Security update for apache2-mod_nss

Announcement ID: SUSE-SU-2016:2396-1
Rating: moderate
References:
Cross-References:
CVSS scores:
  • CVE-2014-3566 ( NVD ): 3.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
  • CVE-2016-3099 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products:
  • SUSE Linux Enterprise Server 12
  • SUSE Linux Enterprise Server 12 LTSS 12
  • SUSE Linux Enterprise Server for SAP Applications 12

An update that solves four vulnerabilities can now be installed.

Description:

This update provides apache2-mod_nss 1.0.14, which brings several fixes and enhancements:

  • Fix OpenSSL ciphers stopped parsing at +. (CVE-2016-3099)
  • Created valgrind suppression files to ease debugging.
  • Implement SSL_PPTYPE_FILTER to call executables to get the key password pins.
  • Improvements to migrate.pl.
  • Update default ciphers to something more modern and secure.
  • Check for host and netstat commands in gencert before trying to use them.
  • Add server support for DHE ciphers.
  • Extract SAN from server/client certificates into env
  • Fix memory leaks and other coding issues caught by clang analyzer.
  • Add support for Server Name Indication (SNI).
  • Add support for SNI for reverse proxy connections.
  • Add RenegBufferSize? option.
  • Add support for TLS Session Tickets (RFC 5077).
  • Fix logical AND support in OpenSSL cipher compatibility.
  • Correctly handle disabled ciphers. (CVE-2015-5244)
  • Implement a slew more OpenSSL cipher macros.
  • Fix a number of illegal memory accesses and memory leaks.
  • Support for SHA384 ciphers if they are available in NSS.
  • Add compatibility for mod_ssl-style cipher definitions.
  • Add TLSv1.2-specific ciphers.
  • Completely remove support for SSLv2.
  • Add support for sqlite NSS databases.
  • Compare subject CN and VS hostname during server start up.
  • Add support for enabling TLS v1.2.
  • Don't enable SSL 3 by default. (CVE-2014-3566)
  • Fix CVE-2013-4566.
  • Move nss_pcache to /usr/libexec.
  • Support httpd 2.4+.
  • SHA256 cipher names change spelling from _sha256 to _sha_256.
  • Use apache2-systemd-ask-pass to prompt for a certificate passphrase. (bsc#972968, bsc#975394)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Server for SAP Applications 12
    zypper in -t patch SUSE-SLE-SAP-12-2016-1391=1
  • SUSE Linux Enterprise Server 12 LTSS 12
    zypper in -t patch SUSE-SLE-SERVER-12-2016-1391=1

Package List:

  • SUSE Linux Enterprise Server for SAP Applications 12 (x86_64)
    • apache2-mod_nss-debugsource-1.0.14-10.14.3
    • apache2-mod_nss-1.0.14-10.14.3
    • apache2-mod_nss-debuginfo-1.0.14-10.14.3
  • SUSE Linux Enterprise Server 12 LTSS 12 (ppc64le s390x x86_64)
    • apache2-mod_nss-debugsource-1.0.14-10.14.3
    • apache2-mod_nss-1.0.14-10.14.3
    • apache2-mod_nss-debuginfo-1.0.14-10.14.3

References: