[Oraclevm-errata] OVMSA-2016-0066 Oracle VM 3.2 nss security update
Errata Announcements for Oracle VM
oraclevm-errata at oss.oracle.com
Tue Jun 21 10:09:07 PDT 2016
Oracle VM Security Advisory OVMSA-2016-0066
The following updated rpms for Oracle VM 3.2 have been uploaded to the
Unbreakable Linux Network:
x86_64:
nss-3.21.0-6.el5_11.x86_64.rpm
SRPMS:
http://oss.oracle.com/oraclevm/server/3.2/SRPMS-updates/nss-3.21.0-6.el5_11.src.rpm
Description of changes:
[3.21.0-6]
- Fix SSL_DH_MIN_P_BITS in more places.
[3.21.0-5]
- Keep SSL_DH_MIN_P_BITS at 768 as in the previously released build.
[3.21.0-4]
- Run SSL tests
[3.21.0-3]
- Add compatibility patches to prevent regressions
[3.21.0-2]
- Ensure all ssl.sh tests are executed
[3.21.0-1]
- Rebase to nss 3.21
- Resolves: Bug 1297944 - Rebase RHEL 5.11.z to NSS 3.21 in preparation
for Firefox 45
[3.19.1-4]
- Actually apply the fix for CVE-2016-1950 from NSS 3.19.2.3 ...
[3.19.1-3]
- Include the fix for CVE-2016-1950 from NSS 3.19.2.3
[3.19.1-2]
- Resolves: Bug 1269354 - CVE-2015-7182 CVE-2015-7181
[3.19.1-1]
- Rebase nss to 3.19.1
- Pick up upstream fix for client auth. regression caused by 3.19.1
- Revert upstream change to minimum key sizes
- Remove patches rendered obsolete by the rebase
- Update existing patches on account of the rebase
[3.18.0-7]
- Pick up upstream patch from nss-3.19.1
- Resolves: Bug 1236954 - CVE-2015-2730 NSS: ECDSA signature validation
fails to handle some signatures correctly (MFSA 2015-64)
- Resolves: Bug 1236967 - CVE-2015-2721 NSS: incorrectly permitted
skipping of ServerKeyExchange (MFSA 2015-71)
[3.18.0-6]
- On RHEL 6.x keep the TLS version defaults unchanged.
- Update to CKBI 2.4 from NSS 3.18.1 (the only change in NSS 3.18.1)
[3.18.0-5]
- Copy PayPalICA.cert and PayPalRootCA.cert to nss/tests/libpkix/certs
- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]
[3.18.0-4]
- Update and re-enable nss-646045.patch on account of the rebase
- Enable additional ssl test cycles and document why some aren't enabled
- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]
[3.18.0-3]
- Fix shell syntax error on nss/tests/all.sh
- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]
[3.18.0-2]
- Replace expired PayPal test certificate that breaks the build
- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]
[3.18.0-1]
- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]
[3.16.1-5]
- Resolves: Bug 1158159 - Upgrade to NSS 3.16.2.3 for Firefox 31.3
[3.16.1-4]
- Adjust softokn patch to be compatible with legacy softokn API.
- Resolves: Bug 1145430 - CVE-2014-1568
[3.16.1-3]
- Add patches published with NSS 3.16.2.1
- Resolves: Bug 1145430 - CVE-2014-1568
[3.16.1-2]
- Backport nss-3.12.6 upstream fix required by Firefox 31 ESR
- Resolves: Bug 1110860
[3.16.1-1]
- Rebase to nss-3.16.1 for FF31
- Resolves: Bug 1110860 - Rebase nss in RHEL 5.11 to NSS 3.16.1,
required for FF 31
[3.15.3-6]
- Remove unused and obsolete patches
- Related: Bug 1032468
[3.15.3-5]
- Improve shell code for error detection on %check section
- Resolves: Bug 1035281 - Suboptimal shell code in nss.spec
[3.15.3-4]
- Revoke trust in one mis-issued anssi certificate
- Resolves: Bug 1042684 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA
2013-117)
[3.15.3-3]
- Pick up corrections made in the rhel-10.Z branch, remove an unused patch
- Resolves: rhbz#1032468 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741
nss: various flaws [rhel-5.11]
[3.15.3-2]
- Remove unused patch and retag for update to nss-3.15.3
- Resolves: rhbz#1032468 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741
nss: various flaws [rhel-5.11]
[3.15.3-1]
- Update to nss-3.15.3
- Resolves: rhbz#1032468 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741
nss: various flaws [rhel-5.11]
[3.15.1-2]
- Remove unused patches
- Resolves: rhbz#1002642 - Rebase RHEL 5 to NSS 3.15.1 (for FF 24.x)
[3.15.1-1]
- Rebase to nss-3.15.1
- Resolves: rhbz#1002642 - Rebase RHEL 5 to NSS 3.15.1 (for FF 24.x)
- Resolves: rhbz#1015864 - [Regression] NSS no longer trusts MD5
certificates
- Split %check section tests in two: freebl/softoken and rest of nss tests
- Adjust various patches and spec file steps on account of the rebase
- Add various patches and remove obsoleted ones on account of the rebase
- Renumber patches so freebl/softoken ones match the corresponding ones
in rhel-6 nss-softokn
[3.14.3-18]
- Make the freebl sources identical to the corresponding ones for rhel-6.5
- Related: rhbz#987131
[3.14.3-16]
- Adjust the patches to complete the syncup with upstream nss
- Use NSS_DISABLE_HW_GCM on the patch as we do on the spec file
- Ensure softoken/freebl code is the same on nss side as on the softoken
side
- Related: rhbz#987131
[3.14.3-16]
- Add disable_hw_gcm.patch and in the spec file export NSS_DISABLE_HW_GCM=1
- Disable HW GCM on RHEL-5 as the older kernel lacks support for it
- Related: rhbz#987131
[3.14.3-15]
- Related: rhbz#987131 - Display cpuinfo as part of the tests
[3.14.3-14]
- Resolves: rhbz#987131 - Pick up various upstream GCM code fixes
applied since nss-3.14.3 was released
[3.14.3-13]
- Roll back to 79c87e69caa7454cbcf5f8161a628c538ff3cab3
- Previously added patch hasn't solved the sporadic core dumps
- Related: rhbz#983766 - nssutil_ReadSecmodDB leaks memory
[3.14.3-12]
- Resolves: rhbz#983766 - nssutil_ReadSecmodDB leaks memory
- Add patch to get rid of sporadic blapitest core dumps
[3.14.3-11]
- Restore 'export NO_FORK_CHECK=1' required for binary compatibility on
RHEL-5
- Remove an unused patch
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3
[3.14.3-10]
- Resolves: rhbz#807419 - nss-tools certutil -H does not list all options
[3.14.3-9]
- Apply upstream fixes for ecc enabling and aes gcm
- Rename two macros EC_MIN_KEY_BITS and EC_MAX_KEY_BITS per upstream
- Apply several upstream AES GCM fixes
- Resolves: rhbz#960241 - Enable ECC in nss and freebl
- Resolves: rhbz#918948 - [RFE][RHEL5]
[3.14.3-8]
- Enable ECC support limited to suite b
- Export NSS_ENABLE_ECC=1 in the %check section to properly test ecc
- Resolves: rhbz#960241 - Enable ECC in nss and freebl
[3.14.3-7]
- Define -DNO_FORK_CHECK when compiling softoken for ABI compatibility
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the
lucky-13 issue
[3.14.3-6]
- Remove obsolete nss-nochktest.patch
- Related: rhbz#960241 - Enable ECC in nss and freebl
[3.14.3-5]
- Enable ECC by using the unstripped sources
- Resolves: rhbz#960241 - Enable ECC in nss and freebl
[3.14.3-4]
- Fix rpmdiff test reported failures and remove other unwanted changes
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the
lucky-13 issue
* Mon Apr 22 2013 Elio Maldonado - 3.14.3-3
- Update to NSS_3_14_3_RTM
- Rework the rebase to preserve needed idiosyncrasies
- Ensure we install freebl/softoken from the extra build tree
- Don't include freebl static library or its private headers
- Add patch to deal with system sqlite not being recent enough
- Don't install nss-sysinit nor sharedb
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the
lucky-13 issue
* Mon Apr 01 2013 Elio Maldonado - 3.14.3-2
- Restore the freebl-softoken source tar ball updated to 3.14.3
- Renumbering of some sources for clarity
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the
lucky-13 issue
[3.14.3-1]
- Update to NSS_3_14_3_RTM
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the
lucky-13 issue
[3.13.6-2]
- Resolves: rhbz#891150 - Dis-trust TURKTRUST mis-issued *.google.com
certificate
[3.13.6-1]
- Update to NSS_3_13_6_RTM
- Resolves: rhbz#883788 - [RFE] [RHEL5] Rebase to NSS >= 3.13.6
[3.13.5-8]
- Resolves: rhbz#820684
- Fix last entry in attrFlagsArray to be {NAME_SIZE(unextractable),
PK11_ATTR_UNEXTRACTABLE}
[3.13.5-7]
- Resolves: rhbz#820684
- Enable certutil handle user supplied flags for PKCS #11 attributes.
- This will enable certutil to generate keys in fussy hardware tokens.
[3.13.5-6]
- fix an error in the patch meta-information area (no code change)
[3.13.5-5]
- Related: rhbz#830304 - Fix ia64 / i386 multilib nss install failure
- Remove no longer needed %pre and %preun scriptlets meant for nss
updates from RHEL-5.0
[3.13.5-4]
- Related: rhbz#830304 - Fix the changes to the %post line
- Having multiple commands requires that /sbin/lconfig be the beginning
of the scriptlet
[3.13.5-3]
- Resolves: rhbz#830304 - Fix multilib and scriptlet problems
- Fix %post and %postun lines per packaging guidelines
- Add %{?_isa} to tools Requires: per packaging guidelines
- Fix explicit-lib-dependency zlib error reported by rpmlint
[3.13.5-2]
- Resolves: rhbz#830304 - Remove unwanted change to nss.pc.in
[3.13.5-1]
- Update to NSS_3_13_5_RTM
- Resolves: rhbz#830304 - Update RHEL 5.x to NSS 3.13.5 and NSPR 4.9.1
for Mozilla 10.0.6
[3.13.1-4]
- Resolves: rhbz#797939 - Protect NSS_Shutdown from clients that fail to
initialize nss
[3.13.1-3]
- Resolves: Bug 788039 - retagging to prevent update problems
[3.13.1-1]
- Resolves: Bug 788039 - rebase nss to make firefox 10 LTS rebase possible
- Update to 4.8.9
[3.12.10-9]
- Resolves: Bug 713373 - File descriptor leak after service httpd reload
- Don't initialize nss if already initialized or if there are no dbs
[3.12.10-8]
- Retagging for a Y-stream version higher than the RHEL-5-7-Z branch
[3.12.10-7]
- Retagging to keep the n-v-r as high as that for the RHEL-5-7-Z branch
[3.12.10-6]
- Update builtins certs to those from NSSCKBI_1_88_RTM
[3.12.10-5]
- Plug file descriptor leaks on httpd reloads
[3.12.10-4]
- Update builtins certs to those from NSSCKBI_1_87_RTM
[3.12.10-3]
- Update builtins certs to those from NSSCKBI_1_86_RTM
[3.12.10-2]
- Update builtins certs to NSSCKBI_1_85_RTM
[3.12.10-1]
- Update to 3.12.10
[3.12.8-4]
- Fix libcrmf hard-coded maximum size for wrapped private keys
[3.12.8-3]
- Update builtin certs to NSS_3.12.9_WITH_CKBI_1_82_RTM via a patch
[3.12.8-2]
- Update builtin certs to those from NSS_3.12.9_WITH_CKBI_1_82_RTM
[3.12.8-1]
- Update to 3.12.8