation from HACL*. * After the HACL 256 ECC patch, NSS incorrectly encodes 256 ECC without DER wrapping at the softoken level * Add means to provide library parameters to C_Initialize * add OSXSAVE and XCR0 tests to AVX2 detection. * Typo in ssl3_AppendHandshakeNumber * Introducing input check of ssl3_AppendHandshakeNumber * Fix Invalid casts in instance.c Update to NSS 3.94: * Updated code and commit ID for HACL* * update ACVP fuzzed test vector: refuzzed with current NSS * Softoken C_ calls should use system FIPS setting to select NSC_ or FC_ variants * NSS needs a database tool that can dump the low level representation of the database * declare string literals using char in pkixnames_tests.cpp * avoid implicit conversion for ByteString * update rust version for acvp docker * Moving the init function of the mpi_ints before clean-up in ec.c * P-256 ECDH and ECDSA from HACL* * Add ACVP test vectors to the repository * Stop relying on std::basic_string * Transpose the PPC_ABI check from Makefile to gyp Update to NSS 3.93: * Update zlib in NSS to 1.3. * softoken: iterate hashUpdate calls for long inputs. * regenerate NameConstraints test certificates (bsc#1214980). Update to NSS 3.92: * Set nssckbi version number to 2.62 * Add 4 Atos TrustedRoot Root CA certificates to NSS * Add 4 SSL.com Root CA certificates * Add Sectigo E46 and R46 Root CA certificates * Add LAWtrust Root CA2 (4096) * Remove E-Tugra Certification Authority root * Remove Camerfirma Chambers of Commerce Root. * Remove Hongkong Post Root CA 1 * Remove E-Tugra Global Root CA ECC v3 and RSA v3 * Avoid redefining BYTE_ORDER on hppa Linux Update to NSS 3.91: * Implementation of the HW support check for ADX instruction * Removing the support of Curve25519 * Fix comment about the addition of ticketSupportsEarlyData * Adding args to enable-legacy-db build * dbtests.sh failure in "certutil dump keys with explicit default trust flags" * Initialize flags in slot structures * Improve the length check of RSA input to avoid heap overflow * Followup Fixes * avoid processing unexpected inputs by checking for m_exptmod base sign * add a limit check on order_k to avoid infinite loop * Update HACL* to commit 5f6051d2 * add SHA3 to cryptohi and softoken * HACL SHA3 * Disabling ASM C25519 for A but X86_64 Update to NSS 3.90.3: * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * clean up escape handling. * remove redundant AllocItem implementation. * Disable ASM support for Curve25519. * Disable ASM support for Curve25519 for all but X86_64. ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-2600=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-2600=1 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-2600=1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-2600=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2024-2600=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2024-2600=1 * SUSE Enterprise Storage 7.1 zypper in -t patch SUSE-Storage-7.1-2024-2600=1 * SUSE Linux Enterprise Micro 5.1 zypper in -t patch SUSE-SUSE-MicroOS-5.1-2024-2600=1 * SUSE Linux Enterprise Micro 5.2 zypper in -t patch SUSE-SUSE-MicroOS-5.2-2024-2600=1 * SUSE Linux Enterprise Micro for Rancher 5.2 zypper in -t patch SUSE-SUSE-MicroOS-5.2-2024-2600=1 ## Package List: * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (aarch64 x86_64) * libfreebl3-3.101.1-150000.3.117.1 * libsoftokn3-3.101.1-150000.3.117.1 * mozilla-nss-certs-3.101.1-150000.3.117.1 * mozilla-nss-debugsource-3.101.1-150000.3.117.1 * mozilla-nss-devel-3.101.1-150000.3.117.1 * mozilla-nss-tools-3.101.1-150000.3.117.1 * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1 * libfreebl3-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-sysinit-3.101.1-150000.3.117.1 * mozilla-nss-sysinit-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-3.101.1-150000.3.117.1 * libsoftokn3-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-debuginfo-3.101.1-150000.3.117.1 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (x86_64) * mozilla-nss-certs-32bit-3.101.1-150000.3.117.1 * libsoftokn3-32bit-3.101.1-150000.3.117.1 * mozilla-nss-32bit-3.101.1-150000.3.117.1 * libfreebl3-32bit-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-32bit-debuginfo-3.101.1-150000.3.117.1 * libfreebl3-32bit-3.101.1-150000.3.117.1 * libsoftokn3-32bit-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-certs-32bit-debuginfo-3.101.1-150000.3.117.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64 x86_64) * libfreebl3-3.101.1-150000.3.117.1 * libsoftokn3-3.101.1-150000.3.117.1 * mozilla-nss-certs-3.101.1-150000.3.117.1 * mozilla-nss-debugsource-3.101.1-150000.3.117.1 * mozilla-nss-devel-3.101.1-150000.3.117.1 * mozilla-nss-tools-3.101.1-150000.3.117.1 * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1 * libfreebl3-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-sysinit-3.101.1-150000.3.117.1 * mozilla-nss-sysinit-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-3.101.1-150000.3.117.1 * libsoftokn3-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-debuginfo-3.101.1-150000.3.117.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (x86_64) * mozilla-nss-sysinit-32bit-3.101.1-150000.3.117.1 * mozilla-nss-certs-32bit-3.101.1-150000.3.117.1 * libsoftokn3-32bit-3.101.1-150000.3.117.1 * mozilla-nss-32bit-3.101.1-150000.3.117.1 * libfreebl3-32bit-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-32bit-debuginfo-3.101.1-150000.3.117.1 * libfreebl3-32bit-3.101.1-150000.3.117.1 * libsoftokn3-32bit-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-sysinit-32bit-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-certs-32bit-debuginfo-3.101.1-150000.3.117.1 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (aarch64 ppc64le s390x x86_64) * libfreebl3-3.101.1-150000.3.117.1 * libsoftokn3-3.101.1-150000.3.117.1 * mozilla-nss-certs-3.101.1-150000.3.117.1 * mozilla-nss-debugsource-3.101.1-150000.3.117.1 * mozilla-nss-devel-3.101.1-150000.3.117.1 * mozilla-nss-tools-3.101.1-150000.3.117.1 * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1 * libfreebl3-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-sysinit-3.101.1-150000.3.117.1 * mozilla-nss-sysinit-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-3.101.1-150000.3.117.1 * libsoftokn3-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-debuginfo-3.101.1-150000.3.117.1 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (x86_64) * mozilla-nss-certs-32bit-3.101.1-150000.3.117.1 * libsoftokn3-32bit-3.101.1-150000.3.117.1 * mozilla-nss-32bit-3.101.1-150000.3.117.1 * libfreebl3-32bit-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-32bit-debuginfo-3.101.1-150000.3.117.1 * libfreebl3-32bit-3.101.1-150000.3.117.1 * libsoftokn3-32bit-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-certs-32bit-debuginfo-3.101.1-150000.3.117.1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 ppc64le s390x x86_64) * libfreebl3-3.101.1-150000.3.117.1 * libsoftokn3-3.101.1-150000.3.117.1 * mozilla-nss-certs-3.101.1-150000.3.117.1 * mozilla-nss-debugsource-3.101.1-150000.3.117.1 * mozilla-nss-devel-3.101.1-150000.3.117.1 * mozilla-nss-tools-3.101.1-150000.3.117.1 * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1 * libfreebl3-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-sysinit-3.101.1-150000.3.117.1 * mozilla-nss-sysinit-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-3.101.1-150000.3.117.1 * libsoftokn3-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-debuginfo-3.101.1-150000.3.117.1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (x86_64) * mozilla-nss-sysinit-32bit-3.101.1-150000.3.117.1 * mozilla-nss-certs-32bit-3.101.1-150000.3.117.1 * libsoftokn3-32bit-3.101.1-150000.3.117.1 * mozilla-nss-32bit-3.101.1-150000.3.117.1 * libfreebl3-32bit-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-32bit-debuginfo-3.101.1-150000.3.117.1 * libfreebl3-32bit-3.101.1-150000.3.117.1 * libsoftokn3-32bit-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-sysinit-32bit-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-certs-32bit-debuginfo-3.101.1-150000.3.117.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 (ppc64le x86_64) * libfreebl3-3.101.1-150000.3.117.1 * libsoftokn3-3.101.1-150000.3.117.1 * mozilla-nss-certs-3.101.1-150000.3.117.1 * mozilla-nss-debugsource-3.101.1-150000.3.117.1 * mozilla-nss-devel-3.101.1-150000.3.117.1 * mozilla-nss-tools-3.101.1-150000.3.117.1 * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1 * libfreebl3-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-sysinit-3.101.1-150000.3.117.1 * mozilla-nss-sysinit-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-3.101.1-150000.3.117.1 * libsoftokn3-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-debuginfo-3.101.1-150000.3.117.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 (x86_64) * mozilla-nss-certs-32bit-3.101.1-150000.3.117.1 * libsoftokn3-32bit-3.101.1-150000.3.117.1 * mozilla-nss-32bit-3.101.1-150000.3.117.1 * libfreebl3-32bit-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-32bit-debuginfo-3.101.1-150000.3.117.1 * libfreebl3-32bit-3.101.1-150000.3.117.1 * libsoftokn3-32bit-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-certs-32bit-debuginfo-3.101.1-150000.3.117.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64) * libfreebl3-3.101.1-150000.3.117.1 * libsoftokn3-3.101.1-150000.3.117.1 * mozilla-nss-certs-3.101.1-150000.3.117.1 * mozilla-nss-debugsource-3.101.1-150000.3.117.1 * mozilla-nss-devel-3.101.1-150000.3.117.1 * mozilla-nss-tools-3.101.1-150000.3.117.1 * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1 * libfreebl3-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-sysinit-3.101.1-150000.3.117.1 * mozilla-nss-sysinit-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-3.101.1-150000.3.117.1 * libsoftokn3-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-debuginfo-3.101.1-150000.3.117.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (x86_64) * mozilla-nss-sysinit-32bit-3.101.1-150000.3.117.1 * mozilla-nss-certs-32bit-3.101.1-150000.3.117.1 * libsoftokn3-32bit-3.101.1-150000.3.117.1 * mozilla-nss-32bit-3.101.1-150000.3.117.1 * libfreebl3-32bit-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-32bit-debuginfo-3.101.1-150000.3.117.1 * libfreebl3-32bit-3.101.1-150000.3.117.1 * libsoftokn3-32bit-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-sysinit-32bit-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-certs-32bit-debuginfo-3.101.1-150000.3.117.1 * SUSE Enterprise Storage 7.1 (aarch64 x86_64) * libfreebl3-3.101.1-150000.3.117.1 * libsoftokn3-3.101.1-150000.3.117.1 * mozilla-nss-certs-3.101.1-150000.3.117.1 * mozilla-nss-debugsource-3.101.1-150000.3.117.1 * mozilla-nss-devel-3.101.1-150000.3.117.1 * mozilla-nss-tools-3.101.1-150000.3.117.1 * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1 * libfreebl3-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-sysinit-3.101.1-150000.3.117.1 * mozilla-nss-sysinit-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-3.101.1-150000.3.117.1 * libsoftokn3-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-debuginfo-3.101.1-150000.3.117.1 * SUSE Enterprise Storage 7.1 (x86_64) * mozilla-nss-sysinit-32bit-3.101.1-150000.3.117.1 * mozilla-nss-certs-32bit-3.101.1-150000.3.117.1 * libsoftokn3-32bit-3.101.1-150000.3.117.1 * mozilla-nss-32bit-3.101.1-150000.3.117.1 * libfreebl3-32bit-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-32bit-debuginfo-3.101.1-150000.3.117.1 * libfreebl3-32bit-3.101.1-150000.3.117.1 * libsoftokn3-32bit-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-sysinit-32bit-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-certs-32bit-debuginfo-3.101.1-150000.3.117.1 * SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64) * libfreebl3-3.101.1-150000.3.117.1 * libsoftokn3-3.101.1-150000.3.117.1 * mozilla-nss-certs-3.101.1-150000.3.117.1 * mozilla-nss-debugsource-3.101.1-150000.3.117.1 * mozilla-nss-tools-3.101.1-150000.3.117.1 * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1 * libfreebl3-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-3.101.1-150000.3.117.1 * libsoftokn3-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-debuginfo-3.101.1-150000.3.117.1 * SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64) * libfreebl3-3.101.1-150000.3.117.1 * libsoftokn3-3.101.1-150000.3.117.1 * mozilla-nss-certs-3.101.1-150000.3.117.1 * mozilla-nss-debugsource-3.101.1-150000.3.117.1 * mozilla-nss-tools-3.101.1-150000.3.117.1 * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1 * libfreebl3-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-3.101.1-150000.3.117.1 * libsoftokn3-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-debuginfo-3.101.1-150000.3.117.1 * SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 s390x x86_64) * libfreebl3-3.101.1-150000.3.117.1 * libsoftokn3-3.101.1-150000.3.117.1 * mozilla-nss-certs-3.101.1-150000.3.117.1 * mozilla-nss-debugsource-3.101.1-150000.3.117.1 * mozilla-nss-tools-3.101.1-150000.3.117.1 * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1 * libfreebl3-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-3.101.1-150000.3.117.1 * libsoftokn3-debuginfo-3.101.1-150000.3.117.1 * mozilla-nss-debuginfo-3.101.1-150000.3.117.1

References

* bsc#1214980

* bsc#1222804

* bsc#1222807

* bsc#1222811

* bsc#1222813

* bsc#1222814

* bsc#1222821

* bsc#1222822

* bsc#1222826

* bsc#1222828

* bsc#1222830

* bsc#1222833

* bsc#1222834

* bsc#1224113

* bsc#1224115

* bsc#1224116

* bsc#1224118

Cross-

* CVE-2023-5388

CVSS scores:

* CVE-2023-5388 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Products:

* SUSE Enterprise Storage 7.1

* SUSE Linux Enterprise High Performance Computing 15 SP2

* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2

* SUSE Linux Enterprise High Performance Computing 15 SP3

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3

* SUSE Linux Enterprise Micro 5.1

* SUSE Linux Enterprise Micro 5.2

* SUSE Linux Enterprise Micro for Rancher 5.2

* SUSE Linux Enterprise Server 15 SP2

* SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2

* SUSE Linux Enterprise Server 15 SP3

* SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3

* SUSE Linux Enterprise Server for SAP Applications 15 SP2

* SUSE Linux Enterprise Server for SAP Applications 15 SP3

An update that solves one vulnerability and has 16 security fixes can now be

installed.

* https://www.suse.com/security/cve/CVE-2023-5388.html

* https://bugzilla.suse.com/show_bug.cgi?id=1214980

* https://bugzilla.suse.com/show_bug.cgi?id=1222804

* https://bugzilla.suse.com/show_bug.cgi?id=1222807

* https://bugzilla.suse.com/show_bug.cgi?id=1222811

* https://bugzilla.suse.com/show_bug.cgi?id=1222813

* https://bugzilla.suse.com/show_bug.cgi?id=1222814

* https://bugzilla.suse.com/show_bug.cgi?id=1222821

* https://bugzilla.suse.com/show_bug.cgi?id=1222822

* https://bugzilla.suse.com/show_bug.cgi?id=1222826

* https://bugzilla.suse.com/show_bug.cgi?id=1222828

* https://bugzilla.suse.com/show_bug.cgi?id=1222830

* https://bugzilla.suse.com/show_bug.cgi?id=1222833

* https://bugzilla.suse.com/show_bug.cgi?id=1222834

* https://bugzilla.suse.com/show_bug.cgi?id=1224113

* https://bugzilla.suse.com/show_bug.cgi?id=1224115

* https://bugzilla.suse.com/show_bug.cgi?id=1224116

* https://bugzilla.suse.com/show_bug.cgi?id=1224118

Severity

Announcement ID: SUSE-SU-2024:2600-1

Rating: moderate

Get the Latest News & Insights

SUSE: 2024:2600-1 moderate: mozilla-nss Security Advisory Updates

Summary

References

Related News

Get the Latest News & Insights

News

Advisories

HOWTOs

Features

About Us

Powered By