# Security update for mozilla-nss

Announcement ID: SUSE-SU-2024:2600-1  
Rating: moderate  
References:

  * bsc#1214980
  * bsc#1222804
  * bsc#1222807
  * bsc#1222811
  * bsc#1222813
  * bsc#1222814
  * bsc#1222821
  * bsc#1222822
  * bsc#1222826
  * bsc#1222828
  * bsc#1222830
  * bsc#1222833
  * bsc#1222834
  * bsc#1224113
  * bsc#1224115
  * bsc#1224116
  * bsc#1224118

  
Cross-References:

  * CVE-2023-5388

  
CVSS scores:

  * CVE-2023-5388 ( SUSE ):  6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

  
Affected Products:

  * SUSE Enterprise Storage 7.1
  * SUSE Linux Enterprise High Performance Computing 15 SP2
  * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
  * SUSE Linux Enterprise High Performance Computing 15 SP3
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
  * SUSE Linux Enterprise Micro 5.1
  * SUSE Linux Enterprise Micro 5.2
  * SUSE Linux Enterprise Micro for Rancher 5.2
  * SUSE Linux Enterprise Server 15 SP2
  * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
  * SUSE Linux Enterprise Server 15 SP3
  * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
  * SUSE Linux Enterprise Server for SAP Applications 15 SP2
  * SUSE Linux Enterprise Server for SAP Applications 15 SP3

  
  
An update that solves one vulnerability and has 16 security fixes can now be
installed.

## Description:

This update for mozilla-nss fixes the following issues:

  * FIPS: Added more safe memset (bsc#1222811).
  * FIPS: Adjusted AES GCM restrictions (bsc#1222830).
  * FIPS: Adjusted approved ciphers (bsc#1222813, bsc#1222814, bsc#1222821,
    bsc#1222822, bsc#1224118, bsc#1222807, bsc#1222828, bsc#1222834,
    bsc#1222804, bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115,
    bsc#1224116).

Update to NSS 3.101.1:

  * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.

update to NSS 3.101:

  * add diagnostic assertions for SFTKObject refcount.
  * freeing the slot in DeleteCertAndKey if authentication failed
  * fix formatting issues.
  * Add Firmaprofesional CA Root-A Web to NSS.
  * remove invalid acvp fuzz test vectors.
  * pad short P-384 and P-521 signatures gtests.
  * remove unused FreeBL ECC code.
  * pad short P-384 and P-521 signatures.
  * be less strict about ECDSA private key length.
  * Integrate HACL* P-521.
  * Integrate HACL* P-384.
  * memory leak in create_objects_from_handles.
  * ensure all input is consumed in a few places in mozilla::pkix
  * SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
  * clean up escape handling
  * Use lib::pkix as default validator instead of the old-one
  * Need to add high level support for PQ signing.
  * Certificate Compression: changing the allocation/freeing of buffer +
    Improving the documentation
  * SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
  * Allow for non-full length ecdsa signature when using softoken
  * Modification of .taskcluster.yml due to mozlint indent defects
  * Implement support for PBMAC1 in PKCS#12
  * disable VLA warnings for fuzz builds.
  * remove redundant AllocItem implementation.
  * add PK11_ReadDistrustAfterAttribute.
  *     * Clang-formatting of SEC_GetMgfTypeByOidTag update
  * Set SEC_ERROR_LIBRARY_FAILURE on self-test failure
  * sftk_getParameters(): Fix fallback to default variable after error with
    configfile.
  * Switch to the mozillareleases/image_builder image

  * switch from ec_field_GFp to ec_field_plain

Update to NSS 3.100:

  * merge pk11_kyberSlotList into pk11_ecSlotList for faster Xyber operations.
  * remove ckcapi.
  * avoid a potential PK11GenericObject memory leak.
  * Remove incomplete ESDH code.
  * Decrypt RSA OAEP encrypted messages.
  * Fix certutil CRLDP URI code.
  * Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys.
  * Add ability to encrypt and decrypt CMS messages using ECDH.
  * Correct Templates for key agreement in smime/cmsasn.c.
  * Moving the decodedCert allocation to NSS.
  * Allow developers to speed up repeated local execution of NSS tests that
    depend on certificates.

Update to NSS 3.99:

  * Removing check for message len in ed25519 (bmo#1325335)
  * add ed25519 to SECU_ecName2params. (bmo#1884276)
  * add EdDSA wycheproof tests. (bmo#1325335)
  * nss/lib layer code for EDDSA. (bmo#1325335)
  * Adding EdDSA implementation. (bmo#1325335)
  * Exporting Certificate Compression types (bmo#1881027)
  * Updating ACVP docker to rust 1.74 (bmo#1880857)
  * Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335)
  * Add NSS_CMSRecipient_IsSupported. (bmo#1877730)

Update to NSS 3.98:

  * (CVE-2023-5388) Timing attack against RSA decryption in TLS
  * Certificate Compression: enabling the check that the compression was
    advertised
  * Move Windows workers to nss-1/b-win2022-alpha
  * Remove Email trust bit from OISTE WISeKey Global Root GC CA
  * Replace `distutils.spawn.find_executable` with `shutil.which` within `mach`
    in `nss`
  * Certificate Compression: Updating nss_bogo_shim to support Certificate
    compression
  * TLS Certificate Compression (RFC 8879) Implementation
  * Add valgrind annotations to freebl kyber operations for constant-time
    execution tests
  * Set nssckbi version number to 2.66
  * Add Telekom Security roots
  * Add D-Trust 2022 S/MIME roots
  * Remove expired Security Communication RootCA1 root
  * move keys to a slot that supports concatenation in PK11_ConcatSymKeys
  * remove unmaintained tls-interop tests
  * bogo: add support for the -ipv6 and -shim-id shim flags
  * bogo: add support for the -curves shim flag and update Kyber expectations
  * bogo: adjust expectation for a key usage bit test
  * mozpkix: add option to ignore invalid subject alternative names
  * Fix selfserv not stripping `publicname:` from -X value
  * take ownership of ecckilla shims
  * add valgrind annotations to freebl/ec.c
  * PR_INADDR_ANY needs PR_htonl before assignment to inet.ip
  * Update zlib to 1.3.1

Update to NSS 3.97:

  * make Xyber768d00 opt-in by policy
  * add libssl support for xyber768d00
  * add PK11_ConcatSymKeys
  * add Kyber and a PKCS#11 KEM interface to softoken
  * add a FreeBL API for Kyber
  * part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff
  * part 1: add a script for vendoring kyber from pq-crystals repo
  * Removing the calls to RSA Blind from loader.*
  * fix worker type for level3 mac tasks
  * RSA Blind implementation
  * Remove DSA selftests
  * read KWP testvectors from JSON
  * Backed out changeset dcb174139e4f
  * Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation
  * Wrap CC shell commands in gyp expansions

Update to NSS 3.96.1:

  * Use pypi dependencies for MacOS worker in ./build_gyp.sh
  * p7sign: add -a hash and -u certusage (also p7verify cleanups)
  * add a defensive check for large ssl_DefSend return values
  * Add dependency to the taskcluster script for Darwin
  * Upgrade version of the MacOS worker for the CI

Update to NSS 3.95:

  * Bump builtins version number.
  * Remove Email trust bit from Autoridad de Certificacion Firmaprofesional CIF
    A62634068 root cert.
  * Remove 4 DigiCert (Symantec/Verisign) Root Certificates
  * Remove 3 TrustCor Root Certificates from NSS.
  * Remove Camerfirma root certificates from NSS.
  * Remove old Autoridad de Certificacion Firmaprofesional Certificate.
  * Add four Commscope root certificates to NSS.
  * Add TrustAsia Global Root CA G3 and G4 root certificates.
  * Include P-384 and P-521 Scalar Validation from HACL*
  * Include P-256 Scalar Validation from HACL*.
  * After the HACL 256 ECC patch, NSS incorrectly encodes 256 ECC without DER
    wrapping at the softoken level
  * Add means to provide library parameters to C_Initialize
  * add OSXSAVE and XCR0 tests to AVX2 detection.
  * Typo in ssl3_AppendHandshakeNumber
  * Introducing input check of ssl3_AppendHandshakeNumber
  * Fix Invalid casts in instance.c

Update to NSS 3.94:

  * Updated code and commit ID for HACL*
  * update ACVP fuzzed test vector: refuzzed with current NSS
  * Softoken C_ calls should use system FIPS setting to select NSC_ or FC_
    variants
  * NSS needs a database tool that can dump the low level representation of the
    database
  * declare string literals using char in pkixnames_tests.cpp
  * avoid implicit conversion for ByteString
  * update rust version for acvp docker
  * Moving the init function of the mpi_ints before clean-up in ec.c
  * P-256 ECDH and ECDSA from HACL*
  * Add ACVP test vectors to the repository
  * Stop relying on std::basic_string
  * Transpose the PPC_ABI check from Makefile to gyp

Update to NSS 3.93:

  * Update zlib in NSS to 1.3.
  * softoken: iterate hashUpdate calls for long inputs.
  * regenerate NameConstraints test certificates (bsc#1214980).

Update to NSS 3.92:

  * Set nssckbi version number to 2.62
  * Add 4 Atos TrustedRoot Root CA certificates to NSS
  * Add 4 SSL.com Root CA certificates
  * Add Sectigo E46 and R46 Root CA certificates
  * Add LAWtrust Root CA2 (4096)
  * Remove E-Tugra Certification Authority root
  * Remove Camerfirma Chambers of Commerce Root.
  * Remove Hongkong Post Root CA 1
  * Remove E-Tugra Global Root CA ECC v3 and RSA v3
  * Avoid redefining BYTE_ORDER on hppa Linux

Update to NSS 3.91:

  * Implementation of the HW support check for ADX instruction
  * Removing the support of Curve25519
  * Fix comment about the addition of ticketSupportsEarlyData
  * Adding args to enable-legacy-db build
  * dbtests.sh failure in "certutil dump keys with explicit default trust flags"
  * Initialize flags in slot structures
  * Improve the length check of RSA input to avoid heap overflow
  * Followup Fixes
  * avoid processing unexpected inputs by checking for m_exptmod base sign
  * add a limit check on order_k to avoid infinite loop
  * Update HACL* to commit 5f6051d2
  * add SHA3 to cryptohi and softoken
  * HACL SHA3
  * Disabling ASM C25519 for A but X86_64

Update to NSS 3.90.3:

  * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
  * clean up escape handling.
  * remove redundant AllocItem implementation.
  * Disable ASM support for Curve25519.
  * Disable ASM support for Curve25519 for all but X86_64.

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-2600=1

  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-2600=1

  * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2  
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-2600=1

  * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3  
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-2600=1

  * SUSE Linux Enterprise Server for SAP Applications 15 SP2  
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2024-2600=1

  * SUSE Linux Enterprise Server for SAP Applications 15 SP3  
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2024-2600=1

  * SUSE Enterprise Storage 7.1  
    zypper in -t patch SUSE-Storage-7.1-2024-2600=1

  * SUSE Linux Enterprise Micro 5.1  
    zypper in -t patch SUSE-SUSE-MicroOS-5.1-2024-2600=1

  * SUSE Linux Enterprise Micro 5.2  
    zypper in -t patch SUSE-SUSE-MicroOS-5.2-2024-2600=1

  * SUSE Linux Enterprise Micro for Rancher 5.2  
    zypper in -t patch SUSE-SUSE-MicroOS-5.2-2024-2600=1

## Package List:

  * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (aarch64
    x86_64)
    * libfreebl3-3.101.1-150000.3.117.1
    * libsoftokn3-3.101.1-150000.3.117.1
    * mozilla-nss-certs-3.101.1-150000.3.117.1
    * mozilla-nss-debugsource-3.101.1-150000.3.117.1
    * mozilla-nss-devel-3.101.1-150000.3.117.1
    * mozilla-nss-tools-3.101.1-150000.3.117.1
    * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-3.101.1-150000.3.117.1
    * libsoftokn3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (x86_64)
    * mozilla-nss-certs-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-3.101.1-150000.3.117.1
    * libfreebl3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-certs-32bit-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64
    x86_64)
    * libfreebl3-3.101.1-150000.3.117.1
    * libsoftokn3-3.101.1-150000.3.117.1
    * mozilla-nss-certs-3.101.1-150000.3.117.1
    * mozilla-nss-debugsource-3.101.1-150000.3.117.1
    * mozilla-nss-devel-3.101.1-150000.3.117.1
    * mozilla-nss-tools-3.101.1-150000.3.117.1
    * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-3.101.1-150000.3.117.1
    * libsoftokn3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (x86_64)
    * mozilla-nss-sysinit-32bit-3.101.1-150000.3.117.1
    * mozilla-nss-certs-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-3.101.1-150000.3.117.1
    * libfreebl3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-certs-32bit-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (aarch64 ppc64le s390x
    x86_64)
    * libfreebl3-3.101.1-150000.3.117.1
    * libsoftokn3-3.101.1-150000.3.117.1
    * mozilla-nss-certs-3.101.1-150000.3.117.1
    * mozilla-nss-debugsource-3.101.1-150000.3.117.1
    * mozilla-nss-devel-3.101.1-150000.3.117.1
    * mozilla-nss-tools-3.101.1-150000.3.117.1
    * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-3.101.1-150000.3.117.1
    * libsoftokn3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (x86_64)
    * mozilla-nss-certs-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-3.101.1-150000.3.117.1
    * libfreebl3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-certs-32bit-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 ppc64le s390x
    x86_64)
    * libfreebl3-3.101.1-150000.3.117.1
    * libsoftokn3-3.101.1-150000.3.117.1
    * mozilla-nss-certs-3.101.1-150000.3.117.1
    * mozilla-nss-debugsource-3.101.1-150000.3.117.1
    * mozilla-nss-devel-3.101.1-150000.3.117.1
    * mozilla-nss-tools-3.101.1-150000.3.117.1
    * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-3.101.1-150000.3.117.1
    * libsoftokn3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (x86_64)
    * mozilla-nss-sysinit-32bit-3.101.1-150000.3.117.1
    * mozilla-nss-certs-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-3.101.1-150000.3.117.1
    * libfreebl3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-certs-32bit-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP2 (ppc64le x86_64)
    * libfreebl3-3.101.1-150000.3.117.1
    * libsoftokn3-3.101.1-150000.3.117.1
    * mozilla-nss-certs-3.101.1-150000.3.117.1
    * mozilla-nss-debugsource-3.101.1-150000.3.117.1
    * mozilla-nss-devel-3.101.1-150000.3.117.1
    * mozilla-nss-tools-3.101.1-150000.3.117.1
    * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-3.101.1-150000.3.117.1
    * libsoftokn3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP2 (x86_64)
    * mozilla-nss-certs-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-3.101.1-150000.3.117.1
    * libfreebl3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-certs-32bit-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64)
    * libfreebl3-3.101.1-150000.3.117.1
    * libsoftokn3-3.101.1-150000.3.117.1
    * mozilla-nss-certs-3.101.1-150000.3.117.1
    * mozilla-nss-debugsource-3.101.1-150000.3.117.1
    * mozilla-nss-devel-3.101.1-150000.3.117.1
    * mozilla-nss-tools-3.101.1-150000.3.117.1
    * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-3.101.1-150000.3.117.1
    * libsoftokn3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (x86_64)
    * mozilla-nss-sysinit-32bit-3.101.1-150000.3.117.1
    * mozilla-nss-certs-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-3.101.1-150000.3.117.1
    * libfreebl3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-certs-32bit-debuginfo-3.101.1-150000.3.117.1
  * SUSE Enterprise Storage 7.1 (aarch64 x86_64)
    * libfreebl3-3.101.1-150000.3.117.1
    * libsoftokn3-3.101.1-150000.3.117.1
    * mozilla-nss-certs-3.101.1-150000.3.117.1
    * mozilla-nss-debugsource-3.101.1-150000.3.117.1
    * mozilla-nss-devel-3.101.1-150000.3.117.1
    * mozilla-nss-tools-3.101.1-150000.3.117.1
    * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-3.101.1-150000.3.117.1
    * libsoftokn3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-debuginfo-3.101.1-150000.3.117.1
  * SUSE Enterprise Storage 7.1 (x86_64)
    * mozilla-nss-sysinit-32bit-3.101.1-150000.3.117.1
    * mozilla-nss-certs-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-3.101.1-150000.3.117.1
    * libfreebl3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-32bit-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-32bit-3.101.1-150000.3.117.1
    * libsoftokn3-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-sysinit-32bit-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-certs-32bit-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64)
    * libfreebl3-3.101.1-150000.3.117.1
    * libsoftokn3-3.101.1-150000.3.117.1
    * mozilla-nss-certs-3.101.1-150000.3.117.1
    * mozilla-nss-debugsource-3.101.1-150000.3.117.1
    * mozilla-nss-tools-3.101.1-150000.3.117.1
    * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-3.101.1-150000.3.117.1
    * libsoftokn3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64)
    * libfreebl3-3.101.1-150000.3.117.1
    * libsoftokn3-3.101.1-150000.3.117.1
    * mozilla-nss-certs-3.101.1-150000.3.117.1
    * mozilla-nss-debugsource-3.101.1-150000.3.117.1
    * mozilla-nss-tools-3.101.1-150000.3.117.1
    * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-3.101.1-150000.3.117.1
    * libsoftokn3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-debuginfo-3.101.1-150000.3.117.1
  * SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 s390x x86_64)
    * libfreebl3-3.101.1-150000.3.117.1
    * libsoftokn3-3.101.1-150000.3.117.1
    * mozilla-nss-certs-3.101.1-150000.3.117.1
    * mozilla-nss-debugsource-3.101.1-150000.3.117.1
    * mozilla-nss-tools-3.101.1-150000.3.117.1
    * mozilla-nss-certs-debuginfo-3.101.1-150000.3.117.1
    * libfreebl3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-tools-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-3.101.1-150000.3.117.1
    * libsoftokn3-debuginfo-3.101.1-150000.3.117.1
    * mozilla-nss-debuginfo-3.101.1-150000.3.117.1

## References:

  * https://www.suse.com/security/cve/CVE-2023-5388.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1214980
  * https://bugzilla.suse.com/show_bug.cgi?id=1222804
  * https://bugzilla.suse.com/show_bug.cgi?id=1222807
  * https://bugzilla.suse.com/show_bug.cgi?id=1222811
  * https://bugzilla.suse.com/show_bug.cgi?id=1222813
  * https://bugzilla.suse.com/show_bug.cgi?id=1222814
  * https://bugzilla.suse.com/show_bug.cgi?id=1222821
  * https://bugzilla.suse.com/show_bug.cgi?id=1222822
  * https://bugzilla.suse.com/show_bug.cgi?id=1222826
  * https://bugzilla.suse.com/show_bug.cgi?id=1222828
  * https://bugzilla.suse.com/show_bug.cgi?id=1222830
  * https://bugzilla.suse.com/show_bug.cgi?id=1222833
  * https://bugzilla.suse.com/show_bug.cgi?id=1222834
  * https://bugzilla.suse.com/show_bug.cgi?id=1224113
  * https://bugzilla.suse.com/show_bug.cgi?id=1224115
  * https://bugzilla.suse.com/show_bug.cgi?id=1224116
  * https://bugzilla.suse.com/show_bug.cgi?id=1224118

Mozilla NSS Updates: Important Security Advisory for SUSE Systems

July 23, 2024
* bsc#1214980 * bsc#1222804 * bsc#1222807 * bsc#1222811 * bsc#1222813

Summary

## This update for mozilla-nss fixes the following issues: * FIPS: Added more safe memset (bsc#1222811). * FIPS: Adjusted AES GCM restrictions (bsc#1222830). * FIPS: Adjusted approved ciphers (bsc#1222813, bsc#1222814, bsc#1222821, bsc#1222822, bsc#1224118, bsc#1222807, bsc#1222828, bsc#1222834, bsc#1222804, bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116). Update to NSS 3.101.1: * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. update to NSS 3.101: * add diagnostic assertions for SFTKObject refcount. * freeing the slot in DeleteCertAndKey if authentication failed * fix formatting issues. * Add Firmaprofesional CA Root-A Web to NSS. * remove invalid acvp fuzz test vectors. * pad short P-384 and P-521 signatures gtests. * remove unused FreeBL ECC code. * pad short P-384 and P-521 signatures. * be less strict about ECDSA private key length. * Integrate HACL* P-521. * Integrate HACL* P-384. * memory leak in cre...

Read the Full Advisory

References

* bsc#1214980

* bsc#1222804

* bsc#1222807

* bsc#1222811

* bsc#1222813

* bsc#1222814

* bsc#1222821

* bsc#1222822

* bsc#1222826

* bsc#1222828

* bsc#1222830

* bsc#1222833

* bsc#1222834

* bsc#1224113

* bsc#1224115

* bsc#1224116

* bsc#1224118

Cross-

* CVE-2023-5388

CVSS scores:

* CVE-2023-5388 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Products:

* SUSE Enterprise Storage 7.1

* SUSE Linux Enterprise High Performance Computing 15 SP2

* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2

* SUSE Linux Enterprise High Performance Computing 15 SP3

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3

* SUSE Linux Enterprise Micro 5.1

* SUSE Linux Enterprise Micro 5.2

* SUSE Linux Enterprise Micro for Rancher 5.2

* SUSE Linux Enterprise Server 15 SP2

* SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2

* SUSE Linux Enterprise Server 15 SP3

* SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3

* SUSE Linux Enterprise...

Read the Full Advisory

Severity
Announcement ID: SUSE-SU-2024:2600-1
Rating: moderate

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved