[Oraclevm-errata] OVMSA-2016-0066 Oracle VM 3.2 nss security update

Errata Announcements for Oracle VM oraclevm-errata at oss.oracle.com
Tue Jun 21 10:09:07 PDT 2016


Oracle VM Security Advisory OVMSA-2016-0066

The following updated rpms for Oracle VM 3.2 have been uploaded to the 
Unbreakable Linux Network:

x86_64:
nss-3.21.0-6.el5_11.x86_64.rpm


SRPMS:
http://oss.oracle.com/oraclevm/server/3.2/SRPMS-updates/nss-3.21.0-6.el5_11.src.rpm



Description of changes:

[3.21.0-6]
- Fix SSL_DH_MIN_P_BITS in more places.

[3.21.0-5]
- Keep SSL_DH_MIN_P_BITS at 768 as in the previously released build.

[3.21.0-4]
- Run SSL tests

[3.21.0-3]
- Add compatibility patches to prevent regressions

[3.21.0-2]
- Ensure all ssl.sh tests are executed

[3.21.0-1]
- Rebase to nss 3.21
- Resolves: Bug 1297944 - Rebase RHEL 5.11.z to NSS 3.21 in preparation 
for Firefox 45

[3.19.1-4]
- Actually apply the fix for CVE-2016-1950 from NSS 3.19.2.3 ...

[3.19.1-3]
- Include the fix for CVE-2016-1950 from NSS 3.19.2.3

[3.19.1-2]
- Resolves: Bug 1269354 - CVE-2015-7182 CVE-2015-7181

[3.19.1-1]
- Rebase nss to 3.19.1
- Pick up upstream fix for client auth. regression caused by 3.19.1
- Revert upstream change to minimum key sizes
- Remove patches rendered obsolete by the rebase
- Update existing patches on account of the rebase

[3.18.0-7]
- Pick up upstream patch from nss-3.19.1
- Resolves: Bug 1236954 - CVE-2015-2730 NSS: ECDSA signature validation 
fails to handle some signatures correctly (MFSA 2015-64)
- Resolves: Bug 1236967 - CVE-2015-2721 NSS: incorrectly permitted 
skipping of ServerKeyExchange (MFSA 2015-71)

[3.18.0-6]
- On RHEL 6.x keep the TLS version defaults unchanged.
- Update to CKBI 2.4 from NSS 3.18.1 (the only change in NSS 3.18.1)

[3.18.0-5]
- Copy PayPalICA.cert and PayPalRootCA.cert to nss/tests/libpkix/certs
- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]

[3.18.0-4]
- Update and re-enable nss-646045.patch on account of the rebase
- Enable additional ssl test cycles and document why some aren't enabled
- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]

[3.18.0-3]
- Fix shell syntax error on nss/tests/all.sh
- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]

[3.18.0-2]
- Replace expired PayPal test certificate that breaks the build
- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]

[3.18.0-1]
- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]

[3.16.1-5]
- Resolves: Bug 1158159 - Upgrade to NSS 3.16.2.3 for Firefox 31.3

[3.16.1-4]
- Adjust softokn patch to be compatible with legacy softokn API.
- Resolves: Bug 1145430 - CVE-2014-1568

[3.16.1-3]
- Add patches published with NSS 3.16.2.1
- Resolves: Bug 1145430 - CVE-2014-1568

[3.16.1-2]
- Backport nss-3.12.6 upstream fix required by Firefox 31 ESR
- Resolves: Bug 1110860

[3.16.1-1]
- Rebase to nss-3.16.1 for FF31
- Resolves: Bug 1110860 - Rebase nss in RHEL 5.11 to NSS 3.16.1, 
required for FF 31

[3.15.3-6]
- Remove unused and obsolete patches
- Related: Bug 1032468

[3.15.3-5]
- Improve shell code for error detection on %check section
- Resolves: Bug 1035281 - Suboptimal shell code in nss.spec

[3.15.3-4]
- Revoke trust in one mis-issued anssi certificate
- Resolves: Bug 1042684 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 
2013-117)

[3.15.3-3]
- Pick up corrections made in the rhel-10.Z branch, remove an unused patch
- Resolves: rhbz#1032468 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 
nss: various flaws [rhel-5.11]

[3.15.3-2]
- Remove unused patch and retag for update to nss-3.15.3
- Resolves: rhbz#1032468 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 
nss: various flaws [rhel-5.11]

[3.15.3-1]
- Update to nss-3.15.3
- Resolves: rhbz#1032468 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 
nss: various flaws [rhel-5.11]

[3.15.1-2]
- Remove unused patches
- Resolves: rhbz#1002642 - Rebase RHEL 5 to NSS 3.15.1 (for FF 24.x)

[3.15.1-1]
- Rebase to nss-3.15.1
- Resolves: rhbz#1002642 - Rebase RHEL 5 to NSS 3.15.1 (for FF 24.x)
- Resolves: rhbz#1015864 - [Regression] NSS no longer trusts MD5 
certificates
- Split %check section tests in two: freebl/softoken and rest of nss tests
- Adjust various patches and spec file steps on account of the rebase
- Add various patches and remove obsoleted ones on account of the rebase
- Renumber patches so freebl/softoken ones match the corresponding ones 
in rhel-6 nss-softokn

[3.14.3-18]
- Make the freebl sources identical to the corresponding ones for rhel-6.5
- Related: rhbz#987131

[3.14.3-16]
- Adjust the patches to complete the syncup with upstream nss
- Use NSS_DISABLE_HW_GCM on the patch as we do on the spec file
- Ensure softoken/freebl code is the same on nss side as on the softoken 
side
- Related: rhbz#987131

[3.14.3-16]
- Add disable_hw_gcm.patch and in the spec file export NSS_DISABLE_HW_GCM=1
- Disable HW GCM on RHEL-5 as the older kernel lacks support for it
- Related: rhbz#987131

[3.14.3-15]
- Related: rhbz#987131 - Display cpuinfo as part of the tests

[3.14.3-14]
- Resolves: rhbz#987131 - Pick up various upstream GCM code fixes 
applied since nss-3.14.3 was released

[3.14.3-13]
- Roll back to 79c87e69caa7454cbcf5f8161a628c538ff3cab3
- Previously added patch hasn't solved the sporadic core dumps
- Related: rhbz#983766 - nssutil_ReadSecmodDB leaks memory

[3.14.3-12]
- Resolves: rhbz#983766 - nssutil_ReadSecmodDB leaks memory
- Add patch to get rid of sporadic blapitest core dumps

[3.14.3-11]
- Restore 'export NO_FORK_CHECK=1' required for binary compatibility on 
RHEL-5
- Remove an unused patch
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3

[3.14.3-10]
- Resolves: rhbz#807419 - nss-tools certutil -H does not list all options

[3.14.3-9]
- Apply upstream fixes for ecc enabling and aes gcm
- Rename two macros EC_MIN_KEY_BITS and EC_MAX_KEY_BITS per upstream
- Apply several upstream AES GCM fixes
- Resolves: rhbz#960241 - Enable ECC in nss and freebl
- Resolves: rhbz#918948 - [RFE][RHEL5]

[3.14.3-8]
- Enable ECC support limited to suite b
- Export NSS_ENABLE_ECC=1 in the %check section to properly test ecc
- Resolves: rhbz#960241 - Enable ECC in nss and freebl

[3.14.3-7]
- Define -DNO_FORK_CHECK when compiling softoken for ABI compatibility
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the 
lucky-13 issue

[3.14.3-6]
- Remove obsolete nss-nochktest.patch
- Related: rhbz#960241 - Enable ECC in nss and freebl

[3.14.3-5]
- Enable ECC by using the unstripped sources
- Resolves: rhbz#960241 - Enable ECC in nss and freebl

[3.14.3-4]
- Fix rpmdiff test reported failures and remove other unwanted changes
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the 
lucky-13 issue

* Mon Apr 22 2013 Elio Maldonado - 3.14.3-3
- Update to NSS_3_14_3_RTM
- Rework the rebase to preserve needed idiosyncrasies
- Ensure we install freebl/softoken from the extra build tree
- Don't include freebl static library or its private headers
- Add patch to deal with system sqlite not being recent enough
- Don't install nss-sysinit nor sharedb
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the 
lucky-13 issue

* Mon Apr 01 2013 Elio Maldonado - 3.14.3-2
- Restore the freebl-softoken source tar ball updated to 3.14.3
- Renumbering of some sources for clarity
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the 
lucky-13 issue

[3.14.3-1]
- Update to NSS_3_14_3_RTM
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the 
lucky-13 issue

[3.13.6-2]
- Resolves: rhbz#891150 - Dis-trust TURKTRUST mis-issued *.google.com 
certificate

[3.13.6-1]
- Update to NSS_3_13_6_RTM
- Resolves: rhbz#883788 - [RFE] [RHEL5] Rebase to NSS >= 3.13.6

[3.13.5-8]
- Resolves: rhbz#820684
- Fix last entry in attrFlagsArray to be {NAME_SIZE(unextractable), 
PK11_ATTR_UNEXTRACTABLE}

[3.13.5-7]
- Resolves: rhbz#820684
- Enable certutil to handle user-supplied flags for PKCS #11 attributes.
- This will enable certutil to generate keys in fussy hardware tokens.

[3.13.5-6]
- fix an error in the patch meta-information area (no code change)

[3.13.5-5]
- Related: rhbz#830304 - Fix ia64 / i386 multilib nss install failure
- Remove no longer needed %pre and %preun scriptlets meant for nss 
updates from RHEL-5.0

[3.13.5-4]
- Related: rhbz#830304 - Fix the changes to the %post line
- Having multiple commands requires that /sbin/ldconfig be the beginning 
of the scriptlet

[3.13.5-3]
- Resolves: rhbz#830304 - Fix multilib and scriptlet problems
- Fix %post and %postun lines per packaging guidelines
- Add %{?_isa} to tools Requires: per packaging guidelines
- Fix explicit-lib-dependency zlib error reported by rpmlint

[3.13.5-2]
- Resolves: rhbz#830304 - Remove unwanted change to nss.pc.in

[3.13.5-1]
- Update to NSS_3_13_5_RTM
- Resolves: rhbz#830304 - Update RHEL 5.x to NSS 3.13.5 and NSPR 4.9.1 
for Mozilla 10.0.6

[3.13.1-4]
- Resolves: rhbz#797939 - Protect NSS_Shutdown from clients that fail to 
initialize nss

[3.13.1-3]
- Resolves: Bug 788039 - retagging to prevent update problems

[3.13.1-1]
- Resolves: Bug 788039 - rebase nss to make firefox 10 LTS rebase possible
- Update to 4.8.9

[3.12.10-9]
- Resolves: Bug 713373 - File descriptor leak after service httpd reload
- Don't initialize nss if already initialized or if there are no dbs

[3.12.10-8]
- Retagging for a Y-stream version higher than the RHEL-5-7-Z branch

[3.12.10-7]
- Retagging to keep the n-v-r as high as that for the RHEL-5-7-Z branch

[3.12.10-6]
- Update builtins certs to those from NSSCKBI_1_88_RTM

[3.12.10-5]
- Plug file descriptor leaks on httpd reloads

[3.12.10-4]
- Update builtins certs to those from NSSCKBI_1_87_RTM

[3.12.10-3]
- Update builtins certs to those from NSSCKBI_1_86_RTM

[3.12.10-2]
- Update builtins certs to NSSCKBI_1_85_RTM

[3.12.10-1]
- Update to 3.12.10

[3.12.8-4]
- Fix libcrmf hard-coded maximum size for wrapped private keys

[3.12.8-3]
- Update builtin certs to NSS_3.12.9_WITH_CKBI_1_82_RTM via a patch

[3.12.8-2]
- Update builtin certs to those from NSS_3.12.9_WITH_CKBI_1_82_RTM

[3.12.8-1]
- Update to 3.12.8



