Bug 23972

Summary: nss new security issue CVE-2018-12404
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, herman.viaene, lewyssmith, mageia, sysadmin-bugs
Version: 6
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA6-32-OK MGA6-64-OK
Source RPM: nss-3.36.5-1.2.mga6.src.rpm
CVE:
Status comment:
Bug Depends on:
Bug Blocks: 23706, 23991

Description David Walser 2018-12-08 18:36:03 CET
NSS 3.36.6 was released on November 30, fixing a security issue:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.36.6_release_notes

Updated package uploaded for Mageia 6.

Advisory:
========================

Updated nss packages fix security vulnerability:

Cache side-channel variant of the Bleichenbacher attack (CVE-2018-12404).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.36.6_release_notes
========================

Updated packages in core/updates_testing:
========================
rootcerts-20181108.00-1.mga6
rootcerts-java-20181108.00-1.mga6
nss-3.36.6-1.mga6
nss-doc-3.36.6-1.mga6
libnss3-3.36.6-1.mga6
libnss-devel-3.36.6-1.mga6
libnss-static-devel-3.36.6-1.mga6

from SRPMS:
rootcerts-20181108.00-1.mga6.src.rpm
nss-3.36.6-1.mga6.src.rpm

Comment 1 PC LX 2018-12-09 19:47:46 CET
Installed and tested without issues.

Tested with firefox. Checked with strace to confirm libs were used.

System: Mageia 6, x86_64, Firefox, Plasma, LXQt, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q firefox
firefox-60.3.0-1.mga6
$ strace -o tmp/strace.log /usr/bin/firefox
<SNIP>
$ egrep -o 'open\("[^"]*"' tmp/strace.log | egrep -o '".*"' | egrep -o '[^"]*' | sort -u > tmp/strace_files.log
$ rpm -ql $(rpm -qa | egrep 'nss.*3.36|rootcert' | sort) > tmp/rpm_files.log
$ for U in $(cat tmp/strace_files.log) ; do grep "$U" tmp/rpm_files.log ; done
/usr/lib64/libfreeblpriv3.so
/usr/lib64/libnss3.so
/usr/lib64/libnssutil3.so
/usr/lib64/libsmime3.so
/usr/lib64/libsoftokn3.so
/usr/lib64/libssl3.so

CC: (none) => mageia
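
The check done in comment 1 (trace which files Firefox opens, then keep the ones shipped by the nss and rootcerts packages) as an added shell example; it is not part of the bug report or of Mageia's QA procedure. It goes slightly beyond the comment's pipeline: it also picks up openat() calls, which newer glibc uses instead of open(), ignores opens that failed (they loaded nothing), and matches package paths as whole lines rather than substrings. The strace excerpt and the package file list embedded below are constructed sample input standing in for `strace -o strace.log firefox` and `rpm -ql <nss packages>`.

```shell
#!/bin/sh
# Added example: verify that a traced process loaded its NSS libraries from
# the updated packages. All input below is constructed; on a real system the
# two heredoc strings would be replaced by real strace output and `rpm -ql`.
LC_ALL=C
export LC_ALL

# Constructed strace excerpt (stand-in for `strace -o strace.log firefox`).
# One open failed, one path is opened twice, one is not an NSS file.
SAMPLE_STRACE='openat(AT_FDCWD, "/usr/lib64/libnss3.so", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libnssutil3.so", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libssl3.so", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/usr/lib64/libsoftokn3.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libnss3.so", O_RDONLY|O_CLOEXEC) = 3'

# Constructed package file list (stand-in for `rpm -ql` over the nss packages).
SAMPLE_RPM_FILES='/usr/lib64/libfreeblpriv3.so
/usr/lib64/libnss3.so
/usr/lib64/libnssutil3.so
/usr/lib64/libsmime3.so
/usr/lib64/libsoftokn3.so
/usr/lib64/libssl3.so'

# Read strace output on stdin; print the unique paths of open()/openat()
# calls that returned a file descriptor (a non-negative number). Failed
# calls end in "= -1 ERRNO (...)" and therefore do not match.
opened_paths() {
    sed -n 's/^.*open[a-z]*([^"]*"\([^"]*\)".*) = [0-9][0-9]*$/\1/p' | sort -u
}

# $1: file of opened paths, $2: package file list. Print the opened paths
# that belong to the packages, matched as whole lines (-x) so that
# /usr/lib64/libnss3.so cannot also match a longer, unrelated path.
paths_from_packages() {
    grep -Fxf "$1" "$2" | sort -u
}

# Run the whole check over the constructed input and print the NSS files
# the traced process actually opened.
run_check() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_STRACE" | opened_paths > "$tmp/opened"
    printf '%s\n' "$SAMPLE_RPM_FILES" > "$tmp/pkgfiles"
    paths_from_packages "$tmp/opened" "$tmp/pkgfiles"
    rm -rf "$tmp"
}

# Succeed only if the two libraries a TLS client cannot do without
# (libnss3 and libssl3) were loaded from the package set.
nss_loaded() {
    found=$(run_check)
    echo "$found" | grep -qx '/usr/lib64/libnss3.so' &&
    echo "$found" | grep -qx '/usr/lib64/libssl3.so'
}

echo "NSS package files opened by the traced process:"
run_check
if nss_loaded; then
    echo "OK: libnss3.so and libssl3.so were loaded from the packages"
else
    echo "WARNING: core NSS libraries were not loaded from the packages"
fi
```

On the constructed input the script lists libnss3.so, libnssutil3.so and libssl3.so; the failed open of libsoftokn3.so and the ld.so.cache path are dropped. A library that shows up in `rpm -ql` but never in a successful open is exactly the case worth a second look, since the process may be loading a copy from somewhere else.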

David Walser 2018-12-11 04:12:22 CET

Blocks: (none) => 23991

Nicolas Salguero 2018-12-11 09:47:50 CET

Blocks: (none) => 23706

Comment 2 James Kerr 2018-12-11 11:07:28 CET
on mga6-64  plasma

packages installed cleanly:
rootcerts-20181108.00-1.mga6.noarch
rootcerts-java-20181108.00-1.mga6.noarch
lib64nss3-3.36.6-1.mga6.x86_64
nss-3.36.6-1.mga6.x86_64

no regressions observed

looks OK for mga6-64

Comment 3 Herman Viaene 2018-12-11 14:39:04 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Installed cleanly, further tested by installation of Firefox update bug 23991 (which is dependent on this version of nss).

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2018-12-11 17:12:40 CET
(In reply to Herman Viaene from comment #3)
> MGA6-32 MATE on IBM Thinkpad R50e
> No installation issues.
> Installed cleanly, further tested by installation of Firefox update bug
> 23991 (which is dependent on this version of nss).

Did the same on a 64-bit Plasma install on a Probook 6550b, updating Firefox and Thunderbird at the same time. Used QA Repo for the task, being careful to add "64" to library names where appropriate when entering the package list. All packages installed cleanly.

Looks good here on 64-bit.

Validating. Advisory in Description.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Lewis Smith 2018-12-15 21:36:46 CET
Advisoried from comment 0.

Keywords: (none) => advisory
CC: (none) => lewyssmith

Comment 6 Mageia Robot 2018-12-15 22:30:51 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0482.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED