Commit graph

6 commits

Author SHA1 Message Date
obache
a3370e508c Apply following updates to suse131_mozilla-nss, bump PKGREVISION to 4.
==============================================================================
   openSUSE Security Update: MozillaFirefox to Firefox 32
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2014:1099-1
Rating:             moderate
References:         #894201 #894370
Cross-References:   CVE-2014-1553 CVE-2014-1562 CVE-2014-1563
                    CVE-2014-1564 CVE-2014-1565 CVE-2014-1567

Affected Products:
                    openSUSE 13.1
                    openSUSE 12.3
______________________________________________________________________________

   An update that fixes 6 vulnerabilities is now available.

Description:
 ...
   Mozilla NSS was updated to 3.16.4: Notable Changes:
   * The following 1024-bit root CA certificate was restored to allow more
     time to develop a better transition strategy for affected sites. It was
     removed in NSS 3.16.3, but discussion in the mozilla.dev.security.policy
     forum led to the decision to keep this root included longer in order to
     give website administrators more time to update their web servers.
       - CN = GTE CyberTrust Global Root
   * In NSS 3.16.3, the 1024-bit "Entrust.net Secure Server Certification
     Authority" root CA certificate was removed. In NSS 3.16.4, a 2048-bit
     intermediate CA certificate has been included, without explicit trust.
     The intention is to mitigate the effects of the previous removal of the
     1024-bit Entrust.net root certificate, because many public Internet
     sites still use the "USERTrust Legacy Secure Server CA" intermediate
     certificate that is signed by the 1024-bit Entrust.net root certificate.
     The inclusion of the intermediate certificate is a temporary measure to
     allow those sites to function, by allowing them to find a trust path to
     another 2048-bit root CA certificate. The temporarily included
     intermediate certificate expires November 1, 2015.

==============================================================================
   openSUSE Security Update: mozilla-nss: update to avoid signature forgery
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2014:1232-1
Rating:             critical
References:         #897890
Cross-References:   CVE-2014-1568
Affected Products:
                    openSUSE 13.1
                    openSUSE 12.3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   Mozilla NSS is vulnerable to a variant of a signature forgery attack
   previously published by Daniel Bleichenbacher. This is due to lenient
   parsing of ASN.1 values involved in a signature and could lead to the
   forging of RSA certificates.

==============================================================================
   openSUSE Security Update: update for firefox, mozilla-nspr, mozilla-nss and seamonkey
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2014:1345-1
Rating:             moderate
References:         #894370 #896624 #897890 #900941 #901213
Cross-References:   CVE-2014-1554 CVE-2014-1574 CVE-2014-1575
                    CVE-2014-1576 CVE-2014-1577 CVE-2014-1578
                    CVE-2014-1580 CVE-2014-1581 CVE-2014-1582
                    CVE-2014-1583 CVE-2014-1584 CVE-2014-1585
                    CVE-2014-1586
Affected Products:
                    openSUSE 13.1
______________________________________________________________________________

   An update that fixes 13 vulnerabilities is now available.

Description:
 ...
   Changes in mozilla-nss:
   - update to 3.17.1 (bnc#897890)
     * Change library's signature algorithm default to SHA256
     * Add support for draft-ietf-tls-downgrade-scsv
     * Add clang-cl support to the NSS build system
     * Implement TLS 1.3:
       * Part 1. Negotiate TLS 1.3
       * Part 2. Remove deprecated cipher suites and compression.
     * Add support for little-endian powerpc64

   - update to 3.17
     * required for Firefox 33
     New functionality:
     * When using ECDHE, the TLS server code may be configured to generate a
       fresh ephemeral ECDH key for each handshake, by setting the
       SSL_REUSE_SERVER_ECDHE_KEY socket option to PR_FALSE. The
       SSL_REUSE_SERVER_ECDHE_KEY option defaults to PR_TRUE, which means the
       server's ephemeral ECDH key is reused for multiple handshakes. This
       option does not affect the TLS client code, which always generates a
       fresh ephemeral ECDH key for each handshake.
     New Macros:
     * SSL_REUSE_SERVER_ECDHE_KEY
     Notable Changes:
     * The manual pages for the certutil and pp tools have been updated to
       document the new parameters that had been added in NSS 3.16.2.
     * On Windows, the new build variable USE_STATIC_RTL can be used to
       specify the static C runtime library should be used. By default the
       dynamic C runtime library is used.
2014-11-03 08:28:08 +00:00
obache
4a631931c8 define PKGNAME instead of fake DISTNAME. 2014-09-07 12:26:39 +00:00
obache
23ad858670 Apply openSUSE-SU-2014:0939-1, fixes CVE-2014-1544.
Bump PKGREVISION.
2014-08-01 09:28:47 +00:00
obache
f9f8b72048 Apply Security Update: openSUSE-SU-2014:0599-1
update for MozillaFirefox

Description:

   This is also a mozilla-nss update to version 3.16:
   * required for Firefox 29
   * bmo#903885 - (CVE-2014-1492) In a wildcard certificate,
   the wildcard character should not be embedded within
   the U-label of an internationalized domain name. See
   the last bullet point in RFC 6125, Section 7.2.
   * Supports the Linux x32 ABI. To build for the Linux x32
   target, set the environment variable USE_X32=1 when
   building NSS.
   New Functions:
   * NSS_CMSSignerInfo_Verify
   New Macros:
   * TLS_RSA_WITH_RC4_128_SHA,
   TLS_RSA_WITH_3DES_EDE_CBC_SHA, etc., cipher suites that
   were first defined in SSL 3.0 can now be referred to
   with their official IANA names in TLS, with the TLS_
   prefix. Previously, they had to be referred to with
   their names in SSL 3.0, with the SSL_ prefix.
   Notable Changes:
   * ECC is enabled by default. It is no longer necessary to
   set the environment variable NSS_ENABLE_ECC=1 when
   building NSS. To disable ECC, set the environment
   variable NSS_DISABLE_ECC=1 when building NSS.
   * libpkix should not include the common name of CA as DNS
   names when evaluating name constraints.
   * AESKeyWrap_Decrypt should not return SECSuccess for
   invalid keys.
   * Fix a memory corruption in sec_pkcs12_new_asafe.
   * If the NSS_SDB_USE_CACHE environment variable is set,
   skip the runtime test sdb_measureAccess.
   * The built-in roots module has been updated to version
   1.97, which adds, removes, and distrusts several
   certificates.
   * The atob utility has been improved to automatically
   ignore lines of text that aren't in base64 format.
   * The certutil utility has been improved to support
   creation of version 1 and version 2 certificates, in
   addition to the existing version 3 support.

Bump PKGREVISION.
2014-05-03 02:19:27 +00:00
obache
58c0e806da Update suse131_mozilla-nss RPM to 3.15.5-16.1 from openSUSE-SU-2014:0448-1.
Changes in mozilla-nss:
   - update to 3.15.5
   * required for Firefox 28
   * export FREEBL_LOWHASH to get the correct default
   headers (bnc#865539)
   New functionality
   * Added support for the TLS application layer protocol
   negotiation (ALPN) extension. Two SSL socket options,
   SSL_ENABLE_NPN and SSL_ENABLE_ALPN, can be used to
   control whether NPN or ALPN (or both) should be used
   for application layer protocol negotiation.
   * Added the TLS padding extension. The extension type
   value is 35655, which may change when an official
   extension type value is assigned by IANA. NSS
   automatically adds the padding extension to ClientHello
   when necessary.
   * Added a new macro CERT_LIST_TAIL, defined in certt.h,
   for getting the tail of a CERTCertList.
   Notable Changes
   * bmo#950129: Improve the OCSP fetching policy when
   verifying OCSP responses
   * bmo#949060: Validate the iov input argument (an array
   of PRIOVec structures) of ssl_WriteV (called via
   PR_Writev). Applications should still take care when
   converting struct iov to PRIOVec because the iov_len
   members of the two structures have different types
   (size_t vs. int). size_t is unsigned and may be larger
   than int.

Bump PKGREVISION.
2014-04-04 10:08:21 +00:00
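The size_t-versus-int caveat in the bmo#949060 note of the commit above, as an added C example (not part of the commit message and not NSS or NSPR code): a checked conversion that refuses any vector whose lengths would not survive the narrowing. `ExPRIOVec` is a stand-in that mirrors NSPR's `PRIOVec` layout so the block builds without the NSPR headers, and the `ex_`/`EX_` names and the sample buffers are hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <sys/uio.h>

/* Stand-in for NSPR's PRIOVec (assumption: char *iov_base; int iov_len;). */
typedef struct ExPRIOVec {
    char *iov_base;
    int   iov_len;
} ExPRIOVec;

enum { EX_OK = 0, EX_TOO_LONG = -1, EX_TOO_MANY = -2, EX_TOTAL_OVERFLOW = -3 };

/* Hypothetical helper: convert src[0..count) into dst, rejecting input that
 * would be truncated or turn negative when size_t is narrowed to int. */
int ex_iovec_to_priovec(const struct iovec *src, size_t count,
                        ExPRIOVec *dst, size_t dst_cap)
{
    size_t total = 0;

    if (count > dst_cap)
        return EX_TOO_MANY;
    for (size_t i = 0; i < count; i++) {
        /* One element longer than INT_MAX cannot be represented at all. */
        if (src[i].iov_len > (size_t)INT_MAX)
            return EX_TOO_LONG;
        /* The byte count of a vectored write comes back as a signed 32-bit
         * value, so the sum of the lengths has to fit as well. */
        if (src[i].iov_len > (size_t)INT_MAX - total)
            return EX_TOTAL_OVERFLOW;
        total += src[i].iov_len;
    }
    /* dst is written only after every element has been validated. */
    for (size_t i = 0; i < count; i++) {
        dst[i].iov_base = (char *)src[i].iov_base;
        dst[i].iov_len  = (int)src[i].iov_len;
    }
    return EX_OK;
}

/* Constructed sample: a 5-byte header followed by an element whose claimed
 * length is chosen by the caller (the buffers are never dereferenced). */
int ex_demo(size_t second_len)
{
    static char hdr[] = "HELLO", body[] = "world";
    struct iovec src[2] = {
        { .iov_base = hdr,  .iov_len = 5 },
        { .iov_base = body, .iov_len = second_len },
    };
    ExPRIOVec dst[2];
    return ex_iovec_to_priovec(src, 2, dst, 2);
}
```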
obache
b4454b4f6d Added suse131_mozilla-{nspr,nss} package to support nspr and nss linux module.
They are in base package for suse121.
2013-12-12 02:34:28 +00:00