8.126. nss and nspr
Updated nss and nspr packages that fix a number of bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.
Note
The nss family of packages, consisting of nss, nss-softokn, and nss-util, has been upgraded to the higher upstream versions, which provide a number of bug fixes and enhancements over the previous versions:
Bug Fixes
- BZ#702083
- The PEM module required client applications to use unique base file names for the files from which certificates were derived. Consequently, client applications' certificates and keys with the same base name but different file paths failed to load because they were incorrectly deemed to be duplicates. The comparison algorithm has been modified and the PEM module now correctly determines uniqueness regardless of how users name their files.
- BZ#882408
- Due to differences in the upstream version of the nss package, an attempt to enable the unsupported SSL PKCS#11 bypass feature failed with a fatal error message. This behavior could break the semantics of certain calls, thus breaking the Application Binary Interface (ABI) compatibility. With this update, the nss package has been modified to preserve the upstream behavior. As a result, an attempt to enable SSL PKCS#11 bypass no longer fails.
- BZ#903017
- Previously, there was a race condition in the certificate code related to smart cards. Consequently, when Common Access Card (CAC) or Personal Identity Verification (PIV) smart card certificates were viewed in the Firefox certificate manager, the Firefox web browser became unresponsive. The underlying source code has been modified to fix the race condition and Firefox no longer hangs in the described scenario.
- BZ#905013
- Due to errors in the Netscape Portable Runtime (NSPR) code responsible for thread synchronization, memory corruption sometimes occurred. Consequently, the web server daemon (httpd) sometimes terminated unexpectedly with a segmentation fault after making more than 1023 calls to the NSPR library. With this update, an improvement to the way NSPR frees previously allocated memory has been made and httpd no longer crashes in the described scenario.
- BZ#918136
- With the 3.14 upstream version of the nss package, support for certificate signatures using the MD5 hash algorithm in digital signatures has been disabled by default. However, certain websites still use MD5-based signatures, and therefore an attempt to access such a website failed with an error. With this update, the MD5 hash algorithm in digital signatures is supported again, so that users can connect to websites using this algorithm as expected.
- BZ#976572
- With this update, fixes to the implementation of Galois/Counter Mode (GCM) from upstream version 3.14.1 have been backported to the nss package. As a result, users no longer encounter the GCM problems that were documented and fixed in the upstream version.
- BZ#977341
- Previously, the output of the certutil -H command, which lists the options and arguments used by the certutil utility, did not describe the -F option. This information has been added and the option is now properly described in the output of certutil -H.
- BZ#988083
- Previously, the pkcs11n.h header was missing certain constants needed to support the Transport Layer Security (TLS) 1.2 protocol. The constants have been added to the nss-util package and NSS now supports TLS 1.2 as expected.
- BZ#990631
- Previously, Network Security Services (NSS) reverted the permissions of the pkcs11.txt file so that only the owner of the file could read it and write to it. This behavior overwrote other permissions specified by the user. Consequently, users were prevented from adding security modules to their own configuration using the system-wide security databases. This update provides a patch to fix this bug. As a result, NSS preserves the existing permissions for pkcs11.txt and users are now able to modify the NSS security module database.
- BZ#1008534
- Due to a bug in Network Security Services (NSS), the installation of the IPA (Identity, Policy, Audit) server terminated unexpectedly and an error was returned. This bug has been fixed with this update and installation of the IPA server now proceeds as expected.
- BZ#1010224
- The NSS softoken cryptographic module did not check whether the freebl library had been properly initialized before running its self-test. Consequently, certain clients, such as the Lightweight Directory Access Protocol (LDAP) client, could initialize and finalize NSS, in which case freebl was cleaned up and unloaded. When the library was loaded again, an attempt to run the self-test terminated unexpectedly, causing client failures such as Transport Layer Security (TLS) connection errors. This bug has been fixed and softoken now correctly initializes freebl before running its self-tests. As a result, the failures no longer occur in the described scenario.
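The BZ#918136 entry above re-enables MD5-based certificate signatures for compatibility, so an administrator may want to know which certificates in a deployment still rely on them. The following added example (not part of this erratum or of NSS) reads the outer signatureAlgorithm of a DER-encoded certificate with a minimal TLV parser and flags the PKCS#1 md5WithRSAEncryption OID; the two sample "certificates" are constructed stubs, not real certificates.

```python
"""Audit helper: flag DER-encoded X.509 certificates whose outer
signatureAlgorithm is md5WithRSAEncryption (constructed example)."""

MD5_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}


def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_bytes, next_pos).
    Handles both short-form and long-form (multi-byte) lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N, then N length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content octets into dotted-decimal form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm,
    signatureValue }; return the dotted OID from signatureAlgorithm."""
    tag, body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(body, 0)        # skip tbsCertificate
    tag, alg_id, _ = read_tlv(body, pos)    # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid_raw, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_raw)


def uses_md5_signature(cert_der):
    return signature_algorithm_oid(cert_der) in MD5_SIGNATURE_OIDS


def _fake_cert(alg_oid_der):
    """Constructed stub: empty tbsCertificate, AlgorithmIdentifier {oid, NULL},
    empty BIT STRING. Enough for the outer walk, not a real certificate."""
    alg = b"\x30" + bytes([len(alg_oid_der) + 2]) + alg_oid_der + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"
    return b"\x30" + bytes([len(body)]) + body


MD5_CERT = _fake_cert(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04")    # 1.2.840.113549.1.1.4
SHA256_CERT = _fake_cert(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") # 1.2.840.113549.1.1.11
```

For a real deployment, feed the bytes of each DER file (or a PEM body after base64 decoding) to uses_md5_signature and list the ones that return True.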
Enhancements
Users of nss and nspr are advised to upgrade to these updated packages, which fix these bugs and add these enhancements. After installing this update, applications using NSS or NSPR must be restarted for this update to take effect.